KEMBAR78
Anatomy of A Remote Kernel Exploit: Dan Rosenberg | PDF | Operating System | Process (Computing)
Scribd
Upload
205 views80 pages

Anatomy of A Remote Kernel Exploit: Dan Rosenberg

Uploaded by

rodrigoduoc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
205 views80 pages

Anatomy of A Remote Kernel Exploit: Dan Rosenberg

Uploaded by

rodrigoduoc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 80

Anatomy of a Remote

Kernel Exploit

(Dartmouth Edition)

Dan Rosenberg

Copyright © 2011 Virtual Security Research, LLC. 1


All Rights Reserved.
Who am I?

▪ Security consultant and vulnerability researcher at


Virtual Security Research in Boston
▫ App/net pentesting, code review, etc.
▫ Published some bugs
▫ Rooted a few Android phones
▫ Focus on Linux kernel
▫ Research on kernel exploitation and mitigation

Copyright © 2011 Virtual Security Research, LLC. 2


All Rights Reserved.
Agenda
▪ Motivation

▪ Challenges of remote exploitation

▪ Prior work

▪ Case study: ROSE remote stack overflow


▫ Exploitation
▫ Backdoor

▪ Future work

Copyright © 2011 Virtual Security Research, LLC. 3


All Rights Reserved.
Motivation

Why am I giving this talk?

Copyright © 2011 Virtual Security Research, LLC. 4


All Rights Reserved.
Why Remote Kernel Exploits?

▪ Instant root
▫ No need to escalate privileges

▪ Remote userland exploitation is hard!


▫ Full ASLR + NX/DEP
▫ Sandboxing
▫ Reduced privileges

Copyright © 2011 Virtual Security Research, LLC. 5


All Rights Reserved.
Goals of This Talk

▪ Explore operating system internals from perspective of


an attacker

▪ Discuss kernel data structures and subsystems

▪ Exploit development methodology

▪ Individual bugs vs. exploit techniques

▪ Discuss next steps for kernel hardening

Copyright © 2011 Virtual Security Research, LLC. 6


All Rights Reserved.
Challenges of
Remote Kernel
Exploitation
Wait, so you mean this is kind of hard?

Copyright © 2011 Virtual Security Research, LLC. 7


All Rights Reserved.
Warning: Fragile

▪ Consequence of failed remote userland exploit:


▫ Crash application/service, wait until restarted
▫ Crash child process, try again immediately

▪ Consequence of failed remote kernel exploit:


▫ Kernel panic, game over

Copyright © 2011 Virtual Security Research, LLC. 8


All Rights Reserved.
Lack of Environment Control

▪ Typical local kernel exploit:


▫ Can trigger allocation of heap structures
▫ Can trigger calling of function pointers
▫ High amount of information leakage available to local
users

▪ Remote kernel exploit:


▫?

Copyright © 2011 Virtual Security Research, LLC. 9


All Rights Reserved.
Primer: Process vs. Interrupt Context
▪ Systems calls occur in “process context”:
▫ Kernel is executing code, but is associated with
userland process
▫ Has credentials, network/filesystem namespace, etc.

▪ On Linux, asynchronous events (e.g. network data)


occur in “interrupt context”:
▫ Network driver generates hardware interrupt
▫ Kernel dispatches data to appropriate softirq handler
▫ No userland process associated with execution
▫ On Linux, associated with softirqd kernel thread

Copyright © 2011 Virtual Security Research, LLC. 10


All Rights Reserved.
Escape From Interrupt Context

▪ End goal: userland code execution (remote shell)


▫ How do we get there?
▫ No process backing execution

▪ Need to transition
▫ Interrupt context to process context to userland

Copyright © 2011 Virtual Security Research, LLC. 11


All Rights Reserved.
Prior Work

What's been done before?

Copyright © 2011 Virtual Security Research, LLC. 12


All Rights Reserved.
A Few Statistics

▪ 18 known exploits for 16 vulnerabilities


▫ 19 authors
▫ 9 with full public source code
▫ 3 with partial or PoC source

▪ Wide range of platforms


▫ Solaris and OS X still need some remote love

Copyright © 2011 Virtual Security Research, LLC. 13


All Rights Reserved.
By Operating System

8
3

Windows
Linux
2 *BSD
NetWare

Copyright © 2011 Virtual Security Research, LLC. 14


All Rights Reserved.
By Vulnerability Class

12 Stack Overflow
Heap Overflow
Array Indexing

Copyright © 2011 Virtual Security Research, LLC. 15


All Rights Reserved.
By Year

0
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

Copyright © 2011 Virtual Security Research, LLC. 16


All Rights Reserved.
Highlights

▪ Barnaby Jack: Step into the Ring 0 (August 2005)


▫ First publication on remote kernel exploitation
▫ Transition to userland and kernel backdoor

▪ Sinan Eren: GREENAPPLE (May 2006)


▫ First remote kernel exploit in Immunity CANVAS

Copyright © 2011 Virtual Security Research, LLC. 17


All Rights Reserved.
Highlights (cont.)

▪ hdm, skape, Johnny Cache (November 2006)


▫ Broadcom, Dlink, and Netgear wifi drivers
▫ First remote kernel exploits in Metasploit

▪ Alfredo Ortega, Gerardo Richarte: OpenBSD IPv6 mbuf


overflow (April 2007)
▫ First public remote kernel heap overflow
▫ Bypasses userland NX

Copyright © 2011 Virtual Security Research, LLC. 18


All Rights Reserved.
Primer: NX (Non-Executable Pages)
▪ Pages have permissions: read, write, execute
▫ Initially, on Intel chips, page table entries only
supported read and write flags
▫ Read implied executable

▪ Before long, realized this was a bad idea


▫ Malicious data can be executed as code!

▪ NX is implemented using 63rd bit of page table entry:


▫ Natively supported on 64-bit platforms
▫ Supported on PAE CPUs (need hardware + software)
▫ Emulated in userland by kernel

Copyright © 2011 Virtual Security Research, LLC. 19


All Rights Reserved.
Highlights (cont.)

▪ Kostya Kortchinsky: MS08-001 (January 2008)


▫ Immunity CANVAS
▫ First publicized remote Windows kernel pool overflow

▪ sgrakkyu: sctp-houdini (April 2009)


▫ First remote Linux sl*b overflow
▫ Introduced vsyscall trick to transition from interrupt
context to userland

Copyright © 2011 Virtual Security Research, LLC. 20


All Rights Reserved.
Primer: Linux Virtual Syscalls
▪ On x86-64 machines, Linux supports “virtual syscalls”
▫ Three system calls that can be implemented entirely
in userland: gettimeofday, getcpu, time

▪ Trapping to kernel mode is relatively expensive


▫ Check CPL, switch stack, store trap frame, reload %cs
and %ss

▪ Faster to just stay in userland

▪ “vsyscall” page accomplishes this by mapping a page


exported by the kernel into every userland process

Copyright © 2011 Virtual Security Research, LLC. 21


All Rights Reserved.
So What Was That Trick?
▪ Sgrakkyu realized this is a good attack vector

▪ vsyscall page is a shadowed mapping: read-write


version in kernel memory, read-execute in user
memory

▪ In interrupt context, we can write into the kernel


mapping of this page, overwriting a virtual syscall

▪ Now every userland process will execute our userland


shellcode whenever they call a virtual syscall!

Copyright © 2011 Virtual Security Research, LLC. 22


All Rights Reserved.
Observations
▪ Majority stack overflows, but none dealt with NX kernel
stack
▫ Let's fix that

▪ No Linux interrupt context stack overflows


▫ sgrakkyu and twiz showed us how in Phrack 64, let's
do it in real life

▪ Wireless drivers suck


▫ Six 802.11 remote kernel exploits

Copyright © 2011 Virtual Security Research, LLC. 23


All Rights Reserved.
Building the Exploit

Or: How I Learned to Stop Worrying and


Love the Ham

Copyright © 2011 Virtual Security Research, LLC. 24


All Rights Reserved.
Target: 32-bit x86 PAE Kernel

▪ Kernel has NX support (CONFIG_DEBUG_RODATA)


▫ Only enforced on PAE (32-bit) or 64-bit kernels

▪ Can't execute first-stage shellcode on kernel stack

▪ Can't introduce code into userspace without proper


page permissions

▪ No vsyscall trick for easy transitions

Copyright © 2011 Virtual Security Research, LLC. 25


All Rights Reserved.
Test Setup

▪ Attacker and victim VMs (Ubuntu 10.04)

▪ Debugging using KGDB over virtual serial port (host


pipe)

▪ BPQ (AX.25 over Ethernet)

▪ Except for glue code, exploit written entirely in x86


assembly

Copyright © 2011 Virtual Security Research, LLC. 26


All Rights Reserved.
Famous Last Words

Debian Security Advisory DSA-2240-1:

Dan Rosenburg reported two issues in


the Linux implementation of the
Amateur Radio X.25 PLP (Rose)
protocol. A remote user can cause a
denial of service by providing
specially crafted facilities fields.

Copyright © 2011 Virtual Security Research, LLC. 27


All Rights Reserved.
Intro to ROSE

▪ Rarely used amateur radio protocol

▪ Provides network layer on top of AX.25's link layer

▪ Uses 10-digit addresses and AX.25 callsigns

▪ Static routing only

Copyright © 2011 Virtual Security Research, LLC. 28


All Rights Reserved.
CVE-2011-1493

▪ On initiating a ROSE connection, parties exchange


facilities (supported features)

▪ FAC_NATIONAL_DIGIS allows host to provide list of


digipeaters

▪ Parsing for this field reads length value from frame and
copies digipeater addresses without bounds checking,
causing a stack overflow

Copyright © 2011 Virtual Security Research, LLC. 29


All Rights Reserved.
Sad Code :-(
...
l = p[1];
...
else if (*p == FAC_NATIONAL_DIGIS) {
fac_national_digis_received = 1;
facilities->source_ndigis = 0;
facilities->dest_ndigis = 0;
for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
if (pt[6] & AX25_HBIT)
memcpy(&facilities->dest_digis[facilities->dest_ndigis++],
memcpy pt, AX25_ADDR_LEN);
else
memcpy(&facilities->source_digis[facilities->source_ndigis++],
memcpy pt, AX25_ADDR_LEN);
}
}
...

Copyright © 2011 Virtual Security Research, LLC. 30


All Rights Reserved.
Constraint #1

▪ The seventh byte of an AX.25 address is AND'd with


AX25_HBIT (0x80) if it's a destination digipeater
▫ Otherwise, treated as a source digipeater

▪ Every seventh byte of our payload needs to be


consistently greater or less than 0x80, or we'll copy
into the wrong array

▪ Requires manual tweaking

Copyright © 2011 Virtual Security Research, LLC. 31


All Rights Reserved.
Plan of Attack

Get EIP

Unrestricted code
execution

Install kernel
backdoor

Restore and
recover

Copyright © 2011 Virtual Security Research, LLC. 32


All Rights Reserved.
Triggering the Bug

Get EIP
▪ Fairly trivial

Unrestricted code ▪ Modify ROSE facilities


execution
output functions to craft
frame with overly large
length field for
Install kernel FAC_NATIONAL_DIGIS,
backdoor
followed by lots of NOPs
(0x90)
Restore and
recover

Copyright © 2011 Virtual Security Research, LLC. 33


All Rights Reserved.
Evil ROSE Frame

Facilities
ROSE Total len =
0x00 FAC_NATIONAL FAC_NATIONAL_DIGIS 0x9090...
header Length = 0xff
XX

Copyright © 2011 Virtual Security Research, LLC. 34


All Rights Reserved.
Got EIP
Program received signal SIGSEGV,
▪ Recompile ROSE module, Segmentation fault.
reload, and use rose_call [Switching to Thread 1456]
0x90909090 in ?? ()
to initiate connection to (gdb) i r
eax 0x0 0
target ecx 0xde3a5f3c -566599876
edx 0x296 662
ebx 0x90909090 -1869574000
esp 0xd11e199c 0xd11e199c
▪ Overflowed softirq stack ebp
esi
0x90909090 0x90909090
0x90909090 -1869574000
(interrupt handler) edi
eip
0x90909090 -1869574000
0x90909090 0x90909090
eflags 0x10286 [ PF SF IF RF ]
cs 0x60 96
ss 0x68 104
ds 0x9090007b -1869610885
es 0x9090007b -1869610885
fs 0xffff 65535
gs 0xffff 65535

Copyright © 2011 Virtual Security Research, LLC. 35


All Rights Reserved.
How to Execute Code?

Get EIP
▪ Traditionally, return into
shellcode on stack
Unrestricted code
execution ▪ Problem 1: we don't
know where we are
▫ Trampolines are easy
Install kernel
backdoor
▪ Problem 2: softirq stack
is non-executable
Restore and
recover

Copyright © 2011 Virtual Security Research, LLC. 36


All Rights Reserved.
Primer: Registers
▪ x86-32 has several general purpose registers:
▫ %eax, %ebx, %ecx, %edx, %esi, %edi

▪ Some have “traditional” uses


▫ %eax is return code
▫ %ecx is a counter
▫ %esi/%edi are source and destination of copy

▪ Special registers: %esp (stack pointer), %ebp (frame


pointer), %eip (instruction pointer)

Copyright © 2011 Virtual Security Research, LLC. 37


All Rights Reserved.
Primer: Calling Convention

▪ How do we invoke functions?


▫ Traditionally, put arguments on stack (%esp), and
issue a “call” instruction

▪ Different in kernel mode:


● First argument in %eax
● Second in %edx
● Third in %ecx
● Others on stack

Copyright © 2011 Virtual Security Research, LLC. 38


All Rights Reserved.
Primer: ROP
▪ We control the return address and data at %esp

▪ Each return will direct execution to address at stack


pointer and increment it

▪ Chain together function epilogues (“gadgets”) to


perform arbitrary computation

▪ Relies on homogeneity of distribution (binary) kernels


and lack of randomization
▫ Choose gadgets that are more likely to appear in
constant locations across kernels

Copyright © 2011 Virtual Security Research, LLC. 39


All Rights Reserved.
Making our Stack Executable
▪ Kernel has nice function static unsigned long rop_stub[] = {
/*1*/ PUSH_ESP_POP_EAX,
to do this for us: /*4*/ 0xffffffff,
0xffffffff,
▫ set_memory_x() /*3*/ 0xffffffff,

ALIGN_EAX,
/*2*/ 0xffffffff,
▪ Calling convention has 0xffffffff,
arguments in registers /*1*/ RET,

/*4*/ POP_EDX,
0x00000004,
▪ ROP stub steps: /*3*/ 0xffffffff,
0xffffffff,
▫ Load (%esp & ~0xfff) /*2*/ 0xffffffff,
into %eax 0xffffffff,

▫ Load 4 into %edx /*1*/ RET,

▫ Call set_memory_x() /*4*/ SET_MEMORY_X,


JMP_ESP,
▫ Jump into stack };

Copyright © 2011 Virtual Security Research, LLC. 40


All Rights Reserved.
Overcoming Space Constraints

Get EIP
▪ We now have traditional
shellcode executing on
the softirq stack!

Unrestricted code
execution ▪ Problem: length is
limited to 0xff (255),
minus what we've
Install kernel already used
backdoor

▪ Not enough room for a


Restore and
useful payload
recover

Copyright © 2011 Virtual Security Research, LLC. 41


All Rights Reserved.
Needle in a Haystack
▪ Full ROSE frame is intact somewhere on the kernel
heap

▪ Pointer to a memory region containing our socket data


lives on the stack

▪ Walk up the stack, following kernel heap pointers

▪ Search general area for tag included in ROSE frame

▪ Mark it executable and jump to it

Copyright © 2011 Virtual Security Research, LLC. 42


All Rights Reserved.
What Now?

Get EIP

▪ We can execute
Unrestricted code arbitrary-length
execution payloads now!

▪ Goal: install kernel


Install kernel
backdoor backdoor in ICMP
handler

Restore and
recover

Copyright © 2011 Virtual Security Research, LLC. 43


All Rights Reserved.
Primer: Linux Networking
▪ What happens when network data is received?

▪ Hardware magic happens, driver layer


(linux/drivers/net) receives low-level frame

▪ Driver identifies “this is an IP packet”, sends to


network layer (linux/net/ipv{4,6})

▪ Network layer checks “what protocol is this” (TCP,


UDP, ICMP, etc.) and dispatches to appropriate protocol
handler (linux/net/*)

Copyright © 2011 Virtual Security Research, LLC. 44


All Rights Reserved.
Protocol Handlers
/* Array of network protocol structure */
const struct net_protocol __rcu
*inet_protos[MAX_INET_PROTOS] __read_mostly;

/* Definition of network protocol structure */


struct net_protocol {
int (*handler)(struct sk_buff *skb);
void (*err_handler)(struct sk_buff *skb, u32 info);
...
};

/* Standard well-defined IP protocols. */


enum {
IPPROTO_IP = 0, /* Dummy protocol for TCP */
IPPROTO_ICMP = 1, /* Internet Control Message Protocol */
...
};

Copyright © 2011 Virtual Security Research, LLC. 45


All Rights Reserved.
Hooking ICMP
▪ Storage on softirq stack
▫ Already executable, safe, persistent

▪ Copy hook and address of original ICMP handler


▫ We'll need this later

▪ Handler is in read-only memory


▫ Flip write-protect bit in %cr0 register

▪ Write address of our hook into ICMP handler function


pointer

Copyright © 2011 Virtual Security Research, LLC. 46


All Rights Reserved.
Hooked In

inet_protos:
hook:
IPPROTO_IP <hook>: push edi
<hook+1>: push esi
IPPROTO_ICMP <hook+2>: push ebx
<hook+3>: push eax
...
...

net_protocol:
icmp_rcv:
handler <icmp_rcv>: push ebp
<icmp_rcv+1>: mov ebp,esp
err_handler <icmp_rcv+3>: push edi
<icmp_rcv+4>: push esi
... ...

Copyright © 2011 Virtual Security Research, LLC. 47


All Rights Reserved.
Time to Rebuild...

Get EIP

▪ We've destroyed large


Unrestricted code portions of the softirq
execution stack

▪ How can we keep the


Install kernel
backdoor kernel running?

Restore and
recover

Copyright © 2011 Virtual Security Research, LLC. 48


All Rights Reserved.
Cleaning Up the Locks

▪ ROSE protocol is holding


two spinlocks
▫ If we don't release
these, the ROSE stack
will deadlock soon

▪ Problem: ROSE is a
module, we don't know
where the locks live

Copyright © 2011 Virtual Security Research, LLC. 49


All Rights Reserved.
Needle in a Haystack, Again
▪ Global modules variable: linked list of loaded kernel
modules

▪ A plan!
▫ Follow linked list until we find ROSE module
▫ Read module structure, find start of .data section
▫ Scan .data section for byte pattern of two
consecutive spinlocks (distinctive signature)
▫ Release them

Copyright © 2011 Virtual Security Research, LLC. 50


All Rights Reserved.
Preemption Woes
▪ Preemption count must be consistent with what the
kernel is expecting, or scheduler will...

...complain and fix it for you?!


if (unlikely(prev_count != preempt_count())) {
printk(KERN_ERR "huh, entered softirq %u %s %p"
"with preempt_count %08x,"
" exited with %08x?\n", vec_nr,
softirq_to_name[vec_nr], h->action,
prev_count, preempt_count());
preempt_count() = prev_count;
}

▪ Let's avoid that warning...

Copyright © 2011 Virtual Security Research, LLC. 51


All Rights Reserved.
Has Anybody Seen a Preemption Count?
▪ Preempt count lives at known location in thread_info
struct, at base of kernel stack:

struct thread_info {
struct task_struct *task; /* main task structure */
struct exec_domain *exec_domain; /* execution domain */
__u32 flags; /* low level flags */
__u32 status; /* thread synchronous flags */
__u32 cpu; /* current CPU */
int preempt_count; /* 0 => preemptable,
<0 => BUG */
...
};

▪ Decrement it and we're done

Copyright © 2011 Virtual Security Research, LLC. 52


All Rights Reserved.
Unwinding the Stack
▪ Stack is partially
Unwind to
corrupted from overflow
frame
boundary
▪ Need to restore it to
recoverable state

▪ Walk up stack from


current location until we
Overflow match a signature of a
known good state

▪ Adjust ESP to good state,


and return

Copyright © 2011 Virtual Security Research, LLC. 53


All Rights Reserved.
Refresher: What Have We Achieved?
▪ Trigger the overflow, gain control of EIP

▪ Leverage ROP to mark softirq stack executable, jump


into shellcode

▪ Search for intact ROSE frame on kernel heap, mark


executable, jump into it

▪ Install kernel backdoor by hooking ICMP handler

▪ Do some necessary cleanup and unwind stack for safe


return from softirq

Copyright © 2011 Virtual Security Research, LLC. 54


All Rights Reserved.
Kernel Backdoors
for Fun and Profit

(Insert “backdoor” joke)

Copyright © 2011 Virtual Security Research, LLC. 55


All Rights Reserved.
What About That Backdoor Part?

▪ Whenever an ICMP packet is received, our hook is


called

▪ Check for magic tag in ICMP header

▪ Two distinct types of packets


▫ “Install” packets contain userland shellcode
▫ “Trigger” packets cause shellcode to execute

▪ May be sent independently


▫ Install payload, trigger it repeatedly at later date

Copyright © 2011 Virtual Security Research, LLC. 56


All Rights Reserved.
Backdoor Strategy

▪ Problem: ICMP handler also runs in softirq context


▫ Want userland code execution

▪ Phase 1: transition to kernel-mode process context

▪ Phase 2: hijack userland control flow

Copyright © 2011 Virtual Security Research, LLC. 57


All Rights Reserved.
Backdoor Phase 1

Install userland
payload
▪ Check for magic tag and
packet type

Hook system call ▪ If “install” packet, copy


userland payload into
safe place (softirq stack)

Continue execution

Copyright © 2011 Virtual Security Research, LLC. 58


All Rights Reserved.
Transition to Process Context

Install userland
payload
▪ If “trigger” packet, need
to transition to process
context

Hook system call


▪ Easiest way: hook
system call

Continue execution

Copyright © 2011 Virtual Security Research, LLC. 59


All Rights Reserved.
Primer: System Calls
▪ Userland process invokes a system call (read, write,
fork, etc.)

▪ Traditional mechanism is int 0x80 (more recently


everything uses systenter/syscall)

▪ Index into Interrupt Descriptor Table, check privileges

▪ Invokes handler specified by IDT (syscall entry point)

▪ Syscall entry point parses arguments, indexes into


syscall table, and calls appropriate system call handler

Copyright © 2011 Virtual Security Research, LLC. 60


All Rights Reserved.
System Call Hijacking
▪ How to find system call table at runtime?
▫ sidt instruction retrieves IDT address
▫ Find handler for INT 0x80 (syscall)
▫ Scan function for byte pattern calling into syscall
table

▪ Read-only syscall table


▫ More flipping write-protect bit in %cr0

▪ Store original syscall handler for later, write address of


hook into syscall table

Copyright © 2011 Virtual Security Research, LLC. 61


All Rights Reserved.
Carry On...

Install userland
payload
▪ Want working ICMP stack

Hook system call ▪ Call original ICMP


handler

Continue execution

Copyright © 2011 Virtual Security Research, LLC. 62


All Rights Reserved.
Backdoor Phase 2

▪ We've copied userland payload to kernel memory

▪ Some process comes along and calls our hooked


system call...

▪ Need to hijack process for userland code execution

Copyright © 2011 Virtual Security Research, LLC. 63


All Rights Reserved.
Only Root, Please

Check root privileges


▪ Only interested in root
processes

Inject userland
payload ▪ How to verify?
▫ thread_info →
task_struct → cred
Divert userland
execution ▫ Unstable, annoying...

Continue execution

Copyright © 2011 Virtual Security Research, LLC. 64


All Rights Reserved.
System Calls from Kernel Mode?

▪ System calls are extremely useful abstractions


▫ Friendly interface, kernel does most of the work

▪ Poll: is it possible to call system calls via INT 0x80


from kernel mode?
▫ Tally your votes...

Copyright © 2011 Virtual Security Research, LLC. 65


All Rights Reserved.
System Calls from Kernel Mode!

▪ Most system calls will work when called from kernel

▪ Stack switch only occurs on inter-PL interrupts


▫ Based on CPL vs. DPL of GDT descriptor
▫ Happens on int and iret

▪ When called from kernel mode, just an ordinary intra-


PL interrupt

Copyright © 2011 Virtual Security Research, LLC. 66


All Rights Reserved.
Exceptions (No Pun Intended)

▪ Doesn't work quite right with some system calls


▫ Some require pt_regs (per-thread register) structure
▫ Assumptions about state of stack at time of system
call

▪ fork, execve, iopl, vm86old, sigreturn, clone, vm86,


rt_sigreturn, sigaltstack, vfork

Copyright © 2011 Virtual Security Research, LLC. 67


All Rights Reserved.
Checking for Root

▪ Easy: load %eax with 0x18 (getuid), INT 0x80

▪ Check %eax (return code) for 0

▪ If not zero, call original syscall handler for hooked


function

▪ If zero, unhook syscall and continue payload

Copyright © 2011 Virtual Security Research, LLC. 68


All Rights Reserved.
Lethal Injection

Check root privileges

▪ Kernel stack contains


pointer to saved
Inject userland
payload userland %esp

▪ Copy userland payload


Divert userland
execution
from kernel memory to
userland stack

Continue execution

Copyright © 2011 Virtual Security Research, LLC. 69


All Rights Reserved.
Let it Run...

Check root privileges

▪ Userland stack is non-


executable (NX)
Inject userland
payload

▪ Call mprotect syscall via


INT 0x80 to mark
Divert userland
execution userland stack
executable

Continue execution

Copyright © 2011 Virtual Security Research, LLC. 70


All Rights Reserved.
It's a Diversion!
▪ Need to redirect
Check root privileges userland control flow

▪ Kernel stack contains


Inject userland
payload pointer to saved
userland %eip

Divert userland
execution
▪ Give original saved %eip
to userland shellcode for
later
Continue execution
▪ Overwrite pointer with
address of payload on
userland stack
Copyright © 2011 Virtual Security Research, LLC. 71
All Rights Reserved.
Keep on Running

Check root privileges

▪ Want hijacked process to


keep running
Inject userland
payload

▪ Jump to original handler


for hijacked system call
Divert userland
execution

Continue execution

Copyright © 2011 Virtual Security Research, LLC. 72


All Rights Reserved.
Userland Payloads

▪ Use your imagination!


▫ Connect-back root shells work just fine

▪ Payloads are prefixed with stub that keeps hijacked


process running
▫ Fork new process
▫ Child runs shellcode
▫ Parent jumps to original saved %eip

Copyright © 2011 Virtual Security Research, LLC. 73


All Rights Reserved.
ROSE Exploitation Demo

Copyright © 2011 Virtual Security Research, LLC. 74


All Rights Reserved.
Future Work

No, this isn't a perfect exploit.

Copyright © 2011 Virtual Security Research, LLC. 75


All Rights Reserved.
Hard-Coding
▪ Advantages over signatures / fingerprinting
▫ Reliability vs. portability

▪ On PAE kernel, ROP gadgets seem unavoidable


▫ Minimize number of ROP gadgets
▫ Minimize hard-coding of other data structures

▪ On non-PAE kernel, situation is better


▫ Can survive with one JMP ESP (if you know saved EIP
offset)
▫ Partial overwrites or spraying possible

Copyright © 2011 Virtual Security Research, LLC. 76


All Rights Reserved.
Future Work: Offense

▪ Remote fingerprinting of kernel


▫ Automatic generation of ROP gadgets

▪ Exploiting other packet families


▫ IrDA, Bluetooth, X.25?

▪ Finding that TCP/IP bug that breaks the Internet

Copyright © 2011 Virtual Security Research, LLC. 77


All Rights Reserved.
Future Work: Defense
▪ Randomize kernel base at boot
▫ Prevents code reuse (e.g. ROP) remotely in absence
of remote kernel memory disclosure

▪ Fuzz and audit networking protocols more rigorously

▪ Inline functions that alter page permissions directly


(prevent easy ROP)

▪ Policies on preventing page permission modification


after initialization

Copyright © 2011 Virtual Security Research, LLC. 78


All Rights Reserved.
Thanks To...

▪ Ralf Baechle

▪ Nelson Elhage

▪ Kees Cook

▪ twiz, sgrakkyu

Copyright © 2011 Virtual Security Research, LLC. 79


All Rights Reserved.
Questions?
E-mail: drosenberg@vsecurity.com
Twitter: @djrbliss

Company:
http://www.vsecurity.com

Personal:
http://www.vulnfactory.org

Exploit code:
https://github.com/djrbliss/rose-exploit

Copyright © 2011 Virtual Security Research, LLC. 80


All Rights Reserved.

You might also like