
The Hacking Games - Operation System Vulnerabilities Meetup 29112022


Our technology, work processes, and activities all depend on Operating Systems being safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hackers can compromise an Operating System, bypass the AntiVirus protection layer and exploit Linux eBPF.


1. Join Us: https://www.linkedin.com/company/application-security-virtual-meetups (QR link)
2. Enso.security - The Code OS: IDE Risks. The developer's attack surface. Omer Yaron, Research
3. Omer Yaron
   ● Head of Research at Enso.security
   ● Securing scale cloud-computing and serverless environments
   ● Former Incident response and digital forensics @ Israel National Cyber Directorate
   ● Former Mentor for Israel's national cyber education program
4. Agenda: What is an IDE? Developers and supply chain attacks. Research of IDE extensions/plugins. Findings. Takeaways.
5. IDE: Integrated Development Environment. Why and how.
6. Integrated Development Environment (Microsoft - VS Code; JetBrains - IntelliJ IDEA). An integrated development environment (IDE) is a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of at least a source code editor, build automation tools and a debugger. (From Wikipedia)
7. Developers and supply chain attacks
8. Supply chain and malicious packages (Google Trends). Some context: Dependency Confusion, Feb 2021; ESLint-scope incident, Jul 2018; Log4shell, Dec 2021; Biden's executive order, May 2021; and more...
9. Research of IDE extensions/plugins
10. What did we want to check?
    ● Can we use supply-chain malicious-package attacks against IDE plugins?
      ○ Can anonymous users publish packages?
      ○ Are name-squatting attacks possible?
      ○ Star-jacking?
      ○ Download counter manipulation?
      ○ Indication of validity?
11. Findings. Can you guess?
12. VS Code - Create: https://code.visualstudio.com/api/get-started/your-first-extension
13. VS Code - Publish: https://code.visualstudio.com/api/working-with-extensions/publishing-extension
14. VS Code
15. VS Code
16. VS Code - add credibility
17. VS Code - add credibility - Star-jacking
18. VS Code - Verified package? https://code.visualstudio.com/api/working-with-extensions/publishing-extension
19. VS Code - Verified package?
20. VS Code - Last thing - counter?
21. VS Code - Last thing - counter?
22. VS Code - Last thing - Install counter?
23. IntelliJ: https://plugins.jetbrains.com/docs/intellij/plugin-github-template.html
24. IntelliJ - what more? https://plugins.jetbrains.com/docs/marketplace/custom-pages.html
25. IntelliJ - what more?
26. Takeaways. What did we learn?
27. Takeaways: Code is a vast and constantly changing resource.
    ● IDEs are a potential threat!
    ● Developers' awareness of this threat, and tools to assess an extension's security, are lacking
    ● Code repositories hold crucial security-relevant data
    ● It is easy, free and anonymous to publish publicly available extensions/plugins
    ● Follow up - hunt for malicious extensions/plugins
    (Original blog post)
28. Thank you. Questions?
29. Some extra time? (CVE-2022-30129) Deep links allow for code execution: vscode:// and vscode-insiders://. Reference: https://blog.sonarsource.com/securing-developer-tools-argument-injection-in-vscode
30. Malware Analysis - Red Team Edition. Uriel Kosayev - @MalFuzzer
31. Think like fluid water, not like a rigid rock. Think and operate like a criminal. Help security grow and become better.
32. To learn Malware Analysis!
33. root@caliber/# Uriel Kosayev: Book Author; Founder of MalwareAnalysis.co; Red Team Tech Leader; Malware Researcher; YouTuber, Blogger & Lecturer. Twitter handle: @MalFuzzer
34. But before the show begins!
35. What is Malware Analysis?
36. The art of analyzing and researching malicious software behavior and patterns.
37. Static Analysis → Automated Analysis → Dynamic Analysis → Reverse Engineering (harder)
38. What is Red Teaming?
39. Red Teaming is not about achieving DA! Red Teaming is about simulating real-world threats!
40. The purpose of Red Teams is to provide a real-world picture of business-related threats:
    • Act like the adversary based on accurate TI of threat actors targeting your business
    • Simulate potential threat actors' TTPs as accurately as possible
    • To help the organization grow its security posture
41. A Red Teamer must have an adversarial mindset
42. But mom always told us to stay away from bad guys... Oh so sweet! ☺
43. Now behold the real power of Red Teaming!
44. Cobalt Strike!
45. So why not do things like this?!
46. Malware Analysis + Red Teaming == 0x4C6F7665 (Love)
47. Now don't get me wrong!
48. Both Malware Analysis and Red Teaming are not about the tools one is using, but about the ability to research and understand technical and abstract concepts
49. So why does Malware Analysis need to concern Red Teamers?
50. Because the bad guys do!
51. Threat actors evolve by learning and leveraging the craft and TTPs found by researching malware samples in the wild. So why can't Red Teamers do the same?!
52. The Malware Development Life-Cycle (MDLC)
53. MDLC stages: Malware Development → Tests and QA → Malware Defense Bypass Techniques → Offline AV/EDR Testing → IoC Collection and Removal → Operational Use and TI Feed
54. You do not have to develop your malware from zero. Learn from real-world malware samples and incidents.
55. DarkSide Ransomware - Seek & Hide: Runtime Code Decryption & Dynamic API Resolve
56. No functions in the IAT!
57. Packed/Encrypted PE Sections
58. Runtime Unpacking/Decryption
59. Dynamic API Resolve
60. And voilà! A runtime-built IAT for you
61. Bypass Techniques Implementation: Rename Obfuscation & Memory Bombing
62. Let's take a simple reverse shell
63. Look for IoCs in the compiled malware
64. Rename/obfuscate variables and strings
65. Validate IoC removal
66. BOMB the memory!
67. And now for the detection test results!
68. Before Rename Obfuscation & Memory Bombing
69. After Rename Obfuscation & Memory Bombing
70. Some important tips for success
71. • Always understand your tools and malware
    • Go as deep as possible; you will be surprised at what you will learn
    • Learn Malware Analysis to understand and think like a blue teamer
    • Research malware to gain deeper knowledge and inspiration
    • Follow the MDLC model; malware development is like any other SDLC process
    • Be curious, passionate, and innovative
    • And take some breaks in between!
72. Cooperation!
73. Threat Intelligence → Red Team → Adversary Simulation
74. Adversary Simulation → Blue Team → Better Security & Monitoring
75. Think like fluid water, not like a rigid rock. Think and operate like a criminal. Help security grow and become better.
76. Malware Analysis Tools and More! https://MalwareAnalysis.co
77. Thank you!
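The "Packed/Encrypted PE Sections" and "Look for IoCs in the compiled malware" slides above describe two checks an analyst runs against a compiled sample before anything is executed. The script below is an added example written for this page, not code from the talk or from MalwareAnalysis.co: it computes per-chunk Shannon entropy to spot packed or encrypted regions, and extracts ASCII and UTF-16LE strings to flag IoC-looking values (IPv4 addresses, URLs, and a short constructed list of Windows API names). The function names, the entropy threshold and the sample bytes (a cleartext region carrying reverse-shell-style strings, followed by SHA-256-derived pseudo-random bytes standing in for a packed section) are all assumptions constructed for the example, not real malware.

```python
"""Static triage helpers: flag packed/encrypted regions by entropy and pull
IoC-looking strings out of a compiled binary. Added example, not code from the
talk; the sample bytes are constructed here and are not real malware."""
import hashlib
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_chunks(data: bytes, chunk: int = 512,
                        threshold: float = ENTROPY_THRESHOLD) -> list[tuple[int, float]]:
    """Return (offset, entropy) for every fixed-size chunk at or above the threshold."""
    hits = []
    for off in range(0, len(data), chunk):
        ent = shannon_entropy(data[off:off + chunk])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """ASCII and UTF-16LE printable runs, the same thing `strings` would report."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.decode("ascii") for m in ascii_run.findall(data)]
    found += [m.decode("utf-16le") for m in wide_run.findall(data)]
    return found


# Patterns an analyst scans extracted strings for; the API list is a small constructed subset.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "suspicious_api": re.compile(
        r"\b(?:WSASocketA|CreateProcessA|VirtualAlloc|LoadLibraryA|GetProcAddress)\b"),
}


def find_iocs(strings: list[str]) -> list[tuple[str, str]]:
    """Tag every string fragment that matches one of the IoC patterns."""
    return [(kind, m) for s in strings
            for kind, pat in IOC_PATTERNS.items() for m in pat.findall(s)]


def triage(data: bytes) -> dict:
    """One-shot report: overall entropy, high-entropy chunks and IoC hits."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "high_entropy_chunks": high_entropy_chunks(data),
        "iocs": find_iocs(printable_strings(data)),
    }


def _pseudo_random(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for an encrypted section (chained SHA-256 output)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample: a cleartext region that still carries reverse-shell IoCs,
# followed by a high-entropy region standing in for a packed/encrypted section.
PLAIN_REGION = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"WSASocketA\x00CreateProcessA\x00cmd.exe\x00"
    + b"10.0.0.5:4444\x00"
    + "http://c2.example.invalid/stage2".encode("utf-16le") + b"\x00\x00"
)
PLAIN_REGION += b"\x00" * (512 - len(PLAIN_REGION))
PACKED_REGION = _pseudo_random(2048)
SAMPLE = PLAIN_REGION + PACKED_REGION

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"overall entropy: {report['entropy']}")
    for off, ent in report["high_entropy_chunks"]:
        print(f"  high-entropy chunk at 0x{off:04x}: {ent}")
    for kind, value in report["iocs"]:
        print(f"  ioc [{kind}]: {value}")
```

The cleartext region trips every IoC pattern while its entropy stays low, and the pseudo-random region shows the opposite profile: no useful strings, entropy well above the threshold. That pairing is exactly what the "before" and "after" detection slides hinge on, so a validation step that only greps for strings misses the second signal, and one that only measures entropy misses the first.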
78. The Good, Bad and Compromisable Aspects of Linux eBPF. Matan Liber, Research Team Lead @ Pentera
79. About me:
    • 25 years old
    • Served in a classified unit in the IDF, specializing in malware analysis, reverse engineering and incident response
    • Worked at Pentera for 2 years (current Team Lead)
    • Areas of research: vulnerability hunting and exploitation, CodeQL, Linux lateral movement
80. AMA: Feel free to ask questions! I'll be sure to answer them at the end of the presentation.
81. What is eBPF?
    • Technology for operating systems that allows programs to analyze network traffic
    • Provides a raw interface to data link layers (i.e. Layer 2 connectivity), allowing a user space process to supply a filter program specifying which packets it wants to receive
    [Diagram: eBPF programs attached at several points inside the Linux kernel: the syscall layer (write()/read(), sendmsg()/recvmsg()), the VFS / block device / storage path, and the sockets / TCP-IP / network device path]
82. What is eBPF? 11 registers, a 512-byte stack, x86 assembly-like instructions
83. eBPF attack surface: eBPF allows a user mode process to supply a program which will run with kernel mode privileges. A malicious payload with kernel mode privileges basically compromises the entire system!
84. eBPF verifier: prevents the user-provided program from acting maliciously
    • Pointer bounds checking
    • Verifies that stack reads are preceded by stack writes
    • Disallows writing pointers to the stack
    • And much more...
85. CVE-2022-23222
    • eBPF has several types of pointers, some of which have the phrase `OR_NULL` in their names, used for operations that may yield null
    • Pointer arithmetic should not be allowed for this type of pointer
    • Due to improper type checking, pointer arithmetic is allowed for some of these types
    • Can lead to Privilege Escalation
86. BPF Maps. What are Maps used for?
    • Program state
    • Program configuration
    • Share data between programs
    • Share state, metrics and statistics with user space
    Map types: hash tables, arrays; LRU (Least Recently Used); ring buffer; stack trace; LPM (Longest Prefix Match)
    Memory layout: Map Struct (metadata) followed by Map Value (data)
    [Diagram: controller and admin syscalls reach a BPF map inside the Linux kernel, shared with eBPF programs attached at the sockets / TCP-IP / network device path]
87. Exploitation
    • Historically exploited using BPF maps underflow
    • Map struct members overwrite can lead to local privilege escalation
    [Diagram: Map Struct, Map Value]
88. Exploitation - Step 1
    • Bypass the verifier: make some sort of action that is supposed to be prohibited
    • Using a series of carefully crafted instructions, we can achieve a state in which the register holds the value X, but the verifier believes the value is 1
89. How can we use it to our advantage?
90. Exploitation - Ideal scheme
    • R0 = Map value pointer
    • R1 = Invalid register holding X (verifier thinks it's 0)
    • R0 = R0 - R1
    • Store data at R0
    [Diagram: Map Struct, Map Value]
91. Exploitation - Verifier (same sequence as the ideal scheme)
    • R0 = Map value pointer
    • R1 = Invalid register holding X (verifier thinks it's 0)
    • R0 = R0 - R1
    • Store data at R0
    ALU sanitation renders the subtraction obsolete (R0 = R0 - 0).
92. Exploitation - Step 2
    • We need to find a way to achieve some kind of overflow/underflow that the verifier does not intervene with
    • No pointer arithmetic!
93. Exploitation - Step 2 - BPF helpers. What helpers exist?
    • Random numbers
    • Get current time
    • Map access
    • Get process/cgroup context
    • Manipulate network packets and forwarding
    • Access socket data
    • Perform tail call
    • Access process stack
    • Access syscall arguments
    [Diagram: a user process and eBPF programs alongside the sockets / TCP-IP / network device path of the Linux kernel]
94. Exploitation - Step 2 - BPF helpers
    • bpf_skb_load_bytes(skb, len, to)
    • Used to read data from a packet into memory
    • Using `to` as a pointer to a map and our invalid register as the `len` value, we can write to it
95. Exploitation - Verifier: the verifier would normally block us if we try to write out of bounds
96. Exploitation - Step 2
    • Using our pointer from step 1, which holds the value X but the verifier thinks is 1, we can trick the verifier into thinking we are still in bounds
    • We have successfully achieved out-of-bounds read and write!
    [Diagram: Map Struct, Map Value, memory beyond the map]
97. How can we use it to our advantage?
98. Exploitation. But what we wanted was: [Diagram: Map Struct, Map Value]
99. Exploitation. What if we could get the following layout: [Diagram: Map Struct, Map Value, Map Struct, Map Value]
100. Exploitation
    • We want to allocate two maps that would reside one after the other
    • Allocation order is random: we are not guaranteed that the maps will be allocated contiguously
    [Diagram: two maps separated by unknown memory]
101. Exploitation - step 3
    • We can control map values
    • Keep allocating maps and assign each map a unique value
    [Diagram: Map A holding value A, Map B holding value B, separated by unknown memory]
102. Exploitation - step 3
    • Now read out of bounds from our maps
    • Most likely at the start we won't find anything interesting
103. Exploitation - step 3
    • But after allocating enough maps we can be certain we have two contiguous maps by encountering one of our generated values at an expected offset
    [Diagram: Map B, Map C and Map A, with Map C contiguous to its neighbor]
104. Exploitation - step 3
    • Finally, we can use our out-of-bounds write to apply the tried-and-true map structure overwrite technique for LPE
    • Reference: Linux Kernel Privilege Escalation via Improper eBPF Program Verification - Manfred Paul
105. About Me
106. Conclusion
    • Went from a relatively small bug to full-blown LPE
    • New technique to achieve map structure overwrite using map value overflows
107. Thank you! Questions? To be continued... Join us: https://www.linkedin.com/company/application-security-virtual-meetups
