This document summarizes a presentation about finding vulnerabilities in the Windows kernel network stack. It discusses how exploiting complex and uncommon features like IPv6 packet fragmentation can lead to vulnerabilities. Specifically, it describes CVE-2014-9383, a remote code execution vulnerability discovered in a Bitdefender NDIS filter driver through an IPv6 packet defragmentation bug. The presentation outlines techniques for kernel bug hunting such as intercepting packets and overwriting packet data buffers to cause memory overflows. It also notes tools that can help with reverse engineering NDIS drivers like NDISaster.
Windows Kernel Vulnerabilities: Exploring the NDIS Attack Surface
2. Windows Kernel, the final frontier
Our mission: to explore strange new attack surfaces, to
seek out new bugs and new 0-days. To boldly go where
(almost) no security researcher has gone before
3. NDIS PACKET OF DEATH
TURNING WINDOWS’ COMPLEXITY AGAINST ITSELF
NITAY ARTENSTEIN
CHECK POINT
5. AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
7. USS WINTERPRISE PACKET FLOW
[Diagram: packet flow. USERLAND: APPLICATION, WINSOCK API. KERNEL: WINSOCK KERNEL, bridge, NETWORK CARD, ?]
9. Filter Drivers
• Handle all packets, regardless of configuration
• Massive attack surface
• Small, easy to reverse engineer
“Being stuck in the middle is not THAT bad!”
13. The Windows network driver layers
absolutely horrendous messes of conflicting layers of backward-compatible cruft
emotional trauma
the Windows network stack 🙀
14. Hostile Programming Environments
• Bad API design
• Complicated memory management
• Inadequate documentation
• No helper functions
“They said kernel programming is good money”
15. NETWORK DRIVER INTERFACE SPECIFICATION
[Diagram: NDIS stack, NETWORK CARD, MINIPORT DRIVER, FILTER DRIVER, PROTOCOL DRIVER, NDIS]
SECURITY
1. Third party code
2. Too much complexity
3. API quality
17. AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
25. FIRST ATTACK: PACKET CONFUSION
EVIL: API DOCUMENTATION SAMPLE CODE, STACKOVERFLOW.COM, SITES FROM THE 90’s
26. FIRST ATTACK: PACKET CONFUSION
“If we need to queue this packet we will also have to copy over the per-packet information. This is because data is available only for the duration of this receive indication call”
EVIL
33. SECOND ATTACK: PACKET OVERWRITE
EVIL: API DOCUMENTATION SAMPLE CODE
“Remove all MDLs [memory buffers] from the end of the chain, where the last byte of the MDL isn’t part of the packet buffer”
40. THIRD ATTACK: death by protocol
GOOD
RFC 2460 (IPv6)
RFC 790 (IPv4)
RFC 791 (IPv4)
RFC 826 (ARP)
RFC 1034 (DNS)
RFC 768 (UDP)
RFC 793 (TCP)
RFC 792 (ICMP)
41. GOOD EVIL
0 3
“I keep this around for when Spock is not on board”
42. AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
43. BUG HUNTING 101
PREMISE:
1. MORE COMPLEXITY == MORE BUGS
2. EDGE CASES ARE THE MOST DIFFICULT TO TEST
CONCLUSION:
LOOK FOR BUGS IN COMPLICATED AND UNCOMMON USE CASES
EVIL
44. A Word About IPv6
• Insanely complicated protocol
• Nobody’s using it
• Has esoteric features that REALLY nobody uses
• NDIS drivers still have to support those features
“Anybody order pizza?”
45. BONUS: YOU GET TO SET THE SIZE OF THE EXTENSION HEADER
SECURITY
1. Complicated!
46. RFC 2460
“A node may use the IPv6 Fragment header to fragment the packet at the source and have it reassembled at the destination.
However,
is discouraged”
EVIL
SECURITY
2. Unused!
47. About CVE-2014-9383
• RCE vulnerability in Bitdefender NDIS filter driver
• Patched last month
• Disclaimer: No ASLR bypass (requires another vuln)
• Another disclaimer: Statistical attack, works 50% of the time
“Next time let me write a Linux driver”
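The fragmentation slides above and the defragmentation bug behind CVE-2014-9383 both come down to one check: the sender chooses the fragment offset and the fragment's data length, so a reassembly routine must bound their sum against its buffer before copying. The following is an added example written for this summary, not code from the talk or from the Bitdefender driver; the ip6_frag_* names, the demo_fragment helper and the two sample fragments are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IP6_FRAG_HDR_LEN 8          /* RFC 2460 4.5: Fragment header is 8 bytes */
#define IP6_MAX_PAYLOAD  65535      /* a reassembled payload may not exceed this */

struct ip6_frag_info {
    uint8_t  next_header;
    uint32_t offset;                /* byte offset of this fragment's data */
    int      more_fragments;        /* M flag */
};

/* Parses the header byte by byte (network order, no struct cast, so alignment and
 * host endianness do not matter). Returns 0 on success, -1 if the buffer is short. */
int ip6_frag_parse(const uint8_t *hdr, size_t len, struct ip6_frag_info *out)
{
    if (len < IP6_FRAG_HDR_LEN) return -1;
    uint16_t off_flags = (uint16_t)((hdr[2] << 8) | hdr[3]);
    out->next_header    = hdr[0];
    out->offset         = (uint32_t)(off_flags >> 3) * 8;   /* 13 bits, 8-octet units */
    out->more_fragments = off_flags & 1;
    return 0;
}

/* Copies fragment data into the reassembly buffer only if the sender-controlled
 * (offset, length) pair fits: offset is checked alone first so the subtraction cannot
 * underflow, and everything is size_t so nothing wraps. Returns bytes copied, 0 if rejected. */
size_t ip6_frag_reassemble(uint8_t *reasm, size_t reasm_len,
                           const uint8_t *frag, size_t frag_len)
{
    struct ip6_frag_info fi;
    if (ip6_frag_parse(frag, frag_len, &fi) != 0) return 0;
    size_t data_len = frag_len - IP6_FRAG_HDR_LEN;
    if (data_len == 0 || fi.offset > reasm_len || data_len > reasm_len - fi.offset)
        return 0;
    memcpy(reasm + fi.offset, frag + IP6_FRAG_HDR_LEN, data_len);
    return data_len;
}

/* Constructed samples: 16 data bytes behind an in-range header (offset field 1 = byte 8,
 * M=1) or behind the maximum offset field (8191 = byte 65528, M=0), which would run
 * 9 bytes past a 65535-byte buffer. */
size_t demo_fragment(int oversized)
{
    static uint8_t reasm[IP6_MAX_PAYLOAD];
    uint8_t frag[IP6_FRAG_HDR_LEN + 16] = { 17, 0, 0x00, 0x09, 0xAB, 0xCD, 0xEF, 0x01 };
    if (oversized) { frag[2] = 0xFF; frag[3] = 0xF8; }
    for (int i = 0; i < 16; i++) frag[IP6_FRAG_HDR_LEN + i] = (uint8_t)(0x40 + i);
    return ip6_frag_reassemble(reasm, sizeof reasm, frag, sizeof frag);
}
```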
54. Bonus: DIY with NDISaster
• Identifies the main handler functions in NDIS drivers
• Generates a Windbg script for packet capture
• Incorporates the output from Windbg back into IDA
• Identifies the main functions per protocol
• Still no support for NDIS 6!