Win32k Dark Composition: Attacking the Shadow Part of the Graphic Subsystem
Peng Qiu (@pgboy), SheFang Zhong (@zhong_sf), @360Vulcan Team
About Us
• Members of 360 Vulcan Team
• Windows kernel security researchers
• Pwn2Own winners 2015: pwned IE at Pwn2Own 2015
• Pwn2Own winners 2016: pwned Chrome and Flash at Pwn2Own 2016
• PwnFest winners 2016: pwned Edge and Flash at PwnFest 2016
Agenda
• Direct Composition Overview
• 0day & Exploitation
• Fuzzing
• Mitigation & Bypass
Direct Composition Overview
• A high-performance bitmap composition graphics engine with transforms, effects and animations.
• Introduced in Windows 8.
• Built on top of DWM (Desktop Window Manager).
Direct Composition Architecture (diagram)
• Userland: dwmcore, dcomp, ...
• Kernel: marshaler objects (CExpressionMarshaler, CFilterEffectMarshaler, CScaleTransformMarshaler, ...), visuals, CApplicationChannel.
• DirectComposition submits to DWM (Desktop Window Manager), which calls DXGK (DirectX graphics kernel).
Significant changes since Win10 RS1
• Kernel implementation changed: lots of functions have been rewritten, but not to fix vulnerabilities.
• Interface changed: lots of interfaces removed (10+?), some interfaces added, e.g.:
Before Win10 RS1: the DirectComposition syscalls existed independently, and some were in the win32k filter table; the function shown in the figure is outside the win32k filter list.
Since Win10 RS1: all included in
Why attack DirectComposition
• Reachable from an AppContainer and outside the win32k filter.
• This part is implemented in C++ in the kernel.
• Introduced in Windows 8, and, as far as we know, it has never been the focus of other researchers.
Important functions
Channel Object
• Known as the Device object in the user-mode interface.
• Owner of resources; used to create resources.
• pArgSectionBaseMapInProcess returns the batch buffer we need later.
Resource Object
• Known as a Visual in the user-mode interface.
• Similar to a win32k surface.
• It has a lot of types: CScaleTransformMarshaler, CTranslateTransformMarshaler, CRectangleClipMarshaler, CBaseClipMarshaler, CSharedSectionMarshaler, CMatrixTransformMarshaler, CMatrixTransform3DMarshaler, CShadowEffectMarshaler, ...
Batch Buffer
• Associated with a channel.
• Returned from NtDCompositionCreateChannel.
• Parsed by NtDCompositionProcessChannelBatchBuffer.
• This function supports a lot of commands.
How to fuzz
In the fuzzer, each function's selection probability is 1 by default; we increase the DirectComposition functions' probability to 100.
• If they need a channel, we give them one.
• If they need a resource, we give them one.
• If we do not know what they want, we give them a random one.
0day & Exploitation
Resource Double free (CVE-2017-XXXX)
Root Cause
Freeing the resource (visual)'s property buffer does not clear resource->DataBuffer, so the same buffer is freed again when the resource itself is freed.
• First free: the property buffer is released, but resource->DataBuffer still points at it.
• Second free: the resource is freed and its DataBuffer is released a second time.
Exploitation (kernel heap layout: Res1 Res2 Res3 Res4 … ResY)
1. First free: free ResY's property buffer; the slot is now free, but ResY->DataBuffer still points at it.
2. Occupy the freed slot with a palette.
3. Second free: freeing ResY frees the palette's memory out from under it.
4. Occupy the freed palette memory with ResX's DataBuffer.
When the palette is occupied by a resource DataBuffer, the content of ResX->DataBuffer overwrites the palette, so palette->pEntries can be set to whatever we want. Usually palette->pEntries is pointed at a bitmap object, so that palette entry reads and writes land on bitmap->pScan0.
Read & write primitive: replace the process token, exploited.
Fix BSOD
• We finished the privilege escalation, but got a BSOD when the process exited.
• There is still a double free of either the palette or ResX's DataBuffer, because they share the same kernel buffer.
• The double free happens while the process handle table is cleared at process exit: the palette handle is closed first, the resource handle next.
• So we must clear ResX->DataBuffer or remove the ResX handle from the handle table before the process exits.
Clear ResX->DataBuffer
1. Locate the ResX address: resource addresses are stored in the channel's resource table, which is implemented as an array.
2. Locate the channel address: the channel handle table lives at _EPROCESS->Win32Process->GenericTable. It is a binary tree (channel1, channel2, ...); search it to find the channel the resource belongs to.
3. Clear the pointer with the write primitive:
   void* ptrNull = 0;
   AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull);
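The following is an added example, not code from the talk: a user-mode model of the root cause (freeing the property buffer without clearing resource->DataBuffer) and of the two ways the second free is avoided, the proper fix and the exploit's clean-up write of a NULL pointer before process exit. The Resource struct, FreePropertyBuffer_*, FreeResource and the tracking allocator are hypothetical stand-ins for the kernel objects the slides describe; their names are assumptions.

```c
// Added example (not the talk's code): model of the DirectComposition
// resource double free. All names here are hypothetical stand-ins.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16

// Tiny allocator that remembers which blocks are live, so a second free
// of the same block is counted instead of corrupting the heap.
static void *g_live[MAX_TRACKED];
static int g_double_frees;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!g_live[i]) { g_live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_live[i] == p) {
            g_live[i] = NULL;
            free(p);
            return;
        }
    }
    g_double_frees++;   // block was not live: this is a double free
}

typedef struct Resource {
    void  *DataBuffer;  // the property buffer (resource->DataBuffer on the slide)
    size_t DataSize;
} Resource;

static void SetBufferProperty(Resource *r, size_t n) {
    r->DataBuffer = tracked_alloc(n);
    r->DataSize = n;
}

// First free, vulnerable version: releases the property buffer but
// leaves the dangling pointer in place.
static void FreePropertyBuffer_vuln(Resource *r) {
    tracked_free(r->DataBuffer);
    r->DataSize = 0;
}

// First free, fixed version: clears the pointer so FreeResource has
// nothing left to free.
static void FreePropertyBuffer_fixed(Resource *r) {
    tracked_free(r->DataBuffer);
    r->DataBuffer = NULL;
    r->DataSize = 0;
}

// Second free: destroying the resource frees whatever DataBuffer still
// points at (this is what the handle-table cleanup at exit triggers).
static void FreeResource(Resource *r) {
    tracked_free(r->DataBuffer);
    r->DataBuffer = NULL;
}

// Runs one scenario and returns how many double frees it caused.
// mode 0: vulnerable path
// mode 1: fixed FreePropertyBuffer
// mode 2: vulnerable path, but the exploit nulls DataBuffer before exit
//         (stand-in for AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull))
int run_scenario(int mode) {
    g_double_frees = 0;
    memset(g_live, 0, sizeof(g_live));
    Resource res = {0};
    SetBufferProperty(&res, 0x40);
    if (mode == 1) FreePropertyBuffer_fixed(&res);
    else           FreePropertyBuffer_vuln(&res);
    if (mode == 2) {
        void *ptrNull = NULL;
        memcpy(&res.DataBuffer, &ptrNull, sizeof(void *));  // the clean-up write
    }
    FreeResource(&res);   // process exit / handle table cleanup
    return g_double_frees;
}

int main(void) {
    printf("vulnerable: %d double free(s)\n", run_scenario(0));
    printf("fixed:      %d double free(s)\n", run_scenario(1));
    printf("cleanup:    %d double free(s)\n", run_scenario(2));
    return 0;
}
```

The vulnerable path reports one double free, the fixed path none, and the exploit-style clean-up (writing NULL over ResX->DataBuffer before the resource is destroyed) also none, which is why the arbitrary write of a NULL pointer is enough to avoid the BSOD at process exit.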
BagMarshaler Integer overflow (CVE-2016-XXXX)
Root cause: integer overflow. The parser loops while dataOffset < DataSize - 0xc; if DataSize < 0xc the subtraction wraps. Pseudocode of the vulnerable path:
   if (dwOffset < (DWORD)(0x1 - 0xc)) {
       if (DataBuffer[dwOffset] == 0x66) {
           DataBuffer[dwOffset + 0xc] = xxxx;
       }
   }
Exploitation:
• By default this->DataBuffer == NULL && this->DataSize == 0.
• Write anywhere on x86 systems.
• Not so easy on x64 systems.
Conditions:
1. this->DataBuffer must not be NULL.
2. this->DataSize < 0xC && this->DataSize != 0.
3. *(this->DataBuffer + inbuf->offset) == (0x45 or 0x66).
1. this->DataBuffer must not be NULL: we can call CPropertyBagMarshaler::SetBufferProperty(...) with property == 2 to allocate a buffer, which is then stored in this->DataBuffer.
3. *(this->DataBuffer + inbuf->offset) == (0x45 or 0x66): spray lots of bufferX objects so that a bufferX sits right behind this->DataBuffer (DataBuffer, bufferX, bufferX, ...). Then calculate inbuf->offset so that:
• (DataBuffer + offset) lands in bufferX, on bufferX->Field1, which must be modifiable from user mode; set it to 0x45 or 0x66.
• (DataBuffer + offset + 0xc) lands in bufferX, on bufferX->Field2, which must be worth overwriting.
Fortunately, we found that a bitmap satisfies this case perfectly: its Height field is user-settable and pScan0 lies 0xc bytes after it. Now bitmap->pScan0 has been changed to the value we set, so we get a read/write primitive:
1. GetBitmapBits(...)
2. SetBitmapBits(...)
Replace the process token, exploited!
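The following is an added example, not code from the talk: a user-mode model of the wrapping bounds check from the root-cause slide, a hardened replacement, and the sprayed-neighbour layout the exploitation slides use to reach bitmap->pScan0. offset_ok_vuln/offset_ok_fixed, parse_entry, the Heap model and the constant offsets are assumptions modelled on the slide's pseudocode (x86 field distances assumed, with Field1 = Height and pScan0 0xc bytes later); the neighbour's original pScan0 value is constructed.

```c
// Added example (not the talk's code): model of the BagMarshaler integer
// overflow and of the DataBuffer -> sprayed-bitmap layout. All names and
// offsets here are assumptions taken from the slide's pseudocode.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_SIZE    0xc          // the 0xc the parser subtracts and later adds
#define DATA_SIZE     4            // this->DataSize after SetBufferProperty: 0 < DataSize < 0xc
#define NEIGHBOUR_OFF DATA_SIZE    // bufferX (a bitmap) sprayed directly behind DataBuffer
#define FIELD1_OFF    NEIGHBOUR_OFF              // Field1: bitmap Height, settable from user mode
#define PSCAN0_OFF    (FIELD1_OFF + ENTRY_SIZE)  // Field2: bitmap pScan0, 0xc bytes later

// Vulnerable check: dwOffset < DataSize - 0xc. With unsigned arithmetic and
// DataSize < 0xc the subtraction wraps (DataSize == 1 gives 0xFFFFFFF5),
// so practically every offset passes.
bool offset_ok_vuln(uint32_t DataSize, uint32_t dwOffset) {
    return dwOffset < DataSize - ENTRY_SIZE;
}

// Hardened check (our replacement, not Microsoft's fix): refuse buffers too
// small to hold one entry before subtracting, so the comparison cannot wrap.
bool offset_ok_fixed(uint32_t DataSize, uint32_t dwOffset) {
    if (DataSize < ENTRY_SIZE) return false;
    return dwOffset < DataSize - ENTRY_SIZE;
}

// Flat model of the kernel pool: DataBuffer followed by the sprayed bitmap.
typedef struct { uint8_t bytes[32]; } Heap;

void heap_init(Heap *h) {
    memset(h->bytes, 0, sizeof h->bytes);
    h->bytes[FIELD1_OFF] = 0x66;                  // Height set from user mode to the magic byte
    uint32_t scan0 = 0xAAAA0000u;                 // constructed "original" pScan0
    memcpy(h->bytes + PSCAN0_OFF, &scan0, sizeof scan0);
}

uint32_t heap_pscan0(const Heap *h) {
    uint32_t v;
    memcpy(&v, h->bytes + PSCAN0_OFF, sizeof v);
    return v;
}

// Emulates the parser's entry update from the slide:
//   if (DataBuffer[dwOffset] == 0x66) DataBuffer[dwOffset + 0xc] = value;
// Returns true when the write happened.
bool parse_entry(Heap *h, uint32_t DataSize, uint32_t dwOffset, uint32_t value, bool hardened) {
    bool ok = hardened ? offset_ok_fixed(DataSize, dwOffset)
                       : offset_ok_vuln(DataSize, dwOffset);
    if (!ok) return false;
    // Keeps this model itself in bounds; the real parser has no such guard.
    if (dwOffset + ENTRY_SIZE + sizeof value > sizeof h->bytes) return false;
    if (h->bytes[dwOffset] != 0x66) return false;
    memcpy(h->bytes + dwOffset + ENTRY_SIZE, &value, sizeof value);
    return true;
}

// Runs the attack against either parser and returns the bitmap's pScan0 afterwards.
uint32_t attack(bool hardened) {
    Heap h;
    heap_init(&h);
    // inbuf->offset chosen so DataBuffer + offset lands on bufferX->Height
    // and DataBuffer + offset + 0xc lands on bufferX->pScan0.
    parse_entry(&h, DATA_SIZE, NEIGHBOUR_OFF, 0x41414141u, hardened);
    return heap_pscan0(&h);
}

int main(void) {
    printf("vulnerable check, DataSize=4, offset=0x1000 passes: %d\n",
           offset_ok_vuln(DATA_SIZE, 0x1000));
    printf("pScan0 after attack (vulnerable): 0x%08x\n", attack(false));
    printf("pScan0 after attack (hardened):   0x%08x\n", attack(true));
    return 0;
}
```

With the vulnerable check the write lands on the neighbouring bitmap's pScan0, which is the state GetBitmapBits/SetBitmapBits then turn into an arbitrary read/write; with the wrap-free check the small DataSize is rejected before any offset is compared.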
Compiler Warning? WARNING!!
Mitigation & bypass
Objects that give a read/write primitive
1. tagWND abuse
Write what? tagWND.strName (UNICODE_STRING)? GetWindowText? NtUserDefSetText?
Unfortunately, the destination address is validated when written to; only the desktop heap range is legal.
2. Bitmap abuse (timeline)
• 2014: Core Security guys release a paper to talk about it.
• 2015.3: Pwn2Own: KeenTeam used it once.
• HackingTeam leaked 0day.
• 2016.3: Pwn2Own: we used it twice. Maybe KeenTeam used it once.
• 2016.8: Someone wrote it up in a public paper.
• 2016.10: We use the Accelerator object to guess the bitmap object address. Then we used it twice again at PwnFest.
14393 vs 15xxx:
A New way
Limitation: only objects allocated on the desktop heap: 1. Window 2. Menu 3. InputContext 4. CallProc. But it is enough; I believe you guys could find something useful!!
We are just on the way. Thank you.