Hacking Windows IPC
Briefing for:
Hacking Windows Internals
Cesar Cerrudo
Argeniss
www.appsecinc.com
Hacking Shared Sections
Shared Section definition
Using Shared Sections
Tools
Problems
Searching for holes
Exploitation
Microsoft vulnerabilities
Other vendors vulnerabilities
Solutions
Conclusions
References
Shared Section
Basically, a Shared Section is a portion of memory that can be shared between processes, mostly used as an IPC (Inter Process Communication) mechanism. Also known as Shared Memory or File Mapping. A section can be named or unnamed.
Using Shared Sections
Loading binary images by the OS: process creation, DLL loading.
Mapping kernel mode memory into the user address space !? Used to avoid kernel transitions.
Sharing data between processes: GDI and GUI data, pointers !?, counters, any data.
Using Shared Sections
Creating a shared section
HANDLE CreateFileMapping(
HANDLE hFile, // handle to file (file mapping)
// or 0xFFFFFFFF, i.e. INVALID_HANDLE_VALUE (shared memory backed by the paging file)
LPSECURITY_ATTRIBUTES lpAttributes, // security
DWORD flProtect, // protection
DWORD dwMaximumSizeHigh, // high-order DWORD of size
DWORD dwMaximumSizeLow, // low-order DWORD of size
LPCTSTR lpName // object name (named) or NULL (unnamed)
); // returns a shared section handle
Using Shared Sections
Opening an existing shared section
HANDLE OpenFileMapping(
DWORD dwDesiredAccess, // access mode (FILE_MAP_WRITE, FILE_MAP_READ, etc.)
BOOL bInheritHandle, // inherit flag
LPCTSTR lpName // shared section name
); // returns a shared section handle
Using Shared Sections
Mapping a shared section
LPVOID MapViewOfFile(
HANDLE hFileMappingObject, // handle to created/opened shared section
DWORD dwDesiredAccess, // access mode (FILE_MAP_WRITE, FILE_MAP_READ, etc.)
DWORD dwFileOffsetHigh, // high-order DWORD of offset
DWORD dwFileOffsetLow, // low-order DWORD of offset
SIZE_T dwNumberOfBytesToMap // number of bytes to map
); // returns a pointer to the beginning of the shared section memory
Using Shared Sections
Ntdll.dll Native API:
NtCreateSection() Creates a new section.
NtOpenSection() Opens an existing section.
NtMapViewOfSection() Maps a section into memory.
NtUnmapViewOfSection() Unmaps a section from memory.
NtQuerySection() Returns the section size.
NtExtendSection() Changes the section size.
Using Shared Sections
Mapping unnamed Shared Sections: you need to know the shared section handle in the target process, and you need permissions on the target process.
OpenProcess(PROCESS_DUP_HANDLE,...)
DuplicateHandle(...)
MapViewOfFile(...)
Using Shared Sections
Demo
Tools
Process Explorer: shows information about processes (DLLs, handles, etc.).
WinObj: shows Object Manager Namespace information (object info, permissions, etc.).
ListSS: lists Shared Section names (local and TS sessions).
DumpSS: dumps Shared Section data.
TestSS: overwrites Shared Section data (to detect bugs).
Problems
Input validation
Weak permissions
Synchronization
Problems
Input validation: applications don't perform data validation before using the data. Applications trust data on shared sections.
When applications read modified data from shared sections they will crash, or they will perform unexpected actions.
Problems
Weak permissions: low privileged users can access (read/write/change permissions) shared sections of high privileged processes (services).
Terminal Services (maybe Citrix) users can access (read/write/change permissions) shared sections of local logged on user processes, of services, and also of other user sessions.
Problems
Synchronization: there is no built-in synchronization. Synchronization must be done by the processes in order not to corrupt data. There isn't a mechanism to force processes to synchronize or to block shared section access. Any process (with proper rights) can alter shared section data while another process is using it.
Problems
Synchronization: communication between Process A and Process B through a shared section, with a third Process C interfering.
1- Process A to Process B: Send me data.
2- Process B writes the data to the shared section.
3- Process B to Process A: Data ready.
4- Process C replaces the data in the shared section.
5- Process A reads the (replaced) data.
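The input validation and synchronization problems above have one common defensive answer: treat the section as hostile input, snapshot what you need into private memory, and validate the copy against sizes you already know (the mapping size and your own buffer) before using it. The following is an added example, not code from the deck or from Argeniss; the message layout (magic plus length header), the function names and the error codes are constructed for the example, and the "section" is an ordinary byte array so it runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout for the example: a fixed header followed by
 * `length` payload bytes. Nothing read from the section is trusted until it
 * has been copied out of the shared view and checked. */
#define MSG_MAGIC 0x53534D47u   /* arbitrary constant chosen for the example */
typedef struct {
    uint32_t magic;
    uint32_t length;
} msg_header;

enum { MSG_OK = 0, MSG_ERR_TRUNC = -1, MSG_ERR_MAGIC = -2, MSG_ERR_LENGTH = -3 };

/* Hardened reader. The unsafe pattern the slides warn about would read
 * hdr->length straight out of the shared view and memcpy that many bytes:
 * a peer with write access can overflow `out`, and can even change the
 * length between the check and the copy. Here the header is snapshotted
 * first, the private copy is bounded by the known mapping size and the
 * caller's buffer, and the shared header is never read again. */
int read_message(const uint8_t *shared, size_t shared_size,
                 uint8_t *out, size_t out_cap, size_t *out_len) {
    msg_header hdr;
    *out_len = 0;
    if (shared_size < sizeof hdr)
        return MSG_ERR_TRUNC;                    /* mapping too small for a header */
    memcpy(&hdr, shared, sizeof hdr);            /* snapshot, then never re-read */
    if (hdr.magic != MSG_MAGIC)
        return MSG_ERR_MAGIC;
    /* subtraction first so a huge length cannot wrap the comparison */
    if (hdr.length > shared_size - sizeof hdr || hdr.length > out_cap)
        return MSG_ERR_LENGTH;
    memcpy(out, shared + sizeof hdr, hdr.length);
    *out_len = hdr.length;
    return MSG_OK;
}

/* Fills a region the way a peer (honest or hostile) would. Used only to
 * construct inputs; claimed_len is written unchecked on purpose so a lying
 * header can be produced. Returns bytes written, 0 if it does not fit. */
size_t build_region(uint8_t *buf, size_t cap, uint32_t magic,
                    uint32_t claimed_len, const char *payload) {
    msg_header hdr = { magic, claimed_len };
    size_t n = strlen(payload);
    if (cap < sizeof hdr + n)
        return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, payload, n);
    return sizeof hdr + n;
}

int main(void) {
    uint8_t region[64], out[16];
    size_t len = 0;
    /* honest peer: header says 5 bytes, and 5 bytes follow */
    size_t used = build_region(region, sizeof region, MSG_MAGIC, 5, "hello");
    int rc = read_message(region, used, out, sizeof out, &len);
    printf("honest: rc=%d len=%zu\n", rc, len);
    /* hostile peer: header claims far more payload than the mapping holds */
    used = build_region(region, sizeof region, MSG_MAGIC, 0xFFFFFFF0u, "hello");
    rc = read_message(region, used, out, sizeof out, &len);
    printf("hostile: rc=%d len=%zu\n", rc, len);
    return 0;
}
```

The snapshot-then-validate order is the point: a check performed on data that still lives in the shared view can be invalidated by another process between the check and the use, which is exactly the race in the Process A/B/C sequence above.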
Searching for holes
Look for shared sections using Process Explorer, WinObj or ListSS.
Attach a process using the shared section to a debugger.
Run TestSS on the shared section.
Interact with the process in order to make it use (read/write) the shared section.
Look at the debugger for crashes :).
Searching for holes
Windows HTML Help Demo.
Exploitation
Elevating privileges. Reading data. Altering data. Shared section exploits.
Using shared sections on virus/rootkits/etc.
Exploitation
Reading data: from high privileged processes (services); from local logged on user processes, services and other sessions on Terminal Services. This leads to unauthorized access to data.
Exploitation
Altering data: on high privileged processes (services); on local logged on user processes, services and other sessions on Terminal Services. This leads to arbitrary code execution, unauthorized access, or process or kernel crashes (DoS).
Exploitation
Shared section exploits: overwriting shared section data can allow us to take control of code execution. Some shared sections' start addresses are pretty static on the same OS and Service Pack. Put shellcode on the shared section, then build an exploit to jump to the shellcode on the shared section at its static location.
Exploitation
Shared section exploits: MS05-012 - COM Structured Storage Vulnerability.
Weak permission on a shared section. Structures saved on the shared section can be overwritten.
By overwriting these structures it is possible to execute arbitrary code.
POC Exploit Demo.
Exploitation
Using shared sections on virus/rootkits/etc.: some shared sections are used by many processes (InternatSHData, used for Language Settings on W2k); other sections are used by all processes :).
Write code to the shared section and the code will be instantly mapped into the processes' memory and also into newly created processes. Use SetThreadContext() or CreateRemoteThread() to start executing the code. Similar to the WriteProcessMemory() - SetThreadContext() technique or DLL Injection.
Exploitation
Using shared sections on virus/rootkits/etc.: some shared sections have execute access.
It would be possible to avoid WinXP SP2 NX and third party protections.
Microsoft vulnerabilities
Vulnerabilities in the following Microsoft products have been reported and are being fixed:
Internet Explorer vulnerability.
Office vulnerabilities.
Windows 2k and Windows XP SP2 Kernel vulnerability.
IIS 5 vulnerability.
Windows COM vulnerability.
Other vendors vulnerabilities
NOD32 antivirus vulnerability.
Norton Antivirus (old versions) vulnerability.
Veritas software vulnerabilities.
Etc.
Solutions
Set proper permissions: grant only the current user (also the service account if the application runs as a service) permissions on shared sections, unless another user should access them.
Use some synchronization mechanism: remember that when working with shared sections there isn't built-in synchronization.
Validate the data before using it: data on shared sections can be easily manipulated.
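The permissions fix above is cheapest when the DACL is supplied to CreateFileMapping() at creation (the lpAttributes parameter from the API slides) rather than patched afterwards, since a section that exists for even a moment with a default DACL can already have been opened. The block below is an added example, not code from the deck or from Argeniss. build_section_sddl() is portable C and builds the descriptor string; create_private_section() and main() are Windows-only and use the documented CreateFileMapping(), MapViewOfFile() and SDDL conversion APIs. The section name "Local\ExampleSection", the 4096-byte size and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Build a protected DACL (the "P" flag blocks inherited ACEs) granting full
 * control to SYSTEM and Administrators and read/write to exactly one user
 * SID. There is no ACE for Everyone or Users, so other logged-on users and
 * other Terminal Services sessions get no access at all. Returns 1 on
 * success, 0 if the SID does not look like a SID or the buffer is too small. */
int build_section_sddl(const char *user_sid, char *out, size_t cap) {
    if (user_sid == NULL || strncmp(user_sid, "S-1-", 4) != 0)
        return 0;
    int n = snprintf(out, cap,
                     "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;%s)", user_sid);
    return n > 0 && (size_t)n < cap;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#pragma comment(lib, "advapi32.lib")

/* String SID of the account the calling process runs as (for a service this
 * is the service account). Caller releases it with LocalFree. */
static char *current_user_sid(void) {
    HANDLE tok;
    DWORD len = 0;
    char *sid = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return NULL;
    GetTokenInformation(tok, TokenUser, NULL, 0, &len);
    TOKEN_USER *tu = (TOKEN_USER *)LocalAlloc(LPTR, len);
    if (tu != NULL && GetTokenInformation(tok, TokenUser, tu, len, &len))
        ConvertSidToStringSidA(tu->User.Sid, &sid);
    if (tu != NULL)
        LocalFree(tu);
    CloseHandle(tok);
    return sid;
}

/* Create a paging-file-backed named section with the restrictive DACL
 * applied at creation time. If the name already exists, CreateFileMapping
 * returns the existing object (somebody else's, with their permissions)
 * and sets ERROR_ALREADY_EXISTS; treat that as a failure, never reuse it. */
HANDLE create_private_section(const char *name, DWORD size) {
    char sddl[256];
    char *sid = current_user_sid();
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    HANDLE h = NULL;
    if (sid == NULL || !build_section_sddl(sid, sddl, sizeof sddl)) {
        if (sid != NULL)
            LocalFree(sid);
        return NULL;
    }
    if (ConvertStringSecurityDescriptorToSecurityDescriptorA(
            sddl, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) {
        SetLastError(0);
        h = CreateFileMappingA(INVALID_HANDLE_VALUE, &sa, PAGE_READWRITE,
                               0, size, name);
        if (h != NULL && GetLastError() == ERROR_ALREADY_EXISTS) {
            CloseHandle(h);          /* name squatted: do not trust it */
            h = NULL;
        }
        LocalFree(sa.lpSecurityDescriptor);
    }
    LocalFree(sid);
    return h;
}

int main(void) {
    /* "Local\" keeps the name inside the caller's own session namespace. */
    HANDLE h = create_private_section("Local\\ExampleSection", 4096);
    if (h == NULL) {
        printf("section not created (error %lu)\n", GetLastError());
        return 1;
    }
    void *view = MapViewOfFile(h, FILE_MAP_WRITE, 0, 0, 0);
    if (view != NULL) {
        memset(view, 0, 4096);       /* initialise before any peer can see it */
        UnmapViewOfFile(view);
    }
    CloseHandle(h);
    return 0;
}
#endif
```

After creation, WinObj (from the Tools slide) on the section's entry in the session namespace is the quick check that the DACL really contains only the three ACEs built here; ListSS is the way to confirm the section is not visible from another Terminal Services session.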
Conclusions
Windows and third-party applications have a bunch of Shared Section related holes.
This kind of hole will lead to a new kind of attack: "SSAttacks" (Shared Section Attacks) ;)
Microsoft forgot to include a Shared Sections audit in the Trustworthy Computing initiative :).
Windows guts seem rotten :).
References
MSDN.
Programming Applications for MS Windows, Fourth Edition.
Process Explorer (www.sysinternals.com).
WinObj (www.sysinternals.com).
Rattle - Using Process Infection to Bypass Windows Software Firewalls (PHRACK #62).
Crazylord - Playing with Windows /dev/(k)mem (PHRACK #59).
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
FIN
• Questions?
• Thanks.
• Contact: cesar>at<argeniss>dot<com
Argeniss – Information Security
Get vulnerability information before anyone!
http://www.argeniss.com/services.html