a look inside the windows kernel
play

A look inside the Windows Kernel CVE-2011-1237 Evolution from XP - PowerPoint PPT Presentation

Dec 25, 2022 •577 likes •1.55k views

A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013 Plan A look inside the

  1. A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013

  2. Plan A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 1 Introduction Evolution from XP to 8 CVE-2013-3660 Conclusion

  3. Introduction A look inside the Windows Kernel Bruno Pujos What this talk is about? Introduction • Security of the Windows Kernel Basics of Windows Kernel • Presentation of some exploits CVE-2011-1237 • What changed in the security of the kernel, since Evolution from XP to 8 Windows NT 5.1 (Windows XP) CVE-2013-3660 Conclusion Motivation for attacking the kernel • Sandbox bypassing • Full access to everything • The fun

  4. Plan A look inside the Windows Kernel Bruno Pujos Introduction 1 Introduction Basics of Windows Kernel Basics of Windows Kernel 2 CVE-2011-1237 Evolution from XP to 8 CVE-2011-1237 3 CVE-2013-3660 Conclusion Evolution from XP to 8 4 CVE-2013-3660 5 Conclusion 6

  5. Plan A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 2 Basics of Windows Kernel Evolution from XP to 8 CVE-2013-3660 Conclusion

  6. Basics of Windows Kernel A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 Evolution from XP to 8 CVE-2013-3660 Conclusion

  7. HAL A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows • HAL : The hardware abstraction layer (hal.dll) Kernel CVE-2011-1237 • ”a layer of software that deals directly with your Evolution from XP computer hardware.” (msdn) to 8 CVE-2013-3660 • Layer for suporting different hardware with the same Conclusion software • HalDispatchTable : holds the addresses of a few HAL routines

  8. Win32k.sys A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel • Kernel mode driver CVE-2011-1237 Evolution from XP • Introduce in NT 4.0 for performance reason to 8 • Two parts : CVE-2013-3660 Conclusion • The Graphics Device Interface (GDI) • The Window Manager

  9. User objects A look inside the Windows Kernel Bruno Pujos Introduction • User entities (Windows, menu, keyboard layout. . . ) Basics of Windows • Managed by the Window Manager Kernel CVE-2011-1237 • Represented by a handle Evolution from XP • Handle table keeps track of each user object to 8 CVE-2013-3660 • The address of the object Conclusion • The type of the object • A flag • The owner and a wUniq value

  10. User objects A look inside the Windows Kernel Bruno Pujos Introduction • User entities (Windows, menu, keyboard layout. . . ) Basics of Windows • Managed by the Window Manager Kernel CVE-2011-1237 • Represented by a handle Evolution from XP • Handle table keeps track of each user object to 8 CVE-2013-3660 • The address of the object Conclusion • The type of the object • A flag • The owner and a wUniq value

  11. User objects A look inside the Windows Kernel • User entities (Windows, menu, keyboard layout. . . ) Bruno Pujos • Managed by the Window Manager Introduction • Represented by a handle Basics of Windows Kernel • Handle table keeps track of each user object CVE-2011-1237 • The address of the object Evolution from XP to 8 • The type of the object CVE-2013-3660 • A flag Conclusion • The owner and a wUniq value

  12. User-Mode Callback A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows • A way to communicate between kernel and user: Kernel CVE-2011-1237 • access to some structures in user mode Evolution from XP • used to support hooking to 8 • . . . CVE-2013-3660 • CBT-Hook: receive notifications from windows Conclusion • WindowProc: callback function wich processes the messages sent to a window

  13. User-Mode Callback A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows • A way to communicate between kernel and user: Kernel CVE-2011-1237 • access to some structures in user mode Evolution from XP • used to support hooking to 8 • . . . CVE-2013-3660 • CBT-Hook: receive notifications from windows Conclusion • WindowProc: callback function wich processes the messages sent to a window

  14. Plan A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel CVE-2011-1237 3 CVE-2011-1237 Evolution from XP to 8 CVE-2013-3660 Conclusion

  15. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  16. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  17. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  18. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  19. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

  20. Vulnerability A look inside the Windows Kernel • Vulnerability discovered by Tarjei Mandt Bruno Pujos (@kernelpool), based on his paper Kernel Attacks Introduction through User-Mode Callbacks Basics of Windows • Use After Free of a window object (User Object) Kernel CVE-2011-1237 • During the creation of a new window, you can give a parent in a CBT-Hook Evolution from XP to 8 • Using another hook during the creation, you can CVE-2013-3660 destroy this window Conclusion • We have a way to allocate a buffer with our content and the size we want with SetWindowTextW . We will use it to put what we want at the position of the free window • The parent is used at the end of LinkWindow , and it has been freed • We can map the Null page and put our shellcode in it, in userland. Our goal is to call it

Recommend

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

CSCE Intro to Computer Systems System Programming in Windows System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles Processes, Jobs, Threads Synchronization Kernel Objects Whenever you want to

416 views • 13 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan & Chan Lee Yee Ministry of Science, Technology and Innovation Agenda Agenda Introduction TrueType Font (.TTF) TTF Fuzzer Exploit Demonstration MS11

788 views • 65 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon,

Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon,

CPSC-663: Real-Time Systems Windows NT/2000 and Real-Time Windows NT and Real-Time? Reading: Inside Microsoft Windows 2000, (Solomon, Russinovich, Microsoft Programming Series) Real-Time Systems and Microsoft Windows NT

208 views • 8 slides
Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @ ZeroNights E.0x02 November 2012 PS C:\Users\j00ru> whoami nt authority\system Microsoft Windows internals fanboy Also into reverse

976 views • 80 slides
Kernel Implementations I 15 January 2019 OSU CSE 1 So, Whats Inside the Computer?

Kernel Implementations I 15 January 2019 OSU CSE 1 So, Whats Inside the Computer?

Kernel Implementations I 15 January 2019 OSU CSE 1 So, Whats Inside the Computer? Consider any popular video game, e.g., Nintendo Wii bowling Are there bowling balls and bowling pins inside the game consoles computer? 15

681 views • 27 slides
Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security Researcher at Norman Malware Detection Team (MDT) Interests Vulnerability research Operating systems internals Exploit mitigations

2.17k views • 100 slides
Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru"

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz "j00ru" Jurczyk ZeroNights 2013 E.0x03 Moscow, Russia Introduction Mateusz j00ru Jurczyk Information Security Engineer @ Extremely into Windows

1.11k views • 110 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged

Platform Convergence Journey Windows Embedded Standard 7 Windows Embedded Standard 8 Converged OS kernel Windows Embedded 8.1 Windows Embedded 8 Converged app model Windows 10 Windows Embedded 8.1 Windows Embedded 8 Handheld Handheld

792 views • 29 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel

Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel

Rainbow over the Window(s) ... more colors than you could expect $whoami Peter Daniel @zer0mem @long123king Windows kernel research at Windows kernel research at KeenLab, Tencent KeenLab, Tencent pwn2own winner (2015

1.12k views • 52 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel

0-to-hero 07/10 Mentors <> 07/10 Sessions Me Kernel developer(Windows/Linux/Own)/Microarchitecture geek (Intel)/Security Researcher (Lenovo, Microsoft, Mysql, Python etc.)/ Software Engineer Architect/Hardware Engineer (FPGA, ASIC,

300 views • 12 slides
UPPAAL tutorial Modeling Verification 1 2 Architecture of UPPAAL Whats inside UPPAAL

UPPAAL tutorial Modeling Verification 1 2 Architecture of UPPAAL Whats inside UPPAAL

UPPAAL Tool Simulation UPPAAL tutorial Modeling Verification 1 2 Architecture of UPPAAL Whats inside UPPAAL Linux, Windows, Solaris, MacOS 3 4 All Operations on Zones Inside the UPPAAL tool (needed for verification)

468 views • 13 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Emulating Windows file serving on POSIX Jeremy Allison Samba Team jra@samba.org But isn't it

Emulating Windows file serving on POSIX Jeremy Allison Samba Team jra@samba.org But isn't it

Wider World Opening Windows to a Emulating Windows file serving on POSIX Jeremy Allison Samba Team jra@samba.org But isn't it easy ? Wider World Opening Windows to a Just take a kernel, add your own file system and.. Not if you don't own

549 views • 30 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
1 Kernel methods & optimization One example of a kernel that is frequently used in practice

1 Kernel methods & optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods & optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

241 views • 5 slides
Roadmap for Section 2.1. Architecture Overview Program Execution Environment Kernel Mode

Roadmap for Section 2.1. Architecture Overview Program Execution Environment Kernel Mode

Unit OS2: Operating System Principles 2.1. Structuring of the Windows Operating System Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 2.1. Architecture Overview Program

438 views • 26 slides

More recommend