SlideShare uma empresa Scribd logo

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

N
NoSuchCon

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

Tecnologia
1 de 52
Baixar para ler offline
Attack on the Core! @zer0mem
#whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
Part 1 -> KernelIo tech
Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
Read & Write boosting [windows]
 KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf Read & Write boosting [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
 PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo http://vulnfactory.org/research/stackjacking-infiltrate11.pdf Read & Write boosting [linux / droids]
Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
Part 2 -> cases
Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO - SMAP 5. but sometimes PXN
Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/ http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf
Part 3 -> design features (flaws)
Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
Part 4 -> state of exploitation
before win8.1 POOL HARDENING SMEP SMAP PLAIN PTRS “KASLR” NtQuerySysInfo even kids … … do pwn
Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented Strong complex access control policy Well randomized kernel space Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
Rebirth to K E R N E L Developing begins
CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
Kernel monitoring [IoCompletion] ▪ IoCompletion – MonitorALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
come on … why shellcoding or pure c ? C++
Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
1. 2. 3. 4. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); Fix Rellocations resolve kernel part of Import table Ready for exec with CPL0! CPLTeleport KERNEL as exploitation VECTOR
Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm
C++ ‘shellcoding’ framework https://github.com/k33nteam/cc-shellcoding releasing very soon @K33nTeam
materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture- client/KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
jfang liac wushi nforest NTarakanov j00ru aionescu Acknowledge Thanks to : cesarcer dan rosenberg rafal wojtczuk krzywix maxim
We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS,WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
Q & A Thank You. follow us @K33nTeam peter (at) keencloudtech.com

Recomendados

Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 

Recomendados

Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
jaredhaight
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
Honorary_BoT
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
jaredhaight
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
Vedran Krivokuca
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew Suarez
Shakacon
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
CODE BLUE
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 
Using Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled WorldUsing Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled World
Frank Hunleth
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
idsecconf
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 

Mais conteúdo relacionado

Mais procurados

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
Csaba Fitzl
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew Suarez
Shakacon
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
CODE BLUE
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
Csaba Fitzl
 

Mais procurados (20)

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew Suarez
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Using Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled WorldUsing Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled World
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 

Semelhante a NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
idsecconf
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
Enrico Scapin
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
 

Semelhante a NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core (20)

Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
MattsonTutorialSC14.pdf
MattsonTutorialSC14.pdfMattsonTutorialSC14.pdf
MattsonTutorialSC14.pdf
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Audit
AuditAudit
Audit
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetes
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersThree Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside Containers
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 

Mais de NoSuchCon

Mais de NoSuchCon (16)

NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
 

Último

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Último (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

  • 2. #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
  • 3. outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
  • 4. Part 1 -> KernelIo tech
  • 5. Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
  • 6. Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
  • 7. Read & Write boosting [windows]
  • 8.  KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf Read & Write boosting [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
  • 9. Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
  • 10.  PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo http://vulnfactory.org/research/stackjacking-infiltrate11.pdf Read & Write boosting [linux / droids]
  • 11. Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
  • 12. MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
  • 13. Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
  • 14. KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
  • 15. Part 2 -> cases
  • 16. Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO - SMAP 5. but sometimes PXN
  • 17. Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
  • 18. kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
  • 19. KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
  • 20. KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/ http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf
  • 21. Part 3 -> design features (flaws)
  • 22. Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
  • 23. Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
  • 24. Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
  • 25.
  • 26. Part 4 -> state of exploitation
  • 28. Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
  • 29. Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented Strong complex access control policy Well randomized kernel space Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
  • 30. Rebirth to K E R N E L Developing begins
  • 31. CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
  • 32. Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
  • 33. Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
  • 34. Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
  • 35. Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
  • 36. Kernel monitoring [IoCompletion] ▪ IoCompletion – MonitorALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
  • 37. Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
  • 38. SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
  • 39. come on … why shellcoding or pure c ? C++
  • 40. Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
  • 41. Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
  • 42. Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
  • 43. 1. 2. 3. 4. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); Fix Rellocations resolve kernel part of Import table Ready for exec with CPL0! CPLTeleport KERNEL as exploitation VECTOR
  • 44. Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
  • 45. Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
  • 46. C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm
  • 48. materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture- client/KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
  • 49. jfang liac wushi nforest NTarakanov j00ru aionescu Acknowledge Thanks to : cesarcer dan rosenberg rafal wojtczuk krzywix maxim
  • 50. We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS,WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
  • 51. 2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
  • 52. Q & A Thank You. follow us @K33nTeam peter (at) keencloudtech.com