Pwning Adobe Reader - SyScan360 and Infiltrate 2016 slide decks

Hi everyone,

in the last few weeks I've given two presentations (@ SyScan360, Singapore and Infiltrate, Miami) about Pwning Adobe Reader using its embedded XFA engine. 

The URLs to the slide decks can be found below. Besides the PDFs I also uploaded the PPTX versions since some might have reservations opening PDFs from me (at least with Adobe products...) ;-)


The analytical part of the presentations (symbol recovery, object and jfCacheManager analysis) are mostly identical. The main difference is the practical exploitation part: At SyScan360 I explained how to abuse a 0-DWORD write primitive to create a memory leak (thus bypassing ASLR) and to get near 100% reliable, OS- and version-independant code execution within the sandboxed Reader process. At Infiltrate I used an 0day exploit to showcase the great flexibility of the exploitation technique and explained the general steps to exploit a rather "ugly" vulnerability which does not give you a clean, controlled write primitive.

• SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pdf
• SyScan360_2016_-_Pwning_Adobe_Reader_with_XFA.pptx

• Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pdf 
• Infiltrate_2016_-_Pwning_Adobe_Reader_with_XFA.pptx 

[ Please note that the layout of the Powerpoint version gets a bit screwed up when viewed with mobile PPTX readers (such as the one embedded in iOS)... ]

A technical writeup which goes deeper into the topic of Pwning the Reader will be released soon. Stay tuned :)

Cheers,
Sebastian

Pwn2Own 2014 - Escaping the sandbox through AFD.sys

This year Andy and I were finally able to take part in the Pwn2Own contest during the CanSecWest conference in Vancouver. We won the Internet Explorer 11 competition by compromising a fully-patched Windows 8.1 (x64) system.
For successful exploitation we abused three distinct vulnerabilities:

• Two Internet Explorer 11 Use-After-Frees which evaded ASLR/DEP and gave us userland code execution
• One Windows Kernel vulnerability to escape the Internet Explorer sandbox and execute code with SYSTEM privileges.

(In fact, we needed three Internet Explorer vulnerabilities, since the second vulnerability in our exploit chain had been patched the day before the contest - yes, it was a rather sleepless night.)

The vulnerabilities have been patched in the Microsoft Security Bulletins MS14-035, MS14-037 and MS14-040.

The vulnerability analysis, a detailed description of the exploitation process and the patch analysis can be downloaded HERE.

Hopefully see you at next year's Pwn2Own! :)
Sebastian

Custom Viewer

With release 0.9.17 watobo introduced a new viewer pane. This custom viewer gives you full control of how the output should look like. It enables you to parse the response (extract, format, decode, …) and display only the relevant parts by using the power of ruby – an example will follow shortly.
The custom viewer is available in the main window’s response viewer as well as in the manual request editor response - the latter we use for this tutorial.
Here’s the place we’re talking about:

Example

Our example function takes two parameters ‘char’ and ‘count’. The JSON response contains the parameter ‘answer’, which looks based64 encoded:

For decoding, select the base64 string, right-click and send it to watobo’s transcoder …

and finally decode it. But it still doesn't look human readable:

There's no well known magic-byte, but because of the two parameters ‘char’ and ‘count’ … bla … bla … bla … I know that the response is deflated with zlib ;)
Let’s proof it in irb:

>> require 'zlib'
>> require 'base64'
>> Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate Base64.decode64("Cw+HAQA=")
WWWWWWWWWW

This looks much better!

Cool, but it is not very comfortable if you have to copy-paste this string for each single response. So this is the time for the custom viewer.To automate this process (extract, decode and finally inflate) we only have to write a small handler. This handler consists of a ruby-lambda which receives the response object as an argument.

The very handler skeleton looks like this:

lambda{|response|
}

Because the return value of the handler function will be displayed,  it is a good choice to return a string.


The final code should look like this:

lambda{|response|
  h = JSON.parse(response.body.to_s)
  bin = Base64.decode64(h[‚answer‘])
  Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate bin
}

Now, save it and go on with the custom viewer:

You should see the red sign "No handler!". Press ‘add’ and select our freshly created handler file.
The sign should have been turned green, saying "Handler ready!"

*DRUMS_PLEASE* … press “SEND” … et voilà!

The viewer shows only the extracted, decoded and finally inflated value.

If you like it, please spread the word!

[as]

Installing FX/Ruby on (Kali) Linux

As most of the common linux distribution also Kali Linux has its own ruby package. But using these pre-built packages is often a pain in the ... ahm ... not the best choice, especially if you need to compile your own modules. From my experiences with Ruby on linux, I recommend to use RVM (Ruby Version Manager) for installing Ruby. This little tutorial will show you how to install (FX)Ruby on Kali Linux.

I assume you're using Kali Linux as an unprivileged user (not/never root!). If not, it's not my problem ;)
If running as root you should create an unprivileged user with the following commands:

adduser -m -s /bin/bash -G sudo "your_username"
passwd "your_username" [now enter your super-secure-password]

Now logout 'root' and login as your new user

Note: The following steps are meant to be executed as an unprivileged user!
Otherwise RVM will install itself as a multi-user-environment which will not work for this tutorial.

1. Install Additional Packages

These packages are necessary to compile fox-toolkit, fxscintilla and opengl which are essential for fxruby.

for pkg in bash curl git patch bzip2 build-essential openssl libreadline6 libreadline6-dev git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt-dev autoconf libc6-dev libgdbm-dev ncurses-dev automake libtool bison subversion pkg-config libffi-dev libx11-dev libxcursor-dev libxext-dev libxrandr-dev libxft2-dev freeglut3-dev libjpeg-turbo8-dev libjpeg8-dev libjpeg-dev zlib1g-dev libbz2-dev libpng12-dev libtiff4-dev;
do
sudo apt-get -y install $pkg
done
# ftp://ftp.fox-toolkit.org/pub/fox-1.6.47.tar.gz
# Download and compile fox-toolkit
# version 1.6.44 works
# version 1.7.x is incompatible with fxruby
# http://www.fox-toolkit.org/
wget http://ftp.fox-toolkit.org/pub/fox-1.6.47.tar.gz
tar xzvf fox-1.6.47.tar.gz
cd fox-1.6.47
./configure
make
sudo make install
cd ..

# Download and compile fxscintilla
wget http://download.savannah.gnu.org/releases/fxscintilla/fxscintilla-2.28.0.tar.gz
tar xzvf fxscintilla-2.28.0.tar.gz
cd fxscintilla-2.28.0
./configure
make
sudo make install
cd ..

Now it's time to lay back and get a coffee ...

2. Install RVM

Installing RVM is very straight forward. More details can be found here.

znow@hotdog:~$curl https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable
znow@hotdog:~$source "$HOME/.rvm/scripts/rvm"

3. Integrate RVM Into Gnome Terminal

Before we continue with installing Ruby we should make our bash running as a login-shell. If you want to learn more about how to integrate RVM into Gnome, I recommend this article.
So, first check "Run command as login shell" option under Terminal->Edit->Profile Preferences|<-title data-blogger-escaped-and="" data-blogger-escaped-command-="">

Next, we have to edit ~/.bash_profile to make it look like this:

source "$HOME/.profile"
[[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm" # Load RVM into a shell session *as a function*

4. Install Ruby

In case you want to use WATOBO you should install Ruby 1.9.3. No lower version and no higher! Open a new terminal and type:

znow@hotdog:~$rvm install 1.9.3

Now it's time to lay back and get a 2nd coffee ....

Re-check your ruby path which should point into your home directory:

znow@hotdog:~$ which ruby
/home/znow/.rvm/rubies/ruby-1.9.3-p392/bin/ruby

5. Install FXRuby and more ...

Now everything should be fine and you can continue installing gems you like, like fxruby, opengl, ...

znow@hotdog:~$ gem install fxruby
Fetching: fxruby-1.6.26.gem (100%)
Building native extensions. This could take a while...
Successfully installed fxruby-1.6.26
1 gem installed
Installing ri documentation for fxruby-1.6.26...
Installing RDoc documentation for fxruby-1.6.26...
znow@hotdog:~$ ruby -e "require 'fox16'; puts Fox.fxversion"
1.6.47
znow@hotdog:~$

Installer

You can download the installer shell script [here]

[as]

WATOBO Running SQLMap

In WATOBO version 0.9.9 I introduced a new plugin which builds a bridge between WATOBO and sqlmap (http://sqlmap.org).

To bring up the plugin right-click on the request you want to test and select 'Send to' -> SQLmap:

The plugin provides an easy to use interface:

There are predefined menus for typical sqlmap options like Technique, Risk and Level. You also can add any command line option manually, e.g. for further enumeration tasks.

When you press the start button WATOBO will first write the request to a file in the temp directory which will be parsed by sqlmap (-r option). Then it opens a new command window and runs sqlmap.

Have Phun!
-andy

WATOBO 0.9.9 Supports Transparent Mode

"Cool, WATOBO can act as a transparent proxy. But why do I need this feature?"
Right, most of the time when you're pentesting a web application you only have to configure your browser to use a proxy. This will work for most of the applications designed for web browsers.
But there are more and more apps for mobile devices, e.g. iPhones or Androids which also rely on web based applications. Sometimes these apps are not able to use a proxy or even refuse to use one.
For these special cases a transparent proxy is the only way to intercept and modify the communication - beside modifying or hooking the app itself.

Running Transparent

Some very special requirements must be met by the proxy and by the Operating System (IP Stack) in order to run a web proxy in transparent mode - especially when SSL connections must be handled.

These are the main tasks which have to be fulfilled:
- intercept the request before the request arrives at the proxy
- keep track of the original destination of the request
- get the certificate of the original destination to extract the CommonName
- create a fake certificat with the correct CommonName
- redirect the request to the proxy
- proxy must lookup the original destination
- lookup for the correct certificate
- do the SSL handshake

Because some of these tasks need a direct access to the routing process of the operating system it is only possible (with a minimum effort) on a Linux system. Most of this magic is done with IPTables and NetfilterQueues. The later is an IPTables interface to analyze and modify IP packets from within the userland.

Note:
At the time of this writing I'm not aware of any other web testing proxy supporting transparent mode. If you know one, please let me know.

Lab Setup

The folling steps will show you how to setup a system running WATOBO as a transparent proxy.

You must met some requirements before working with this tutorial:
- BackTrack 5R2
- DHCPD (dhcp3-server)
- DNS (bind9) server
- HostAP Daemon up and running to connect your mobile device

The following link might help you if you have problems installing bind9 or dhcp3-server.
http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/

Our lab setup is as follows:

Here's the interface configuration (/etc/network/interfaces):

auto eth0
iface eth0 inet dhcp

auto wlan0
iface wlan0 inet static
address 192.168.33.1
netmask 255.255.255.0

Note:
If you only want to test the transparent feature without a mobile device you don't need hostapd. Any other additional interface, e.g. eth1 will also work.
But don't forget to adjust the example scripts and commands.

Testing Basic Communication

Before you continue with setting up WATOBO this would be a good time to test your general network setup. So, we first convert our system into a simple router which hides our internal IP addresses (NAT). For this, we have to enable IP forwarding and NATing:

echo "Turn on NATing"
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "Enable IP forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward

Now you should have a working internet connection with your mobile device. If not, you must work on your setup - try harder ;)

Time To Install WATOBO

 Just download and run the installer script.

wget http://watobo.sourceforge.net/extras/watobo-installer.sh

Start And Configure WATOBO 

After the installation script finished open a new shell and type watobo_gui.rb.
Then start a new project and open the Interceptor settings menu  (Settings -> Interceptor).

Enable the transparent mode and don't forget to change the Bind Address to make WATOBO listening on the correct interface. In our lab we set it to 0.0.0.0  => listen on all interfaces.

You must restart WATOBO after changing the interceptor settings. After re-open the project the port information in the statusbar should be highlighted in red.

Import The WATOBO CA Certificate

To prevent your app or your browser from complaining (or even stop working) about a wrong certificate you should make your device trust the WATOBO CA. This CA is used to generate the fake server certificates. The CA certificate is generated the first time you start WATOBO and is written to /root/.watobo/CA/cacert.pem

To make your iPhone trust this certificate, send the cacert.pem file via email to your device and install it.

Start Netfilter Server

Next we have to start the Netfilter Server. This is our userland process which handles incoming requests before they are redirected to the proxy necessary to keep track of the original destination. I first tried to implement this service inside the WATOBO core process but I run into problems crashing WATOBO imediately. I guess there were some conflicts with other IO streams. My second attempt was to implement it as an XML/RPC service but the same problems occured. Now the process is implemented as a DRb (Distributed Ruby) service which seems to be much more stable. You can get more infos about DRb here.

So, to run this service type:

nfq_server.rb

Note:
Unfortunately this service also crashes or hangs from time to time. So just keep an eye on the shell where you started the service. If you see any error message or the service stopped working a simple restart will let the communication continue without any problems.

If I find some time I will write a watchdog service or maybe you want to do it? ;)

Configure IPTables

Ok, now IPTables comes on the scene. We use it for two tasks:
First, we have to redirect incoming traffic imediatly to our Netfilter Server before routing takes place. This can be done with the mangle table of the pre-routing chain. You can find detailed information about IPTables packet-flow here: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
In our lab setup we only redirect traffic using port 443 because we have to keep track of the original destination of encrypted connections - we don't get a CONNECT request when running transparent. This is not necessary for regular HTTP traffic. Here we can extract the original destination from the HTTP Server Header. Anyway, to not slow down communication too much we only want to redirect SYN packets. This can be done with the following command:

iptables -t mangle -A PREROUTING -p tcp -m state --dport 443 --state NEW -j NFQUEUE --queue-num 0

After the packet has been processed by our Netfilter Server it's passed back to the regular packet-flow of IPTables.

The second task is to redirect the traffic to the WATOBO proxy. We do this for the ports 80 and 443:

iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp -j REDIRECT --dport 443 --to-ports 8081
iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp -j REDIRECT --dport 80 --to-ports 8081

You can download a little script which does all the necessary IPTables commands for you here or using wget:

wget http://watobo.sourceforge.net/extras/watobo-transparent.sh

 Start Analyzing Your App

Finally just start the app you want to analyze. You don't have to configure a proxy. If everything went well you should see all the requests in the conversation table of WATOBO - ready to perform some nice checks ;)

Have Phun!
-andy

Installing WATOBO on BackTrack 5R2

The following script installs all necessary gems on your BackTrack system:

#!/bin/bash
# WATOBO-Installer for BackTrack 5R2 - may work on other distros too.
# Version: 1.0
# Date: 26.06.2012
# Author: Andreas Schmidt
info() {
printf "\033[36m$*\033[0m\n"
}
head() {
printf "\033[31m$*\033[0m\n"
}
head "##############################################"
head "# W A T O B O - I N S T A L L E R #"
head "##############################################"
echo "Adding /root/.gem/ruby/1.9.2/bin/ to your PATH .."
echo 'export PATH=$PATH:/root/.gem/ruby/1.9.2/bin/' >> /root/.bashrc
export PATH=$PATH:/root/.gem/ruby/1.9.2/bin/

echo "Installing needed gems ..."
for G in selenium-webdriver mechanize fxruby net-http-digest_auth net-http-persistent nokogiri domain_name unf webrobots ntlm-http net-http-pipeline watobo
do
info ">> $G"
gem install --user-install $G
done

info "Installation finished."
echo "Type watobo_gui.rb to start WATOBO."
echo "For manuals/videos and general information about WATOBO please check:"
echo "* http://watobo.sourceforge.net/"

Get the most recent script [here].

wget http://watobo.sourceforge.net/extras/watobo-installer.sh

Enjoy!

[as]