This document discusses kernel pool exploitation on Windows 7. It begins with an introduction and overview of the kernel pool and its internals such as pool descriptors, free lists, and lookaside lists. It then covers attacks on the kernel pool and ways to harden it against exploitation, such as by modifying pool structures.
Windows 10 Nt Heap Exploitation (English version)Angel Boy
The document discusses the Windows memory allocator and heap exploitation. It describes the core components and data structures of the NT heap, including the _HEAP structure, _HEAP_ENTRY chunks, BlocksIndex structure, and FreeLists. It also explains the differences between the backend and frontend allocators as well as how chunks of different sizes are managed.
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
The document discusses Windows memory allocation and the NT heap. It describes the core data structures used, including the _HEAP, _HEAP_ENTRY chunks, and _HEAP_LIST_LOOKUP BlocksIndex. It explains how allocated, freed, and VirtualAlloc chunks are structured and managed in the Back-End, including using freelist chains and BlocksIndex to efficiently service allocation requests.
Master Canary Forging by Yuki Koike - CODE BLUE 2015CODE BLUE
Stack Smashing Protection(SSP) is one of the oldest and fundamental protections against exploits, and is now supported by most compilers and modern operating systems.
One technique for SSP is using stack canaries, which verify if a stack buffer has been overflown by checking the integrity of a value stored immediately after the buffer.
Previously, the main methods to bypass stack canaries were to exploit different vulnerabilities to either avoid the canary validation completely, or to provide the correct canary value by leaking the value.
In this talk I will propose a new technique to bypass stack canaries in SSP which takes a different approach from the previous two methods.
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
This document provides an overview of keyed hashing and message authentication codes (MACs). It discusses using cryptographic hash functions and block ciphers to build MACs, as well as dedicated MAC designs like Poly1305 and SipHash. It also covers potential issues like timing attacks on MAC verification and side-channel attacks that can leak the internal state of sponge-based MACs.
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
The document discusses techniques for bypassing Control Flow Guard (CFG) protections on Windows. It begins by introducing the author and their background in security research. It then outlines several potential attack surfaces for bypassing CFG, including using functions like VirtualAlloc and VirtualProtect that can mark memory as valid call targets, writing return addresses, and leveraging indirect calls without CFG checks. The document analyzes six CFG bypass vulnerabilities found by the author in Microsoft Edge and Chakra, and provides details on exploitation methods. It concludes by discussing improvements to harden CFG protections further.
Windows 10 Nt Heap Exploitation (English version)Angel Boy
The document discusses the Windows memory allocator and heap exploitation. It describes the core components and data structures of the NT heap, including the _HEAP structure, _HEAP_ENTRY chunks, BlocksIndex structure, and FreeLists. It also explains the differences between the backend and frontend allocators as well as how chunks of different sizes are managed.
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
The document discusses Windows memory allocation and the NT heap. It describes the core data structures used, including the _HEAP, _HEAP_ENTRY chunks, and _HEAP_LIST_LOOKUP BlocksIndex. It explains how allocated, freed, and VirtualAlloc chunks are structured and managed in the Back-End, including using freelist chains and BlocksIndex to efficiently service allocation requests.
Master Canary Forging by Yuki Koike - CODE BLUE 2015CODE BLUE
Stack Smashing Protection(SSP) is one of the oldest and fundamental protections against exploits, and is now supported by most compilers and modern operating systems.
One technique for SSP is using stack canaries, which verify if a stack buffer has been overflown by checking the integrity of a value stored immediately after the buffer.
Previously, the main methods to bypass stack canaries were to exploit different vulnerabilities to either avoid the canary validation completely, or to provide the correct canary value by leaking the value.
In this talk I will propose a new technique to bypass stack canaries in SSP which takes a different approach from the previous two methods.
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
This document provides an overview of keyed hashing and message authentication codes (MACs). It discusses using cryptographic hash functions and block ciphers to build MACs, as well as dedicated MAC designs like Poly1305 and SipHash. It also covers potential issues like timing attacks on MAC verification and side-channel attacks that can leak the internal state of sponge-based MACs.
For a college course -- CNIT 141: Cryptography for Computer Networks, at City College San Francisco
Based on "Serious Cryptography: A Practical Introduction to Modern Encryption", by Jean-Philippe Aumasson, No Starch Press (November 6, 2017), ISBN-10: 1593278268 ISBN-13: 978-1593278267
Instructor: Sam Bowne
More info: https://samsclass.info/141/141_S19.shtml
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CanSecWest
The document discusses techniques for bypassing Control Flow Guard (CFG) protections on Windows. It begins by introducing the author and their background in security research. It then outlines several potential attack surfaces for bypassing CFG, including using functions like VirtualAlloc and VirtualProtect that can mark memory as valid call targets, writing return addresses, and leveraging indirect calls without CFG checks. The document analyzes six CFG bypass vulnerabilities found by the author in Microsoft Edge and Chakra, and provides details on exploitation methods. It concludes by discussing improvements to harden CFG protections further.
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
The document discusses modern techniques for exploiting vulnerabilities in the Windows kernel memory pool. It provides an overview of the kernel pool structures and internals in Windows 7 and earlier versions. Specific topics covered include the pool descriptor, pool headers, free lists, lookaside lists, large allocations, and the use of bitmaps. The goal is to identify weaknesses that can be leveraged for privilege escalation attacks.
The document discusses C++ exploitation techniques including name mangling, virtual function tables, vtable hijacking, vectors, strings, and memory allocation/deallocation functions like new and delete. It provides details on how virtual function tables are used to implement polymorphism in C++ and how vtable hijacking can be used to exploit vulnerabilities by forcing a vtable and hijacking the virtual function pointer to call shellcode. It also explains how vectors and strings are implemented dynamically in memory and their memory layout.
Social Engineering the Windows Kernel by James ForshawShakacon
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources.
The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.
This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
The document discusses the Windows kernel pool and how it can be exploited. It provides an overview of the kernel pool structures like pool descriptors and lookaside lists. It describes the allocation and freeing algorithms, including splitting and merging of chunks. It then gives an example of exploiting a kernel pool overflow bug, MS08-001, by overwriting structures in the pool to achieve code execution.
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
The document discusses exploiting TrueType font (TTF) vulnerabilities to achieve kernel code execution on Windows systems. It begins by describing the discovery of exploitable bugs in a TTF fuzzer. Despite mitigations like KASLR, NX, SMAP, and CFG, the researchers were able to bypass these protections through techniques like controlled overflows, abusing plain kernel structures, and function-driven attacks. They show how to leverage wild overflows, control kernel memory layout, and hijack control flow to achieve arbitrary code execution. The document emphasizes that OS design weaknesses allow bypassing modern defenses through clever bug chaining and memory manipulation.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
The document provides an overview of the cgroup subsystem and namespace subsystem in Linux, which form the basis of Linux containers. It discusses how cgroups and namespaces enable lightweight virtualization of processes through isolation of resources and namespaces. It then covers specific aspects of cgroups like the memory, CPU, devices, and PIDs controllers. It also summarizes the key differences and improvements in the cgroup v2 implementation, such as having a single unified hierarchy and consistent controller interfaces.
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
The document discusses exploiting the FILE structure in C programs. It provides an overview of how file streams and the FILE structure work. Key points include that the FILE structure contains flags, buffers, a file descriptor, and a virtual function table. It describes how functions like fopen, fread, and fwrite interact with the FILE structure. It then discusses potential exploitation techniques like overwriting the virtual function table or FILE's linked list to gain control of program flow. It notes defenses like vtable verification implemented in modern libc libraries.
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
The document discusses using return-oriented programming (ROP) to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It describes using the procedure linkage table (PLT) to leak the address of functions like puts to bypass ASLR. A ROP chain is then constructed to call read to read "/bin/sh" into memory and execute it, achieving arbitrary code execution.
The document provides an overview of the Advanced Encryption Standard (AES) algorithm. It defines key terms like block, state, and XOR used in AES. It then describes the AES algorithm which works by repeating rounds that include byte substitution, shifting rows, mixing columns, and adding a round key. The number of rounds depends on the key size, being 10 for a 16-byte key and 14 for a 32-byte key. Encryption and decryption are similar processes performed in reverse order.
This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.
This document summarizes a presentation about attacking the DirectComposition component of the Windows graphics subsystem. It discusses:
1) An overview of DirectComposition and its architecture.
2) Two zero-day vulnerabilities the researchers found - a double free bug and integer overflow bug that were exploited to achieve code execution.
3) Their fuzzing approach and how they increased coverage of important DirectComposition functions.
4) Mitigation techniques Microsoft employed in later versions and ways the researchers bypassed them, such as abusing tagWND and bitmap objects.
AOS Lab 10: File system -- Inodes and beyondZubair Nabi
This document provides a summary of file system concepts in the xv6 operating system, including:
1) Inodes are data structures that represent files and provide metadata and pointers to file data blocks. On-disk inodes are read into memory inodes when files are accessed.
2) Directories are represented by special directory inodes containing directory entries with names and pointers to other inodes.
3) The file system layout divides the disk into sections for the boot sector, superblock, inodes, bitmap, data blocks, and log for atomic transactions.
AOS Lab 9: File system -- Of buffers, logs, and blocksZubair Nabi
The document describes the file system layers in xv6, including the buffer cache, logging, and on-disk layout. The buffer cache synchronizes access to disk blocks and caches popular blocks in memory. The logging layer ensures atomicity by wrapping file system updates in transactions written to a log on disk before writing to the file system structures. The on-disk layout divides the disk into sections for the boot sector, superblock, inodes, bitmap, data blocks, and log blocks.
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
The document discusses modern techniques for exploiting vulnerabilities in the Windows kernel memory pool. It provides an overview of the kernel pool structures and internals in Windows 7 and earlier versions. Specific topics covered include the pool descriptor, pool headers, free lists, lookaside lists, large allocations, and the use of bitmaps. The goal is to identify weaknesses that can be leveraged for privilege escalation attacks.
The document discusses C++ exploitation techniques including name mangling, virtual function tables, vtable hijacking, vectors, strings, and memory allocation/deallocation functions like new and delete. It provides details on how virtual function tables are used to implement polymorphism in C++ and how vtable hijacking can be used to exploit vulnerabilities by forcing a vtable and hijacking the virtual function pointer to call shellcode. It also explains how vectors and strings are implemented dynamically in memory and their memory layout.
Social Engineering the Windows Kernel by James ForshawShakacon
One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources.
The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.
This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.
The document discusses the Windows kernel pool and how it can be exploited. It provides an overview of the kernel pool structures like pool descriptors and lookaside lists. It describes the allocation and freeing algorithms, including splitting and merging of chunks. It then gives an example of exploiting a kernel pool overflow bug, MS08-001, by overwriting structures in the pool to achieve code execution.
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
The document discusses exploiting TrueType font (TTF) vulnerabilities to achieve kernel code execution on Windows systems. It begins by describing the discovery of exploitable bugs in a TTF fuzzer. Despite mitigations like KASLR, NX, SMAP, and CFG, the researchers were able to bypass these protections through techniques like controlled overflows, abusing plain kernel structures, and function-driven attacks. They show how to leverage wild overflows, control kernel memory layout, and hijack control flow to achieve arbitrary code execution. The document emphasizes that OS design weaknesses allow bypassing modern defenses through clever bug chaining and memory manipulation.
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
The document provides an overview of the cgroup subsystem and namespace subsystem in Linux, which form the basis of Linux containers. It discusses how cgroups and namespaces enable lightweight virtualization of processes through isolation of resources and namespaces. It then covers specific aspects of cgroups like the memory, CPU, devices, and PIDs controllers. It also summarizes the key differences and improvements in the cgroup v2 implementation, such as having a single unified hierarchy and consistent controller interfaces.
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
The document discusses exploiting the FILE structure in C programs. It provides an overview of how file streams and the FILE structure work. Key points include that the FILE structure contains flags, buffers, a file descriptor, and a virtual function table. It describes how functions like fopen, fread, and fwrite interact with the FILE structure. It then discusses potential exploitation techniques like overwriting the virtual function table or FILE's linked list to gain control of program flow. It notes defenses like vtable verification implemented in modern libc libraries.
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
The document discusses using return-oriented programming (ROP) to bypass address space layout randomization (ASLR) and data execution prevention (DEP). It describes using the procedure linkage table (PLT) to leak the address of functions like puts to bypass ASLR. A ROP chain is then constructed to call read to read "/bin/sh" into memory and execute it, achieving arbitrary code execution.
The document provides an overview of the Advanced Encryption Standard (AES) algorithm. It defines key terms like block, state, and XOR used in AES. It then describes the AES algorithm which works by repeating rounds that include byte substitution, shifting rows, mixing columns, and adding a round key. The number of rounds depends on the key size, being 10 for a 16-byte key and 14 for a 32-byte key. Encryption and decryption are similar processes performed in reverse order.
This document summarizes a presentation on designing Active Directory DACL backdoors for persistence after gaining initial domain elevation. It discusses how DACL misconfigurations can provide stealthy, long-term access. Specific techniques covered include hiding DACLs and principals from easy enumeration, as well as case studies on backdoors involving DCSync rights, AdminSDHolder, LAPS passwords, Exchange objects, and abusing GPOs. Defenses discussed include proper event log collection and SACL auditing. The document provides an overview of how DACLs can be stealthily misconfigured to maintain access without immediate detection.
This document summarizes a presentation about attacking the DirectComposition component of the Windows graphics subsystem. It discusses:
1) An overview of DirectComposition and its architecture.
2) Two zero-day vulnerabilities the researchers found - a double free bug and integer overflow bug that were exploited to achieve code execution.
3) Their fuzzing approach and how they increased coverage of important DirectComposition functions.
4) Mitigation techniques Microsoft employed in later versions and ways the researchers bypassed them, such as abusing tagWND and bitmap objects.
AOS Lab 10: File system -- Inodes and beyondZubair Nabi
This document provides a summary of file system concepts in the xv6 operating system, including:
1) Inodes are data structures that represent files and provide metadata and pointers to file data blocks. On-disk inodes are read into memory inodes when files are accessed.
2) Directories are represented by special directory inodes containing directory entries with names and pointers to other inodes.
3) The file system layout divides the disk into sections for the boot sector, superblock, inodes, bitmap, data blocks, and log for atomic transactions.
AOS Lab 9: File system -- Of buffers, logs, and blocksZubair Nabi
The document describes the file system layers in xv6, including the buffer cache, logging, and on-disk layout. The buffer cache synchronizes access to disk blocks and caches popular blocks in memory. The logging layer ensures atomicity by wrapping file system updates in transactions written to a log on disk before writing to the file system structures. The on-disk layout divides the disk into sections for the boot sector, superblock, inodes, bitmap, data blocks, and log blocks.
This presentation discusses NTFS and inodes. It provides an overview of NTFS, including its architecture, metadata files like the master file table, directories, files, security features, and clusters. It also describes Unix file systems and how they use inodes to store metadata about each file, such as the file size, owner, and pointers to data blocks. Inodes are allocated from a free inode list and contain information about the file as well as pointers to data blocks.
Application Performance & Flexibility on Exokernel Systems paper reviewVimukthi Wickramasinghe
This document provides an overview of operating system structures and summarizes a research paper discussing the performance of exokernel systems. It introduces layered and alternative OS structures like microkernels and exokernels. The paper discusses the principles of exokernels and evaluates the performance of the Xok exokernel and its components like the XN storage system. Performance tests show Xok can match or exceed UNIX performance for most applications and significantly outperform UNIX for I/O intensive servers like HTTP servers. While exokernels provide advantages like flexibility and performance, their interfaces can be complex and lead to code management issues.
This document discusses the different types of tablespaces in InnoDB including the system tablespace (ibdata1), file-per-table tablespaces (.ibd), general tablespaces (.ibd), undo tablespaces (undo_001), and temporary tablespaces (.ibt, ibtmp1). It provides details on the structure and management of space within these tablespaces including pages, extents, segments, the file space header, extent descriptor pages, and the doublewrite buffer.
The document discusses two Linux file systems: ext4 and BTRFS. Ext4 is the latest version of the ext file system family and aims to overcome limitations of ext3, such as larger file and volume sizes and improved performance. BTRFS is a newer file system that uses B-trees for its structures and aims to replace ext3/4 with new storage management approaches like snapshots and copy-on-write. The document provides details on the technical specifications and features of each file system.
The document discusses SQLite, a widely used lightweight database format. It notes that SQLite databases are commonly used in smartphones and applications to store structured data. The document outlines challenges in recovering deleted data from SQLite databases and introduces an advanced SQLite recovery tool being developed by viaForensics. It provides information on SQLite database structure, including pages, B-trees, records, and data types. It also discusses viewing and analyzing SQLite databases using command line and graphical tools.
Linux provide facilities to expose emulated LUNs to initiators using Linux-IO (LIO) scsi target implementation . LIO not only support exposing conventional block devices but also supports other storage interfaces like file or memory based LUNs. Also it supports multiple fabric interfaces - FC, FCoE, iscsi and many more.
LIO can be used in SAN environments with minimal storage resources.
Native support for LIO in linux hypervisors and in Openstack make it a good storage option for cloud deployments.
The document discusses NTFS forensics and the structure of the NTFS file system. Some key points:
1) NTFS stores metadata about files and folders in the Master File Table ($MFT) using file records and attributes like $FILE_NAME and $DATA.
2) Files can be recovered by finding their data runs stored in the $MFT entry and reading the data from disk.
3) Additional forensic artifacts can be found in hidden internal files like $USNJRNL, $LogFile, and $Bitmap that contain metadata about file operations and deletions.
A presentation on the Ext4 file system and the evolution of Ext filesystem in Linux operating system. Linux uses virtual filesystem. The comparison of the ext filesystem generations is provided.
This document discusses the internal representation of files in a file system. It describes inodes, which contain metadata about files, including file type and size. Inodes exist as disk inodes and in-core inodes in memory. Path names are converted to inodes using the namei algorithm. Directories store file names and inode numbers. The iget and iput algorithms manage caching of in-core inodes. New files are assigned inodes from the free inode list using ialloc. Blocks are allocated for file data non-contiguously using indirect pointers in the inode.
This document discusses exploiting the OS X El Capitan kernel using a vulnerability found in IOAcceleratorFamily. It describes how memory spraying can be used to leak kernel information despite mitigations like kASLR. It then provides a case study of exploiting CVE-2016-1815, an out-of-bounds write bug, to leak bytes from kernel memory and eventually gain kernel code execution. The exploitation technique involves spraying kernel memory with controlled data, overwriting a function pointer to point to that data, and using an information leak primitive to read bytes from the sprayed region and bypass kASLR.
CNIT 152 13 Investigating Mac OS X SystemsSam Bowne
This document provides an overview of investigating Mac OS X systems, including analyzing the file system and various system artifacts. It discusses the HFS+ file system structures like the volume header, catalog file, and attributes file. It also covers time stamps, Spotlight indexing, and managed storage revisions. Key directories in the local, system, network, and user domains are outlined. Specific sources of evidence from the user domain like user accounts, shares, and trash are also mentioned. The document discusses tools like OpenBSM for system auditing and various system logs and databases that can be analyzed.
The document provides an overview of disk forensics concepts and tools used for analyzing disk images. It discusses locating the NTFS partition, inspecting the master boot record and partition table. It also covers the NTFS file system structures like the master file table, file attributes, alternate data streams, and methods for recovering deleted files. Timestamp analysis and registry forensics are also briefly introduced. Various forensic tools like The Sleuth Kit, Autopsy, and samdump2 are demonstrated.
OSDC 2011 | Enterprise Linux Server Filesystems by Remo RickliNETWAYS
Der Einsatz des richtigen Filesystems ist noch immer eine grundlegende Entscheidung mit großem Einfluss auf spätere Performance und Management. Mit Ext4 und BTRFS gibt es nun zwei neue Alternativen die der Erwartungshaltung bisherige Schwachstellen auszumerzen standhalten müssen. Während Ext4 bereits stable ist und den Sprung in die gängigen Enterprise Distributionen geschafft hat, steht das von Oracle BTRFS hier noch eher am Anfang. Trotz des scheinbaren Nachteils sehen vielen in BTRFS das nächste Standardfilesystem für Linux, da es im Vergleich bestehenden Limitierungen von Ext4 auflöst und als die Linux-Alternative zu ZFS gesehen wird.
Der Vortrag erläutert Architektur und Charakteristiken beider Dateisysteme, bewertet sie aus Sicht eines Systemadministrators für den Einsatz im Rechenzentrum und beschreibt mögliche Migrationspfade.
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
There are two main types of parallel computers: shared memory multiprocessors and distributed memory multicomputers. Shared memory multiprocessors have multiple processors that can access a shared memory address space, while distributed memory multicomputers consist of separate computers connected by an interconnect network that communicate by message passing. Beowulf clusters are a type of distributed memory multicomputer made from interconnected commodity computers that provide high-performance computing at low cost. Programming distributed memory systems requires using message passing libraries to explicitly specify communication between processes on different computers.
The document discusses key concepts related to kernel architecture, processes, and file handling in operating systems. It covers topics such as inodes, process tables, file descriptors, context switching, fork system calls, and the interaction between inodes, file tables, and process file descriptor tables when files are opened. The main components of a file system like boot blocks, super blocks, inode lists, and data blocks are also summarized.
The Btrfs filesystem was jointly developed by several companies including Oracle and Redhat. It uses copy-on-write and maintains CRCs for metadata and data. Features include snapshots, multi-device support, online resizing and compression. Performance and stability have improved through fixes and new tools allow automated repair of corrupt blocks. Storage is allocated through extent and chunk trees which map logical to physical blocks and allow different RAID levels for data and metadata. Btrfs works well with flash storage through trim support and hints to optimize device lifetime and performance.
Linux Kernel Booting Process (2) - For NLKBshimosawa
Describes the bootstrapping part in Linux, and related architectural mechanisms and technologies.
This is the part two of the slides, and the succeeding slides may contain the errata for this slide.
Similar to HES2011 - Tarjei Mandt – Kernel Pool Exploitation on Windows 7 (20)
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talkHackito Ergo Sum
This document summarizes a lightning talk presentation about binary instrumentation using Intel's Pin tool. It introduces Pin as a dynamic binary instrumentation tool that can insert code into programs at runtime. It then discusses several applications of Pin like performance profiling, security tools for sandboxing and reversing, and academic uses. The document provides examples of using Pin APIs and also lists some alternative dynamic instrumentation engines. It encourages the audience to start using Pin and sharing tools they create with the community.
HES2011 - Jon Oberheide and Dan Rosenberg - StackjackingHackito Ergo Sum
This document discusses bypassing security protections provided by the grsecurity and PaX patchsets on Linux kernels. It begins with an introduction and agenda, then provides background on Linux kernel security issues over the past decade. The presentation notes that an arbitrary kernel write is a common exploitation primitive, but that this is insufficient to escalate privileges when protections like grsecurity/PaX are in place. It then introduces the concept of "stackjacking", where an attacker leverages kernel stack memory disclosures, which are common low severity vulnerabilities, along with an arbitrary kernel write to bypass grsecurity/PaX protections without needing to introduce new code or modify control flow.
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profitHackito Ergo Sum
This document discusses remotely using the Spanish National Electronic ID (DNIe) and potential attacks. It provides an introduction to the DNIe and describes a "Man in the Remote" (MiR) attack where an attacker is able to remotely access and use the functionalities of a DNIe card plugged into a different computer. It demonstrates how the attacker could achieve remote authentication and signing. It also discusses some potential solutions to prevent MiR attacks based on analyzing response times.
HES2011 - Sebastien Tricaud - Capture me if you canHackito Ergo Sum
The document discusses techniques for capturing network traffic and system logs to detect security incidents in large networks. It describes how to capture traffic using libpcap, nfqueue, and DAQ. It also discusses challenges like fragmentation and the need to decode protocols. For logs, it highlights weaknesses like signature-based detection and the importance of normalized, unconfigurable logs. It introduces CUDA and NetGPU for GPU-accelerated traffic processing and visualization tools like SecViz and Circos for analyzing large datasets. The conclusion emphasizes that visualization can help solve the problem of events getting lost in noise and overcome technical limitations of current detection approaches.
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum CrackmeHackito Ergo Sum
This document is a presentation about a crackme called Hackito Ergo Sum. It discusses the various techniques used to protect the crackme, including a verification algorithm using RC4 encryption, instruction mutation, control flow graph obfuscation, encryption layers, direct native API calls, anti-debugging methods, and ways attackers could potentially break it such as bruteforcing the encryption key or reversing the encryption algorithm. The presentation concludes by thanking the audience and opening the floor for questions.
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
This document summarizes an approach to auditing the Adobe Shockwave file format and verifying vulnerabilities. It describes how the authors:
1) Encountered difficulties reversing the Shockwave memory manager using traditional debugging tools.
2) Developed a technique using dynamic binary instrumentation to hook the Shockwave file read function and search read buffers for fuzzed file data.
3) Further refined their approach by directly hooking the file read function in MSVCR71.dll, allowing the technique to be reused for other projects.
HES2011 - Jon Larimer - Autorun Vulnerabilities on LinuxHackito Ergo Sum
This document discusses potential vulnerabilities related to autorun functionality and removable storage devices like USB drives on Linux systems. It notes that while Linux desktop environments don't automatically run scripts from removable devices, vulnerabilities could still exist in drivers and applications that handle connecting and accessing such devices. Specific vulnerabilities are identified in USB drivers, file system drivers, thumbnail generation applications, and external thumbnailer programs. Exploiting these could allow gaining root access or defeating full disk encryption from physical access to a system.
HES2011 - James Oakley and Sergey bratus-Exploiting-the-Hard-Working-DWARFHackito Ergo Sum
The document describes how DWARF bytecode, included in GCC-compiled binaries to support exception handling, can be exploited to insert trojan payloads. DWARF bytecode interpreters are included in the standard C++ runtime and are Turing-complete, allowing the bytecode to perform arbitrary computations by influencing program flow. A demonstration shows how DWARF bytecode can be used to hijack exceptions and execute malicious payloads without requiring native code.
HES2011 - joernchen - Ruby on Rails from a Code Auditor PerspectiveHackito Ergo Sum
This document provides an overview of Ruby on Rails (RoR) from a code auditor's perspective. It discusses the MVC architecture that RoR uses and describes where the different components (model, view, controller) are typically located in a RoR application. It also discusses common things to look for when reviewing RoR code like user input validation, filters, migrations and more. Specific examples of issues found in Redmine and another open source project are also provided like a persistent XSS issue and information leak.
HES2011 - Raould Chiesa - Hackers Cybercriminals from Wargames to the Undergr...Hackito Ergo Sum
This document provides a summary of a presentation by Raoul Chiesa on cybercrime trends from the past to present. It discusses how hacking has evolved from curiosity-driven activities by bored teens to profit-motivated crimes by adults. Reasons for the rise of cybercrime include the increasing number of internet users and victims, economic incentives, availability of hacking tools, recruitment of inexperienced people, and lack of consequences. The presentation also notes how media portrayal has changed perceptions of who hackers are.
HES2011 - Richard Johnson - A Castle Made of Sand Adobe Reader X SandboxHackito Ergo Sum
The document discusses Adobe Reader's use of sandboxing to improve security. It provides background on past vulnerabilities in Adobe Reader and discusses the architecture of the Adobe Reader X sandbox. The sandbox isolates rendering code in a lower privileged process and uses a higher privileged broker process to validate and fulfill requests for system resources according to internal policy. The document outlines how to analyze the sandbox's security mechanisms, such as by determining the rights of processes, auditing the IPC mechanisms, and fuzzing the resource request validation.
HES2011 - Yuval Vadim Polevoy – Money Is In The Eye Of The Beholder: New And ...Hackito Ergo Sum
The document discusses new and evolving ways that criminals steal money through digital means. It outlines how criminal operations have become more sophisticated and business-like, moving from individual hackers to organized underground companies. It describes various technical methods that are used, such as phishing, pharming, malware injections, and man-in-the-browser attacks to steal login credentials and hijack financial transactions. It also discusses how criminal groups set up complex international operations using mules, drop points, and covert channels to launder and cash out the stolen money without being detected. The document warns that security measures are catching up, but that criminals will continue adapting their methods, such as through screen scraping or new types of online games involving money.
The document discusses how software can be used to damage hardware through various techniques like overclocking, overvolting, overheating, and firmware flashing. It provides examples of how components like CPUs, RAM, graphics cards, hard drives, and BIOS can be permanently damaged by exploiting their software interfaces. The goal could be industrial espionage, terrorism, or other malicious motives like destroying a commercial rival's operations through an act of industrial cyber warfare.
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
ScyllaDB is making a major architecture shift. We’re moving from vNode replication to tablets – fragments of tables that are distributed independently, enabling dynamic data distribution and extreme elasticity. In this keynote, ScyllaDB co-founder and CTO Avi Kivity explains the reason for this shift, provides a look at the implementation and roadmap, and shares how this shift benefits ScyllaDB users.
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...AlexanderRichford
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Session 1 - Intro to Robotic Process Automation.pdfUiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
Introducing BoxLang : A new JVM language for productivity and modularity!Ortus Solutions, Corp
Just like life, our code must adapt to the ever changing world we live in. From one day coding for the web, to the next for our tablets or APIs or for running serverless applications. Multi-runtime development is the future of coding, the future is to be dynamic. Let us introduce you to BoxLang.
Dynamic. Modular. Productive.
BoxLang redefines development with its dynamic nature, empowering developers to craft expressive and functional code effortlessly. Its modular architecture prioritizes flexibility, allowing for seamless integration into existing ecosystems.
Interoperability at its Core
With 100% interoperability with Java, BoxLang seamlessly bridges the gap between traditional and modern development paradigms, unlocking new possibilities for innovation and collaboration.
Multi-Runtime
From the tiny 2m operating system binary to running on our pure Java web server, CommandBox, Jakarta EE, AWS Lambda, Microsoft Functions, Web Assembly, Android and more. BoxLang has been designed to enhance and adapt according to it's runnable runtime.
The Fusion of Modernity and Tradition
Experience the fusion of modern features inspired by CFML, Node, Ruby, Kotlin, Java, and Clojure, combined with the familiarity of Java bytecode compilation, making BoxLang a language of choice for forward-thinking developers.
Empowering Transition with Transpiler Support
Transitioning from CFML to BoxLang is seamless with our JIT transpiler, facilitating smooth migration and preserving existing code investments.
Unlocking Creativity with IDE Tools
Unleash your creativity with powerful IDE tools tailored for BoxLang, providing an intuitive development experience and streamlining your workflow. Join us as we embark on a journey to redefine JVM development. Welcome to the era of BoxLang.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxSunil Jagani
Discover how AI is transforming the workplace and learn strategies for reskilling and upskilling employees to stay ahead. This comprehensive guide covers the impact of AI on jobs, essential skills for the future, and successful case studies from industry leaders. Embrace AI-driven changes, foster continuous learning, and build a future-ready workforce.
Read More - https://bit.ly/3VKly70
2. Who am I
11. april 2011
• Security Researcher at Norman
• Malware Detection Team (MDT)
• Focused on exploit detection / mitigation
• Interests
• Vulnerability research
• Operating systems internals
• Low-level stuff
• Found some kernel bugs recently
• MS10-073, MS10-098, MS11-012, ...
3. Agenda
11. april 2011
• Introduction
• Kernel Pool Internals
• Kernel Pool Attacks
• Case Study / Demo
• Kernel Pool Hardening
• Conclusion
5. Introduction
11. april 2011
• Exploit mitigations such as DEP and ASLR do not
prevent exploitation in every case
• JIT spraying, memory leaks, etc.
• Privilege isolation is becoming an important
component in confining application vulnerabilities
• Browsers and office applications employ “sandboxed”
render processes
• Relies on (security) features of the operating system
• In turn, this has motivated attackers to focus their
efforts on privilege escalation attacks
• Arbitrary ring0 code execution → OS security undermined
6. The Kernel Pool
11. april 2011
• Resource for dynamically allocating memory
• Shared between all kernel modules and drivers
• Analogous to the user-mode heap
• Each pool is defined by its own structure
• Maintains lists of free pool chunks
• Highly optimized for performance
• No kernel pool cookie or pool header obfuscation
• The kernel executive exports dedicated
functions for handling pool memory
• ExAllocatePool* and ExFreePool* (discussed later)
7. Kernel Pool Exploitation
11. april 2011
• An attacker’s ability to leverage pool corruption
vulnerabilities to execute arbitrary code in ring 0
• Similar to traditional heap exploitation
• Kernel pool exploitation requires careful
modification of kernel pool structures
• Access violations are likely to end up with a bug check
(BSOD)
• Up until Windows 7, kernel pool overflows could
be generically exploited using write-4 techniques
• Sobeit[2005]
• Kortchinsky[2008]
8. Previous Work
11. april 2011
• Primarily focused on XP/2003 platforms
• How To Exploit Windows Kernel Memory Pool
• Presented by SoBeIt at XCON 2005
• Proposed two write-4 exploit methods for overflows
• Real World Kernel Pool Exploitation
• Presented by Kostya Kortchinsky at SyScan 2008
• Discussed four write-4 exploitation techniques
• Demonstrated practical exploitation of MS08-001
• All the above exploitation techniques were
addressed in Windows 7
• Beck[2009]
9. Contributions
11. april 2011
• Elaborate on the internal structures and
changes made to the Windows 7 (and Vista)
kernel pool
• Identify weaknesses in the Windows 7 kernel
pool and show how an attacker may leverage
these to exploit pool corruption vulnerabilities
• Propose ways to thwart the discussed attacks
and further harden the kernel pool
11. Kernel Pool Fundamentals
11. april 2011
• Kernel pools are divided into types
• Defined in the POOL_TYPE enum
• Non-Paged Pools, Paged Pools, Session Pools, etc.
• Each kernel pool is defined by a pool descriptor
• Defined by the POOL_DESCRIPTOR structure
• Tracks the number of allocs/frees, pages in use, etc.
• Maintains lists of free pool chunks
• The initial descriptors for paged and non-paged
pools are defined in the nt!PoolVector array
• Each index points to an array of one or more
descriptors
13. Non-Paged Pool
11. april 2011
• Non-pagable system memory
• Guaranteed to reside in physical memory at all times
• Number of pools stored in
nt!ExpNumberOfNonPagedPools
• On uniprocessor systems, the first index of the
nt!PoolVector array points to the non-paged pool
descriptor
• kd> dt nt!_POOL_DESCRIPTOR poi(nt!PoolVector)
• On multiprocessor systems, each node has its own
non-paged pool descriptor
• Pointers stored in nt!ExpNonPagedPoolDescriptor array
14. Paged Pool
11. april 2011
• Pageable system memory
• Can only be accessed at IRQL < DPC/Dispatch level
• Number of paged pools defined by
nt!ExpNumberOfPagedPools
• On uniprocessor systems, four (4) paged pool
descriptors are defined
• Index 1 through 4 in nt!ExpPagedPoolDescriptor
• On multiprocessor systems, one (1) paged pool
descriptor is defined per node
• One additional paged pool descriptor is defined for
prototype pools / full page allocations
• Index 0 in nt!ExpPagedPoolDescriptor
15. Session Paged Pool
11. april 2011
• Pageable system memory for session space
• E.g. Unique to each logged in user
• Initialized in nt!MiInitializeSessionPool
• On Vista, the pool descriptor pointer is stored
in nt!ExpSessionPoolDescriptor (session space)
• On Windows 7, a pointer to the pool descriptor
from the current thread is used
• KTHREAD->Process->Session.PagedPool
• Non-paged session allocations use the global
non-paged pools
16. Pool Descriptor Free Lists (x86)
11. april 2011
• Each pool descriptor has a
ListHeads array of 512 doubly-
linked lists of free chunks of 0
the same size 1 8 bytes 8 bytes
• 8 byte granularity 2
3 24 bytes
• Used for allocations up to 4080
bytes 4
24 bytes data +
..
• Free chunks are indexed into 8 byte header
..
the ListHeads array by block ..
size ..
• BlockSize: (NumBytes+0xF) >> 3 511 4080 bytes
• Each pool chunk is preceded by
an 8-byte pool header PoolDescriptor.ListHeads
17. Kernel Pool Header (x86)
11. april 2011
• kd> dt nt!_POOL_HEADER
• +0x000 PreviousSize : Pos 0, 9 Bits
• +0x000 PoolIndex : Pos 9, 7 Bits
• +0x002 BlockSize : Pos 0, 9 Bits
• +0x002 PoolType : Pos 9, 7 Bits
• +0x004 PoolTag : Uint4B
• PreviousSize: BlockSize of the preceding chunk
• PoolIndex: Index in associated pool descriptor array
• BlockSize: (NumberOfBytes+0xF) >> 3
• PoolType: Free=0, Allocated=(PoolType|2)
• PoolTag: 4 printable characters identifying the code
responsible for the allocation
18. Kernel Pool Header (x64)
11. april 2011
• kd> dt nt!_POOL_HEADER
• +0x000 PreviousSize : Pos 0, 8 Bits
• +0x000 PoolIndex : Pos 8, 8 Bits
• +0x000 BlockSize : Pos 16, 8 Bits
• +0x000 PoolType : Pos 24, 8 Bits
• +0x004 PoolTag : Uint4B
• +0x008 ProcessBilled : Ptr64 _EPROCESS
• BlockSize: (NumberOfBytes+0x1F) >> 4
• 256 ListHeads entries due to 16 byte block size
• ProcessBilled: Pointer to process object charged for
the pool allocation (used in quota management)
19. Free Pool Chunks
11. april 2011
• If a pool chunk is freed to a pool descriptor
ListHeads list, the header is followed by a
LINK_ENTRY structure
• Pointed to by the ListHeads doubly-linked list
• kd> dt nt!_LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY
+0x004 Blink : Ptr32 _LIST_ENTRY
.. Header Header
Flink Flink Flink
n
Blink Blink Blink
Blocksize n
..
PoolDescriptor.ListHeads Free chunks
20. Lookaside Lists
11. april 2011
• Kernel uses lookaside lists for faster
allocation/deallocation of small pool chunks
• Singly-linked LIFO lists
• Optimized for performance – e.g. no checks
• Separate per-processor lookaside lists for
pagable and non-pagable allocations
• Defined in the Processor Control Block (KPRCB)
• Maximum BlockSize being 0x20 (256 bytes)
• 8 byte granularity, hence 32 lookaside lists per type
• Each lookaside list is defined by a
GENERAL_LOOKASIDE_POOL structure
22. Lookaside Lists (Per-Processor)
11. april 2011
Free lookaside chunks
Processor Control Region
(pointed to by FS segment selector)
PPNPagedLookasideList[0]
PPNPagedLookasideList[1] Header Header
KPCR
Next Next Next
ListHead
Depth
PPNPagedLookasideList[2]
PPNPagedLookasideList[3]
KPRCB
PPNPagedLookasideList[32] PPNPagedLookasideList[n]
PPPagedLookasideList[32] Each per-processor lookaside list
entry (GENERAL_LOOKASIDE_POOL)
is 0x48 bytes in size
PPNPagedLookasideList[31]
Processor Control Block Per-Processor Non-
Paged Lookaside Lists
23. Lookaside Lists (Session)
11. april 2011
• Separate per-session lookaside lists for pagable
allocations
• Defined in session space (nt!ExpSessionPoolLookaside)
• Maximum BlockSize being 0x19 (200 bytes)
• Uses the same structure (with padding) as per-processor lists
• All processors use the same session lookaside lists
• Non-paged session allocations use the per-processor
non-paged lookaside list
• Lookaside lists are disabled if hot/cold separation is
used
• nt!ExpPoolFlags & 0x100
• Used during system boot to increase speed and reduce the
memory footprint
24. Lookaside Lists (Session)
11. april 2011
Free lookaside chunks
Lookaside[0]
Lookaside[1] Header Header
Next Next Next
ListHead
Depth
MM_SESSION_SPACE
Lookaside[2]
(nt!MmSessionSpace)
Lookaside[3]
Lookaside[25] Lookaside[n]
Each per-processor lookaside list
entry (GENERAL_LOOKASIDE) is
0x80 bytes in size
Lookaside[24]
Session Space Session Paged
Lookaside Lists
25. Dedicated Lookaside Lists
11. april 2011
• Frequently allocated buffers (of fixed size) in
the NT kernel have dedicated lookaside lists
• Object create information
• I/O request packets
• Memory descriptor lists
• Defined in the processor control block (KPRCB)
• 16 PP_LOOKASIDE_LIST structures, each defining one
per-processor and one system-wide list
26. Large Pool Allocations
11. april 2011
• Allocations greater than 0xff0 (4080) bytes
• Handled by the function nt!ExpAllocateBigPool
• Internally calls nt!MiAllocatePoolPages
• Requested size is rounded up to the nearest page size
• Excess bytes are put back at the end of the
appropriate pool descriptor ListHeads list
• Each node (e.g. processor) has 4 singly-linked
lookaside lists for big pool allocations
• 1 paged for allocations of a single page
• 3 non-paged for allocations of page count 1, 2, and 3
• Defined in KNODE (KPCR.PrcbData.ParentNode)
27. Large Pool Allocations
11. april 2011
• If lookaside lists cannot be used, an allocation
bitmap is used to obtain the requested pool pages
• Array of bits that indicate which memory pages are in use
• Defined by the RTL_BITMAP structure
• The bitmap is searched for the first index that
holds the requested number of unused pages
• Bitmaps are defined for every major pool type with
its own dedicated memory
• E.g. nt!MiNonPagedPoolBitMap
• The array of bits is located at the beginning of the
pool memory range
29. Allocation Algorithm
11. april 2011
• The kernel exports several allocation functions for
kernel modules and drivers to use
• All exported kernel pool allocation routines are
essentially wrappers for ExAllocatePoolWithTag
• The allocation algorithm returns a free chunk by
checking with the following (in order)
• Lookaside list(s)
• ListHeads list(s)
• Pool page allocator
• Windows 7 performs safe unlinking when pulling a
chunk from a free list
30. Safe Pool Unlinking
11. april 2011
Pool Header Pool Header Pool Header
Flink 0x8080BBB0 Flink
Blink 0x8080AAA0 Blink
3. Does previous chunk’s 2. Does next chunk’s
Flink point at the chunk 1. Chunk to be unlinked ... Blink point at the chunk
being unlinked ? being unlinked ?
Pool Header Pool Header
0x8080BBB0 Flink
Blink 0x8080AAA0
31. ExAllocatePoolWithTag (1/2)
11. april 2011
• PVOID ExAllocatePoolWithTag(POOL_TYPE
PoolType, SIZE_T NumberOfBytes, ULONG Tag)
• If NumberOfBytes > 0xff0
• Call nt!ExpAllocateBigPool
• If PagedPool requested
• If (PoolType & SessionPoolMask) and BlockSize <= 0x19
• Try the session paged lookaside list
• Return on success
• Else If BlockSize <= 0x20
• Try the per-processor paged lookaside list
• Return on success
• Lock (session) paged pool descriptor (round robin)
32. ExAllocatePoolWithTag (2/2)
11. april 2011
• Else (NonPagedPool requested)
• If BlockSize <= 0x20
• Try the per-processor non-paged lookaside list
• Return on success
• Lock non-paged pool descriptor (local node)
• Use ListHeads of currently locked pool
• For n in range(BlockSize,512)
• If ListHeads[n] is empty, try next BlockSize
• Safe unlink first entry and split if larger than needed
• Return on success
• If failed, expand the pool by adding a page
• Call nt!MiAllocatePoolPages
• Split entry and return on success
34. Splitting Pool Chunks
11. april 2011
• If a chunk larger than the size requested is
returned from ListHeads[n], the chunk is split
• If chunk is page aligned, the requested size is
allocated from the front of the chunk
• If chunk is not page aligned, the requested size is
allocated at the end of the chunk
• The remaining fragment of the split chunk is
put at the tail of the proper ListHeads[n] list
35. Splitting Pool Chunks
11. april 2011
PreviousSize == 0 :
Allocate chunk in the front
1st alloc 1st alloc
Free Pool
Free Chunk Free Chunk
Page
4th alloc
3rd alloc 2nd alloc
PreviousSize != 0 :
Allocate chunk at the end
36. Free Algorithm
11. april 2011
• The free algorithm inspects the pool header of
the chunk to be freed and frees it to the
appropriate list
• Implemented by ExFreePoolWithTag
• Bordering free chunks may be merged with the
freed chunk to reduce fragmentation
• Windows 7 uses safe unlinking in the merging process
37. ExFreePoolWithTag (1/2)
11. april 2011
• VOID ExFreePoolWithTag(PVOID Address, ULONG Tag)
• If Address (chunk) is page aligned
• Call nt!MiFreePoolPages
• If Chunk->BlockSize != NextChunk->PreviousSize
• BugCheckEx(BAD_POOL_HEADER)
• If (PoolType & PagedPoolSession) and BlockSize <=
0x19
• Put in session pool lookaside list
• Else If BlockSize <= 0x20 and pool is local to processor
• If (PoolType & PagedPool)
• Put in per-processor paged lookaside list
• Else (NonPagedPool)
• Put in per-processor non-paged lookaside list
• Return on sucess
38. ExFreePoolWithTag (2/2)
11. april 2011
• If the DELAY_FREE pool flag is set
• If pending frees >= 0x20
• Call nt!ExDeferredFreePool
• Add to front of pending frees list (singly-linked)
• Else
• If next chunk is free and not page aligned
• Safe unlink and merge with current chunk
• If previous chunk is free
• Safe unlink and merge with current chunk
• If resulting chunk is a full page
• Call nt!MiFreePoolPages
• Else
• Add to front of appropriate ListHeads list
40. Merging Pool Chunks
11. april 2011
Chunk to be freed
Pool Header Pool Header Pool Header
(free) (busy) (free)
Next chunk unlinked
Pool Header Pool Header unlinked
(free) (busy) chunk
Previous chunk unlinked Merge with next
Pool Header
unlinked chunk BlockSize updated
(busy)
Marked as free and returned Merge with previous
Pool Header
BlockSize updated
(free)
41. Delayed Pool Frees
11. april 2011
• A performance optimization that frees several pool
allocations at once to amortize pool acquisition/release
• Briefly mentioned in mxatone[2008]
• Enabled when MmNumberOfPhysicalPages >= 0x1fc00
• Equivalent to 508 MBs of RAM on IA-32 and AMD64
• nt!ExpPoolFlags & 0x200
• Each call to ExFreePoolWithTag appends a pool chunk
to a singly-linked deferred free list specific to each pool
descriptor
• Current number of entries is given by PendingFreeDepth
• The list is processed by the function ExDeferredFreePool if it
has 32 or more entries
42. ExDeferredFreePool
11. april 2011
• VOID ExDeferredFreePool(PPOOL_DESCRIPTOR
PoolDescriptor, BOOLEAN bMultiThreaded)
• For each entry on pending frees list
• If next chunk is free and not page aligned
• Safe unlink and merge with current chunk
• If previous chunk is free
• Safe unlink and merge with current chunk
• If resulting chunk is a full page
• Add to full page list
• Else
• Add to front of appropriate ListHeads list
• For each page in full page list
• Call nt!MiFreePoolPages
43. Free Pool Chunk Ordering
11. april 2011
• Frees to the lookaside and pool descriptor
ListHeads are always put in the front of the
appropriate list
• Exceptions are remaining fragments of split blocks which
are put at the tail of the list
• Blocks are split when the pool allocator returns chunks
larger than the requested size
• Full pages split in ExpBigPoolAllocation
• ListHeads[n] entries split in ExAllocatePoolWithTag
• Allocations are always made from the most
recently used blocks, from the front of the
appropriate list
• Attempts to use the CPU cache as much as possible
45. Overview
11. april 2011
• Traditional ListEntry Attacks (< Windows 7)
• ListEntry Flink Overwrite
• Lookaside Pointer Overwrite
• PoolIndex Overwrite
• PendingFrees Pointer Overwrite
• Quota Process Pointer Overwrite
46. ListEntry Overwrite (< Windows 7)
11. april 2011
• All free list (ListHeads) pool chunks are linked
together by LIST_ENTRY structures
• Vista and former versions do not validate the
structures’ forward and backward pointers
• A ListEntry overwrite may be leveraged to
trigger a write-4 in the following situations
• Unlink in merge with next pool chunk
• Unlink in merge with previous pool chunk
• Unlink in allocation from ListHeads[n] free list
47. ListEntry Overwrite (Merge With Next)
11. april 2011
Pool List
Header Entry
Pool
Blink
Flink
Header Pool overflow
(busy)
Chunk to be freed
Pool List
Header Entry
PoolType
Pool
Blink
Flink
Header
(busy)
PoolType set to 0 (free)
Pool
Header unlinked chunk write-4
(free)
Chunk size is updated to When the overflowing chunk is freed, the
accomodate the merged chunk next bordering chunk is merged and unlinked
48. ListEntry Overwrite (Merge With Previous)
11. april 2011
Pool
Header
Pool
Header Pool overflow (busy)
(busy)
Chunk to be freed
PoolType set to 0 (free)
Pool
Header
Pool Fake
Previou
Blink
Flink
sSize
Header Header (busy)
(busy) (free)
Use overflow to create a fake pool PreviousSize updated
header for merging freed chunk for fake previous header
Pool
unlinked chunk
Header (free)
write-4
(busy)
When the corrupted chunk is freed, the fake
previous chunk is unlinked before being merged
49. ListEntry Flink Overwrite
11. april 2011
• Windows 7 uses safe unlinking to validate the
LIST_ENTRY pointers of a chunk being unlinked
• In allocating a pool chunk from a ListHeads free
list, the kernel fails to properly validate its forward
link
• The algorithm validates the ListHeads[n] LIST_ENTRY
structure instead
• Overwriting the forward link of a free chunk may
cause the address of ListHeads[n] to be written to
an attacker controlled address
• Target ListHeads[n] list must hold at least two free chunks
50. The Not So Safe Unlink
11. april 2011
After unlink
• FakeEntry.Blink = ListHeads[n]
• ListHeads[n].Flink = FakeEntry
Pool Descriptor ListHeads Chunk to be unlinked
FakeEntry
ListHeads[n].Flink
overflow
Pool
(validated in safe unlink)
Pool Pool
Index for BlockSize n,
Header Header
Flink points to first
chunk to be allocated Flink Flink Flink
ListEntry
Blink Blink Blink
PreviousEntry.Flink
ListHeads[n].Blink (validated in safe unlink)
(validated in safe unlink) NextEntry.Blink
(validated in safe unlink)
51. ListEntry Flink Overwrite
11. april 2011
• In the following output, the address of
ListHeads[n] (esi) in the pool descriptor is
written to an attacker controlled address (eax)
• Pointers are not sufficiently validated when
allocating a pool chunk from the free list
eax=80808080 ebx=829848c0 ecx=8cc15768 edx=8cc43298 esi=82984a18 edi=829848c4
eip=8296f067 esp=82974c00 ebp=82974c48 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!ExAllocatePoolWithTag+0x4b7:
8296f067 897004 mov dword ptr [eax+4],esi ds:0023:80808084=????????
52. ListEntry Flink Overwrite
11. april 2011
• After unlink, the attacker may control the
address of the next allocated entry
• ListHeads[n].Flink = FakeEntry
• FakeEntry can be safely unlinked as its blink was
updated to point back to ListHeads[n]
• FakeEntry.Blink = ListHeads[n]
• If a user-mode pointer is used in the overwrite,
the attacker could fully control the contents of
the next allocation
53. ListEntry Flink Overwrite
11. april 2011
Pool Descriptor ListHeads
Next
FakeEntry
ListHeads[n].Flink Chunk to
(validated in safe unlink) be unlinked
Pool
Index for BlockSize n,
Header
Flink points to first
chunk to be allocated Flink FakeEntry Flink
ListEntry
Blink Blink
PreviousEntry.Flink
ListHeads[n].Blink (validated in safe unlink)
(validated in safe unlink) FakeEntry.Blink
(updated in previous unlink
and validated in safe unlink)
54. Lookaside Pointer Overwrite
11. april 2011
• Pool chunks and pool pages on lookaside lists
are singly-linked
• Each entry holds a pointer to the next entry
• Overwriting a next pointer may cause the kernel pool
allocator to return an attacker controlled address
• A pool chunk is freed to a lookaside list if the
following hold
• BlockSize <= 0x20 for paged/non-paged pool chunks
• BlockSize <= 0x19 for paged session pool chunks
• Lookaside list for target BlockSize is not full
• Hot/cold page separation is not used
55. Lookaside Pointer Overwrite (Chunks)
11. april 2011
Per-Processor Non- Pool overflow into a
Paged Lookaside Lists lookaside list chunk
Pool overflow
PPNPagedLookasideList[0]
PPNPagedLookasideList[1] Header
Next Next arbitrary
ListHead
address
Depth
PPNPagedLookasideList[2]
PPNPagedLookasideList[0]
After an allocation has been
PPNPagedLookasideList[1] made for BlockSize 2, the
Next pointer points to the
arbitrary
Next attacker supplied address
ListHead
address
Depth
PPNPagedLookasideList[2]
56. Lookaside Pointer Overwrite (Pages)
11. april 2011
• A pool page is freed to a lookaside list if the
following hold
• NumberOfPages = 1 for paged pool pages
• NumberOfPages <= 3 for non-paged pool pages
• Lookaside list for target page count is not full
• Size limit determined by physical page count in system
• A pointer overwrite of lookaside pages requires
at most a pointer-wide overflow
• No pool headers on free pool pages!
• Partial pointer overwrites may also be sufficient
57. Lookaside Pointer Overwrite (Pages)
11. april 2011
Page-aligned pointer to
Pool overflow
next lookaside pool page
Node (KNODE)
PagedPoolSListHead
Next Next
NonPagedPool
SListHead[0]
Depth
Pool page arbitrary
(0x1000 address
NonPagedPoolSListHead[1] bytes)
NonPagedPoolSListHead[2]
PagedPoolSListHead
Next MiAllocatePoolPages
NonPagedPool returns a page with an
SListHead[0]
Depth address we control
arbitrary
address
NonPagedPoolSListHead[1]
NonPagedPoolSListHead[2]
58. PendingFrees Pointer Overwrite
11. april 2011
• Pool chunks waiting to be freed are stored in
the pool descriptor deferred free list
• Singly-linked (similar to lookaside list)
• Overwriting a chunk’s next pointer will cause
an arbitrary address to be freed
• Inserted in the front of ListHeads[n]
• Next pointer must be NULL to end the linked list
• In freeing a user-mode address, the attacker
may control the contents of subsequent
allocations
• Must be made from the same process context
59. PendingFrees Pointer Overwrite
11. april 2011
Paged Pool Descriptor
0 PoolType
Pool overflow
4 PagedLock
Pool
…
Header
100h PendingFrees Next arbitrary
address
104h PendingFreesDepth
Data
Put in front of
140h ListHeads[512] ListHeads[n] on free
Pool Header
140h Flink Flink Attacker controlled address is
+ returned in requesting memory
N*8 Blink Blink from ListHeads[n]
60. PendingFrees Pointer Overwrite Steps
11. april 2011
• Free a chunk to the deferred free list
• Overwrite the chunk’s next pointer
• Or any of the deferred free list entries (32 in total)
• Trigger processing of the deferred free list
• Attacker controlled pointer freed to designated free
list
• Force allocation of the controlled list entry
• Allocator returns user-mode address
• Corrupt allocated entry
• Trigger use of corrupted entry
61. PoolIndex Overwrite
11. april 2011
• A pool chunk’s PoolIndex denotes an index into
the associated pool descriptor array
• For paged pools, PoolIndex always denotes an
index into the nt!ExpPagedPoolDescriptor array
• On checked builds, the index value is validated in a
compare against nt!ExpNumberOfPagedPools
• On free (retail) builds, the index is not validated
• For non-paged pools, PoolIndex denotes an
index into nt!ExpNonPagedPoolDescriptor
when there are multiple NUMA nodes
• PoolIndex is not validated on free builds
62. PoolIndex Overwrite
11. april 2011
Pool chunk in which
the overflow occurs Chunk that is corrupted
Pool
Header
PreviousSize
PoolIndex
BlockSize
PoolType
Pool Header Pool overflow Chunk data Pool Header
Pool descriptor Pool type
array index
BlockSize of the
previous chunk BlockSize of the
next chunk
63. PoolIndex Overwrite
11. april 2011
• A malformed PoolIndex may cause an allocated
pool chunk to be freed to a null-pointer pool
descriptor
• Controllable with null page allocation
• Requires a 2 byte pool overflow
• When linking in to a controlled pool descriptor,
the attacker can write the address of the freed
chunk to an arbitrary location
• No checks performed when “linking in”
• All ListHeads entries are fully controlled
• ListHeads[n].Flink->Blink = FreedChunk
64. PoolIndex Overwrite
11. april 2011
Index Virtual Address
NULL Paged Pool Descriptor
Freed pool chunk
The virtual null page is
0 8b1ac000 0 PoolType
mapped to control the
contents of the «null»
1 8b1ad140 4 PagedLock paged pool descriptor
Pool Header
PreviousSize
2 8b1ae280 …
PoolIndex
BlockSize
PoolType
Chunk data
3 8b1af3c0 100h PendingFrees
4 8b1b0500 104h PendingFreesDepth
PoolIndex set to 5 5 0 140h ListHeads[512]
Pool Header
6 0 140h Flink Flink
+
N*8 Blink Blink
… 0
15 0
Attacker-controlled Updated with pointer
pointers to freed chunk
nt!ExpPagedPoolDescriptor
65. PoolIndex Overwrite (Delayed Frees)
11. april 2011
• If delayed pool frees are enabled, the same
effect can be achieved by creating a fake
PendingFrees list
• First entry should point to a user crafted chunk
• The PendingFreeDepth field of the pool
descriptor should be >= 0x20 to trigger
processing of the PendingFrees list
• The free algorithm of ExDeferredFreePool does
basic validation on the crafted chunks
• Coalescing / safe unlinking
• The freed chunk should have busy bordering chunks
66. PoolIndex Overwrite (Delayed Frees)
11. april 2011
Freed pool chunk
NULL Paged Pool Descriptor
Pool
1st chunk to be
Header
0x0 PoolType linked into
PreviousSize
ListHeads[n]
PoolIndex
BlockSize
PoolType
Virtual 0x4 PagedLock
Data
Address
… Pool Header
100h PendingFrees Next
arbitrary
0 8b1ac000 104h PendingFreesDepth
Data
1 8b1ad140
2 8b1ae280
140h ListHeads[512] Put in front of ListHeads[n]
3 8b1af3c0
Pool Header Pool Header
4 8b1b0500
140h Flink Flink Flink
5 0 +
N*8 Blink Blink Blink
Index … 0
15 0 The virtual null page is
mapped to control the Freed chunks are put in front of the
contents of the «null» linked list, hence the blink of the
paged pool descriptor block previously in front is updated
nt!ExpPagedPoolDescriptor
67. PoolIndex Overwrite (Example)
11. april 2011
• In controlling the PendingFrees list, a user-
controlled virtual address (eax) can be written
to an arbitrary destination address (esi)
• In turn, this can be used to corrupt function
pointers used by the kernel to execute arbitrary
code
eax=20000008 ebx=000001ff ecx=000001ff edx=00000538 esi=80808080 edi=00000000
eip=8293c943 esp=9c05fb20 ebp=9c05fb58 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExDeferredFreePool+0x2e3:
8293c943 894604 mov dword ptr [esi+4],eax ds:0023:80808084=????????
68. PoolIndex Overwrite + Coalescing
11. april 2011
• If delayed frees are not used, we can still write
a user-controlled address to an arbitrary
location by coalescing the freed chunk
• Need to free an adjacent pool chunk
• This will cause the chunk to be unlinked and
update the target address Blink with a pointer
back to the null-page ListHeads entry
69. PoolIndex Overwrite + Coalescing
11. april 2011
Null-page pool descriptor Target address
ListHeads entry before 1st free (e.g. HalDispatchTable)
140h HalDispatchTable +0
+
n*8 Blink xHalQuerySystemInformation
Corrupted pool chunk is freed
Pool Header
140h Corrupted Chunk Flink +0
+
n*8 Blink Blink Corrupted Chunk
«Blink» points back to
kernel pool address
Corrupted pool chunk is coalesced
with adjacent free and unlinked
140h HalDispatchTable +0
+
n*8 Blink ListHeads Entry
Pointer updated with null-
page address after unlink
70. Quota Process Pointer Overwrite
11. april 2011
• Quota charged pool allocations store a pointer
to the associated process object
• x86: last four bytes of pool body
• x64: last eight bytes of pool header
• Upon freeing a pool chunk, the quota is
released and the process object is dereferenced
• The object’s reference count is decremented
• Overwriting the process object pointer could
allow an attacker to free an in-use process
object or corrupt arbitrary memory
71. Quota Process Pointer Overwrite
11. april 2011
x64
Pool Header
PreviousSize
PoolIndex
BlockSize
PoolType
Process Pool
Pool Header Pool overflow
Pointer Header
Process pointer stored in the pool header or at the
x86
end of the pool body depending on platform
architecture
Pool Header
PreviousSize
PoolIndex
BlockSize
PoolType
Process Pool
Pool Header Pool overflow
Pointer Header
PoolType & 0x8
(quota used)
72. Quota Process Pointer Overwrite
11. april 2011
• Quota information is stored in a
EPROCESS_QUOTA_BLOCK structure
• Pointed to by the EPROCESS object
• Provides information on limits and how much quota
is being used
• On free, the charged quota is returned by
subtracting the size of the allocation from the
quota used
• An attacker controlling the quota block pointer could
decrement the value of an arbitrary address
• More on this later!
73. Arbitrary Pointer Decrement
11. april 2011
Address of executive process
object controlled by the attacker
EPROCESS EPROCESS_QUOTA_BLOCK
Usage counter decremented
on free, for which the
address is controlled by the
attacker
Quota charged pool allocation (x86)
Process
Pool Header Pool overflow Pool Header
Pointer
74. Summary of Attacks
11. april 2011
• Corruption of busy pool chunk
• BlockSize <= 0x20
• PoolIndex + PoolType/BlockSize Overwrite
• Quota Process Pointer Overwrite
• BlockSize > 0x20
• PoolIndex (+PoolType) Overwrite
• Quota Process Pointer Overwrite
• Corruption of free pool chunk
• BlockSize <= 0x20
• Lookaside Pointer Overwrite
• BlockSize > 0x20
• ListEntry Flink Overwrite / PendingFrees Pointer Overwrite
76. Case Study Agenda
11. april 2011
• Two pool overflow vulnerabilities
• Both perceived as difficult to exploit
• CVE-2010-3939 (MS10-098)
• Win32k CreateDIBPalette() Pool Overflow
• CVE-2010-1893 (MS10-058)
• Integer Overflow in Windows Networking
77. CVE-2010-3939 (MS10-098)
11. april 2011
• Pool overflow in win32k!CreateDIBPalette()
• Discovered by Arkon
• Function did not validate the number of color
entries in the color table used by a bitmap
• BITMAPINFOHEADER.biClrUsed
• Every fourth byte of the overflowing buffer was set
to 4
• Can only reference 0x4xxxxxx addresses (user-mode)
• PoolType is always set to NonPaged
Pool Header
Pool Header Pool overflow X X X 0x2
PoolType = NonPaged | InUse
(0x2 due to bit alignment of field on x86)
78. CVE-2010-3939 (MS10-098)
11. april 2011
• The attacker could coerce the pool allocator to
return a user-mode pool chunk
• ListEntry Flink Overwrite
• Lookaside Overwrite
• Requires the kernel pool to be cleaned up in
order for execution to continue safely
• Repair/remove broken linked lists
Pool Header Next Pointer
Pool Header Pool overflow 0x4xxxxxx
79. CVE-2010-3939 (MS10-098)
11. april 2011
• Vulnerable buffer is also quota charged
• Can overwrite the process object pointer (x86)
• No pool chunks are corrupted (clean!)
• Tactic: Decrement the value of a kernel-mode
window object procedure pointer
• Trigger the vulnerability n-times until it points to
user-mode memory and call the procedure
Quota charged allocation
Process
Pool Header Pool overflow Pool Header
Pointer
81. CVE-2010-1893 (MS10-058)
11. april 2011
• Integer overflow in
tcpip!IppSortDestinationAddresses()
• Discovered by Matthieu Suiche
• Affected Windows 7/2008 R2 and Vista/2008
• Function did not use safe-int functions
consistently
• Could result in an undersized buffer allocation,
subsequently leading to a pool overflow
82. IppSortDestinationAddresses()
11. april 2011
• Sorts a list of IPv6 and IPv4 destination addresses
• Each address is a SOCKADDR_IN6 record
• Reachable from user-mode by calling WSAIoctl()
• Ioctl: SIO_ADDRESS_LIST_SORT
• Buffer: SOCKET_ADDRESS_LIST structure
• Allocates buffer for the address list
• iAddressCount * sizeof(SOCKADDR_IN6)
• No overflow checks in multiplication
typedef struct _SOCKET_ADDRESS_LIST {
INT iAddressCount;
SOCKET_ADDRESS Address[1];
} SOCKET_ADDRESS_LIST, *PSOCKET_ADDRESS_LIST;
83. IppFlattenAddressList()
11. april 2011
• Copies the user provided address list to the
allocated kernel pool chunk
• An undersized buffer could result in a pool
overflow
• Overflows the next pool chunk with the size of an
address structure (0x1c bytes)
• Stops copying records if the size != 0x1c or the
protocol family != AF_INET6 (0x17)
• Possible to avoid trashing the kernel pool completely
• The protocol check is done after the memcpy()
• We can overflow using any combination of bytes
84. Pool Overflow
11. april 2011
Pool chunk in which
the overflow occurs
Blocksize padding
Pool Address Address Address Pool
Pool overflow Chunk data
Header Record Record Record Header
SOCKADDR_IN6
structure (0x1c bytes) Corrupted memory
(0x1c bytes minimum)
85. Exploitation Tactics
11. april 2011
• Can use the PoolIndex attack to extend the
pool overflow to an arbitrary memory write
• Must overwrite a busy chunk
• Overwritten chunk must be freed to ListHeads
• BlockSize > 0x20
• Or… fill the lookaside list
• To overflow the desired pool chunk, we must
defragment and manipulate the kernel pool
• Allocate chunks of the same size
• Create “holes” by freeing every other chunk
86. Filling the Kernel Pool
11. april 2011
• What do we use to fill the pool ?
• Depends on the pool type
• Should be easy to allocate and free
• NonPaged Pool
• NT objects (low overhead)
• Paged Pool
• Unicode strings (e.g. object properties)
• Session Paged Pool
• Window Manager (USER) and GDI objects
87. Kernel Pool Manipulation
• We create holes for every second allocation
11. april 2011
• The vulnerable buffer is later allocated in one of these holes
• Freeing the remaining allocations after triggering the
vulnerability mounts the PoolIndex attack
kd> !pool @eax
Pool page 976e34c8 region is Nonpaged pool
976e32e0 size: 60 previous size: 60 (Allocated) IoCo (Protected)
976e3340 size: 60 previous size: 60 (Free) IoCo
976e33a0 size: 60 previous size: 60 (Allocated) IoCo (Protected)
976e3400 size: 60 previous size: 60 (Free) IoCo
976e3460 size: 60 previous size: 60 (Allocated) IoCo (Protected)
*976e34c0 size: 60 previous size: 60 (Allocated) *Ipas
Pooltag Ipas : IP Buffers for Address Sort, Binary : tcpip.sys
976e3520 size: 60 previous size: 60 (Allocated) IoCo (Protected)
976e3580 size: 60 previous size: 60 (Free) IoCo
976e35e0 size: 60 previous size: 60 (Allocated) IoCo (Protected)
976e3640 size: 60 previous size: 60 (Free) IoCo
90. ListEntry Flink Overwrites
11. april 2011
• Can be addressed by properly validating the
flink and blink of the chunk being unlinked
• Yep, that’s it...
91. Lookaside Pointer Overwrites
11. april 2011
• Lookaside lists are inherently insecure
• Unchecked embedded pointers
• All pool chunks must reserve space for at least
the size of a LIST_ENTRY structure
• Two pointers (flink and blink)
• Chunks on lookaside lists only store a single
pointer
• Could include a cookie for protecting against pool
overflows
• Cookies could also be used by PendingFrees list
entries
92. Lookaside Pool Chunk Cookie
11. april 2011
Pool overflow
Per-Processor Non-
Paged Lookaside Lists
PPNPagedLookasideList[0] Header Header
PPNPagedLookasideList[1] Cookie Cookie
Next Next Next
ListHead
Depth
PPNPagedLookasideList[2]
ExAllocatePoolWithTag verifies
Cookie before returning the chunk
93. PoolIndex Overwrites
11. april 2011
• Can be addressed by validating the PoolIndex
value before freeing a pool chunk
• E.g. is PoolIndex > nt!ExpNumberOfPagedPools ?
• Also required the NULL-page to be mapped
• Could deny mapping of this address in non-privileged
processes
• Would probably break some applications (e.g. 16-bit
WOW support)
94. Quota Process Pointer Overwrites
11. april 2011
• Can be addressed by encoding or obfuscating
the process pointer
• E.g. XOR’ed with a constant unknown to the attacker
• Ideally, no pointers should be embedded in
pool chunks
• Pointers to structures that are written to can easily
be leveraged to corrupt arbitrary memory
96. Future Work
11. april 2011
• Pool content corruption
• Object function pointers
• Data structures
• Remote kernel pool exploitation
• Very situation based
• Kernel pool manipulation is hard
• Attacks that rely on null page mapping are infeasible
• Kernel pool manipulation
• Becomes more important as generic vectors are
addressed
97. Conclusion
11. april 2011
• The kernel pool was designed to be fast
• E.g. no pool header obfuscation
• In spite of safe unlinking, there is still a big window
of opportunity in attacking pool metadata
• Kernel pool manipulation is the key to success
• Attacks can be addressed by adding simple checks
or adopting exploit prevention features from the
userland heap
• Header integrity checks
• Pointer encoding
• Cookies
98. References
11. april 2011
• SoBeIt[2005] – SoBeIt
How to exploit Windows kernel memory pool,
X’con 2005
• Kortchinsky[2008] – Kostya Kortchinsky
Real-World Kernel Pool Exploitation,
SyScan 2008 Hong Kong
• Mxatone[2008] – mxatone
Analyzing Local Privilege Escalations in win32k,
Uninformed Journal, vol. 10 article 2
• Beck[2009] – Peter Beck
Safe Unlinking in the Kernel Pool,
Microsoft Security Research & Defense (blog)