SlideShare a Scribd company logo

Vulnerability desing patterns

Download as PPTX, PDF
P
Peter Hlavaty

This document discusses vulnerability design patterns for kernel exploitation. It outlines several common vulnerability classes for the kernel including out of boundary errors, buffer overflows, and null pointer writes. It provides examples of how these vulnerabilities could be used to achieve kernel code execution or privilege escalation. It also notes how kernel exploitation techniques have evolved over time to bypass defenses like KASLR and discusses developing exploitation tools instead of just shellcode.

Software
1 of 31
Downloaded 146 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Vulnerability design PATTERNS case: Kernel mode
PAST
Environment for exploitation Simple ioctl W^X NX KASLR Hardened Pool SMEP SMAP
Why kernel exploitation Full control of system Simple exploitation Simple bugs
KERNEL ESCAPE few lines of code, simple, effective – for that time Modified sample from : https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb
EVOLUTION
Exploitation hierarchy User Elevated user (admin / root) supervisor
Past exploitation shortcut User Elevated user (admin / root) supervisor
Present (+-) & Future : Step by step User Elevated user (admin / root) Supervisor • DEP, ASLR, SEHOP, ProtectedFree, Isolated Heap, CFG, Virtual Table Guards, EMET... • sandbox, SELinux and alikes • KASLR, SMEP, SMAP, ..
Why kernel escape • Going to be more and more difficult, but ... • still .. sometimes easier .. shortcut • Natural bypass of SELinux • Full control (cpl0 > cpl3) • for now do not considering cpl-1, ...
exploitation ==> developing • In past was very easy elevate privileges • Now everything is fast moving • You need to adapt to all changes & diversity • Things are getting more complex • Your exploitation code is expanding dramatically • Every change can broke your black-box • + Process of exploitation need more than ioctl • Race conditions, complex mechanism break (ttf), sandbox escapes ...
VULNERABILITY DESIGN PATTERNS kernel case
selected vulnerability classes • Out Of Boundary • Basic types Over/Under flows • Stack overflows • Buffer overflows • nullptr writes • Race conditions –not generic, but ... • may create other bug from above group
Out Of Boundary Simple, mighty, generic
OOB • Read • Write • SMAP – limitation, but not eliminate oob • GENERIC approach
Basic type Over/Under-flow Generic, simple and useful when it comes to aligned rw
Stack Overflow sometimes protected, sometimes not .. local vars ? .. depends on compilation ..
Stack overview • Local vars • canaries • Protect ret & args • ... sometimes ... missing • UNprotected inner calls ? • Arg in main func preserved in register • Inner call invoked, register may be putted onto stack • Rewrite arg (or directly ret) on stack in inner call • Return to main func with altered arg (in register) • Can help more than it seems ;) • Controlled copy, overwrite save your day
Buffer Overflow Common case, can be also byproduct, heap hardening can be problem
Buffer overview • Windows kernel pool, SLUB • not so predictable anymore • but still far from not-predictable at some level • kmalloc • targeted kmalloc from user mode ? • not so hard as can seems • help with predictability • Pool spray • thread, process, pipe, socket ... • caches (linux) • can be problem for precise pool layout, but can be solved
nullptr pwn spray, write, pwn .. 64b bit more effort ...
user part of cake Pool spray kmalloc Pipes ThreadsLocks ret2dir Kernel IO
kernel pool pipes, threads .. kmalloc .. spray
Kernel IO If doable, then almighty ...
workers, locks, helpers a lot of common issues per vuln task
CODING STYLE MATTERS
Elevation of Privilages USER • Find nt!_eprocess / thread_info • Patch credentials • Bypass ACL policy • Reverse engineer per policy • Implement • Keep up to date • Good if not change frequently .. Not that case  KERNEL • Elevate process • Grant access important operations (callbacks) • File access • Process access • Registry access • Network • How effective without framework ?
Kernel part of cake • Boosting privs • Why patching ? • Recognize and grant access instead • No LKM ? Are you sure ? • Kernel exploitation may be equals to enable LKM
CC-shellcoding framework • developing instead of shellcoding ? • C++, boost, std ? • Loading your own kernel modules ? https://github.com/k33nteam/cc-shellcoding more info : http://www.k33nteam.org/blog.htm - CC-SHELLCODING @KEENTEAM
2014 - $500,000 2015 - $??????? Pick a device, name your own challenge!
We are hiring!  Kernel & app sec  A LOT of research  mobile, pc  M$, android, OSX .. Thank You! Q & A @K33nTeam

More Related Content

PPTX
Guardians of your CODE
Peter Hlavaty
 
PPTX
Back to the CORE
Peter Hlavaty
 
PPTX
Racing with Droids
Peter Hlavaty
 
PPTX
Power of linked list
Peter Hlavaty
 
PPTX
Attack on the Core
Peter Hlavaty
 
PPTX
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
PDF
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Guardians of your CODE
Peter Hlavaty
 
Back to the CORE
Peter Hlavaty
 
Racing with Droids
Peter Hlavaty
 
Power of linked list
Peter Hlavaty
 
Attack on the Core
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 

What's hot (20)

PDF
When is something overflowing
Peter Hlavaty
 
PPTX
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
PDF
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
PPTX
Security research over Windows #defcon china
Peter Hlavaty
 
PPTX
How Safe is your Link ?
Peter Hlavaty
 
PPTX
Hacking - high school intro
Peter Hlavaty
 
PDF
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
PPTX
Steelcon 2014 - Process Injection with Python
infodox
 
PPTX
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
PDF
Packers
Ange Albertini
 
PPTX
Practical Windows Kernel Exploitation
zeroSteiner
 
PDF
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
PDF
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
PDF
Modern Evasion Techniques
Jason Lang
 
PPTX
Software to the slaughter
Quinn Wilton
 
PDF
Process injection - Malware style
Sander Demeester
 
PDF
Is That A Penguin In My Windows?
zeroSteiner
 
PDF
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Priyanka Aash
 
PPTX
BSides Hannover 2015 - Shell on Wheels
infodox
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
When is something overflowing
Peter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Security research over Windows #defcon china
Peter Hlavaty
 
How Safe is your Link ?
Peter Hlavaty
 
Hacking - high school intro
Peter Hlavaty
 
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
Steelcon 2014 - Process Injection with Python
infodox
 
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
Packers
Ange Albertini
 
Practical Windows Kernel Exploitation
zeroSteiner
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
Modern Evasion Techniques
Jason Lang
 
Software to the slaughter
Quinn Wilton
 
Process injection - Malware style
Sander Demeester
 
Is That A Penguin In My Windows?
zeroSteiner
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Priyanka Aash
 
BSides Hannover 2015 - Shell on Wheels
infodox
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Ad

Similar to Vulnerability desing patterns (20)

PDF
1000 to 0
Sunny Neo
 
PPTX
antoanthongtin_Lesson 3- Software Security (1).pptx
23162024
 
PDF
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PPTX
Operating system enhancements to prevent misuse of systems
Dayal Dilli
 
PDF
Linux Kernel Exploitation
Scio Security
 
PPTX
Fun with exploits old and new
Larry Cashdollar
 
PDF
Hacking the Linux Kernel - An Introduction
Levente Kurusa
 
PPTX
Linux remote
yarden hanan
 
PDF
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
PDF
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
PPTX
Fundamentals of Linux Privilege Escalation
nullthreat
 
PDF
Aide 2014 - Fundamentals of Linux Privilege Escalation
nullthreat
 
PPTX
Linux privilege escalation 101
Rashid feroz
 
PDF
DefCon 2012 - Rooting SOHO Routers
Michael Smith
 
PPTX
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
PDF
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
PPTX
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
PPTX
Linux security
trilokchandra prakash
 
PDF
Linux Security Crash Course
UTD Computer Security Group
 
ODP
CISSP Week 14
jemtallon
 
1000 to 0
Sunny Neo
 
antoanthongtin_Lesson 3- Software Security (1).pptx
23162024
 
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Operating system enhancements to prevent misuse of systems
Dayal Dilli
 
Linux Kernel Exploitation
Scio Security
 
Fun with exploits old and new
Larry Cashdollar
 
Hacking the Linux Kernel - An Introduction
Levente Kurusa
 
Linux remote
yarden hanan
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Fundamentals of Linux Privilege Escalation
nullthreat
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
nullthreat
 
Linux privilege escalation 101
Rashid feroz
 
DefCon 2012 - Rooting SOHO Routers
Michael Smith
 
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
Anatomy of a Buffer Overflow Attack
Rob Gillen
 
Linux security
trilokchandra prakash
 
Linux Security Crash Course
UTD Computer Security Group
 
CISSP Week 14
jemtallon
 
Ad

Recently uploaded (20)

PPTX
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PPTX
Materi-Enum-and-Record-Data-Type (1).pptx
RanuFajar1
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PPT
JAVA ppt tutorial basics to learn java programming
pradeepjava2016
 
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
Introduction Database Management System for Course Database
ReinertYosua
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Materi-Enum-and-Record-Data-Type (1).pptx
RanuFajar1
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
System and Network Administration Chapter 2
jaramharo
 
JAVA ppt tutorial basics to learn java programming
pradeepjava2016
 

Vulnerability desing patterns

  • 3. Environment for exploitation Simple ioctl W^X NX KASLR Hardened Pool SMEP SMAP
  • 4. Why kernel exploitation Full control of system Simple exploitation Simple bugs
  • 5. KERNEL ESCAPE few lines of code, simple, effective – for that time Modified sample from : https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb
  • 8. Past exploitation shortcut User Elevated user (admin / root) supervisor
  • 9. Present (+-) & Future : Step by step User Elevated user (admin / root) Supervisor • DEP, ASLR, SEHOP, ProtectedFree, Isolated Heap, CFG, Virtual Table Guards, EMET... • sandbox, SELinux and alikes • KASLR, SMEP, SMAP, ..
  • 10. Why kernel escape • Going to be more and more difficult, but ... • still .. sometimes easier .. shortcut • Natural bypass of SELinux • Full control (cpl0 > cpl3) • for now do not considering cpl-1, ...
  • 11. exploitation ==> developing • In past was very easy elevate privileges • Now everything is fast moving • You need to adapt to all changes & diversity • Things are getting more complex • Your exploitation code is expanding dramatically • Every change can broke your black-box • + Process of exploitation need more than ioctl • Race conditions, complex mechanism break (ttf), sandbox escapes ...
  • 13. selected vulnerability classes • Out Of Boundary • Basic types Over/Under flows • Stack overflows • Buffer overflows • nullptr writes • Race conditions –not generic, but ... • may create other bug from above group
  • 14. Out Of Boundary Simple, mighty, generic
  • 15. OOB • Read • Write • SMAP – limitation, but not eliminate oob • GENERIC approach
  • 16. Basic type Over/Under-flow Generic, simple and useful when it comes to aligned rw
  • 17. Stack Overflow sometimes protected, sometimes not .. local vars ? .. depends on compilation ..
  • 18. Stack overview • Local vars • canaries • Protect ret & args • ... sometimes ... missing • UNprotected inner calls ? • Arg in main func preserved in register • Inner call invoked, register may be putted onto stack • Rewrite arg (or directly ret) on stack in inner call • Return to main func with altered arg (in register) • Can help more than it seems ;) • Controlled copy, overwrite save your day
  • 19. Buffer Overflow Common case, can be also byproduct, heap hardening can be problem
  • 20. Buffer overview • Windows kernel pool, SLUB • not so predictable anymore • but still far from not-predictable at some level • kmalloc • targeted kmalloc from user mode ? • not so hard as can seems • help with predictability • Pool spray • thread, process, pipe, socket ... • caches (linux) • can be problem for precise pool layout, but can be solved
  • 21. nullptr pwn spray, write, pwn .. 64b bit more effort ...
  • 22. user part of cake Pool spray kmalloc Pipes ThreadsLocks ret2dir Kernel IO
  • 23. kernel pool pipes, threads .. kmalloc .. spray
  • 24. Kernel IO If doable, then almighty ...
  • 25. workers, locks, helpers a lot of common issues per vuln task
  • 27. Elevation of Privilages USER • Find nt!_eprocess / thread_info • Patch credentials • Bypass ACL policy • Reverse engineer per policy • Implement • Keep up to date • Good if not change frequently .. Not that case  KERNEL • Elevate process • Grant access important operations (callbacks) • File access • Process access • Registry access • Network • How effective without framework ?
  • 28. Kernel part of cake • Boosting privs • Why patching ? • Recognize and grant access instead • No LKM ? Are you sure ? • Kernel exploitation may be equals to enable LKM
  • 29. CC-shellcoding framework • developing instead of shellcoding ? • C++, boost, std ? • Loading your own kernel modules ? https://github.com/k33nteam/cc-shellcoding more info : http://www.k33nteam.org/blog.htm - CC-SHELLCODING @KEENTEAM
  • 30. 2014 - $500,000 2015 - $??????? Pick a device, name your own challenge!
  • 31. We are hiring!  Kernel & app sec  A LOT of research  mobile, pc  M$, android, OSX .. Thank You! Q & A @K33nTeam