Vulnerability design

PATTERNS

case: Kernel mode

PAST

Environment for exploitation

Simple ioctl

W^X NX KASLRHardened

PoolSMEP SMAP

Why kernel exploitation

Full control of system

Simple exploitation

Simple bugs

KERNEL ESCAPE

few lines of code, simple, effective – for that time

Modified sample from : https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb

EVOLUTION

Exploitation hierarchy

User

Elevated user

(admin / root)

supervisor

Past exploitation shortcut

User

Elevated user

(admin / root)

supervisor

Present (+-) & Future : Step by step

UserElevated user

(admin / root)Supervisor

• DEP, ASLR, SEHOP, ProtectedFree, Isolated Heap, CFG,

Virtual Table Guards, EMET...

• sandbox, SELinux and alikes

• KASLR, SMEP, SMAP, ..

Why kernel escape

• Going to be more and more difficult, but ...

• still .. sometimes easier .. shortcut

• Natural bypass of SELinux

• Full control (cpl0 > cpl3)• for now do not considering cpl-1, ...

exploitation ==> developing

• In past was very easy elevate privileges

• Now everything is fast moving

• You need to adapt to all changes & diversity

• Things are getting more complex

• Your exploitation code is expanding dramatically

• Every change can broke your black-box

• + Process of exploitation need more than ioctl

• Race conditions, complex mechanism break (ttf), sandbox escapes ...

VULNERABILITY DESIGN PATTERNS

kernel case

selected vulnerability classes

• Out Of Boundary

• Basic types Over/Under flows

• Stack overflows

• Buffer overflows

• nullptr writes

• Race conditions –not generic, but ...

• may create other bug from above group

Out Of Boundary

Simple, mighty, generic

OOB

• Read

• Write

• SMAP – limitation, but not

eliminate oob

• GENERIC approach

Basic type Over/Under-flow

Generic, simple and useful when it comes to aligned rw

Stack Overflow

sometimes protected, sometimes not .. local vars ?

.. depends on compilation ..

Stack overview

• Local vars

• canaries

• Protect ret & args

• ... sometimes ... missing

• UNprotected inner calls ?

• Arg in main func preserved in register

• Inner call invoked, register may be putted onto stack

• Rewrite arg (or directly ret) on stack in inner call

• Return to main func with altered arg (in register)

• Can help more than it seems ;)

• Controlled copy, overwrite save your day

Buffer Overflow

Common case, can be also byproduct, heap hardening can be

problem

Buffer overview

• Windows kernel pool, SLUB

• not so predictable anymore

• but still far from not-predictable at some level

• kmalloc

• targeted kmalloc from user mode ?

• not so hard as can seems

• help with predictability

• Pool spray

• thread, process, pipe, socket ...

• caches (linux)

• can be problem for precise pool layout, but can be solved

nullptr pwn

spray, write, pwn .. 64b bit more effort ...

user part of cake

Pool spray

kmalloc

Pipes

ThreadsLocks

ret2dir

Kernel IO

kernel pool

pipes, threads .. kmalloc .. spray

Kernel IO

If doable, then almighty ...

workers, locks, helpers

a lot of common issues per vuln task

CODING STYLE MATTERS

Elevation of Privilages

USER

• Find nt!_eprocess / thread_info

• Patch credentials

• Bypass ACL policy

• Reverse engineer per policy

• Implement

• Keep up to date

• Good if not change frequently .. Not that case

KERNEL

• Elevate process

• Grant access important operations (callbacks)

• File access

• Process access

• Registry access

• Network

• How effective without framework ?

Kernel part of cake

• Boosting privs

• Why patching ?

• Recognize and grant access instead

• No LKM ? Are you sure ?

• Kernel exploitation may be equals to enable LKM

CC-shellcoding framework

• developing instead of shellcoding ?

• C++, boost, std ?

• Loading your own kernel modules ?

https://github.com/k33nteam/cc-shellcoding

more info : http://www.k33nteam.org/blog.htm -

CC-SHELLCODING

@KEENTEAM

2014 - $500,0002015 - $??????? Pick a device, name your own challenge!

We are hiring! Kernel & app sec

A LOT of research

mobile, pc

M$, android, OSX ..

Thank You! Q & A

@K33nTeam