Download Of Code Without Integrity Check

Teaching Sec503, our intrusion detection class last week, we yet again wrote a signature for a CVS exploit from a few years back. Sure, it is kind of old news by now. But I think it is is very timely if you are concerned about the integrity of your software. If you are not familiar with it: CVS is software used to manage source code repositories. A compromise of your CVS server means that you can no longer trust the software maintained by this server. Hardly anybody installs software from a CD anymore. Most software today is downloaded and installed. But how do you know if the download has been tampered with?

There are two main methods to verify file (and with that software) integrity: Cryptographic hashes and digital signatures. Cryptographic hashes are essentially fancy checksums. Unlike a checksum, it is very hard to find two documents with the same hash. An attacker will not be able to for example add a backdoor to your code, and then add additional comments or empty code to make the hash fit. This may no longer be fully true for MD5, but even MD5 is still "pretty good" and exploits at this point only work if certain conditions are met.

DOWNLOAD 🔥 https://urluss.com/2y2PJP 🔥

But there is a fundamental weakness that comes with using a hash to ensure file integrity: How do you make sure that the hash didn't get changed? In many cases, the hash is stored in the same directory, with the same permissions, as the original code. An attacker could just replace the code, and the software using the same attack.

But there is a fundamental weakness that comes with using a hash to ensure file integrity: How do you make sure that the hash didn\'t get changed? In many cases, the hash is stored in the same directory, with the same permissions, as the original code. An attacker could just replace the code, and the software using the same attack.

If you do get classes from the outside - like, download them from somewhere or allow users to upload classes or source code and compile it - then you are subject to this weakness and need to take measures. If you get classes from users you have a problem. :) If you get them from some location you seem as secure, you can use HTTPS or check signatures on your own. But I guess this is not your case.

A new category for 2021 focuses on making assumptions related tosoftware updates, critical data, and CI/CD pipelines without verifyingintegrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data. Notable Common Weakness Enumerations (CWEs) includeCWE-829: Inclusion of Functionality from Untrusted Control Sphere,CWE-494: Download of Code Without Integrity Check, and CWE-502: Deserialization of Untrusted Data.

Software and data integrity failures relate to code and infrastructurethat does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and contentdelivery networks (CDNs). An insecure CI/CD pipeline can introduce thepotential for unauthorized access, malicious code, or system compromise.Lastly, many applications now include auto-update functionality, whereupdates are downloaded without sufficient integrity verification andapplied to the previously trusted application. Attackers couldpotentially upload their own updates to be distributed and run on allinstallations. Another example is whereobjects or data are encoded or serialized into a structure that anattacker can see and modify is vulnerable to insecure deserialization.

This code does not verify that the external domain accessed is the intended one. An attacker may somehow cause the external domain name to resolve to an attack server, which would provide the information for a false database. The attacker may then steal the usernames and encrypted passwords from real user login attempts, or simply allow themself to access the application without a real user account.

Note: For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using Cross-Origin Resource Sharing (CORS), to ensure the origin serving the resource allows it to be shared with the requesting origin.

You use the Subresource Integrity feature by specifying a base64-encoded cryptographic hash of a resource (file) you're telling the browser to fetch, in the value of the integrity attribute of any or element.

An integrity value begins with at least one string, with each string including a prefix indicating a particular hash algorithm (currently the allowed prefixes are sha256, sha384, and sha512), followed by a dash, and ending with the actual base64-encoded hash.

For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using Cross-Origin Resource Sharing (CORS), to ensure the origin serving the resource allows it to be shared with the requesting origin. Therefore, the resource must be served with an Access-Control-Allow-Origin header that allows the resource to be shared with the requesting origin; for example:

Just a little disclaimer here. The goal of this post is not to encourage piracy. Creating pirated copies is possible without bypassing the integrity checks and has long been done.Neither do I want to encourage cheating or hacking. In fact, the game has a lot of unpatched security vulnerabilities, which make it almost unplayable.Therefore, I hope this post opens up the possibility to get these patched.

Because the game sometimes deadlocks, I thought the penalty is not an immediate action the game takes. Rather, I assumed, the result of those integrity checks is integrated into the control flow of the execution.

So on a high level, the evaluation might be something like this:

To discover and analyze the checks, my idea was to place a watchpoint on some piece of code to see who reads it.

As code is usually just executed by the CPU and not actually read as data, such a breakpoint being triggered would mean an integrity check reading the code to verify it.

The breakpoint triggered at the line mov eax, [rdx+rax*4], which loads the checksum into eax.Just like before, rax was zero at that point. So rdx is the interesting value here.It gets assigned through mov rdx, [rbp+38h]. So at this point, stack frame offset 0x38 turns out to be the integrity_handler_context.

However, the last two lines are very interesting: lea rdx, dword_14259841A loads an address of memory somewhere in the .text section.The last line, mov [rdx+rcx*4], eax, seems to store the checksum at that location in the .text section (rcx again being zero).Note that due to the DRM rewriting and decrypting code at runtime, the .text segment is RWX.

However, if such a hook gets called, how can I find the offset of the integrity context on the stack frame?I noticed two things:The original checksum was always located in the .text section.The calculated checksum always resided in some region on the stack.

On top of that, I was surprised that patching the integrity checks was possible with only two patterns.I expected a lot more variations, different integrity checks that required a lot more analysis and different patterns, but in the end it is two variations of a single form of integrity check injected 1219 times.

In general, the protection of the game seems very good to me, as next to having integrity checks, a whole bunch of other protections are applied as well. This makes reverse engineering the game a tough challenge. ff782bc1db