SlideShare una empresa de Scribd logo

Csw2016 economou nissim-getting_physical

CanSecWest
CanSecWest

CanSecWest2016

Internet
1 de 85
Descargar para leer sin conexión
PAGE Getting Physical Extreme abuse of Intel based Paging Systems Nicolas A. Economou Enrique E. Nissim
PAGE About us - Enrique Elias Nissim - Information System Engineer - Previously worked at Core Security as an Information Security Consultant - Now joining Intel Corp at Mexico to work in Graphics Security - Infosec Enthusiast (Exploit Writing, Reversing, Pentest, Programming) - Discovered some 0Days in Kernel components - @kiqueNissim - Nicolas Alejandro Economou - Exploit Writer specialized in Windows kernel exploitation at Core Security Technologies for +10 years. - Infosec Enthusiast (Exploit Writing, Reversing, Patch Diffing and Programming) - Several defensive/offensive research, presentations and security tools as turbodiff, Sentinel and Agafi - @NicoEconomou 2
PAGE Agenda - Arbitrary Write: Explanation - Reviewing Modern Kernel Protections - Current ways of abusing kernel arbitrary writes - Intel Paging Mechanism - Windows - Implementation - Attacks - Live Demo - Linux - Implementation - Attacks - Live Demo - Conclusions 3
PAGE What is an arbitrary write? 4 - Arbitrary Write: - This is the result of exploiting a binary bug. - You can write a crafted value (or not) where you want (write-what- where) -> MOV [EAX], EBX - As a result: If you write in the correct place, you can get primitives to read/write memory or you can control EIP/RIP - Examples: - Heap overflows – overwrite pointers that point to specific structs - Memory Corruptions – idem above - Use after free – nt/win32k – Decrementing one unit (“DEC [EAX]”)
PAGE Reviewing Modern Protections 5 - DEP/NX: is a security feature included in modern operating systems. It marks areas of memory as either "executable" or "nonexecutable". - KASLR: Address-space layout randomization (ASLR) is a well- known technique to make exploits harder by placing various objects at random, rather than fixed, memory addresses. - Integrity Levels: call restrictions for applications running in low integrity level – since Windows 8.1
PAGE Reviewing Modern Protections 6 - SMEP: Supervisor Mode Execution Prevention allows pages to be protected from supervisor-mode instruction fetches. If SMEP = 1, software operating in supervisor mode cannot fetch instructions from linear addresses that are accessible in user mode. - SMAP: allows pages to be protected from supervisor-mode data accesses. If SMAP = 1, software operating in supervisor mode cannot access data at linear addresses that are accessible in user mode.
PAGE Current techniques
PAGE Current techniques 8 - Low Integrity Level in “Windows 8.1” suppressed all the kernel addresses returned by “NtQuerySystemInformation” - The most affected exploits are “Local Privilege Escalation” launched from sandboxes like IE, Chrome, etc.
PAGE Call Restrictions 9 - Running in Medium Integrity Level - You know where the kernel base is, process tokens, some kernel structs, etc - Exploitation tends to be “trivial” - Running in Low Integrity Level - You DON’T know where the kernel base is, process tokens, some kernel structs, etc - You need a memory leak (second vulnerability) to get some predictable kernel address - Without memory leaks exploitation tends to be much harder.
PAGE What can be done? 10 If you are running in Low/Medium Integrity Level and you have: - Full arbitrary write (DWORD/QWORD): - You can overwrite GDI objects - Kernel GDI objects addresses are in USER SPACE – “Keen Team” technique. - This technique consists of linking one GDI object to another one - Partial arbitrary write (WORD): - You can overwrite GDI objects - It depends on the low part of the object address what you want to overwrite, sometimes it is not possible.
PAGE What about… 11 - Partial writes? - Single BIT controlled? - Decrement a controlled position? - You don’t have control over the value? - Let’s see…
PAGE Intel Paging Mechanism
PAGE Paging 101 - Paging is a functionality provided by the MMU and used by the processor to implement virtual memory. - A virtual address is the one used in processor instructions; this must be translated into a physical address to actually refer a memory location. 13
PAGE PAE Paging 14
PAGE x64 Paging 15
PAGE PxE Structure (entry) 16 Interesting fields to know for our purposes: - R/W: readonly/readwrite - U/S: if set, the range mapped by the entry is accessible at CPL3. Otherwise it is only accessible at CPL0. - PS: if set, the entry describes a LARGE_PAGE. - XD: if set, instruction fetching is not allowed for the region mapped by the entry. 63 62:52 51:12 11 10 9 8 7 6 5 4 3 2 1 0 X D I PFN (physical address >> 12) I I I G P S D A P C D P W T U / S R / W P
PAGE Paging Implications - All memory accesses and instruction fetching done by the processor will use virtual addresses. - Given that the OS needs to manipulate the table entries not only for memory allocation but also for page level protection, all the paging structures of the current process are mapped to virtual memory. - In order to comply with performance and memory savings requirements, a common approach taken by operating systems is to make use a of self-reference table entry or a fixed location where all the paging structures will reside. 17
PAGE Windows Paging Implementation
PAGE Windows Implementation - Each process has its own set of paging tables - All paging structures virtual addresses can be calculated - 512GB of virtual range is assigned for Paging Structures (x64) 19
PAGE Windows Implementation - Only one PML4 entry is used for Paging management (0x1ED) - Entry 0x1ED is self-referential (physical address points to PML4 physical address) - Virtual range described: - 0xFFFFF680’00000000 – 0xFFFFF6FF’FFFFFFFF 20
PAGE Quick Formula 21 _int64 get_pxe_address(_int64 address) { _int64 result = address>>9; result = result | 0xFFFFF68000000000; result = result & 0xFFFFF6FFFFFFFFF8; return result; }
PAGE Quick Formula 22 int get_pxe_32(int address) { int result = address>>9; result = result | 0xC0000000; result = result & 0xC07FFFF8; return result; }
PAGE - Strengths: - Paging structures reside in random physical addresses - Weaknesses: - Paging tables are in fixed virtual addresses - Paging tables are writables Strengths and Weaknesses 23
PAGE Windows Paging Attacks some clarifications
PAGE - We are going to show 2 different ways of abusing write-what-where conditions. (3 ways in the full-slide version) - They do not require memory leaks. - The 3 ways work from Low Integrity Level included. - All Windows versions are affected. Specially Win 8, 8.1 and Win 10. Techniques Overview 25
PAGE Windows Paging Attacks “HAL’s heap”
PAGE - Same virtual address for all Windows versions: 0xffffffff’ffd00000 - Same physical address by OS version - Some juicy kernel function pointers located there HAL’s Heap 27
PAGE - HAL’s heap x64 – physical address list HAL’s Heap 28 OS Version Virtual Address Physical Address Windows 7/2008 R2 0xffffffff’ffd00000 0x100000 (1mb) Windows 8/2012 0xffffffff’ffd00000 0x100000 (1mb) Windows 8.1/2012 R2 0xffffffff’ffd00000 0x1000 (4kb) Windows 10/10 TH2 0xffffffff’ffd00000 0x1000 (4kb)
PAGE - HAL’s heap x64 – ‘HalpInterruptController’ pointer list: +20: hal!HalpApicInitializeLocalUnit +28: hal!HalpApicInitializeIoUnit +30: hal!HalpApicSetPriority +38: hal!HalpApicGetLocalUnitError +40: hal!HalpApicClearLocalUnitError +48: NULL +50: hal!HalpApicSetLogicalId +58: NULL +60: hal!HalpApicWriteEndOfInterrupt +68: hal!HalpApic1EndOfInterrupt +70: hal!HalpApicSetLineState +78: hal!HalpApicRequestInterrupt HAL’s Heap 29
PAGE - We know the physical address of the HAL’s heap - We know where our Page Table Entries are - And we are able to allocate memory in USER SPACE (VirtualAlloc) - It means that - We can use an arbitrary write to modify a PTE of our allocated virtual memory - We can point this PTE to the HAL’s heap physical address HAL’s Heap 30
PAGE HAL’s Heap 31 HAL’s heap User allocation PTE mapping VA 0xFFFFFFFF’FFD00000 PTE mapping VA 0x401000 Physical address 0x1000 Physical address 0xNNNNNNNN kernel space read-write user space read-write !
PAGE - As a result: - We get read/write access from USER SPACE to the HAL’s heap - We get access to some HAL’s heap function pointers - We use this information to get the “HAL.DLL” base address - We overwrite “hal!HalpApicRequestInterrupt” pointer - We disable SMEP by ROPing (Ekoparty 2015: “Windows SMEP bypass: U=S”) - And finally, we get system privileges … HAL’s Heap 32
PAGE Some days before Cansec…
PAGE - We can improve the approach considerably by using a LARGE_PAGE. - If we write a single byte into an EMPTY PDE, we map 2MB starting from PFN 0 (this will include the physical address of the HAL’s Heap) with R/W access from user mode. - E.g: 00 00 00 00 00 00 00 00 -> E7 00 00 00 00 00 00 00 Improving the Technique 34
PAGE - Let’s say we have a simple DEC [RAX] (Win32k UAF) - We can use it to decrement an empty PDE in a shifted way. 00 00 00 00 00 00 00 00 – 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF – FF 00 00 00 00 00 00 00 - We effectively mapped a User R/W LARGE_PAGE starting at PFN 0 by enabling all the bits! Improving -= 1 35
PAGE Windows Paging Attacks “Heap Spraying Page Directories”
PAGE - PDPTs are in fixed virtual addresses (we can calculate this) - PDPT entries point to Page Directories - A Page Directory maps up to 1GB (if all entries used) Heap spraying Page Directories 37
PAGE - Page Directories points to Page Tables or LARGE PAGES - A Large Page maps 2MB of physical memory (bit PS=1) - PDPT entries can be overwritten (via a partial arb.write – value controlled or not) Heap spraying Page Directories 38
PAGE - We can heap spray our PROCESS MEMORY with fake Page Directories with all entries used (by using “VirtualAlloc” + “memcpy”) - The idea is to produce a physical memory exhaustion - If we choose a valid random physical address, we will probably find our data in high physical addresses! Heap spraying Page Directories 39
PAGE - So, if we overwrite a PDPTE that maps memory in our process (E.g PDPTE that maps VA 1GB ~ 2GB) - And we point this entry to an “arbitrary physical address“ used by our heap spray - It means that we had just mapped 1GB of memory as read-write Heap spraying Page Directories 40
PAGE Heap spraying Page Directories 41 PDPTE mapping VA 1GB-2GB addr. chosen by Windows addr. chosen by us user space read-write User Allocation (Fake PD) Kernel allocation (Real PD)
PAGE Depending on the chosen physical address, we can: - Map the HAL’s heap - Find a valid Page Table and dump the rest of the target memory - Find and modify the kernel code, structures, etc, without any restriction. Heap spraying Page Directories 42
PAGE - As a result - We can insert ring-0 shellcode by replacing kernel code - We don’t need to bypass SMEP - And finally, we get system privileges… Heap spraying Page Directories 43
PAGE Windows Paging Attacks ”Self-ref of death”
PAGE Self-ref of Death - We know that PML4 entry 0x1ED is used for Memory Paging management - We know that this entry is referencing itself - And we know that it’s at 0xfffff6fb`7dbedf68 45 Sign Extension PML4 PDPT PD PT Offset 0xFFFFF 0x1ED 0x1ED 0x1ED 0x1ED 0xF68
PAGE Self-ref of Death 46 PML4 PDPT PDPT PD PD PT PT 0x1ED U U U U U U U U S S S S S S S S S If we replace SUPERVISOR by USER ?
PAGE Self-ref of Death 47 PML4 PDPT PDPT PD PD PT PT 0x1ED U U U U U U U U S S S U S S S S S We get access from USER SPACE to all USER tables !!!
PAGE Self-ref of Death - So, if we have a “bit/byte/word/dword” arbitrary write, we can get access from USER MODE to all User Tables including the PML4! - There is a weakness in the self-referential technique, only one entry is set a SUPERVISOR, the rest is USER - To be clear, after our arbitrary write, if we read from user space at 0xfffff6fb`7dbed000, we see our PML4 ! 48
PAGE Self-ref of Death - It means that we can add/modify/delete entries in the four paging levels - So, we can do the same as seen before - Point one PTE to the HAL’s heap - or dump the complete physical memory - or modify kernel parts 49
PAGE Windows Live Demo
PAGE Windows Demo - Target: - “Windows 10” 64 bits - Scenario: - Running in Low Integrity Level - Objective: - Dump physical memory and get SYSTEM privileges by using “Self-ref of Death” 51
PAGE Linux Paging Implementation
PAGE Linux Implementation - Only one PML4 entry is used for Paging management (0x110) - Entry 0x110 is NOT self-referential like Windows - Virtual range described: - 0xFFFF8800’00000000 – 0xFFFF887F’FFFFFFFF 53
PAGE Linux Implementation - Each process has its own PML4 table in a unique virtual address (opposite to Windows) - Physical addresses can be read as virtual addresses by adding a base. - This base is called __PAGE_OFFSET: - For 32 bits: 0xc0000000 - For 64 bits: 0xffff8800’00000000 54
PAGE Linux Implementation - Most of page table entries reside in random virtual and physical addresses. - But… there are some PDPTs, PDs and PTs in fixed physical addresses. 55
PAGE Linux Implementation - PDPT physical address list (pointed by entry 0x110) 56 OS version Virtual Address Physical Address Debian 8.3 3.16.0-4- amd64 0xFFFF8800’01AF4000 0x01AF4000 (~26mb) Xubuntu 14.04 3.19.0- 25-gen 0xFFFF8800’01FD4000 0x01FD4000 (~31mb) Ubuntu 15.10 4.2.0- 16-gen 0xFFFF8800’01FF0000 0x01FF0000 (~32mb) Ubuntu 14.04.3 LTS 3.19.0-25-generic 0xC1B51000 0x01B51000 (~27mb)
PAGE - Strengths: - None - Weaknesses: - Some PDPTs, PDs and PTs are in fixed virtual addresses - Paging structures are writable Strengths and Weaknesses 57
PAGE Linux Paging Attacks “Setting the vDSO as rwx”
PAGE What is the vDSO? - vDSO (virtual dynamic shared object) - Small shared library mapped into all user processes - It was created to reduce the context-switch overhead 59
PAGE vDSO Page Entry - It’s set as “r-x” in user space - The vDSO virtual address changes per process - The PDE that describes this user space area is RANDOM 60
PAGE Setting the vDSO as “rwx” - But … the physical address is fixed - E.g: “Debian 8.3” 64 bits: 0x1805000 - So, we can calculate the kernel virtual address - E.g: “Debian 8.3” 64 bits: 0xffff880001805000 - For “Debian 8.3”, the PDE (large page) which maps the vDSO physical address is fixed and writable! 61
PAGE Setting the vDSO as “rwx” - Even worse, the PML4 and the PDPT entries are set with the USER bit!!! - So, What if we set the PDE as USER by using an arb.write? 62
PAGE Setting the vDSO as “rwx” 63 PML4 0x110 U PDPT If we set U ? 0 U PD 0x0C S VA 0xffff880001805000 vDSO (2mb) S
PAGE Setting the vDSO as “rwx” 64 PML4 0x110 U PDPT 0 U PD 0x0C S VA 0xffff880001805000 vDSO (2mb) Now it can be read from USER ! U
PAGE Setting the vDSO as “rwx” - As a result: - We get read-write access to the vDSO from USER SPACE - We can modify/hook functions located there like “gettimeofday” - When a UID 0 process invokes this function, our shellcode will be called and will spawn a new root shell 65
PAGE Linux Paging Attacks “Creating self-ref entries”
PAGE Creating self-ref entries - There are several entries that always use the same fixed physical addresses: - PML4E 0x110 - PML4E 0x192 - PLM4E 0x1FE - PLM4E 0x1FF - … To be continued… - There are fixed entries for ALL levels of the paging hierarchy (PML4, PDPTs, PDs, PTs) 67
PAGE Creating self-ref entries - PML4 entry 0x110 points to a fixed PDPT - This PML entry is set as USER (0x67) - We know the virtual and physical address pointed by this entry 68
PAGE Creating self-ref entries 69 PML4 0x110 U PDPT we’ll add a self-ref entry
PAGE Creating self-ref entries 70 PML4 0x110 U PDPT 0x6 U
PAGE Creating self-ref entries 71 PDPT 0x6 U PD 0x6 U PT 0x6 U  PDPT DATA
PAGE Creating self-ref entries - Real example - “Debian 8.3 x64” - We add a PDPT entry at 0xFFFF8800’01AF4010 (entry 0x2) - The written value is “67 04 AF 01 00 00 00 00” - This entry is self-referential - Calculating the mapped virtual address by this entry:  va = 0xFFFF8800’00000000  va += 512gb * 0x110 PML entries  va += ( 1gb + 2mb + 4kb ) * 0x2 PDPT entries  va = 0xFFFF8880’80402000 72
PAGE Creating self-ref entries - So, we are able to add/modify/delete PDPT entries - We then add another entry in this PDPT and it’s used as PTE. - This SPURIOUS PTE allows us to read and write the complete target’s physical memory! 73
PAGE Linux Live Demo
PAGE Linux Demo - Target: - Debian 8.3 64 bits - 3.16.0-4-amd64 - Scenario: - Running as normal-unprivileged user - Objective: - Getting root privileges by modifying the vDSO 75
PAGE Linux Paging Attacks(bonus track): ”PaX/Grsec notes”
PAGE Pax/Grsec notes - PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. - Grsecurity is a set of patches for the Linux kernel which emphasizes security enhancements. - Grsec + PaX change the rules of what we saw previously 77
PAGE Pax/Grsec notes - PaX/Grsec implements SMEP/SMAP by software - It uses two differents PML tables, one for USER MODE and one for KERNEL MODE - When a syscall is invoked, the kernel changes CR3 by pointing to the KERNEL MODE PML table 78
PAGE Pax/Grsec notes - The same physical address is used to map the PML for all current processes - In our Debian 8.3 compiled/focused to server mode - CR3 for kernel mode points to 0x15f0000 - CR3 for user mode points to 0x15f1000 - Each process has a PGD (Page Global Directory) 79
PAGE Pax/Grsec notes - These PGDs are “mirrored “ in CR3 by Pax/Grsec - For KERNEL SPACE entries: The first three level page tables are in fixed “virtual/physical” addresses - For USER SPACE entries: PDPTs, PDs and PTs are RANDOM 80
PAGE Pax/Grsec notes - A small detail, all not RANDOM page tables are set as READ-ONLY … - So, it’s not possible to overwrite a fixed page directory/table entry  - We will find another way to bypass it … ;-) 81
PAGE Conclusions
PAGE Windows conclusions - Paging tables shouldn’t be in fixed VA addresses - It can be abused by LOCAL and REMOTE kernel exploits - The PML entry (0x1ed) should be RANDOMIZED - 256 entries are available for the OS kernel - Only ~20 entries are used by Windows - All fixed paging structures should be read-only 83
PAGE Linux conclusions - Paging tables shouldn’t be in fixed addresses - It can be abused by LOCAL and REMOTE kernel exploits - All fixed paging structures should be read-only - Some advice, compile the kernel with Grsec ;-) 84
PAGE Enrique Nissim @kiqueNissim n3k1990@gmail.com Nicolas Economou @NicoEconomou neconomou@coresecurity.com Questions? Thanks

Recomendados

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CanSecWest
 
Csw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooksCsw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooks
CanSecWest
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
CanSecWest
 
Csw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploitCsw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploit
CanSecWest
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 

Recomendados

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
CanSecWest
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CanSecWest
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershellCSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
CanSecWest
 
Csw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooksCsw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooks
CanSecWest
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
CanSecWest
 
Csw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploitCsw2016 julien moinard-hardsploit
Csw2016 julien moinard-hardsploit
CanSecWest
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
CanSecWest
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat Security Conference
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
CODE BLUE
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat Security Conference
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
PacSecJP
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_heRecon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Liang Chen
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Ivan Piskunov
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
CanSecWest
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
Jen Andre
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
Positive Hack Days
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat Security Conference
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
Dmitry Vyukov
 
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_CompromisedCansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Liang Chen
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CanSecWest
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
Shakacon
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Magic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene PirogovMagic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene Pirogov
Elixir Club
 
Audit
AuditAudit
Audit
Mark Ellzey Thomas
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemes
CanSecWest
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
CanSecWest
 

Más contenido relacionado

La actualidad más candente

Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
CanSecWest
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat Security Conference
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
CODE BLUE
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat Security Conference
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
CanSecWest
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat Security Conference
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CanSecWest
 

La actualidad más candente (20)

Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
 
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_heRecon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
Recon2016 shooting the_osx_el_capitan_kernel_like_a_sniper_chen_he
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
 
Csw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technologyCsw2016 tang virtualization_device emulator testing technology
Csw2016 tang virtualization_device emulator testing technology
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
 
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
BlueHat v18 || Straight outta v mware - modern exploitation of the svga devic...
 
syzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugssyzbot and the tale of million kernel bugs
syzbot and the tale of million kernel bugs
 
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_CompromisedCansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
Cansecwest_16_Dont_Trust_Your_Eye_Apple_Graphics_Is_Compromised
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu securityCSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Magic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene PirogovMagic Clusters and Where to Find Them - Eugene Pirogov
Magic Clusters and Where to Find Them - Eugene Pirogov
 
Audit
AuditAudit
Audit
 

Destacado

Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemes
CanSecWest
 
Csw2016 evron sysman_apt_reports_and_opsec_evolution
Csw2016 evron sysman_apt_reports_and_opsec_evolutionCsw2016 evron sysman_apt_reports_and_opsec_evolution
Csw2016 evron sysman_apt_reports_and_opsec_evolution
CanSecWest
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
CanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CanSecWest
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CanSecWest
 
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platformsCSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CanSecWest
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CanSecWest
 
CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017
CanSecWest
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CanSecWest
 

Destacado (19)

Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemes
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
 
Csw2016 evron sysman_apt_reports_and_opsec_evolution
Csw2016 evron sysman_apt_reports_and_opsec_evolutionCsw2016 evron sysman_apt_reports_and_opsec_evolution
Csw2016 evron sysman_apt_reports_and_opsec_evolution
 
Csw2016 song li-smart_wars
Csw2016 song li-smart_warsCsw2016 song li-smart_wars
Csw2016 song li-smart_wars
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
 
CSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 finalCSW2017 Harri hursti csw17 final
CSW2017 Harri hursti csw17 final
 
CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1CSW2017 Scott kelly secureboot-csw2017-v1
CSW2017 Scott kelly secureboot-csw2017-v1
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwearCsw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
 
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platformsCSW2017 Mickey+maggie low cost radio attacks on modern platforms
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
 
CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017CSW2017 Qidan he+Gengming liu_cansecwest2017
CSW2017 Qidan he+Gengming liu_cansecwest2017
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_finalCSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...CSW2017 Enrico branca What if encrypted communications are not as secure as w...
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 

Similar a Csw2016 economou nissim-getting_physical

Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structu
EstelaJeffery653
 
Networking question
Networking questionNetworking question
Networking question
DEVBEJ
 

Similar a Csw2016 economou nissim-getting_physical (20)

Vxcon 2016
Vxcon 2016Vxcon 2016
Vxcon 2016
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW Security
 
Chapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structuChapter 1SyllabusCatalog Description Computer structu
Chapter 1SyllabusCatalog Description Computer structu
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
מצגת פרויקט
מצגת פרויקטמצגת פרויקט
מצגת פרויקט
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Sql Injection 0wning Enterprise
Sql Injection 0wning EnterpriseSql Injection 0wning Enterprise
Sql Injection 0wning Enterprise
 
Cao 2012
Cao 2012Cao 2012
Cao 2012
 
Making a Process (Virtualizing Memory)
Making a Process (Virtualizing Memory)Making a Process (Virtualizing Memory)
Making a Process (Virtualizing Memory)
 
Activity 5
Activity 5Activity 5
Activity 5
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
Aci dp
Aci dpAci dp
Aci dp
 
Networking question
Networking questionNetworking question
Networking question
 
x86_1.ppt
x86_1.pptx86_1.ppt
x86_1.ppt
 
Intro xp linux
Intro xp linuxIntro xp linux
Intro xp linux
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems Administrator
 
Interview Questions
Interview QuestionsInterview Questions
Interview Questions
 

Último

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
soniya singh
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
kojalkojal131
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
SUHANI PANDEY
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
SUHANI PANDEY
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Delhi Call girls
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Call Girls in Nagpur High Profile
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Escorts Call Girls
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Delhi Call girls
 

Último (20)

Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 

Csw2016 economou nissim-getting_physical

  • 1. PAGE Getting Physical Extreme abuse of Intel based Paging Systems Nicolas A. Economou Enrique E. Nissim
  • 2. PAGE About us - Enrique Elias Nissim - Information System Engineer - Previously worked at Core Security as an Information Security Consultant - Now joining Intel Corp at Mexico to work in Graphics Security - Infosec Enthusiast (Exploit Writing, Reversing, Pentest, Programming) - Discovered some 0Days in Kernel components - @kiqueNissim - Nicolas Alejandro Economou - Exploit Writer specialized in Windows kernel exploitation at Core Security Technologies for +10 years. - Infosec Enthusiast (Exploit Writing, Reversing, Patch Diffing and Programming) - Several defensive/offensive research, presentations and security tools as turbodiff, Sentinel and Agafi - @NicoEconomou 2
  • 3. PAGE Agenda - Arbitrary Write: Explanation - Reviewing Modern Kernel Protections - Current ways of abusing kernel arbitrary writes - Intel Paging Mechanism - Windows - Implementation - Attacks - Live Demo - Linux - Implementation - Attacks - Live Demo - Conclusions 3
  • 4. PAGE What is an arbitrary write? 4 - Arbitrary Write: - This is the result of exploiting a binary bug. - You can write a crafted value (or not) where you want (write-what- where) -> MOV [EAX], EBX - As a result: If you write in the correct place, you can get primitives to read/write memory or you can control EIP/RIP - Examples: - Heap overflows – overwrite pointers that point to specific structs - Memory Corruptions – idem above - Use after free – nt/win32k – Decrementing one unit (“DEC [EAX]”)
  • 5. PAGE Reviewing Modern Protections 5 - DEP/NX: is a security feature included in modern operating systems. It marks areas of memory as either "executable" or "nonexecutable". - KASLR: Address-space layout randomization (ASLR) is a well- known technique to make exploits harder by placing various objects at random, rather than fixed, memory addresses. - Integrity Levels: call restrictions for applications running in low integrity level – since Windows 8.1
  • 6. PAGE Reviewing Modern Protections 6 - SMEP: Supervisor Mode Execution Prevention allows pages to be protected from supervisor-mode instruction fetches. If SMEP = 1, software operating in supervisor mode cannot fetch instructions from linear addresses that are accessible in user mode. - SMAP: allows pages to be protected from supervisor-mode data accesses. If SMAP = 1, software operating in supervisor mode cannot access data at linear addresses that are accessible in user mode.
  • 8. PAGE Current techniques 8 - Low Integrity Level in “Windows 8.1” suppressed all the kernel addresses returned by “NtQuerySystemInformation” - The most affected exploits are “Local Privilege Escalation” launched from sandboxes like IE, Chrome, etc.
  • 9. PAGE Call Restrictions 9 - Running in Medium Integrity Level - You know where the kernel base is, process tokens, some kernel structs, etc - Exploitation tends to be “trivial” - Running in Low Integrity Level - You DON’T know where the kernel base is, process tokens, some kernel structs, etc - You need a memory leak (second vulnerability) to get some predictable kernel address - Without memory leaks exploitation tends to be much harder.
  • 10. PAGE What can be done? 10 If you are running in Low/Medium Integrity Level and you have: - Full arbitrary write (DWORD/QWORD): - You can overwrite GDI objects - Kernel GDI objects addresses are in USER SPACE – “Keen Team” technique. - This technique consists of linking one GDI object to another one - Partial arbitrary write (WORD): - You can overwrite GDI objects - It depends on the low part of the object address what you want to overwrite, sometimes it is not possible.
  • 11. PAGE What about… 11 - Partial writes? - Single BIT controlled? - Decrement a controlled position? - You don’t have control over the value? - Let’s see…
  • 13. PAGE Paging 101 - Paging is a functionality provided by the MMU and used by the processor to implement virtual memory. - A virtual address is the one used in processor instructions; this must be translated into a physical address to actually refer a memory location. 13
  • 16. PAGE PxE Structure (entry) 16 Interesting fields to know for our purposes: - R/W: readonly/readwrite - U/S: if set, the range mapped by the entry is accessible at CPL3. Otherwise it is only accessible at CPL0. - PS: if set, the entry describes a LARGE_PAGE. - XD: if set, instruction fetching is not allowed for the region mapped by the entry. 63 62:52 51:12 11 10 9 8 7 6 5 4 3 2 1 0 X D I PFN (physical address >> 12) I I I G P S D A P C D P W T U / S R / W P
  • 17. PAGE Paging Implications - All memory accesses and instruction fetching done by the processor will use virtual addresses. - Given that the OS needs to manipulate the table entries not only for memory allocation but also for page level protection, all the paging structures of the current process are mapped to virtual memory. - In order to comply with performance and memory savings requirements, a common approach taken by operating systems is to make use a of self-reference table entry or a fixed location where all the paging structures will reside. 17
  • 19. PAGE Windows Implementation - Each process has its own set of paging tables - All paging structures virtual addresses can be calculated - 512GB of virtual range is assigned for Paging Structures (x64) 19
  • 20. PAGE Windows Implementation - Only one PML4 entry is used for Paging management (0x1ED) - Entry 0x1ED is self-referential (physical address points to PML4 physical address) - Virtual range described: - 0xFFFFF680’00000000 – 0xFFFFF6FF’FFFFFFFF 20
  • 21. PAGE Quick Formula 21 _int64 get_pxe_address(_int64 address) { _int64 result = address>>9; result = result | 0xFFFFF68000000000; result = result & 0xFFFFF6FFFFFFFFF8; return result; }
  • 22. PAGE Quick Formula 22 int get_pxe_32(int address) { int result = address>>9; result = result | 0xC0000000; result = result & 0xC07FFFF8; return result; }
  • 23. PAGE - Strengths: - Paging structures reside in random physical addresses - Weaknesses: - Paging tables are in fixed virtual addresses - Paging tables are writables Strengths and Weaknesses 23
  • 25. PAGE - We are going to show 2 different ways of abusing write-what-where conditions. (3 ways in the full-slide version) - They do not require memory leaks. - The 3 ways work from Low Integrity Level included. - All Windows versions are affected. Specially Win 8, 8.1 and Win 10. Techniques Overview 25
  • 27. PAGE - Same virtual address for all Windows versions: 0xffffffff’ffd00000 - Same physical address by OS version - Some juicy kernel function pointers located there HAL’s Heap 27
  • 28. PAGE - HAL’s heap x64 – physical address list HAL’s Heap 28 OS Version Virtual Address Physical Address Windows 7/2008 R2 0xffffffff’ffd00000 0x100000 (1mb) Windows 8/2012 0xffffffff’ffd00000 0x100000 (1mb) Windows 8.1/2012 R2 0xffffffff’ffd00000 0x1000 (4kb) Windows 10/10 TH2 0xffffffff’ffd00000 0x1000 (4kb)
  • 29. PAGE - HAL’s heap x64 – ‘HalpInterruptController’ pointer list: +20: hal!HalpApicInitializeLocalUnit +28: hal!HalpApicInitializeIoUnit +30: hal!HalpApicSetPriority +38: hal!HalpApicGetLocalUnitError +40: hal!HalpApicClearLocalUnitError +48: NULL +50: hal!HalpApicSetLogicalId +58: NULL +60: hal!HalpApicWriteEndOfInterrupt +68: hal!HalpApic1EndOfInterrupt +70: hal!HalpApicSetLineState +78: hal!HalpApicRequestInterrupt HAL’s Heap 29
  • 30. PAGE - We know the physical address of the HAL’s heap - We know where our Page Table Entries are - And we are able to allocate memory in USER SPACE (VirtualAlloc) - It means that - We can use an arbitrary write to modify a PTE of our allocated virtual memory - We can point this PTE to the HAL’s heap physical address HAL’s Heap 30
  • 31. PAGE HAL’s Heap 31 HAL’s heap User allocation PTE mapping VA 0xFFFFFFFF’FFD00000 PTE mapping VA 0x401000 Physical address 0x1000 Physical address 0xNNNNNNNN kernel space read-write user space read-write !
  • 32. PAGE - As a result: - We get read/write access from USER SPACE to the HAL’s heap - We get access to some HAL’s heap function pointers - We use this information to get the “HAL.DLL” base address - We overwrite “hal!HalpApicRequestInterrupt” pointer - We disable SMEP by ROPing (Ekoparty 2015: “Windows SMEP bypass: U=S”) - And finally, we get system privileges … HAL’s Heap 32
  • 34. PAGE - We can improve the approach considerably by using a LARGE_PAGE. - If we write a single byte into an EMPTY PDE, we map 2MB starting from PFN 0 (this will include the physical address of the HAL’s Heap) with R/W access from user mode. - E.g: 00 00 00 00 00 00 00 00 -> E7 00 00 00 00 00 00 00 Improving the Technique 34
  • 35. PAGE - Let’s say we have a simple DEC [RAX] (Win32k UAF) - We can use it to decrement an empty PDE in a shifted way. 00 00 00 00 00 00 00 00 – 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF – FF 00 00 00 00 00 00 00 - We effectively mapped a User R/W LARGE_PAGE starting at PFN 0 by enabling all the bits! Improving -= 1 35
  • 36. PAGE Windows Paging Attacks “Heap Spraying Page Directories”
  • 37. PAGE - PDPTs are in fixed virtual addresses (we can calculate this) - PDPT entries point to Page Directories - A Page Directory maps up to 1GB (if all entries used) Heap spraying Page Directories 37
  • 38. PAGE - Page Directories points to Page Tables or LARGE PAGES - A Large Page maps 2MB of physical memory (bit PS=1) - PDPT entries can be overwritten (via a partial arb.write – value controlled or not) Heap spraying Page Directories 38
  • 39. PAGE - We can heap spray our PROCESS MEMORY with fake Page Directories with all entries used (by using “VirtualAlloc” + “memcpy”) - The idea is to produce a physical memory exhaustion - If we choose a valid random physical address, we will probably find our data in high physical addresses! Heap spraying Page Directories 39
  • 40. PAGE - So, if we overwrite a PDPTE that maps memory in our process (E.g PDPTE that maps VA 1GB ~ 2GB) - And we point this entry to an “arbitrary physical address“ used by our heap spray - It means that we had just mapped 1GB of memory as read-write Heap spraying Page Directories 40
  • 41. PAGE Heap spraying Page Directories 41 PDPTE mapping VA 1GB-2GB addr. chosen by Windows addr. chosen by us user space read-write User Allocation (Fake PD) Kernel allocation (Real PD)
  • 42. PAGE Depending on the chosen physical address, we can: - Map the HAL’s heap - Find a valid Page Table and dump the rest of the target memory - Find and modify the kernel code, structures, etc, without any restriction. Heap spraying Page Directories 42
  • 43. PAGE - As a result - We can insert ring-0 shellcode by replacing kernel code - We don’t need to bypass SMEP - And finally, we get system privileges… Heap spraying Page Directories 43
  • 45. PAGE Self-ref of Death - We know that PML4 entry 0x1ED is used for Memory Paging management - We know that this entry is referencing itself - And we know that it’s at 0xfffff6fb`7dbedf68 45 Sign Extension PML4 PDPT PD PT Offset 0xFFFFF 0x1ED 0x1ED 0x1ED 0x1ED 0xF68
  • 46. PAGE Self-ref of Death 46 PML4 PDPT PDPT PD PD PT PT 0x1ED U U U U U U U U S S S S S S S S S If we replace SUPERVISOR by USER ?
  • 47. PAGE Self-ref of Death 47 PML4 PDPT PDPT PD PD PT PT 0x1ED U U U U U U U U S S S U S S S S S We get access from USER SPACE to all USER tables !!!
  • 48. PAGE Self-ref of Death - So, if we have a “bit/byte/word/dword” arbitrary write, we can get access from USER MODE to all User Tables including the PML4! - There is a weakness in the self-referential technique, only one entry is set a SUPERVISOR, the rest is USER - To be clear, after our arbitrary write, if we read from user space at 0xfffff6fb`7dbed000, we see our PML4 ! 48
  • 49. PAGE Self-ref of Death - It means that we can add/modify/delete entries in the four paging levels - So, we can do the same as seen before - Point one PTE to the HAL’s heap - or dump the complete physical memory - or modify kernel parts 49
  • 51. PAGE Windows Demo - Target: - “Windows 10” 64 bits - Scenario: - Running in Low Integrity Level - Objective: - Dump physical memory and get SYSTEM privileges by using “Self-ref of Death” 51
  • 53. PAGE Linux Implementation - Only one PML4 entry is used for Paging management (0x110) - Entry 0x110 is NOT self-referential like Windows - Virtual range described: - 0xFFFF8800’00000000 – 0xFFFF887F’FFFFFFFF 53
  • 54. PAGE Linux Implementation - Each process has its own PML4 table in a unique virtual address (opposite to Windows) - Physical addresses can be read as virtual addresses by adding a base. - This base is called __PAGE_OFFSET: - For 32 bits: 0xc0000000 - For 64 bits: 0xffff8800’00000000 54
  • 55. PAGE Linux Implementation - Most of page table entries reside in random virtual and physical addresses. - But… there are some PDPTs, PDs and PTs in fixed physical addresses. 55
  • 56. PAGE Linux Implementation - PDPT physical address list (pointed by entry 0x110) 56 OS version Virtual Address Physical Address Debian 8.3 3.16.0-4- amd64 0xFFFF8800’01AF4000 0x01AF4000 (~26mb) Xubuntu 14.04 3.19.0- 25-gen 0xFFFF8800’01FD4000 0x01FD4000 (~31mb) Ubuntu 15.10 4.2.0- 16-gen 0xFFFF8800’01FF0000 0x01FF0000 (~32mb) Ubuntu 14.04.3 LTS 3.19.0-25-generic 0xC1B51000 0x01B51000 (~27mb)
  • 57. PAGE - Strengths: - None - Weaknesses: - Some PDPTs, PDs and PTs are in fixed virtual addresses - Paging structures are writable Strengths and Weaknesses 57
  • 59. PAGE What is the vDSO? - vDSO (virtual dynamic shared object) - Small shared library mapped into all user processes - It was created to reduce the context-switch overhead 59
  • 60. PAGE vDSO Page Entry - It’s set as “r-x” in user space - The vDSO virtual address changes per process - The PDE that describes this user space area is RANDOM 60
  • 61. PAGE Setting the vDSO as “rwx” - But … the physical address is fixed - E.g: “Debian 8.3” 64 bits: 0x1805000 - So, we can calculate the kernel virtual address - E.g: “Debian 8.3” 64 bits: 0xffff880001805000 - For “Debian 8.3”, the PDE (large page) which maps the vDSO physical address is fixed and writable! 61
  • 62. PAGE Setting the vDSO as “rwx” - Even worse, the PML4 and the PDPT entries are set with the USER bit!!! - So, What if we set the PDE as USER by using an arb.write? 62
  • 63. PAGE Setting the vDSO as “rwx” 63 PML4 0x110 U PDPT If we set U ? 0 U PD 0x0C S VA 0xffff880001805000 vDSO (2mb) S
  • 64. PAGE Setting the vDSO as “rwx” 64 PML4 0x110 U PDPT 0 U PD 0x0C S VA 0xffff880001805000 vDSO (2mb) Now it can be read from USER ! U
  • 65. PAGE Setting the vDSO as “rwx” - As a result: - We get read-write access to the vDSO from USER SPACE - We can modify/hook functions located there like “gettimeofday” - When a UID 0 process invokes this function, our shellcode will be called and will spawn a new root shell 65
  • 67. PAGE Creating self-ref entries - There are several entries that always use the same fixed physical addresses: - PML4E 0x110 - PML4E 0x192 - PLM4E 0x1FE - PLM4E 0x1FF - … To be continued… - There are fixed entries for ALL levels of the paging hierarchy (PML4, PDPTs, PDs, PTs) 67
  • 68. PAGE Creating self-ref entries - PML4 entry 0x110 points to a fixed PDPT - This PML entry is set as USER (0x67) - We know the virtual and physical address pointed by this entry 68
  • 69. PAGE Creating self-ref entries 69 PML4 0x110 U PDPT we’ll add a self-ref entry
  • 71. PAGE Creating self-ref entries 71 PDPT 0x6 U PD 0x6 U PT 0x6 U  PDPT DATA
  • 72. PAGE Creating self-ref entries - Real example - “Debian 8.3 x64” - We add a PDPT entry at 0xFFFF8800’01AF4010 (entry 0x2) - The written value is “67 04 AF 01 00 00 00 00” - This entry is self-referential - Calculating the mapped virtual address by this entry:  va = 0xFFFF8800’00000000  va += 512gb * 0x110 PML entries  va += ( 1gb + 2mb + 4kb ) * 0x2 PDPT entries  va = 0xFFFF8880’80402000 72
  • 73. PAGE Creating self-ref entries - So, we are able to add/modify/delete PDPT entries - We then add another entry in this PDPT and it’s used as PTE. - This SPURIOUS PTE allows us to read and write the complete target’s physical memory! 73
  • 75. PAGE Linux Demo - Target: - Debian 8.3 64 bits - 3.16.0-4-amd64 - Scenario: - Running as normal-unprivileged user - Objective: - Getting root privileges by modifying the vDSO 75
  • 77. PAGE Pax/Grsec notes - PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. - Grsecurity is a set of patches for the Linux kernel which emphasizes security enhancements. - Grsec + PaX change the rules of what we saw previously 77
  • 78. PAGE Pax/Grsec notes - PaX/Grsec implements SMEP/SMAP by software - It uses two differents PML tables, one for USER MODE and one for KERNEL MODE - When a syscall is invoked, the kernel changes CR3 by pointing to the KERNEL MODE PML table 78
  • 79. PAGE Pax/Grsec notes - The same physical address is used to map the PML for all current processes - In our Debian 8.3 compiled/focused to server mode - CR3 for kernel mode points to 0x15f0000 - CR3 for user mode points to 0x15f1000 - Each process has a PGD (Page Global Directory) 79
  • 80. PAGE Pax/Grsec notes - These PGDs are “mirrored “ in CR3 by Pax/Grsec - For KERNEL SPACE entries: The first three level page tables are in fixed “virtual/physical” addresses - For USER SPACE entries: PDPTs, PDs and PTs are RANDOM 80
  • 81. PAGE Pax/Grsec notes - A small detail, all not RANDOM page tables are set as READ-ONLY … - So, it’s not possible to overwrite a fixed page directory/table entry  - We will find another way to bypass it … ;-) 81
  • 83. PAGE Windows conclusions - Paging tables shouldn’t be in fixed VA addresses - It can be abused by LOCAL and REMOTE kernel exploits - The PML entry (0x1ed) should be RANDOMIZED - 256 entries are available for the OS kernel - Only ~20 entries are used by Windows - All fixed paging structures should be read-only 83
  • 84. PAGE Linux conclusions - Paging tables shouldn’t be in fixed addresses - It can be abused by LOCAL and REMOTE kernel exploits - All fixed paging structures should be read-only - Some advice, compile the kernel with Grsec ;-) 84