SecurIMAG 2011-11-17 FROM BROWSER TO KERNEL EXPLOITATION · 2011. 11. 21. · Java is also known as...

FROM BROWSER TO KERNEL EXPLOITATIONFROM BROWSER TO KERNEL EXPLOITATION… … or how to do it like an APT from your bunkeror how to do it like an APT from your bunker

By teach By teach UFR IMAG – Computer science and Applied MathematicsUFR IMAG – Computer science and Applied Mathematics

[email protected]@vxhell.org or or [email protected]@e.ujf-grenoble.fr« Im in ur br0wser, overflowin' ur kern3l ... »« Im in ur br0wser, overflowin' ur kern3l ... »

SecurIMAG2011-11-17

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!

Grenoble INPEnsimag

mailto:[email protected]:[email protected]://ensiwiki.ensimag.fr/index.php/Club_Securite_SecurIMAGhttp://www.ensimag.fr/

Agenda

2 SecurIMAG – From Browser to Kernel Exploitation - teach – 11/17/2011

● The rise of the client-side threat● Advances in server side userland applications security● Advances in kernel hacking

● Browser Security● The Browser Attack Surface● Browser Bugs● Plugins Bugs

● Kernel Security● Kernel Attack Surface● Kernel Bug Classes

Agenda (end)


● Case Study : Remote root access through cascading exploitation

● Goals● Understanding CVE-2010-0094● CVE-2010-0094 exploitation● Understanding CVE-2010-3081● CVE-2010-3081 exploitation

● Demo !

Question


Over the last few years, why every basement dwellers started looking for client side vulnerabilities ?

Client-side vulnerabilities threat


● Server side applications are more and more robust ● Network daemons developers are getting aware of good coding

practices ● Network admins put everything behind firewalls with strict rules● Operating Systems and compilers are enforcing critical applications

security– Non executable data, full ASLR– GCC SSP, SafeSEH (windows specific)– Heap management structures protection

…● Due to their high value, remote holes and reliable exploits in setuid root

programs are much sought after as the last sex tape of Kim Kardashian



Basically if you were planning to

$ grep -R strcpy /usr/src/sendmail

then probably



● On the other hand kernel level vulnerabilities and browser exploits are more and more common

● Why ?● Computer security researchers, hackers and cyber-criminals a.k.a '17

years old bored boyscouts' know that if you can't directly compromise a system, then you better hack into someone else computer which has legitimate access to it !

● Browsers represent an insanely large codebase with tons of vulnerabilities yet to be found

● Now we know that kernel code isn't a crazy giant beast where only 40+ years old system developers should look at



● So, this is the typical APT™ attack scenario : ● You want to impress your girlfriend and be cool and sexy ? Then hack

into her brother's computer remotely :– Prepare your latest Internet Explorer or Firefox 0day

If you don't have one, don't start crying, i got some nice things for you in the next slides

– Bundle it with another kernel privilege escalation 0day, which drops your favorite APT cyber walfare toolkit arsenal : poisonIvy, Zeus, mood-nt …

– Send him a mail containing « Hey ! Checkout this amazing news talking about naked photos of Rihanna » alongside with a link pointing to http://yourbasement.com/yourexploit.html

– Wait him to click – ???– PROFIT !



● But everyone knows that the fact of impressing girls with your computer hacking skills is a myth

● And if the girl is smart enough she will soon realize that if you can break into her brother's computer, nothing avoids you for doing the same to her :)

● So a real life scenario would be :● Go back to the previous steps and replace « her brother » by « a stupid

bureaucrat or developer working for a large compagny »● After gaining access to his computer, exfiltrate every single file you can then

sell them (and the access) in the black market for mass $$$● Buy the girl the latest and expansive Apple Isomething with the money ● Repeat for more awesomeness :)

● Now you should probably laugh at all the news on tv about the « amazingly skilled and awesome cyber-criminals »



Now lets get to the important and challenging technical stuff

Browser Security


● Browsers as any other piece of software are subject to bugs and security vulnerabilities

● The browser-specific case is even more critical because ● People doesn't think in general that a compromise of their browser

could lead to their total computer compromission● Security is not at all about avoiding the execution of untrusted code but

also avoiding executing trusted code with untrusted data or if this is not applicable, at least try to securely compute unstrusted data with trusted code

● Looking at it more closely, the browser is also executing (sometimes securely, sometimes not) untrusted code

Browser Security


The Attack Surface

Browser Security - The Attack Surface


● The first and obviously large attack surface considering web browsers is the code responsible of processing / rendering web content

● It's insanely big in order to support all kind of weirdness web site developers could write

● Poorly written for more efficacity / readability / simplicity● Keep in mind that processing and executing javascript efficiently is

hard● We are in 2011 and now your browser embedds a compiler ... Deal with it ! [*]

● Often, simple recursion in web pages can bring havoc into your browser memory

– See Browser Bugs[*] http://hacks.mozilla.org/2010/01/javascript-speedups-in-firefox-3-6/



● Another large attack surface is third parties plugins or additional third parties code also known as Activex in the Microsoft world

● Plugins like Adobe Flash Player are complex as hell● We are in 2011 and your flash plugin embedds a just in time compiler as well

… Deal with it ! [1]● Flash plugin is present on +90% of personal computers according to adobe [2]● I once heard that a big source of suicide in major compagnies is due to IT guys

failing over and over again at deploying patches and updates for adobe products … true story.

● Java is also known as the worst of all evils[1] http://semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

[2] http://www.adobe.com/products/flashplatformruntimes/statistics.html

http://semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf



Put everything together : an average user may have at least 3 different plugins running at the same time in the

browser

Browser Security – Browser Bugs


● Browser Bugs



● Bugs in the core componment of a browser are mostly due to an incorrect parsing of web pages.

● Due to the dynamic nature of web page processing, these bugs mostly lead to some kind of memory corruption on the heap

● Here are some bug classes related to browsers :



Use-after-free● Probably the most frequent bugs this last years● An object used in two or more componments (or part of

the code), is freed somewhere in one componment while the others are still using the same object or a reference to it.

● As a result, the others componments are using a freed memory, possibly reading it like valid memory or at worst writing values in it.

● Exploitation heavily depends on the ability to control heap chunk reallocation



Use-after-free● Exemple : MS11-050 CObjectElement Use After Free in

mshtml.dll – Make a web page with an invalid tag (without codebase ...)– Add other elements on the page– Use css to position the other elements on top of the element– Since the is invalid the CObjectElement gets freed – But another object called CDisplay is still holding a reference to the freed

CobjectElement.– After the element gets freed, the browser then tries to do some

recalculatation in the layout and ends calling a function in the CDisplay object which after some more voodoo call CElement::Doc passing it the reference to the freed object ...



Integer overflow – Integer signedness issues ● Integers overflow occurs when in the code, after some integer arithmetics

an overflow occurs with the result wrapping zero around with the code not handling that case

● Signedness issues are when somewhere in the code the browser is misguided and use an signed integer as an unsigned one or vice-versa

● Think about is as



● Some bugs leading to memory corruption are caused when browsers code needs to deal with some nasty recursion or complex race condition. Sometimes it just leads to an EPIC FAIL

● MS11-003 : Internet Explorer CSS Recursive Import Use After Free



● Some browser bugs aren't leading to memory corruption at all.● They are sometimes just put there by developers to serve a

purpose, but can lead to a serious mess regarding security● In some closed circles, they are often called 'features' :)

● Exemple : Until a couple of weeks ago, Mac OS X Safari allowed remote web page to launch programs present in the computer through file:/// type URLs !

● Exploiting this remotely is left as an exercise

file:///../

Browser Security – Plugins Bugs


Plugins Bugs



● Plugins are much more like any other kind of program● They take some input, compute it, render a result within

the browser● Most of public plugins take as input a file. This file can

contain among others thing precompiled bytecode designed to be parsed then transformed into the target machine code before being executed (Flash swf, java applets …)

● Basic security requires that the bytecode when computed into machine code must not do anything harmful



● Nasty things can happen here at 3 places :

(1) The code responsible for parsing the file can be vulnerable(2) By design the algorithm ensuring that the machine code runs indeed inside a restricted environment can be flawed and thus bypassed(3) The code responsible for verifying the bytecode and generate correct machine code can be buggy and/or tricked



● We won't discuss about (1) since it's much like a classic browser memory corruption

● (2) will be our case study :)● The ActionScript Virtual Machine atom confusion class

of vulnerabilities is a real world example of (3)



● CVE-2011-0611

● Atom Confusion happens because the Date class has been extended by adding the function confuse() which calls the method getSize() of the class SharedObject

● What results is that when getDay() gets called, it calls confuse() which ends calling SharedObject.prototype.getSize()



● The problem here is that the ActionScript Virtual Machine when generating machine code for the getSize() call expect to find in the stack an object of the SharedObject type ( getSize() is a method of the class SharedObject)

● But instead we managed to call getSize() from a Date object, so it's a Date object which is actually on the stack

● Memory corruption occurs because the generated machine code tries to call a pointer (at 0xc) in the vtable of SharedObject but instead the code is referencing the memory where a Date object resides …

● … and specially the '1.6809522584e-314' double precision float is represented as 0xCACAC0C0 in memory :)

Kernel Security


● The Attack Surface

Kernel Security – The attack Surface


● Due to complex interactions with userland, the kernel is also subject to many vulnerabilities

● History shows that system call handlers was among the first part being audited for vulnerabilites

● There is more than 300 syscalls in linux [*]● In the beginning of the 2000s there was some trivially spottable buffer

overflows in some system call handlers– Yes the ones you can spot with grep

● IOCTLs are also legion● Interruption handling, memory management, network

protocols stack implementation …[*] take a look at /usr/include/i386-linux-gnu/asm/unistd_32.h



● An operating system worth the name must support a lot of filesystems

● Their implementation is another valid and big attack surface

● All kernels have some obscure parts dealing with low level stuffs like specific hardware features, complex algorithms related to binary format loaders …

● But you really must have badass skills to pretend audit these parts

● High level design choices in the implementation● Yes, the ones your advanced automated static analysis scripts won't

find



Drivers● Commonly simply called HELL● Written in many cases by a drunk guy at 3am for a

device _nobody_ ever heard about and/or use● Gets shipped with the kernel ● In the case of some network drivers you can manage to

get them loaded automatically by the kernel from an unprivileged account by simply opening a socket for the protocol family the driver implements

● Then you gets crappy code running in ring0 waiting to get subverted

Kernel Security


Kernel Vulnerabilities

Kernel Security – Kernel Vulnerabilities


● Well established fact that kernels are prone to security vulnerabilities● Beside standard insecure programming errors, there are also insanely

complex bugs none here ever heard about● Complex race conditions leading to privilege escalation, cache desynchronisation,

processor bugs …● Some polish researchers at isec.pl discovered some of the most advanced Linux

kernel vulnerabilities between 2003 and 2007 :● The do_mremap VMA limit and the i386 SMP page fault handler race condition

privilege escalation are worth a word● Last year Tavis Ormandy disclosed the most complex bug i've ever seen : the

NtVdmControl()->KiTrap0d privilege escalation● These bugs most of the time lead to the developpement of purely awesome exploits

● Let's stay humble and focus on some more common ones :)



Kernel level stack buffer overflows● Happens when kernel copy data (generally under user control) into

a local kernel stack variable without proper bound checks● See Linux Kernel perf_counter_open stack buffer overflow

vulnerability as an example (CVE 2009-3234)● Exploitation is trivial : put your kernel payload somewhere in

userland, overwrite the kernel return address with the location of your payload → your payload gets exec with ring0 privileges

● Take care of not overwriting stuff used before the function returns or prepare to face kernel panic

● Properly exit from the ring0 to ring3● Notes on kernel payloads and ring0 → ring3 using the iret technique later



Invalid userland pointer dereference● The infamous kernel NULL pointer dereferences are a subclass of

this bug class● Wasn't considered as a security vulnerability until recently (~2006)

● Probably the first public exploit released by spender back in 2007

● Happens when the kernel incorrectly dereference a pointer landing in userland but assuming it as a valid kernel pointer

● The kernel could assume that the pointer is referencing either data or code (fptrs)

● In both cases exploitation is trivial if you are able to trigger the bug



Kernel use-after-free / double free / dangling pointers● Similar to the userland version of this bugs● The effect is mostly memory corruption somehow

related to kernel heap ● Exploiting them is all about finding a way to reallocate

the memory freed (or the memory pointed by the dangling pointer) and populate it with controlled data before the kernel re-use itbefore the kernel re-use it

● Double frees are a special case needing further Double frees are a special case needing further research in exploitation actually :)research in exploitation actually :)



And many many many info leaks …And many many many info leaks …So i heard you like slides ...So i heard you like slides ...

Case Study


Case Study

Remote root access through cascading exploitation

Case Study - Goals


● We are at the beginning of last year, our target is a remote x64 linux desktop station

● Our only assumption is that we can manage to get the target on a web site we control

● Our goal is to gain root access remotely by defeating aslr, nx, -pie …

● We have no way to get further intelligence about the target machine browser address space (no info leak)

● … and no we aren't trying to win Pwn2Own

Case Study - ZDI-10-051 / CVE-2010-0094


Understanding ZDI-10-051 / CVE-2010-0094

From http://www.zerodayinitiative.com/advisories/ZDI-10-051/



● Sold by Sami Koivu to ZDI, disclosed on April 2010● Yet another instance of the so-called « Java Privilegied

Deserialization vulnerability »● PHP developpers are now aware (or not?) that

unserializing user input without proper validation is a serious design security vulnerability

● Remote users could serialize a custom object and send it to the application

● In php when a object gets unserialized, __wakeup is automatically called

● To win, one simply needs to implement a class which spawns a remote shell in the __wakeup method, serialize an instance of it and send it to the vulnerable web app



● The Java Runtime runs java applets in a secure sandbox, effectively avoiding unsigned/unauthorized applets to access the entire filesystem

● The problem is that the JRE needs sometimes to deserialize some objects at a privilegied level regarding the rest of the code it is running

● In the specific case of ZDI-10-051, in javax.management.remote.rmi.RMIConnectionImpl the private method unwrap, called from the public method createMBean, does a privileged deserialization of an object array serialized inside a MarshalledObject

● MarshalledObjects contain serialized objects represented as a byte stream● MarshalledObject.get() method returns a deserialized copy of the aforementionned

object



– This is what leads to the vulnerability

● From src/javax/management/remote/rmi/RMIConnectionImp.java



Exploitation



● Exploiting java privilegied deserialization mainly consist in crafting a custom serialized input which when deserialized could allow to escape from the sandbox

● Both Julien Tinnes and Sami Koivu accorded to the fact that the ClassLoader class is the best choice out of many● Applets can't normally instanciate classes with a protection domain

granting java.security.AllPermission● Since the deserialization occurs in a privilegied context, if we manage to

send as input a ClassLoader subclass, when deserialized, the readObject() method of this subclass is called

● In the readObject() method we can affect the instance of this subclass running in a privilegied context to a static variable within the class so that even at the end of the deserialization processus we still have a reference to it and it's not get freed by the jvm



● In ZDI-10-051 specific case, to trigger the bug :● We must first of all declare a MarshalledObject containing our

serialized ClassLoader ● Then we call the public method createMBean with our loader name and

the MarshalledObject as parameters – As stated before, in createMBean the private method unwrap is called which

does the deserialization stuff– After our ClassLoader subclass is deserialized an exception is throwed since

unwrap expects to deserialize an object array and instead ends up with a ClassLoader object

– But it doesn't matter since we still have an instance of our shiny ClassLoader in a static variable

– We catch the exception in our applet then call a method in our classloader through the instance we've got (ie : Loader.globalInstance.method() ) : this instance runs in a privilegied context, which means we can grant ourself any permissions in this method and then load and execute java classes outside the sandbox



In our applet



How do we generate the serialized input ? MakePayload.java



Our loadClass method load the class Escape from the Scotfield's package in order to execute our payload which automatically download then execute

a kernel local root exploit



● We intentionnally didn't mention certains things in order to keep this presentation simple

● The overall exploit is quitte complex and uses many parts from reverse engineered exploits. Ours is about :● 4 java source files + 1 html + 1 python source for

the httpd ● 6 java classes ● 530 lines of code



● So in the end we are executing code outside the java sandbox

● The payload is in our case written entirely in java which means :

● It execs anywere where there is a java virtual machine

● It does bypass any memory corruption exploit mitigation implemented in the browser and java because we are exploiting a design vulnerability and the payload is being executed by the jvm like normal java classes.

Case Study - CVE-2010-3081

54

● Understanding CVE-2010-3081http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081

Redhat Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=634457

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3081



● Introduced in 2008 by this patch : http://marc.info/?l=linux-netdev&m=120936134900789

● Independantly spotted in September 2010 by Ben Hawkes● The root cause of the bug is an integer underflow resulting after

the substraction of a value from a user process stack pointer value in the function arch_compat_alloc_user_space(long len)

From linux-2.6.35/arch/x86/include/asm/compat.h

http://marc.info/?l=linux-netdev&m=120936134900789



● The vulnerable function purpose is to allocate memory in a process address space (on the stack)

● It used in linux ia32 compatibility layer which allows 32 bits applications to runs in 64bits systems with an enabled kernel

● The problem is that a process have control over the value of the stack pointer

● And under certains circumstances, as spotted by Ben Hawkes the 'len' could also by controlled

● With carefully choosen values, the function can return a pointer landing in kernel land



● Memory corruption occurs later if kernel code tries to write to this area

● The attack vector pointed out by Mr Hawkes was the compat_mc_getsockopt function in net/compat.c with MCAST_MSFILTER as optname

● This function implements the compatibility syscall for sys_getsockopt● A check is done ensuring that the gf32 struct passed as the optval

pointer is landing effectively in userland as well as optlen but no check for the pointer returned by compat_alloc_user_space

● Then the user controlled struct gf32 is copied to the address pointed by kgf



From linux-2.6.35/net/compat.c



Exploitation



● CVE-2010-3081 basically allows to have a primitive to write an arbitrary 4 bytes value into kernel address space

– The target must be writable of course● Writing exactly WHAT we want WHERE we want

involves doing precise and surgical strikes :– Our exploit set esp to 0x00407350– Set optlen to (esp – target – 0x08)– Set optval to a gf32 struct populated by the 4

bytes value we want to write



● Finally, call the socketcall syscall to invoke sys_getsockopt ● don't forget to mmap the page where the new stack is switched

otherwise the kernel will pagefault before writing to our target● What happens next :

● task_pt_regs(current)->sp = 0x00407350● klen = *optlen = (esp – target – 0x8)● The kernel exec kgf = compat_alloc_user_space(klen+sizeof(long))● klen + 0x8 = (esp – target – 0x8) + 0x8 = esp – target● So we ends up with kgf = task_pt_regs(current)->sp – (esp – target)● Which equals to : kgf = target !!



So, what should we target ?



● Unused system call handlers● Interruptions handlers● Various structures containing functions pointers :

● Linux Security Modules, ...

● We decided to target INTO interruption handler ● On some configurations it might be impossible to gather informations about

syscall handlers location as well as symbols regarding fptrs● The SIDT instruction allows to retrieve the IDT location. We just need to

compute INTO handler address from the IDT base



64bits Interrupt descriptors



We have only a write4 primitive, but we can write multiple times



● Now that we can redirect kernel execution flow, final step is to elevate our process privileges

● Each process has a pointer to a task struct located at the bottom of the kernel stack

● The task struct contains depending on kernel versions the uid,gid or credentials under which the process is running

● To get the process task struct once we got ring0 code execution :

task_struct = *(KSTACK_POINTER & ~(THREAD_SIZE – 1) )● From there we just need to scan the task struct, find our uids or cred

then set them 0 i.e root



● Last note before the demo :● Regarding the kernel payload

– In order to be run in ia32 compatibility mode our exploit must be compiled as a 32bits executable

– But the kernel runs in 64bits, so the payload must be 64bits code– It's impossible to mix natively 32bits and 64bits C code, or to link a 32bits bin with a

64bits lib– The trick to include 64bits code in our exploit in to compile our payload in 64bits as

position independent code, disassemble it, extract opcodes and include them in the exploit as a shellcode blob. We have written a tool for that purpose

– We just need to manually replace the last 'leave; ret' instructions opcodes by 'iretq'● Fortunately, we dont need to setup the stack properly before executing iret

– The userland return address, code segments selectors, eflags and stack pointer values are already on the stack

Challenge succeeded !

From browser to kernel land


Demo !



Bonus :)



Questions … ?

Diapo 1Diapo 2Diapo 3Diapo 4Diapo 5Diapo 6Diapo 7Diapo 8Diapo 9Diapo 10Diapo 11Diapo 12Diapo 13Diapo 14Diapo 15Diapo 16Diapo 17Diapo 18Diapo 19Diapo 20Diapo 21Diapo 22Diapo 23Diapo 24Diapo 25Diapo 26Diapo 27Diapo 28Diapo 29Diapo 30Diapo 31Diapo 32Diapo 33Diapo 34Diapo 35Diapo 36Diapo 37Diapo 38Diapo 39Diapo 40Diapo 41Diapo 42Diapo 43Diapo 44Diapo 45Diapo 46Diapo 47Diapo 48Diapo 49Diapo 50Diapo 51Diapo 52Diapo 53Diapo 54Diapo 55Diapo 56Diapo 57Diapo 58Diapo 59Diapo 60Diapo 61Diapo 62Diapo 63Diapo 64Diapo 65Diapo 66Diapo 67Diapo 68Diapo 69Diapo 70

SecurIMAG 2011-11-17 FROM BROWSER TO KERNEL EXPLOITATION · 2011. 11. 21. · Java is also known as...

Documents

Transcript of SecurIMAG 2011-11-17 FROM BROWSER TO KERNEL EXPLOITATION · 2011. 11. 21. · Java is also known as...