This document discusses bypassing security protections provided by the grsecurity and PaX patchsets on Linux kernels. It begins with an introduction and agenda, then provides background on Linux kernel security issues over the past decade. The presentation notes that an arbitrary kernel write is a common exploitation primitive, but that this is insufficient to escalate privileges when protections like grsecurity/PaX are in place. It then introduces the concept of "stackjacking", where an attacker leverages kernel stack memory disclosures, which are common low severity vulnerabilities, along with an arbitrary kernel write to bypass grsecurity/PaX protections without needing to introduce new code or modify control flow.
This document discusses bypassing Linux kernel protections added by the grsecurity and PaX patchsets. It begins with background on Linux kernel security issues over the past decade. It then explains how grsecurity and PaX attempt to harden the kernel by preventing code introduction and arbitrary control flow changes. The main technique discussed for bypassing these protections is "stackjacking", which involves leveraging kernel stack disclosure vulnerabilities along with an arbitrary kernel write primitive. Through a process called "kstack self-discovery", an attacker can use stack disclosures to determine the base address of the kernel stack, which then enables targeting the arbitrary write.
RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboration" of the developers ;)
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit (Hackito Ergo Sum)
This document discusses remotely using the Spanish National Electronic ID (DNIe) and potential attacks. It provides an introduction to the DNIe and describes a "Man in the Remote" (MiR) attack where an attacker is able to remotely access and use the functionalities of a DNIe card plugged into a different computer. It demonstrates how the attacker could achieve remote authentication and signing. It also discusses some potential solutions to prevent MiR attacks based on analyzing response times.
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk (Hackito Ergo Sum)
This document summarizes a lightning talk presentation about binary instrumentation using Intel's Pin tool. It introduces Pin as a dynamic binary instrumentation tool that can insert code into programs at runtime. It then discusses several applications of Pin like performance profiling, security tools for sandboxing and reversing, and academic uses. The document provides examples of using Pin APIs and also lists some alternative dynamic instrumentation engines. It encourages the audience to start using Pin and sharing tools they create with the community.
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux (Hackito Ergo Sum)
This document discusses potential vulnerabilities related to autorun functionality and removable storage devices like USB drives on Linux systems. It notes that while Linux desktop environments don't automatically run scripts from removable devices, vulnerabilities could still exist in drivers and applications that handle connecting and accessing such devices. Specific vulnerabilities are identified in USB drivers, file system drivers, thumbnail generation applications, and external thumbnailer programs. Exploiting these could allow gaining root access or defeating full disk encryption from physical access to a system.
Vold is the volume daemon in Android that manages storage volumes such as external SD cards. It communicates with the Linux kernel via Netlink sockets to receive storage events and with the MountService via a local socket. When a new storage device is inserted, Vold receives the kernel event, mounts the volume if it is FAT-formatted and its configuration file permits, and notifies MountService to make the volume available to the user.
HES2011 - Raoul Chiesa - Hackers Cybercriminals from Wargames to the Undergr... (Hackito Ergo Sum)
This document provides a summary of a presentation by Raoul Chiesa on cybercrime trends from the past to present. It discusses how hacking has evolved from curiosity-driven activities by bored teens to profit-motivated crimes by adults. Reasons for the rise of cybercrime include the increasing number of internet users and victims, economic incentives, availability of hacking tools, recruitment of inexperienced people, and lack of consequences. The presentation also notes how media portrayal has changed perceptions of who hackers are.
This document discusses how TCP flag combinations can be used to fingerprint operating systems with a single packet, generate amplified traffic attacks, and potentially coerce targets into scanning third parties. The author, Barry Irwin, describes fuzzing various systems by sending packets with different TCP flag combinations. He found that some combinations elicited distinctive responses that could identify the remote operating system, such as Linux, FreeBSD, or Windows. These techniques could potentially be used for covert operations, reflective scanning of one's own network, or generating noise to obscure other traffic.
Marek discusses how his company Faelix uses MikroTik hardware and RouterOS at their network edges to route over 600k IPv4 and 30k IPv6 routes. While there were some initial issues, MikroTik has proven reliable and cost-effective. Marek then explains how Faelix implements firewalling with zero filter rules through a multi-step process. They use fail2ban to block brute force attacks, AMQP to share block lists across routers, and destination NAT to redirect misbehaving traffic. Most importantly, they leverage the "/ip route rule" feature to route blocked traffic to a separate routing table for easy isolation without complex firewall rules.
Keeping your rack cool with one "/IP route rule" (Faelix Ltd)
This document discusses how Faelix, an ISP, uses MikroTik hardware and RouterOS at their provider edge to route over 600k IPv4 routes and 30k IPv6 routes. They initially migrated from Quagga and BIRD on Linux servers to MikroTik due to its energy efficiency and affordable hardware. While there were some bugs experienced, MikroTik has proven reliable overall. The document then explains how Faelix is able to firewall traffic with zero filter rules using a single "/ip route rule" to mark and route traffic to a separate routing table based on address lists from fail2ban and AMQP. This allows blocking of attacking traffic at the provider edge across multiple data centers in a
Why software protection matters to everyone, including IT professionals. Design principles for making more robust DRM. Attacker tools. Provides a framework in two variables (L and T) for evaluating the longer term success of a DRM system. Gives an update on the latest DRM cracks. Talk given at RSA Conference in the spring of 2008.
Security isn’t deploying some overbearing big-brother hardware or software solution; it’s not running scanning software which tells you you’re safe, because in reality, in these types of setups, you’re not.
Security is akin to high availability: you deploy multiple redundancies to ensure you can still operate. The same can and should be applied to security: identify the potential areas of attack, reduce this attack surface, and deploy multiple redundancies to secure your deployments.
Filip Palian, Mateusz Kocielski - Simplest Ownage Human Observed… Routers (Yury Chemerkin)
This document discusses identifying and exploiting vulnerabilities in consumer routers. It provides examples of analyzing firmware from various router models, including the D-Link DIR-120 and DIR-300, to gain unauthorized access. Methods discussed include reverse engineering firmware, exploiting services like telnet that are exposed without authentication, and modifying the read-only filesystem. The document also talks about using these compromised routers as bots for botnets performing activities like DDoS attacks, cryptocurrency mining, and spam/phishing campaigns. It provides examples of real botnets like Psyb0t that have exploited routers.
If one bug has been found, there are others. One way to identify "inherited"... (Positive Hack Days)
Speaker: Asuka Nakajima
Reusing source code reduces the cost of software development. However, if the original source code harbours a vulnerability, it is carried over into the new application as well. The speaker will describe an unusual method for detecting "inherited" vulnerabilities in binaries without needing access to the source code or symbol files.
Web application security and why you should review yours is a whole-stack look, a skydive without a parachute; let's try not to die as we explore what an attack surface is, acronym hell, vulnerability naming, detection or prevention (is there a place for both or neither?), emerging OSS technologies which can help you, a firehose review of compromises from 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or, as often happens, the backup video.
Practical Forensics - Tools & Techniques by Sachin Deodhar (Priyanka Aash)
This lecture introduces security professionals to forensics and covers forensic basics, Locard's principle, PGP, public key cryptography, symmetric key cryptography, etc.
This document provides troubleshooting guidance for issues with Ceph. It begins by suggesting identifying the problem domain as either performance, hang, crash, or unexpected behavior. For each problem, it recommends tools and techniques for further investigation such as debugging logs, profiling tools, and source code analysis. Debugging steps include establishing baselines, identifying implicated hosts or subsystems, increasing log verbosity, and tracing transactions through logs. The document emphasizes starting at the user end and working back towards Ceph to isolate issues.
Docker … Podman are two close but different tools. What are their differences, what are their commonalities? In this presentation, we propose to present the two tools in order to highlight their differences in design and their specificities, their similarities.
The objective is to allow you to know these tools, from their common roots (Cgroup, namespace,...) to their divergence (socket). From ease of use (Socket) to the hassle (proxy), we will address the strengths and weaknesses of each through our uses of them (build, test,...). We will of course mention our friends the CVEs to feed your thoughts on their security.
Ceph is an open-source distributed storage system that provides object, block, and file storage. The document discusses Ceph's main components including MONITOR, METADATA SERVER, OSD, and RADOS GATEWAY. It also covers how data is stored using OSDs, pools, and placement groups, and how to architect Ceph for OpenStack. The document provides examples of writing data to Ceph volumes and tracing the data placement across OSDs.
Tips And Tricks For Bioinformatics Software Engineering (jtdudley)
This document provides tips and tricks for software engineering in bioinformatics. It discusses using object-oriented software design principles like encapsulation and inheritance. It also covers best practices like automating documentation, performance optimization, working with data using databases and file formats, parallel and distributed computing, hardware acceleration, and web services.
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6... (Felipe Prado)
This document discusses a DNS cache poisoning attack that exploits IP fragmentation. It begins with background on DNS and DNSSEC. It then explains how predictable IPIDs in DNS responses can be inferred, allowing an off-path attacker to poison caches with few attempts. The attack works across IPv4 and IPv6 by targeting predictable timing of DNS requests. Mitigations are discussed but the attack remains effective against current recommendations.
Software geeks fear hardware. It's a fact of life: code is easy to write and easy to change, but hardware catches on fire if you put it together wrong. But this is changing! Hardware is becoming cheaper and easier to work with every day and can often be managed with the same tools you use to deploy code to the cloud. Join self-described software guy and hardware-phobe Ronald McCollam for a guided trip from the safe world of web development to the scary lands of hardware and back again. We'll see how easy it can be to make the leap from managed code to microprocessors!
This document provides an introduction to using Perl's pack and unpack functions to manipulate binary data. It uses the ID3v2 metadata header format as an example, demonstrating how to parse the header fields using various format specifiers and handle issues like endianness. Key points covered include parsing hexadecimal, ASCII, integer fields of different sizes, and bit strings, as well as replacing bytes using substr. The goal is to make Perl a capable tool for manipulating binary data.
This document outlines 35 different tips and tricks for using Travis-CI, a continuous integration service. It covers topics like playing games within Travis builds, debugging issues, environment configuration, testing strategies, and tools for interacting with the Travis community. The document is presented as a numbered list by Murahashi "Sanemat" Kenichi and is intended to share hidden or underutilized features of Travis-CI.
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)... (SBA Research)
Abstract
*********
SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …).
What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain?
About the Speaker:
*********************
Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.
Choosing the right software architecture for your project is very important. Besides the framework decision, there are many other key issues you need to take into account which have an impact on things like maintainability, scalability, and also the frequency of possible deployments. In this session you will learn how to avoid the common pitfalls and traps during your project.
HES2011 - Sebastien Tricaud - Capture me if you can (Hackito Ergo Sum)
The document discusses techniques for capturing network traffic and system logs to detect security incidents in large networks. It describes how to capture traffic using libpcap, nfqueue, and DAQ. It also discusses challenges like fragmentation and the need to decode protocols. For logs, it highlights weaknesses like signature-based detection and the importance of normalized, unconfigurable logs. It introduces CUDA and NetGPU for GPU-accelerated traffic processing and visualization tools like SecViz and Circos for analyzing large datasets. The conclusion emphasizes that visualization can help solve the problem of events getting lost in noise and overcome technical limitations of current detection approaches.
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme (Hackito Ergo Sum)
This document is a presentation about a crackme called Hackito Ergo Sum. It discusses the various techniques used to protect the crackme, including a verification algorithm using RC4 encryption, instruction mutation, control flow graph obfuscation, encryption layers, direct native API calls, anti-debugging methods, and ways attackers could potentially break it such as bruteforcing the encryption key or reversing the encryption algorithm. The presentation concludes by thanking the audience and opening the floor for questions.
Similar to HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
This document summarizes an approach to auditing the Adobe Shockwave file format and verifying vulnerabilities. It describes how the authors:
1) Encountered difficulties reversing the Shockwave memory manager using traditional debugging tools.
2) Developed a technique using dynamic binary instrumentation to hook the Shockwave file read function and search read buffers for fuzzed file data.
3) Further refined their approach by directly hooking the file read function in MSVCR71.dll, allowing the technique to be reused for other projects.
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHackito Ergo Sum
The document describes how DWARF bytecode, included in GCC-compiled binaries to support exception handling, can be exploited to insert trojan payloads. DWARF bytecode interpreters are included in the standard C++ runtime and are Turing-complete, allowing the bytecode to perform arbitrary computations by influencing program flow. A demonstration shows how DWARF bytecode can be used to hijack exceptions and execute malicious payloads without requiring native code.
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHackito Ergo Sum
This document provides an overview of Ruby on Rails (RoR) from a code auditor's perspective. It discusses the MVC architecture that RoR uses and describes where the different components (model, view, controller) are typically located in a RoR application. It also discusses common things to look for when reviewing RoR code like user input validation, filters, migrations and more. Specific examples of issues found in Redmine and another open source project are also provided like a persistent XSS issue and information leak.
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHackito Ergo Sum
The document discusses Adobe Reader's use of sandboxing to improve security. It provides background on past vulnerabilities in Adobe Reader and discusses the architecture of the Adobe Reader X sandbox. The sandbox isolates rendering code in a lower privileged process and uses a higher privileged broker process to validate and fulfill requests for system resources according to internal policy. The document outlines how to analyze the sandbox's security mechanisms, such as by determining the rights of processes, auditing the IPC mechanisms, and fuzzing the resource request validation.
HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7Hackito Ergo Sum
This document discusses kernel pool exploitation on Windows 7. It begins with an introduction and overview of the kernel pool and its internals such as pool descriptors, free lists, and lookaside lists. It then covers attacks on the kernel pool and ways to harden it against exploitation, such as by modifying pool structures.
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...Hackito Ergo Sum
The document discusses new and evolving ways that criminals steal money through digital means. It outlines how criminal operations have become more sophisticated and business-like, moving from individual hackers to organized underground companies. It describes various technical methods that are used, such as phishing, pharming, malware injections, and man-in-the-browser attacks to steal login credentials and hijack financial transactions. It also discusses how criminal groups set up complex international operations using mules, drop points, and covert channels to launder and cash out the stolen money without being detected. The document warns that security measures are catching up, but that criminals will continue adapting their methods, such as through screen scraping or new types of online games involving money.
The document discusses how software can be used to damage hardware through various techniques like overclocking, overvolting, overheating, and firmware flashing. It provides examples of how components like CPUs, RAM, graphics cards, hard drives, and BIOS can be permanently damaged by exploiting their software interfaces. The goal could be industrial espionage, terrorism, or other malicious motives like destroying a commercial rival's operations through an act of industrial cyber warfare.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking
1.
2. Introduction
● Jon Oberheide
● Dan Rosenberg
Stackjacking Your Way to grsecurity/PaX Bypass – Jon Oberheide / Dan Rosenberg Slide #2
3. Introduction
In reference to the HES CFP:
“I get excited every time I see a conference add requirements to their talk selection along the lines of 'exploitation presentations must be against grsecurity/PaX' -- but then there never ends up being any presentations of this kind.”
– spender pratt
4. Agenda
● A review of Linux kernel security
● Exploitation vs. grsecurity/PaX
● Bypassing grsecurity/PaX
5. A decade of kernel security
6. A decade of kernel security
7. Upstream attitude
● Security is hard when upstream ignores the problems
● Linux still hasn't had its “security awakening”
8. How about last year?
● 142 CVEs assigned
● 30% worse than the previous worst year (2009)
● Based on public CVE requests, issues tracked at Red Hat Bugzilla, and Eugene's tagged git tree
● Missing dozens of non-CVE vulnerabilities (i.e. the “Dan Carpenter factor”)
● 61 (43%) discovered by six people
● Kees (4), Brad (3), Tavis (7), Vasiliy (4), Dan (37), Nelson (6)
9. Kernel vulns in 2010
● 12 known exploits for local privilege escalation
● 13 remotely triggerable issues
● 33 potential privilege escalations
10. Breakdown by Target
[Pie chart: the 142 vulnerabilities by target, with categories Core, Distro, Exotic and Red Hat and counts 2, 31, 76 and 33; which count belongs to which category is not recoverable from the extracted text]
11. Breakdown by Impact
[Pie chart: the vulnerabilities by impact, with categories Bypass, DOS, Info, Priv Esc?, Priv Esc and Nothing and counts 13, 1, 26, 7, 65 and 30; which count belongs to which category is not recoverable from the extracted text]
12. Interesting exploits of 2010
● full-nelson.c
● Combined three vulns to get a NULL write
● half-nelson.c
● First Linux kernel stack overflow (not buffer overflow) exploit
● linux-rds-exploit.c
● Arbitrary write in RDS packet family
● i-CAN-haz-MODHARDEN.c
● SLUB overflow in CAN packet family
● american-sign-language.c
● Exploit payload written in ACPI's ASL/AML
13. Agenda
● A review of Linux kernel security
● Exploitation vs. grsecurity/PaX
● Bypassing grsecurity/PaX
14. Traditional Linux exploitation
● Perhaps the most general exploitation primitive is an arbitrary kernel write
● Sometimes occurs naturally, other times can be constructed (e.g. overwriting pointers in an overflow to trigger a write)
15. Linux exploitation examples
● Writes to known addresses (IDT)
● Function pointer overwrites
● Redirecting control flow to userspace
● Influencing privesc-related kernel data (e.g. credentials structures)
● Relying on kallsyms and other info
16. Overview of grsecurity/PaX
● grsecurity/PaX
● Third-party patchset to harden Linux userspace/kernel security
● Attempts to prevent
● Introduction/execution of arbitrary code
● Execution of existing code out of original order
● Execution of existing code in original order with arbitrary data
17. grsecurity/PaX hardening
● Kernel hardening features:
● KERNEXEC
● Prevent the introduction of new executable code
● UDEREF
● Prevent invalid userspace pointer dereferences
● HIDESYM
● Hide info that may be useful to an attacker (kallsyms, slabinfo, kernel address leaks, etc)
● MODHARDEN
● Prevent auto-loading of crappy unused packet families (CAN, RDS, econet, etc)
18. Agenda
● A review of Linux kernel security
● Exploitation vs. grsecurity/PaX
● Bypassing grsecurity/PaX
19. The main event
● A technique we call stackjacking
● Enables the bypass of common grsecurity/PaX configurations with common exploit primitives
● Independently discovered, collaboratively exploited, with slightly different techniques
20. Plan of attack!
[Roadmap diagram “STACKJACKING” leading to ROOT: a first stage OVERVIEW whose contents are still ???, followed by three further stages, all marked ???]
21. Target kernel assumptions
● Hardened kernel with grsec/PaX
● Config level GRKERNSEC_HIGH
● KERNEXEC
● UDEREF
● HIDESYM
● MODHARDEN
● Etc...
22. Stronger target assumptions
● Let's make some extra assumptions
● We like a challenge, and these are assumptions that may possibly be obtainable now or in the future
● Stronger target assumptions
● Zero knowledge of kernel address space
● Fully randomized kernel text/data
● Cannot introduce new code into kernel address space
● Cannot modify kernel control flow (e.g. data-only)
23. Attacker assumption #1
● Assumption: arbitrary kmem write
● A common kernel exploitation primitive
● Examples: RDS, MCAST_MSFILTER
● Other vulns can be turned into writes, e.g. overflowing into a pointer that's written to
● Wut?
● “You mean I can't escalate privs with an arbitrary kernel memory write normally?” NOPE.
24. Arbitrary write into the abyss
[Address-space diagram: user space from 0x00000000 up to 0xc0000000 (TASK_SIZE), kernel space from there up to 0xffffffff, labelled DARKNESS!]
No clue where to write! Exploitation is infeasible.
25. What's the secret sauce?
ARBITRARY WRITE + ? = <3
26. The Great Sandwich?
ARBITRARY WRITE + [picture: msuiche?] = <3
27. Nah, he's taken
[picture] + [picture] = <3
28. Need to know something
● One way: arbitrary kmem disclosure
● procfs (2005)
● sctp (2008)
● move_pages (2009)
● pktcdvd (2010)
● Just dump entire address space!
● But these are rare!
● And in many instances, mitigated by grsec/PaX
29. Something more common?
● How about a more common vuln?
● Hints...
● Widely considered to be a useless vulnerability
● Commonly assigned a CVSS score of 1.9 (low)
● 25+ such vulnerabilities reported in 2010
● Often referred to as a Dan Rosenbug
● Can you guess it???
30. KSTACK MEM DISCLOSURE!
ARBITRARY WRITE + KSTACK LEAK = <3
31. How does kstack leak help?
32. A bit about Linux kernel stacks
● Each userspace thread is allocated a kernel stack
● Stores stack frames for kernel syscalls and other metadata
● Most commonly 8k, some distros use 4k
● THREAD_SIZE = 2*PAGE_SIZE = 2*4096 = 8192
[Diagram: the 4k/8k kstack grows down from high address to low address; the used stack sits at the top, unused space below it]
33. Kernel stack mem disclosures
● Kstack mem disclosures
● Leak of memory from the kernel stack to userspace
● Common cause
● Copying a struct on the kstack back to userspace with uninitialized fields
● Improper initialization/memset, forgetting member assignment, structure padding/holes
● A frequent occurrence, especially in compat
34. Kernel stack mem disclosures

    struct foo {
        uint32_t bar;
        uint32_t leak;
        uint32_t baz;
    };

    syscall() {
        struct foo foo;
        foo.bar = 1;
        foo.baz = 2;
        copy_to_user(foo);
    }

[Diagram: two successive kstack frames at the same location; the first holds sensitive data, the second holds foo.bar, foo.leak and foo.baz, with foo.leak overlapping the sensitive data]
1) process makes syscall and leaves sensitive data on kstack
2) kstack is reused on subsequent syscall and struct overlaps with sensitive data
3) foo struct is copied to userspace, leaking 4 bytes of kstack through uninitialized foo.leak member
35. Plan of attack!
[Roadmap diagram “STACKJACKING” leading to ROOT: OVERVIEW (Arbitrary write, Kstack disclosure), followed by three further stages still marked ???]
36. What's useful on the kstack?
● Leak data off kstack?
● Sensitive data left behind? Not really...
● Leak addresses off kstack?
● Sensitive addresses left behind? Maybe...
● Pointers to known structures could be exploited
● Too specific of an attack!
● Need something more general
● kstack disclosures differ widely in size/offsets
37. Kernel stack addresses
● How about leaking an address that:
● Is stored on the stack; and
● Points to an address on the stack
● These are pretty common
● E.g. pointers to local stack vars, saved ebp, etc
● But what does this gain us?
38. Kernel stack self-discovery
● If we can leak a pointer to the kstack off the kstack, we can calculate the base address of the kstack

    kstack_base = addr & ~(THREAD_SIZE – 1);
    kstack_base = 0xcdef1234 & ~(8192 – 1)
    kstack_base = 0xcdef0000

● We call this kstack self-discovery
[Diagram: kstack spanning 0xcdef0000 to 0xcdef2000; a kstack frame at 0xcdef1234 holds 0xdeadbeef and the value 0xcdef1234, a pointer back into the stack]
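A user-space simulation of the stack-reuse disclosure on slide 34 and the self-discovery mask on slide 38, added here as an example and not code from the original talk. The kstack array, KSTACK_BASE, the frame helpers, prime_syscall, leaky_syscall and fixed_syscall are constructed stand-ins for kernel code, and memcpy stands in for copy_to_user(); the hardened variant shows the memset fix that slide 33 calls out as missing.

```c
/* Added example, not from the original slides: a user-space simulation of the
 * stack-reuse disclosure on slide 34 and the self-discovery mask on slide 38.
 * The "kernel stack" is a byte array managed by hand so that reuse of the same
 * stack slot is deterministic. KSTACK_BASE, prime_syscall, leaky_syscall,
 * fixed_syscall and the frame helpers are constructed names; memcpy stands in
 * for copy_to_user(). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define THREAD_SIZE 8192u        /* 2 * PAGE_SIZE, as on slide 32 */
#define KSTACK_BASE 0xcdef0000u  /* constructed base address of the simulated kstack */

struct foo {
    uint32_t bar;
    uint32_t leak;   /* never initialised by the leaky syscall */
    uint32_t baz;
};

/* Simulated per-thread kernel stack (word-aligned storage) and its stack
 * pointer, which grows down from THREAD_SIZE toward 0. */
static uint32_t kstack_words[THREAD_SIZE / sizeof(uint32_t)];
static uint8_t *const kstack = (uint8_t *)kstack_words;
static size_t ksp = THREAD_SIZE;

/* Reserve a frame of `size` bytes; optionally report its simulated address. */
static void *frame_push(size_t size, uint32_t *addr)
{
    ksp -= size;
    if (addr)
        *addr = KSTACK_BASE + (uint32_t)ksp;
    return &kstack[ksp];
}

/* Return from the frame: the bytes stay behind, exactly as on a real stack. */
static void frame_pop(size_t size) { ksp += size; }

/* Step 1 (slide 34): an earlier syscall stores a saved frame pointer in its
 * frame, i.e. a pointer into the kstack itself (slide 37), and returns. */
static void prime_syscall(void)
{
    uint32_t frame_addr;
    uint32_t *frame = frame_push(sizeof(struct foo), &frame_addr);
    frame[0] = 0xdeadbeef;       /* some local variable */
    frame[1] = frame_addr + 8;   /* saved ebp: points back into the kstack */
    frame[2] = 0;
    frame_pop(sizeof(struct foo));
}

/* Steps 2 and 3: the next syscall lands struct foo on the same slot, sets only
 * bar and baz, and copies the whole struct to user memory. */
static void leaky_syscall(struct foo *user_out)
{
    struct foo *f = frame_push(sizeof(*f), NULL);
    f->bar = 1;
    f->baz = 2;
    memcpy(user_out, f, sizeof(*f));   /* copy_to_user(): foo.leak goes along */
    frame_pop(sizeof(*f));
}

/* Hardened variant: clear the whole object before filling it, which also
 * covers padding holes that member-by-member assignment never touches. */
static void fixed_syscall(struct foo *user_out)
{
    struct foo *f = frame_push(sizeof(*f), NULL);
    memset(f, 0, sizeof(*f));
    f->bar = 1;
    f->baz = 2;
    memcpy(user_out, f, sizeof(*f));
    frame_pop(sizeof(*f));
}

/* Slide 38: one leaked pointer into the kstack yields the stack base. */
uint32_t kstack_base_from_leak(uint32_t leaked_addr)
{
    return leaked_addr & ~(THREAD_SIZE - 1);
}

/* Prime the stack, run the leaky syscall, return what userspace sees in foo.leak:
 * the stale saved frame pointer, from which the kstack base follows. */
uint32_t run_leaky(void)
{
    struct foo out;
    prime_syscall();
    leaky_syscall(&out);
    return out.leak;
}

/* Same sequence with the hardened syscall: foo.leak comes back as zero. */
uint32_t run_fixed(void)
{
    struct foo out;
    prime_syscall();
    fixed_syscall(&out);
    return out.leak;
}
```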
39. Effective kstack discovery
● Not all kstack disclosures are alike
● May only leak a few bytes, non-consecutive
● How do we effectively self-discover?
● Manual analysis
● Figure out where kstack leak overlaps addresses
● Automatic analysis
● libkstack
40. Manual kstack self-discovery
● Manual, offline analysis
● 1. prime stack with random syscall
● 2. leak bytes, see if any leaks match real kstack
● 3. repeat until we've collected enough bytes
● 4. construct list of priming syscalls needed for the particular leak to spill the beans
41. Automatic with libkstack
● We can automate this process for runtime self-discovery with libkstack
● 1. prime stack with random syscall
● 2. leak bytes, infer whether bytes belong to a kstack addr
● 3. repeat until we have sufficient confidence to calculate the kstack base addr
42. Plan of attack!
[Roadmap diagram “STACKJACKING” leading to ROOT: OVERVIEW (Arbitrary write, Kstack disclosure); STACK SELF-DISCOVERY (Manual analysis, Auto with libkstack); the remaining stages still marked ???]
43. No longer complete darkness
A random pinpoint of light!
[Address-space diagram: user space from 0x00000000 up to 0xc0000000 (TASK_SIZE), kernel space from there up to 0xffffffff, with the kstack now marked as a single known point]
We can self-discover kstack address! Exploitation is...maybe feasible?
44. The next step
● We now have a tiny island
● Use arbitrary write to modify anything on kstack
● Where to write?
● Pointers, data, metadata on kstack
● What to write?
● No userspace addrs (UDEREF), limited kernel
● Game over? Not yet!
45. Metadata on kernel stack
Anything else of interest on the kstack???
[Diagram: the 4k/8k kstack grows down from start of stack (high address); the stack pointer marks the used portion, unused space lies below it, and thread_info (current_thread_info) sits at the low address]
thread_info struct stashed at base of kstack!
46. thread_info candidates

    struct thread_info {
        struct task_struct *task;
        struct exec_domain *exec_domain;
        __u32 flags;
        __u32 status;
        __u32 cpu;
        int preempt_count;
        mm_segment_t addr_limit;
        struct restart_block restart_block;
        void __user *sysenter_return;
    #ifdef CONFIG_X86_32
        unsigned long previous_esp;
        __u8 supervisor_stack;
    #endif
        int uaccess_err;
    };

● What can we modify within thread_info to escalate privs?
47. restart_block func ptr?
(same struct thread_info listing as on slide 46)
● restart_block?
● Has a func ptr we can overwrite and invoke via userspace!
● Can't point to userspace (UDEREF)
● Can't point to kmem (blackbox)
● Plus assuming no control flow mod
48. task_struct pointer?
(same struct thread_info listing as on slide 46)
● task_struct?
● Could point it at init_task_struct for getting creds/caps of the init task
● But we don't know the address of init_task_struct!
49. Attacking task_struct

    struct thread_info {
        struct task_struct *task;
        ...
    };

    struct task_struct {
        ...
        const struct cred *real_cred;
        const struct cred *cred;
        ...
    };

    struct cred {
        ...
        uid_t uid;
        gid_t gid;
        ...
    };

● task_struct->creds?
● Modify creds of our process directly to escalate privileges?
● But in order to write task_struct->creds, we need to know the address of task_struct!
● If we could read the address of task_struct off the end of the kstack, we might win!
50. Connecting the dots
Expanding our visibility
[Address-space diagram: user space from 0x00000000 up to 0xc0000000 (TASK_SIZE), kernel space from there up to 0xffffffff, now showing the kstack, task_struct and creds]
If we can read off the kstack, we can find task_struct/creds!
51. Attacking task_struct
● We have an arbitrary write on kstack
● Can we turn this into an arbitrary read?
● If we can get arbitrary read:
● Read base of kstack to find address of task_struct
● Read task_struct to find address of creds struct
● Write into creds struct to set uids/gids/caps
● Spawn a root shell!
52. Plan of attack!
[Roadmap diagram “STACKJACKING” leading to ROOT: OVERVIEW (Arbitrary write, Kstack disclosure); STACK SELF-DISCOVERY (Manual analysis, Auto with libkstack); a stage still marked ???; STACK JACKING (Read thread / task, Overwrite creds)]
53. The Rosengrope Technique
54. Vanilla kernel
● No segmentation, user/kernel separation enforced by paging
● copy_*_user functions check user pointers against addr_limit (per-thread variable in thread_info struct)
● On vanilla, setting addr_limit to KERNEL_DS (ULONG_MAX) gives arbitrary read/write (all checks pass)
55. set_fs()
● Sometimes kernel wants to reuse code with kernel pointer arguments
● kernel_sendmsg, kernel_recvmsg, etc.
● Calls set_fs(KERNEL_DS) to set addr_limit and allow copy_*_user functions to copy kernel-to-kernel
● Careful to make sure no user-influenced pointers are used
56. PAX_UDEREF
● Strict user/kernel separation using segmentation
● Reload segment registers at kernel traps, used during copy operations
● Fault on invalid access
57. PAX_UDEREF and KERNEL_DS
● Use %gs register to keep track of segment for source/dest of copy
● set_fs(KERNEL_DS) sets addr_limit and reloads %gs register to contain __KERNEL_DS segment selector
58. No more easy root...
● Writing KERNEL_DS to addr_limit is no longer sufficient
● Access checks on pointers will pass, but we'll still fault in copy functions because of incorrect segment registers
59. But...
● %gs register is reloaded on context switch (necessary to keep track of thread state)
● Reloaded based on contents of addr_limit!
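As an added example (not code from the talk, the kernel or PaX), this C model follows slides 54 to 59: the addr_limit range check that copy_*_user relies on, a UDEREF-style segment check on top of it, and why re-deriving that segment from addr_limit on context switch leaves the second layer with no state of its own. The model_ names and constants are assumptions.

```c
/* Model of the addr_limit pointer check behind copy_*_user and of a
 * UDEREF-style segment check layered on top of it.  Added example, not
 * kernel or PaX code; the model_ names and constants are assumptions. */
#include <limits.h>
#include <stdbool.h>
#define MODEL_TASK_SIZE 0x00007ffffffff000UL  /* top of user space, x86-64 */
#define MODEL_USER_DS   MODEL_TASK_SIZE       /* normal per-thread limit */
#define MODEL_KERNEL_DS ULONG_MAX             /* set_fs(KERNEL_DS): no upper bound */
enum model_seg { MODEL_SEG_USER, MODEL_SEG_KERNEL };
struct model_thread_info {
    unsigned long addr_limit;  /* per-thread, stored in thread_info on the kstack */
    enum model_seg gs_seg;     /* UDEREF: segment currently loaded in %gs */
};

/* access_ok-style range check: [addr, addr + size) must stay below addr_limit. */
bool model_access_ok(const struct model_thread_info *ti, unsigned long addr, unsigned long size)
{
    if (size > ti->addr_limit)
        return false;
    return addr <= ti->addr_limit - size;
}

/* Segment check: with the user segment in %gs, a kernel address faults
 * no matter what addr_limit says (slide 58). */
bool model_uderef_ok(const struct model_thread_info *ti, unsigned long addr)
{
    return ti->gs_seg == MODEL_SEG_KERNEL || addr < MODEL_TASK_SIZE;
}

/* A copy goes through only if both layers agree. */
bool model_copy_ok(const struct model_thread_info *ti, unsigned long addr, unsigned long size)
{
    return model_access_ok(ti, addr, size) && model_uderef_ok(ti, addr);
}

/* Context switch (slide 59): %gs is re-derived from addr_limit, so the
 * second layer inherits whatever value addr_limit currently holds. */
void model_context_switch_in(struct model_thread_info *ti)
{
    ti->gs_seg = (ti->addr_limit == MODEL_KERNEL_DS) ? MODEL_SEG_KERNEL : MODEL_SEG_USER;
}

/* Same copy, evaluated after the thread was scheduled out and back in. */
bool model_copy_ok_after_switch(unsigned long addr_limit, unsigned long addr, unsigned long size)
{
    struct model_thread_info ti = { addr_limit, MODEL_SEG_USER };
    model_context_switch_in(&ti);
    return model_copy_ok(&ti, addr, size);
}
```

The design lesson for a defender is that a second check only adds protection when its state cannot be rebuilt from the variable the first check already trusts.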
60. Using KERNEL_DS trick
● Write KERNEL_DS into addr_limit of current thread
● Loop on write(pipefd, addr, size)
● Eventually, thread will be scheduled out at right moment (before copy_from_user)
● When thread resumes, %gs register will be reloaded with __KERNEL_DS, and read target will be copied into pipe buffer (kernel-to-kernel copying)
● Restore addr_limit and read
61. Plan of attack!
Overview: arbitrary write + kstack disclosure → STACK JACKING → ROOT
● Stack self-discovery: manual analysis / auto with libkstack
● Stack groping: KERNEL_DS trick
● Stack jacking: ???, read thread / task, overwrite creds
62. Pros and cons of KERNEL_DS
● KERNEL_DS
● Pros: clean, simple, generic method to obtain arbitrary read from write+kleak
● Cons: depends on knowing the location of addr_limit member of thread_info
● It's possible to move thread_info out of the kstack!
● Any alternatives?
● Let's get a bit crazier...
63. The Obergrope Technique
66. Attacking the kstack frames
● A different approach
● Don't attack the thread_info metadata on kstack
● Attack the kstack frames themselves!
● End goal is a read
● How to read data by writing a stack frame?
67. Observations
● Lots of kernel codepaths copy data to userland, via copy_to_user(), put_user(), etc.
● There may be copy_to_user() calls that use a source address argument that is, at some point, stored on the kernel stack
● If we can overwrite that source address on the kstack, we can control the source of the copy_to_user() and leak data to userspace
68. A problem
● How can we write to our own kstack?
● Unlikely to be able to write into our own stack while exploiting the vulnerability for our arbitrary write
● Use parent/child processes
● Child self-discovers kstack addr
● Passes kstack addr to parent
● Parent writes into child while child is in syscall
69. More problems
● How can we write to stack reliably?
● We have a tricky race to win:
● Parent needs to write into child's kstack between when the copy_to_user() source register is pushed and popped from the kstack
● This is a very small race window...
70. Winning Linux kernel races
● How to win Linux kernel races
● Get very lucky w/scheduling on SMP machine
● Cause a resource to be in contention (eg. locks)
● Cause kernel to page in from slow I/O device (sgrakkyu)
● Ehhh...
● We might hose the kernel if we lose the race
● Anything better?
71. A twist on winning races
● This isn't a “standard” race though
● We can have child execute ANY codepath that performs copy_to_user() with a src arg on kstack
● Enter, sleepy syscalls!
● Syscalls that allow us to put process to sleep for an arbitrary amount of time
● nanosleep, wait, select, etc.
72. Sleepy syscall conditions
● Do any of these sleepy syscalls have our required conditions?
● Needs to:
● Push a register to the stack
● Go to sleep for an arbitrary amount of time
● Pop that register off the stack
● Use that register as the source for copy_to_user()
74. compat_sys_waitid disasm
Dump of assembler code for function compat_sys_waitid:
...
0xffffffff810aba4e <+62>: lea 0x140(%rbp),%r14
...
0xffffffff810aba8b <+123>: callq 0xffffffff81063b70 <sys_waitid>
...
0xffffffff810abaae <+158>: mov %r14,%rdi
0xffffffff810abab1 <+161>: callq 0xffffffff810aa700 <put_compat_rusage>
...
Dump of assembler code for function sys_waitid:
...
0xffffffff81063bf9 <+137>: callq 0xffffffff810637e0 <do_wait>
...
Dump of assembler code for function do_wait:
...
0xffffffff810637e6 <+6>: push %r14
...
PROCESS GOES TO SLEEP HERE
...
0xffffffff810639fb <+539>: pop %r14
...
1) compat_sys_waitid() stores address of ru in r14
2) compat_sys_waitid() calls sys_waitid()
3) sys_waitid() calls do_wait()
4) do_wait() pushes r14 on kstack
5) do_wait() sleeps indefinitely
6) we clobber the saved r14 reg on the kstack
7) do_wait() wakes up
8) do_wait() pops r14 off the kstack
9) do_wait() returns
10) sys_waitid() returns
11) compat_sys_waitid() calls put_compat_rusage()
12) put_compat_rusage() uses clobbered source addr
13) put_user() copies from source addr to userspace
75. compat_sys_waitid reliability
● Is this reliable across kernel versions?
● Yes, tested on:
● Lucid default build vmlinuz-2.6.32-24-generic
● Lucid custom build vmlinuz-2.6.32.26+drm33.12
● Vanilla build vmlinuz-2.6.36.3
● Vanilla build + grsec vmlinuz-2.6.36.3-grsec
● How about compilers?
● Across most gcc 4.x? Needs more investigation
● Potentially could runtime fingerprint compiler
76. High-level exploit flow
1. jacker forks/execs groper
2. groper gets its own kstack addr
3. groper passes kstack addr up to jacker
4. groper forks/execs helper
5. helper goes to sleep for a bit
6. groper calls waitid on helper
7. jacker overwrites the required offset on groper's stack
8. helper wakes up from sleep
9. groper returns from waitid
10. groper leaks task_struct address back to userspace
11. groper passes leaked address back up with jacker
12. steps 4-11 are repeated to leak task/cred addresses
13. jacker modifies groper's cred struct in-place
14. groper forks off a root shell
77. Plan of attack!
Overview: arbitrary write + kstack disclosure → STACK JACKING → ROOT
● Stack self-discovery: manual analysis / auto with libkstack
● Stack groping: KERNEL_DS trick / clobber saved reg
● Stack jacking: ???, read thread / task, overwrite creds
78. Live demo!
● Exploit against live hardened system...
79. Defenses?
● Mitigate the exploitation vectors?
● Remove thread_info metadata from kstack
● RANDKSTACK
● Eliminate all kstack disclosures?
● Clear kstack between syscalls?
● Compiler/toolchain foo?
● ???
80. Greetz
● #busticati
● $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/
● Those who were already aware of this bypass vector ;-)
81. Q&A
QUESTIONS?
Jon Oberheide, Duo Security, jon@oberheide.org
Dan Rosenberg, Virtual Security Research, dan.j.rosenberg@gmail.com