Who’s Watching the Watchdog? Uncovering A Privilege Escalation Vulnerability in OEM Driver
Amit Rapaport, Microsoft
> whoami
• Amit Rapaport (@realAmitRap)
• Security researcher @ THRIL Team, Windows Defender ATP
• Born & raised on Windows OS
• Deeply interested in low-level, OS internals, reverse engineering and exploitation
Talk Scope
• The story of Windows Defender ATP alert -> zero-day discovery
• CVE-2019-5241 & CVE-2019-5242
• Demo
Where Our Story Begins
WannaCry Ransomware
• Major outbreak during May 2017
• Demands $300-$600 to recover encrypted files
• Infected more than 200k machines
• Propagates mainly through SMBv1 kernel exploit - ETERNALBLUE
WannaCry Ransomware - Infection
• Machine exploitation ends up loading a lightweight, non-persistent, kernel-mode backdoor – known as DOUBLEPULSAR
• DOUBLEPULSAR allows an attacker to inject a custom payload into user-mode
• Victim process is lsass.exe
• Used for the initial loading of WannaCry main payload
DOUBLEPULSAR Injection Technique
Kernel -> lsass.exe:
• ZwAllocateVirtualMemory – allocate an RWX region inside lsass.exe
• memcpy – copy the userland shellcode into that region
• KeInitializeApc / KeInsertQueueApc – queue a user-mode APC on a victim thread that points at the shellcode
How to Detect Kernel->User APC Injection
• No hooks are allowed
• No notify callback on Mm operations
• No notify callback on APC operations…
How to Detect Kernel->User APC Injection
• We instrumented NTOSKRNL in the Windows 10 October 2018 update to trace kernel callers doing
  • Mm operations
  • APC insert operations
• Events are traced through the Microsoft-Windows-Threat-Intelligence ETW provider
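The two traced operations above are all a consumer needs to reproduce the detection behind the alert: a kernel caller allocates executable memory in a process, and a kernel caller later queues a user APC whose routine falls inside that region. The Python below is an added illustration, not Microsoft's detection logic and not the Threat-Intelligence provider's real schema; the task names (`AllocVm`, `QueueUserApc`), the field names and the sample events are constructed assumptions.

```python
"""Correlate kernel-caller executable allocations with kernel-caller user APCs.

Added illustration. The event shape is a simplified assumption; the real
Microsoft-Windows-Threat-Intelligence provider has its own tasks and fields.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Win32 page-protection constants (the protection lives in the low byte).
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                          PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class ThreatIntelEvent:
    task: str              # "AllocVm" or "QueueUserApc" (assumed, simplified task names)
    caller_is_kernel: bool  # True when the operation originated in kernel code
    target_pid: int
    target_image: str
    address: int           # region base (AllocVm) or APC routine address (QueueUserApc)
    size: int = 0          # region size, AllocVm only
    protect: int = 0       # requested page protection, AllocVm only


def is_executable(protect: int) -> bool:
    """True when the protection value grants execute on the pages."""
    return (protect & 0xFF) in EXECUTABLE_PROTECTIONS


def correlate(events: Iterable[ThreatIntelEvent]) -> List[dict]:
    """Raise an alert for every kernel-queued user APC that lands in a
    region a kernel caller previously allocated as executable in the same process."""
    exec_regions: Dict[int, List[Tuple[int, int]]] = {}  # pid -> [(base, end), ...]
    alerts: List[dict] = []
    for ev in events:
        if not ev.caller_is_kernel:
            continue  # user-mode injectors are covered by other detections
        if ev.task == "AllocVm" and is_executable(ev.protect):
            exec_regions.setdefault(ev.target_pid, []).append((ev.address, ev.address + ev.size))
        elif ev.task == "QueueUserApc":
            for lo, hi in exec_regions.get(ev.target_pid, []):
                if lo <= ev.address < hi:
                    alerts.append({
                        "target_pid": ev.target_pid,
                        "target_image": ev.target_image,
                        "region_base": lo,
                        "apc_routine": ev.address,
                        "reason": "kernel caller queued user APC into kernel-allocated executable region",
                    })
                    break
    return alerts


# Constructed sample events: one injection into services.exe plus benign noise.
SAMPLE_EVENTS = [
    ThreatIntelEvent("AllocVm", True, 712, "services.exe", 0x1F0000, 0x1000, PAGE_EXECUTE_READWRITE),
    ThreatIntelEvent("AllocVm", True, 1040, "svchost.exe", 0x2A0000, 0x2000, PAGE_READWRITE),  # not executable
    ThreatIntelEvent("QueueUserApc", False, 712, "services.exe", 0x1F0010),  # user-mode caller: ignored here
    ThreatIntelEvent("QueueUserApc", True, 1040, "svchost.exe", 0x2A0040),   # RW region only: no alert
    ThreatIntelEvent("QueueUserApc", True, 712, "services.exe", 0x1F0010),   # kernel APC into RWX region: alert
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The correlation is deliberately stateful per process: an executable allocation alone is noisy (legitimate drivers do it), and a kernel-queued user APC alone is noisy (the kernel uses them for I/O completion); it is the APC routine landing inside the kernel-allocated executable region that matches the DOUBLEPULSAR and watchdog cases. A production consumer would also expire regions on free and bound the time between the two events.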
Collecting the Evidence
• Careful analysis of the alert showed that:
  • Kernel code allocated an executable region
  • Kernel code injected a User APC targeting that region
  • services.exe – the only affected process on the machine
• Sounds familiar?
Hunting The Source
• Which kernel code triggered the injection?
• Can become quite challenging…
Let’s dump driver-load events on that machine:
…
C:\Program Files\Huawei\PCManager\HwOs2Ec10x64.sys
…
PC Manager
Hunting The Source
• Long shot, but let’s analyze these drivers’ import sections
• Looks promising!
Kernel->User Code Injector
PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine
Stages annotated in the decompiled driver code:
• User mem alloc
• Resolve user functions
• Copy user params
• Inject user APC
Kernel->User Code Injector
Same flow as DOUBLEPULSAR, with services.exe as the victim: ZwAllocateVirtualMemory (executable region) -> memcpy (userland shellcode) -> KeInitializeApc / KeInsertQueueApc (victim thread)
The Shellcode
What process gets created?
• Let’s set a breakpoint on the location where the parameter block is copied
“C:\Program Files\Huawei\PCManager\MateBookService.exe /startup”
MateBookService.exe Analysis
Watching out for MateBookService Termination
Quick Recap
• MateBookService.exe process terminates -> Revived by the driver
• Watched processes are held in a driver’s global list variable
Kernel: HwOs2Ec10x64.sys -> User: services.exe -> “MateBookService.exe /startup”
I Wonder….
• If that’s a list, then there might be a way to extend it
• How does the watched processes list get extended?
-> There’s a designated IOCTL handler exactly for that purpose!
• No validation checks on the executable directory
• Just need to get a valid handle to the device object
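The missing check on the executable directory is the kind of validation the IOCTL handler would need before adding a path to its watched list. The Python below is an added example, not the driver's code: it canonicalises a Windows path and confirms it lies under an allowed install directory, rejecting `..` traversal and look-alike sibling directories that a naive prefix comparison would accept. The allowed directory and the test paths are assumptions. Such a check only constrains where an image lives, not who controls the process, so it does not address the caller-integrity problem the next slides describe.

```python
"""Check that a user-supplied executable path lies under an allowed directory.

Added example with Windows path semantics (ntpath works on any OS). The
allowed directory below is an assumption for the demonstration.
"""
import ntpath

# Assumed install directory that the watchdog should be restricted to.
ALLOWED_DIR = r"C:\Program Files\Huawei\PCManager"


def is_inside_directory(candidate: str, allowed_dir: str) -> bool:
    """True iff candidate is an absolute path to something strictly below allowed_dir.

    Both paths are normalised (".." collapsed, "/" turned into "\\") and
    case-folded before comparison, then compared component-wise rather than by
    string prefix, so "...\\PCManager2\\x.exe" does not pass for "...\\PCManager".
    """
    cand = ntpath.normcase(ntpath.normpath(candidate))
    base = ntpath.normcase(ntpath.normpath(allowed_dir))
    if not ntpath.isabs(cand):
        return False  # relative paths depend on the caller's CWD: reject
    try:
        common = ntpath.commonpath([cand, base])
    except ValueError:
        return False  # different drives, or mixed absolute/relative
    # The directory itself is not a valid executable; require something below it.
    return common == base and cand != base


def classify(paths, allowed_dir=ALLOWED_DIR):
    """Map each path to its verdict; handy for reviewing a batch of registrations."""
    return {p: is_inside_directory(p, allowed_dir) for p in paths}


# Constructed probe paths: one legitimate registration and several bypass attempts.
PROBES = [
    r"C:\Program Files\Huawei\PCManager\MateBookService.exe",
    r"c:/program files/huawei/pcmanager/sub/tool.exe",
    r"C:\Program Files\Huawei\PCManager\..\..\..\Users\Public\evil.exe",
    r"C:\Program Files\Huawei\PCManager2\evil.exe",
    r"D:\Program Files\Huawei\PCManager\evil.exe",
    r"PCManager\evil.exe",
]

if __name__ == "__main__":
    for path, ok in classify(PROBES).items():
        print(("ALLOW " if ok else "REJECT"), path)
```

Inside a driver the check would have to run on the canonical NT path obtained from the opened file object rather than on the string the caller supplied, since short (8.3) names, junctions and symbolic links can make two strings name the same file; the component-wise comparison shown here is the part that carries over.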
Obtaining a Device Handle
• Finding #1: The device is created with a DACL granting Everyone RW access
• Finding #2: the caller process is validated by its main executable path
  • Must belong to a whitelist
• BUT there’s no guarantee on the integrity of the caller process!
• A malicious MateBookService.exe process might bypass this integrity check
• Infecting our own MateBookService.exe process can be done by a low-privilege process
  • Thanks to the fact that a parent process has PROCESS_ALL_ACCESS permissions over its children
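Finding #1 can be checked mechanically from a device object's security descriptor. The Python below is an added example, not Huawei's or Microsoft's code: it parses the DACL portion of an SDDL string and reports allow ACEs that grant write or control rights to broad principals such as Everyone. The two SDDL strings are constructed to mirror the finding; the real driver's descriptor is not on the slides.

```python
"""Audit a device object's DACL, given in SDDL form, for write access to broad principals.

Added example. The SDDL strings at the bottom are constructed, not taken
from the driver discussed in the talk.
"""
import re
from typing import List

ACE_RE = re.compile(r"\(([^)]*)\)")
# "D:" followed by optional DACL flags (P, AI, AR) and then the ACE list.
DACL_RE = re.compile(r"D:((?:P|AI|AR)*)((?:\([^)]*\))*)")

# Two-letter SDDL right codes that let a caller write to or take control of the object.
WRITE_RIGHT_CODES = {"GA", "GW", "FA", "FW", "WD", "WO", "SD", "CC", "DC", "WP"}
# The same rights as bits, for ACEs that carry a hexadecimal access mask instead.
WRITE_MASK_BITS = (
    0x10000000   # GENERIC_ALL
    | 0x40000000  # GENERIC_WRITE
    | 0x00040000  # WRITE_DAC
    | 0x00080000  # WRITE_OWNER
    | 0x00010000  # DELETE
    | 0x00000002  # FILE_WRITE_DATA
    | 0x00000004  # FILE_APPEND_DATA
)
# Principals that any local user can be a member of; a write grant here is worth a finding.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "Users", "S-1-5-32-545": "Users",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
}


def rights_grant_write(rights: str) -> bool:
    """True when an ACE rights field (hex mask or 2-letter codes) includes a write/control right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK_BITS)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_RIGHT_CODES)


def audit_device_sddl(sddl: str) -> List[str]:
    """Return human-readable findings for a device security descriptor in SDDL form."""
    findings: List[str] = []
    match = DACL_RE.search(sddl)
    if match is None:
        # No "D:" component at all means a NULL DACL, which grants everyone full access.
        findings.append("no DACL in descriptor: a NULL DACL grants everyone full access")
        return findings
    for ace in ACE_RE.findall(match.group(2)):
        parts = ace.split(";")
        if len(parts) != 6:
            findings.append(f"malformed ACE: ({ace})")
            continue
        ace_type, _flags, rights, _object_guid, _inherit_guid, sid = parts
        if ace_type != "A":
            continue  # deny (D) and audit (AU) ACEs do not widen access
        who = BROAD_PRINCIPALS.get(sid)
        if who and rights_grant_write(rights):
            findings.append(f"{who} ({sid}) granted write/control rights: {rights}")
    return findings


# Constructed descriptors: the weak one mirrors "Everyone RW"; the hardened one
# limits the device to SYSTEM and Administrators.
WEAK_DEVICE_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)"
HARDENED_DEVICE_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK_DEVICE_SDDL), ("hardened", HARDENED_DEVICE_SDDL)):
        print(name, audit_device_sddl(sddl) or ["no findings"])
```

The hardened descriptor is what a driver gets by creating its device with `IoCreateDeviceSecure` and an SDDL such as `SDDL_DEVOBJ_SYS_ALL_ADM_ALL` instead of a hand-built DACL. The remaining slide points still apply: a tight DACL limits who can open the device, but it does not validate what an authorised caller sends through the IOCTL.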
Abusing the Watchdog to Gain LPE – CVE-2019-5241
• Create & inject malicious code into a MateBookService.exe process (Standard User)
• Craft special IOCTL to register LPE_POC.exe (Standard User)
• Run LPE_POC.exe, which exits immediately (Standard User)
• The watchdog revives LPE_POC.exe as a child of services.exe (NT AUTHORITY\SYSTEM)
Wrap up
• EDR alert -> investigation -> vulnerability find
• Reversing isn’t always the entry point
• OEM drivers – low-hanging fruit for attackers
• Software devs – use OS-supplied mechanisms
Acknowledgements
• A fix was released on January 9, 2019
• Special thanks to Huawei PSIRT!
• Itai Kollmann Dekel – I wouldn’t have made it without you!
References
• https://cloudblogs.microsoft.com/microsoftsecure/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/
• https://www.huawei.com/en/psirt
• https://github.com/idan1288/ProcessHollowing32-64