windows kernel reference count vulnerabilities case study
play

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz - PowerPoint PPT Presentation

Jun 18, 2023 •166 likes •976 views

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @ ZeroNights E.0x02 November 2012 PS C:\Users\j00ru> whoami nt authority\system Microsoft Windows internals fanboy Also into reverse

  1. Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz "j00ru" Jurczyk @ ZeroNights E.0x02 November 2012

  2. PS C:\Users\j00ru> whoami nt authority\system • Microsoft Windows internals fanboy • Also into reverse engineering and low-level software security • Currently in Switzerland working at Google

  3. Why this talk? • Lost of stuff in a sandbox o Google Chrome, Adobe Reader, Apple Safari, pepper plugins, ... o Escapes are becoming valuable • Also, escapes are super exciting! o https://krebsonsecurity.com/2012/11/experts-warn- of-zero-day-exploit-for-adobe-reader/ (just recently) o ... really, is this so shocking? • "New" old class of bugs in the Windows kernel • Otherwise, a bunch of technically interesting bugs

  4. Topics covered • Reference counting philosophy and problems • Case study a. 1-day (NT Object Manager PointerCount weakness) b. 0-day (generic device driver image use-after-free) c. CVE-2010-2549 (win32k!NtUserCheckAccessForIntegrityLevel use-after-free) d. CVE-2012-2527 (win32k!NtUserAttachThreadInput use-after-free) e. CVE-2012-1867 (win32k!NtGdiAddFontResource use-after-free) • Mitigations and lessons learned

  5. Reference counting

  6. Fundamentals • From now on, considering ring-0 refcounting • System state → graph o resources → nodes o dependencies (refs) → directed edges o lonely node → destroy  dynamic memory management = vulnerabilities hal.dll ntoskrnl.exe dxg.sys win32k.sys

  7. Fundamentals • In the graph scenario, a vertex doesn't have to know who points at him o Just the total number • Common expression in garbage collectors: if (!pObject->Refcount) { free(pObject); } • Unsurprisingly, refcounting is usually implemented using plain integers

  8. Fundamentals • Typical code pattern pObject guaranteed to persist POBJECT pObject = TargetObject; PCLIENT pClient = ClientObject; pObject->Refcount++; pClient->InternalPtr = pObject; /* Perform operations on pClient assuming initialized InternalPtr */ pClient->InternalPtr = NULL; pObject->Refcount--;

  9. Fundamentals • Windows kernel primarily written in C • Everything is (described by) a structure • Lack of common interface to manage references o Implemented from scratch every single time when needed... o ... always in a different way

  10. Examples? kd> dt tagQ win32k!tagQ kd> dt _OBJECT_HEADER +0x000 mlInput : tagMLIST nt!_OBJECT_HEADER [...] +0x000 PointerCount : Int8B +0x070 hwndDblClk : Ptr64 HWND__ +0x008 HandleCount : Int8B +0x078 ptDblClk : tagPOINT +0x008 NextToFree : Ptr64 Void +0x080 ptMouseMove : tagPOINT +0x010 Lock : _EX_PUSH_LOCK +0x088 afKeyRecentDown : [32] UChar [...] +0x0a8 afKeyState : [64] UChar +0x0e8 caret : tagCARET +0x130 spcurCurrent : Ptr64 tagCURSOR +0x138 iCursorLevel : Int4B +0x13c QF_flags : Uint4B kd> dt _LDR_DATA_TABLE_ENTRY +0x140 cThreads : Uint2B nt!_LDR_DATA_TABLE_ENTRY +0x142 cLockCount : Uint2B [...] [...] +0x068 Flags : Uint4B +0x06c LoadCount : Uint2B +0x06e TlsIndex : Uint2B +0x070 HashLinks : _LIST_ENTRY [...]

  11. Reference counting: problems

  12. Logical issues • Crucial requirement: refcount must be adequate to number of references by pointer • Obviously, two erroneous conditions o Refcount is inadequately small o Refcount is inadequately large • Depending on the context, both may have serious implications

  13. Overly small refcounts • Two typical reasons Reference-by-pointer without refcount incrementation o More decrementations in a destroy phase than o incrementations performed before • Foundation of modern user-mode vulnerability hunting (web browsers et al) http://zerodayinitiative.com/advisories/published/ o http://blog.chromium.org/2012/06/tale-of-two-pwnies-part- o 2.html https://www.google.pl/#q=metasploit+use-after-free o ... o

  14. Overly small refcounts • Typical outcome in ring-3 object vtable lookup + call mov eax, dword ptr [ecx] mov edx, dword ptr [eax+70h] call edx • Still use-after-free in ring-0, but not so trivial almost no vtable calls in kernel o exploitation of each case is bug specific and usually requires a o lot of work kernel pools feng shui is far less developed and documented o compared to userland Tarjei Mandt has exploited a few, check his BH slides and o white-paper

  15. Overly large refcounts • Expected result → resource is never freed o Memory leak o Potential DoS via memory exhaustion o Not very useful • But refcounts are integers, remember? o Finite precision. o Integer arithmetic problems apply! o Yes, we can try to overflow • This can become a typical "small refcount" problem o use-after-free again

  16. Reference count leaks • If we can trigger a leak for free, it's exploitable while (1) { TriggerRefcountLeak(pObject); } • Unless the integer range is too large o uint16_t is not enough o uint32_t is (usually) not enough anymore o uint64_t is enough

  17. Reference count leaks • Or unless object pinning implemented ( ntdll!LdrpUpdateLoadCount2 ) if (Entry->LoadCount != 0xffff) { // Increment or decrement the refcount }

  18. Legitimately large refcounts • Sometimes even those can be a problem • We can bump up refcounts up to a specific value • Depends on bound memory allocations never happens Per-iteration byte limit Reference counter size impossible 64 bits 0-2 bytes 32 bits 16,384 - 131,072 bytes 16 bits 4,194,304 - 33,554,432 bytes 8 bits

  19. Perfect reference counting Qualities • Implementation: 32-bit or 64-bit (safe choice) integers. • Implementation: sanity checking, e.g. refcount ≥ 0x80000000 ⇒ bail out • Usage: reference# = dereference# o Random idea: investigate system state at shutdown • Usage: never use object outside of its reference block • Mitigation: reference typing

  20. Reference counting bugs: case study

  21. NT Object Manager PointerCount weakness • Manages common resources o files, security tokens, events, mutants, timers, ... o around 50 types in total (most very obscure) • Provides means to (de)reference objects o Public kernel API functions  ObReferenceObject, ObReferenceObjectByHandle, ObReferenceObjectByHandleWithTag, ObReferenceObjectByPointer, ObReferenceObjectByPointerWithTag, ObReferenceObjectWithTag  ObDereferenceObject, ObDereferenceObjectDeferDelete, ObDereferenceObjectDeferDeleteWithTag, ObDereferenceObjectWithTag o Extensively used by the kernel itself and third-party drivers

  22. NT Object Manager PointerCount weakness Fundamentals • Each object comprised of a header + body o Header common across all objects, body specific to type (e.g ETHREAD , EPROCESS , ERESOURCE ) native word-wide kd> dt _OBJECT_HEADER reference counters win32k!_OBJECT_HEADER +0x000 PointerCount : Int4B +0x004 HandleCount : Int4B [...] type specifier +0x008 Type : Ptr32 _OBJECT_TYPE [...] type specific structure +0x018 Body : _QUAD

  23. NT Object Manager PointerCount weakness Fundamentals • Two reference counters o PointerCount - # of direct kernel-mode pointer references o HandleCount - # of indirect references via HANDLE (both ring-3 and ring-0) • Object free condition (PointerCount == 0) && (HandleCount == 0)

  24. NT Object Manager PointerCount weakness • Security responsibility put on the caller o Allows arbitrary number of decrementations o Allows reference count integer overflows • Excessive dereferences rather uncommon o CVE-2010-2549 is the only I can remember • Reference leaks on the other hand... o can theoretically only lead to memory leak  who'd care? o sometimes you just forget to close something o much more popular (in third-parties, not Windows)

  25. NT Object Manager PointerCount weakness • Userland can't overflow HandleCount o At least 32GB required to store four billion descriptors. o HANDLE address space is four times smaller than a native word. • But random drivers can overflow PointerCount o grep through %system32%\drivers? < Binary file ./cpqdap01.sys matches < Binary file ./isapnp.sys matches Import a Reference , < Binary file ./modem.sys matches but no Dereference < Binary file ./nwlnkipx.sys matches symbol. < Binary file ./pcmcia.sys matches < Binary file ./sdbus.sys matches < Binary file ./wmilib.sys matches

  26. NT Object Manager PointerCount weakness • Refcount leaks are as dangerous as double derefs (only on 32-bit platforms) o just take longer to exploit • Had a chat with Microsoft security • A few months later, Windows 8 ships with a fix: [...] v8 = _InterlockedIncrement((signed __int32 *)v5); if ( (signed int)v8 <= 1 ) KeBugCheckEx(0x18u, 0, ObjectBase, 0x10u, v8); [...] " The REFERENCE_BY_POINTER bug check has a value of 0x00000018. This indicates that the reference count of an object is illegal for the current state of the object. "

  27. NT Object Manager PointerCount weakness • Ken Johnson and Matt Miller covered this and other mitigations during their BH USA 2012 presentation o "Exploit Mitigation Improvements in Windows 8", check it out • Mitigation only released for Windows 8 o older platforms still affected o go and find your own unpaired ObReferenceObject invocations?

Recommend

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz &quot;j00ru&quot;

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz &quot;j00ru&quot;

Windows Kernel Trap Handler and NTVDM Vulnerabilities Case Study Mateusz &quot;j00ru&quot; Jurczyk ZeroNights 2013 E.0x03 Moscow, Russia Introduction Mateusz j00ru Jurczyk Information Security Engineer @ Extremely into Windows

1.11k views • 110 slides
System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles

CSCE Intro to Computer Systems System Programming in Windows System Programming in Windows Naming in Windows: Kernel Objects and Kernel Object Handles Processes, Jobs, Threads Synchronization Kernel Objects Whenever you want to

416 views • 13 slides
A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos

A look inside the Windows Kernel Bruno Pujos Introduction Basics of Windows Kernel A look inside the Windows Kernel CVE-2011-1237 Evolution from XP to 8 Bruno Pujos CVE-2013-3660 Conclusion LSE July 18, 2013 Plan A look inside the

1.55k views • 95 slides
Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis

Attacking the Windows Kernel Below The Root Jonathan Lindsay, Reverse Engineer in extremis Introduction Limited to Windows, and aimed at IA32: Outline of protected mode and the kernel Attack vectors Useful tools Examples

672 views • 36 slides
GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan &amp; Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan &amp; Chan Lee Yee

GDI Font Fuzzing in Windows Kernel for Fun Kernel for Fun Lee Ling Chuan &amp; Chan Lee Yee Ministry of Science, Technology and Innovation Agenda Agenda Introduction TrueType Font (.TTF) TTF Fuzzer Exploit Demonstration MS11

788 views • 65 slides
Case Study: Jackie Ensley, MLS(ASCP) CM SBB CM Immunohematology Reference Laboratory Manager

Case Study: Jackie Ensley, MLS(ASCP) CM SBB CM Immunohematology Reference Laboratory Manager

Case Study: Jackie Ensley, MLS(ASCP) CM SBB CM Immunohematology Reference Laboratory Manager Kentucky Blood Center 1 Objectives 1. To discuss a case study which required more complex antibody detection and identification 2. To review

466 views • 27 slides
Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016

Exploiting COF Vulnerabilities in the Linux kernel Vitaly Nikolenko @vnik5287 Ruxcon - 2016 Who am I? Security researcher @ SpiderLabs Exploit dev / bug hunting / reverse engineering Agenda 1. Counter overflows in the kernel

1.02k views • 70 slides
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

CHAPTER 26 W INDOWS S ECURITY 26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2 26.2 WINDOWS VULNERABILITIES ................................................. 18 26.3 WINDOWS SECURITY DEFENSES

537 views • 43 slides
Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz

Windows Metafiles An Analysis of the EMF Attack Surface &amp; Recent Vulnerabilities Mateusz j00ru Jurczyk PacSec, Tokyo 2016 PS&gt; whoami Project Zero @ Google Low-level security researcher with interest in all sorts of

1.62k views • 150 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
Vulnerability Prediction Models: A case study on the Linux Kernel Matthieu Jimenez Mike

Vulnerability Prediction Models: A case study on the Linux Kernel Matthieu Jimenez Mike

Vulnerability Prediction Models: A case study on the Linux Kernel Matthieu Jimenez Mike Papadakis Yves Le Traon Jimenez et al. Vulnerability Prediction Models: A Case Study on the Linux Kernel SCAM16 1 Slides: Matthieu

777 views • 64 slides
FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu

FUZE: Towards Facilitating Exploit Generation for Kernel Use-After- Free Vulnerabilities Wei Wu 1,2,3 , Yueqi Chen 2 , Jun Xu 2 , Xinyu Xing 2 , XiaoruiGong 1,3 , and Wei Zou 1,3 1. School of Cyber Security, University of Chinese Academy of

782 views • 29 slides
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

870 views • 58 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

912 views • 4 slides
Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu , Juanru Li, Junliang Shu, Wenbo

Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu , Juanru Li, Junliang Shu, Wenbo

From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel Wen Xu , Juanru Li, Junliang Shu, Wenbo Yang, Tianyi Xie, Yuanyuan Zhang, Dawu Gu Group of Software Security In Progress Lab of Cryptology and Computer

584 views • 25 slides
The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov https://s2e.systems Ready-for-use docker image, demos, tutorials, source code, documentation Vitaly Chipounov Ph.D. in 2014 at EPFL, Switzerland

827 views • 57 slides
GUI Basics and Windowing Systems Using X Windows as a case study 1 CS 349: Windowing Systems CS

GUI Basics and Windowing Systems Using X Windows as a case study 1 CS 349: Windowing Systems CS

GUI Basics and Windowing Systems Using X Windows as a case study 1 CS 349: Windowing Systems CS 349: Windowing Systems 2 Evolution of GUIs Apple Macintosh (1984) Xero Star (1981) Inspired by Xerox PARC Developed at Xerox PARC Not

814 views • 37 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Does Distributed Development Affect Software Quality? An Empirical Case Study of Windows Vista

Does Distributed Development Affect Software Quality? An Empirical Case Study of Windows Vista

Does Distributed Development Affect Software Quality? An Empirical Case Study of Windows Vista By C. Bird, N. Nagappan, P. Devanbu, H. Gall, B. Murphy Presented by Tanja Werthmller 1 Overview 1.What is distributed development - What does

412 views • 12 slides
Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016

Using Static Checking To Find Security Vulnerabilities In The Linux Kernel Linuxcon Europe 2016 Vaishali Thakkar (vaishali.thakkar@oracle.com) 1 Self Introduction Linux Kernel developer at Oracle Working in kernel security engineering group

659 views • 46 slides
Presented by Jason A. Donenfeld Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 .

Presented by Jason A. Donenfeld Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 .

Presented by Jason A. Donenfeld Who Who Am I? Am I? Jason Donenfeld, also known as zx2c4 . Background in exploitation, kernel vulnerabilities, crypto vulnerabilities, and been doing kernel-related development for a long time.

1.07k views • 43 slides
LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018

LINUX VULNERABILITIES, WINDOWS EXPLOITS Escalating Privileges with WSL Saar Amar Recon brx 2018 WHO AM I? Saar Amar Security Researcher Pasten CTF team member @AmarSaar saaramar OUTLINE World rld s quic ickest t in intr tro to

743 views • 43 slides
An incremental approach RCGC Defined Each object has associated count of references to it

An incremental approach RCGC Defined Each object has associated count of references to it

An incremental approach RCGC Defined Each object has associated count of references to it Objects reference count When reference to object created Pointer copied from one place to another assignment RC of pointee is

313 views • 19 slides
Overview Evolution in Open Source Software: What is software evolution? A Case Study Why

Overview Evolution in Open Source Software: What is software evolution? A Case Study Why

Overview Evolution in Open Source Software: What is software evolution? A Case Study Why should we care? Previous research Michael W. Godfrey A case study: The Linux OS kernel Qiang Tu Observations, hypotheses, and future

179 views • 6 slides

More recommend