We have developed a system that discovers 0day vulnerabilities automatically.
Finding bugs automatically
The leader of this project is Attila Marosi-Bauer. In his free time, he likes to dive deep into reverse engineering to get a better understanding of how these products operate and, more importantly, to find the vulnerabilities and weaknesses of this kind of software.
Ok, we admit that we are obsessed with finding software bugs on Windows systems. One of the easiest test setups is to run the application under test while Sysinternals ProcMon or any other system monitoring tool is running, collecting information about the interaction between the application and the operating system. After harvesting enough behaviour information, whoever can query it well may find software vulnerabilities.
- DLL search order hijacking
- DLL injection
- DLL hijack
- loading a DLL via COM objects (COM object hijacking)
- here we have the same ability: hijack and/or add a DLL to the application (depending on the application)
- start a VM
- start monitoring tools
- harvest collected data
It was pretty clear at the beginning of this process that simply grepping the logs for “NOT FOUND” and the like would produce more false-positive records than valuable hints.
So we decided to create a system that can “rebuild” processes from the logs and understand the events in the order they occur. With this approach, the system can easily distinguish between events that are good for nothing (taking care of them is just a waste of time) and events that may highlight vulnerabilities that can certainly be exploited.
- dll hijack
- com object hijack
How deep is the rabbit hole?
VMware Workstation 14.1.5 / VMware Player 15 – Host VMX Process COM Class Hijack Privilege Escalation
- can be hijacked by CLSID
- can be hijacked by dll injection
- or any of the vulnerabilities can be turned into a privilege escalation
- 5 COM objects are used by the process
- DLLLoaded: True = Of the 5, only 3 were loaded during the analysis. This is one of the best features of the tool: according to the logs there were many, many COM actions, but only these give you a chance to exploit them.
- DLLLoaded: False = These are the COM objects that were queried by the process but not loaded during the analysis. Maybe later, under other circumstances, there will be an event that leads to a DLL load, but in our analysis they did not load.
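An added example (not part of the original post or of the S(H)ELOB tool) of the “rebuild the process from the logs” idea: constructed lines in the column layout of a ProcMon CSV export are grouped per process, failed DLL probes are collected, and each is marked DLLLoaded True/False depending on whether that same process later loaded a DLL of that name from another location. The column names, process names and paths are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of a ProcMon CSV export; not a real capture.
# app.exe misses helper.dll in its own directory, then loads it from System32 (DLLLoaded=True);
# optional.dll is never found anywhere (DLLLoaded=False); settings.ini is unrelated noise.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","app.exe","4242","CreateFile","C:\\Program Files\\App\\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0002","app.exe","4242","CreateFile","C:\\Windows\\System32\\helper.dll","SUCCESS","Desired Access: Read"
"10:00:01.0003","app.exe","4242","Load Image","C:\\Windows\\System32\\helper.dll","SUCCESS","Image Base: 0x7ff0"
"10:00:01.0004","app.exe","4242","CreateFile","C:\\Program Files\\App\\optional.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0005","app.exe","4242","CreateFile","C:\\Windows\\System32\\optional.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.0006","app.exe","4242","CreateFile","C:\\Program Files\\App\\settings.ini","NAME NOT FOUND","Desired Access: Read"
"10:00:02.0001","other.exe","5151","Load Image","C:\\Windows\\System32\\helper.dll","SUCCESS","Image Base: 0x7ff1"
"""


def find_dll_probes(csv_text):
    """Rebuild each process's event stream in time order and return the DLL probes
    that failed (NAME NOT FOUND), annotated with whether the *same* process later
    loaded a DLL of that name from another directory (the DLLLoaded flag).
    A plain grep for NOT FOUND would also return settings.ini and could not tell
    the helper.dll and optional.dll cases apart."""
    by_proc = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_proc[(row["Process Name"], row["PID"])].append(row)  # file order == time order

    findings = []
    for (proc, pid), events in by_proc.items():
        probes = {}  # dll basename -> finding for this process
        for ev in events:
            name = ev["Path"].rsplit("\\", 1)[-1].lower()
            if not name.endswith(".dll"):
                continue  # config files etc. are noise for DLL hijacking
            if ev["Operation"] == "CreateFile" and ev["Result"] == "NAME NOT FOUND":
                f = probes.setdefault(name, {"process": proc, "pid": pid, "dll": name,
                                             "missing_paths": [], "loaded": False,
                                             "loaded_from": None})
                f["missing_paths"].append(ev["Path"])
            elif (ev["Operation"] == "Load Image" and ev["Result"] == "SUCCESS"
                  and name in probes and not probes[name]["loaded"]):
                probes[name]["loaded"] = True          # DLLLoaded: True
                probes[name]["loaded_from"] = ev["Path"]
        findings.extend(probes.values())
    return findings
```

Each finding lists the directories in which the probe failed, which is the information a report needs to reproduce the search-order behaviour.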
S(H)ELOB – Streams Endlessly Logic Bugs
Pros – Cons
- No need to understand the code
- no source code needed
- no need to decompile
- Finds logical software bugs quickly and efficiently
- Generates a vulnerability report in Markdown format (each type of vulnerability has its own template). It contains all the information needed to reproduce the bug
- Capable of generating Proof of Concept (PoC) code automatically
- This framework is a good base to extend to find more types of bugs
- We have to be able to run the application. Sometimes this is not so trivial:
- system compatibility issues
- licensing… etc.
- We can only test the code paths that we can run
- if there is a code path we did not reach (or cannot reach), we won’t find any vulnerabilities in it