4. How to Run Code via USB
gconf setting:
● media automout
/apps/nautilus/preferences/media_automount
TRUE
● Nautilus window opening
by default
/apps/nautilus/preferences/media_automount_open
5. Thumbnails and DVI format
● Gnome support the generation of thumbnail images by
external application
● evince-thumbnail generates the DVI files' thumbnailers:
gconf-editor /desktop/gnome/thumbnailers/application@x-dvi
DVI files:
● binary description of the document's visual layout
● preamble, one or more pages, postamble
● rely on external files to typeset the font
● PK font file: character code (cc ) for each character definition
with some dimensional fields, w, h, x, y
7. How the Exploit Works
● Python code to generate DVI files referencing to two malicious
fonts (CVE-2010-2640).
● The first one casues the overwrite of ptr->info.lookup
● The second one is executed instead of looked up!
Building a malicious font:
● cc value ~ [-236, -239]
cc = (font->chars - &ptr->info.lookup) / sizeof(DviFontChar)
● pad value
● system address
part of /lib/libpthread-2.12.1.so, libc
8. Fix
The fix simply consists in a check before the
reading of the x, y, w, h values:
Security mechanisms in Ubuntu:
●
AppArmor
●
Address Space Layout Randomization (ASLR)
9. How to Become Root
A rootkit which exploit 3 vulnerabilities in the
linux kernel:
a)A failure to revert address limit override due to an
OOPS (CVE-2010-4258).
b)A local Denial of Service in the Econet protocol
which causes a kernel OOPS (CVE-2010-3849,
CVE-2010-3850).
10. How they work
a) When an OOPS occurs, the kernel attempts:
● to clean up the process’ resources
● to kill it by calling the do_exit function
...but, it is still running in Kernel Mode!
do_exit can write a NULL word in an user space
location:
CLONE_CHILD_CLEARTID flag
set in the clone system call
11. Execution Flow
1.Resolving two addresses of the Econet protocol.
2.Calculating the address of the system call to overwrite.
3.Calculating the result address of the overwrite.
4.Copying the privilege escalation function in the previous address.
5.Invoking the clone which executes the function that trigger the
NULL pointer dereference.
6.Termination of the thread which overrides the system call
address calculated at point 2.
7.Invoking this system call which will now cause to run the privilege
escalation function.
12. Resolving addresses
●
econet_ops (struct): information related to a
socket network access protocol
●
econet_ioctl (pointer): refers to the function's
address to be used as Input/Output Control
13. Address to overwrite
1. econet_ioctl has to be overwritten
2. It will point to a controlled memory region
3. target refers to the address to be overwritten
4. ...while landing is the address after the
overwrite
14. The Privilege Escalation Function
●
It is copied in memory
●
So that, after the overwrite, it will be executed
●
An Heap Spray attack is performed to facilitate
the exploit
15. The Clone System Call
●
Creates a new process (similar to fork)
●
If the CLONE_CHILD_CLEARTID flag is used,
a NULL word will be written to a user-specified
pointer when exits
●
The kernel checks if it can write to that pointer
by simple compare against a boundary
16. Writing in Kernel Space
●
An OOPS causes a process to exit
●
The kernel kills it invoking the do_exit
●
However the do_exit does not revert a previous
address limit override
●
The use of CLONE_CHILD_CLEARTID will
causes a NULL write also in an arbitrary
Kernel Space location
17. The Trigger Function
●
An OOPS in KERNEL_DS is needed to
terminate the cloned process
●
Two bugs in the Econet protocol are used:
1.Missing capability check
2.NULL pointer dereference in the econet_sendmsg
18. Getting Root
●
At this point the econet_ioctl is overwrite and
point to our previously trampoline function
●
Invoking the ioctl on the Econet socket will
now run the trampoline instead
19. The trampoline
●
The function trampoline is copied directly in the
memory
●
Which means it has to be written in machine
code
●
...and it simply executes another function
20. ...one last effort: Get Root!
●
The trampoline refers to the getroot function
●
...which changes the process capabilities
22. Fix
The fixes consist in checks or resets
addition:
(CVE-4258): set_fs(USER_DS) reset
(CVE-3849): CAP_NET_ADMIN check
(CVE-3850): NULL pointer check
23. Combining
As the rootkit is executed any kind of malicious
action could be executed:
● opening a root terminal;
● installing a remote or local backdoor in order to leave
open the access to the machine;
● adding a keylogger in order to capture important
information typed by the user;
● accessing to restricted area in order to stole users’
private documents;
● executing other code which will lead the system in an
unwanted state;
● ...or whatever else the attacker may want to do.
24. Don't worry...the end!
●
What we have learnt:
●
Dynamic analysis with GDB tool
●
Deeper knowledge of the GNU/Linux environment
●
Kernel system calls
●
Security mechanisms: ASLR, AppArmor
●
USB driver management
●
If you are looking for a smart project...look at
here: http://www.vulnfactory.org/exploits/
ANY QUESTION??