Concentrated Fire: Black Box Auditing Adobe Shockwave presented at Hackito Ergo Sum 2011

by Aaron Portnoy (TippingPoint), Logan Brown (TippingPoint)

Tags: Security

Summary: Attempting to familiarize oneself with another's codebase is a daunting task, even with well-documented source code. Attempting to do so for a large symbol-less binary application is even harder. This talk will walk the audience through the TippingPoint security research team's approach to reverse engineering Adobe Shockwave for the purposes of vulnerability discovery and analysis. We will cover reconnaissance of the attack surface, vulnerabilities discovered, tools developed, and the techniques we used to recover type information and functionality throughout a 6 month focused audit.
In early 2010 our team began a simple audit of the Shockwave player which, according to Adobe, is installed on an estimated 45% of Internet-enabled computers. Our initial poking at this software turned up 7 remote code execution vulnerabilities. After bringing attention to Shockwave by publishing these, we began to see a substantial increase in industry focus on this particular application. In the months following we have been consistently receiving upwards of 15 Shockwave vulnerabilities per week through the Zero Day Initiative program. Sometimes these submissions are well documented; more often, they are not. Either way, we are required to locate the offending vulnerability's root cause. This is often a time-consuming task, especially if each team member works on their assigned vulnerabilities in isolation. As such, we have taken a good deal of time analyzing the requirements for collaborating on these projects and we have developed techniques and tools to return to the audit with a more effective and complete tactic.
As the entire Shockwave codebase is symbol-less (only exporting by ordinal, using a custom memory manager, and generally shirking the use of many standard API calls) we will demonstrate our successful attempt to recover function names and type information. We will release a set of IDA scripts that allow a researcher to match functions from one platform's version of a codebase to another (as well as multiple versions on the same platform). We will also walk through our analysis and dissection of the custom memory manager used by Shockwave, including a tool release that allows one to track allocations, frees, and walk heap structures in memory. Additionally, we will cover the heuristic-based approaches we took to identify platform-specific abstraction layers within Adobe's code and our tools to display such information within IDA.
Recovering such information is not, however, the most we can do. We will also demonstrate how we have reversed the undocumented file format chunks (based on RIFF) that the Shockwave player uses. This was accomplished using our internal code injection tools and we will demonstrate how the same techniques can be replicated using an instrumentation engine such as DynamoRIO or Pin. As we unearthed more and more about Shockwave we became aware of the extent of its attack surface. So, we will also walk through the fuzzing architecture we have used to fuzz the Director file format, the signed Asset files, and the internal language known as Lingo that Shockwave supports. Cumulatively, these efforts have led to over 20 0day discoveries in the product (at the time of this writing, more likely on the way).
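As an added illustration of the RIFF-style chunk layout the talk refers to (example code written for this page, not the TippingPoint team's tooling): a chunk walker that reports truncated or oversized chunks instead of trusting their declared size, which is the first sanity check worth running on a submitted Director file before it goes anywhere near the player. It assumes Director containers use the big-endian RIFX magic or the byte-reversed XFIR magic alongside plain RIFF; the chunk tags in the constructed sample are made up.

```python
import struct

def build_chunk(tag, payload, big_endian=True):
    """Encode one chunk: 4-byte tag, 4-byte size, payload, pad byte if odd."""
    fmt = ">I" if big_endian else "<I"
    pad = b"\x00" if len(payload) % 2 else b""
    return tag + struct.pack(fmt, len(payload)) + payload + pad

def walk_chunks(data):
    """Return [(tag, offset, declared_size, status)] for each top-level chunk.

    Malformed chunks are reported ("truncated"/"trailing") rather than raised,
    so a crashing fuzz case can still be inspected up to the bad chunk.
    """
    if len(data) < 12:
        raise ValueError("too short for a RIFF header")
    magic = data[:4]
    if magic == b"RIFX":            # assumed: big-endian Director container
        fmt, reverse_tags = ">I", False
    elif magic == b"XFIR":          # assumed: byte-reversed RIFX, tags reversed too
        fmt, reverse_tags = "<I", True
    elif magic == b"RIFF":          # classic little-endian RIFF
        fmt, reverse_tags = "<I", False
    else:
        raise ValueError("not a RIFF container: %r" % magic)
    declared = struct.unpack(fmt, data[4:8])[0]
    end = min(8 + declared, len(data))   # never trust the header past the real data
    chunks, pos = [], 12                 # skip magic, size and form type
    while pos + 8 <= end:
        tag = data[pos:pos + 4][::-1] if reverse_tags else data[pos:pos + 4]
        size = struct.unpack(fmt, data[pos + 4:pos + 8])[0]
        body_start = pos + 8
        if body_start + size > end:      # size overruns the file: report and stop
            chunks.append((tag, pos, size, "truncated"))
            return chunks
        chunks.append((tag, pos, size, "ok"))
        pos = body_start + size + (size & 1)   # honour the even-alignment pad
    if pos < end:                        # leftover bytes too short for a header
        chunks.append((b"", pos, end - pos, "trailing"))
    return chunks

def sample_file():
    """Constructed RIFX container: two valid chunks, then one with a bogus size."""
    body = b"MV93"
    body += build_chunk(b"imap", b"\x00\x00\x00\x01\x00\x00\x00\x2c")
    body += build_chunk(b"Lnam", b"abc")                      # odd size, padded
    body += b"CASt" + struct.pack(">I", 0x7FFFFFFF) + b"\xde\xad"
    return b"RIFX" + struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    for tag, off, size, status in walk_chunks(sample_file()):
        print("%-4s off=%-3d size=%-10d %s" % (tag.decode("latin-1"), off, size, status))
```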