Embedded FontApocalypse: MS
Никита Тараканов (Nikita Tarakanov)
First of all: I am not affiliated with any AV company. I do not have, and never had, the original sample used by Duqu. The methods used to test the AV products may be incorrect.
A quick primer: TTF (TrueType) fonts are parsed in win32k.sys; OTF (OpenType with CFF/PostScript outlines) fonts are parsed in atmfd.dll (the Adobe Type Manager font driver). Both parsers run in kernel mode.
Vulnerability chronology:
MS – CFF memory corruption
MS – OTF parsing (2 vulns)
MS – OTF parsing (3 vulns)
MS – OTF encoded char vuln
MS – OTF parsing
MS – EOT parsing
MS – TTF parsing
MS – OTF(?) validation
MS – TTF, FON vulns
MS – DoS in TTF interpreter
MS – TTF sbit integer vulns
MS11-087 (the Duqu vuln)
TrueType bitmap glyphs (the sbit tables): EBLC (Embedded Bitmap Location table) holds the index, i.e. the position and metrics of each glyph's bitmap data; EBDT (Embedded Bitmap Data table) holds the actual bitmap data; EBSC (Embedded Bitmap Scaling table) says which bitmap strikes may be scaled to substitute for other sizes.
TrueType assembler! Over 100 instructions, and the interpreter is implemented in kernel land (!!!). Vulns were discovered in it (MS11-084). Each instruction has an itrp_XXX handler, for example itrp_PUSHB. Instructions live in the fpgm table, in the prep table (the CVT program) and in per-glyph programs inside glyf; the cvt table itself holds only control values, not code.
TrueType Assembler
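To make the "assembler in the kernel" point concrete, here is a toy interpreter for a handful of the instructions named above (PUSHB/PUSHW/NPUSHB/NPUSHW, DUP, POP, CLEAR, SWAP, DEPTH, ADD, SUB). It is an added example written for this page, not win32k's itrp_* code: the opcode numbers are from the TrueType specification, while the context layout, the 32-entry stack, the canary and the status codes are assumptions of the example. It shows the checks a font-program interpreter needs (stack overflow and underflow, operands that run past the end of the program) and what an unchecked stack pointer would land on: whatever state is stored right after the stack in the interpreter context.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy TrueType instruction interpreter (added example, not win32k/itrp_* code).
 * Opcode numbers are from the TrueType spec; the context layout, stack depth
 * and error codes are this example's own choices. */
#define TT_STACK_MAX 32

enum { TT_OK = 0, TT_ERR_OVERFLOW = 1, TT_ERR_UNDERFLOW = 2,
       TT_ERR_TRUNCATED = 3, TT_ERR_BAD_OPCODE = 4 };

typedef struct {
    int32_t  stack[TT_STACK_MAX];
    size_t   sp;          /* elements currently on the stack */
    uint32_t canary;      /* stands in for the graphics state that follows the stack */
} tt_ctx;

static int tt_push(tt_ctx *c, int32_t v) {
    if (c->sp >= TT_STACK_MAX) return TT_ERR_OVERFLOW;   /* without this: writes past the stack */
    c->stack[c->sp++] = v;
    return TT_OK;
}

static int tt_pop(tt_ctx *c, int32_t *v) {
    if (c->sp == 0) return TT_ERR_UNDERFLOW;             /* without this: reads before the stack */
    *v = c->stack[--c->sp];
    return TT_OK;
}

static int32_t tt_word(const uint8_t *p) {               /* big-endian int16 operand */
    return (int16_t)(uint16_t)((p[0] << 8) | p[1]);
}

/* Execute one program (fpgm, prep or a glyph program). */
int tt_run(tt_ctx *c, const uint8_t *prog, size_t len) {
    size_t ip = 0;
    while (ip < len) {
        uint8_t op = prog[ip++];
        int rc = TT_OK;
        int32_t a, b;
        if ((op >= 0xB0 && op <= 0xBF) || op == 0x40 || op == 0x41) {
            /* PUSHB[n] 0xB0-0xB7 / PUSHW[n] 0xB8-0xBF: n+1 operands follow;
             * NPUSHB 0x40 / NPUSHW 0x41: a count byte follows, then the operands. */
            size_t n, w;
            if (op == 0x40 || op == 0x41) {
                if (ip >= len) return TT_ERR_TRUNCATED;
                n = prog[ip++]; w = (op == 0x40) ? 1 : 2;
            } else {
                n = (size_t)(op & 7) + 1; w = (op < 0xB8) ? 1 : 2;
            }
            if (n * w > len - ip) return TT_ERR_TRUNCATED;   /* operands must lie inside the program */
            for (size_t i = 0; i < n && rc == TT_OK; i++)
                rc = tt_push(c, w == 1 ? (int32_t)prog[ip + i] : tt_word(prog + ip + 2 * i));
            ip += n * w;
        } else switch (op) {
        case 0x20: rc = tt_pop(c, &a); if (!rc) rc = tt_push(c, a); if (!rc) rc = tt_push(c, a); break; /* DUP */
        case 0x21: rc = tt_pop(c, &a); break;                                                           /* POP */
        case 0x22: c->sp = 0; break;                                                                    /* CLEAR */
        case 0x23: rc = tt_pop(c, &a); if (!rc) rc = tt_pop(c, &b);                                     /* SWAP */
                   if (!rc) rc = tt_push(c, a); if (!rc) rc = tt_push(c, b); break;
        case 0x24: rc = tt_push(c, (int32_t)c->sp); break;                                              /* DEPTH */
        case 0x60: rc = tt_pop(c, &b); if (!rc) rc = tt_pop(c, &a);                                     /* ADD */
                   if (!rc) rc = tt_push(c, (int32_t)((uint32_t)a + (uint32_t)b)); break;
        case 0x61: rc = tt_pop(c, &b); if (!rc) rc = tt_pop(c, &a);                                     /* SUB */
                   if (!rc) rc = tt_push(c, (int32_t)((uint32_t)a - (uint32_t)b)); break;
        default: return TT_ERR_BAD_OPCODE;
        }
        if (rc != TT_OK) return rc;
    }
    return TT_OK;
}

/* Run prog on a fresh context; returns the status, *top gets the top-of-stack value (0 if empty).
 * Returns -1 if the stack walked into the state behind it (the canary changed). */
int tt_eval(const uint8_t *prog, size_t len, int32_t *top) {
    tt_ctx c; memset(&c, 0, sizeof c); c.canary = 0xC0FFEE42u;
    int rc = tt_run(&c, prog, len);
    *top = c.sp ? c.stack[c.sp - 1] : 0;
    return (c.canary != 0xC0FFEE42u) ? -1 : rc;
}

/* Demo programs, constructed for this example. */
int32_t tt_demo_add(void) {           /* PUSHB[1] 5 7 ; ADD            -> 12 */
    static const uint8_t p[] = { 0xB1, 5, 7, 0x60 };
    int32_t top; tt_eval(p, sizeof p, &top); return top;
}
int32_t tt_demo_sub(void) {           /* PUSHW[0] -2 ; PUSHB[0] 3 ; SUB -> -5 */
    static const uint8_t p[] = { 0xB8, 0xFF, 0xFE, 0xB0, 3, 0x61 };
    int32_t top; tt_eval(p, sizeof p, &top); return top;
}
int tt_demo_underflow(void) {         /* ADD on an empty stack */
    static const uint8_t p[] = { 0x60 };
    int32_t top; return tt_eval(p, sizeof p, &top);
}
int tt_demo_overflow(void) {          /* NPUSHB 40: more entries than TT_STACK_MAX */
    uint8_t p[2 + 40]; p[0] = 0x40; p[1] = 40; memset(p + 2, 1, 40);
    int32_t top; return tt_eval(p, sizeof p, &top);
}
int tt_demo_truncated(void) {         /* PUSHB[2] promises 3 operand bytes, only 1 present */
    static const uint8_t p[] = { 0xB2, 9 };
    int32_t top; return tt_eval(p, sizeof p, &top);
}

int main(void) {
    printf("add=%d sub=%d underflow=%d overflow=%d truncated=%d\n",
           (int)tt_demo_add(), (int)tt_demo_sub(), tt_demo_underflow(),
           tt_demo_overflow(), tt_demo_truncated());
    return 0;
}
```

Every check that returns an error here is a place where the real interpreter, running in kernel mode on attacker-supplied bytes, must refuse the program rather than keep going; the canary in the context is the simplest way to see that an unchecked push would overwrite whatever the interpreter keeps behind its stack.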
GetSbitComponent: one of its parameters is the TTF interpreter context. An integer overflow leads to kernel pool corruption that overwrites the TTF interpreter context, and that gives a full ring-0 compromise, remotely (!!!).
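The sbit tables above and the GetSbitComponent bug have the same shape: attacker-controlled sizes and offsets from EBLC/EBDT feed an allocation or a copy. The following added example (written for this page; it is not the win32k code, whose exact arithmetic is not shown here) computes the bitmap size a glyph's metrics imply for EBDT image formats 1 and 2, and checks the glyph's offset and size against the EBDT length in a way that cannot wrap, next to the naive check that does. The sbit_entry fields, the status codes and the 256-byte EBDT used in the demo are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Sizing and bounds checks for an embedded bitmap (sbit) glyph: an added example of
 * the integer-overflow class, not the win32k GetSbitComponent code. The entry holds
 * the EBLC/EBDT fields a loader has already decoded (decoding omitted); the status
 * codes are this example's own. */
enum { SBIT_OK = 0, SBIT_ERR_FORMAT = 1, SBIT_ERR_SIZE = 2, SBIT_ERR_RANGE = 3 };

typedef struct {
    uint8_t  imageFormat;   /* EBDT image format: 1 = byte-aligned rows, 2 = bit-aligned */
    uint8_t  height, width; /* from the glyph's bigGlyphMetrics / smallGlyphMetrics */
    uint8_t  bitDepth;      /* from the EBLC bitmapSizeTable: 1, 2, 4 or 8 */
    uint32_t imageOffset;   /* from the EBLC indexSubTable: offset into EBDT */
    uint32_t imageSize;     /* declared size of the bitmap data */
} sbit_entry;

/* Bytes of bitmap data the metrics imply (at most 255*255*8 bits, so no wrap here). */
uint32_t sbit_image_size(uint8_t fmt, uint8_t h, uint8_t w, uint8_t bitDepth) {
    uint32_t bits_per_row = (uint32_t)w * bitDepth;
    if (fmt == 1) return (uint32_t)h * ((bits_per_row + 7) / 8);   /* each row padded to a byte */
    if (fmt == 2) return ((uint32_t)h * bits_per_row + 7) / 8;     /* rows packed bit to bit */
    return 0;
}

/* The buggy shape: off + size wraps in 32 bits, so a huge offset passes the check. */
int sbit_range_ok_naive(uint32_t off, uint32_t size, uint32_t ebdt_len) {
    return off + size <= ebdt_len;
}

/* Hardened: compare against the remaining length instead of adding, so nothing can wrap. */
int sbit_range_ok(uint32_t off, uint32_t size, uint32_t ebdt_len) {
    return off <= ebdt_len && size <= ebdt_len - off;
}

/* Validate one glyph entry against the EBDT table length before any allocation or copy. */
int sbit_validate(const sbit_entry *e, uint32_t ebdt_len) {
    uint32_t expected = sbit_image_size(e->imageFormat, e->height, e->width, e->bitDepth);
    if (expected == 0) return SBIT_ERR_FORMAT;            /* unsupported format or empty bitmap */
    if (e->imageSize != expected) return SBIT_ERR_SIZE;   /* declared size disagrees with metrics */
    if (!sbit_range_ok(e->imageOffset, e->imageSize, ebdt_len)) return SBIT_ERR_RANGE;
    return SBIT_OK;
}

/* Demo entries (constructed): 12x10 1-bpp glyphs in a 0x100-byte EBDT. */
int sbit_demo_valid(void) {
    sbit_entry e = { 1, 10, 12, 1, 0xE0, 20 };          /* 0xE0 + 20 = 0xF4 <= 0x100 */
    return sbit_validate(&e, 0x100);
}
int sbit_demo_truncated(void) {
    sbit_entry e = { 1, 10, 12, 1, 0xF0, 20 };          /* 0xF0 + 20 = 0x104 > 0x100 */
    return sbit_validate(&e, 0x100);
}
int sbit_demo_wrapped(void) {
    sbit_entry e = { 2, 10, 12, 1, 0xFFFFFFF8u, 15 };   /* offset + size wraps past 2^32 */
    return sbit_validate(&e, 0x100);
}

int main(void) {
    printf("valid=%d truncated=%d wrapped=%d naive_wrap_passes=%d\n",
           sbit_demo_valid(), sbit_demo_truncated(), sbit_demo_wrapped(),
           sbit_range_ok_naive(0xFFFFFFF8u, 15, 0x100));
    return 0;
}
```

The wrapped entry is the one to look at: the naive check accepts it because 0xFFFFFFF8 + 15 wraps to 7, and a copy or allocation driven by that entry is exactly how corrupted kernel pool memory, and with it the adjacent interpreter context, comes about.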
Lame, lame cybercriminals: the guys behind Duqu failed to exploit this vuln on x64 systems! Actually, it is real hardcore: you have to implement a ROP program in TTF assembler. TODO: go pwn x64, crack your brain!
MS attack vectors: TTF – good for Vista/2k8/7/8; DOC – Duqu's attack vector (the font embedded in a Word document); DOCX – same as DOC, but OOXML; IE – drive-by download scenario; LPE – no comments…
AV/HIPS vs MS. TTF vector detection: avast, avira, bitdefender, bullguard, escan, gdata, k7, kl, lavasoft, rising, trustport, vipre, zonealarm. LPE: FAIL, FAIL, FAIL! Even with MAPP info some AVs failed to detect my PoC.
MS Easter Egg
Kernel attack surface: interrupts, syscalls
Interrupts: exceptions, interrupt transitions, NTVDM
Syscalls: ntoskrnl.exe, win32k.sys