Vulnerability design patterns

Posted on 12-Jul-2015


Transcript of Vulnerability design patterns

Vulnerability design

PATTERNS

case: Kernel mode

PAST

Environment for exploitation

Simple ioctl

W^X, NX, KASLR, Hardened Pool, SMEP, SMAP

Why kernel exploitation

Full control of system

Simple exploitation

Simple bugs

KERNEL ESCAPE

few lines of code, simple, effective – for that time

Modified sample from: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb

EVOLUTION

Exploitation hierarchy

User

Elevated user

(admin / root)

supervisor

Past exploitation shortcut

User

Elevated user

(admin / root)

supervisor

Present (+-) & Future : Step by step

User

Elevated user (admin / root)

Supervisor

• DEP, ASLR, SEHOP, ProtectedFree, Isolated Heap, CFG, Virtual Table Guards, EMET...

• sandbox, SELinux and alikes

• KASLR, SMEP, SMAP, ..

Why kernel escape

• Going to be more and more difficult, but ...

• still .. sometimes easier .. shortcut

• Natural bypass of SELinux

• Full control (cpl0 > cpl3)

• for now not considering cpl -1, ...

exploitation ==> developing

• In the past it was very easy to elevate privileges

• Now everything is fast moving

• You need to adapt to all changes & diversity

• Things are getting more complex

• Your exploitation code is expanding dramatically

• Every change can break your black-box

• + The process of exploitation needs more than an ioctl

• Race conditions, complex mechanism break (ttf), sandbox escapes ...

VULNERABILITY DESIGN PATTERNS

kernel case

selected vulnerability classes

• Out Of Boundary

• Basic types Over/Under flows

• Stack overflows

• Buffer overflows

• nullptr writes

• Race conditions – not generic, but ...

• may create another bug from the group above
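The last bullet, that a race condition can manufacture one of the memory-safety bugs listed above, is easiest to see in a double fetch: a user-controlled length is validated on one read and used on a second read, and a concurrent writer changes it in between. The C below is an added illustration, not code from the deck or from any real driver; the request layout, `MAX_LEN`, the function names and the hook that stands in for a concurrent writer are constructed assumptions. It places the check-then-refetch pattern beside the single-fetch fix that reads the length exactly once, and returns the length that would be used instead of touching memory, so the defect is observable without corrupting anything.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a request that lives in memory the caller can keep
 * modifying while the handler runs (think of a shared mapping). The
 * concurrent writer is modelled as a hook invoked between the two fetches
 * so the race is reproducible; all names and sizes are assumptions. */
#define MAX_LEN 64

struct shared_req {
    size_t len;
    unsigned char data[256];
};

typedef void (*between_fetches_fn)(volatile struct shared_req *req);

/* Double-fetch pattern (the defect): len is checked on the first read and
 * used on the second. Returns the length that would be copied, or -1 if
 * rejected, so the mismatch can be observed without an out-of-bounds copy. */
long handle_double_fetch(volatile struct shared_req *req,
                         between_fetches_fn writer)
{
    if (req->len > MAX_LEN)          /* fetch #1: the check */
        return -1;
    if (writer)
        writer(req);                 /* window in which req may change */
    return (long)req->len;           /* fetch #2: the value actually used */
}

/* Single-fetch pattern (the fix): snapshot the length once into handler-
 * private storage, then check and use only the snapshot. */
long handle_single_fetch(volatile struct shared_req *req,
                         between_fetches_fn writer, unsigned char *out)
{
    size_t len = req->len;           /* fetched exactly once */
    if (len > MAX_LEN)
        return -1;
    if (writer)
        writer(req);                 /* later changes cannot affect len */
    for (size_t i = 0; i < len; i++)
        out[i] = req->data[i];
    return (long)len;
}

/* Stand-in for a concurrent writer that enlarges len after the check. */
void grow_len(volatile struct shared_req *req)
{
    req->len = 4096;
}

int main(void)
{
    struct shared_req r;
    unsigned char out[MAX_LEN];
    memset(&r, 0, sizeof r);

    r.len = 16;
    printf("double fetch: checked 16, used %ld\n",
           handle_double_fetch(&r, grow_len));     /* 4096 slips through */
    r.len = 16;
    printf("single fetch: used %ld\n",
           handle_single_fetch(&r, grow_len, out)); /* stays 16 */
    return 0;
}
```

The fix is the same one the kernel's copy-from-user discipline enforces: copy the header into private memory once, validate the copy, and never re-read the shared original afterwards.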

Out Of Boundary

Simple, mighty, generic

OOB

• Read

• Write

• SMAP – a limitation, but it does not eliminate OOB

• GENERIC approach

Basic type Over/Under-flow

Generic, simple and useful when it comes to aligned rw
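The two slides above (Out Of Boundary and Basic type Over/Under-flow) describe a single pattern from the reviewer's side: an unchecked `offset + len` that wraps, so a bounds check passes and the following copy lands outside the buffer. The C below is an added example, not code from the deck or from any real driver; the buffer size, request layout and function names are assumptions. It shows the wrapping check beside a checked form that never computes a sum or difference that can overflow or underflow, and a handler that uses the checked form.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a fixed kernel-side buffer and a user-controlled
 * request {offset, len} asking to write into it. Sizes and names are
 * assumptions for illustration only. */
#define BUF_SIZE 256

struct request {
    size_t offset;
    size_t len;
};

/* Vulnerable pattern: offset + len is computed in size_t and wraps, so a
 * huge offset paired with a matching len compares as "in bounds". This is
 * the basic-type overflow that turns into an out-of-bounds write. */
int range_ok_naive(size_t offset, size_t len, size_t buf_size)
{
    return offset + len <= buf_size;
}

/* Hardened check: compare each operand on its own. len <= buf_size is
 * established first, so buf_size - len cannot underflow, and no sum is
 * ever formed from attacker-controlled values. */
int range_ok_checked(size_t offset, size_t len, size_t buf_size)
{
    if (len > buf_size)
        return 0;
    if (offset > buf_size - len)
        return 0;
    return 1;
}

/* Handler built on the checked form. Returns bytes written, or -1 when the
 * request is rejected, so the decision is visible to a caller or a test. */
long handle_write(unsigned char *buf, size_t buf_size,
                  const struct request *req, const unsigned char *src)
{
    if (!range_ok_checked(req->offset, req->len, buf_size))
        return -1;
    memcpy(buf + req->offset, src, req->len);
    return (long)req->len;
}

int main(void)
{
    unsigned char buf[BUF_SIZE] = {0};
    unsigned char payload[16];
    memset(payload, 0x41, sizeof payload);           /* constructed data */

    struct request good = { 8, 16 };
    /* Wrap-around request: offset + len == 0 after the size_t wrap. */
    struct request wrap = { SIZE_MAX - 15, 16 };

    printf("naive accepts wrap request:   %d\n",
           range_ok_naive(wrap.offset, wrap.len, BUF_SIZE));    /* 1 */
    printf("checked accepts wrap request: %d\n",
           range_ok_checked(wrap.offset, wrap.len, BUF_SIZE));  /* 0 */
    printf("good write: %ld bytes\n", handle_write(buf, BUF_SIZE, &good, payload));
    printf("wrap write: %ld\n", handle_write(buf, BUF_SIZE, &wrap, payload));
    return 0;
}
```

When reviewing ioctl-style handlers, the thing to grep for is any comparison whose left-hand side is an arithmetic expression over user-supplied integers; rewriting it into the two single-operand comparisons above removes the wrap without changing the accepted range.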

Stack Overflow

sometimes protected, sometimes not .. local vars ?

.. depends on compilation ..

Stack overview

• Local vars

• canaries

• Protect ret & args

• ... sometimes ... missing

• UNprotected inner calls ?

• Arg in main func preserved in register

• Inner call invoked, register may be pushed onto the stack

• Rewrite arg (or directly ret) on stack in inner call

• Return to main func with altered arg (in register)

• Can help more than it seems ;)

• Controlled copy or overwrite saves your day

Buffer Overflow

Common case, can also be a byproduct; heap hardening can be a problem

Buffer overview

• Windows kernel pool, SLUB

• not so predictable anymore

• but still far from not-predictable at some level

• kmalloc

• targeted kmalloc from user mode ?

• not as hard as it may seem

• help with predictability

• Pool spray

• thread, process, pipe, socket ...

• caches (linux)

• can be a problem for precise pool layout, but can be solved

nullptr pwn

spray, write, pwn .. 64-bit: a bit more effort ...

user part of cake

Pool spray

kmalloc

Pipes

Threads, Locks

ret2dir

Kernel IO

kernel pool

pipes, threads .. kmalloc .. spray

Kernel IO

If doable, then almighty ...

workers, locks, helpers

a lot of common issues per vuln task

CODING STYLE MATTERS

Elevation of Privileges

USER

• Find nt!_eprocess / thread_info

• Patch credentials

• Bypass ACL policy

• Reverse engineer per policy

• Implement

• Keep up to date

• Good if it does not change frequently .. not the case here

KERNEL

• Elevate process

• Grant access to important operations (callbacks)

• File access

• Process access

• Registry access

• Network

• How effective without framework ?

Kernel part of cake

• Boosting privs

• Why patching ?

• Recognize and grant access instead

• No LKM ? Are you sure ?

• Kernel exploitation may be equal to enabling LKM

CC-shellcoding framework

• developing instead of shellcoding ?

• C++, boost, std ?

• Loading your own kernel modules ?

https://github.com/k33nteam/cc-shellcoding

more info: http://www.k33nteam.org/blog.htm

CC-SHELLCODING

@KEENTEAM

2014 - $500,000

2015 - $??????? Pick a device, name your own challenge!

We are hiring! Kernel & app sec

A LOT of research

mobile, pc

M$, android, OSX ..

Thank You! Q & A

@K33nTeam