Exploitable Crash Analyzer

September 6, 2009

no comments

The Microsoft Security Science Team released a debugger extension that performs automated crash dump analysis and assesses the security risk associated with the crash. It’s extremely simple to use—fire up WinDbg, open the crash dump (or debug the application until it crashes), load the debugger extension and execute the !exploitable command to receive an immediate risk assessment.

I immediately wanted to try this thing out, so here’s what I did. I wrote a simple console application that reads user input with gets into a 4-character buffer:

int main(int argc, char* argv[])

{

    puts("Enter a string:");

 

    char buf[4];

    gets(buf);

 

    return 0;

}

I ran the application in Release mode (in Debug mode the CRT will raise an assertion, obstructing the natural flow), gave it a string of approximately 20 characters, and sure enough, it crashed. Next I opened the crash dump in WinDbg, loaded the debugging extension and voila:

0:000> .load D:\Development\MSEC_DebuggingExts\Binaries\x86\msec.dll
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable – Data Execution Prevention Violation starting at Unknown Symbol @ 0x00000000736a6661 called from kernel32!BaseThreadInitThunk+0x000000000000000e (Hash=0x14055f47.0x0f50276b)
User mode DEP access violations are exploitable.

As you see, the crash was classified as exploitable—it’s basically execution of a random return address that has overwritten the stack (DEP prevented it because the value reflects some random characters I typed, but it could be shellcode from an attacker).

Here’s another example that I generated by emitting the cli privileged instruction in a user-mode process:

(178c.16d0): Unknown exception – code c0000096 (first chance)
(178c.16d0): Unknown exception – code c0000096 (!!! second chance !!!)
[…]
ExploitableBug!main:
00cb1000 fa              cli
0:000> k
ChildEBP RetAddr 
0044fc08 00cb116d ExploitableBug!main [d:\development\scratch\exploitablebug\exploitablebug.cpp @ 8]
0044fc4c 76103f39 ExploitableBug!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
0044fc58 77ea0409 kernel32!BaseThreadInitThunk+0xe
0044fc98 77ea03dc ntdll!__RtlUserThreadStart+0x70
0044fcb0 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> .load D:\Development\MSEC_DebuggingExts\Binaries\x86\msec.dll
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable – Privileged Instruction Violation starting at ExploitableBug!main+0x0000000000000000 (Hash=0x415f583b.0x5827743b)
A privileged instruction exception indicates that the attacker controls execution flow.

All in all, this is a really simple debugging extension that can be automated and streamlined. As you can see, it even suggests a bucket for the bug—which means it’s very useful for automated crash analysis (and that’s how it is used by various teams at Microsoft).

This debugging extension also ships with source code, which means you can dig right in and see how the various detection rules are implemented. You can find them in the exploitable_rules.h header file in the form of nested macros such as the following:

// Rule: Stack Buffer Overruns (/GS Exceptions) must be fixed
BEGIN_ANALYZE_DATA
    PROCESSOR_MODE                DONT_CARE
    EXCEPTION_ADDRESS_RANGE        DONT_CARE
    EXCEPTION_TYPE                STATUS_STACK_BUFFER_OVERRUN
    EXCEPTION_SUBTYPE            DONT_CARE
    EXCEPTION_LEVEL                DONT_CARE
    ANALYZE_FUNCTION            NULL
    RESULT_CLASSIFICATION        EXPLOITABLE
    RESULT_DESCRIPTION            L"Stack Buffer Overrun (/GS Exception)"
    RESULT_SHORTDESCRIPTION        L"GSViolation"
    RESULT_EXPLANATION            L"An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed."
    RESULT_URL                    NULL
    RESULT_IS_FINAL                true
END_ANALYZE_DATA

It’s fairly easy to add additional rules and detection heuristics, recompile, and you have a crash analysis extensions tailored for your needs. (This is also a great way to learn about how debugging extensions can be implemented and how simple and sophisticated instruction analysis in a crash dump can be performed.)

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*