derbycon bromium labs: sandboxes

Sandboxes:

A Pen-tester’s perspective

Rahul Kashyap [email protected]

Rahul Kashyap, [email protected]

mailto:[email protected]

Bromium Confidential

• Previously led McAfee Labs vuln research

• Done security startups and offense/defense security

research

• Bromium Labs

• Team has discovered several vulnerabilities in multiple platforms

• Spoken at several cool conferences

About

I’m

Hiring!


• Sandboxes: Introduction

Architecture

Types

• Sandboxes: Exploitation

Kernel Mode

User Mode

• Conclusion

Agenda


• Environment designed to run untrusted (or exploitable)

code, in a manner that prevents the encapsulated code

from damaging the rest of the system

• The aim of a sandbox is to isolate threats

• Our research focuses on security effectiveness of the

isolation primitives for application sandboxes

What is a sandbox?


• Type A: OS enhancement based (Sandboxie, Buffer Zone

Pro, Dell DDP)

• Type B: Master/slave model (Adobe ReaderX, Chrome

browser)

Types of Sandboxes


• A lot of commonly used code reliant on kernel components

and various services

• Large exposure to kernel interfaces

Digression: Windows OS


• Sandboxed app: dear kernel, please open a file for me, the

file name is at address X

• Kernel: X points to “allowed_file.txt” string; here goes a file

handle for you

• Sandboxed app: dear kernel, please open a file for me, the

file name is at address Y

• Kernel: Y points to “secret_file.txt” string; you are a

sandboxed app, I will not let you access this file

How kernel enforces access control


• Sandboxed app: dear kernel, please draw the text “Hello world”

for me please, using the true type font stored at address X

• Kernel: You are a sandboxed app, but using a font is a benign

operation which you need to function properly

• Kernel: OK, just a moment, I need to parse this font

• While processing the font, kernel corrupts its own memory

because the parser code in the kernel is buggy

• Because of memory corruption, kernel starts executing code at

X, which allows the app to do anything it wants

How kernel exploits work (example)


• Example: Sandboxie, BufferZone Pro, Dell DDP

• Custom kernel driver modifies Windows behavior, so that

change to protected system components is prevented

• Use cases: Most of such sandboxes are used for controlled

execution of applications

• Sandboxie is widely used for malware analysis

TYPE A


Application Sandbox Type A


• Example: Google Chrome, Adobe Reader

• Two processes - master and slave, talking over IPC channel

• Slave is confined using OS access control facilities

• Master mediates access to resources

• Use case: protect the application from exploitation

• Google Chrome and Adobe Reader are popular applications

mainly for web and content rendering

TYPE B

Architecture: Type B

• Master has smaller codebase, the point being – it should be tougher to exploit it

• Slave has a bigger attack surface that needs to be „brokered‟ by the master

• Slave still directly interacts with the OS Kernel

• Slave also has access to certain user mode components


Application Sandbox Type B


• Slave runs with low privileges

• restricted token

• job object

• desktop object

• integrity level

Chromium sandbox on Windows


• How exhaustive is the OS-based confinement, according to

the documentation [2]?

• Mounted FAT or FAT32 volumes – no protection

• TCP/IP – no protection

• Access to most existing securable resources denied

• Everybody agrees it is good enough…



Chromium sandbox in action

Slave

Master


• How resistant is Master to a malicious Slave?

• This is what most authors focused on

• How resistant is OS to a malicious Slave?

• We focus on the last aspect

• Recently MWRLabs also bypassed Chrome using similar vector

Pwn2Own 2013[11]



Master/slave type sandbox on Windows,

Adobe Reader

Observe “Low”

Integrity level


• Exhaustive previous related work on methodology of

attacking the Master [3], [4]

• The first case of Adobe sandbox vulnerability exploited in

the wild reported in Feb 2013 [9]

• This escape possible because of a bug in Master

Master/slave type sandbox on Windows, Adobe

Reader


Master/slave type sandbox on Windows, Chrome

browser

Observe “untrusted”

Integrity level


• Slave de-privileged even more than stated in chrome

sandbox documentation

• “Untrusted” integrity level

• Particularly, access to FAT32 file system denied

Master/slave type sandbox on Windows, Chrome

browser


• Well-known cases of successful attacks against the master

(shown at Pwnium[5], Pwn2own[6])

• The attacks against the master are complex and relatively

rare


Chrome browser


• Slave can still exploit a kernel vulnerability

• bpf syscall filter on Linux - designed to limit exposure of OS #nice

• Some vulnerabilities are not exploitable by Slave

• If need to create a process

• If need to alter specific locations in the registry

• win32k.sys still much exposed

A vulnerability in win32k.sys can potentially be exploited at the

browser level, yielding full control over the machine directly, without

the need to achieve code execution in the sandbox first.


Chrome browser


Exploitation

CVE-2011-3402 CVE-2011-2018 CVE-2012-2527 CVE-2012-1890 CVE-2012-1893 CVE-2012-0178 CVE-2012-1515 CVE-2012-1864 CVE-2012-1865 CVE-2012-1866 CVE-2012-1867 CVE-2012-1868 CVE-2012-0217 CVE-2012-0179 CVE-2012-0157 CVE-2012-0148 CVE-2012-0149 CVE-2011-5046 CVE-2012-0154 CVE-2012-0001 CVE-2013-1278 CVE-2013-1279 CVE-2013-1280 CVE-2013-0008 CVE-2012-2556 CVE-2012-4786 CVE-2012-2530 CVE-2012-2553 CVE-2012-2897 CVE-2013-1248 CVE-2013-1249 CVE-2013-1250 CVE-2013-1251 CVE-2013-1252 CVE-2013-1253 CVE-2013-1254 CVE-2013-1255 CVE-2013-1256 CVE-2013-1257 CVE-2013-1258 CVE-2013-1259 CVE-2013-1260 CVE-2013-1261 CVE-2013-1262 CVE-2013-1263 CVE-2013-1264 CVE-2013-1265 CVE-2013-1266 CVE-2013-1267 CVE-2013-1268 CVE-2013-1269 CVE-2013-1270 CVE-2013-1271 CVE-2013-1272 CVE-2013-1273 CVE-2013-1274 CVE-2013-1275 CVE-2013-1276 CVE-2013-1277

CVE-2012-0217 Exploit: MS12-042 SANDBOX BYPASS DEMO (Kernel Mode Exploitation)

Sandbox

PWNY!


• Windows kernel issues are discovered increasingly

frequently

• 25 CVE for Windows kernel in 2012

• 73+ CVE till Sept 2013

• There have been attacks like Duqu that have targeted

kernel vulnerabilities

• Yes… it‟s a large attack surface

Is this a problem?

User Mode Exploitation

• Type A and Type B do not restrict network connectivity for a sandboxed process.

• The exception to this rule is Google Chrome that has been hardened to restrict TCP/IP networking in case the renderer got exploited.

• All vulns in these services are a potential sandbox escape vector

• Even properly functioning code can be abused


• ALPC ports are a low-level mechanism used for

interprocess communication on the Windows OS. Again,

many Windows services listen on ALPC ports; if a

sandboxed code can connect to these services, it can

attempt to exploit a vulnerability in it.

• Type A sandboxes are wide open to all of these

ALPC Ports

ALPC Ports: Adobe Reader vs Chrome

Adobe Reader XI (version 11.0.3):

lkd> !alpc /lpp fffffa80052ffb30

Ports created by the process fffffa80052ffb30:

fffffa8004f9fb50('OLEB45817786DEF457D9394B3110F6B') 0, 1 connections fffffa8005312070 0 -> fffffa8005279990 0 fffffa80078ddb30('svchost.exe')

Ports the process fffffa80052ffb30 is connected to:

fffffa80053073c0 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')

fffffa80050b7070 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')

fffffa800b4b9e60 0 -> fffffa8007912c30('lsasspirpc') 0 fffffa8007883210('lsass.exe')

fffffa8004f1adc0 0 -> fffffa8007b34e60('Audiosrv') 0 fffffa8007a1e9e0('svchost.exe')

fffffa8004f0e3f0 0 -> fffffa80079d4e60('epmapper') 31 fffffa80078ddb30('svchost.exe')

fffffa800535cb20 0 -> fffffa800798ea70('plugplay') 0 fffffa800797db30('svchost.exe')

Google Chrome browser (Version 27.0.1453.110 m)

lkd> !alpc /lpp fffffa80053a1060

Ports created by the process fffffa80053a1060:

<none>

Ports the process fffffa80053a1060 is connected to:

fffffa8005397b30 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')

fffffa80052c8dd0 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')


• “The vulnerability is caused by CSRSS improperly

validating permissions when a lower-integrity process

communicates a device event message to a higher-integrity

process.”

• Actually, the vulnerable versions of CSRSS performed no

validation or permission check at all, blindly executing

PostMessage with all parameters controllable by the peer.

• Errr... Shatter attack redux??

Example: CSRSS vulnerability (MS11-063)

CVE-2011-1967

Exploit: MS11-063 SANDBOX User-Mode Exploitation


Summary

http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-

perspective/

http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-perspective/











CVE-2011-3402

Exploit: MS11-087 SiS’eh: Sandbox-in-Sandbox?Sandbox) !)

Clueless

PWNY!

DiDi ™ :- Defense in Depth indeed!


Conclusion

• Application sandboxes are fundamentally vulnerable to kernel mode and certain

user mode vulnerabilities on the OS

• Breaking out of a sandbox by exploiting OS vulns provides far better ROI for the

attackers

• In our analysis Type A were far easier to escape out than Type B #$$ #Chrome

• Definitely avoid malware analysis inside application sandboxes! #D‟0h!


• Rafal Wojtczuk, Bromium Labs

• [1] http://www.sandboxie.com/

• [2] http://dev.chromium.org/developers/design-documents/sandbox

• [3] "A Castle Made of Sand - Adobe Reader X Sandbox" Richard Johnson

• [4] “Breeding Sandworms” - Zhenhua Liu, Guillaume Lovet

• [5] http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html

• [6] "Pwn2Own 2012: Google Chrome browser sandbox first to fall" http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588

• [7] Dennis Fisher http://threatpost.com/en_us/blogs/its-time-abandon-java-012113

• [8] BufferZone Pro, http://www.trustware.com/BufferZone-Pro/

• [9] arstechnica.com/security/2013/02/zero-day-attack-exploits-latest-version-of-adobe-reader/

• [10] Duqu malware, http://em.wikipedia.org/wiki/Duqu

• [11] https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/

Credits/References

http://em.wikipedia.org/wiki/Duqu

http://em.wikipedia.org/wiki/Duqu

@rckashyap

Thanks!

http://labs.bromium.com/

derbycon bromium labs: sandboxes

Technology

bromium confidential

bromium confidential

kernel components

dear kernel

bromium confidential

kernel exploits

os kernel slave

address x kernel