Green Dam analysis, Valkyrie-X, by Anthony Lai
Reversing and Exploiting Green Dam by Anthony Lai 賴灼東 2009.07.21
Reversing and Exploiting Green Dam
[0xdf] Valkyrie-X Security Research Lab
1 VXRL 2009
Special Thank You
• Mr. Byoungyoung Lee from PLUS, who is the mentor/advisor of Valkyrie-X
Background
• Focus on research and studies on software/system exploitation, vulnerability and reverse engineering, penetration testing and crypto problems.
• Activity: We joined the CTF and ranked 68th out of 230 teams in the DefCon 17 Prequalifying Round.
Agenda
• Reversing a few critical modules in Green Dam.
• Exploitation possibility
Let us start
Reversing
• XNet2.exe
– It is the major Green Dam service
– It performs installation and registers the software key to the system
– It is responsible for password check and reset
– Commander of XDaemon.exe and gn.exe
– Kick-starts a number of processes with the following executables:
• Xdaemon, gn, HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic
Prepare and set up processes
Installation
• Installation – Software Key Registration to Registry.
More interesting stuff is…
Prepare a list of processes
Installation Password
• After Green Dam converts the password using the MD5 algorithm, it saves it in text format within the kwpwf.dll file located in the C:\WINDOWS\system32 directory. If that file is opened in Notepad, its content replaced with "D0970714757783E6CF17????????????????????" and saved, the password is restored to the original "1122??????".
Easy Password
Green Dam – Data File
• Decrypted file content
– Contains keywords for filtering
• The data file naming convention and filtering classification are exactly the same as Cybersitter from Solid Oak.
Green Dam – Connected IPs
• Connected IPs
– Connected to an ISP in the USA?
– Connected to NIST’s time server?
Green Dam – Monitored Software
• Monitored software
– We could find it from injlib32.dll
– Injlib32.dll is injected into every critical process.
– Handle.dll creates a process/thread to monitor any messages received from the injected DLL (as it supports transmitstring).
(Diagram: Notepad.exe → Injlib32.dll → Handler.dll)
Green Dam – Exploitation
• Possible vulnerabilities in Green Dam version 3.1.7
– As Green Dam is injected into the browser process and cannot handle a long URL, a stack buffer overflow is found.
• The exploit is published on Milw0rm.com. It should be the same
What is Stack Buffer Overflow?
What is Stack Buffer Overflow? (from Wikipedia.org)
How can we exploit?
• We try inputting 2048 ‘A’s and submitting it as a URL.
• We attach OllyDbg to the Internet Explorer process, iexplore.exe, to debug it at runtime.
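To make the long-URL overflow on these slides concrete, here is an added example that is not Green Dam's code and not from the author: a hypothetical URL-filter hook of the kind a browser-injected DLL would run, with the unchecked copy beside a bounded version that rejects oversize input. The buffer size URL_BUF, the keyword "blocked" and the function names are assumptions.

```c
/* Added illustration, not Green Dam's own code: a hypothetical URL-filter hook
 * run on each navigation. The first version copies the URL into a fixed stack
 * buffer with no length check, which a 2048-byte URL overruns; the second
 * bounds the copy. URL_BUF is an assumed size; the real one is not known. */
#include <stdio.h>
#include <string.h>

#define URL_BUF 1024
#define FILTER_WORD "blocked"   /* stand-in for a real filter keyword */

/* Unchecked pattern: strcpy trusts the caller, so a URL of URL_BUF bytes or
 * more writes past url_buf into the saved frame data above it (undefined
 * behaviour; the slides show the frame being overwritten with the input). */
int filter_url_unchecked(const char *url) {
    char url_buf[URL_BUF];
    strcpy(url_buf, url);
    return strstr(url_buf, FILTER_WORD) != NULL;
}

/* Bounded pattern: measure first, refuse anything that does not fit, then copy
 * exactly len+1 bytes so the terminator is always present.
 * Returns -1 (rejected as too long), 0 (allowed) or 1 (matched keyword). */
int filter_url_checked(const char *url) {
    char url_buf[URL_BUF];
    size_t len = strlen(url);
    if (len >= sizeof url_buf)
        return -1;          /* log and drop instead of copying */
    memcpy(url_buf, url, len + 1);
    return strstr(url_buf, FILTER_WORD) != NULL;
}

/* Runs the checked handler on a constructed URL of n 'A' characters (the
 * slides use n = 2048) and returns its verdict. */
int check_long_url(size_t n) {
    static char url[4096];
    if (n >= sizeof url)
        n = sizeof url - 1;
    memset(url, 'A', n);
    url[n] = '\0';
    return filter_url_checked(url);
}

int main(void) {
    printf("2048 'A's through checked handler: %d\n", check_long_url(2048));
    printf("short URL with keyword: %d\n",
           filter_url_checked("http://example.com/blocked"));
    return 0;
}
```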
Demo
Exploitation Summary
• Successfully overwritten with our input.
• Deploying shellcode will be our next mission.
• No patch is provided
Our Conclusion
Conclusion
• We strongly suggest not installing this software.
• It introduces a vulnerability; it is not just filtering but monitors the software you use and the content you type.
Reference
• Technical Analysis of Green Dam
– http://wikileaks.org/wiki/A_technical_analysis_of_the_Chinese_'Green_Dam_Youth-Escort'_censorship_software
• Analysis of Green Dam Censorware System
– http://www.cse.umich.edu/~jhalderm/pub/gd/
Tools
• MD5 Decryption
– http://www.md5decrypter.com/
• IDA Pro (Get a free version)
– http://www.hex-rays.com/idapro/
– http://www.amazon.com/exec/obidos/ASIN/1593271786/datarescuesanv