
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark


Published on CanSecWest2017


  1. Win32k Dark Composition: Attacking the Shadow Part of the Graphic Subsystem. @360Vulcan Team, Peng Qiu (@pgboy), SheFang Zhong (@zhong_sf)
  2. About Us: members of the 360 Vulcan team, Windows kernel security researchers. Pwn2Own winners 2016 (pwned Chrome and Flash at Pwn2Own 2016); PwnFest winners 2016 (pwned Edge and Flash at PwnFest 2016); Pwn2Own winners 2015 (pwned IE at Pwn2Own 2015).
  3. Agenda: Direct Composition overview; 0day & exploitation; fuzzing; mitigation & bypass.
  4. Direct Composition Overview
     •  High-performance bitmap composition graphic engine with transforms, effects and animations
     •  Introduced in Windows 8
     •  Works on top of DWM (Desktop Window Manager)
  5. Direct Composition Architecture (diagram). Userland: dwmcore, dcomp, ... Kernel: DirectComposition, containing CApplicationChannel and visuals such as CExpressionMarshaler, CFilterEffectMarshaler, CScaleTransformMarshaler, ...; DWM (Desktop Window Manager) and DXGK (DirectX graphics kernel). The diagram's edges are labelled "submit" and "call".
  6. Significant changes since Win10 RS1
     •  Kernel implementation changed
     •  Interfaces changed: lots of interfaces removed (10+?); lots of functions rewritten, not just vulnerability fixes; some interfaces added, e.g.:
  7. Before Win10 RS1 the functions existed independently, and some were in the win32k filter table. Since Win10 RS1 all are included in a single function (named on the slide), and this function is out of the win32k filter list.
  8. Why attack DirectComposition?
     •  Reachable from AppContainer and outside the win32k filter
     •  This part is implemented in C++ in the kernel
     •  Introduced in Windows 8, and not a focus of other researchers so far, as far as we know!
  9. Important functions
  10. Channel Object
     •  Known as the Device Object in the user-mode interface
     •  Owner of resources; used to create resources
     •  pArgSectionBaseMapInProcess returns the batch buffer we need later
  11. Resource Object
     •  Known as a visual in the user-mode interface
     •  Similar to a win32k surface
     •  It has a lot of types: CScaleTransformMarshaler, CTranslateTransformMarshaler, CRectangleClipMarshaler, CBaseClipMarshaler, CSharedSectionMarshaler, CMatrixTransformMarshaler, CMatrixTransform3DMarshaler, CShadowEffectMarshaler, ...
  12. Batch Buffer
     •  Associated with a channel
     •  Returned from NtDCompositionCreateChannel
     •  Parsed by NtDCompositionProcessChannelBatchBuffer
     •  This function supports a lot of commands
  13. How to fuzz
  14. By default each function's probability is 1; we increase those functions' probability to 100.
  15. •  They need a channel: we give them one.
     •  They need a resource: we give them one.
     •  If we do not know what they want, we give them a random one.
  16. 0day & Exploitation
  17. Resource double free (CVE-2017-XXXX)
  18. Root cause: freeing the resource (visual)'s property buffer forgets to clear resource->DataBuffer, so the same buffer is freed again when the resource itself is freed. First free (code on slide).
  19. Second free (code on slide).
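The bug pattern on slides 18 and 19, modelled as an added C example (not win32k code and not the authors' code): a resource whose property payload lives in a separately allocated DataBuffer, a property handler that frees that payload, and a destructor that later frees whatever DataBuffer still points at. The struct layout, the function names and the tracking allocator are constructed for the illustration; the tracker refuses a second free of the same block and counts it, so the vulnerable handler and the fixed one (pointer cleared together with the free) can be compared without corrupting the heap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the object on the slide (not win32k code): a resource
 * whose property payload is a separately allocated buffer. */
struct resource {
    void  *DataBuffer;   /* property buffer, released by the property handler */
    size_t DataSize;
};

/* Tiny double-free detector: remembers live allocations, and when asked to
 * free a block that is no longer live it counts the attempt instead of
 * handing the pointer to free() a second time. */
#define MAX_LIVE 16
static uintptr_t live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p == NULL) abort();
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == 0) { live[i] = (uintptr_t)p; return p; }
    abort();                                 /* table full: not expected here */
}

static void tracked_free(void *p) {
    if (p == NULL) return;                   /* free(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == (uintptr_t)p) { live[i] = 0; free(p); return; }
    double_frees++;                          /* second free of the same block */
}

/* Vulnerable handler: releases the payload but leaves the pointer behind. */
static void free_property_buffer_vuln(struct resource *r) {
    tracked_free(r->DataBuffer);
    /* BUG: r->DataBuffer still references freed memory */
}

/* Fixed handler: pointer and size are cleared together with the free. */
static void free_property_buffer_fixed(struct resource *r) {
    tracked_free(r->DataBuffer);
    r->DataBuffer = NULL;
    r->DataSize = 0;
}

/* Resource destructor: releases whatever DataBuffer still references, then
 * the resource itself. With a dangling DataBuffer this is the second free. */
static void destroy_resource(struct resource *r) {
    tracked_free(r->DataBuffer);
    r->DataBuffer = NULL;
    tracked_free(r);
}

/* Runs free-property-then-destroy with the given handler and returns the
 * number of double frees the tracker caught. */
static int run_sequence(void (*free_prop)(struct resource *)) {
    double_frees = 0;
    memset(live, 0, sizeof live);
    struct resource *r = tracked_alloc(sizeof *r);
    r->DataBuffer = tracked_alloc(64);
    r->DataSize = 64;
    free_prop(r);          /* property buffer released, e.g. on a property update */
    destroy_resource(r);   /* resource released later */
    return double_frees;
}

int run_vulnerable(void) { return run_sequence(free_property_buffer_vuln); }
int run_fixed(void)      { return run_sequence(free_property_buffer_fixed); }

int main(void) {
    printf("vulnerable handler: %d double free(s) caught\n", run_vulnerable());
    printf("fixed handler:      %d double free(s) caught\n", run_fixed());
    return 0;
}
```

The detector is the point for a reviewer or a fuzzing harness: a second free of a block that is no longer live is exactly the condition a tool like a page-heap or ASan build would flag, and the fix is the one-line invariant that a freed payload pointer is never left in the owning object.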
  20. Exploitation (heap diagram; four states of the resource buffers Res1, Res2, Res3, Res4, ...):
     1) First free: ResY is freed.
     2) The freed slot is occupied with a palette.
     3) Second free: the palette is freed by the double free.
     4) The slot is occupied with ResX.
  21. Modify palette->pEntries to what you want when occupying the palette with a resource buffer (ResX->DataBuf) at the second occupation: the content of palette->pEntries is replaced. Usually, cover palette->pEntries with a bitmap address (bitmap pScan0).
  22. Read & write primitive: replace the process token, exploited.
  23. Fix BSOD
     •  We finished privilege escalation, but BSOD when the process exits
     •  There is still a double free, of either the palette or ResX's DataBuffer, because they share the same kernel buffer
     •  The double free happens when the process handle table is cleared at process exit
     •  The palette handle is closed first, the resource handle next
     •  So we must clear ResX->DataBuffer, or remove the ResX handle from the handle table, before the process exits
  24. Clear ResX->DataBuffer
     •  The channel handle table is a binary tree; search it to find the channel the resource belongs to
     •  The channel handle table is located at _EPROCESS->Win32Process->GenericTable (GenericTable: channel1, channel2, channel3, channel4, channel5)
     •  1. Locate the ResX address. 2. Locate the channel address; resource addresses are stored in the channel's resource table
  25. The resource table in a channel is implemented as an array. Clearing the pointer:
     void* ptrNull = 0;
     AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull);   // clear
  26. BagMarshaler integer overflow (CVE-2016-XXXX)
  27. Root cause: integer overflow in the bounds check
     while (dataOffset < DataSize - 0xc)
     If DataSize < 0xc (e.g. DataSize == 1) the check becomes:
     if (dwOffset < (DWORD)(0x1 - 0xc)) {
         if (DataBuffer[dwOffset] == 0x66) {
             DataBuffer[dwOffset + 0xc] = xxxx;
         }
     }
     •  By default, this->DataBuffer == NULL && this->DataSize == 0
     •  Write anywhere on x86 systems
     •  Not so easy on x64 systems
     Exploitation requirements:
     1. this->DataBuffer must not be NULL
     2. this->DataSize < 0xC && this->DataSize != 0
     3. *(this->DataBuffer + inbuf->offset) == (0x45 or 0x66)
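The bounds check on slide 27, modelled as an added C example (not win32k code and not the authors' code): with DataSize held in a DWORD, DataSize - 0xc wraps when DataSize < 0xc, so the comparison admits any offset. The vulnerable predicate sits beside a hardened one that requires a non-NULL buffer and DataSize >= 0xc before subtracting, and a command handler built on the hardened check shows the 0x45/0x66 marker test and the write at offset + 0xc from the slide. The function names, the sample buffer and the marker placement are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t DWORD;

/* Constructed sample property buffer (not real data): 0x20 bytes with the
 * 0x66 marker placed at offset 4, so a command at offset 4 is accepted. */
static uint8_t sample_buf[0x20] = { [4] = 0x66 };

/* Vulnerable predicate from the slide: DataSize - 0xc is evaluated in
 * unsigned (DWORD) arithmetic, so DataSize < 0xc wraps to a huge bound and
 * every offset passes. Returns 1 if dwOffset would be accepted. */
int offset_allowed_vuln(DWORD DataSize, DWORD dwOffset) {
    return dwOffset < (DWORD)(DataSize - 0xc);
}

/* Hardened predicate: reject a missing buffer and any size that cannot hold
 * the 0xc-byte reach before subtracting, so the subtraction cannot wrap and
 * both DataBuffer[dwOffset] and DataBuffer[dwOffset + 0xc] stay in bounds. */
int offset_allowed_fixed(const uint8_t *DataBuffer, DWORD DataSize, DWORD dwOffset) {
    if (DataBuffer == NULL || DataSize < 0xc)
        return 0;
    return dwOffset < DataSize - 0xc;
}

/* Command handler built on the hardened predicate. Returns 1 if the byte at
 * dwOffset + 0xc was written, 0 if the marker did not match, -1 if the
 * offset was rejected. */
int apply_command(uint8_t *DataBuffer, DWORD DataSize, DWORD dwOffset, uint8_t value) {
    if (!offset_allowed_fixed(DataBuffer, DataSize, dwOffset))
        return -1;
    uint8_t marker = DataBuffer[dwOffset];
    if (marker != 0x66 && marker != 0x45)
        return 0;
    DataBuffer[dwOffset + 0xc] = value;
    return 1;
}

int main(void) {
    /* Default marshaler state from the slide: no buffer, size 0. */
    printf("vuln  check, DataSize=0, offset=0:      %d\n", offset_allowed_vuln(0, 0));
    printf("vuln  check, DataSize=1, offset=0x1000: %d\n", offset_allowed_vuln(1, 0x1000));
    printf("fixed check, DataSize=1, offset=0x1000: %d\n",
           offset_allowed_fixed(sample_buf, 1, 0x1000));
    printf("fixed check, NULL buffer:               %d\n",
           offset_allowed_fixed(NULL, 0x20, 0));
    int rc = apply_command(sample_buf, sizeof sample_buf, 4, 0x41);
    printf("apply at 4:    %d (buf[0x10]=0x%02x)\n", rc, sample_buf[0x10]);
    printf("apply at 0x18: %d\n", apply_command(sample_buf, sizeof sample_buf, 0x18, 0x41));
    return 0;
}
```

The fixed form keeps every comparison on the unsubtracted side: checking the size against the reach first is what makes the later subtraction safe, and a compiler cannot warn about the original because the wrap is well-defined unsigned arithmetic.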
  28. 1. this->DataBuffer must not be NULL: we can call CPropertyBagMarshaler::SetBufferProperty(...) with property == 2 to allocate a buffer, which is then stored in this->DataBuffer.
  29. 3. *(this->DataBuffer + inbuf->offset) == (0x45 or 0x66): spray lots of bufferX objects so that a bufferX lands behind this->DataBuffer (layout: DataBuffer, bufferX, ...). Calculate the inbuf->offset value; it must satisfy:
     •  (DataBuffer + offset) lands in bufferX, at bufferX->Field1
     •  bufferX->Field1 must be modifiable from user mode; set it to 0x45 or 0x66
     •  (DataBuffer + offset + 0xc) lands in bufferX (Field2) and must be exploitable
  30. Fortunately, we found that a bitmap satisfies this case perfectly (layout: DataBuffer, bitmap; offset lands on Height, offset + 0xc lands on pScan0). Now bitmap->pScan0 has been changed to the value we set, so we have a read/write primitive: 1. GetBitmapBits(...) 2. SetBitmapBits(...). Replace the process token, exploited!
  31. Compiler warning? WARNING!!
  32. Mitigation & bypass
  33. Objects giving read/write ability
  34. 1. tagWND abuse. Write what? tagWND.strName (UNICODE_STRING)? GetWindowText? NtUserDefSetText? Unfortunately, the destination address is now checked when written to: only the desktop heap range is legal.
  35. History of the tagWND and bitmap techniques (dates on the slide: 2014, 2015.3, 2016.3, 2016.8, 2016.10):
     •  Maybe 2014 Pwn2Own: KeenTeam used it once
     •  HackingTeam leaked 0day
     •  Someone wrote it up in a public paper
     •  Pwn2Own: we used it twice
     •  Pwn2Own: KeenTeam used it once
     •  2. Bitmap abuse
     •  2016.10: we used the Accelerator object to guess the bitmap object address, then we used it twice again in PwnFest
     •  Core Security guys released a paper talking about it
  36. Build 14393 vs 15xxx:
  37. A new way
  38. Limitation: only objects allocated on the desktop heap: 1. Window 2. Menu 3. InputContext 4. CallProc. But it is enough; I believe you guys could find something useful!!
  39. We are just on the way. Thank you.
