1. Introduction Jon Oberheide Dan RosenbergStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #2

2. Introduction In reference to the HES CFP: I get excited every time I see a conference add requirements to their talk selection along the lines of exploitation presentations must be against grsecurity/PaX -- but then there never ends up being any presentations of this kind. spender prattStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #3 3. Agenda A review of Linux kernel security Exploitation vs. grsecurity/PaX Bypassing grsecurity/PaXStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #4 4. A decade of kernel security Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #5 5. A decade of kernel security Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #6 6. Upstream attitude Security is hard when upstream ignores the problems Linux still hasnt had its security awakening Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #7 7. How about last year? 142 CVEs assigned 30% worse than the previous worst year (2009) Based on public CVE requests, issues tracked atRed Hat Bugzilla, and Eugenes tagged git tree Missing dozens of non-CVE vulnerabilities (i.e. theDan Carpenter factor) 61 (43%) discovered by six people Kees (4), Brad (3), Tavis (7), Vasiliy (4), Dan (37),Nelson (6)Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #8 8. Kernel vulns in 2010 12 known exploits for local privilegeescalation 13 remotely triggerable issues 33 potential privilege escalationsStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #9 9. Breakdown by Target231 76 33CoreDistroExoticRed Hat Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #10 10. Breakdown by Impact 13126 765 Bypass30 DOS Info Priv Esc? Priv Esc Nothing Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan RosenbergSlide #11 11. Interesting exploits of 2010 full-nelson.c Combined three vulns to get a NULL write half-nelson.c First Linux kernel stack overflow (not buffer overflow) exploit linux-rds-exploit.c Arbitrary write in RDS packet family i-CAN-haz-MODHARDEN.c SLUB overflow in CAN packet family american-sign-language.c Exploit payload written in ACPIs ASL/AMLStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #12 12. Agenda A review of Linux kernel security Exploitation vs. grsecurity/PaX Bypassing grsecurity/PaXStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #13 13. Traditional Linux exploitation Perhaps most general exploitationprimitive is an arbitrary kernel write Sometimes occurs naturally, othertimes can be constructed (e.g.overwriting pointers in an overflow totrigger a write)Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #14 14. Linux exploitation examples Writes to known addresses (IDT) Function pointer overwrites Redirecting control flow to userspace Influencing privesc-related kernel data(eg. credentials structures) Relying on kallsyms and other infoStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #15 15. Overview of grsecurity/PaX grsecurity/PaX Third-party patchset to harden Linuxuserspace/kernel security Attempts to prevent Introduction/execution of arbitrary code Execution of existing code out of original order Execution of existing code in original order witharbitrary dataStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #16 16. grsecurity/PaX hardening Kernel hardening features: KERNEXEC Prevent the introduction of new executable code UDEREF Prevent invalid userspace pointer dereferences HIDESYM Hide info that may be useful to an attacker (kallsyms,slabinfo, kernel address leaks, etc) MODHARDEN Prevent auto-loading of crappy unused packet families(CAN, RDS, econet, etc)Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #17 17. Agenda A review of Linux kernel security Exploitation vs. grsecurity/PaX Bypassing grsecurity/PaXStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #18 18. The main event A technique we call stackjacking Enables the bypass of common grsecurity/PaX configurations with common exploit primatives Independently discovered, collaboratively exploited, with slightly different techniques Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #19 19. Plan of attack! ??? STACKJACKINGROOT??? OVERVIEW ??? ?????? Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #20 20. Target kernel assumptions Hardened kernel with grsec/PaX Config level GRKERNSEC_HIGH KERNEXEC UDEREF HIDESYM MODHARDEN Etc...Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #21 21. Stronger target assumptions Lets make some extra assumptions We like a challenge, and these are assumptions thatmay possibly be obtainable now or in the future Stronger target assumptions Zero knowledge of kernel address space Fully randomized kernel text/data Cannot introduce new code into kernel address space Cannot modify kernel control flow (eg. data-only)Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #22 22. Attacker assumption #1 Assumption: arbitrary kmem write A common kernel exploitation primitive Examples: RDS, MCAST_MSFILTER Other vulns can be turned into writes, e.g.overflowing into a pointer thats written to Wut? You mean I cant escalate privs with an arbitrarykernel memory write normally? NOPE.Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #23 23. Arbitrary write into the abyssDARKNESS!0xffffffff kernel0xc0000000(TASK_SIZE)userNo clue where to write!0x00000000 Exploitation is infeasible.Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #24 24. Whats the secret sauce?ARBITRARYWRITE + ? = ru_utime.tv_sec)||...}Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #73 73. compat_sys_waitid disasmDumpofassemblercodeforfunctioncompat_sys_waitid:...0xffffffff810aba4e: lea0x140(%rbp),%r14 1) compat_sys_waitid() stores address of ru in r14...0xffffffff810aba8b: callq0xffffffff81063b702) compat_sys_waitid() calls sys_waitid()... 3) sys_waitid() calls do_wait()0xffffffff810abaae: mov%r14,%rdi0xffffffff810abab1: callq0xffffffff810aa7004) do_wait() pushes r14 on kstack... 5) do_wait() sleeps indefinitelyDumpofassemblercodeforfunctionsys_waitid:6) we clobber the saved r14 reg on the kstack...0xffffffff81063bf9: callq0xffffffff810637e0 7) do_wait() wakes up 8) do_wait() pops r14 off the kstack...9) do_wait() returnsDumpofassemblercodeforfunctiondo_wait:10) sys_waitid() returns...0xffffffff810637e6: push%r14 11) compat_sys_waitid() calls put_compat_rusage()...PROCESSGOESTOSLEEPHERE 12) put_compat_rusage() uses clobbered source addr...0xffffffff810639fb: pop%r14 13) put_user() copies from source addr to userspace...Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan RosenbergSlide #74 74. compat_sys_waitid reliability Is this reliable across kernel versions? Yes, tested on: Lucid default build vmlinuz-2.6.32-24-generic Lucid custom build vmlinuz-2.6.32.26+drm33.12 Vanilla build vmlinuz-2.6.36.3 Vanilla build + grsec vmlinuz-2.6.36.3-grsec How about compilers? Across most gcc 4.x? Needs more investigation Potentially could runtime fingerprint compilerStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #75 75. High-level exploit flow1. jacker forks/execs groper8. helper wakes up from sleep2. groper gets its own kstack addr9. groper returns from waitid3. groper passes kstack addr up to10. groper leaks task_struct addressjackerback to userspace4. groper forks/execs helper11. groper passes leaked addressback up with jacker5. helper goes to sleep fora bit 12. steps 4-11 are repeated to leaktask/cred addresses6. groper calls waitid on helper13. jacker modifies gropers cred7. jacker overwrites the required struct in-placeoffset on gropers stack14. groper forks off a root shellStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #76 76. Plan of attack! Arbitrary writeSTACK JACKINGROOT Kstack disclosureOVERVIEWSTACKSTACKSTACKSELF-DISCOVERYGROPINGJACKINGManual analysisKERNEL_DS trick ??? Read thread / task Auto with libkstack Clobber saved reg Overwrite credsStackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #77 77. Live demo! Exploit againstlive hardenedsystem...Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #78 78. Defenses? Mitigate the exploitation vectors? Remove thread_info metadata from kstack RANDKSTACK Eliminate all kstack disclosures? Clear kstack between syscalls? Compiler/toolchain foo? ???Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #79 79. Greetz #busticati $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/ Those who were already aware of thisbypass vector ;-)Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #80 80. Q&A QUESTIONS? Jon OberheideDan Rosenberg jon@oberheide.org dan.j.rosenberg@gmail.comDuo Security Virtual Security Research Stackjacking Your Way to grsecurity/PaX Bypass Jon Oberheide / Dan Rosenberg Slide #81