2013 01-03 --ncc_group_-_crash_course_-_windows_filter_driver_security
DESCRIPTION
A short presentation from an internal NCC Group monthly tech team meeting on Windows Filter Driver architecture, implementation, attack surfaces and security considerations.
TRANSCRIPT
Windows File System Filter Drivers … plus a little about security …
A crash course in 15 minutes…
What are legacy filter drivers?
• Standard Windows
• Registers handlers / call backs during init
• Filters I/O requests for FSs or volumes
• Each I/O request is an I/O request packet (IRP)
• Their load order dictates where they filter
• … old clunky basically
What are file system mini filter drivers?
What are mini filter altitudes?
Filter 420000-429999
FSFilter Top 400000-409999
FSFilter Activity Monitor 360000-389999
FSFilter Undelete 340000-349999
FSFilter Anti-Virus 320000-329998
FSFilter Replication 300000-309998
FSFilter Continuous Backup 280000-289998
FSFilter Content Screener 260000-269998
FSFilter Quota Management 240000-249999
FSFilter System Recovery 220000-229999
FSFilter Cluster File System 200000-209999
FSFilter HSM 180000-189999
*FSFilter Imaging (ex: .ZIP) 170000-174999
FSFilter Compression 160000-169999
FSFilter Encryption 140000-149999
FSFilter Virtualization 130000-139999
FSFilter Physical Quota management 120000-129999
FSFilter Open File 100000-109999
FSFilter Security Enhancer 80000-89999
FSFilter Copy Protection 60000-69999
FSFilter Bottom 40000-49999
Why do we care?
Enumeration - fltmc
Enumeration - sc
How it works - fltmc
• Filter Manager is a legacy filter driver which exposes:
  • \\.\FltMgr
• Standard Windows APIs then
Mini filter attack surface – msg handling
• FltCreateCommunicationPort
• Registers handlers / call backs during initialization
Mini filter attack surface – msg handling
• 64bit Windows calling conventions
Using the x64 convention, the first four integer arguments (from left to right) are passed in 64-bit registers designated for that purpose:
RCX: 1st integer argument
RDX: 2nd integer argument
R8: 3rd integer argument
R9: 4th integer argument
Integer arguments beyond the first four are passed on the stack.
Attacks to consider
• Logic issues / dangerous functionality in custom message handling
• Information leakage vulnerabilities
• Memory corruption issues
• State machine problems (i.e. lack of locking / unlocking)
• Incorrect return values
• Poor handling of file system API parameters
• Issues listed on the Security Considerations for Filter Drivers
  • http://msdn.microsoft.com/en-gb/library/windows/hardware/ff556606(v=vs.85).aspx
• … the unloading of filters on breakout assessments …
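Several of the issues above (poor parameter handling, memory corruption, information leakage, incorrect return values) come down to what the driver does with the buffers it receives on its communication port. The following is an added example, not code from the slides or from any NCC Group driver, showing the validation a message-notify callback should apply; it is hosted, portable C so it can be compiled outside the kernel, and the wire format, command numbers and status codes are assumptions.

```c
/* Added example, not code from the slides: the input validation a minifilter
 * message-notify callback should apply to messages user mode sends in via
 * FilterSendMessage. Hosted, portable C so it compiles outside the kernel; in a
 * driver the same checks sit in the PFLT_MESSAGE_NOTIFY routine registered with
 * FltCreateCommunicationPort. Wire format, commands and statuses are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MF_STATUS_SUCCESS            0
#define MF_STATUS_INVALID_PARAMETER  1
#define MF_STATUS_BUFFER_TOO_SMALL   2
#define MF_STATUS_INVALID_COMMAND    3
#define MF_MAX_PATH_BYTES          520   /* assumed cap for a path payload */
enum mf_command { MF_CMD_GET_VERSION = 1, MF_CMD_SET_PATH = 2 };
/* Assumed wire format: fixed header, then payload_len bytes of payload. */
struct mf_msg_header { uint32_t command; uint32_t payload_len; };
struct mf_version_reply { uint32_t major, minor; };
/* Same (Input, InputLength, Output, OutputLength, ReturnLength) shape as the
 * kernel callback, so each check maps one to one onto the real routine. */
int mf_handle_message(const void *in, size_t in_len,
                      void *out, size_t out_len, size_t *ret_len)
{
    struct mf_msg_header hdr;
    *ret_len = 0;
    /* 1. Prove a whole header was supplied before reading any of it. */
    if (in == NULL || in_len < sizeof hdr) return MF_STATUS_INVALID_PARAMETER;
    memcpy(&hdr, in, sizeof hdr);   /* copy out: user buffers may be unaligned */
    /* 2. A length field inside the message must fit the buffer actually sent;
     *    trusting it blindly turns the handler into an out-of-bounds read. */
    if (hdr.payload_len > in_len - sizeof hdr) return MF_STATUS_INVALID_PARAMETER;
    switch (hdr.command) {
    case MF_CMD_GET_VERSION: {
        struct mf_version_reply reply = { 1, 0 };
        /* 3. Check the output buffer before writing, fill it completely and
         *    report exactly what was written, so no stale kernel memory leaks. */
        if (out == NULL || out_len < sizeof reply) return MF_STATUS_BUFFER_TOO_SMALL;
        memcpy(out, &reply, sizeof reply);
        *ret_len = sizeof reply;
        return MF_STATUS_SUCCESS;
    }
    case MF_CMD_SET_PATH:
        /* 4. Bound variable payloads (at (const uint8_t *)in + sizeof hdr) by a
         *    driver-chosen maximum, not only by the caller's claimed length. */
        if (hdr.payload_len == 0 || hdr.payload_len > MF_MAX_PATH_BYTES)
            return MF_STATUS_INVALID_PARAMETER;
        return MF_STATUS_SUCCESS;
    default:
        /* 5. Unknown commands fail closed with their own status. */
        return MF_STATUS_INVALID_COMMAND;
    }
}
```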
Further reading
• User-Mode Library for Filter Manager
  • http://msdn.microsoft.com/en-gb/library/windows/hardware/ff557247(v=vs.85).aspx
• FltXxx (Minifilter Driver) Routines
  • http://msdn.microsoft.com/en-us/library/ff544617(v=vs.85).aspx
• Enumerating Minifilter Callbacks
  • http://www.inreverse.net/?p=1334
• Windows Driver Kit Samples
  • http://code.msdn.microsoft.com/windowshardware/site/search?f%5B0%5D.Type=Technology&f%5B0%5D.Value=File%20System
• Filter Driver Development Guide
  • http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/filterdriverdeveloperguide.doc
Thanks! Questions?
Ollie [email protected]