Confidence 2010: Microsoft Patch Analysis – Patch Tuesday – Exploit Wednesday
By Yaniv Miron

Exploit Wednesday is the day after Patch Tuesday, the second Tuesday of the month, on which Microsoft releases its patches. While some people say it is impossible to write an attack in one day, Yaniv has seen it happen and tries to explain how.
This process is based on diffing: finding the differences between the old and the patched version of a binary file.
The comparison can be done on the same machine, or between two different versions of the OS (e.g. Windows XP and Vista).
The toolkit for a typical patch analysis consists of:
- Diff programs
- Compare programs
- Decompilers and compilers
- Different versions of Windows
Yaniv then demonstrated the creation of an exploit for MS10-005.
First, information from public sources was gathered to find out which program was affected, what the root cause of the vulnerability was, and in which versions of Windows the problem is present.
The next part is extracting the patch and analyzing it. The first thing that needs to be done is finding the files that will be updated. These files are then compared against the original files to find which functions have changed.
The changed functions are then converted to execution graphs, which are colored to highlight the amount of change in each part of the code. This is used to determine the interesting areas of the code. These interesting areas are then compared byte by byte and the differences analyzed.

We need to understand how the vulnerability works in order to determine how to write the exploit. Since MS10-005 deals with an integer overflow in Paint when handling the JPEG format, understanding the JPEG format is crucial.
Using this knowledge, a denial-of-service exploit could be generated. Yaniv demonstrated the process live.
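As an added illustration of the integer-overflow class mentioned above (constructed for this write-up, not code from the talk and not the actual MS10-005 root cause), here is a small parser for the JPEG SOF0 header with the unchecked size computation that this bug class relies on next to the hardened form a patch would introduce. The function names and the sample segment are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example: image dimensions from a baseline JPEG SOF0 segment.
   Layout: FF C0 | Lf(2) | P(1) | Y(2) | X(2) | Nf(1) | Nf * 3 bytes */
typedef struct { uint16_t height, width; uint8_t ncomp; } sof0_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 and fills *s, or -1 if the segment is truncated or malformed. */
static int parse_sof0(const uint8_t *seg, size_t len, sof0_t *s) {
    if (len < 10 || seg[0] != 0xFF || seg[1] != 0xC0) return -1;
    uint16_t lf = be16(seg + 2);
    s->height = be16(seg + 5);
    s->width  = be16(seg + 7);
    s->ncomp  = seg[9];
    /* Lf counts itself plus P, Y, X, Nf and the component table */
    if (seg[4] != 8 || s->ncomp < 1 || s->ncomp > 4) return -1;
    if (lf != 8 + 3u * s->ncomp || len < 2u + lf) return -1;
    if (s->height == 0 || s->width == 0) return -1;
    return 0;
}

/* The unsafe pattern: size computed in 32 bits and handed to an allocator.
   32768 x 32768 x 4 wraps to 0, so a tiny buffer receives a huge image. */
static uint32_t decoded_size_unchecked(const sof0_t *s) {
    return (uint32_t)s->height * s->width * s->ncomp;
}

/* Hardened form: widen before multiplying and reject anything that would
   not fit, which is the kind of check a patch for this bug class adds. */
static int decoded_size_checked(const sof0_t *s, uint32_t *out) {
    uint64_t bytes = (uint64_t)s->height * s->width * s->ncomp;
    if (bytes > UINT32_MAX) return -1;
    *out = (uint32_t)bytes;
    return 0;
}

/* Wrapper: 0 = safe size in *out, -1 = malformed header, -2 = size overflow */
static int jpeg_sof0_size(const uint8_t *seg, size_t len, uint32_t *out) {
    sof0_t s;
    if (parse_sof0(seg, len, &s) != 0) return -1;
    return decoded_size_checked(&s, out) == 0 ? 0 : -2;
}
```

Feeding `jpeg_sof0_size` a header declaring 32768 x 32768 pixels with 4 components returns -2, while the unchecked computation on the same header yields 0 bytes.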