Attack on the Core!
@zer0mem
#whoami - Peter Hlavaty (@zer0mem)
[ KEEN TEAM ]
▪ Background
– @K33nTeam
– Previously ~4 years in ESET
▪ Contact
– twitter : @zer0mem
– weibo : weibo.com/u/5238732594
– blog : http://zer0mem.sk
– src : https://github.com/zer0mem
outline 
ATTACKER 
▪ KernelIo tech 
▪ Vulnerability cases 
▪ Design features (flaws) 
▪ State of targets / security 
DEVELOPER 
▪ Point of view 
▪ Goal 
▪ Environment 
▪ C++! no more shellcoding!
Part 1 -> KernelIo tech
Privileged cpl3 != cpl0
[NtQuerySystemInformation]
• NtQuerySystemInformation from win8.1 requires elevated privileges
• Still callable from user mode
• Driver Signing Enforcement does not like installing drivers, even from privileged ones …
• Privileged ones are empowered with good eyesight: kernel leakage
Read & Write boosting
[windows]
• write-where vuln
• what => should be above read / write target
• Pool address can be sufficient
Read & Write boosting
[windows]
▪ KPP is not here to punish attackers
▪ leak & write-where-(semi)what
▪ patch & use & patch back
▪ turned into full KernelIo
▪ ReadFile alternative just with nt!MmUserProbeAddress
http://haxpo.nl/wp-content/uploads/2014/01/D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf
https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
Read & Write boosting 
[linux / droids] 
• leak & write-where vuln 
• what => should be above read / write target 
• nullptr / pool address can be sufficient 
http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
Read & Write boosting
[linux / droids]
▪ PXN / UDEREF handle it
▪ PXN not in default build of linux
▪ On droids ? XD
▪ turned into full KernelIo
http://vulnfactory.org/research/stackjacking-infiltrate11.pdf
Why KernelIo ?
▪ abstraction behind virtual address
▪ what is SMAP / SMEP about ?
MMU straightforward idea
[PoC by MWR Labs]
1. choose address X with isolated page tables
   1. To be sure write-where does not hit other used memory
2. mmap (X)
3. Patch S/U bits (write-where)
4. S/U bits need to be patched per PXE !
   1. self ref can help
5. cpl0 memcpy (X, shellcode)
6. Pwn (SMEP, SMAP out of the game)
https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/
http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
Symbolic cpl0 – cpl3 separators
“ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. ”
▪ Ok, what about aliasing ?!
▪ and about the ret2dir approach ?
https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
KERNEL FAIL-SAFE CHECKS
▪ copy_to/from_user
▪ ProbeForRead/Write
▪ Checking just symbolic values
▪ do not cover aliasing…
Part 2 -> cases
Out of Boundary
1. Trivial to exploit
2. Generic implementation
3. write/read – where
4. NO SMAP
5. but sometimes PXN
Out of Boundary
▪ what if SMAP enabled ?
▪ Is it over ?
▪ Read – no problem, just do not try to read from usermode
▪ Write – you have to know where to write – relatively positioned structs
kmalloc under/overflow
1. under/overflowed kmalloc
2. copy_to/from_user
3. search_exception_table for frv, but idea same
4. force copy_to/from_user to fail
5. Copied just controlled bytes even in under/overflow situation!
KASLR
• From win8.1 NtQuerySystemInfo is just for privileged user
• /proc/kallsyms same, just for privileged ones
• Need to info-leak
• Read-where vuln
• Abusing weak or old mechanism
KASLR
▪ PageTable concept is old
▪ At that time no hardening needed
▪ Crucial for performance
▪ Timing attacks, PageFault measuring, seem doable, see recent research
▪ A lot of static PHYSICAL addresses, KASLR weakened
▪ MMU mechanism attacks are the target of recent research, and it works …
http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf
http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/
Part 3 -> design features (flaws)
Linked lists
• nt!_list_entry / list_head
• Lazy list entry assertions
• Proper design ?
• Manipulating next / prev outside of API ?
• Hardening ?
• Common member
• Intrusive containers
• Redirect list
• pool leak && write-where
• Own content && abusing algo ?
http://www.k33nteam.org/blog.htm (nt!list_entry)
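The "lazy list entry assertions" and "Hardening ?" bullets above, as an added C example (not from the deck and not kernel code): an nt!_LIST_ENTRY / list_head style intrusive list with the unchecked unlink beside a hardened one that verifies both neighbours point back at the entry before storing anything, which is the invariant behind Windows' fail-fast RemoveEntryList and Linux CONFIG_DEBUG_LIST. The `object`, `fake` entry and the corruption of `blink` are constructed for the demonstration; the hardened variant returns `false` instead of bug-checking so it can run in user mode.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Intrusive doubly linked list in the nt!_LIST_ENTRY / list_head style. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    list_entry *last = head->blink;
    e->flink = head;
    e->blink = last;
    last->flink = e;
    head->blink = e;
}

/* Lazy unlink: trusts flink/blink blindly. With a corrupted blink the first
   store writes the value e->flink to the location blink->flink, which is the
   "pool leak && write-where" primitive the slide refers to. */
static void list_remove_unchecked(list_entry *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Hardened unlink: both neighbours must point back at e before any store.
   Returns false instead of bug-checking so the demo runs in user mode. */
static bool list_remove_checked(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return false;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

static int list_count(const list_entry *head) {
    int n = 0;
    for (const list_entry *p = head->flink; p != head; p = p->flink) n++;
    return n;
}

/* Constructed object type: a data member plus the embedded list entry. */
typedef struct object {
    unsigned long data;
    list_entry link;
} object;

static void build_list(list_entry *head, object *a, object *b, object *c) {
    list_init(head);
    list_insert_tail(head, &a->link);
    list_insert_tail(head, &b->link);
    list_insert_tail(head, &c->link);
}

/* Constructed corruption: b's blink is redirected to a fake entry that stands
   in for arbitrary memory. Returns 1 if the lazy unlink wrote b.link.flink
   into fake.flink, i.e. the unlink became a write-where. */
int demo_unchecked_unlink_writes_where(void) {
    list_entry head, fake = { NULL, NULL };
    object a = { 1, { NULL, NULL } }, b = { 2, { NULL, NULL } }, c = { 3, { NULL, NULL } };
    build_list(&head, &a, &b, &c);
    b.link.blink = &fake;
    list_remove_unchecked(&b.link);
    return fake.flink == &c.link;
}

/* Same corruption against the hardened unlink: returns 1 if it was refused
   and the fake entry was never written. */
int demo_checked_unlink_rejects_corruption(void) {
    list_entry head, fake = { NULL, NULL };
    object a = { 1, { NULL, NULL } }, b = { 2, { NULL, NULL } }, c = { 3, { NULL, NULL } };
    build_list(&head, &a, &b, &c);
    b.link.blink = &fake;
    bool removed = list_remove_checked(&b.link);
    return !removed && fake.flink == NULL;
}

/* Sanity check on an intact list: the hardened unlink succeeds and two
   entries remain. */
int demo_checked_unlink_on_intact_list(void) {
    list_entry head;
    object a = { 1, { NULL, NULL } }, b = { 2, { NULL, NULL } }, c = { 3, { NULL, NULL } };
    build_list(&head, &a, &b, &c);
    if (!list_remove_checked(&b.link)) return -1;
    return list_count(&head);
}

int main(void) {
    printf("lazy unlink turned into write-where: %d\n", demo_unchecked_unlink_writes_where());
    printf("hardened unlink refused corrupted entry: %d\n", demo_checked_unlink_rejects_corruption());
    printf("entries left after valid remove: %d\n", demo_checked_unlink_on_intact_list());
    return 0;
}
```

The check costs two loads per unlink, which is why the slide's "crucial for performance" argument kept such assertions out of older kernels; the price of omitting it is that a single corrupted pointer pair turns a routine list operation into a controlled write.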
Kernel hidden pointers
▪ plenty of c++-alike vtables
▪ callbacks
▪ ops
▪ context func
▪ Interesting design features
▪ typecast instead of inheritance
▪ Plenty of data pointers
▪ No integrity checks
▪ Plenty of data structs
▪ Sensitive trusted context
▪ No hardening
▪ Plain pointers
http://www.nosuchcon.org/talks/2013/D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
Kernel ops by design
• Callback mechanism
• open / write / read …
• If not implemented: NULLPTR
• If not implemented: no call performed
1. nullptr write vuln
2. null some operation
3. Abuse scoped resource handling logic
4. pwn
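The four-step chain above (null an op, the lazy dispatcher silently skips it, the scoped resource logic breaks) beside the "Callback integrity validation!" the developer-view slide later asks for, as an added C example that is not from the deck nor from the Windows or Linux kernel. Names such as `demo_open`, `rogue_release`, `hardened_register` and the `cookie` value are assumptions made here; the `known_callbacks` table stands in for a real kernel's check that a callback lies inside a loaded image's code section.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct ctx { int refs; } ctx;

/* file_operations-like table: every op is optional, NULL means "not implemented". */
typedef struct ops {
    int (*open)(ctx *c);
    int (*release)(ctx *c);   /* expected to undo what open did */
} ops;

static int demo_open(ctx *c)     { c->refs++; return 0; }
static int demo_release(ctx *c)  { c->refs--; return 0; }
static int rogue_release(ctx *c) { (void)c; return 0; }  /* constructed: unknown to the kernel */

/* Lazy design from the slide: a NULL op simply means no call is performed. */
static void lazy_open(const ops *o, ctx *c)    { if (o->open)    o->open(c); }
static void lazy_release(const ops *o, ctx *c) { if (o->release) o->release(c); }

/* Hardened variant, assumed here for illustration:
   1. an op that pairs with a resource (release) is mandatory at registration;
   2. every callback must be one the kernel knows (stand-in for "lies inside a
      loaded image's code section");
   3. stored pointers are XOR-encoded with a cookie and re-validated at call
      time, so a plain value planted by a write-where is refused. */
typedef struct hardened_ops { uintptr_t open; uintptr_t release; } hardened_ops;

static const uintptr_t cookie = 0x5a5a1234u;   /* constructed; a real kernel draws it at boot */
static int (*const known_callbacks[])(ctx *) = { demo_open, demo_release };

static bool is_known(uintptr_t fn) {
    for (size_t i = 0; i < sizeof known_callbacks / sizeof known_callbacks[0]; i++)
        if ((uintptr_t)known_callbacks[i] == fn) return true;
    return false;
}

/* Returns 0 on success, -1 if release is missing or any pointer is unknown. */
static int hardened_register(const ops *o, hardened_ops *h) {
    if (!o->release) return -1;
    if (o->open && !is_known((uintptr_t)o->open)) return -1;
    if (!is_known((uintptr_t)o->release)) return -1;
    h->open    = o->open ? ((uintptr_t)o->open ^ cookie) : 0;
    h->release = (uintptr_t)o->release ^ cookie;
    return 0;
}

/* Decode and re-validate before every call; -1 means the call was refused. */
static int hardened_call(uintptr_t enc, ctx *c) {
    if (enc == 0) return 0;                 /* optional op absent: explicit no-op */
    uintptr_t fn = enc ^ cookie;
    if (!is_known(fn)) return -1;
    return ((int (*)(ctx *))fn)(c);
}

/* Slide scenario: release nulled by a nullptr write, lazy dispatch skips it,
   the reference taken by open is never dropped. Returns refs afterwards (1). */
int demo_lazy_leaks_reference(void) {
    ops o = { demo_open, demo_release };
    ctx c = { 0 };
    o.release = NULL;                      /* constructed corruption of the table */
    lazy_open(&o, &c);
    lazy_release(&o, &c);
    return c.refs;
}

int demo_hardened_rejects_missing_release(void) {
    ops o = { demo_open, NULL };
    hardened_ops h;
    return hardened_register(&o, &h) == -1;
}

int demo_hardened_rejects_unknown_callback(void) {
    ops o = { demo_open, rogue_release };
    hardened_ops h;
    return hardened_register(&o, &h) == -1;
}

/* A plain pointer written over the encoded slot after registration decodes
   to garbage and is refused: returns -1. */
int demo_hardened_call_time_check(void) {
    ops o = { demo_open, demo_release };
    hardened_ops h;
    ctx c = { 0 };
    if (hardened_register(&o, &h) != 0) return -2;
    hardened_call(h.open, &c);
    h.release = (uintptr_t)rogue_release;  /* constructed: overwritten, not encoded */
    return hardened_call(h.release, &c);
}

/* Intact table: open and release balance out, refs return to 0. */
int demo_hardened_roundtrip(void) {
    ops o = { demo_open, demo_release };
    hardened_ops h;
    ctx c = { 0 };
    if (hardened_register(&o, &h) != 0) return -2;
    hardened_call(h.open, &c);
    hardened_call(h.release, &c);
    return c.refs;
}

int main(void) {
    printf("lazy dispatch, refs after open+release: %d\n", demo_lazy_leaks_reference());
    printf("hardened: missing release rejected: %d\n", demo_hardened_rejects_missing_release());
    printf("hardened: unknown callback rejected: %d\n", demo_hardened_rejects_unknown_callback());
    printf("hardened: overwritten slot refused: %d\n", demo_hardened_call_time_check());
    printf("hardened: refs after roundtrip: %d\n", demo_hardened_roundtrip());
    return 0;
}
```

The point the lazy dispatcher illustrates is that "not implemented" and "nulled by corruption" are indistinguishable to the caller; making paired ops mandatory and validating the pointer at call time restores the distinction.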
Attack on the Core
Part 4 -> state of exploitation
before win8.1
POOL HARDENING / SMEP / SMAP / PLAIN PTRS / “KASLR”
NtQuerySysInfo even kids … … do pwn
Era of Windows 8.1, earlier and current linux
POOL HARDENING / SMEP / SMAP / PLAIN PTRS / KASLR
▪ Cool, seems more hardening
▪ More software security features
▪ Access control improved
▪ UEFI
▪ Finally! More hardware features get implemented: SMEP/SMAP, …
▪ SMAP still waiting in some cases ….
▪ Exploiting finally getting challenging! BUT kernel still not hardened enough
Future of OS ?
POOL HARDENING / SMEP / SMAP / HARDENED PTRS / KASLR
▪ Hardware features implemented
▪ Strong complex access control policy
▪ Well randomized kernel space
▪ Kicked off obsolete designs
▪ Well designed core
▪ No plain pointers
▪ Data integrity checks
Rebirth to K E R N E L
Developing begins
CHANGING DIRECTION
[everything is just point of view]
Until now you were ATTACKER
• NO MATTER HOW, but get EXEC!
• hooks, patching, non-safe walkers, etc.
Now you are DEVELOPER !
• Pretend to be one of them
• Now you deal with KPP and other mitigations
Kernel windows DEVELOPER view
▪ In kernel, but some obstacles remain :
▪ PsSet*Routine, ObRegisterCallbacks, etc.
– Callback integrity validation!
▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem
– DEVICE_OBJECT* needed (own is preferable)
Kernel DEVELOPing begins 
[DRIVER/DEVICE_object*] 
▪ Kernel loader method, or : 
▪ Create your own! 
– IoCreateDevice 
– _OBJECT_HEADER + DRIVER_OBJECT
Kernel monitoring 
[device attaching] 
▪ Attach to driver 
▪ Filter : 
– Network communication 
– File system communication 
– …
Kernel monitoring 
[legacy] 
▪ File System Filter Driver 
▪ FAST_IO_DISPATCH 
– Register dropped files 
– Access to files 
– … 
▪ Also minifilters are option
Kernel monitoring 
[IoCompletion] 
▪ IoCompletion 
– Monitor ALPC 
– Used by resolving host, etc. etc. 
– Remote process communication 
– Per process
Linux, everything is a file
1. Kernel ops
2. Find the one you are interested in
3. Register to chain
4. cdev_add ( register_chrdev )
SELinux, SEAndroid, ACL
▪ Kernel escape
▪ Natural bypass
▪ Feature :
1. Developing superuser daemon
2. does not rely on special syscalls
3. Normal application development, api …
4. Separation of responsibilities
5. Kernel – bypass policy checks
6. Daemon – provide boosted functionality to user
C++ 
come on … why shellcoding or pure c ?
Exploitation means developing!
▪ C++ is about the compiler & your skills
▪ You think you can write better shellcode than the compiler ?
▪ You can code really close to assembly level – when you know your compiler
▪ c++ well maintainable, scalable, modular
▪ Design patterns
▪ Complex frameworks
http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
https://github.com/mattifestation/PIC_Bindshell (Windows Shellcode in C)
Exploiting is development!
▪ Before, you could write a PoC for an exploit as easily as hello world
▪ Things are getting complex
▪ Now with the same style you can end up with an unreadable masterpiece
▪ Next time you have a good time rewriting a lot of the same logic
▪ And at the end you end up with black-boxes chained together with black-magic, somehow working
▪ Something will change … start fixing the black-box
Exploitation framework can be powerful
▪ UserCode in kernel allowed!
– Kernel code hidden inside binary
– Fully c++ driver!
▪ Mixing User & Kernel code
– just avoid directly linking imported kernel functions!
– Also avoid mixing um & km headers together at compile time ;)
– Compile standalone kernel code as .lib
– link kernel code .lib to exploit .exe
KERNEL as exploitation VECTOR
1. Copy whole PE to RWE kernel page
   ExAllocatePool(NonPagedPoolExecute, SizeOfImage);
2.
3. Fix relocations
4. resolve kernel part of Import table
Ready for exec with CPL0!
CPL Teleport
Rise of C++, no more shellcoding!
1. Mixing user & kernel code
2. no imports
3. c++
4. relocations
5. Dynamic loader
Rise of C++, no more shellcoding!
1. c++ kernel code
2. Compiled with user mode code
3. No Imports, but that does not impact code
C++ ‘shellcoding’ framework
▪ no import table
▪ no need to handle imports on your own
▪ .py scripts set up all imports
▪ no need to write position independent code
▪ fixups resolved by loader
▪ C++ (partially also std & boost) supported
▪ no need to ship kernel code as resource, or shellcode
▪ no need for a special coding style for the kernel module, classical developing
▪ All features (c++, imports, fixups..) apply to kernel code as well
http://www.zer0mem.sk/?p=517
http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm
http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C
C++ ‘shellcoding’ framework 
https://github.com/k33nteam/cc-shellcoding 
releasing very soon @K33nTeam
materials
(not listed in slides before)
– http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial
– www.bitnuts.de/KernelBasedMonitoring.pdf
– https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture-client/KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c
– http://www.osronline.com/article.cfm?article=199
Acknowledgements. Thanks to : jfang, liac, rafal wojtczuk, wushi, nforest, NTarakanov, j00ru, aionescu, cesarcer, dan rosenberg, krzywix, maxim
We are hiring! 
▪ #1 vulnerability research team in China 
– http://www.k33nteam.org/cvelist.htm 
– pwn2own 
▪ Enjoying research ? 
– Mobile (Android, iOS, WP) 
– PC (Windows, OS X, Chrome OS, etc.) 
▪ Willing to move to Shanghai ? 
– Beijing ? 
▪ Want to join our team ?
– Application security
– Kernel security
hr (at) keencloudtech.com
2014 - $500,000 
2015 - $???????? Pick a device, name your own challenge!
follow us 
@K33nTeam 
Thank You. 
Q & A 
peter (at) keencloudtech.com
