3 Outlook
-- The mountains are high and the moon is small.
The greatest truths are no more than two, three and four. In my opinion, though, only those who have traced through memory, stared at registers and been driven to distraction by inexplicable problems are entitled to talk about the "Tao". Let us take a look at the scenery beyond the mountains.
3.1 Magic Wave, the worm!
As far as programming technique goes, there is no essential difference between making a remote machine "hack", binding a command shell as a backdoor, and formatting its disk. Perhaps once one's technique reaches a certain level a kind of loneliness sets in, and someone writes a program that uses the vulnerability to copy itself from machine to machine across the network. That is a worm.
Because MS06-040 cannot be exploited successfully on XP SP2, the affected machines are concentrated on Windows 2000 and earlier XP systems, so the affected population is smaller. In addition, the RPC call needs ports 139 and 445, and these two ports have been blocked outright by most gateway routers since the Shock Wave era. From a network perspective, therefore, this worm does not cause congestion or paralysis.
Personally, however, I do not think the danger has completely passed. The worm broke out during the school holidays, so its impact may not have been obvious at the time. Now that colleges and universities are back in session, a large number of campus network users have been unable to update their patches, so vigilance is warranted.
I do not want to spend space here on a reverse analysis of Magic Wave. In the spirit of study and of improving technique, I have put the shellcode part of Magic Wave in the attachment; as for the complete code and executable PE samples, forgive me for not publishing them here, because I could not bear the responsibility if a few hot-blooded friends used these materials to produce a few worm variants.
The main behaviour of Magic Wave is to open a backdoor and turn the target into a remote "zombie" machine, which sets it apart from worms written purely for propagation. It happens that two PhD students in our research group work on exactly this, so I will say a few more words on their behalf.
The main idea in current worm research is to extract features from network behaviour for early warning and control. Simply put, a worm sends out a large number of scanning packets as it propagates, which makes specific kinds of packets grow exponentially in the network and occupy a large amount of bandwidth. By monitoring the network in real time, researchers extract features such as protocol type, protocol proportion, flow and timing from the traffic for detection. Once a worm outbreak is discovered, a mathematical model of its spread can be built to predict and control it. A great deal of stochastic-process and statistical knowledge is generally used to analyse network behaviour; for example, using hidden Markov models to process random time-series data has recently become popular in this field. For prediction and control, an epidemic model is usually used to set up a system of equations. If you are interested, you can find a great many papers on IEEE and ACM, or search for them through EI or SCI. Articles of this kind, however, are the so-called "Tao" articles: full of partial differential equations, with hardly a register state in sight.
Another emerging research area is worm propagation in IPv6. Technically there seems to be no qualitative difference from our experiment: it is nothing more than replacing Beep() in the shellcode with IPv6 network operations. From an academic point of view there also seems to be no great difference; it is still epidemic prediction theory. Still, one important difference between IPv4 and IPv6 is the larger address space. If a worm in this sparse address space scans for target hosts at random, as traditional worms do, then when we build the mathematical model we find that the curves of infected-host count under the two protocols look almost the same, both exponential, but the time axes are completely different: in IPv4 the infection progresses in seconds and minutes, while in IPv6 it progresses in XXXX years!
Of course, in my opinion a propagation difficulty predicted by theory can also push hacking technique forward. The next generation of IPv6 worms will need new ideas in propagation; discovering target hosts will be a challenge, random scanning is not viable, and other techniques and protocols could be tried, such as spreading host information through DNS and ARP.
When IPv6 worms appear, the propagation model will also change a great deal, and many new academic results may emerge. It really is attack and defence improving together.
For this material, see the article "Worm Propagation Model and Analysis in IPv6 networks" published by a PhD student of the research group in the August issue of the Computer Journal. They are the experts in this field.
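Added example (not from the original article or the research group's paper): the random-scanning SI epidemic model the paragraphs above describe, with the closed-form time to a given infected fraction and a forward-Euler cross-check. The figures are constructed: one million vulnerable hosts, 100 probes per second per infected host, a 32-bit address space versus a single 64-bit IPv6 subnet.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def time_to_fraction(vulnerable, address_space, scan_rate, fraction, initial=1):
    """Closed-form time (seconds) until a random-scanning worm has infected
    `fraction` of the `vulnerable` hosts.  SI model: dI/dt = beta*I*(N-I), where
    beta = scan_rate / address_space is the chance that one probe hits a given host."""
    beta = scan_rate / address_space
    growth = beta * vulnerable                     # exponent of the early exponential phase
    odds = (vulnerable / initial - 1) * fraction / (1 - fraction)
    return math.log(odds) / growth


def simulate_to_fraction(vulnerable, address_space, scan_rate, fraction,
                         dt=1.0, initial=1, max_steps=10**7):
    """Forward-Euler integration of the same ODE; returns the time at which the
    target fraction is first reached.  The curve is exponential, then saturates."""
    beta = scan_rate / address_space
    infected, t = float(initial), 0.0
    for _ in range(max_steps):
        if infected >= fraction * vulnerable:
            return t
        infected += beta * infected * (vulnerable - infected) * dt
        t += dt
    raise RuntimeError("target fraction not reached within max_steps")


def compare_address_spaces(vulnerable=1_000_000, scan_rate=100.0, fraction=0.5):
    """Same worm, same vulnerable population; only the address space differs
    (constructed numbers).  The IPv6 figure uses one /64 subnet, not all of IPv6."""
    ipv4 = time_to_fraction(vulnerable, 2**32, scan_rate, fraction)
    ipv6 = time_to_fraction(vulnerable, 2**64, scan_rate, fraction)
    return {"ipv4_minutes": ipv4 / 60, "ipv6_years": ipv6 / SECONDS_PER_YEAR}


if __name__ == "__main__":
    print(compare_address_spaces())
```

With these inputs the IPv4 population is half infected in roughly ten minutes, while the IPv6 curve has the same shape but a time axis measured in tens of thousands of years.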
3.2 Patched: no holes left to drill?
After enjoying the pleasure of the overflow, do you want to see what Microsoft's patch modified? I have provided the netapi32.dll versions from before and after the patch in the attachment; check them with IDA. In the length check, the limit of 0x411 before the patch has been changed to 0x208 after it. I also provide the DLLs from before and after the XP SP2 patch, and you may wish to see what changed there. Besides NetpwPathCanonicalize(), MS06-040 covers other issues that will not be discussed here; interested readers can refer to the 0x557 analysis mentioned above.
Being able to drill a hole presupposes that there is a hole to drill; otherwise, once the patch is out, the worm has no path left. Here I want to talk about how 0-days are mined.
A 0-day is a vulnerability that can be exploited successfully and that Microsoft either does not know about, or knows about but has not published. Whoever holds a 0-day can take almost every machine in the world. Before it was published, the MS06-040 we discussed was undoubtedly a 0-day that a few big players had been playing with in private. Whether for hackers, for Microsoft, for the military or for security companies, the 0-day is of great significance. Being able to exploit a vulnerability is only a little technical knowledge; the 0-day is the real success story.
In fact, on the basis of our experiment, we can slightly modify the RPC overflow code and enrich the interface and function definitions in the IDL to obtain our own RPC function vulnerability-mining tool. Where the remote function expects an int, send a long; where it expects a pointer, send NULL, and so on; stuff strings with over-long data. In short, combine every factor that might cause an error and send them to the function one by one to see how it responds. You can write a program to test the RPC-callable remote functions one by one, and if you find a crash, use the debugging method described earlier to check its cause and whether the stack and register state are usable. With luck, you hit a 0-day.
I came back from this year's XCon (Security Focus Information Security Technology Summit) with a lot of feelings. Four of the 14 speakers dealt with vulnerability-mining methods. The code-auditing attempts by Funnyway and CoolQ show the hacker spirit; the RPC vulnerability fuzzing demonstrated by Dave bears directly on the technique itself; and finally the views on 0-days presented by Microsoft's Adrian strongly encourage people with lofty ideals to join this field. Next I will talk about my own understanding of and opinions on this field, based on my personal research.
In fact, the 0-day hunting method in the previous section is the fuzz method widely used in industry. Fuzzing is really the black-box testing of software engineering, and such fuzz tests can be run against protocols, APIs and software. Its advantage is that there are no false positives, although some of the runtime errors it finds may not be exploitable. Its disadvantage is that you cannot exhaust every input: even if fuzzing finds no fault, that does not prove a system is safe.
Academia prefers to use algorithms that search directly for vulnerabilities in the program's logic. There are many methods and theories here, such as data-flow analysis, type systems, bounds-checking systems and state-machine systems. The advantage of this approach is that every path in the program flow can be searched; the disadvantage is that it produces false positives very easily.
Six months ago I spent some time studying code-level vulnerability mining. The method used was roughly the static analysis technique listed above, and a demo version was produced to analyse SQL injection vulnerabilities in PHP scripts. After that study I felt deeply that static code analysis theory is still a long way from industrial use. The outstanding problem is the large number of false positives. I personally think every theory in this area faces the same tricky problem: it is the natural defect of static analysis when handling complex conditional branches and loops driven by dynamic factors in the program logic. To make a substantial breakthrough, static analysis algorithms must face the challenge of "thoroughly understanding" the program logic, which really involves context-sensitive grammars in formal language theory, whereas compiler theory and state-machine theory have only evolved to the stage of interpreting context-free grammars.
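As an added illustration (my own toy, not the demo mentioned above), a flow-insensitive taint analysis over a few lines of PHP: it catches an unsanitized request parameter reaching mysql_query(), passes the intval() case, and then raises a false positive when the protection is a conditional guard, which is exactly the defect described above. The PHP fragments are constructed for the example.

```python
import re

SOURCE = re.compile(r"\$_(GET|POST|COOKIE)\[")          # request data enters here
SANITIZER = re.compile(r"\b(intval|mysql_real_escape_string)\(|\(int\)")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);")
SINK = re.compile(r"mysql_query\((.*)\)")               # query built from a string
VAR = re.compile(r"\$\w+")


def find_sqli(php_lines):
    """Flow-insensitive taint analysis.  A variable becomes tainted when it is
    assigned from a request source or another tainted variable without passing
    through a sanitizer; a sink that interpolates a tainted variable is reported
    as (line number, [tainted variables]).  Conditions are ignored entirely,
    which is where the false positives come from."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php_lines, 1):
        m = ASSIGN.match(line)
        if m:
            target, rhs = m.groups()
            dirty = bool(SOURCE.search(rhs)) or any(v in tainted for v in VAR.findall(rhs))
            if dirty and not SANITIZER.search(rhs):
                tainted.add(target)
            else:
                tainted.discard(target)   # clean reassignment clears the taint
            continue
        s = SINK.search(line)
        if s:
            used = [v for v in VAR.findall(s.group(1)) if v in tainted]
            if used:
                findings.append((lineno, used))
    return findings


# Constructed PHP fragments (not from the article).
TRUE_POSITIVE = [
    "$id = $_GET['id'];",
    'mysql_query("SELECT * FROM users WHERE id = $id");',
]
TRUE_NEGATIVE = [
    "$id = intval($_GET['id']);",
    'mysql_query("SELECT * FROM users WHERE id = $id");',
]
FALSE_POSITIVE = [            # safe at runtime: the guard dies on non-numeric input
    "$id = $_GET['id'];",
    "if (!is_numeric($id)) { die('bad id'); }",
    'mysql_query("SELECT * FROM users WHERE id = $id");',
]

if __name__ == "__main__":
    for name, src in [("true positive", TRUE_POSITIVE), ("true negative", TRUE_NEGATIVE),
                      ("false positive", FALSE_POSITIVE)]:
        print(name, find_sqli(src))
```

Making the analyser understand the is_numeric() guard means reasoning about the branch condition and the die() that follows it, the path-sensitivity problem the paragraph above points to.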
If static code analysis makes a breakthrough in interpreting grammar, it may become possible to prove mathematically that a piece of software has no defects! Such progress would be not only an advance in vulnerability mining but, more importantly, a leap in the formal language and logic that underlie the computer, comparable to the achievements of the line of logic masters Leibniz, Gödel, Boole, Turing and von Neumann. More than 50 years after Jordan's grammar system was introduced, compiler theory and technology are flourishing, yet the languages a computer can "read" remain limited to context-free grammars. Consider how beautiful things would be if a computer could handle context-sensitive grammars or even Turing machines: when VC compiles your program, it tells you where there is an infinite loop, where memory leaks, and under what circumstances a pointer goes astray...... The compiler would check not only syntax but also logic. In software engineering the pressure on both development and testing would drop enormously, the entire computer industry would take a leap, and of course our vulnerability-mining tools would become more intelligent --
It's just that on that day, hackers may all be laid off :)