Peter Tröger, profile picture
Uploaded byPeter Tröger
530 views

WannaCry - An OS course perspective

The document discusses vulnerabilities related to the WannaCry ransomware, specifically focusing on pool corruption and the EternalBlue exploit. It describes how Windows file sharing and the kernel mode network stack facilitate attacks by exploiting memory allocation in the non-paged pool. The outlined exploitation technique involves manipulating SMB connections to trigger overflows and take control of the kernel's memory handling.

Internet
Related topics:
OS

Embed presentation

Download to read offline
WannaCry An OS course perspective
MS17-10
Pool corruption • Pools are memory regions for kernel mode code • Used by drivers and kernel software • Standard heap management • Minimal protection, performance optimization • Pool corruption: Writing over the end of your allocated region
EternalBlue Exploit • https://github.com/RiskSense-Ops/MS17-010/blob/ master/exploits/eternalblue/ ms17_010_eternalblue.rb • https://gist.github.com/worawit/ bd04bad3cd231474763b873df081c09a • https://securingtomorrow.mcafee.com/executive- perspectives/analysis-wannacry-ransomware- outbreak/
Attacking the pool (I) • Windows file sharing listens on port 445 for imcoming SMB connections • Network stack is kernel mode code (srvnet.sys) • Incoming network data is stored in kernel mode buffer from the non-paged pool • Problem: Heap allocation ‚fills the holes‘
Attacking the pool (II) • Approach: Allocate large chunks in pool • Leads to ‚de-randomization‘ • Large chunks become aligned one after the other • Exploit triggers this by opening multiple SMB connections and sending large packages (grooming)
Overflow • Send large initial SMB1 package • Kernel needs to store received data • srvnet.sys allocates space in non-paged pool • Grooming • First connection is closed, leaving adjacent hole • Sending of overflow data, hole is used
Overflow • Overflow overwrites SMB data structure stored in subsequent memory • struct SRVNET_POOLHDR • Contains a pointer being called when finalizing a SMB request • If accidental overwriting is done right, then the callback target is the data we sent before • Close connection, kernel stack calls our function
Game over.

More Related Content

PPTX
Bridging the Semantic Gap in Virtualized Environment
byAndy Lee
 
PDF
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
byJames Morris
 
PDF
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
byThe Linux Foundation
 
PDF
Linux Kernel Security Overview - KCA 2009
byJames Morris
 
PDF
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
byThe Linux Foundation
 
PDF
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...
byThe Linux Foundation
 
PPT
Introduction to Linux Kernel by Quontra Solutions
byQUONTRASOLUTIONS
 
PDF
Virtual Machine Introspection in a Hyberid Honeypot Architecture
byTamas K Lengyel
 
Bridging the Semantic Gap in Virtualized Environment
byAndy Lee
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
byJames Morris
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
byThe Linux Foundation
 
Linux Kernel Security Overview - KCA 2009
byJames Morris
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
byThe Linux Foundation
 
XPDS16: Hypervisor-based Security: Vicarious Learning via Introspektioneerin...
byThe Linux Foundation
 
Introduction to Linux Kernel by Quontra Solutions
byQUONTRASOLUTIONS
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
byTamas K Lengyel
 

What's hot

PDF
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
byThe Linux Foundation
 
PDF
PVH : PV Guest in HVM container
byThe Linux Foundation
 
PDF
Adding Extended Attribute Support to NFS
byJames Morris
 
PDF
XPDS16: CPUID handling for guests - Andrew Cooper, Citrix
byThe Linux Foundation
 
PDF
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
byThe Linux Foundation
 
PPTX
Introduction to Linux Kernel
byStryker King
 
PDF
XPDS16: Xen Development Update
byThe Linux Foundation
 
PDF
Linux kernel module programming guide
byDũng Nguyễn
 
PDF
High Performance Storage Devices in the Linux Kernel
byKernel TLV
 
PDF
Browsing Linux Kernel Source
byMotaz Saad
 
PDF
Part 01 Linux Kernel Compilation (Ubuntu)
byTushar B Kute
 
PDF
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
byThe Linux Foundation
 
PDF
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...
byThe Linux Foundation
 
PDF
Linux Kernel and Driver Development Training
byStephan Cadene
 
PDF
Directions in SELinux Networking
byJames Morris
 
PDF
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
byJames Morris
 
PDF
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
byScott K. Larson
 
PDF
Part 02 Linux Kernel Module Programming
byTushar B Kute
 
PDF
OffensiveCon2022: Case Studies of Fuzzing with Xen
byTamas K Lengyel
 
PDF
ELC21: VM-to-VM Communication Mechanisms for Embedded
byStefano Stabellini
 
XPDS16: libvirt and Tools: What's New and What's Next - James Fehlig, SUSE
byThe Linux Foundation
 
PVH : PV Guest in HVM container
byThe Linux Foundation
 
Adding Extended Attribute Support to NFS
byJames Morris
 
XPDS16: CPUID handling for guests - Andrew Cooper, Citrix
byThe Linux Foundation
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
byThe Linux Foundation
 
Introduction to Linux Kernel
byStryker King
 
XPDS16: Xen Development Update
byThe Linux Foundation
 
Linux kernel module programming guide
byDũng Nguyễn
 
High Performance Storage Devices in the Linux Kernel
byKernel TLV
 
Browsing Linux Kernel Source
byMotaz Saad
 
Part 01 Linux Kernel Compilation (Ubuntu)
byTushar B Kute
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
byThe Linux Foundation
 
XPDS16: Xen Orchestra: building a Cloud on top of Xen - Olivier Lambert & Jul...
byThe Linux Foundation
 
Linux Kernel and Driver Development Training
byStephan Cadene
 
Directions in SELinux Networking
byJames Morris
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
byJames Morris
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
byScott K. Larson
 
Part 02 Linux Kernel Module Programming
byTushar B Kute
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
byTamas K Lengyel
 
ELC21: VM-to-VM Communication Mechanisms for Embedded
byStefano Stabellini
 

More from Peter Tröger

PDF
Cloud Standards and Virtualization
byPeter Tröger
 
PDF
Distributed Resource Management Application API (DRMAA) Version 2
byPeter Tröger
 
PDF
OpenSubmit - How to grade 1200 code submissions
byPeter Tröger
 
PDF
Design of Software for Embedded Systems
byPeter Tröger
 
PDF
Humans should not write XML.
byPeter Tröger
 
PDF
What activates a bug? A refinement of the Laprie terminology model.
byPeter Tröger
 
PDF
Dependable Systems - Summary (16/16)
byPeter Tröger
 
PDF
Dependable Systems - Hardware Dependability with Redundancy (14/16)
byPeter Tröger
 
PDF
Dependable Systems - System Dependability Evaluation (8/16)
byPeter Tröger
 
PDF
Dependable Systems - Structure-Based Dependabiilty Modeling (6/16)
byPeter Tröger
 
PDF
Dependable Systems -Software Dependability (15/16)
byPeter Tröger
 
PDF
Dependable Systems -Reliability Prediction (9/16)
byPeter Tröger
 
PDF
Dependable Systems -Fault Tolerance Patterns (4/16)
byPeter Tröger
 
PDF
Dependable Systems - Introduction (1/16)
byPeter Tröger
 
PDF
Dependable Systems -Dependability Means (3/16)
byPeter Tröger
 
PDF
Dependable Systems - Hardware Dependability with Diagnosis (13/16)
byPeter Tröger
 
PDF
Dependable Systems -Dependability Attributes (5/16)
byPeter Tröger
 
PDF
Dependable Systems -Dependability Threats (2/16)
byPeter Tröger
 
PDF
Verteilte Software-Systeme im Kontext von Industrie 4.0
byPeter Tröger
 
PDF
Operating Systems 1 (12/12) - Summary
byPeter Tröger
 
Cloud Standards and Virtualization
byPeter Tröger
 
Distributed Resource Management Application API (DRMAA) Version 2
byPeter Tröger
 
OpenSubmit - How to grade 1200 code submissions
byPeter Tröger
 
Design of Software for Embedded Systems
byPeter Tröger
 
Humans should not write XML.
byPeter Tröger
 
What activates a bug? A refinement of the Laprie terminology model.
byPeter Tröger
 
Dependable Systems - Summary (16/16)
byPeter Tröger
 
Dependable Systems - Hardware Dependability with Redundancy (14/16)
byPeter Tröger
 
Dependable Systems - System Dependability Evaluation (8/16)
byPeter Tröger
 
Dependable Systems - Structure-Based Dependabiilty Modeling (6/16)
byPeter Tröger
 
Dependable Systems -Software Dependability (15/16)
byPeter Tröger
 
Dependable Systems -Reliability Prediction (9/16)
byPeter Tröger
 
Dependable Systems -Fault Tolerance Patterns (4/16)
byPeter Tröger
 
Dependable Systems - Introduction (1/16)
byPeter Tröger
 
Dependable Systems -Dependability Means (3/16)
byPeter Tröger
 
Dependable Systems - Hardware Dependability with Diagnosis (13/16)
byPeter Tröger
 
Dependable Systems -Dependability Attributes (5/16)
byPeter Tröger
 
Dependable Systems -Dependability Threats (2/16)
byPeter Tröger
 
Verteilte Software-Systeme im Kontext von Industrie 4.0
byPeter Tröger
 
Operating Systems 1 (12/12) - Summary
byPeter Tröger
 

Recently uploaded

PDF
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
PPTX
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 
PDF
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
PPTX
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
PDF
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
PPTX
Social media app presentation snapgram.pptx
byrayessafa21
 
PPTX
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
PPTX
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
Social media app presentation snapgram.pptx
byrayessafa21
 
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 

WannaCry - An OS course perspective

  • 1.
  • 5.
  • 6.
    Pool corruption • Poolsare memory regions for kernel mode code • Used by drivers and kernel software • Standard heap management • Minimal protection, performance optimization • Pool corruption: Writing over the end of your allocated region
  • 7.
    EternalBlue Exploit • https://github.com/RiskSense-Ops/MS17-010/blob/ master/exploits/eternalblue/ ms17_010_eternalblue.rb •https://gist.github.com/worawit/ bd04bad3cd231474763b873df081c09a • https://securingtomorrow.mcafee.com/executive- perspectives/analysis-wannacry-ransomware- outbreak/
  • 8.
    Attacking the pool(I) • Windows file sharing listens on port 445 for imcoming SMB connections • Network stack is kernel mode code (srvnet.sys) • Incoming network data is stored in kernel mode buffer from the non-paged pool • Problem: Heap allocation ‚fills the holes‘
  • 9.
    Attacking the pool(II) • Approach: Allocate large chunks in pool • Leads to ‚de-randomization‘ • Large chunks become aligned one after the other • Exploit triggers this by opening multiple SMB connections and sending large packages (grooming)
  • 10.
    Overflow • Send largeinitial SMB1 package • Kernel needs to store received data • srvnet.sys allocates space in non-paged pool • Grooming • First connection is closed, leaving adjacent hole • Sending of overflow data, hole is used
  • 11.
    Overflow • Overflow overwritesSMB data structure stored in subsequent memory • struct SRVNET_POOLHDR • Contains a pointer being called when finalizing a SMB request • If accidental overwriting is done right, then the callback target is the data we sent before • Close connection, kernel stack calls our function
  • 12.