2025-01-18 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
In this issue we look at how to analyze the exploitation techniques used against CVE-2021-1647. The article goes into some depth and approaches the material from a professional point of view; we hope you take something away from it.
Summary
The recently disclosed CVE-2021-1647 is a remote code execution (RCE) vulnerability in the MpEngine module of Windows Defender. The following analyzes the techniques used by the related sample from the exploitation side. The sample hash used by the author is: 6e1e9fa0334d8f1f5d0e3a160ba65441f0656d1f1c99f8a9f1ae4b1b1bf7d788.
Vulnerability principle
Windows Defender decides whether an executable is malicious or benign by emulating it. Emulation works at two levels: instruction emulation and runtime-environment emulation. The instruction-emulation layer translates instructions of the target platform (arm, x86, x64 and others) into an intermediate language (IL), which is then executed either by a JIT or by an interpreter. Runtime-environment emulation covers the memory subsystem, the file system, API calls and DLLs (the .vdm files in the same directory as MpEngine.dll are a compressed bundle of emulated DLL images). While emulating instructions, Defender also emulates the unpacking step when it meets a packed executable (see the UnpackerContext::Unpack function for details).
In the figure above, v2+28 (as the decompiler renders it) marks the start of a section array with four elements. Each element is 8 bytes: the first 4 bytes hold the section's virtual address and the last 4 bytes its size. The code walks the four-entry array, ends up with one sectionva and one sectionsize, and allocates sectionva + sectionsize bytes to hold the unpacked section contents. The computation of sectionva and sectionsize is wrong, however: the loop only handles the case section[i+1].va > section[i].va and ignores the case where the two are equal. With array values such as [0, 0], [0, 0], [0x2000, 0x3000] (the fourth entry did not survive extraction), the logic above arrives at an allocation of 0x2000 + 0 = 0x2000 bytes, so when the last section, whose size is 0x3000, is decompressed into that buffer the write runs past the end of the allocation: this is the heap overflow the rest of the analysis builds on.
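To make the arithmetic concrete, here is an added example, not code from the article or from MpEngine, that reimplements the section-selection loop as the article describes it next to a hardened version. The section table is constructed: the article gives [0, 0], [0, 0], [0x2000, 0x3000] and the result 0x2000 + 0, and the [0x2000, 0] entry is an assumption placed so that the loop reproduces that result.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One entry of the unpacker's section table as the article describes it:
 * 8 bytes, the first 4 the section's virtual address, the last 4 its size. */
typedef struct {
    uint32_t va;
    uint32_t size;
} section_t;

/* Reconstruction of the flawed selection loop: an entry is only taken when its
 * VA is strictly greater than the previous entry's VA, so two entries with the
 * same VA are never compared by size and the larger one can be dropped.
 * Returns the buffer size the loop would allocate (va + size). */
uint32_t buggy_alloc_size(const section_t *s, size_t n) {
    uint32_t va = s[0].va, size = s[0].size;
    for (size_t i = 0; i + 1 < n; i++) {
        if (s[i + 1].va > s[i].va) {     /* the == case is ignored */
            va = s[i + 1].va;
            size = s[i + 1].size;
        }
    }
    return va + size;
}

/* Hardened version: the buffer must cover the end of every section, so take
 * the largest va + size over all entries, computed in 64 bits so a crafted
 * table cannot wrap the sum (a caller would reject anything above 4 GiB). */
uint64_t required_alloc_size(const section_t *s, size_t n) {
    uint64_t need = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t end = (uint64_t)s[i].va + s[i].size;
        if (end > need) need = end;
    }
    return need;
}

/* Does a section of (va, size) fit inside a buffer of alloc bytes? */
int section_fits(const section_t *sec, uint64_t alloc) {
    return (uint64_t)sec->va + sec->size <= alloc;
}

/* Constructed table. The article lists [0,0], [0,0], [0x2000,0x3000] and the
 * result 0x2000 + 0; the [0x2000,0] entry is an assumption placed so that the
 * flawed loop above reproduces that result. */
#define NSECTIONS 4
const section_t k_sections[NSECTIONS] = {
    {0x0000, 0x0000}, {0x0000, 0x0000}, {0x2000, 0x0000}, {0x2000, 0x3000},
};

int main(void) {
    uint32_t bad = buggy_alloc_size(k_sections, NSECTIONS);
    uint64_t good = required_alloc_size(k_sections, NSECTIONS);
    const section_t *last = &k_sections[NSECTIONS - 1];
    printf("buggy allocation 0x%x, required 0x%llx\n", bad, (unsigned long long)good);
    printf("last section (va 0x%x, size 0x%x) fits buggy buffer: %s\n", last->va, last->size,
           section_fits(last, bad) ? "yes" : "no, heap overflow");
    return 0;
}
```

The flawed loop returns 0x2000 for this table while the last section alone needs 0x5000 bytes; any unpacker that sizes its output buffer this way writes 0x3000 bytes into a 0x2000-byte heap chunk.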
Exploitation techniques
1. Determining the version-specific offsets
The following function is called at the beginning of the sample:
When first analyzing the sample, the author assumed this address belonged to a Defender module loaded without ASLR, or that it was an anti-debugging trick relying on exception handling; that turned out to be a big mistake. When Defender emulates the sample, none of the memory addresses refer to the real host: they are addresses inside Defender's emulated address space. In other words, 0x7c96c654 is an address in the emulated memory space and corresponds to a piece of code in an emulated DLL module, ntdll.dll (the emulated ntdll.dll can be obtained by decompressing mpasbase.vdm in the same directory as mpengine.dll):
Note the two bytes 0x0f 0xff at the end of the function: they mark a native API call, and the four bytes that follow, 0x9E9EFDF0, are a CRC value identifying the native API function being called. The so-called native APIs are a set of functions that mpengine.dll exposes to emulated code. This particular call ends up in MpEngine's NTDLL emulation routine for NtControlChannel, so the call to 7C96C654 in the sample actually invokes MpEngine's emulated NtControlChannel. Its first parameter is a function number; the value 3 used by the sample requests Defender's version information. The sample obtains the version this way and then selects hard-coded key offsets for each known version.
2. Heap grooming and overwriting key fields
The sample contains a large amount of SuspendThread and ResumeThread call code, which is actually used to shape the heap and hold placeholder allocations. After the heap overflow, an lfind object laid out directly behind the overflowed heap memory is modified: two key fields in the lfind object are changed to 2f9b and 2f9c (their original values are 107e and 107f). These two fields are referenced in lfind_switch::switch_in (which is reached when the emulated ResumeThread call is executed):
v20 in the figure above is the 2f9b/2f9c value. Because the modified value is larger than the normal one, the access goes out of bounds, and the out-of-bounds write (rendered by the decompiler as roughly *(v20 + *(v16 + 144)) = 3) is the key to the exploit: it modifies a key field in vmmcontrol. The purpose of that field is explained in part 3.
3. Obtaining arbitrary read and write
The EmuVaddrNode structure maintains the mapping between emulated memory addresses and real memory addresses; the structures exist in memory as an array.
To make address translation efficient, Defender also keeps an index array (2 bytes per entry) holding indices into the EmuVaddrNode array, sorted by EmuPageNum in ascending order. Suppose the EmuVaddrNode array has three elements whose EmuPageNum fields are 0x2000, 0x1000 and 0x5000; the index array would then normally contain 1, 0, 2 (each an index into the EmuVaddrNode array). The layout of the EmuVaddrNode array and the index array in real memory is shown below (left to right is low to high address):
That is, the index array is followed by the EmuVaddrNode array, and the EmuVaddrNode array is followed by the Page. Page is the real memory Defender allocates to back the emulated address space; the Vaddr field of each EmuVaddrNode points into that page region.
Finally, back to the key field in vmmcontrol that part 2 modified: it records how many elements the index array has. If that value is made large enough that the start of the index array + count * 2 reaches past the Page, and the contents of the Page are under our control, we can place whatever we want in the Page simply by having Defender emulate *p = value. First we forge an index entry in the Page whose value is far larger than the number of entries in the EmuVaddrNode array. When Defender now emulates an instruction like *p = value, it first fetches that forged index from our fake index array in the Page. Next we forge an EmuVaddrNode structure in the Page; the forged index leads Defender to that forged node, and because its Vaddr is ours to choose we obtain arbitrary read and write. A write is performed by having Defender emulate *p = value, and a read by having it emulate value = *p. Readers with browser or kernel exploitation experience will recognize the pattern: corrupt a length field, forge an object and its pointer field, and end up with arbitrary read/write.
4. Gaining code execution
In Defender, frequently executed code fragments are JIT-compiled, and the prolog and epilog fragments normally live in JIT memory. Once arbitrary read/write is available, the sample first obtains the real address of the JIT region through a hard-coded offset, sets the Vaddr of an EmuVaddrNode to that real address, and writes shellcode into the JIT region by emulating memcpy(EmuPageNum, shellcode, sizeof(shellcode)). From then on, as soon as the JIT-compiled function is used, the shellcode executes.
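The following is an added toy model, not MpEngine code, of the index array / EmuVaddrNode / Page arrangement described in part 3 and of the write into JIT memory from part 4. Field names follow the article; the flat 1 MiB arena, the offsets, the 4 KiB page granularity, the linear scan in place of the sorted search, and the use of arena offsets instead of raw pointers are all assumptions. The model shows why an inflated index_count plus attacker-controlled Page contents yields a controllable Vaddr, and what a bounds-checked translation does with the same forged state.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy model of the structures the article names. Field names follow the
 * article; the flat 1 MiB arena, the offsets and the use of arena offsets in
 * place of raw pointers are assumptions that keep a forged index inside the
 * process. This is not MpEngine's real layout. */
#define ARENA_SIZE (1u << 20)
#define PAGE_SHIFT 12
#define PAGE_MASK  0xfffu

typedef struct {
    uint32_t EmuPageNum;   /* emulated page number */
    uint32_t Vaddr;        /* arena offset of the real backing memory */
} EmuVaddrNode;

typedef struct {
    uint32_t index_off;    /* arena offset of the uint16_t index array */
    uint32_t index_count;  /* the "key field" the heap overflow corrupts */
    uint32_t nodes_off;    /* arena offset of the EmuVaddrNode array */
    uint32_t node_count;
} VmmControl;

/* Layout as in the article: [index array][EmuVaddrNode array][Page ...]. */
enum { INDEX_OFF = 0x100, NODES_OFF = 0x200, PAGE_OFF = 0x1000, JIT_OFF = 0x80000 };
static uint8_t arena[ARENA_SIZE];
static uint16_t rd16(uint32_t off) { uint16_t v; memcpy(&v, arena + off, 2); return v; }
static EmuVaddrNode rdnode(uint32_t off) { EmuVaddrNode n; memcpy(&n, arena + off, sizeof n); return n; }

/* Vulnerable translation: trusts index_count and never checks that an index read
 * from the index array is below node_count (linear scan stands in for the sorted search). */
uint32_t emu_translate_vuln(const VmmControl *vc, uint32_t emu_addr) {
    uint32_t pn = emu_addr >> PAGE_SHIFT;
    for (uint32_t i = 0; i < vc->index_count; i++) {
        uint16_t ni = rd16(vc->index_off + 2 * i);                          /* may be forged */
        EmuVaddrNode n = rdnode(vc->nodes_off + ni * sizeof(EmuVaddrNode)); /* may lie in Page */
        if (n.EmuPageNum == pn) return n.Vaddr + (emu_addr & PAGE_MASK);
    }
    return UINT32_MAX;
}

/* Hardened translation: scans no more entries than there are nodes and rejects
 * any index outside the node array, so forged entries in Page are unreachable. */
uint32_t emu_translate_safe(const VmmControl *vc, uint32_t emu_addr) {
    uint32_t pn = emu_addr >> PAGE_SHIFT;
    uint32_t count = vc->index_count < vc->node_count ? vc->index_count : vc->node_count;
    for (uint32_t i = 0; i < count; i++) {
        uint16_t ni = rd16(vc->index_off + 2 * i);
        if (ni >= vc->node_count) return UINT32_MAX;
        EmuVaddrNode n = rdnode(vc->nodes_off + ni * sizeof(EmuVaddrNode));
        if (n.EmuPageNum == pn) return n.Vaddr + (emu_addr & PAGE_MASK);
    }
    return UINT32_MAX;
}

/* Emulated byte store `*p = value` through the vulnerable translation. */
int emu_store8(const VmmControl *vc, uint32_t emu_addr, uint8_t value) {
    uint32_t off = emu_translate_vuln(vc, emu_addr);
    if (off == UINT32_MAX || off >= ARENA_SIZE) return -1;
    arena[off] = value;
    return 0;
}

/* The article's example (nodes with page numbers 0x2000/0x1000/0x5000, index
 * array 1,0,2), then the staging from part 3: ordinary emulated stores plant a
 * fake index entry and a fake EmuVaddrNode in Page 0x2000, and index_count
 * gets the inflated value the overflow write gives it. */
static void stage(VmmControl *vc) {
    EmuVaddrNode nodes[3] = { {0x2000, PAGE_OFF}, {0x1000, PAGE_OFF + 0x1000}, {0x5000, PAGE_OFF + 0x2000} };
    uint16_t index[3] = { 1, 0, 2 };
    memset(arena, 0, sizeof arena);
    memcpy(arena + NODES_OFF, nodes, sizeof nodes);
    memcpy(arena + INDEX_OFF, index, sizeof index);
    vc->index_off = INDEX_OFF; vc->index_count = 3;
    vc->nodes_off = NODES_OFF; vc->node_count = 3;
    uint32_t page = 0x2000u << PAGE_SHIFT;                        /* emulated VA of Page 0 */
    uint16_t fake_ni = (uint16_t)((PAGE_OFF + 0x10 - NODES_OFF) / sizeof(EmuVaddrNode));
    EmuVaddrNode fake = { 0x7777, JIT_OFF };                      /* Vaddr of our choosing */
    uint8_t raw[sizeof fake];
    memcpy(raw, &fake, sizeof fake);
    emu_store8(vc, page + 0, (uint8_t)(fake_ni & 0xff));          /* fake index, little-endian */
    emu_store8(vc, page + 1, (uint8_t)(fake_ni >> 8));
    for (size_t k = 0; k < sizeof raw; k++) emu_store8(vc, page + 0x10 + k, raw[k]);
    vc->index_count = 0x1000;                                      /* the overflow's effect */
}

/* Resolve the forged page 0x7777 with either translation. */
uint32_t forged_lookup(int hardened) {
    VmmControl vc; stage(&vc);
    return hardened ? emu_translate_safe(&vc, 0x7777u << PAGE_SHIFT)
                    : emu_translate_vuln(&vc, 0x7777u << PAGE_SHIFT);
}

/* Part 4 in miniature: write one byte through the forged node into the "JIT"
 * region and report what now sits there. */
uint8_t forged_write(uint8_t value) {
    VmmControl vc; stage(&vc);
    emu_store8(&vc, 0x7777u << PAGE_SHIFT, value);
    return arena[JIT_OFF];
}
```

With the vulnerable translation, forged_lookup(0) resolves emulated page 0x7777 to JIT_OFF, the offset we planted in the fake node, and forged_write lands a byte there; the hardened translation stops at node_count entries, so the same forged state resolves to nothing. Clamping the scan length and validating every index against node_count are the two checks that close the primitive in this model.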
Detection principle
Because the sample is triggered while Defender emulates it, a rule that only matches a few characteristic strings in the sample would be easy to bypass. The author suggests combining the following information into a signature:
1. Characteristics of the ASProtect packer.
2. The content shown in the figure above is the check MpEngine performs on the unpacked data; the heap overflow is only triggered when it passes, so the assignments *(memory) = 0x8d; *(memory+1) = 0x85; *(memory+6) = 0x50; *(memory+7) = 0xc3 can be matched.
3. The sample obtains version information through NtControlChannel in order to select its offsets, so a call to NtControlChannel can be used as a matching criterion.
4. The other emulated calls the sample makes to achieve a stable memory layout.
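As an added example, not from the article, the two byte-level indicators above (the unpacked-content check in item 2 and the 0f ff native-API call marker from the section on version detection) are expressed as masked patterns over a buffer. The input is a constructed byte string; the little-endian reading of the four id bytes and the x86 decoding of 8d 85 .. .. .. .. 50 c3 as lea eax,[ebp+disp32]; push eax; ret are my interpretation, not stated by the article. The 0f ff pattern lives in the emulated ntdll extracted from the vdm, not in the sample itself, which only reaches it through a call at emulation time.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* A masked byte pattern: mask[i] == 1 means bytes[i] must match, 0 is a wildcard. */
typedef struct {
    const char    *name;
    const uint8_t *bytes;
    const uint8_t *mask;
    size_t         len;
} pattern_t;

/* Pattern 1, the unpacked-content check the article quotes: bytes 0,1,6,7 must be
 * 8d 85 .. .. .. .. 50 c3 (on x86 that reads lea eax,[ebp+disp32]; push eax; ret). */
static const uint8_t P1_B[] = {0x8d, 0x85, 0, 0, 0, 0, 0x50, 0xc3};
static const uint8_t P1_M[] = {1, 1, 0, 0, 0, 0, 1, 1};
const pattern_t P_UNPACKED_STUB = {"unpacked-stub", P1_B, P1_M, sizeof P1_B};

/* Pattern 2, the native-API call marker in the emulated ntdll: 0f ff followed by
 * a 4-byte id. The id is left as a wildcard and read out separately, so every
 * native call site is reported, not only NtControlChannel's. */
static const uint8_t P2_B[] = {0x0f, 0xff, 0, 0, 0, 0};
static const uint8_t P2_M[] = {1, 1, 0, 0, 0, 0};
const pattern_t P_NATIVE_CALL = {"native-api-call", P2_B, P2_M, sizeof P2_B};

/* Offsets of every match of p in buf[0..n); returns the total count and stores
 * up to max of them in out. */
size_t find_pattern(const uint8_t *buf, size_t n, const pattern_t *p, size_t *out, size_t max) {
    size_t hits = 0;
    if (p->len == 0 || n < p->len) return 0;
    for (size_t off = 0; off + p->len <= n; off++) {
        size_t k = 0;
        while (k < p->len && (!p->mask[k] || buf[off + k] == p->bytes[k])) k++;
        if (k == p->len) { if (hits < max) out[hits] = off; hits++; }
    }
    return hits;
}

/* The 32-bit id that follows an 0f ff marker at off (assumed little-endian, so
 * the bytes f0 fd 9e 9e read as 0x9E9EFDF0 as in the article). */
uint32_t native_call_id(const uint8_t *buf, size_t n, size_t off) {
    if (off + 6 > n) return 0;
    return (uint32_t)buf[off + 2] | (uint32_t)buf[off + 3] << 8 |
           (uint32_t)buf[off + 4] << 16 | (uint32_t)buf[off + 5] << 24;
}

/* Constructed input standing in for unpacked bytes: a near miss for pattern 1
 * (ends in c2), a real hit, a decoy 0f fe, then a native-call stub carrying the
 * article's id. */
const uint8_t k_blob[] = {
    0x90, 0x90, 0x8d, 0x85, 0x10, 0xff, 0xff, 0xff, 0x50, 0xc2,
    0x8d, 0x85, 0xf0, 0xfe, 0xff, 0xff, 0x50, 0xc3,
    0x0f, 0xfe, 0x00, 0x00, 0x00, 0x00,
    0x0f, 0xff, 0xf0, 0xfd, 0x9e, 0x9e, 0xc3,
};
const size_t k_blob_len = sizeof k_blob;

/* Offset of the first hit of p in k_blob, or SIZE_MAX if none. */
size_t first_hit(const pattern_t *p) {
    size_t off;
    return find_pattern(k_blob, k_blob_len, p, &off, 1) ? off : SIZE_MAX;
}

/* Scan a buffer and report both patterns. */
static void report(const uint8_t *buf, size_t n) {
    const pattern_t *ps[] = { &P_UNPACKED_STUB, &P_NATIVE_CALL };
    for (size_t i = 0; i < 2; i++) {
        size_t offs[16];
        size_t hits = find_pattern(buf, n, ps[i], offs, 16);
        printf("%s: %zu hit(s)\n", ps[i]->name, hits);
        for (size_t j = 0; j < hits && j < 16; j++) {
            if (ps[i] == &P_NATIVE_CALL)
                printf("  offset 0x%zx  id 0x%08X\n", offs[j], native_call_id(buf, n, offs[j]));
            else
                printf("  offset 0x%zx\n", offs[j]);
        }
    }
}

/* With a path argument, scan that file (e.g. a module extracted from the vdm);
 * otherwise scan the constructed blob. */
int main(int argc, char **argv) {
    if (argc < 2) { report(k_blob, k_blob_len); return 0; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    uint8_t *buf = malloc(sz > 0 ? (size_t)sz : 1);
    size_t n = buf ? fread(buf, 1, (size_t)sz, f) : 0;
    fclose(f);
    if (buf) report(buf, n);
    free(buf);
    return 0;
}
```

The near miss shows why the fixed bytes at offsets 6 and 7 matter: 8d 85 alone is a common lea prefix, and only the trailing 50 c3 turns it into the stub the engine checks for. Run against a module unpacked from the vdm, the second pattern enumerates all native-call sites and their ids, which is the quickest way to confirm which id corresponds to NtControlChannel.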