SlideShare a Scribd company logo

Vulnerability desing patterns

Download as PPTX, PDF
P
Peter Hlavaty

This document discusses vulnerability design patterns for kernel exploitation. It outlines several common vulnerability classes for the kernel including out of boundary errors, buffer overflows, and null pointer writes. It provides examples of how these vulnerabilities could be used to achieve kernel code execution or privilege escalation. It also notes how kernel exploitation techniques have evolved over time to bypass defenses like KASLR and discusses developing exploitation tools instead of just shellcode.

Software
1 of 31
Downloaded 146 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Vulnerability design PATTERNS case: Kernel mode
PAST
Environment for exploitation Simple ioctl W^X NX KASLR Hardened Pool SMEP SMAP
Why kernel exploitation Full control of system Simple exploitation Simple bugs
KERNEL ESCAPE few lines of code, simple, effective – for that time Modified sample from : https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb
EVOLUTION
Exploitation hierarchy User Elevated user (admin / root) supervisor
Past exploitation shortcut User Elevated user (admin / root) supervisor
Present (+-) & Future : Step by step User Elevated user (admin / root) Supervisor • DEP, ASLR, SEHOP, ProtectedFree, Isolated Heap, CFG, Virtual Table Guards, EMET... • sandbox, SELinux and alikes • KASLR, SMEP, SMAP, ..
Why kernel escape • Going to be more and more difficult, but ... • still .. sometimes easier .. shortcut • Natural bypass of SELinux • Full control (cpl0 > cpl3) • for now do not considering cpl-1, ...
exploitation ==> developing • In past was very easy elevate privileges • Now everything is fast moving • You need to adapt to all changes & diversity • Things are getting more complex • Your exploitation code is expanding dramatically • Every change can broke your black-box • + Process of exploitation need more than ioctl • Race conditions, complex mechanism break (ttf), sandbox escapes ...
VULNERABILITY DESIGN PATTERNS kernel case
selected vulnerability classes • Out Of Boundary • Basic types Over/Under flows • Stack overflows • Buffer overflows • nullptr writes • Race conditions –not generic, but ... • may create other bug from above group
Out Of Boundary Simple, mighty, generic
OOB • Read • Write • SMAP – limitation, but not eliminate oob • GENERIC approach
Basic type Over/Under-flow Generic, simple and useful when it comes to aligned rw
Stack Overflow sometimes protected, sometimes not .. local vars ? .. depends on compilation ..
Stack overview • Local vars • canaries • Protect ret & args • ... sometimes ... missing • UNprotected inner calls ? • Arg in main func preserved in register • Inner call invoked, register may be putted onto stack • Rewrite arg (or directly ret) on stack in inner call • Return to main func with altered arg (in register) • Can help more than it seems ;) • Controlled copy, overwrite save your day
Buffer Overflow Common case, can be also byproduct, heap hardening can be problem
Buffer overview • Windows kernel pool, SLUB • not so predictable anymore • but still far from not-predictable at some level • kmalloc • targeted kmalloc from user mode ? • not so hard as can seems • help with predictability • Pool spray • thread, process, pipe, socket ... • caches (linux) • can be problem for precise pool layout, but can be solved
nullptr pwn spray, write, pwn .. 64b bit more effort ...
user part of cake Pool spray kmalloc Pipes ThreadsLocks ret2dir Kernel IO
kernel pool pipes, threads .. kmalloc .. spray
Kernel IO If doable, then almighty ...
workers, locks, helpers a lot of common issues per vuln task
CODING STYLE MATTERS
Elevation of Privilages USER • Find nt!_eprocess / thread_info • Patch credentials • Bypass ACL policy • Reverse engineer per policy • Implement • Keep up to date • Good if not change frequently .. Not that case  KERNEL • Elevate process • Grant access important operations (callbacks) • File access • Process access • Registry access • Network • How effective without framework ?
Kernel part of cake • Boosting privs • Why patching ? • Recognize and grant access instead • No LKM ? Are you sure ? • Kernel exploitation may be equals to enable LKM
CC-shellcoding framework • developing instead of shellcoding ? • C++, boost, std ? • Loading your own kernel modules ? https://github.com/k33nteam/cc-shellcoding more info : http://www.k33nteam.org/blog.htm - CC-SHELLCODING @KEENTEAM
2014 - $500,000 2015 - $??????? Pick a device, name your own challenge!
We are hiring!  Kernel & app sec  A LOT of research  mobile, pc  M$, android, OSX .. Thank You! Q & A @K33nTeam

More Related Content

PPTX
Guardians of your CODE
Peter Hlavaty
 
PPTX
Back to the CORE
Peter Hlavaty
 
PPTX
Racing with Droids
Peter Hlavaty
 
PPTX
Power of linked list
Peter Hlavaty
 
PPTX
Attack on the Core
Peter Hlavaty
 
PPTX
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
PDF
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Guardians of your CODE
Peter Hlavaty
 
Back to the CORE
Peter Hlavaty
 
Racing with Droids
Peter Hlavaty
 
Power of linked list
Peter Hlavaty
 
Attack on the Core
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 

What's hot (20)

PDF
When is something overflowing
Peter Hlavaty
 
PPTX
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
PDF
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
PPTX
Security research over Windows #defcon china
Peter Hlavaty
 
PPTX
How Safe is your Link ?
Peter Hlavaty
 
PPTX
Hacking - high school intro
Peter Hlavaty
 
PDF
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
PPTX
Steelcon 2014 - Process Injection with Python
infodox
 
PPTX
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
PDF
Packers
Ange Albertini
 
PPTX
Practical Windows Kernel Exploitation
zeroSteiner
 
PDF
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
PDF
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
PDF
Modern Evasion Techniques
Jason Lang
 
PPTX
Software to the slaughter
Quinn Wilton
 
PDF
Process injection - Malware style
Sander Demeester
 
PDF
Is That A Penguin In My Windows?
zeroSteiner
 
PDF
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Priyanka Aash
 
PPTX
BSides Hannover 2015 - Shell on Wheels
infodox
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
When is something overflowing
Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Security research over Windows #defcon china
Peter Hlavaty
 
How Safe is your Link ?
Peter Hlavaty
 
Hacking - high school intro
Peter Hlavaty
 
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
Steelcon 2014 - Process Injection with Python
infodox
 
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
Packers
Ange Albertini
 
Practical Windows Kernel Exploitation
zeroSteiner
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
Modern Evasion Techniques
Jason Lang
 
Software to the slaughter
Quinn Wilton
 
Process injection - Malware style
Sander Demeester
 
Is That A Penguin In My Windows?
zeroSteiner
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Priyanka Aash
 
BSides Hannover 2015 - Shell on Wheels
infodox
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Ad

Similar to Vulnerability desing patterns (20)

PDF
New hope is comming? Project Loom.pdf
Krystian Zybała
 
PDF
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
PDF
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
srisatish ambati
 
PPTX
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Nikolay Savvinov
 
PDF
Ansible 101 - Presentation at Ansible STL Meetup
Jeff Geerling
 
PDF
Ceph in the GRNET cloud stack
Nikos Kormpakis
 
PDF
LXC Containers and AUFs
Docker, Inc.
 
PPTX
Inferno Scalable Deep Learning on Spark
DataWorks Summit/Hadoop Summit
 
PDF
Scale11x lxc talk
dotCloud
 
PDF
Java Performance Analysis on Linux with Flame Graphs
Brendan Gregg
 
PDF
Experiences with Debugging Data Races
Azul Systems Inc.
 
PDF
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
rhatr
 
PDF
Running Applications on the NetBSD Rump Kernel by Justin Cormack
eurobsdcon
 
KEY
Andy Parsons Pivotal June 2011
Andy Parsons
 
PPTX
Go Faster with Ansible (PHP meetup)
Richard Donkin
 
PDF
Lect06
Vin Voro
 
PDF
What Linux can learn from Solaris performance and vice-versa
Brendan Gregg
 
KEY
20100425 Configuration Management With Puppet Lfnw
garrett honeycutt
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
PPTX
Ceph Deployment at Target: Customer Spotlight
Colleen Corrice
 
New hope is comming? Project Loom.pdf
Krystian Zybała
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
srisatish ambati
 
Using the big guns: Advanced OS performance tools for troubleshooting databas...
Nikolay Savvinov
 
Ansible 101 - Presentation at Ansible STL Meetup
Jeff Geerling
 
Ceph in the GRNET cloud stack
Nikos Kormpakis
 
LXC Containers and AUFs
Docker, Inc.
 
Inferno Scalable Deep Learning on Spark
DataWorks Summit/Hadoop Summit
 
Scale11x lxc talk
dotCloud
 
Java Performance Analysis on Linux with Flame Graphs
Brendan Gregg
 
Experiences with Debugging Data Races
Azul Systems Inc.
 
You Call that Micro, Mr. Docker? How OSv and Unikernels Help Micro-services S...
rhatr
 
Running Applications on the NetBSD Rump Kernel by Justin Cormack
eurobsdcon
 
Andy Parsons Pivotal June 2011
Andy Parsons
 
Go Faster with Ansible (PHP meetup)
Richard Donkin
 
Lect06
Vin Voro
 
What Linux can learn from Solaris performance and vice-versa
Brendan Gregg
 
20100425 Configuration Management With Puppet Lfnw
garrett honeycutt
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Ceph Deployment at Target: Customer Spotlight
Colleen Corrice
 
Ad

Recently uploaded (20)

PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Introduction to Artificial Intelligence
lohedi9363
 

Vulnerability desing patterns

  • 3. Environment for exploitation Simple ioctl W^X NX KASLR Hardened Pool SMEP SMAP
  • 4. Why kernel exploitation Full control of system Simple exploitation Simple bugs
  • 5. KERNEL ESCAPE few lines of code, simple, effective – for that time Modified sample from : https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb
  • 8. Past exploitation shortcut User Elevated user (admin / root) supervisor
  • 9. Present (+-) & Future : Step by step User Elevated user (admin / root) Supervisor • DEP, ASLR, SEHOP, ProtectedFree, Isolated Heap, CFG, Virtual Table Guards, EMET... • sandbox, SELinux and alikes • KASLR, SMEP, SMAP, ..
  • 10. Why kernel escape • Going to be more and more difficult, but ... • still .. sometimes easier .. shortcut • Natural bypass of SELinux • Full control (cpl0 > cpl3) • for now do not considering cpl-1, ...
  • 11. exploitation ==> developing • In past was very easy elevate privileges • Now everything is fast moving • You need to adapt to all changes & diversity • Things are getting more complex • Your exploitation code is expanding dramatically • Every change can broke your black-box • + Process of exploitation need more than ioctl • Race conditions, complex mechanism break (ttf), sandbox escapes ...
  • 13. selected vulnerability classes • Out Of Boundary • Basic types Over/Under flows • Stack overflows • Buffer overflows • nullptr writes • Race conditions –not generic, but ... • may create other bug from above group
  • 14. Out Of Boundary Simple, mighty, generic
  • 15. OOB • Read • Write • SMAP – limitation, but not eliminate oob • GENERIC approach
  • 16. Basic type Over/Under-flow Generic, simple and useful when it comes to aligned rw
  • 17. Stack Overflow sometimes protected, sometimes not .. local vars ? .. depends on compilation ..
  • 18. Stack overview • Local vars • canaries • Protect ret & args • ... sometimes ... missing • UNprotected inner calls ? • Arg in main func preserved in register • Inner call invoked, register may be putted onto stack • Rewrite arg (or directly ret) on stack in inner call • Return to main func with altered arg (in register) • Can help more than it seems ;) • Controlled copy, overwrite save your day
  • 19. Buffer Overflow Common case, can be also byproduct, heap hardening can be problem
  • 20. Buffer overview • Windows kernel pool, SLUB • not so predictable anymore • but still far from not-predictable at some level • kmalloc • targeted kmalloc from user mode ? • not so hard as can seems • help with predictability • Pool spray • thread, process, pipe, socket ... • caches (linux) • can be problem for precise pool layout, but can be solved
  • 21. nullptr pwn spray, write, pwn .. 64b bit more effort ...
  • 22. user part of cake Pool spray kmalloc Pipes ThreadsLocks ret2dir Kernel IO
  • 23. kernel pool pipes, threads .. kmalloc .. spray
  • 24. Kernel IO If doable, then almighty ...
  • 25. workers, locks, helpers a lot of common issues per vuln task
  • 27. Elevation of Privilages USER • Find nt!_eprocess / thread_info • Patch credentials • Bypass ACL policy • Reverse engineer per policy • Implement • Keep up to date • Good if not change frequently .. Not that case  KERNEL • Elevate process • Grant access important operations (callbacks) • File access • Process access • Registry access • Network • How effective without framework ?
  • 28. Kernel part of cake • Boosting privs • Why patching ? • Recognize and grant access instead • No LKM ? Are you sure ? • Kernel exploitation may be equals to enable LKM
  • 29. CC-shellcoding framework • developing instead of shellcoding ? • C++, boost, std ? • Loading your own kernel modules ? https://github.com/k33nteam/cc-shellcoding more info : http://www.k33nteam.org/blog.htm - CC-SHELLCODING @KEENTEAM
  • 30. 2014 - $500,000 2015 - $??????? Pick a device, name your own challenge!
  • 31. We are hiring!  Kernel & app sec  A LOT of research  mobile, pc  M$, android, OSX .. Thank You! Q & A @K33nTeam