Monday, December 28, 2009

pvefindaddr - ImmDbg plugin exposes attack surface



I've been interested in both the attacks and the defenses involving various memory corruption bugs for some time, as they are a staple of modern computer security concerns. Microsoft's protection schemes continue to improve over time. From a defender's perspective I like to see third-party vendors begin using some of the same protection techniques, and I also like to be aware when vendors are not, so that extra awareness and attack surface reduction can be put into play.

Tonight I received a tweet from @Corelanc0d3r, who has done some nice research into a variety of IT and IT-security-related matters, including exploitation techniques. His tweet:

released v1.7 of pvefindaddr ImmDbg plugin (http://bit.ly/57Q14V)


You can read his link for further information about this Immunity Debugger plugin, which does a good deal of time-saving enumeration.

Dropping his pvefindaddr.py into my C:\Program Files\Immunity Inc\Immunity Debugger\PyScripts directory on a Vista box, I took note of all the functionality, but especially of the ability to enumerate loaded modules lacking ASLR and SafeSEH with the following command:

!pvefindaddr nosafesehaslr

Since client-side security bugs are a critical entryway, the list of such modules (well, a very limited list based on samples from one particular install) may be of interest to those who wish to reduce or eliminate such code in order to run hardened systems, and to penetration testers or security researchers. Software vendors may also want to take note (not that any are actually reading this, as far as I know) and consider re-architecting and recompiling with /DYNAMICBASE and /SAFESEH when possible. Anyone running the plugin or an equivalent can obtain the same information; this might simply save someone some time and stimulate further ideas for research.

HP DeskJet printer software bundle DLL:

 Message=*[+] 0x003d0000 - 0x003db000 : hpzipr12.dll (*** No ASLR, No Safeseh ***)

# I've been concerned about the HP DeskJet printer software bundle for some time. The first clue was that installing this software to make a home printer function actually replaced patched versions of specific code with unpatched, vulnerable versions. On an XP box, Windows/Microsoft Update did not catch the issue; on a Vista box it did notice and corrected the problem. The Secunia Personal Software Inspector (PSI) notified me pretty quickly that some critical files had regressed. Having seen that happen in the past, I wasn't terribly surprised to see that this DLL was not taking advantage of newer protection techniques. Of course, the actual attack surface varies depending on the system's usage profile, etc.

Cisco VPN client:
 Message=*[+] 0x00400000 - 0x0057a000 : cvpnd.exe (*** No ASLR, No Safeseh ***)
 Message=*[+] 0x10000000 - 0x1002f000 : vpnapi.dll (*** No ASLR, No Safeseh ***)

# Communication with another security researcher (who is a lot smarter and more experienced than I am) indicated that all the pre-auth memory corruption issues in this particular client had likely been weeded out. However, we did not talk about these images being leveraged in a different part of the attack lifecycle.

Google Chrome DLL:
 Message=*[+] 0x4ad00000 - 0x4b50b000 : icudt38.dll (*** No ASLR, No Safeseh ***)

GPGee:
 Message=*[+] 0x05570000 - 0x05702000 : GPGee.dll (*** No ASLR, No Safeseh ***)

SecureZIP:
 Message=*[+] 0x04fe0000 - 0x05167000 : PKArchive87U.dll (*** No ASLR, No Safeseh ***)


WinRAR:
 Message=*[+] 0x03210000 - 0x0323e000 : rarext.dll (*** No ASLR, No Safeseh ***)

Malware Bytes anti-malware:
 Message=*[+] 0x031f0000 - 0x03202000 : mbamext.dll (*** No ASLR, No Safeseh ***)

010 Hex editor:
 Message=*[+] 0x036f0000 - 0x03700000 : shlext010.dll (*** No ASLR, No Safeseh ***)

FileZilla shell extension:
 Message=*[+] 0x67080000 - 0x6709c000 : fzshellext.dll (*** No ASLR, No Safeseh ***)

TrueCrypt:
 Message=*[+] 0x00400000 - 0x00586000 : TrueCrypt.exe (*** No ASLR, No Safeseh ***)

Found by attaching to VMAuthdService:
 *[+] 0x00160000 - 0x0024e000 : libxml2.dll (*** No ASLR, No Safeseh ***)
 *[+] 0x10000000 - 0x1006a000 : vmcryptolib.DLL (*** No ASLR, No Safeseh ***)
 *[+] 0x00b20000 - 0x00bf9000 : iconv.dll (*** No ASLR, No Safeseh ***)

Again, nothing earth-shattering here, but an interesting survey of some typically deployed apps. With advances in exploitation techniques taking place constantly, it may be wise to audit your own apps in a similar way and reach for the uninstaller.
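As an added example (my own code, not the plugin's and not from the original post), the following Python script performs the header checks that a "No ASLR, No Safeseh" listing like the one above rests on, and it is the kind of audit the paragraph above suggests running over your own installs. It reads a PE file, tests IMAGE_OPTIONAL_HEADER.DllCharacteristics for the bits that /DYNAMICBASE and /NXCOMPAT set, and, for 32-bit images, follows the Load Config data directory to the SEHandlerTable that /SAFESEH emits. Because the plugin reads module headers out of process memory, it can use RVAs directly; this script reads files on disk, so it translates RVAs through the section table. The images it checks are constructed in memory by build_sample_pe32 (constructed test input, not real binaries), so it runs offline; the function names audit_pe, describe, audit_file and build_sample_pe32 are my own.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # linked with /NXCOMPAT (DEP)
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image never dispatches SEH
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
LOAD_CONFIG_DIR_INDEX = 10                       # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _rva_to_offset(rva, sections):
    """Translate an RVA into a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    return None


def audit_pe(data):
    """Report ASLR (/DYNAMICBASE), DEP (/NXCOMPAT) and SafeSEH status of the PE image in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    pe32 = magic == PE32_MAGIC
    # ImageBase is 4 bytes at +28 in PE32 and 8 bytes at +24 in PE32+; fields from +32 on line up.
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if pe32
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + (92 if pe32 else 108))[0]
    dirs = opt + (96 if pe32 else 112)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i   # section headers follow the optional header
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    result = {
        "arch": "PE32" if pe32 else "PE32+",
        "image_base": image_base,
        "size_of_image": size_of_image,
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "safeseh": None,   # None = not applicable (x64 unwinds via .pdata, not SEH chains)
    }
    if not pe32:
        return result
    if dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        result["safeseh"] = True   # the dispatcher refuses every handler in this image
        return result
    result["safeseh"] = False
    if ndirs > LOAD_CONFIG_DIR_INDEX:
        lc_rva, _lc_size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG_DIR_INDEX)
        lc_off = _rva_to_offset(lc_rva, sections) if lc_rva else None
        # IMAGE_LOAD_CONFIG_DIRECTORY32: Size at +0, SEHandlerTable at +64, SEHandlerCount at +68
        if lc_off is not None and lc_off + 72 <= len(data):
            if struct.unpack_from("<I", data, lc_off)[0] >= 72:
                table, _count = struct.unpack_from("<II", data, lc_off + 64)
                # A non-zero table pointer is what /SAFESEH emits; a count of 0 is a
                # valid "no handlers registered" table, so only the pointer decides.
                result["safeseh"] = table != 0
    return result


def describe(name, data):
    """Render one module in the style of the pvefindaddr 'nosafesehaslr' listing."""
    r = audit_pe(data)
    missing = []
    if not r["aslr"]:
        missing.append("No ASLR")
    if r["safeseh"] is False:
        missing.append("No Safeseh")
    tail = " (*** %s ***)" % ", ".join(missing) if missing else ""
    end = r["image_base"] + r["size_of_image"]
    return "*[+] 0x%08x - 0x%08x : %s%s" % (r["image_base"], end, name, tail)


def audit_file(path):
    """Audit a module on disk: the part you would point at your own installs."""
    with open(path, "rb") as fh:
        return describe(path.replace("\\", "/").rsplit("/", 1)[-1], fh.read())


def build_sample_pe32(dll_characteristics, with_safeseh):
    """Constructed test input (not a real binary): a minimal PE32 DLL with one
    section at RVA 0x1000 / file offset 0x200 that carries a load config
    directory when with_safeseh is True."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x10000000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # Section / file alignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if with_safeseh:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR_INDEX, 0x1000, 72)
    section = b".rdata\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    body = bytearray(0x200)
    if with_safeseh:
        struct.pack_into("<I", body, 0, 72)                          # Size
        struct.pack_into("<II", body, 64, 0x10001040, 1)             # SEHandlerTable (VA), SEHandlerCount
    return headers + bytes(body)
```

Calling describe("weak.dll", build_sample_pe32(0, False)) yields the same shape of line the plugin prints, "*[+] 0x10000000 - 0x10002000 : weak.dll (*** No ASLR, No Safeseh ***)", while an image built with the DYNAMIC_BASE bit and a load config directory gets no trailing warning. Two caveats are built in: SafeSEH only exists for 32-bit images, so a PE32+ module is reported as not applicable rather than as missing, and an image linked with the NO_SEH bit counts as safe because the exception dispatcher will not run any handler located in it.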

Kudos to Corelanc0d3r for his plugin, for the discussions we had about it, and for his code tweak to scan all process memory instead of just the currently loaded/attached process.
