Confidence 2010: Microsoft Patch Analysis – Patch Tuesday – Exploit Wednessday
By Yaniv Miron
lolcat adaptation #3, a Creative Commons Attribution No-Derivative-Works (2.0) image from kevinsteele's photostream
Exploit wednessday ois the day after patch Tuesday, the second Tuesday of the month when Microsoft releases its patches. While some people say it’s impossible to write an attack in one day, Yaniv has seen it happen and tries to explain how.
This process is based on diffing. Diffing means finding the differences between the old and the patched version of the binary file.
This could be done on the same machine, or between two different versions of the OS (e.g. Windows XP and Vista).
The toolkit for a typical patch analysis consists of:
- Diff programs
- Compare programs
- Decompiles and compilers
- Different versions of windows
Yaniv, then went off to demonstrate a to us the creation of an exploit for MS10-005.
First of all information from public source was gathered to find out which program was effected, what the root cause of the vulnerability was and in which version of Windows the problem is present.
The next part is extracting the patch and analyzing it. First this that needs to be done is finding the files that will be updated. The these files will be compared against the original file, just to find which functions have been changed.
new about uploading a file to a web server and then executing it, using SQL injection to do it is a novelty. By using a Zlib compress, base64 encoded payload and uploading them via SQL injection the speaker would be able to bypass standard defenses like extension limiting and file type checking.