
Windows's Kindnesses - Commoner to D-K(d)OM (Direct Kernel Object Manipulation)

Talk given by Otavio Silva at the 4th edition of the Nullbyte Security Conference on 18 November 2017.

  1. Windows's Kindnesses - Commoner to D-K(d)OM. Otávio Augusto A. Silva at NullByte 4a. Ed., 18 Nov. 2017. Otávio Augusto A. Silva (LASCA-Unicamp), Commoner to D-K(d)OM, 18 Nov. 2017, slide 1 / 46.
  2. Agenda: 1 Introduction (Context, Overview); 2 Attacks; 3 Old 0day; 4 D.D 0day hunt; 5 Got tool?
  3. Section 1: Introduction (Context, Overview).
  4. Introduction. What is Windows 10?
     - It's a Windows... which means retro-compatibility.
     - New approach in a hybrid kernel.
     - Sanitized "sandboxes" for system processes and "critical user processes".
     - Enforced security behaviour that was optional until Windows 8.1.
     - More obscure and bizarre (Nt/Sys) internals.
     - TPM 1-2 (Trusted Platform Mode), Device Guard etc.
     - Forced updates.
     A lot of new features were added to ensure that the user will not screw (less) with the system.
  5. Introduction. What is this about?
     - Windows 0days are worth A LOT of money.
     - What happens if I tell you that Windows 10 will have 0days 4ever (if its conceptual design remains unchanged)?
     - Its hybrid kernel approach is susceptible to some weaknesses not present in other kernels (Linux, Mac, *BSD etc.).
     - MS usually names these weaknesses FEATURES, not bugs, as most of them demand some level of elevation, privileges or a "patched mechanism".
     - This isn't about a single approach, bug or exploit. This is about features inherent in Windows, which can take you to cool places (spoiler: kernel :)).
  6. (image-only slide)
  7. Overview: Retro-compatibility.
     - Windows carries OS/2 compatibility until today!
     - Windows devs are afraid of breaking things: everything must continue to run. Even device drivers from 2005 using the WinNT 3.1 interface MUST run inside Windows 10...
     - It even introduced compatibility profiles for applications: run an application, among other changes, using a target Win/NtApi! (WinAPI is documented and open for direct calls; NtApi is what WinAPI "uses" internally.)
  8. Overview: Virtualization Based Security (VBS).
     - "VBS uses software and hardware enforced mechanisms to create an isolated, hypervisor-restricted, specialized subsystem for storing, securing, transferring, and operating other sensitive subsystems and data." Blah?
     - Uses Model Specific Registers (MSRs) to, among other things, enable the Secure Virtual Machine Enable (SVME) bits.
     - Relies on: CPU virtualization extensions (Intel VT or AMD-V); Input-Output Memory Management Units (such as VT-d or AMD-IOV); Second Level Address Translation.
     - Seems to be a pretty good approach, right?
  9. (image-only slide)
  10. Overview.
     - These new secure features were added mostly to Windows Store apps and "critical services". By critical read csrss and some svchost (Service Host) instances.
     - Not all (enforced) changes were avoidable, e.g. Windows Protected Process Light :).
     - Protected Process Light (PPL) is by all means an anti-malware enhancement added in Windows 8.1 to protect system processes and "special" services (likely A/V and DRM).
  11. Overview: Protected Process Light (PPL). What is PPL?
     - A kernel "flag" in the EPROCESS struct (W10 build >= 15063 added an in-kernel code sign check).
     - Protection that denies user handles to it; system permission isolation (can't touch it).
     - Applies code integrity: only loads/runs signed code after launching; PE32/+ to process.
     - A device driver must flag a process (service) as PPL; it also claims the level of code signing (3rd party/MS).
     - No code injection, DLL hijacking etc., right? Let's make a tour into Win10's process hierarchy and "isolation".
  12. to 19. (image-only slides)
  20. Overview.
     - Almost all MS services-to-end-user have handles with permissions to all user processes. Some of them have handles to other processes/services outside the user ring/token; code injection, here I am....
     - MS complains: blah, one needs elevation to achieve that, not a security issue.
     - I'm pretty sure it's a security issue, but Admin access on Windows 10 must be hard to get, right? ... right?
  21. https://github.com/hfiref0x/UACME
  22. Overview.
     - MS fixes almost all public methods, just because they became public. But the main issue remains: bad privilege maintenance!
     - One doesn't need to depend on MS; some A/V sandboxes "ELEVATE" you: the sandbox has an elevated token (exec from a service) and doesn't drop it before running a sample.
     - Most attacks rely on user naivety! The end user will click on a UAC elevation prompt...
  23. Overview.
     - Make an assurance: Windows UAC can be bypassed. So what CAN'T an Admin do?
     - All the security mechanisms listed before are just there to restrain the Admin. Why? Rootkits.
     - MS reinforces its kernel isolation and control so hard that A/V can't hook ANY kernel mechanism anymore. KPP scene...
     - Kernel Patch Protection, a.k.a. PatchGuard, added in x64 editions of Windows (XP), enforces restrictions on what structures device drivers cannot modify.
  24. Overview.
     - It works by periodically checking that protected system structures in the kernel have not been modified. Drivers must avoid modifying/using: system service tables; the interrupt descriptor table; the global descriptor table; kernel stacks not allocated by the kernel; code within the kernel, HAL or NDIS kernel libraries.
     - Thus it doesn't offer any protection against one device driver patching another.
     - It relies on security by obscurity and misleading symbols, using a mutating algorithm to deploy into memory (outside kernel physical memory).
  25. Section 2: Attacks.
  26. Attacks: Ender game.
     - Even with Admin access, a user can't mess with the kernel. Unless he has a W10 kernel 0day, which costs A LOT.
     - Suppose one wants pretty hard to manipulate a protected process (PPL; see https://github.com/Mattiwatti/PPLKiller), e.g. A/V, A/C, DRM. He has to build a kernel module and buy a certificate from MS. Windows 10 has Signed Driver Enforcement...
     - A/V, A/C and DRM software usually check loaded drivers against a remote chain of trust (they also check debug boot and some old versions of vulnerable d.d). No local certificate addition.
  27. Attacks: Ender game? Or suppose someone wants to read physical memory from user level... Must be crazy, right? ;)
  28. Attacks: Starting the game :)
     - Direct Kernel Object Manipulation (DKOM): a.k.a. touch the kernel through user level by hitting some trusted entity, e.g. a device driver.
     - DKOM isn't the only way to manipulate a protected process; handle stealing is easier and faster (one doesn't need to R.E. a device driver...). But DKOM always works, and through the kernel is cool :)
     - It relies on the manipulation of some kind of d.driver interface with the kernel, usually through I/O control (known as IOCTL). Manipulation via a flaw in the d.driver, or via (wrong) permission management of the device/end-point at user level.
  29. Attacks.
     - Windows drivers have an important interface with user level: I/O Request Packets (IRPs). IRPs are sent to a driver when a particular operation occurs on the driver's device object, e.g. "\Device\Priv8Device".
     - The end interfaces to which IRPs are sent: Major Functions such as open/close, read/write, and I/O control (IOCTL).
     - This interface is created at DriverEntry with IoCreateDevice and then linked (user-kernel services) with IoCreateSymbolicLink. The rest is a list of pointers to (Major Func.) handlers that execute inside the kernel; a kernel interface visible at user level?
  30. What Could Possibly Go Wrong??
  31. Attacks.
     - This is possible because one d.d used the wrong ACL for the end-point device, meaning an unprivileged user can access it; privilege escalation at least....
     - Or the d.driver has a flaw that can be exploited to operate on kernel pages, or even physical memory.
     - DKOM usually demands that the exploit implements some kernel function to operate on the kernel object through d.d functions. Example: a d.d has a function that allows one to read the cr3 register, giving access to the page directory and so to memory pages, to be iterated through d.d functions ;)
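As an added example (not from the talk), a PowerShell decoder for the 32-bit IOCTL control codes that slides 29 and 31 describe, annotated with the combinations a driver reviewer looks at first: the CTL_CODE field layout is the one from the Windows driver headers, while the two sample codes and the review notes are constructed here and belong to no real driver.

```powershell
# Added example (not from the talk): decode IOCTL control codes and flag the
# combinations a reviewer should examine first in a driver's dispatch routine.
# CTL_CODE layout: DeviceType[31:16] | RequiredAccess[15:14] | Function[13:2] | Method[1:0]
$MethodNames = @{ 0 = 'METHOD_BUFFERED'; 1 = 'METHOD_IN_DIRECT'; 2 = 'METHOD_OUT_DIRECT'; 3 = 'METHOD_NEITHER' }
$AccessNames = @{ 0 = 'FILE_ANY_ACCESS'; 1 = 'FILE_READ_ACCESS'; 2 = 'FILE_WRITE_ACCESS'; 3 = 'FILE_READ_ACCESS|FILE_WRITE_ACCESS' }

function ConvertFrom-IoctlCode {
    param([Parameter(Mandatory)][uint32]$Code)
    $method   = [int]($Code -band 0x3)
    $function = [int](($Code -shr 2) -band 0xFFF)
    $access   = [int](($Code -shr 14) -band 0x3)
    $devType  = [int](($Code -shr 16) -band 0xFFFF)
    $notes = @()
    # METHOD_NEITHER hands the driver raw user-mode pointers: the I/O manager does no
    # buffering or validation, so the handler itself must probe and copy every buffer.
    if ($method -eq 3) { $notes += 'raw user pointers (METHOD_NEITHER): check ProbeForRead/ProbeForWrite' }
    # FILE_ANY_ACCESS lets any handle to the device issue this code, so the device
    # object's ACL becomes the only access check (the bad-ACL case above).
    if ($access -eq 0) { $notes += 'FILE_ANY_ACCESS: device ACL is the only gate' }
    # Vendor-defined device types start at 0x8000; these are the "proprietary API" drivers.
    if ($devType -ge 0x8000) { $notes += 'vendor-defined device type' }
    [pscustomobject]@{
        Code       = ('0x{0:X8}' -f $Code)
        DeviceType = ('0x{0:X4}' -f $devType)
        Function   = ('0x{0:X3}' -f $function)
        Method     = $MethodNames[$method]
        Access     = $AccessNames[$access]
        Notes      = ($notes -join '; ')
    }
}

# Constructed sample codes (not taken from any real driver): a worst-case code
# (vendor type 0x8000, METHOD_NEITHER, FILE_ANY_ACCESS) and a conservative one.
$SampleCodes = @('80002003', '0022E004')
$SampleCodes | ForEach-Object { ConvertFrom-IoctlCode ([Convert]::ToUInt32($_, 16)) } | Format-List
```

Codes are passed as hex strings through [Convert]::ToUInt32 because a bare literal such as 0x80002003 is parsed by Windows PowerShell as a negative Int32.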
  32. Attacks. We have a lot of famous examples:
     - Capcom.sys: has an IOCTL that disables SMEP (Supervisor Mode Execution Protection; if set, execution of code from a higher ring generates a fault; KPPable), calls a provided function pointer (shell code?!), and sets SMEP back.
     - ASMMAP.sys: IOCTLs that map or unmap to the calling process' address space ANY PART OF PHYSICAL MEMORY, with READ/WRITE permissions.
     - WinNT/Turla VBoxDrv.sys: a set of IOCTLs and a "magic word" for the VBox d.d API that allow reading kernel symbol tables and writing to specific regions (DSE, Driver Signature Enforcement).
  33. Attacks.
     - Asus has other widely used d.d flaws (ASMMAP/ASMMAP64); MSI, Dell, Alienware, Nvidia, AMD, Nvidia....
     - Hold your breath. NVIDIA GPU Display Driver: CVE-2017-0308, CVE-2017-0309, CVE-2017-0311, CVE-2017-0312, CVE-2017-0313, CVE-2017-0314, CVE-2017-0315, CVE-2017-0321, CVE-2017-0322, CVE-2017-0323, CVE-2017-0324, CVE-2017-0310, CVE-2017-0318, CVE-2017-0319, CVE-2017-0320, CVE-2017-0317.
     - Basically, if a company made a d.d to control its product using a "proprietary API", you probably got a new d.d IOCTL approach; bad practice is pretty common.
  34. Section 3: Old 0day.
  35. Old 0day.
     - All the d.d flaws listed here were exploited and widely spread. But they continue to work! One can right now download a vulnerable Nvidia d.d, even without an Nvidia GPU, and exploit it to manipulate the kernel; an old 0day still usable.
     - Asus's ASMMAP.sys (Memory mapping Driver) d.d flaw uses code from WINDOWS 95 to bypass the physical-mapping-to-user protection added in 2004 into Windows XP!
     - How?? MS automatically signs OEM d.d; no code review!! OEMs use the same certificate for multiple d.d; no vulnerable d.d will have its certificate revoked!
  36. Old 0day.
     - One doesn't need to build a rootkit and then buy a Windows driver certificate, when OEMs already deliver it!
     - Kernelmode (http://www.kernelmode.info) is an old forum for APT (+1 unicorn died) reverse engineering and (mostly) Windows kernel hacking; it has a bunch of OEM d.d old-0days right now.
     - Tools for monitoring Windows internals and API use d.d with the power to probe the Windows kernel! Process Hacker 2 has a script language to use its d.d; one doesn't need to R.E. a d.d to get into the kernel ;)
  37. Old 0day: Mitigations.
     - It's not always a double rainbow: some A/Vs block old d.d which aren't used anymore; only CPUID and Process Hacker were blocked when testing Avast, Avira and AVG :)
     - A/C and DRM were more aggressive; they don't care if you're using an old d.d: if their d.d loads and detects a blacklisted d.d loaded, it unloads itself and alarms the user service.
     - Some A/C (BattlEye, Lord of Bans) use a highly sophisticated approach: ObRegisterCallbacks of the Windows kernel API, to check for rogue d.d.
     - What about hunting your own d.d IOCTL 0day? Might work :)
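An added PowerShell example for the mitigation side of slides 35 to 37 (not the author's tooling): inventory the kernel drivers currently loaded, record signer and SHA-256, and queue for review anything on a watchlist or with a signature that does not verify. The watchlist here is constructed from driver names the talk mentions; a real deployment would match vetted hashes, since, as the talk stresses, the vulnerable OEM drivers are validly signed.

```powershell
# Added example (not from the talk): inventory loaded kernel drivers and flag
# watchlisted names and unverifiable signatures for review.
# Signature status alone is not a verdict: the OEM drivers discussed above are
# validly signed, so the watchlist (by hash in a real deployment) carries the judgement.
# Watchlist entries are constructed from names in the talk; not a vetted block list.
$Watchlist = @('capcom.sys', 'asmmap.sys', 'asmmap64.sys')

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several spellings; normalise to a Win32 path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                        # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"         # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-LoadedDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $exists = $path -and (Test-Path -LiteralPath $path)
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        $file   = if ($path) { [IO.Path]::GetFileName($path).ToLowerInvariant() } else { '' }
        [pscustomobject]@{
            Name        = $_.Name
            Path        = $path
            # Catalog-signed inbox drivers report 'Valid' only on Windows PowerShell 5.1+;
            # older hosts show 'NotSigned' for them, so treat that as "review", not "malicious".
            SigStatus   = if ($sig) { [string]$sig.Status } else { 'Unknown' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256      = $hash
            OnWatchlist = ($Watchlist -contains $file)
        }
    }
}

# Review queue: watchlisted names first, then anything whose signature does not verify.
Get-LoadedDriverReport |
    Where-Object { $_.OnWatchlist -or $_.SigStatus -ne 'Valid' } |
    Sort-Object OnWatchlist -Descending |
    Format-Table Name, SigStatus, OnWatchlist, Path -AutoSize
```

Run from an elevated prompt so every driver image is readable for hashing; the Sha256 column is what you would feed to a vetted block list.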
  38. Section 4: D.D 0day hunt.
  39. D.D 0day hunt.
     - Be advised, it's simply an R.E. task. A bunch of senseless code, assembly and a lot of pain.
     - Any debugger which can read Windows Driver Dev. Kit symbols can be used; I recommend IDA Pro or x64dbg :).
     - We are interested only in d.d which create an I/O device, so this cuts some fat from the analysis; hunt first of all for IoCreateDevice.
     - There is no need to escalate permissions, so I/O devices with wrong/inefficient permissions will not be a thing. WinObj can be used to locate devices created with bad ACLs; a.k.a. the privilege escalation approach.
  40. Leak? Go to the conf next time ;)
  41. D.D 0day hunt: So what?
     - Suppose one can access the displayed device; admin already. Provide enough data to follow the right flow. The d.d will move kernel memory (virtual) to another k.memory; likely a memcpy.
     - Attack scenario: virtual memory write :), although one will have to know the destination kernel address; chained attack here...
     - It isn't impossible to locate some bugs! Windows is your friend; best malware kit ever built!
     - Bad news: unless one wants to sell d.d IOCTL exploits on the malware market, there is no reward! Almost all flaws don't have a CVE!! Lack of interest when it's API misuse.
  42. Section 5: Got tool?
  43. Got tool?
     - There is a tool, the Kindly Injector (https://github.com/otavioarj/KiInjector), that I made to inject code into Windows processes ;).
     - KiInjector was made to avoid some detections applied by both A/C and A/V; even behaviour matching was tested o/.
     - Although I didn't finish the d.d exploit to push it up, eventually I will; spoiler: phys. mem into user space came with a BSoD :).
     - But it's pretty usable for handle hijacking; I pushed a sample DLL (https://github.com/otavioarj/HandleN) to be used with it!
  44. (image-only slide)
  45. Got tool? Usable scenario.
     - Inject HandIn into some cool process with nasty handles (PcaSvc, the Program Compatibility Assistant Service?).
     - Connect to HandIn's pipe (kilpipe) and write: target-process-name dll-to-be-internal-injected. There you go, remotely injected a DLL through handle hijacking ;)
     - One can also inject into some svchost instances; pro-tip: use Process Hacker 2 to watch process behaviour.
     - Can I ask you to not use my tools in your malware? <3
  46. Questions?
