DATA-ONLY PWNING MICROSOFT WINDOWS KERNEL: EXPLOITATION OF KERNEL POOL OVERFLOWS ON MICROSOFT WINDOWS 8.1

1 DATA-ONLY PWNING MICROSOFT WINDOWS KERNEL: EXPLOITATION OF KERNEL POOL OVERFLOWS ON MICROSOFT WINDOWS 8.1

Nikita Tarakanov, Moscow, Russia. ZeroNights 2014, 14th of November 2014

2 Agenda

- Introduction
- Pool super basics
- Previous attacks
- New idea
- Mitigations
- Q&A

3 Introduction

- Ring3 applications (IE, Adobe Reader, Flash Player, MS Office etc.) are the first attack vector
- Not a privileged level
- Sandboxes (IE EPM, Reader sandbox, Chrome sandbox etc.)
- Need to get to Ring0 to be able to do the fancy stuff
- So, Elevation of Privilege (R3->R0) exploits/vulnerabilities are critical
- Good examples: Pwn2Own 2013/2014 IE EPM sandbox escapes via kernel exploits

4 Pool basics

The following 5 slides are copy-pasted from the work of the mighty Tarjei Mandt

5 Pool Header 32-bits

kd> dt nt!_POOL_HEADER
   +0x000 PreviousSize : Pos 0, 9 Bits
   +0x000 PoolIndex    : Pos 9, 7 Bits
   +0x002 BlockSize    : Pos 0, 9 Bits
   +0x002 PoolType     : Pos 9, 7 Bits
   +0x004 PoolTag      : Uint4B

- PreviousSize: BlockSize of the preceding chunk
- PoolIndex: index into the associated pool descriptor array
- BlockSize: (NumberOfBytes+0xF) >> 3
- PoolType: Free=0, Allocated=(PoolType|2)
- PoolTag: 4 printable characters identifying the code responsible for the allocation

6 Pool Header 64-bits

kd> dt nt!_POOL_HEADER
   +0x000 PreviousSize  : Pos 0, 8 Bits
   +0x000 PoolIndex     : Pos 8, 8 Bits
   +0x000 BlockSize     : Pos 16, 8 Bits
   +0x000 PoolType      : Pos 24, 8 Bits
   +0x004 PoolTag       : Uint4B
   +0x008 ProcessBilled : Ptr64 _EPROCESS

- BlockSize: (NumberOfBytes+0x1F) >> 4 (256 ListHeads entries due to the 16 byte block size)
- ProcessBilled: pointer to the process object charged for the pool allocation (used in quota management)
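The two header layouts on slides 5 and 6 are the input to any pool-scanning or pool-integrity check. As an added example (the editor's own code, not from the talk or from Tarjei Mandt's work), the Python below decodes both layouts from raw bytes using the bit positions given on the slides, reproduces the two BlockSize formulas, and walks a constructed page of x86 chunks verifying that each header's PreviousSize equals the previous chunk's BlockSize, the linkage that an overflow from the preceding chunk breaks. The sample chunk bytes, pool tags and the ProcessBilled value are constructed.

```python
import struct


def decode_pool_header32(raw):
    """Decode an 8-byte x86 _POOL_HEADER: two 16-bit bitfield words plus the tag."""
    if len(raw) < 8:
        raise ValueError("x86 pool header is 8 bytes")
    w0, w1, tag = struct.unpack_from("<HHI", raw, 0)
    pool_type = (w1 >> 9) & 0x7F
    return {
        "PreviousSize": w0 & 0x1FF,         # Pos 0, 9 bits
        "PoolIndex": (w0 >> 9) & 0x7F,      # Pos 9, 7 bits
        "BlockSize": w1 & 0x1FF,            # Pos 0, 9 bits
        "PoolType": pool_type,              # Pos 9, 7 bits
        "PoolTag": tag.to_bytes(4, "little").decode("ascii", "replace"),
        "Allocated": bool(pool_type & 2),   # Free=0, Allocated=(PoolType|2)
    }


def decode_pool_header64(raw):
    """Decode a 16-byte x64 _POOL_HEADER: four 8-bit fields, the tag, ProcessBilled."""
    if len(raw) < 16:
        raise ValueError("x64 pool header is 16 bytes")
    dw, tag, billed = struct.unpack_from("<IIQ", raw, 0)
    pool_type = (dw >> 24) & 0xFF
    return {
        "PreviousSize": dw & 0xFF,
        "PoolIndex": (dw >> 8) & 0xFF,
        "BlockSize": (dw >> 16) & 0xFF,
        "PoolType": pool_type,
        "PoolTag": tag.to_bytes(4, "little").decode("ascii", "replace"),
        "ProcessBilled": billed,
        "Allocated": bool(pool_type & 2),
    }


def block_size_for(number_of_bytes, is_64bit):
    """BlockSize exactly as the slides state it (header plus request, rounded to block granularity)."""
    if is_64bit:
        return (number_of_bytes + 0x1F) >> 4   # 16-byte blocks
    return (number_of_bytes + 0xF) >> 3        # 8-byte blocks


def make_chunk32(prev_size, block_size, pool_type, tag, allocated=True):
    """Build a constructed x86 chunk: header followed by zeroed body (sample data, not real memory)."""
    ptype = (pool_type | 2) if allocated else 0
    w0 = prev_size & 0x1FF                       # PoolIndex left at 0
    w1 = (block_size & 0x1FF) | ((ptype & 0x7F) << 9)
    header = struct.pack("<HHI", w0, w1, int.from_bytes(tag, "little"))
    return header + bytes(block_size * 8 - 8)


def walk_pool_page32(page):
    """Walk consecutive x86 chunks and report headers whose PreviousSize does not
    match the BlockSize of the chunk before them, the check a pool-scanning or
    pool-integrity tool relies on. Returns (headers, anomalies)."""
    headers, anomalies = [], []
    off, prev_block = 0, 0
    while off + 8 <= len(page):
        h = decode_pool_header32(page[off:off + 8])
        if h["PreviousSize"] != prev_block:
            anomalies.append((off, "PreviousSize %d != previous BlockSize %d"
                              % (h["PreviousSize"], prev_block)))
        if h["BlockSize"] == 0:                 # cannot advance past a zero-sized chunk
            anomalies.append((off, "BlockSize is 0"))
            break
        headers.append((off, h))
        prev_block = h["BlockSize"]
        off += h["BlockSize"] * 8
    return headers, anomalies


# Constructed page: three allocated NonPagedPool chunks of 3, 5 and 2 blocks.
SAMPLE_PAGE = (make_chunk32(0, 3, 0, b"Aaaa")
               + make_chunk32(3, 5, 0, b"Bbbb")
               + make_chunk32(5, 2, 0, b"Cccc"))

# Constructed corruption: the first chunk overflows 8 bytes of 'A' into the second header.
CORRUPTED_PAGE = SAMPLE_PAGE[:24] + b"A" * 8 + SAMPLE_PAGE[32:]

# Constructed x64 header: PreviousSize 2, BlockSize 4, allocated NonPagedPool, tag "Tag6".
SAMPLE_HEADER64 = struct.pack("<IIQ", 0x02040002,
                              int.from_bytes(b"Tag6", "little"), 0xFFFFE00012345678)

if __name__ == "__main__":
    for off, h in walk_pool_page32(SAMPLE_PAGE)[0]:
        print("%#06x %s" % (off, h))
    print("anomalies in corrupted page:", walk_pool_page32(CORRUPTED_PAGE)[1])
    print("x64 header:", decode_pool_header64(SAMPLE_HEADER64))
```

Running the walker over the corrupted page flags the second header at offset 24 because its PreviousSize no longer matches the 3-block chunk before it; this is the same consistency that the allocator itself checks when merging or freeing, which is why pool metadata overwrites tend to crash rather than succeed silently, and why the talk moves on to object metadata instead.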

7 Free Chunks

- If a pool chunk is freed to a pool descriptor ListHeads list, the header is followed by a LIST_ENTRY structure
- Pointed to by the ListHeads doubly-linked list

kd> dt nt!_LIST_ENTRY
   +0x000 Flink : Ptr32 _LIST_ENTRY
   +0x004 Blink : Ptr32 _LIST_ENTRY

8 Allocation order

9 Merging Pool Chunks

10 Previous attacks

- Pool metadata corruption: out of scope
- Object metadata corruption (DKOHM)

11 Object Metadata

- OBJECT_HEADER
- Optional headers

[Figure: layout of an object inside its pool chunk] POOL_HEADER -> Optional Headers -> OBJECT_HEADER -> Object

12 OBJECT_HEADER

kd> dt nt!_OBJECT_HEADER
   +0x000 PointerCount       : Int4B
   +0x004 HandleCount        : Int4B
   +0x004 NextToFree         : Ptr32 Void
   +0x008 Lock               : _EX_PUSH_LOCK
   +0x00c TypeIndex          : UChar   <- Index of the pointer to the OBJECT_TYPE structure in ObTypeIndexTable
   +0x00d TraceFlags         : UChar
   +0x00d DbgRefTrace        : Pos 0, 1 Bit
   +0x00d DbgTracePermanent  : Pos 1, 1 Bit
   +0x00e InfoMask           : UChar
   +0x00f Flags              : UChar
   +0x010 ObjectCreateInfo   : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged  : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body               : _QUAD

13 ObTypeIndexTable

kd> dd nt!ObTypeIndexTable L40
81a3edc0  00000000 bad0b0b0 8499c040 849aa390
81a3edd0  84964f70 8499b4c0 84979500 84999618
81a3ede0  84974868 849783c8 8499bf70 84970b40
81a3edf0  849a8888 84979340 849aaf70 849a6a38
81a3ee00  8496df70 8495b040 8498cf70 84930a50
81a3ee10  8495af70 8497ff70 84985040 84999e78
81a3ee20  84997f70 8496c040 849646e0 84978f70
81a3ee30  8497aec0 84972608 849a0040 849a9750
81a3ee40  849586d8 84984f70 8499d578 849ab040
81a3ee50  84958938 84974a58 84967168 84967098
81a3ee60  8496ddd0 849a5140 8497ce40 849aa138
81a3ee70  84a6c058 84969c58 8497e720 85c62a28
81a3ee80  85c625f0 00000000 00000000 00000000

14 OBJECT_TYPE

kd> dt nt!_OBJECT_TYPE
   +0x000 TypeList                 : _LIST_ENTRY
   +0x008 Name                     : _UNICODE_STRING
   +0x010 DefaultObject            : Ptr32 Void
   +0x014 Index                    : UChar
   +0x018 TotalNumberOfObjects     : Uint4B
   +0x01c TotalNumberOfHandles     : Uint4B
   +0x020 HighWaterNumberOfObjects : Uint4B
   +0x024 HighWaterNumberOfHandles : Uint4B
   +0x028 TypeInfo                 : _OBJECT_TYPE_INITIALIZER
   +0x080 TypeLock                 : _EX_PUSH_LOCK
   +0x084 Key                      : Uint4B
   +0x088 CallbackList             : _LIST_ENTRY

15 Procedures

kd> dt nt!_OBJECT_TYPE_INITIALIZER
   [..]
   +0x030 DumpProcedure        : Ptr32 void
   +0x034 OpenProcedure        : Ptr32 long
   +0x038 CloseProcedure       : Ptr32 void
   +0x03c DeleteProcedure      : Ptr32 void
   +0x040 ParseProcedure       : Ptr32 long
   +0x044 SecurityProcedure    : Ptr32 long
   +0x048 QueryNameProcedure   : Ptr32 long
   +0x04c OkayToCloseProcedure : Ptr32 unsigned char

16 ObTypeIndexTable & Object Type

[Figure] Object Header TypeIndex -> ObTypeIndexTable entry (pointer to OBJECT_TYPE) -> OBJECT_TYPE (pointers to various procedures: the object's dispatch functions)

17 Object Type Index Table (x86)

18 Object Type Index Table (x64)

19 Object metadata corruption (DKOHM)

[Figure] overflow from the preceding chunk -> POOL_HEADER / Optional Headers / OBJECT_HEADER / Object -> ObTypeIndexTable (entries 0x00000000, 0xBAD0B0B0) -> Fake OBJECT_TYPE -> Shellcode

20 Windows 8.1

0xBAD0B0B0 is gone?

21 New idea

- Object data corruption (DKOHM + DKOM)
- Object type confusion

22 Object data corruption (DKOHM + DKOM)

- Set the TypeIndex value to a different object type (object type confusion)
- The Object Manager is fooled (before it was Type A, now it is Type B)
- Craft malicious object data (counters, pointers)
- Invoke system service(s) to trigger access to the malicious object
- Profit

23 Object data corruption (DKOHM + DKOM)

[Figure] Object Header -> ObTypeIndexTable -> FILE OBJECT_TYPE / ALPC OBJECT_TYPE; Object Data

24 Object data corruption (DKOHM+DKOM)

[Figure] Before: Object Header + FILE_OBJECT. After overwrite -> type confusion: Object Header + ALPC_OBJECT (all data is under control). Invoke a system service to trigger access to the object -> different scenarios -> exploit

25 OBJECT_TYPE_INITIALIZER Procedures

   +0x030 DumpProcedure        : (null)
   +0x038 OpenProcedure        : (null)
   +0x040 CloseProcedure       : 0xfffff801`5b913b44 void nt!ObpCloseDirectoryObject+0
   +0x048 DeleteProcedure      : 0xfffff801`5b92743c void nt!ObpDeleteDirectoryObject+0
   +0x050 ParseProcedure       : (null)
   +0x058 SecurityProcedure    : 0xfffff801`5b848e54 long nt!SeDefaultObjectMethod+0
   +0x060 QueryNameProcedure   : (null)
   +0x068 OkayToCloseProcedure : (null)

26 OBJECT_TYPE_INITIALIZER Procedures

   +0x030 DumpProcedure        : (null)
   +0x038 OpenProcedure        : (null)
   +0x040 CloseProcedure       : (null)
   +0x048 DeleteProcedure      : 0xfffff801`5b9250fc void nt!IopDeleteDevice+0
   +0x050 ParseProcedure       : 0xfffff801`5b86dde0 long nt!IopParseDevice+0
   +0x058 SecurityProcedure    : 0xfffff801`5b842028 long nt!IopGetSetSecurityObject+0
   +0x060 QueryNameProcedure   : (null)
   +0x068 OkayToCloseProcedure : (null)

27 Type Confusion

[Figure] Before: Object Header + Event Object (nt!SeDefaultObjectMethod). After overwrite -> type confusion: Object Header + FILE_OBJECT (all data is under control). NtQuerySecurityObject -> nt!IopGetSetSecurityObject -> exploit

28 SecurityProcedure vector

- For most object types: nt!SeDefaultObjectMethod
- WmiGuid object type: nt!WmipSecurityMethod
- File/Device object type: nt!IopGetSetSecurityObject
- Key object type: nt!CmpSecurityMethod

29 nt!IopGetSetSecurityObject

FILE_OBJECT -> DEVICE_OBJECT -> DRIVER_OBJECT -> MAJOR_ROUTINE -> attacker's shellcode

Execution hijack by three consecutive dereferences!!!!

30 nt!IopGetSetSecurityObject

31 nt!IopGetSetSecurityObject chain

0: kd> dt nt!_FILE_OBJECT
   +0x000 Type         : Int2B
   +0x002 Size         : Int2B
   +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT

0: kd> dt nt!_DEVICE_OBJECT
   +0x000 Type           : Int2B
   +0x002 Size           : Uint2B
   +0x004 ReferenceCount : Int4B
   +0x008 DriverObject   : Ptr64 _DRIVER_OBJECT

32 nt!IopGetSetSecurityObject chain

0: kd> dt nt!_DRIVER_OBJECT
   +0x000 Type            : Int2B
   +0x002 Size            : Int2B
   +0x008 DeviceObject    : Ptr64 _DEVICE_OBJECT
   +0x010 Flags           : Uint4B
   +0x018 DriverStart     : Ptr64 Void
   +0x020 DriverSize      : Uint4B
   +0x028 DriverSection   : Ptr64 Void
   +0x030 DriverExtension : Ptr64 _DRIVER_EXTENSION
   +0x038 DriverName      : _UNICODE_STRING
   +0x048 HardwareDatabase: Ptr64 _UNICODE_STRING
   +0x050 FastIoDispatch  : Ptr64 _FAST_IO_DISPATCH
   +0x058 DriverInit      : Ptr64 long
   +0x060 DriverStartIo   : Ptr64 void
   +0x068 DriverUnload    : Ptr64 void
   +0x070 MajorFunction   : [28] Ptr64 long

33 Close/Delete Procedure vector

- Huge number of different execution flows: 56 functions
- Mostly arbitrary memory overwrite
- Some adjacent read/write
- Some hijack of execution flow

34 Other Procedures

DumpProcedure, OpenProcedure, ParseProcedure, QueryNameProcedure, OkayToCloseProcedure are rare; of no interest here

35 Objects body vector (DKOM)

There are several typical OOP interfaces:

- Constructor: NtCreate* (NtCreateFile)
- Destructor: NtClose
- Getter: NtQueryInformation* (NtQueryInformationWorkerFactory)
- Setter: NtSetInformation* (NtSetInformationKey)
- Object Type specific: NtClearEvent, NtAlpcAcceptConnectPort, NtEnumerateValueKey, NtRecoverResourceManager etc.

36 DKOHM+DKOM restrictions

Unfortunately you can't freely use Getter/Setter/Specific when you change the type of an object, because of the ValidAccessMask field:

   +0x010 Name            : _UNICODE_STRING "WindowStation"
   +0x01c ValidAccessMask : 0xf037f

   +0x010 Name            : _UNICODE_STRING "Directory"
   +0x01c ValidAccessMask : 0xf000f

But you can still smash object data without changing the object type

37 DKOHM+DKOM restrictions

Some Object Types have the same ValidAccessMask:

   +0x010 Name            : _UNICODE_STRING "Section"
   +0x01c ValidAccessMask : 0x1f001f

   +0x010 Name            : _UNICODE_STRING "Job"
   +0x01c ValidAccessMask : 0x1f001f

So the technique using Getter/Setter/Specific is possible, but limited

38 Symbolic Link: Getter vector NtQuerySymbolicLinkObject

39 Directory Object: Getter vector NtQueryDirectoryObject

Up to 0x25 arbitrary memory reads

40 WorkerFactory object Getter: NtQueryInformationWorkerFactory

41 WorkerFactory object Setter: NtSetInformationWorkerFactory

42 Redirection to Ring0 Shellcode

Jump to a Ring3 address? Nah, SMEP?

43 SMEP bypass techniques

- ROP: ExAllocatePoolWithTag (NonPagedExec) + memcpy + jmp
- ROP: clear the SMEP flag in CR4
- Jump to executable Ring0 memory (Artem Shishkin's technique)
- Set the Owner flag of the PTE to 0 (MI_PTE_OWNER_KERNEL)

44 Typical Payload in EoP exploits

- Copy the token of the SYSTEM process to the attacker's process
- Basically, it's just copying data from memory address A to address B

45 Data-only PWNING

- We DON'T need to execute external instructions or use ROP
- So it's just manipulation of data and execution of ABSOLUTELY legitimate code (this is NOT ROP/JOP!!!)
- GAME OVER

46 Mitigations

- Hardware perspective
- Microsoft's perspective

47 Hardware perspective

- SMAP prevents dereferencing R3 memory
- It just raises the bar (the attacker has to craft the object(s) in R0 memory)

48 Microsoft's perspective

- OBJECT_HEADER hardening cookie?
- Randomize the TypeIndex of Object Types during boot
- Isolated Pools
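As an added example of what the first two bullets could look like (the editor's own toy model, not Microsoft's implementation; later Windows 10 builds did adopt a cookie-based TypeIndex encoding, but the type table, header address, cookie value and names below are all constructed), the Python below models the slide-16 lookup (OBJECT_HEADER.TypeIndex -> ObTypeIndexTable -> OBJECT_TYPE) in its Windows 8.1 form and in a hardened form, and replays the slide-22 TypeIndex overwrite against both.

```python
import random
from dataclasses import dataclass


class CorruptedHeader(Exception):
    """Stands in for the bugcheck a kernel would raise on a bad OBJECT_HEADER."""


@dataclass
class ObjectType:
    name: str
    index: int                 # mirrors OBJECT_TYPE.Index (+0x014 in the slide-14 dump)
    security_procedure: str    # stand-in for the TypeInfo procedure pointers


def build_table():
    """Constructed ObTypeIndexTable. Slots 0 and 1 are reserved, as in the
    slide-13 dump (0x00000000 and 0xBAD0B0B0); real types start at index 2."""
    return [
        None,
        None,
        ObjectType("Event", 2, "nt!SeDefaultObjectMethod"),
        ObjectType("File", 3, "nt!IopGetSetSecurityObject"),
        ObjectType("Directory", 4, "nt!SeDefaultObjectMethod"),
    ]


OB_TYPE_INDEX_TABLE = build_table()

# Per-boot secret (constructed). A real kernel would draw it from a CSPRNG at boot.
HEADER_COOKIE = 0x5A

# Constructed address of the Event object's header used in the scenario below.
EVENT_HEADER_ADDR = 0xFFFFE00012345678


def encode_type_index(index, header_address, cookie=HEADER_COOKIE):
    """Byte stored in OBJECT_HEADER.TypeIndex under the cookie scheme: the real
    index XORed with the boot cookie and one byte of the header's own address,
    so the stored byte differs per boot and per object."""
    return (index ^ cookie ^ ((header_address >> 8) & 0xFF)) & 0xFF


def lookup_unhardened(stored_index):
    """Windows 7/8.1-style lookup: the stored byte indexes the table directly."""
    if stored_index >= len(OB_TYPE_INDEX_TABLE):
        return None
    return OB_TYPE_INDEX_TABLE[stored_index]


def lookup_hardened(stored_index, header_address, cookie=HEADER_COOKIE):
    """Decode the stored byte and validate it before trusting it."""
    index = (stored_index ^ cookie ^ ((header_address >> 8) & 0xFF)) & 0xFF
    if index >= len(OB_TYPE_INDEX_TABLE) or OB_TYPE_INDEX_TABLE[index] is None:
        raise CorruptedHeader("OBJECT_HEADER at %#x: TypeIndex resolves to no type" % header_address)
    obj_type = OB_TYPE_INDEX_TABLE[index]
    if obj_type.index != index:   # cross-check against the OBJECT_TYPE's own Index field
        raise CorruptedHeader("OBJECT_HEADER at %#x: table/type index mismatch" % header_address)
    return obj_type


def boot_randomize(table, seed):
    """The slide's second idea: permute the type slots at boot (reserved slots
    0 and 1 stay put) and fix up each OBJECT_TYPE.Index to match its new slot.
    The seed stands in for boot-time entropy."""
    types = table[2:]
    random.Random(seed).shuffle(types)
    for position, obj_type in enumerate(types, start=2):
        obj_type.index = position
    table[2:] = types
    return table


def simulate_type_index_overwrite(hardened):
    """Slide-22 scenario: an overflow replaces an Event header's TypeIndex with
    the raw table index of File (3), so that the Object Manager treats the object
    as a FILE_OBJECT. Returns the type name the kernel would resolve, or BUGCHECK."""
    stored = 3
    if not hardened:
        resolved = lookup_unhardened(stored)
        return resolved.name if resolved else "BUGCHECK"
    try:
        return lookup_hardened(stored, EVENT_HEADER_ADDR).name
    except CorruptedHeader:
        return "BUGCHECK"


if __name__ == "__main__":
    stored = encode_type_index(2, EVENT_HEADER_ADDR)
    print("legit Event header stores %#04x, decodes to %s"
          % (stored, lookup_hardened(stored, EVENT_HEADER_ADDR).name))
    print("overwrite, unhardened:", simulate_type_index_overwrite(False))
    print("overwrite, hardened:  ", simulate_type_index_overwrite(True))
```

With the plain lookup the overwritten byte resolves to the File type and the confusion succeeds; with the cookie in place the same byte decodes to a slot outside the table and the kernel bugchecks instead. Both ideas only raise the bar: the cookie must stay secret and the address byte must not be disclosed, and randomizing the table still leaves an attacker who can read one live header able to copy its encoded byte, which is why Isolated Pools (keeping attacker-controlled allocations away from object headers) remains the third bullet.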

49 Conclusion

50 Heapsprays are for the 99%

WTFuzz aka Peter Vreugdenhil

51 ROPs are for the 99%

Tombkeeper aka Yang Yu

52 Code execution is for the 99%

Nikita Tarakanov

53 Q&A

54 References

- Tarjei Mandt, BH US 2012
- Nikita Tarakanov, HITB AMS 2013

http://900igr.net/prezentacija/anglijskij-jazyk/data-only-pwning-microsoft-windows-kernel-exploitation-of-kernel-pool-overflows-on-microsoft-windows-8.1-158386.html