CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
CanSecWest2017

1. Win32k Dark Composition: Attacking the Shadow Part of the Graphic Subsystem
@360Vulcan Team
Peng Qiu (@pgboy)
SheFang Zhong (@zhong_sf)

2. About Us
Members of the 360 Vulcan Team; Windows kernel security researchers.
Pwn2Own winners 2016: pwned Chrome and Flash at Pwn2Own 2016.
PwnFest winners 2016: pwned Edge and Flash at PwnFest 2016.
Pwn2Own winners 2015: pwned IE at Pwn2Own 2015.

3. Agenda
Direct Composition Overview
0day & Exploitation
Fuzzing
Mitigation & Bypass

4. Direct Composition Overview
•  A high-performance bitmap composition engine with transforms, effects and animations.
•  Introduced in Windows 8.
•  Works on top of DWM (Desktop Window Manager).

5. Direct Composition Architecture
User land: dwmcore, dcomp, ...
Kernel: DirectComposition with CApplicationChannel, visual, CExpressionMarshaler, CFilterEffectMarshaler, CScaleTransformMarshaler, ...
The diagram shows the kernel side submitting to DWM (Desktop Window Manager), which calls into DXGK (the DirectX graphics kernel).

6. Significant Changes since Win10 RS1
•  The kernel implementation changed.
•  The interface changed: lots of interfaces were removed (10+?), lots of functions were rewritten (not as vulnerability fixes), and some interfaces were added, e.g. the one shown on the slide.

7. Before Win10 RS1: the functions exist independently, and some are in the win32k filter table.
Since Win10 RS1: all of them are reached through a single function (named on the slide image), and that function is outside the win32k filter list.

8. Why attack DirectComposition?
•  Reachable from an AppContainer, and outside the win32k filter.
•  This part is implemented in C++ in the kernel.
•  Introduced in Windows 8; as far as we know it has not been a focus for other researchers.

9. Important functions (see the slide image).

10. Channel Object
•  Known as the Device object at the user-interface level.
•  Owner of resources; used to create resources.
•  pArgSectionBaseMapInProcess returns a batch buffer that we need later.

11. Resource Object
•  Known as a Visual at the user-interface level.
•  Similar to a win32k SURFACE.
•  It has many types: CScaleTransformMarshaler, CTranslateTransformMarshaler, CRectangleClipMarshaler, CBaseClipMarshaler, CSharedSectionMarshaler, CMatrixTransformMarshaler, CMatrixTransform3DMarshaler, CShadowEffectMarshaler, ...

12. Batch Buffer
•  Associated with a channel.
•  Returned from NtDCompositionCreateChannel.
•  NtDCompositionProcessChannelBatchBuffer parses it; this function supports a lot of commands.

13. How to fuzz

14. Fuzzer weights: every function's default probability weight is 1; we raised the DirectComposition functions' weight to 100.

15. Argument provisioning:
•  If they need a channel, we give them one.
•  If they need a resource, we give them one.
•  If we do not know what they want, we give them a random one.
16. 0day & Exploitation

17. Resource Double Free (CVE-2017-XXXX)

18. Root cause: freeing the resource (visual)'s property buffer forgets to clear resource->DataBuffer, so the same buffer is freed again when the resource itself is freed. The first free is shown on the slide image.

19. Second free (slide image).

20. Exploitation. The slide's heap diagram, as steps:
1. The resource table holds Res1, ResY, Res2, Res3, Res4, ... Trigger the first free of ResY's DataBuffer.
2. Occupy the freed chunk with a palette.
3. Trigger the second free: the palette's memory is freed out from under it.
4. Occupy the chunk again with ResX, so ResX's DataBuffer now overlaps the palette.

21. When occupying the palette chunk with a ResourceBuffer, modify palette->pEntries to whatever you want: the second occupation replaces the palette contents through ResX->DataBuffer. Usually palette->pEntries is overwritten with a bitmap address (the figure points it at the bitmap's pScan0).

22. Read & write primitive. Replace the process token: exploited.

23. Fix the BSOD
•  We finished the privilege escalation, but the process BSODs on exit.
•  There is still a double free of either the palette or ResX's DataBuffer, because they share the same kernel buffer.
•  The double free happens when the process handle table is cleared on exit: the palette handle is closed first, the resource handle next.
•  So we must clear ResX->DataBuffer, or remove the ResX handle from the handle table, before the process exits.

24. Clear ResX->DataBuffer
•  The channel handle table is a binary tree; search it to find the channel the resource belongs to.
•  It is located at _EPROCESS->Win32Process->GenericTable (channel1, channel2, channel3, ...).
1. Locate the ResX address.
2. Locate the channel address: resource addresses are stored in the channel's resource table.

25. The resource table in a channel is implemented as an array. Clear the dangling pointer with the arbitrary write:
    void* ptrNull = 0;
    AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull);   // clear ResX->DataBuffer
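The root cause of slides 18-19, the fix, and the clean-up of slides 24-25, modelled in C as an added example (this is not code from the deck or from Windows). Field names follow the slides; the object layouts, handle values, the tracking allocator and the plain binary search tree standing in for the GenericTable are assumptions of the example, and AddressWrite from slide 25 is represented by a memcpy because the example has no kernel write primitive.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the objects on slides 18-25. Layouts and sizes are assumptions. */
#define MAX_RES  8
#define MAX_LIVE 64

struct resource {
    void  *DataBuffer;   /* property buffer: freed on property release AND on destroy */
    size_t DataSize;
};

struct channel {
    uintptr_t        handle;               /* key in the per-process GenericTable */
    struct channel  *left, *right;         /* GenericTable modelled as a plain BST */
    struct resource *resources[MAX_RES];   /* resource table is an array (slide 25) */
};

/* Tracking allocator: a free of a pointer that is not currently live is counted
   as a double free and NOT passed to free(), so the model stays well defined. */
static void *g_live[MAX_LIVE];
static int   g_double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p == NULL) abort();
    for (int i = 0; i < MAX_LIVE; i++)
        if (g_live[i] == NULL) { g_live[i] = p; break; }
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (g_live[i] == p) { g_live[i] = NULL; free(p); return; }
    g_double_frees++;                       /* second free of the same pointer */
}

/* Vulnerable: the property buffer is freed but the pointer stays behind. */
static void release_property_vuln(struct resource *r)
{
    tracked_free(r->DataBuffer);
}

/* Fixed: clear the pointer so the destroy path cannot free it a second time. */
static void release_property_fixed(struct resource *r)
{
    tracked_free(r->DataBuffer);
    r->DataBuffer = NULL;
    r->DataSize = 0;
}

/* Resource teardown, as run when the process handle table is cleared on exit. */
static void resource_destroy(struct resource *r)
{
    if (r->DataBuffer != NULL)
        tracked_free(r->DataBuffer);        /* second free in the vulnerable case */
    tracked_free(r);
}

/* Slide 24: walk the channel tree by handle, then index the channel's
   resource array to recover the address of a resource. */
static struct resource *lookup_resource(struct channel *root, uintptr_t chanHandle, int index)
{
    struct channel *c = root;
    while (c != NULL && c->handle != chanHandle)
        c = (chanHandle < c->handle) ? c->left : c->right;
    if (c == NULL || index < 0 || index >= MAX_RES)
        return NULL;
    return c->resources[index];
}

enum { VULN = 0, FIXED = 1, EXPLOIT_CLEANUP = 2 };

/* Returns the number of double frees observed in the chosen scenario. */
static int demo(int scenario)
{
    memset(g_live, 0, sizeof g_live);
    g_double_frees = 0;

    struct channel c10 = { .handle = 0x10 }, c30 = { .handle = 0x30 };
    struct channel c20 = { .handle = 0x20, .left = &c10, .right = &c30 };

    struct resource *resx = tracked_alloc(sizeof *resx);
    resx->DataBuffer = tracked_alloc(0x40);
    resx->DataSize = 0x40;
    c30.resources[3] = resx;                /* ResX lives in channel 0x30, slot 3 */

    if (scenario == FIXED)
        release_property_fixed(resx);
    else
        release_property_vuln(resx);        /* first free */

    if (scenario == EXPLOIT_CLEANUP) {
        /* Slide 25: after escalation, store NULL over ResX->DataBuffer before exit. */
        struct resource *target = lookup_resource(&c20, 0x30, 3);
        void *ptrNull = NULL;
        if (target != NULL)
            memcpy(&target->DataBuffer, &ptrNull, sizeof ptrNull);  /* AddressWrite(...) */
    }

    resource_destroy(resx);                 /* handle-table cleanup at process exit */
    return g_double_frees;
}

int main(void)
{
    printf("vulnerable: %d double free(s)\n", demo(VULN));
    printf("fixed:      %d double free(s)\n", demo(FIXED));
    printf("cleaned up: %d double free(s)\n", demo(EXPLOIT_CLEANUP));
    return 0;
}
```

The cleanup scenario is the exploit's own view of the bug: the dangling pointer is left in place by the vulnerable release, and the only way to survive process exit without a patch is to find the resource through the channel tree and null the field yourself.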
26. BagMarshaler Integer Overflow (CVE-2016-XXXX)

27. Root cause: an integer underflow in the bounds check dwOffset < DataSize - 0xc. When DataSize < 0xc the unsigned subtraction wraps to a huge value, so any offset passes. The slide shows the check with DataSize == 1:
    if (dwOffset < (DWORD)(0x1 - 0xc)) {        // wraps to 0xFFFFFFF5, so every offset passes
        if (DataBuffer[dwOffset] == 0x66) {
            DataBuffer[dwOffset + 0xc] = xxxx;
        }
    }
•  By default, this->DataBuffer == NULL and this->DataSize == 0.
•  Write anywhere on x86; not so easy on x64 (a 32-bit offset from a NULL base only reaches the low 4 GB, which is user space on x64).
Exploitation requires:
1. this->DataBuffer must not be NULL.
2. this->DataSize < 0xC && this->DataSize != 0.
3. *(this->DataBuffer + inbuf->offset) == 0x45 or 0x66.

28. Condition 1: this->DataBuffer must not be NULL. We can call CPropertyBagMarshaler::SetBufferProperty(...) with property == 2 to allocate a buffer, which is then stored in this->DataBuffer.

29. Condition 3: *(this->DataBuffer + inbuf->offset) == 0x45 or 0x66. Spray lots of bufferX objects so that one lands behind this->DataBuffer, then calculate inbuf->offset so that:
•  (DataBuffer + offset) falls inside bufferX, on bufferX->Field1.
•  bufferX->Field1 must be modifiable from user mode; set it to 0x45 or 0x66.
•  (DataBuffer + offset + 0xc) also falls inside bufferX, on Field2, and Field2 must be exploitable.

30. Fortunately, a bitmap satisfies this case perfectly: Field1 is the bitmap Height, and Field2, 0xc bytes later, is pScan0. Now bitmap->pScan0 has been changed to the value we set, so we have a read/write primitive:
1. GetBitmapBits(...)
2. SetBitmapBits(...)
Replace the process token: exploited!

31. Compiler warning? WARNING!! (the slide shows the warning the compiler emits for this check)
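The wrapping check of slide 27, an overflow-safe replacement, and the heap layout of slides 29-30, modelled in C as an added example (not code from the deck or from Windows). The struct layouts, the arena, the 4-byte width of the write and the position of the sprayed bitmap are assumptions of the example; only the 0xc distance between the height field and pScan0, and the 0x45/0x66 tag values, come from the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the property-bag write shown on slide 27. */
struct bag {
    uint8_t *DataBuffer;   /* NULL and DataSize == 0 by default */
    uint32_t DataSize;
};

/* The slide's check: dwOffset < (DWORD)(DataSize - 0xc). With DataSize < 0xc
   the unsigned subtraction wraps to a huge value and every offset passes. */
static int bag_check_vuln(uint32_t dataSize, uint32_t dwOffset)
{
    return dwOffset < (uint32_t)(dataSize - 0xc);
}

/* Overflow-safe form: require room for the tag byte at dwOffset and the
   4-byte value at dwOffset + 0xc without ever computing a negative length. */
static int bag_check_fixed(uint32_t dataSize, uint32_t dwOffset)
{
    const uint32_t need = 0xc + sizeof(uint32_t);
    return dataSize >= need && dwOffset <= dataSize - need;
}

/* Returns 1 if the write happened. The 0x45 / 0x66 tag check is from the slide;
   the 4-byte write width is an assumption. Little-endian (x86) is assumed. */
static int bag_set_property(struct bag *b, uint32_t dwOffset, uint32_t value, int fixed)
{
    int ok = fixed ? bag_check_fixed(b->DataSize, dwOffset)
                   : bag_check_vuln(b->DataSize, dwOffset);
    if (!ok)
        return 0;
    uint8_t tag = b->DataBuffer[dwOffset];
    if (tag != 0x45 && tag != 0x66)
        return 0;
    memcpy(b->DataBuffer + dwOffset + 0xc, &value, sizeof value);
    return 1;
}

/* Heap-layout model of slides 29-30: the bag's small DataBuffer is followed in
   the same arena by a bitmap-like object whose height field sits 0xc bytes
   before its scan-line pointer. Offsets are assumptions for this model. */
#define ARENA_SIZE  0x100
#define BUF_SIZE    8            /* DataSize < 0xc and non-zero */
#define BITMAP_OFF  0x40         /* where the sprayed bitmap lands */
#define CY_OFF      0x14         /* height field inside the model bitmap */
#define PSCAN0_OFF  (CY_OFF + 0xc)

/* The attacker picks the bitmap height from user mode; 0x66 satisfies the tag
   check, and the write then lands on pScan0. Returns the resulting pScan0. */
static uint32_t simulate_overwrite(int fixed)
{
    uint8_t arena[ARENA_SIZE];
    memset(arena, 0, sizeof arena);

    struct bag b = { .DataBuffer = arena, .DataSize = BUF_SIZE };
    uint32_t height = 0x66;
    memcpy(arena + BITMAP_OFF + CY_OFF, &height, sizeof height);

    uint32_t dwOffset = BITMAP_OFF + CY_OFF;   /* DataBuffer + offset == &bitmap.height */
    bag_set_property(&b, dwOffset, 0x41414141u, fixed);

    uint32_t pscan0;
    memcpy(&pscan0, arena + BITMAP_OFF + PSCAN0_OFF, sizeof pscan0);
    return pscan0;   /* 0x41414141 with the vulnerable check, 0 with the fixed one */
}

int main(void)
{
    printf("vuln check passes for DataSize=8, offset=0x7fffffff: %d\n",
           bag_check_vuln(8, 0x7fffffffu));
    printf("fixed check passes for the same input:              %d\n",
           bag_check_fixed(8, 0x7fffffffu));
    printf("pScan0 after vulnerable write: 0x%08x\n", simulate_overwrite(0));
    printf("pScan0 after fixed write:      0x%08x\n", simulate_overwrite(1));
    return 0;
}
```

The fixed check is written as a comparison against the size rather than a subtraction from it, which is the general rule for this class of bug: never form a length by subtracting a constant from an untrusted size.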
32. Mitigation & Bypass

33. Read/write-capable objects

34. 1. tagWND abuse. Write what? tagWND.strName (a UNICODE_STRING), through GetWindowText / NtUserDefSetText. Unfortunately, the destination address is now checked when it is written to; only the desktop heap range is legal.

35. History, as laid out on the slide:
2014 (maybe): Pwn2Own: KeenTeam used it once. HackingTeam's leaked 0day used it, and someone wrote it up in a public paper.
2015.3: Pwn2Own: we used it twice.
2016.3: Pwn2Own: KeenTeam used it once.
2016.8 / 2016.10: 2. Bitmap abuse. We used an Accelerator object to guess the bitmap object address, then used it twice again at PwnFest. The Core Security guys released a paper talking about it.

36. 14393 vs 15xxx: (slide image comparing the two builds)

37. A new way (slide image)

38. But only for objects allocated on the desktop heap:
1. Window
2. Menu
3. InputContext
4. CallProc
A limitation, but it is enough; I believe you guys could find something useful!

39. We are just on the way. Thank you.