Monday, December 28, 2009

pvefindaddr - ImmDbg plugin exposes attack surface

I've been interested in both the attack and the defenses involving various memory corruption bugs for some time, as they are a staple of modern computer security concerns. Microsoft's protection schemes continue to improve over time, and from a defender's perspective I like to see third-party vendors begin using some of the same protection techniques. I also like to be aware when vendors are not, so that extra awareness and attack surface reduction can be put into play.

Tonight I received a tweet from @Corelanc0d3r, who has done some nice research into a variety of IT and IT security related matters including exploitation techniques. His tweet:

released v1.7 of pvefindaddr ImmDdg plugin (

You can read his link for further information about this Immunity Debugger plugin, which does a good deal of time-saving enumeration.

Dropping his plugin into my C:\Program Files\Immunity Inc\Immunity Debugger\PyScripts on a Vista box, I took notice of all the functionality, but especially of the ability to enumerate processes without ASLR and SafeSEH with the following command:

!pvefindaddr nosafesehaslr

Since client-side security bugs are a critical entryway, the list of such processes (well, a very limited list based on samples on one particular install) may be of interest to those who wish to reduce/eliminate such code to run hardened systems, and/or of interest to penetration testers or security researchers. Software vendors may also want to take note (not that any are actually reading, as far as I know) and consider re-architecting and re-compiling with /DYNAMICBASE and /SAFESEH when possible. Anyone running the plugin or equivalent can obtain the same information; however, this might save someone some time and stimulate further ideas for research.

HP DeskJet printer software bundle DLL:

 Message=*[+] 0x003d0000 - 0x003db000 : hpzipr12.dll (*** No ASLR, No Safeseh ***)

# I've been concerned about the HP DeskJet printer software bundle for some time. The first clue was that the installation of this software to make a home printer function actually replaced patched versions with unpatched/vulnerable versions of specific code. On an XP box, Windows/Microsoft Update did not catch the issue, however on a Vista box Windows/Microsoft Update did notice and corrected the problem. The Secunia Personal Software Inspector (PSI) notified me pretty quickly that some critical files had regressed. With such a phenomenon taking place in the past I wasn't terribly surprised to see that this DLL was not taking advantage of newer protection techniques. Of course, the actual attack surface varies depending upon the system's usage profile, etc.

Cisco VPN client:
 Message=*[+] 0x00400000 - 0x0057a000 : cvpnd.exe (*** No ASLR, No Safeseh ***)
 Message=*[+] 0x10000000 - 0x1002f000 : vpnapi.dll (*** No ASLR, No Safeseh ***)

# Communication with another security researcher (who is a lot smarter and more experienced than myself) indicated that all the pre-auth memory corruption issues in this particular client had likely been weeded out. However we did not talk about these images being leveraged in a different part of the attack lifecycle.

Google Chrome DLL:
 Message=*[+] 0x4ad00000 - 0x4b50b000 : icudt38.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x05570000 - 0x05702000 : GPGee.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x04fe0000 - 0x05167000 : PKArchive87U.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x03210000 - 0x0323e000 : rarext.dll (*** No ASLR, No Safeseh ***)

Malwarebytes Anti-Malware:
 Message=*[+] 0x031f0000 - 0x03202000 : mbamext.dll (*** No ASLR, No Safeseh ***)

010 Hex editor:
 Message=*[+] 0x036f0000 - 0x03700000 : shlext010.dll (*** No ASLR, No Safeseh ***)

FileZilla shell extension:
 Message=*[+] 0x67080000 - 0x6709c000 : fzshellext.dll (*** No ASLR, No Safeseh ***)

 Message=*[+] 0x00400000 - 0x00586000 : TrueCrypt.exe (*** No ASLR, No Safeseh ***)

Found by attaching to VMAuthdService:
 *[+] 0x00160000 - 0x0024e000 : libxml2.dll (*** No ASLR, No Safeseh ***)
 *[+] 0x10000000 - 0x1006a000 : vmcryptolib.DLL (*** No ASLR, No Safeseh ***)
 *[+] 0x00b20000 - 0x00bf9000 : iconv.dll (*** No ASLR, No Safeseh ***)

Again, nothing earth-shattering here but an interesting survey of some typically deployed apps. With advances in exploitation techniques taking place constantly, it may be wise to audit your own apps in a similar way and reach for the uninstall.
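For auditing installed binaries on disk without attaching a debugger, the same two properties can be read from the PE header. This is an added example, not code from the post or from pvefindaddr: the function names `pe_mitigations` and `build_sample` are hypothetical, the sample image is constructed, and it assumes the usual on-disk indicators (the DYNAMIC_BASE and NO_SEH bits in DllCharacteristics, and a non-empty SEHandlerTable in the load configuration directory of a 32-bit image).

```python
import struct

DYNAMIC_BASE, NO_SEH = 0x0040, 0x0400  # IMAGE_DLLCHARACTERISTICS_* bits

def u(fmt, data, off):
    return struct.unpack_from("<" + fmt, data, off)

def pe_mitigations(data):
    """Report /DYNAMICBASE and /SAFESEH evidence in a PE32 (x86) file image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = u("I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size, opt = u("H", data, pe + 6)[0], u("H", data, pe + 20)[0], pe + 24
    if u("H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32; SafeSEH only applies to x86 images")
    dllchar = u("H", data, opt + 70)[0]             # DllCharacteristics
    ndirs = u("I", data, opt + 92)[0]               # NumberOfRvaAndSizes
    lc_rva = u("I", data, opt + 96 + 10 * 8)[0] if ndirs > 10 else 0
    handlers = 0
    for i in range(nsect):                          # map load-config RVA to a file offset
        vsize, va, rsize, raw = u("4I", data, opt + opt_size + 40 * i + 8)
        if lc_rva and va <= lc_rva < va + max(vsize, rsize):
            off = lc_rva - va + raw
            if u("I", data, off)[0] >= 72:          # struct large enough to hold SEH fields
                table, count = u("2I", data, off + 64)  # SEHandlerTable, SEHandlerCount
                handlers = count if table else 0
    return {"aslr": bool(dllchar & DYNAMIC_BASE),
            "no_seh": bool(dllchar & NO_SEH),       # image declares it uses no SEH at all
            "safeseh": handlers > 0}

def build_sample(dllchar, handler_count):
    """Constructed minimal PE32 headers plus one section, for demonstration only."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)         # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)    # Machine = i386, one section
    struct.pack_into("<H", img, 0x54, 0xE0)         # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)        # optional header magic: PE32
    struct.pack_into("<H", img, 0x58 + 70, dllchar)
    struct.pack_into("<I", img, 0x58 + 92, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<2I", img, 0x58 + 96 + 80, 0x1000, 72)  # load config directory entry
    struct.pack_into("<4I", img, 0x138 + 8, 0x200, 0x1000, 0x200, 0x200)  # section header
    struct.pack_into("<I", img, 0x200, 72)          # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    struct.pack_into("<2I", img, 0x200 + 64, 0x401100 if handler_count else 0, handler_count)
    return bytes(img)
```

For a real file, pass `open(path, "rb").read()` to `pe_mitigations`; an image reporting `aslr`, `no_seh` and `safeseh` all false corresponds to the "No ASLR, No Safeseh" lines listed above.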

Kudos to Corelanc0d3r for his plugin and for the discussions we had about it, and for his code tweak to scan all process memory instead of just the currently loaded/attached process.
