
Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Published on 2015/11/14 at AVTOKYO2015
Japanese version is available at http://www.slideshare.net/inaz2/abusing-interrupts-for-reliable-windows-kernel-exploitation-ja



  1. Abusing Interrupts for Reliable Windows Kernel Exploitation (2015/11/14, AVTOKYO2015, inaz2)
  2. About me
     • inaz2
     • Security engineer & Python programmer
     • Working at NTT Communications
     • Weblog “momoiro technology”: http://inaz2.hatenablog.com/
  3. Windows kernel exploitation
     • Attacks that exploit a vulnerability in kernel land
     • Including vulnerabilities in device drivers
     • A write-what-where condition/vulnerability is widely used
     • It allows writing an arbitrary value to an arbitrary address
     • Execute shellcode to escalate the privilege of the attacking process
     • Then launch an administrator command prompt
  4. Classic technique: halDispatchTable overwrite
     • nt!NtQueryIntervalProfile internal API
     • Calls [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile
     • Overwrite [nt!halDispatchTable+4] with the address of the shellcode
  5. Replace token shellcode
     • Copy the token object from the System process (PID=4)
     (Figure annotation: replace 41414141h with the attacking process’ PID)
  6. It works but …
     • Depends on the implementation of nt!NtQueryIntervalProfile
     • The kernel implementation may change in the future (i.e. not reliable)
     • Is there a more reliable target to overwrite?
  8. x86 interrupt handling
     • There are hardware interrupts (keyboard etc.) and software interrupts (division by zero etc.)
     • Software interrupts are triggered by the “int n” instruction
     • Interrupt Descriptor Table (IDT)
     • Each entry (interrupt gate) stores the address of a handler function (Interrupt Service Routine; ISR)
     • ISRs are executed in Ring 0
     • They can do everything
  9. x86 privilege levels (protection rings)
     • 4 privilege levels numbered from 0 to 3
     • A greater number means fewer privileges
     • Most OSes including Windows use only two rings
     • Ring 0 corresponds to kernel mode and Ring 3 to user mode
  10. Interrupt Descriptor Table (1/4)
      • Intel Developer’s Manual Volume 3, Chapter 6
  11. Interrupt Descriptor Table (2/4)
      • Intel Developer’s Manual Volume 3, Chapter 6
      (Figure annotation: the gate can be invoked from Ring 3 if DPL=3)
  12. Interrupt Descriptor Table (3/4)
      • WinDbg (KD) view
  13. Interrupt Descriptor Table (4/4)
      • Overwrite the interrupt gate for interrupt #0
      (Figure annotation, WinDbg view: 414184fc 000884fc 4141ee00, DPL=3)
  14. IDT overwrite technique
      Get the IDT address → Overwrite the interrupt gate for interrupt #n → Trigger interrupt #n by the “int n” instruction → Execute shellcode
  15. Detailed procedure
  16. Find the write-what-where vulnerability
      • Write and install a vulnerable device driver
      • It exposes a write-what-where vulnerability via IOCTL
  17. Get the IDT address (1/2)
      (Figure annotation: can be used even in Ring 3!)
  18. Get the IDT address (2/2)
      • The function that returns the IDT address
      (Figure annotation: disable alignment)
  19. Write the Interrupt Service Routine (ISR)
      • Switch the value of the fs segment register
      • 0x33 (TEB) → 0x30 (KPCR)
      • Call the shellcode right after the ISR
      • Return with the iretd instruction instead of ret
  20. Allocate memory & put the code there
      • Allocate a nop-sled from 0x41410000 to 0x41420000
      • Put the ISR code + shellcode starting at 0x41420000
  21. Overwrite the interrupt gate
      • Write 0x4141ee00 to the latter half of the interrupt gate for interrupt #32
      • #32-255 are designated as user-defined interrupts (not reserved)
  22. Trigger the software interrupt
      • Execute “int 32”
      • The shellcode is executed via the ISR
      • Then launch cmd.exe
  23. Demo
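As an added defensive example (not part of the talk), the following Python decodes 32-bit IDT gate descriptors as they appear in the WinDbg view on slides 12, 13 and 21 and flags any present gate whose handler address lies in the user-mode half of the address space, which is exactly what the 0x4141ee00 overwrite leaves behind. The sample IDT contents, the kernel handler addresses and the default 2 GB user/kernel split are constructed assumptions.

```python
import struct

# Layout of a 32-bit x86 interrupt gate (Intel SDM Vol. 3, Chapter 6):
#   bytes 0-1 offset[15:0]    bytes 2-3 code segment selector
#   byte  4   reserved        byte  5   P | DPL | 0 | gate type
#   bytes 6-7 offset[31:16]
# WinDbg 'dd' shows a gate as two little-endian dwords, e.g. 000884fc 4141ee00.
USER_KERNEL_SPLIT = 0x80000000  # default x86 split; assumption (0xC0000000 with /3GB)

def decode_gate(raw):
    """Decode one 8-byte gate into its fields."""
    lo, hi = struct.unpack("<II", raw)
    return {
        "handler": (hi & 0xFFFF0000) | (lo & 0xFFFF),
        "selector": lo >> 16,
        "present": bool(hi & 0x8000),
        "dpl": (hi >> 13) & 3,
        "gate_type": (hi >> 8) & 0xF,   # 0xE = 32-bit interrupt gate
    }

def encode_gate(handler, selector=0x08, dpl=0, gate_type=0xE):
    """Build a gate; used here only to construct sample IDT contents."""
    lo = (selector << 16) | (handler & 0xFFFF)
    hi = (handler & 0xFFFF0000) | ((0x80 | (dpl << 5) | gate_type) << 8)
    return struct.pack("<II", lo, hi)

def audit_idt(idt_bytes, split=USER_KERNEL_SPLIT):
    """Return (vector, handler, dpl) for present gates whose handler is below the kernel base."""
    findings = []
    for vector in range(len(idt_bytes) // 8):
        g = decode_gate(idt_bytes[vector * 8:(vector + 1) * 8])
        if g["present"] and g["handler"] < split:
            findings.append((vector, g["handler"], g["dpl"]))
    return findings

def sample_idt():
    """Constructed 48-entry IDT: every gate points into kernel space except vector 32,
    whose high dword is replaced by 0x4141ee00 as on slide 21 (handler 0x4141xxxx, DPL=3)."""
    gates = [encode_gate(0x805384fc + v * 0x40) for v in range(48)]  # constructed addresses
    gates[32] = gates[32][:4] + struct.pack("<I", 0x4141ee00)
    return b"".join(gates)

if __name__ == "__main__":
    for vector, handler, dpl in audit_idt(sample_idt()):
        print("vector %d: handler 0x%08x in user space (DPL=%d)" % (vector, handler, dpl))
```

The same check applies to a real IDT dumped from a kernel debugger or a memory image; a DPL=3 gate is not suspicious by itself (Windows has legitimate user-callable gates), but a handler below the kernel base always is.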
  24. What about 64 bit Windows?
      • The size of an interrupt gate increases to 16 bytes
      • As a 0x100000000-byte nop-sled is quite hard, overwriting the entire interrupt gate is required (i.e. write 2 times)
      • However, my VirtualBox VM hangs when the interrupt is triggered (PatchGuard??)
  25. Comparison with halDispatchTable overwrite
      • Pros
        • Reliable against all versions of x86-based Windows
        • Easy to determine the address to be overwritten
      • Cons
        • Need to prepare the ISR code
        • Need to allocate a nop-sled
        • Not confirmed on 64 bit
  26. Recap
      • The IDT overwrite technique is reliable against all versions of x86-based Windows
      • Independent of kernel implementation changes
      • We can get the IDT address even in Ring 3
      • There’s more than one way to do it
  27. References
      • Trying privilege escalation from a device driver vulnerability on Windows - momoiro technology
        • http://inaz2.hatenablog.com/entry/2015/09/15/121926
      • Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
        • http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule-them-all_21.html
      • Interrupt Service Routines - OSDev Wiki
        • http://wiki.osdev.org/Interrupt_Service_Routines
      • SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY ?
        • http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html
  28. Thank you! inaz2
