abusing interrupts for reliable windows kernel exploitation (en)

Abusing Interrupts for Reliable Windows Kernel Exploitation 2015/11/14 AVTOKYO2015 inaz2

Upload: inaz2

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Abusing Interrupts for Reliable Windows Kernel Exploitation

2015/11/14

AVTOKYO2015

inaz2

Page 2: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

About me

• inaz2

• Security engineer & Python programmer

• Working at NTT Communications

• Weblog “momoiro technology”

• http://inaz2.hatenablog.com/


Page 3: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Windows kernel exploitation

• Attacks that exploit a vulnerability in kernel land

• Including vulnerabilities in device drivers

• A write-what-where condition/vulnerability is widely used

• Enables writing an arbitrary value to an arbitrary address

• Execute shellcode to escalate the privilege of the attacking process

• Then launch the administrator command prompt


Page 4: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Classic technique: halDispatchTable overwrite

• nt!NtQueryIntervalProfile internal API

• Calls [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile

• Overwrite [nt!halDispatchTable+4] to shellcode


Page 5: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Replace token shellcode

• Copy the token object from the System process (PID=4)

• Replace 41414141h with the attacking process’ PID

Page 6: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

It works but …

• Depends on the implementation of nt!NtQueryIntervalProfile

• The kernel implementation may change in the future (i.e. not reliable)

• Is there a more reliable target to overwrite?



Page 8: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

x86 interrupt handling

• There are hardware interrupts (keyboard etc.) and software interrupts (zero division etc.)

• Software interrupts are triggered by the “int n” instruction

• Interrupt Descriptor Table (IDT)

• Stores the addresses of the handler functions (Interrupt Software Routines; ISR) in each entry (interrupt gate)

• ISRs are executed in Ring 0

• Can do everything


Page 9: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

x86 privilege levels (protection rings)

• 4 privilege levels numbered from 0 to 3

• A greater number means less privilege

• Most OSes including Windows use only two rings

• Ring 0 corresponds to kernel mode and Ring 3 to user mode


Page 10: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Interrupt Descriptor Table (1/4)

• Intel Developer’s Manual Volume 3, Chapter 6


Page 11: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Interrupt Descriptor Table (2/4)

• Intel Developer’s Manual Volume 3, Chapter 6


Can be interrupted from Ring 3 if DPL=3

Page 12: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Interrupt Descriptor Table (3/4)

• WinDbg (KD) view


Page 13: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Interrupt Descriptor Table (4/4)

• Overwrite the interrupt gate for interrupt #0

• KD view of the overwritten gate (two dwords): 000884fc 4141ee00

• Handler address 414184fc, DPL=3

Page 14: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

IDT overwrite technique


• Get the IDT address

• Overwrite the interrupt gate for interrupt #n

• Trigger interrupt #n by the “int n” instruction

• Execute shellcode

Page 15: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Detailed procedure


Page 16: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Find the write-what-where vulnerability

• Write and install a vulnerable device driver

• Allows attacking a write-what-where vulnerability via IOCTL


Page 17: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Get the IDT address (1/2)


Can be used even in Ring 3!

Page 18: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Get the IDT address (2/2)

• The function that returns the IDT address


Disable alignment

Page 19: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Write the Interrupt Software Routine (ISR)

• Switch the value of the fs segment register

• 0x33 (TEB) → 0x30 (KPCR)

• Call the shellcode right after ISR

• Return by iretd instruction instead of ret


Page 20: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Allocate memory & put the codes

• Allocate nop-sled from 0x41410000 to 0x41420000

• Put the ISR code + shellcode from 0x41420000


Page 21: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Overwrite the interrupt gate

• Write 0x4141ee00 to the latter half of the interrupt gate for interrupt #32

• #32-255 are designated as user-defined interrupts (not reserved)


Page 22: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Trigger the software interrupt

• Execute “int 32”

• Shellcode is executed via the ISR

• Then launch cmd.exe


Page 23: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Demo


Page 24: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

What about 64 bit Windows?

• The size of interrupt gate increases to 16 bytes

• Since a 0x100000000-byte nop-sled is quite hard, overwriting the entire interrupt gate is required (i.e. write 2 times)

• However, my VirtualBox VM hangs when the interrupt is triggered (PatchGuard??)
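The gate layouts on pages 13, 21 and 24 are what an IDT-integrity check has to decode. As an added example (not code from the slides or from the author), the C below decodes raw 8-byte (x86) and 16-byte (x64) interrupt gate descriptors following Intel SDM Volume 3, Chapter 6, and audits each decoded gate for the traits the deck describes: a handler offset in user space, a selector other than the kernel code segment, or DPL=3 on a vector that ring 3 is not expected to be able to raise. The KD line from page 13 (`000884fc 4141ee00`) is reproduced as bytes; the "clean" descriptors, the kernel address floors (0x80000000 for x86 with the default 2 GB split, 0xFFFF800000000000 for x64) and the expected kernel code selectors (0x08 on x86, 0x10 on x64) are assumptions made for the example.

```c
/*
 * Added example, not code from the slides: decode raw IDT gate descriptors
 * (Intel SDM Vol. 3, Chapter 6 layouts) and audit them for the traits the
 * deck describes: a handler offset in user space, a wrong code selector, or
 * DPL=3 on a vector that ring 3 is not expected to be able to raise.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint64_t offset;   /* handler linear address */
    uint16_t selector; /* code segment selector the handler runs with */
    uint8_t  type;     /* gate type nibble: 0xE = interrupt gate, 0xF = trap gate */
    uint8_t  dpl;      /* descriptor privilege level; 3 = raisable by "int n" from Ring 3 */
    uint8_t  present;  /* P bit */
    uint8_t  ist;      /* 64-bit only: interrupt stack table index */
} idt_gate_t;

enum {
    IDT_OK              = 0,
    IDT_USER_OFFSET     = 1, /* handler lies below the kernel address floor */
    IDT_BAD_SELECTOR    = 2, /* selector is not the kernel code segment */
    IDT_UNEXPECTED_DPL3 = 4  /* user-raisable gate on a vector that should not be */
};

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* 32-bit gate, 8 bytes: [0..1] offset 15:0, [2..3] selector, [4] reserved,
 * [5] type byte (P | DPL<<5 | S | type), [6..7] offset 31:16. */
void decode_gate32(const uint8_t raw[8], idt_gate_t *g)
{
    memset(g, 0, sizeof *g);
    g->offset   = ((uint32_t)le16(raw + 6) << 16) | le16(raw);
    g->selector = le16(raw + 2);
    g->type     = raw[5] & 0x0F;
    g->dpl      = (raw[5] >> 5) & 0x3;
    g->present  = (raw[5] >> 7) & 0x1;
}

/* 64-bit gate, 16 bytes: as above plus [4] IST index (bits 2:0),
 * [8..11] offset 63:32, [12..15] reserved. The upper offset bytes are why
 * the deck notes that the 64-bit case needs the whole gate rewritten. */
void decode_gate64(const uint8_t raw[16], idt_gate_t *g)
{
    memset(g, 0, sizeof *g);
    uint32_t hi = (uint32_t)le16(raw + 8) | ((uint32_t)le16(raw + 10) << 16);
    g->offset   = ((uint64_t)hi << 32) | ((uint32_t)le16(raw + 6) << 16) | le16(raw);
    g->selector = le16(raw + 2);
    g->ist      = raw[4] & 0x7;
    g->type     = raw[5] & 0x0F;
    g->dpl      = (raw[5] >> 5) & 0x3;
    g->present  = (raw[5] >> 7) & 0x1;
}

/* kernel_min: lowest kernel-mode address (assumed 0x80000000 on x86 with the
 * default 2 GB split, 0xFFFF800000000000 on x64); kernel_cs: expected code
 * selector (assumed 0x08 on x86, 0x10 on x64); dpl3_expected: nonzero if this
 * vector is legitimately user-callable. Returns a bitmask of findings. */
int audit_gate(const idt_gate_t *g, uint64_t kernel_min, uint16_t kernel_cs, int dpl3_expected)
{
    int findings = IDT_OK;
    if (!g->present)
        return findings;            /* a non-present gate faults (#NP) if raised */
    if (g->offset < kernel_min)
        findings |= IDT_USER_OFFSET;
    if (g->selector != kernel_cs)
        findings |= IDT_BAD_SELECTOR;
    if (g->dpl == 3 && !dpl3_expected)
        findings |= IDT_UNEXPECTED_DPL3;
    return findings;
}

int main(void)
{
    /* The KD view from the deck, "000884fc 4141ee00", as the gate's 8 little-endian bytes. */
    const uint8_t hooked[8] = {0xfc, 0x84, 0x08, 0x00, 0x00, 0xee, 0x41, 0x41};
    idt_gate_t g;
    decode_gate32(hooked, &g);
    printf("offset=%08llx sel=%04x type=%x dpl=%u P=%u findings=%d\n",
           (unsigned long long)g.offset, (unsigned)g.selector, (unsigned)g.type,
           (unsigned)g.dpl, (unsigned)g.present, audit_gate(&g, 0x80000000ULL, 0x08, 0));
    return 0;
}
```

The decoder works on bytes already dumped (from a debugger or a memory image) and never touches the live IDT itself. For the deck's overwritten entry it reports offset 0x414184fc, selector 0x08, DPL 3 and a present 32-bit interrupt gate, and the audit flags both the user-space handler and the unexpected DPL=3; a gate whose offset is in the kernel range with DPL 0 produces no findings. The `dpl3_expected` parameter is deliberately left to the caller, since the set of vectors Windows legitimately leaves user-callable is version-specific and should come from a known-good baseline of the same build.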


Page 25: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Comparison with halDispatchTable overwrite

• Pros

  • Reliable against all versions of x86-based Windows

  • Easy to determine the address to be overwritten

• Cons

  • Need to prepare the ISR code

  • Need to allocate a nop-sled

  • Not confirmed on 64 bit


Page 26: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Recap

• The IDT overwrite technique is reliable against all versions of x86-based Windows

• Independent of kernel implementation changes

• We can get the IDT address even in Ring 3

• There’s more than one way to do it


Page 27: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

References

• Trying privilege escalation from a device driver vulnerability on Windows - momoiro technology
  http://inaz2.hatenablog.com/entry/2015/09/15/121926

• Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
  http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule-them-all_21.html

• Interrupt Service Routines - OSDev Wiki
  http://wiki.osdev.org/Interrupt_Service_Routines

• SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY ?
  http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html


Page 28: Abusing Interrupts for Reliable Windows Kernel Exploitation (en)

Thank you!

inaz2
