A look inside the Windows Kernel
Bruno Pujos
LSE
July 18, 2013

Sections: Introduction, Basics of Windows Kernel, CVE-2011-1237, Evolution from XP to 8, CVE-2013-3660, Conclusion
Plan
1 Introduction
Introduction
What this talk is about?
• Security of the Windows Kernel
• Presentation of some exploits
• What changed in the security of the kernel since Windows NT 5.1 (Windows XP)
Motivation for attacking the kernel
• Sandbox bypassing
• Full access to everything
• The fun
Plan
1 Introduction
2 Basics of Windows Kernel
3 CVE-2011-1237
4 Evolution from XP to 8
5 CVE-2013-3660
6 Conclusion
Plan
2 Basics of Windows Kernel
Basics of Windows Kernel
HAL
• HAL: the hardware abstraction layer (hal.dll)
• "a layer of software that deals directly with your computer hardware." (MSDN)
• Layer for supporting different hardware with the same software
• HalDispatchTable: holds the addresses of a few HAL routines
Win32k.sys
• Kernel mode driver
• Introduced in NT 4.0 for performance reasons
• Two parts:
  • The Graphics Device Interface (GDI)
  • The Window Manager
User objects
• User entities (windows, menus, keyboard layouts...)
• Managed by the Window Manager
• Represented by a handle
• Handle table keeps track of each user object:
  • The address of the object
  • The type of the object
  • A flag
  • The owner and a wUniq value
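The handle table described on the User objects slide, modelled in C as an added example. This is not code from the talk nor win32k's real layout: the entry fields follow the slide (address, type, flag, owner, wUniq), while the handle encoding (low 16 bits = table index, high 16 bits = wUniq) and the names alloc_object, validate_handle and free_object are this model's own assumptions. It shows what the wUniq value buys the kernel: once an entry is freed and its slot reused, an old handle no longer validates.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a user-object handle table (not win32k's layout).
   Index 0 is reserved so that a zero handle is always invalid. */
enum obj_type { TYPE_FREE = 0, TYPE_WINDOW = 1, TYPE_MENU = 2 };

#define TABLE_SIZE 16

typedef struct {
    void    *phead;   /* address of the object, NULL when the entry is free */
    uint8_t  btype;   /* type of the object (enum obj_type) */
    uint8_t  bflags;  /* flag bits */
    uint32_t owner;   /* owner id (constructed value) */
    uint16_t wuniq;   /* uniqueness counter, bumped every time the slot is freed */
} handle_entry;

static handle_entry table[TABLE_SIZE];

/* Assumed encoding: high 16 bits carry wUniq, low 16 bits carry the index. */
static uint32_t make_handle(uint16_t index, uint16_t uniq) {
    return ((uint32_t)uniq << 16) | index;
}

uint32_t alloc_object(uint8_t type, uint32_t owner, size_t size) {
    for (uint16_t i = 1; i < TABLE_SIZE; i++) {
        if (table[i].btype == TYPE_FREE) {
            table[i].phead  = calloc(1, size);
            table[i].btype  = type;
            table[i].bflags = 0;
            table[i].owner  = owner;
            return make_handle(i, table[i].wuniq);
        }
    }
    return 0; /* table full */
}

/* Resolve a handle to an object pointer; NULL if the handle is not valid. */
void *validate_handle(uint32_t h, uint8_t expected_type) {
    uint16_t index = (uint16_t)(h & 0xFFFF);
    uint16_t uniq  = (uint16_t)(h >> 16);
    if (index == 0 || index >= TABLE_SIZE) return NULL;
    handle_entry *e = &table[index];
    if (e->btype == TYPE_FREE || e->btype != expected_type) return NULL;
    if (e->wuniq != uniq) return NULL; /* stale handle: slot freed and reused */
    return e->phead;
}

int free_object(uint32_t h) {
    uint16_t index = (uint16_t)(h & 0xFFFF);
    uint16_t uniq  = (uint16_t)(h >> 16);
    if (index == 0 || index >= TABLE_SIZE) return 0;
    handle_entry *e = &table[index];
    if (e->btype == TYPE_FREE || e->wuniq != uniq) return 0;
    free(e->phead);
    e->phead  = NULL;
    e->btype  = TYPE_FREE;
    e->bflags = 0;
    e->owner  = 0;
    e->wuniq++; /* invalidates every handle that still names this slot */
    return 1;
}

/* Scenario: a window is freed and its slot reused by a new window. */
int stale_handle_rejected(void) {
    uint32_t h1 = alloc_object(TYPE_WINDOW, 1234, 64);
    free_object(h1);
    uint32_t h2 = alloc_object(TYPE_WINDOW, 1234, 64);
    int same_slot      = (h1 & 0xFFFF) == (h2 & 0xFFFF);
    int stale_rejected = validate_handle(h1, TYPE_WINDOW) == NULL;
    int fresh_accepted = validate_handle(h2, TYPE_WINDOW) != NULL;
    free_object(h2);
    return same_slot && stale_rejected && fresh_accepted;
}

/* Scenario: a menu handle presented where a window is expected. */
int type_mismatch_rejected(void) {
    uint32_t h = alloc_object(TYPE_MENU, 1, 16);
    int rejected = validate_handle(h, TYPE_WINDOW) == NULL;
    int accepted = validate_handle(h, TYPE_MENU) != NULL;
    free_object(h);
    return rejected && accepted;
}

/* Scenario: freeing the same handle twice fails the second time. */
int double_free_rejected(void) {
    uint32_t h = alloc_object(TYPE_WINDOW, 1, 16);
    int first = free_object(h);
    int second = free_object(h);
    return first == 1 && second == 0;
}

int main(void) {
    printf("stale handle rejected:  %d\n", stale_handle_rejected());
    printf("type mismatch rejected: %d\n", type_mismatch_rejected());
    printf("double free rejected:   %d\n", double_free_rejected());
    return 0;
}
```

The point for the rest of the talk: wUniq protects code that goes back through the handle table. It does nothing for kernel code that keeps a raw object pointer (the parent window in the CVE-2011-1237 case) across a user-mode callback and uses it afterwards, which is why the defensive rule is to re-validate the handle after every callback rather than trust a pointer obtained before it.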
User-Mode Callback
• A way to communicate between kernel and user:
  • access to some structures in user mode
  • used to support hooking
  • ...
• CBT-Hook: receive notifications from windows
• WindowProc: callback function which processes the messages sent to a window
Plan
3 CVE-2011-1237
Vulnerability
• Vulnerability discovered by Tarjei Mandt (@kernelpool), based on his paper Kernel Attacks through User-Mode Callbacks
• Use After Free of a window object (User Object)
• During the creation of a new window, you can give a parent in a CBT-Hook
• Using another hook during the creation, you can destroy this window
• We have a way to allocate a buffer with our content and the size we want with SetWindowTextW. We will use it to put what we want at the position of the freed window
• The parent is used at the end of LinkWindow, and it has been freed
• We can map the Null page and put our shellcode in it, in userland. Our goal is to call it