Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[若渴計畫]CVE 2014-9322, CVE-2015-0235, CVE-2009-3547

857 views

Published on

自從追蹤The Hacker News, 網路攻防戰的fb之後,
每天都有很多新奇的訊息.
挑了CVE 2014-9322, CVE-2015-0235, CVE-2009-3547理解
而從網路攻防戰得知the Carbanak APT很想模擬玩玩看
但發現需要知道很多知識一個人要玩很久
所以藉此分享CVE 2014-9322, CVE-2015-0235, CVE-2009-3547
來找研究the Carbanak APT的夥伴XD

  • Be the first to comment

[若渴計畫]CVE 2014-9322, CVE-2015-0235, CVE-2009-3547

  1. 1. CVE-2014-9322, CVE-2015- 0235, CVE-2009-3547 AJ (張仁傑) <ajblane0612@gmail.com> 2015.2.28
  2. 2. CVE(Common Vulnerabilities and Exposures) • Vulnerabilities • An information security “vulnerability” is a mistake in software that can be directly used by a hacker to gain access to a system or network (from CVE Terminology) • Exposure • An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network (from CVE Terminology) • 其實不太知道為什麼要分Vulnerabilities/ Exposure, 這兩字眼解釋
  3. 3. 看到Vulnerabilities, Exposure我只會想到 已存在的軟體/系統(因為大家都可能用啊XD) trigger 男人都想 (Vulnerabilities, Exposure) 1 2 3 你們會想到?
  4. 4. 接下來只介紹Vulnerabilities (一個idea,就像你 知道buffer overflow是漏洞,但你不知道怎觸發) • CVE-2014-9322 • CVE-2015-0235 • CVE-2009-3547 • CVE-XXXX-XXXX=>可以慢慢研究XD
  5. 5. CVE-2014-9322: bad_iretSS exception • "The next two bugs are related to espfix. The IRET instruction has IMO a blatant design flaw: IRET to a 16-bit user stack segment will leak bits 31:16 of the kernel stack pointer. This flaw exists on 32-bit and 64-bit systems. 32-bit Linux kernels have mitigated this leak for a long time, and 64-bit Linux kernels have mitigated this leak since 3.16. The mitigation is called espfix.“ from http://www.phoronix.com/scan.php?page=news_item&px=MTg2NzY ss kernel stackuser stack 0x0001_00000x0000_10000x0001_0000 IRET ss 0x0001_1000 bad_iret(不正確返回)
  6. 6. CVE-2014-9322: bad_iret • 對象: Linux 64bit 3.11.10-301 on Intel X86 • The vulnerability • 透過計算espfix製造bad_iret,先push espfix, 在iret時,會發生#SS exception • GS是X86的segment register,被linux拿來指向儲 存CPU資料的結構,而SWAPGS如下描述 kernel’gs User’gs current gs temp kernel’gsUser’gs SWAPGS
  7. 7. GS指向的資料結構
  8. 8. 假設準備假的GS指向的資料結構會發生? fake’gs kernel’gs SWAPGS kernel’gs fake’gs fake’gs kernel’gs SWAPGS kernel’gs fake’gs SWAPGS fake’gs kernel’gs SWAPGS kernel’gs fake’gs SWAPGS current gs temp 靠背! GP exception在執行fake’gs • 為什麼會有兩個SWAPGS? 只是contex switch時,store gs和 restore gs而已
  9. 9. CVE-2015-0235:GHOST (glibc gethostbyname buffer overflow) • 對象: gethostbyname*() • 要知道The vulnerability要了解gethostbyname_r • 藉由name可拿到host的資訊(如: official name of host) • int gethostbyname_r( const char *name, //輸入hostname or IPv4 or IPv6 struct hostent *ret, //= =+ 不太了解 char *buf, // 此buf存在目的只是根據name的大小,來配置足夠大的temp給 內部處理 size_t buflen, struct hostent **result, // host的資訊 int *h_errnop //錯誤訊息 ); • 所以正確使用gethostbyname_r,使要先配置足夠大的buffer在執行 gethostbyname_r,可參閱(How to use gethostbyname_r (correct example)
  10. 10. CVE-2015-0235: Buffer Overflow Vulnerability len= 991
  11. 11. (gdb) p name $19 = '0' <repeats 991 times >, "000377262360000000 000000000320006@", '000 ' <repeats 13 times>"360, 004@000000000000" (gdb)p temp $16 = { buffer = '000' <repeats 16 t imes>, "020", '000' <repeat s 21 times>, '0' <repeats 984 times>, canary = "0000000000 oal_mine"} 因為在name很大時, buffer會 overflow,所以複寫到canary屬性 (條件成立可以參閱: Qualys Security Advisory CVE-2015-0235 )
  12. 12. CVE-2009-3547 • 對象: 2.6.29 release of the Linux kernel的 fs/pipe.c
  13. 13. 靠! 有啥問題@@? • The vulnerability • Process A : open pipe • Process B : release pipe • 執行順序 A|B(意思是A,B都在mutex_lock)->B->A • 結果A process會執行(NULL)->writers++ mutex_lock(&inode->i_mutex); inode->i_pipe->writers--; mutex_unlock(&inode->i_mutex); A B mean: 控制(NULL)->writers位置的值+1
  14. 14. 為了 ,給自己一個目標 模擬 the Carbanak APT攻擊
  15. 15. 討論紀錄與補充
  16. 16. bad_iret的問題討論 • 由Intel® 64 and IA-32 Architectures Software Developer’s Manual知 道iret是使用16-bit operand size,並不代表是在16 mode下做運作,而 是指stack可使用的範圍 • Large memory management vulnerabilitiesp.16頁中 linux 2.6 kernel stack被安裝在 3G的地方 • 由於linux的stack位置設計,所以會有此投影片p.5的狀況
  17. 17. 如何Trigger CVE-2014-9322 Vulnerabilities? • Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)的 Triggering the vulnerability小節
  18. 18. (NULL)->writers++為啥可執行? • 因為(NULL)->writers++是在kernel mode執行,在user mode會跳 exception

×