Some words about Vulnerability Patch Analysis

November 16, 2008

Hi,

Actually I’m a bit busy with work and a project related to my collaboration with EvilFingers, but I hope to release a paper soon.

Today we are going to talk a bit about the world of patch analysis. The security practice of analysing the patches released mainly by Microsoft, but also by other big software houses, has spread widely in the last year. The basic idea is to study the patch in order to understand the fixed bug and, from that, to build a PoC or the exploit itself.

Let’s take as an example the latest vulnerabilities released by Microsoft:

  • MS08-69 -> Microsoft XML Core Services Could Allow Remote Code Execution. It can be downloaded here.
  • MS08-69 -> Vulnerability in SMB Could Allow Remote Code Execution. It can be downloaded here.

After downloading a copy of the patches, obviously the ones for our OS, we have two executables:

  • WindowsXP-KB957097-x86-ENU.exe
  • msxml6-KB954459-enu-x86.exe

These two executables carry the fixed system files embedded in the installer, so the first operation is NOT to install the fixes but to obtain a copy of the new DLLs. To do that we have to unpack the two executables. Fortunately MS installers accept a set of command-line switches covering the various installation functions; in our case we need to extract the installer content into a specific directory. So let’s create a directory, for example Out; now we can extract the files as follows:

WindowsXP-KB957097-x86-ENU.exe /x:Out

and we will obtain:

  • /SP2GDR
  • /SP2GFE
  • /SP3GDR
  • /SP3GFE
  • /update

We are working, for example, with XP SP2, so let’s take the copy of mrxsmb.sys from SP2GDR or SP2GFE. Now we can apply the binary diffing approach 😉

In the case of msxml6-KB954459-enu-x86.exe, after decompressing it we get a .msi package, which must be extracted with msiexec. Here is how to extract an msi file into the directory you want:

msiexec /a PATH_OF YOUR_MSI /qb TARGETDIR=PATH_OF_YOUR_DESTINATION_DIR

in a practical example:

msiexec /a e:\Evil\msxml6.msi /qb TARGETDIR=e:\Evil\Msi\
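Once the branches are extracted, the next thing you want to know is which copy of the target file you should load into the differ, and whether it actually differs from the file installed on the analysis box. The following PowerShell script is an added example, not code from the original post; it assumes the extraction root is .\Out, the target file is mrxsmb.sys and a 32-bit XP layout for the installed copy.

```powershell
# Added example: inventory every branch copy of the patched file produced by
#   WindowsXP-KB957097-x86-ENU.exe /x:Out
# and compare version/hash against the currently installed (unpatched) binary.
# Assumptions: extraction root .\Out, target mrxsmb.sys, x86 XP driver path.

param(
    [string]$ExtractRoot   = ".\Out",         # where /x:Out put the branches
    [string]$TargetFile    = "mrxsmb.sys",    # file we want to diff
    [string]$InstalledCopy = "$env:SystemRoot\System32\drivers\mrxsmb.sys"
)

function Get-FileFacts {
    param([string]$Path)
    $info = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path    = $info.FullName
        Branch  = $info.Directory.Name        # SP2GDR, SP2GFE, SP3GDR, SP3GFE
        Version = $info.VersionInfo.FileVersion
        Size    = $info.Length
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Each branch folder carries its own copy of the fixed file.
$patched = Get-ChildItem -LiteralPath $ExtractRoot -Recurse -Filter $TargetFile |
    ForEach-Object { Get-FileFacts $_.FullName }

if (-not $patched) {
    throw "No $TargetFile found under $ExtractRoot; was the /x extraction run?"
}

$patched | Format-Table Branch, Version, Size, SHA256 -AutoSize

# Sanity check before diffing: the installed binary must differ from the branch
# copy we intend to compare, otherwise the patch is already applied or the
# wrong branch (wrong service pack) was picked.
if (Test-Path -LiteralPath $InstalledCopy) {
    $old = Get-FileFacts $InstalledCopy
    Write-Host "Installed: $($old.Version) $($old.SHA256)"
    foreach ($p in $patched) {
        $status = if ($p.SHA256 -eq $old.SHA256) { "IDENTICAL (nothing to diff)" }
                  else { "differs -> candidate for the differ" }
        Write-Host ("{0,-7} {1,-20} {2}" -f $p.Branch, $p.Version, $status)
    }
}
```

The pair to feed the binary differ is the installed copy plus the branch entry that matches your service pack and reports "differs".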

I also suggest you pay attention to the binary diffing software you’re going to use, because patches are sometimes “big” (4-5-6 MB) and, for example, Sabre Security’s BinDiff freezes on them.

The best binary differs are:

  • Sabre Security’s Bin Diff
  • Eeye Binary Diffing Suite

Regards,

Evilcry 🙂


Process Memory Dumper Finished

March 5, 2008

Hi,

Today I’ve coded a little Process Memory Dumper, just to obtain the entire memory image of a running process.

This will help me to develop a series of applications that exploit a series of password disclosure vulnerable applications.

Surely, in some time, I’ll publish the source code of the Memory Dumper 🙂

See you


SunOS 5.10 Remote ICMP Kernel Crash

January 13, 2008

Hi,

Recently IT Security spread an interesting vulnerability for SunOS 5.10, able to crash the entire kernel just by sending an ICMP packet with some particular data. I’ve written a little .NET application to accomplish this attack; soon I’ll publish it on my website.

See you at the next post.. 🙂


Attacking MultiCore CPUs

September 25, 2007

Recently an interesting security flaw for MultiCore CPUs was published; here you can find a generic overview, and here a more detailed description of the vulnerability 🙂

See you at the next post! 🙂