Friday, 28 December 2012

MS08-067 As used by Conficker and Stuxnet

How do Worms travel?
Strictly speaking, a computer virus doesn't spread across a network, whereas a computer worm can travel from machine to machine. But how do worms move between machines?

A vulnerability with the catchy name of MS08-067 was used by Stuxnet and Conficker to worm themselves across Local Area Networks, but how did it work? I spent a reasonable amount of time reverse engineering the vulnerability to discover how it was exploited.

Computers on a network can provide services to each other, such as file and print sharing. This means that a computer is listening on the network for connections from other machines requesting one of the services it provides. Normally this isn't a problem, but as MS08-067 shows, things can go horribly wrong when a programming bug leads to an exploitable vulnerability.

Without giving away too much useful information: a "behind the scenes" function that provided a network service had a programming bug whereby a remote computer could send a malformed request that caused a routine to start searching backwards through CPU stack memory, outside the function's normal buffer, looking for a specific character. That character would be found at a known position (placed there by a previously executed function), which made it possible to overwrite a function return address with a different value, causing the computer to jump to an address supplied by the remote computer. The virus (known as the payload) was supplied as part of the malformed request; after protections such as Data Execution Prevention had been turned off, the exploit would jump to a memory location within the request's payload code.

In short, the exploit relied on the fact that this network service code had a programming bug: it didn't check the boundary conditions of the supplied data, and so it ended up accessing memory located outside the appropriate memory buffer.
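The bug class described above, shown as an added example that is not the MS08-067 code itself: a backward scan for a delimiter with no check against the start of the buffer, next to the bounds-checked version a reviewer would want. The stack layout, the delimiter character and the "known position" below the buffer are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the stack layout the post describes: a region
 * written by an earlier function (holding the delimiter) sits just below the
 * buffer the routine is supposed to operate on. All of it is one array here,
 * so the "out of bounds" read stays inside valid memory for the demo. */
#define FRAME_SIZE 48
#define BUF_OFFSET 16
#define BUF_SIZE   (FRAME_SIZE - BUF_OFFSET)

/* Vulnerable pattern: walk backwards from the end of `buf` looking for
 * `delim`, with no lower bound. If the request contains no delimiter the
 * scan keeps going below `buf` into whatever the caller left on the stack. */
static ptrdiff_t find_back_unchecked(const char *buf, size_t len, char delim) {
    const char *p = buf + len - 1;
    while (*p != delim)         /* never compares p against buf */
        p--;
    return p - buf;             /* negative offset = outside the buffer */
}

/* Hardened version: the scan stops at the start of the buffer and reports
 * failure, so the caller must reject the request instead of trusting a
 * position that lies outside its own data. */
static ptrdiff_t find_back_checked(const char *buf, size_t len, char delim) {
    for (size_t i = len; i > 0; i--)
        if (buf[i - 1] == delim)
            return (ptrdiff_t)(i - 1);
    return -1;
}

/* Builds the frame: a delimiter left at a known position below the buffer by
 * "earlier" code, and request data that deliberately contains no delimiter. */
static void build_frame(char *frame, char delim) {
    memset(frame, 'A', FRAME_SIZE);
    frame[10] = delim;                          /* 6 bytes below the buffer */
    memset(frame + BUF_OFFSET, 'x', BUF_SIZE);  /* request bytes, no delim  */
}

/* Run both scans on the same frame; returns the offset each one reports. */
static ptrdiff_t run_unchecked(void) {
    char frame[FRAME_SIZE];
    build_frame(frame, '|');
    return find_back_unchecked(frame + BUF_OFFSET, BUF_SIZE, '|');
}
static ptrdiff_t run_checked(void) {
    char frame[FRAME_SIZE];
    build_frame(frame, '|');
    return find_back_checked(frame + BUF_OFFSET, BUF_SIZE, '|');
}

int main(void) {
    printf("unchecked scan: offset %td (below the buffer)\n", run_unchecked());
    printf("checked scan:   offset %td (not found, reject)\n", run_checked());
    return 0;
}
```

The unchecked scan reports offset -6, a position the caller never wrote and an attacker can predict; the checked scan reports -1 and forces the caller to handle the malformed request explicitly.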
