Print Caller Number with airSlate SignNow

Print caller number

[Music] hey what's up in this video we're going to be taking a look at how we can find format string vulnerabilities and compile binaries i really really want to talk about it's kind of like the process of breaking this down and trying to find it and this is what we're going to be building so this is really nice but how does this actually work and what are some of the things that we're looking for what are some of the things that we can't find you know things like that that's that's what we want to take a look at tonight i have a repo here called potentially vulnerable potentially vulnerable is just a set of random scripts for looking at things so we did a couple of videos on cwe78 which is os command injection um and we did enkidra and binary ninja there's a sample binary here that you can take a look at that has stuff um and then we also are going to be doing the same thing for 134 right now i'm working on the binary ninja one um but i'm sure at some point i'll do a guitar one and throw it up here as well i'll kind of update this there's also a bin this bin comes from the juliet set and i'll tell you what that is in just a minute i put this up here it's an x 86 64 elf and the reason for that is just because it can be kind of a bear to compile all the source code for that just to get a sample test case so i wanted to give you something to play with if you are interested in trying this out yourself now the test set that we're going to be using is one binary out of many that can come out of from the nsa center software nsa center for assured software i always thought it was software assurance so it's a little over 64 000 test cases for cnc plus plus and then what we can do is run those and analyzers and try to figure out sort of if we can find these problems they have a really nice naming convention for this where if it's underscore bad then you know that you found something that's particularly bad if i look at the extraction so if i go and download the juliet test suite for cnt plus plus will have this whole test suite extracted then you'll have a c directory go into that and test cases these are all of the cwes or common weakness enumerations for all of these the ones that we're worried about tonight are um uncontrolled format strings so there's quite a few of them here uh some of these later ones i think only pertain uh they might all pertain to every single system some of them are like windows only and they'll have if deaths too so um using parts of the windows api versus you know posix compliance or something um depending on what you compile for will utilize different pieces of code right so we're gonna be taking a look at specifically this so1 and this 134 sl1 is what i had back here inside of the bin directory and again that's for an elf but the differences in code that you can get just by switching compiler compiler version optimizations and platform visual studio does some really crazy stuff with function wrappers and a lot of really weird stuff that you just don't see in linux or when you're compiling with gcc so i think that's pretty interesting here's a pdf from a stanford class it's pretty interesting like the only time like when i learned about format string vulnerabilities i learned this right so i'm just looking for things like printf or fprintf or whatever else and data that comes from a user the question is do you alert on a function like this um and you like it's like i don't know i mean it really depends because there's only one parameter being passed to it there should be at least two and that is you have a format string with a format specifier like percent s and then you have some variable right it could be it's okay that this is user controlled right uh because it's being parameterized and passed in and formatted correctly the problem with this here is i can do something like percent x and actually pop data off of the stack and leak data from the stack you can use percent n to then give you a primitive uh right what where let's take a look at what this thing is doing to find this so for example if i go to this one 11 for example i'll get this address go in binary ninja here and i am in high level il so this var a1 is what i'm interested in just kind of scrolling on here and then what i want to do is track this up and see where it's been used and then bam right here on a receive a buffer in so i've set this up and declared this whatever this is it's a buffer somewhere and when i receive off that socket it's going straight into here um there is this rax3 that adds to this and it turns out if you look up a little bit more um that's from a string length and then this is from var 78 which is just a null string you have nothing there so all we really need to do for this pattern is to look for printf functions right or any other format string function and look for the parameter that is the actual format string right in this case there's only one parameter that should be an alert already like this seems weird i should have multiple and printf we'll get var a0 or whatever vars passed to it and we'll go see if it relates to a source of data that we care about in this case receive the second parameter even if it's manipulated in some form is still interesting to us and we would just alert and that's exactly what this is doing so let's stop talking about that and just try to figure out how this actually does it um so a couple interesting talking points that one will look at is the differences between mlil and hlil now let's go ahead and take a look at sources and syncs okay so these are some of the format string functions that we're interested in uh these are two of the sources that we're interested in right data can come from basically anywhere we can consider just like in this example the source of data is actually just a parameter passed in to the function like as a function argument so in in that case we don't know if it's user controlled what we'd have to do is find all the callers of func and see what they pass to it and analyze all those individually we could just simplify it and say yeah if i get data passed in on the function i'm just going to assume that it's user controlled and alert if this ever gets the case that way if you're scanning a binary and you find it as long as you're not finding like 50 000 of those where it would just be take way too much time to check yourself and verify what's the harm right just go ahead and do it all right so getting back to this these are the ones that we have i have a dictionary here and then the key in each dictionary is the source and then the value for that is the parameter index for the thing that we care about so f gets for example we care about the string for receive we care about buffer because that's where the data is actually going to come in that's what we care about the lens the flags things like this we don't necessarily care about we want to connect this string and this buffer to the format specifier or format specifier location here so in printf format exists in the first index into that array which is zero so it's a zero for sn printf it is three so being zero indexed it's two right so that's what we're doing we have a debug print function which will be helpful soon so the very first thing we do we're gonna import binary ninja and arc parse binary ninja openview we give it the target that comes from argparse and we open it as a binary view so what we're going to do is the very first thing is to find all symbols we want to analyze so to do that we'll create an empty symbols list and we'll say get all symbols by name for this sync so we're basically saying is there anything that looks like printf right is there anything that looks like fprintf we put all those into a list and then we check to see what type it is so there's different symbol types the ones that i care about are an imported function symbol then i'll append those to the symbol list and if that symbol list comes out to be nothing then i'm going to continue on to the next sync and keep going so once we have this list of symbols and these are symbol objects right not just names we're going to go figure out who calls those things so rather than looking at every single function to say do you call the symbol do you call the symbol what we'll do is find the symbols and then go find just the only places where those are called and analyze those okay so we have all these symbols so for symbol and symbols we're going to do get callers and we'll give it the address this will give us all the callers if there are no locations where that symbol is called from uh or we can't resolve any then we go to the next one right and then for every caller in these callers that we found we're just going to get the function object and the address for it that's going to allow us to get an mlil index so we need to basically find the location where each of these things are called so we might have found that printf is called in five different locations and binary ninja is really good at telling us hey this function a and function b call it i'll go ahead and get the mlil function the reason why i'm doing this is that there's no get instruction start for hlil so i have to go to mlal first get that index for the instruction of where the call is made you can index straight into that to get the mlil instructions so let me show you what that looks like seven let's say all right that's this function right here it doesn't resolve the name in this output um but this is it okay so that's exactly what we're doing when we say mlil index we got the index from this from the address then we go ahead and get the instruction and then we get the hlil version of that instruction so then we'll get a list of params empty we're going to see if that instruction is a call instruction if it is we'll get all the parameters now we want to isolate that format parameter right so if we look back up at our sinks the the format parameter that we want for fprintf is that index one for sn printf it's at index two for printf it's at index zero so this is what we're doing we're gonna isolate that as long as the number of parameters is greater or equal to that i know i'm safe indexing into that location without having an exception thrown right so that's the reason why i do that so in parameters we'll do the sync syncs sync which will say if we're looking at printf it'll just give us a zero so this will resolve to zero i'll get the zeroth parameter and that'll be my f param or format string parameter okay then i'm gonna get the expression type so if expression type exists right and it's a constant then i'm going to go ahead and just say it's safe and move on to the next one right that's the idea if i have a printf and the only thing that's passed to it is an actual like static string that is hello world then there's no reason to look anymore because nothing can be manipulated or affected there so we just say it safe and move on with our lives right so for this target var what we want to do here is get the actual variable that's at that location okay so we'll get the actual parameter but depending on what type of parameter it is so let's say for example this is a variable um but if we look down like this is like a constant of course i don't see any right now so here here's the the draft okay so if we look up here we're going to look to see if it's an hlil draft if it is then i need to do param source var if it's just a high level variable then i just need to do fram var so that's the way that's going to allow us to pull this out i also have a little debug string in here because under testing while i'm doing this i'm really only seeing vars and d-refs but i know that if i point this at some other binary that that i had never tested before it's inevitable that i'll find something that's not a var draft maybe it's a call or something that's then you know resolved and then put put at that location so what i want to do is have this else case that says unsupported type that way if i'm doing maintenance on this script i can change this to a true run it and then i can see all the errors that are coming out like hey listen at this location you don't actually support this type you better add it okay so number five uh we're going to locate the uh definition and in initialization for all of these things so what we're essentially doing now at this point is finding um our sink and we're gonna say var a zero i don't wanna go through this entire function looking at every single instruction trying to find out if it's related to this variable instead you can ask binary ninja like hey tell me all the locations where this is used so it'll give you this it'll give you this it'll give you this it'll give you this it'll give you this but it will not give you this because this is the definition not a use so what we have to do is we can do getvar definitions for the target variable and our target variable is this var a0 and then there's uses so give me all the uses where that's used and then we get definitions and uses um and i just had this in a debug print when i was just starting out with the script i printed all those out just to make sure i can kind of see everything and things sort of made sense to me in the script then when i felt pretty confident with them i put them in a debug print so we're going to loop over all uses and we're going to say is the use a call okay if it's a call we're going to do something if the var and knit we're initially initializing the variable um then we're going to do one thing uh and then you start to realize like as you start testing these things there's different things that we need to kind of drill down towards and you can build this up so let's take a look at the first one the first one is if the use and again this would be a use down here okay so the use on this one is going to be like a variable assignment okay um and we can do that by saying let me go ahead and clear this current hlil and then i'll do 24. all right and then i'll do operation all right so that's a var knit okay so this guy would end up be a var in it so up here we would end up hitting this part because the use the instruction at that use its operation is of our init okay cool so now what we need to do is kind of unwrap that onion and try to figure out like what we're looking at here and seeing if it relates to our sync variable okay uh or wraps back to a source i mean so we want to find the call location uh source call instruction so this is the the source so looking at source and destination if we do that right now um for this guy we could do this operation if we do source like here's the actual instruction here is the source and here is the destination yeah so the destination so for this guy uh this is a varnit so let me go look at avarnet this one is a var in it um i did the instruction current hlil and i gave it 24 uh search r so basically i'm looking to see if we can resolve this location um where are we actually like going back to right so that's that's from this as well so we want to know um if we do this is that source actually being um what do you call it referenced in our tracked sources all right so quick edit there i actually had a little bit of a bug in here um a weird case of kind of a copy pasta from something i saw before so i'll fix that on the repo essentially we have here is we have this var in it and this is one of the things that can really bite you is if you're writing this at a specific um binary that you know is vulnerable and you're writing a signature kind of for it or a pattern for it you can make certain assumptions that like this is always the case that this is going to be and then you run on a different target and all of a sudden you're getting exceptions because you know you're referencing a wrong type or something like that and in this case this is kind of it so there's a hli alvar knit if i get to this instruction and this operation is a var init and then i sort of assume that it's just a call right so i do the use the instruction for it i already know that if it's a var init it's going to have a source like where is that coming from and then i get the destination and that destination from that source um if this is already a call so this is not just a call like for example this is a call this is a varnit with a call okay so that's sort of the subtle difference here what i should really be doing probably after this line is then checking to see if use instruction source is of type source operation is of type uh hlal call and if it is then isolate sort of like where that's coming from in sources and i don't um i haven't got any exceptions yet so i just kind of roll with it you know yolo but um that's one of the things that can bite you is like this kind of case where you know i wrote this and i looked at this and i didn't see or noticed that until i just started talking about it now live with you so uh okay so anyway if this turns out to be a target to a certain source uh we go up here and if it ends up being enough gets or received then we keep looking at it um what we're gonna do when we keep looking at it is we're gonna get um the call instruction so we'll get that source it's the call that we're going towards and then we get the parameters from that so everything that's passed to it so for example uh this strchr would go and get these two guys as the parameters for that once we have those two parameters then we're going to add one to it just to account for the zero indexing and then we're going to use that that length of parameters just to make sure that we're not going to screw up here and be outside of the range of a valid index inside of params so we'll get that target param index so we go to sources get that destination so let's see here yeah sources the name for and this will return the actual index so in that case it's like if this is f gets it would be a zero if it received it'd be a one that got returned from this so paramedex would be zero or one in that particular case now we do params get that zero one put it into target param uh then we look through the prefix operand so for p and prefix operands prefix operands is sort of a way to kind of like peek into everything without having to like do write all the code to drill down into all of it so in this particular function if i'm doing um current hlal24 here i can do prefix or postfix operands right and then that gives us everything that is listed in here like all of the the components that build this instruction um and we can go through each one of them and see if there are certain types or you know whatever we're looking for in this case i use for prefix or parameter whatever in each one of those operands i get p and i say if it's a variable and that variable is equal to our target variable then we're going to alert so we just try to see if it's in there it's a simplified way of without having to pull apart every single possibility which would be like here's a var a and then it would either be var a or this is an addition with a var a so i need to drill down into that addition if it were a subtraction or some other operation this could even be like a call that resolves the buffer and returns it like there's so many different things that could end up being here that having to parse all that stuff out manually it seems like a lot of work definitely possible but i think this is kind of good cheating way to do it and when we run it we end up getting you know good good decent results um so let's take a look at some of the problems like that that was the whole script here and if i run this i'll let it run while i'm pulling up some of these other things um it takes a little bit of time the reason why it takes a little bit of time is every time i'm running this i'm completely running a new pass through binary ninja i probably should be doing this on a binary ninja database to be a little bit faster but you know whatever it's not that big of a deal so let's take a look at mlal versus hlio i know this video is getting really long but whatever you know watch it if you want to all right so let's take a look at this example so i'm here and this is var a zero if i scroll up var a zero right here perfect okay that's easy we just looked at how to find this correlation we found it we alert we're done this is on hlil let me switch back to mlil and show you what we have to do so now here we're at rdi8 rdi8 comes from rdi or rax23 rex 23 comes from var a0 var a0 is used here vari zero series here var a0 is used here var a0 is used here but it's assigned to this which is also assigned to this which is now in buffer bottom line is that's a lot of different reassignments that's crazy and when you go to high level il like it folds it all up for you this is this is excellent there's so much work that you had to do and moil to correlate to just say like yo this this variable var a actually relates to this guy and hll does like basically all of the work for you um even in mla when we come here and we're down at like this location right following this up is really easy for a human you just click on it and keep following it up like this isn't hard um and then you kind of like follow your way back down but if this function was huge and nasty like hundreds of basic blocks and stuff um that can be really hard to track down there's just you don't have a monitor big enough like one just doesn't exist right like when you're zooming out and you're trying to find like where the things are highlighted and it's like it just gets to be kind of nasty doing it manually right so sometimes like falling back to a manual analysis to verify this stuff works really well and other times it's not it's not an easy task right um so i'm just rambling at this point let's take a look at the other one this is resolving parameters okay let me look at this guy and i'll show you another weird thing that happens uh weird from just like a complexity standpoint it's not really like okay so here right so if i go to this function and i see that printf is called from here and i go to look at the format it's a call right it's not a variable right it's not an addition like what like what happen i have to dig into this guy figure out what it does what it returns just to get a sense of what this might be i do know that this printf does have a component which is the argument and up here so i can really simplify this basically to this case there there are some things that you want to consider and right now there's no way that we're going to find this because this ends up being very very different in hlil so if i switch back down to mlal now it's just it's just a variable again right and then i can track this back to the output of this right so you have to keep doing that tracking so there's like you know pluses and minuses from going to a lower level to a higher level or from a higher level to a lower level um and you'll see lots of really weird things like this like to me reading this as a human this makes a heck of a lot of sense right at least is not a problem at all um but when you're doing it from a scripted sense and you're trying to have like a pattern for looking for for issues or problems this is this is a kind of a weird thing like if i wouldn't have seen this example i wouldn't have known to even check if the format was a return value from a call like that doesn't make that's not something that i would have just thought about so um this this sense of like we can write a signature for something as long as we've seen it before kind of sucks right like i want to be able to write something that can find for my string vulnerabilities all the time but the simple reality is that sometimes there's complexities that you just don't think about uh and you're gonna miss them right so um that's pretty much it like there there's a lot more there are more vulnerabilities or vulnerable functions inside of this binary that this does not yet find and a lot of those reasons end up being that there are just some kind of weird quirks or patterns that we have to implement so let's try to find one that we don't support so for this one i don't think we support v printf so why not so if you're running this and you don't see it printing out and you're like why doesn't that come out we can try to find out why so here's f gets we know we support that um yeah okay so here's what happens is we're we're assuming that the source and the sync happen in the same function right um it's for simplicity and things get kind of crazy when you start drilling down into other functions and then going back up into callers um and call ease like the problem with that is that you don't know where the bounds are and you can end up traversing a really large binary pineary for a really long time um so there's a lot of complexity in that right so in this particular case in this function which is bad if i come down here i can find a source right it's wrapped up into an if which is another thing that we didn't really consider is that the if clause actually has this condition that's based on the return value of a function uh you know and then that's based on this we don't really concern ourselves with data flow or or control flow we can totally do that to try to figure out if things are reachable um but in this case having to look into an if operation like we don't support that up here when we look at this we're basically saying is it a call or is it in it we don't even check to see if it's an if right so that's another thing that we have to consider too so if we're looking at this buffer what we need to do is try to figure out where the sync is and it turns out it's in this like wrapper function called bad va sync and if we dig into that we see that the first parameter to this guy is then passed into v print f so v printf we should support uh there it is and the reason why we don't support it here is if this were taken out of that and slapped here we would find this right or we'd be very close to finding it because we just need to implement this if this is the problem with this type of analysis is that like there's just so many weird funky things but in a sense like the more general that we make things the more false positives we're gonna get but i think the more kind of wide-reaching that is and and honestly we've run this against things where we have hundreds of outputs and you give that to a reverse engineer who's good and a vulnerability researcher who understands this stuff and they can validate these things like boom boom boom boom boom and tell you no this is wrong this is wrong this is wrong this is interesting let me mark it and then continue on and then you generate a short list and then you start digging into those a little bit more to try to see if they're interesting and then what you're left with is possibilities and you can fuzz towards those you can emulate um you can put more you know more uh horsepower and more more brain power on it by getting multiple researchers on that target um and saying like is this an interesting uh you know bug here or is this just nothing at all um so i hope that helps i hope that's something that kind of makes sense potentially vulnerable is the place that will have all this stuff so just go to um 134 and then click on this and then this is all of it i think i removed a little bug in here i'll push that in a second uh but if you have any questions feel free to reach out otherwise uh hey thanks for watching [Music] you