Mr201308 understanding bypassing aslr by a pointer at a fixed address eng
•
0 likes•1,237 views
This document summarizes a vulnerability (CVE-2013-2556) that allows bypassing of address space layout randomization (ASLR). It discusses how on 32-bit Windows, a fixed pointer to KiFastSystemCall could be leveraged, and on 32-bit processes on 64-bit Windows, a fixed pointer to LdrHotPatchRoutine could be used to load arbitrary DLLs. Microsoft patch MS13-063 addressed this by removing the fixed pointer to LdrHotPatchRoutine and making its location randomized.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Mr201308 understanding bypassing aslr by a pointer at a fixed address eng
Similar to Mr201308 understanding bypassing aslr by a pointer at a fixed address eng (20)
More from FFRI, Inc.
More from FFRI, Inc. (20)
Recently uploaded
Recently uploaded (20)
Mr201308 understanding bypassing aslr by a pointer at a fixed address eng
- 1. FFRI,Inc. 1 Monthly Research Understanding bypassing ASLR by a pointer at a fixed address FFRI,Inc. http://www.ffri.jp Ver 2.00.01
- 2. FFRI,Inc. • Security patch published by Microsoft in Aug 2013 • Includes a fix for ALSR bypassing vulnerability(CVE-2013-2556) • This slide is about the detail of the vulnerability and the fix MS13-063 2
- 3. FFRI,Inc. • Published in CansecWest2013 – This vulnerability alone does not allow an attacker to exploit an application (need another vulnerability for successful exploit) – This vulnerability allows an attacker to bypass ASLR if another specific kind of vulnerability can be found. A summary of the ASLR bypassing vulnerability(CVE-2013-2556) 3
- 4. FFRI,Inc. • This vulnerability was published with a title “DEP/ASLR bypass without ROP/JIT” in CanSecWest2013 by Yang Yu. • Mainly 2 problems – In 32bit Windows, a pointer to KiFastSystemCall is at a fixed address – In a 32bit process on 64bit Windows, a pointer to LdrHotPatchRoutine is at a fixed address Why these pointers at fixed addresses are problem? Can be used to bypass ASLR if there is use-after-free/heap overflow vulnerability which leads overwriting a pointer to a vtable of C++ objects. What is “overwriting a pointer to a vtable” Details of the vulnerability 4
- 5. FFRI,Inc. • C++ Object layout in general C++ implementation. • How C++ calls member functions Preliminary knowledge:C++ object layout 5 A pointer to a vtable // Note that member functions are “virtual” class MyClass { public: MyClass(); virtual ~MyClass(); virtual void doWork(); private: int m_myVariable; }; Instantiate m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object // code to call doWork() // ecx has the address of a MyWorker object mov eax,dword ptr [ecx] // eax is the address of the vtable push ecx // argument for the function call(*) call dword ptr [eax+4] // call doWork() (the address is obtained from the vtable) * The first argument for cdecl calling convention is “this” pointer vtable for MyClass class
- 6. FFRI,Inc. • What happens if a pointer to a vtable can be rewritten? A problem of rewriting a pointer to a vtable 6 A pointer to a vtable m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object vtable for MyClass class Rewrite here Value in memory 1 Value in memory 2 Somewhere in memory ??? //The exactly same code from the previous slide. //Rewriting a pointer to a vtable results in executing another function mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // argument for the function call call dword ptr [eax+4] // Execute the memory “Value in memory 2” points to
- 7. FFRI,Inc. • Rewrite a pointer to a vtable in such a way that KiFastSystemCall is called • KiFastSystemCall is a shared code to call system call in Windows • ASLR is irrelevant in this scenario In case of a pointer to KiFastSystemCall is at a fixed address 7 A pointer to a vtable m_myVariable A pointer to ~MyClass() A pointer to doWork() MyClass object vtable for MyClass classRewrite with a fixed value by utilizing a vulnerability (use-after-free/heap overflow) Value in memory 1 KiFastSystemCallへのポインタ Fixed address KiFastSystemCall KiFastSystemCall is called. However, calling system call with some arguments as an attacker intends to is difficult. mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // argument for the function call call dword ptr [eax+4] // call KiFastSystemCall
- 8. FFRI,Inc. • In 64bit Windows, a pointer KiFastSystemCall does not exist at a fixed address. • But 32bit processes on 64bit Windows have a pointer to LdrHotPatchRoutine at a fixed address. • LdrHotPatchRoutine internally loads a DLL which is specified via its argument. • A pointer to LdrHotPatchRoutine resides in SharedUserData in 32bit processes on 64bit Windows • SharedUserData is at a fixed address(0x7ffe0000) Overwrite C++ object in such a way that the vtable includes a pointer to LdrHotPatchRoutine. DLL can be loaded. Using LdrHotPatchRoutine 8 … … 0x7ffe0000 (fixed address) SharedUserData A pointer to LdrHotPatchRoutine LdrHotPatchRoutine struct HotPatchBuffer{ … USHORT PatcherNameOffset; // An offset to a DLL name to load USHORT PatcherNameLen; // The length of the DLL … }; void LdrHotPatchRoutine( struct *HotPatchBuffer);
- 9. FFRI,Inc. • Rewrite a pointer to a vtable in such a way as calling LdrHotPatchRoutine In case of a pointer to LdrHotPatchRoutine is at a fixed address 9 A pointer to a vtable A pointe to ~MyClass() A pointer to doWork() MyClass object mov eax,dword ptr [ecx] // eax is the address of vtable push ecx // pass the object address as an argument call dword ptr [eax+4] // call LdrHotPatchRoutine A vtable for MyClass classRewrite here by utilizing a vulnerability Value in memory 1 A pointer to LdrHotPatchRoutine Fixed address LdrHotPatchRoutine • LdrHotPatchRoutine is called. • Constructing an argument to LdrHotPatchRoutine (with a DLL name such as ¥¥192.168.1.100¥foo.dll) will results in loading a DLL on a server. • Note that the object can be overwritten with arbitrary data when an attacker overwrites a pointer to a vtable Construct here as a HotPatchBuffer structure
- 10. FFRI,Inc. • MS13-063 fixes the vulnerability in such a way that a pointer to LdrHotPatchRoutine is not at a fixed address. – Eliminate a function table in SharedUserData – Move the function table to a data section in ntdll.dll and export it as LdrSystemDllInitBlock • ASLR is enabled on ntdll.dll and it makes the address of the function table not fixed. Can not bypass ASLR to load a DLL by utilizing LdrHotPatchRoutine The fix in MS13-063 10 A pointer to LdrHotPatchRoutine Randomized
- 11. FFRI,Inc. References • http://technet.microsoft.com/ja-jp/security/bulletin/ms13- 063 • http://cansecwest.com/slides/2013/DEP- ASLR%20bypass%20without%20ROP-JIT.pdf • http://blogs.technet.com/b/srd/archive/2013/08/12/mitigatin g-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13- 063.aspx • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 2013-2556 11
- 12. FFRI,Inc. Contact Information E-Mail : research-feedback@ffri.jp Twitter: @FFRI_Research 12