Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Hacking Windows Internals

advertisement 
Briefing for:
Hacking Windows Internals
Cesar Cerrudo
Argeniss
Hacking Shared Sections
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
Shared Section definition
Using Shared Sections
Tools
Problems
Searching for holes
Exploitation
Conclusions
References
www.appsecinc.com
Shared Section
ƒ Basically a Shared Section is a portion of memory
shared by a process, mostly used as an IPC (Inter
Process Communication) mechanism.
ƒ Shared Memory.
ƒ File Mapping.
ƒ Named or Unnamed.
www.appsecinc.com
Using Shared Sections
ƒ Loading binary images by OS.
ƒ Process creation.
ƒ Dll loading.
ƒ Mapping kernel mode memory into user address space !?.
ƒ Used to avoid kernel transitions.
ƒ Sharing data between processes.
ƒ GDI and GUI data, pointers !?, counters, any data.
www.appsecinc.com
Using Shared Sections
ƒ Creating a shared section
HANDLE CreateFileMapping(
HANDLE hFile,
// handle to file (file mapping)
//or 0xFFFFFFFF (shared memory)
LPSECURITY_ATTRIBUTES lpAttributes,
// security
DWORD flProtect,
// protection
DWORD dwMaximumSizeHigh,
// high-order DWORD of size
DWORD dwMaximumSizeLow,
// low-order DWORD of size
LPCTSTR lpName
// object name (named)
//or NULL (unnamed)
);//returns a shared section handle
www.appsecinc.com
Using Shared Sections
ƒ Opening an existing shared section
HANDLE OpenFileMapping(
DWORD dwDesiredAccess,
// access mode (FILE_MAP_WRITE
// FILE_MAP_READ, etc.)
BOOL bInheritHandle,
// inherit flag
LPCTSTR lpName
// shared section name
);//returns a shared section handle
www.appsecinc.com
Using Shared Sections
ƒ Mapping a shared section
LPVOID MapViewOfFile(
HANDLE hFileMappingObject,
// handle to created/opened
// shared section
DWORD dwDesiredAccess,
// access mode(FILE_MAP_WRITE
// FILE_MAP_READ, etc.)
DWORD dwFileOffsetHigh,
// high-order DWORD of offset
DWORD dwFileOffsetLow,
// low-order DWORD of offset
SIZE_T dwNumberOfBytesToMap // number of bytes to map
); //returns a pointer to begining of shared section memory
www.appsecinc.com
Using Shared Sections
ƒ Ntdll.dll Native API
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
NtCreateSection()
NtOpenSection()
NtMapViewOfSection()
NtUnmapViewOfSection()
NtQuerySection()
NtExtendSection()
Creates a new section
Opens an existing section
Map a section on memory
Unmap a section from memory
Returns section size
Change section size
www.appsecinc.com
Using Shared Sections
ƒ Mapping unnamed Shared Sections.
OpenProcess(PROCESS_DUP_HANDLE,...)
DuplicateHandle(...)
MapViewOfFile(...)
ƒ Need permissions on target process
www.appsecinc.com
Using Shared Sections
ƒ Demo
www.appsecinc.com
Tools
ƒ Process Explorer
ƒ Shows information about processes (dlls, handles, etc.).
ƒ WinObj
ƒ Shows Object Manager Namespace information (objects
info, permissions, etc.)
ƒ ListSS
ƒ Lists Shared Sections names (local and TS sessions).
ƒ DumpSS
ƒ Dumps Shared Section data.
ƒ TestSS
ƒ Overwrites Shared Section data (to detect bugs)
www.appsecinc.com
Problems
ƒ Input validation
ƒ Weak permissions
ƒ Synchronization
www.appsecinc.com
Problems
ƒ Input validation
ƒ Applications don't perform data validation before using the
data.
ƒ Processes trust data on shared sections.
www.appsecinc.com
Problems
ƒ Weak permissions
ƒ Low privileged users can access (read/write/change
permissions) shared sections on high privileged
processes (services).
ƒ Terminal Services (maybe Citrix) users can access
(read/write/change permissions) shared sections on local
logged on user processes, services and other user
sessions.
www.appsecinc.com
Problems
ƒ Weak permissions
ƒ Demo
www.appsecinc.com
Problems
ƒ Synchronization
ƒ Not built-in synchronization.
ƒ Synchronization must be done by processes in order to
not corrupt data.
ƒ There isn't a mechanism to force processes to
synchronize or to block shared section access.
ƒ Any process (with proper rights) can alter a shared
section data while another process is using it.
www.appsecinc.com
Problems
ƒ Synchronization
ƒ Communication between Process A and B
Proces
s
A
2- Write
data.
1- Send me
data.
3- Data
ready.
Shared
Section
5- Read data.
Proces
s
B
4- Replace
data.
Proces
s
C
www.appsecinc.com
Searching for holes
ƒ
ƒ
ƒ
ƒ
ƒ
Look for shared sections using Process Explorer or
ListSS.
Attach a process using the shared section to a
debugger.
Run TestSS on shared section.
Interact with process in order to make it use
(read/write) the shared section.
Look at debugger for crashes :).
www.appsecinc.com
Searching for holes
ƒ Demo
www.appsecinc.com
Exploitation
ƒ Elevating privileges.
ƒ Reading data.
ƒ Altering data.
ƒ Shared section exploits.
ƒ Using shared sections on virus/rootkits/ etc.
www.appsecinc.com
Exploitation
ƒ Reading data.
ƒ From high privileged processes (services).
ƒ From local logged on user processes, services and other
sessions on Terminal Services.
ƒ This leads to unauthorized access to data.
www.appsecinc.com
Exploitation
ƒ Reading data.
ƒ Reading Internet Explorer cookies and history information.
(Demo)
www.appsecinc.com
Exploitation
ƒ Altering data.
ƒ On high privileged processes (services).
ƒ On local logged on user processes, services and other
sessions on Terminal Services.
ƒ This leads to arbitrary code execution, unauthorized
access, processes or kernel crashing (DOS).
www.appsecinc.com
Exploitation
ƒ Altering data.
ƒ IIS 5 DOS. (Demo)
www.appsecinc.com
Exploitation
ƒ Shared section exploits.
ƒ When overwriting shared section data allow us to take
control of code execution.
ƒ Some shared sections start addresses are pretty static on
same OS and Service Pack.
ƒ Put shellcode on shared section.
ƒ Build exploit to jump to shellcode on shared section at
static location.
www.appsecinc.com
Exploitation
ƒ Shared section exploits.
ƒ MS05-012 - COM Structured Storage Vulnerability
ƒ Exploit (Demo)
www.appsecinc.com
Exploitation
ƒ Using shared sections on virus/rootkits/etc.
ƒ Some shared sections are used by many processes
(InternatSHData used for Language Settings) others are used by
all processes :).
ƒ Write code to shared section and the code will be instantly mapped
on processes memory and also on new created processes.
ƒ Use SetThreadContext() or CreateRemoteThread() to start
executing code.
ƒ Similar to WriteProcessMemory() - SetThreadContext() technique
or DLL Injection.
www.appsecinc.com
Exploitation
ƒ Using shared sections on virus/rootkits/etc.
ƒ Some shared sections have execute access.
ƒ It would be possible to avoid WinXP sp2 NX .
www.appsecinc.com
Conclusions
ƒ Windows and 3rd. Party applications have a bunch of
Shared Section related holes.
ƒ These kind of holes will lead to new kind of attacks
“SSAtacks” (Shared Section Attacks) ;)
ƒ Microsoft forgot to include a Shared Sections audit on
the trustworthy computing initiative :).
ƒ Windows guts are rotten:).
www.appsecinc.com
References
ƒ MSDN
ƒ Programming Applications for MS Windows - Fourth
Edition
ƒ Process Explorer (www.sysinternals.com)
ƒ WinObj (www.sysinternals.com)
ƒ Rattle - Using Process Infection to Bypass Windows
Software Firewalls (PHRACK #62)
ƒ Crazylord - Playing with Windows /dev/(k)mem
(PHRACK #59)
www.appsecinc.com
FIN
Briefing for:
• Questions?
Click to edit Master title style
• Thanks.
• Contact: sqlsec>at<yahoo>dot<com
Click to edit Master subtitle style
• Argeniss – http://www.argenis.com
Related documents
Database Auditing Best Practices
Database Auditing Best Practices
Unit 2: Rhetoric of the Op-Ed Writing Prompt An organization called
Unit 2: Rhetoric of the Op-Ed Writing Prompt An organization called
Wzór wniosku grantowego do Horyzontu 2020
Wzór wniosku grantowego do Horyzontu 2020
Hacking the Big 4 – Jan 2013 FG
Hacking the Big 4 – Jan 2013 FG
Organizations of Domination
Organizations of Domination
View - Stronger Together
View - Stronger Together
Download
advertisement