Our technology, work processes, and activities all depend on operating systems being safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hackers can compromise an operating system, bypass the anti-virus protection layer and exploit Linux eBPF.
3. Enso.security
Omer Yaron
● Head of Research at Enso.security
● Securing large-scale cloud-computing and serverless environments
● Former Incident Response and Digital Forensics @ Israel National Cyber Directorate
● Former Mentor for Israel's national cyber education program
4. Enso.security
Agenda
What is an IDE?
Developers and supply chain attacks
Research of IDE extensions/plugins
Findings
Takeaways
6. Integrated Development Environment
Examples: Microsoft - VS Code, JetBrains - IntelliJ IDEA
An integrated development environment (IDE) is a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of at least a source code editor, build automation tools and a debugger.
(From Wikipedia)
8. Supply chain and malicious packages
Some context (the slide shows a Google Trends chart for the topic):
● ESLint-scope incident - Jul 2018
● Dependency Confusion - Feb 2021
● Biden's executive order - May 2021
● Log4shell - Dec 2021
● And more…
10. What did we want to check?
● Can we use supply chain malicious packages attacks for IDE plugins?
○ Can anonymous users publish packages?
○ Are name-squatting attacks possible?
○ Star-Jacking?
○ Download counter manipulation?
○ Indication of validity?
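One of the checks listed above, name-squatting, can be automated offline. The C program below is an added example written for this page (it is not code from the talk or from Enso.security): it compares newly published extension identifiers against a list of well-known ones using optimal-string-alignment distance (insertions, deletions, substitutions and adjacent transpositions) and flags a name that sits within two edits of a popular extension but comes from a different publisher, the exact-name case counting as distance 0. The "popular" list mirrors three widely installed VS Code extensions; the candidate list, the two-edit threshold and the publisher.name split are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 64          /* longest name the distance routine accepts */
#define SQUAT_THRESHOLD 2   /* assumed cut-off: at most this many edits from a popular name */

/* A marketplace identifier split into its two parts (publisher.name). */
struct ext {
    const char *publisher;
    const char *name;
};

/* Constructed sample data for the example: three widely installed VS Code
 * extensions as the "popular" list, and fictional new publications to vet. */
const struct ext popular[] = {
    {"esbenp",    "prettier-vscode"},
    {"dbaeumer",  "vscode-eslint"},
    {"ms-python", "python"},
};
const size_t npopular = sizeof popular / sizeof popular[0];

const struct ext candidates[] = {
    {"someone",   "prettier-vsc0de"},   /* one substitution away, other publisher */
    {"evil-corp", "python"},            /* exact name re-registered by another publisher */
    {"ms-python", "python"},            /* the legitimate extension itself */
    {"someone",   "totally-unrelated"}, /* nothing like a popular name */
};
const size_t ncandidates = sizeof candidates / sizeof candidates[0];

static int min3(int a, int b, int c)
{
    int m = a < b ? a : b;
    return m < c ? m : c;
}

/* Optimal string alignment (restricted Damerau-Levenshtein) distance:
 * insertion, deletion, substitution and adjacent transposition each cost 1.
 * Returns -1 if either string is longer than MAX_LEN. */
int osa_distance(const char *s, const char *t)
{
    static int d[MAX_LEN + 1][MAX_LEN + 1];
    size_t n = strlen(s), m = strlen(t);

    if (n > MAX_LEN || m > MAX_LEN)
        return -1;
    for (size_t i = 0; i <= n; i++) d[i][0] = (int)i;
    for (size_t j = 0; j <= m; j++) d[0][j] = (int)j;
    for (size_t i = 1; i <= n; i++) {
        for (size_t j = 1; j <= m; j++) {
            int cost = s[i - 1] != t[j - 1];
            d[i][j] = min3(d[i - 1][j] + 1,          /* deletion */
                           d[i][j - 1] + 1,          /* insertion */
                           d[i - 1][j - 1] + cost);  /* substitution or match */
            if (i > 1 && j > 1 && s[i - 1] == t[j - 2] && s[i - 2] == t[j - 1] &&
                d[i - 2][j - 2] + 1 < d[i][j])
                d[i][j] = d[i - 2][j - 2] + 1;       /* adjacent transposition */
        }
    }
    return d[n][m];
}

/* Vet one candidate: returns -1 if it does not resemble any popular extension
 * from another publisher, otherwise the distance to the closest such name
 * (0 means the exact name was taken by someone else) and sets *hit to it. */
int squat_distance(const struct ext *cand, const struct ext *pop, size_t npop,
                   const struct ext **hit)
{
    int best = -1;

    *hit = NULL;
    for (size_t i = 0; i < npop; i++) {
        if (strcmp(cand->publisher, pop[i].publisher) == 0)
            continue;   /* a publisher's own extensions are never squats of themselves */
        int dist = osa_distance(cand->name, pop[i].name);
        if (dist < 0 || dist > SQUAT_THRESHOLD)
            continue;
        if (best < 0 || dist < best) {
            best = dist;
            *hit = &pop[i];
        }
    }
    return best;
}

int main(void)
{
    for (size_t i = 0; i < ncandidates; i++) {
        const struct ext *hit;
        int dist = squat_distance(&candidates[i], popular, npopular, &hit);
        if (dist < 0)
            printf("%s.%s: no lookalike\n", candidates[i].publisher, candidates[i].name);
        else
            printf("%s.%s: %d edit(s) from %s.%s - review before trusting\n",
                   candidates[i].publisher, candidates[i].name, dist,
                   hit->publisher, hit->name);
    }
    return 0;
}
```

The check deliberately ignores the publisher part when scoring, because a squatter normally registers a fresh publisher; a lookalike publisher with the genuine extension name (the reverse trick) would need the same distance applied to the publisher field as well.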
27. Takeaways
Code is a vast and constantly changing resource
● IDEs are a potential threat!
● Developers' awareness of this threat, and tools to assess an extension's security, are lacking
● Code repositories hold crucial security-relevant data
● It is easy, free and anonymous to publish publicly available extensions/plugins
● Follow up - hunt for malicious extensions/plugins
Original Blog Post
29. Some extra time? (CVE-2022-30129)
Deep links allow for code execution: vscode:// and vscode-insiders://
The bug class is argument injection: values taken from the deep link end up as arguments of a command VS Code runs.
Reference: https://blog.sonarsource.com/securing-developer-tools-argument-injection-in-vscode
39. Red Teaming is not about achieving DA (Domain Admin)!
Red Teaming is about simulating Real-World threats!
40. The purpose of Red Teams is to provide a real-world picture of business-related threats
Act like the adversary based on accurate TI of threat actors targeting your business
Simulate potential threat actors' TTPs as accurate as possible
To help the organization grow its security posture
49. Both Malware Analysis and Red Teaming are not about the tools one is using, but the ability to research and understand technical and abstract concepts
50. So why does Malware Analysis need to concern Red Teamers?
86. Always understand your tools and malware
Go as deep as possible; you will be surprised at what you will learn
Learn Malware Analysis to understand and think like a blue teamer
Research malware to gain deeper knowledge and inspiration
Follow the MDLC (Malware Development Life Cycle) model: malware development is like any other SDLC process
Be curious, passionate, and innovative
And take some breaks in between!
94. About me:
• 25 years old
• Served in a classified unit in the IDF, specializing in malware analysis, reverse engineering and incident response
• Worked at Pentera for 2 years (current Team Lead)
• Areas of research: vulnerability hunting and exploitation, CodeQL, Linux lateral movement
95. AMA
Feel free to ask questions!
I'll be sure to answer them at the end of the presentation.
96. What is eBPF?
• Technology for operating systems that lets a user space process supply a program which the kernel itself runs; originally (as BPF) a way to analyze network traffic
• Provides a raw interface to data link layers (i.e. Layer 2 connectivity), allowing a user space process to supply a filter program specifying which packets it wants to receive
[Diagram: Linux kernel data paths - a process calling write()/read() goes through a file descriptor, VFS, block device and storage; a process calling sendmsg()/recvmsg() goes through sockets, TCP/IP and the network device; eBPF programs can be attached at hook points along each of these paths]
98. eBPF Attack Surface
• Allows a user mode process to supply a program which will run with kernel mode privileges
• A malicious payload with kernel mode privileges basically compromises the entire system!
99. eBPF verifier
Prevents the user provided program from acting maliciously
• Pointer bounds checking
• Verifies that stack reads are preceded by stack writes
• Disallows leaking kernel pointers, e.g. writing a pointer into a map value that user space can read, or corrupting a pointer spilled to the stack with a partial write
• And much more…
100. CVE-2022-23222
• eBPF has several types of pointers, some of which have the phrase `OR_NULL` in their names and are used for operations that may yield NULL
• Pointer arithmetic should not be allowed for these pointer types
• Due to improper type checking, pointer arithmetic was allowed for some of these types
• Can lead to local privilege escalation (LPE), provided the attacker can load eBPF programs at all (CAP_BPF/CAP_SYS_ADMIN, or a kernel running with kernel.unprivileged_bpf_disabled=0)
101. BPF Maps
What are maps used for?
• Program state
• Program configuration
• Sharing data between programs
• Sharing state, metrics and statistics with user space
Map types: hash tables, arrays, LRU (Least Recently Used), ring buffer, stack trace, LPM (Longest Prefix Match)
Memory layout: the map struct (metadata) is followed by the map value (data)
[Diagram: user space controller and admin processes reach a BPF map through syscalls; in the kernel, eBPF programs attached along the sendmsg()/recvmsg() socket path (sockets, TCP/IP, network device) read and write the same map]
103. Exploitation - Step 1
• Bypass the verifier - perform an action that is supposed to be prohibited
• Using a series of carefully crafted instructions, we can reach a state in which a register holds the value X, but the verifier believes the value is 1
105. Exploitation - Ideal Scheme
• R0 = map value pointer
• R1 = invalid register holding X (verifier thinks it's 0)
• R0 = R0 - R1
• Store data at R0
[Diagram: map struct followed by map value; subtracting X from the value pointer is meant to land the store before the value, inside the map struct]
106. Exploitation - Verifier
• R0 = map value pointer
• R1 = invalid register holding X (verifier thinks it's 0)
• R0 = R0 - R1
• Store data at R0
ALU sanitation neutralizes the subtraction: because the verifier believes R1 is the known constant 0, it patches the pointer arithmetic to use that constant instead of the register, so at runtime R0 = R0 - 0.
107. Exploitation - Step 2
• We need to find a way to achieve some kind of overflow/underflow that the verifier does not intervene with
• No pointer arithmetic!
108. Exploitation - Step 2 - BPF Helpers
What helpers exist?
• Random numbers
• Get current time
• Map access
• Get process/cgroup context
• Manipulate network packets and forwarding
• Access socket data
• Perform tail call
• Access process stack
• Access syscall arguments
[Diagram: the kernel socket path (sendmsg()/recvmsg(), sockets, TCP/IP, network device) with eBPF programs attached that call these helpers]
109. Exploitation - Step 2 - BPF Helpers
• bpf_skb_load_bytes(skb, offset, to, len)
• Used to copy len bytes of packet data into memory at to
• Using to as a pointer into a map value, and our invalid register as the len value, we can write beyond the value
111. Exploitation - Step 2
• Using our register from step 1, which holds the value X but the verifier thinks is 1, we trick the verifier into thinking we are still in bounds: it checks that to plus 1 byte fits in the map value, while at runtime the helper copies X bytes
• We have successfully achieved out-of-bounds read and write!
[Diagram: map struct, map value, then memory beyond the map that the helper now reaches]
114. Exploitation
• What if we could get the following layout:
[Diagram: Map Struct | Map Value | Map Struct | Map Value - two maps back to back]
115. Exploitation
• We want to allocate two maps that would reside one after the other
• Allocation order is random - we are not guaranteed that the maps will be allocated contiguously
[Diagram: two maps separated by an unknown amount of other memory]
116. Exploitation - Step 3
• We can control map values
• Keep allocating maps and assign each map a unique value
[Diagram: several map structs whose values hold distinct markers (Value A, Value B, …)]
117. Exploitation - Step 3
• Now read out of bounds from our maps
• Most likely at the start we won't find anything interesting
[Diagram: the same sprayed maps; an out-of-bounds read from one value lands in unrelated memory]
118. Exploitation - Step 3
• But after allocating enough maps we can be certain we have two contiguous maps, by encountering one of our generated values at an expected offset
[Diagram: sprayed maps with values A, B, C; an out-of-bounds read from one map's value lands on the marker of the map allocated directly after it]
119. Exploitation - Step 3
• Finally, we can use our out-of-bounds write to apply the tried-and-true map structure overwrite technique for LPE
• Reference: "Linux Kernel Privilege Escalation via Improper eBPF Program Verification" - Manfred Paul
[Diagram: the out-of-bounds write from the lower map's value reaching the neighbouring map's struct]
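Steps 2 and 3 above, as an added simulation written for this page (it is not the speaker's exploit and does not touch a real kernel): a flat arena stands in for the kernel memory that holds BPF maps, each map being a fixed-size header followed by its value, placed into a random free slot. The out-of-bounds primitive models a helper whose length argument the verifier believed to be small: it reads or writes at value + offset with no check against the value size. The spray loop allocates tagged maps until the read one slot beyond some map's value returns another map's tag, which proves the two are contiguous, and then the write from the lower map reaches the upper map's header. The sizes, the tag scheme, the header's fake pointer field and the seeded random allocator are assumptions of the simulation; the map-count bound is chosen so that an adjacent pair is guaranteed by the pigeonhole principle, a guarantee the real kernel does not offer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulation parameters (assumed for the example, not kernel values). */
#define HDR_SIZE    64                       /* size of the map struct (metadata) */
#define VALUE_SIZE  64                       /* size of the map value */
#define SLOT_SIZE   (HDR_SIZE + VALUE_SIZE)
#define NSLOTS      128                      /* arena capacity in map slots */
#define MAX_MAPS    (NSLOTS / 2 + 1)         /* pigeonhole: this many maps forces an adjacent pair */
#define TAG_BASE    0x4d41500000000000ULL    /* "MAP" in the top bytes, map index in the low word */
#define FAKE_OPS    0x4141414141414141ULL    /* stands in for a pointer kept in the map struct */

static uint8_t  arena[NSLOTS * SLOT_SIZE];   /* zero-filled: an unused slot reads as zeros */
static uint8_t  slot_used[NSLOTS];
static uint32_t map_base[MAX_MAPS];          /* arena offset of each map's header */
static size_t   nmaps;
static uint32_t rng_state = 12345;           /* fixed seed: random order, reproducible run */

static uint32_t rng(void)
{
    rng_state = rng_state * 1103515245u + 12345u;
    return rng_state >> 8;
}

static uint64_t tag_of(size_t idx) { return TAG_BASE | (uint64_t)(idx + 1); }

/* Map creation stand-in: a header with a fake pointer field, followed by a
 * value filled with this map's unique tag, placed in a random free slot. */
int create_map(void)
{
    uint32_t slot;
    uint64_t ops = FAKE_OPS, tag = tag_of(nmaps);
    uint8_t *hdr;

    if (nmaps >= MAX_MAPS)
        return -1;
    do { slot = rng() % NSLOTS; } while (slot_used[slot]);
    slot_used[slot] = 1;
    hdr = arena + slot * SLOT_SIZE;
    memcpy(hdr, &ops, sizeof ops);
    for (size_t off = 0; off < VALUE_SIZE; off += sizeof tag)
        memcpy(hdr + HDR_SIZE + off, &tag, sizeof tag);
    map_base[nmaps] = slot * SLOT_SIZE;
    return (int)nmaps++;
}

uint32_t map_offset(int map) { return map_base[map]; }

/* The step 2 primitive: a helper whose length the verifier believed to be small
 * copies at value + off without checking VALUE_SIZE. Only the arena edge is
 * checked, standing in for an unmapped page (which would oops the kernel). */
int oob_read64(int map, size_t off, uint64_t *out)
{
    size_t at = map_base[map] + HDR_SIZE + off;
    if (at + sizeof *out > sizeof arena)
        return -1;
    memcpy(out, arena + at, sizeof *out);
    return 0;
}

int oob_write64(int map, size_t off, uint64_t val)
{
    size_t at = map_base[map] + HDR_SIZE + off;
    if (at + sizeof val > sizeof arena)
        return -1;
    memcpy(arena + at, &val, sizeof val);
    return 0;
}

/* Recognise one of our tags in a value read out of bounds. */
static int map_from_tag(uint64_t v)
{
    size_t idx;
    if ((v & 0xffffffff00000000ULL) != TAG_BASE)
        return -1;
    idx = (size_t)(v & 0xffffffffULL) - 1;
    return idx < nmaps ? (int)idx : -1;
}

/* Step 3: keep allocating tagged maps; after each one, read from every map at
 * the offset where the next slot's value would start. A tag found there proves
 * that map and the tagged one are contiguous. */
int spray_until_adjacent(int *lower, int *upper)
{
    while (create_map() >= 0) {
        for (size_t i = 0; i < nmaps; i++) {
            uint64_t v;
            int j;
            if (oob_read64((int)i, VALUE_SIZE + HDR_SIZE, &v) < 0)
                continue;
            j = map_from_tag(v);
            if (j >= 0) { *lower = (int)i; *upper = j; return 1; }
        }
    }
    return 0;
}

/* With a contiguous pair, the write from the lower map's value lands in the
 * upper map's struct: overwrite its first field (the fake pointer). */
int overwrite_neighbor_header(int lower, uint64_t val) { return oob_write64(lower, VALUE_SIZE, val); }

uint64_t header_field(int map)
{
    uint64_t v;
    memcpy(&v, arena + map_base[map], sizeof v);
    return v;
}

int main(void)
{
    int lo, hi;
    if (!spray_until_adjacent(&lo, &hi)) { puts("no adjacent pair found"); return 1; }
    printf("maps %d and %d are contiguous after %zu allocations\n", lo, hi, nmaps);
    overwrite_neighbor_header(lo, 0xdeadbeefcafebabeULL);
    printf("map %d header field is now 0x%llx\n", hi, (unsigned long long)header_field(hi));
    return 0;
}
```

The tag is repeated across the whole value so that any 8-byte-aligned read into a neighbouring value recognises it; in the kernel the same idea works because the attacker chooses the value contents at map creation, while the header contents (the field the final write corrupts) are the kernel's.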
121. Conclusion
• Went from a relatively small bug to a full-blown LPE
• New technique to achieve a map structure overwrite using map value overflows
123. Thank you!
Questions?
To be continued…
Join us: https://www.linkedin.com/company/application-security-virtual-meetups