Derbycon Bromium Labs: Sandboxes


Post on 20-Aug-2015

  1. Sandboxes: A Pen-tester's Perspective
     Rahul Kashyap
  2. About (Bromium Confidential)
     - Previously led McAfee Labs vulnerability research
     - Done security startups and offense/defense security research
     - The Bromium Labs team has discovered several vulnerabilities in multiple platforms
     - Spoken at several cool conferences
     - I'm hiring!
  3. Agenda
     - Sandboxes: Introduction (Architecture, Types)
     - Sandboxes: Exploitation (Kernel Mode, User Mode)
     - Conclusion
  4. What is a sandbox?
     - An environment designed to run untrusted (or exploitable) code in a manner that prevents the encapsulated code from damaging the rest of the system
     - The aim of a sandbox is to isolate threats
     - Our research focuses on the security effectiveness of the isolation primitives of application sandboxes
  5. Types of Sandboxes
     - Type A: OS-enhancement based (Sandboxie, BufferZone Pro, Dell DDP)
     - Type B: Master/slave model (Adobe Reader X, Chrome browser)
  6. Digression: Windows OS
     - A lot of commonly used code is reliant on kernel components and various services
     - Large exposure to kernel interfaces
  7. How the kernel enforces access control
     Sandboxed app: dear kernel, please open a file for me, the file name is at address X
     Kernel: X points to the string allowed_file.txt; here goes a file handle for you
     Sandboxed app: dear kernel, please open a file for me, the file name is at address Y
     Kernel: Y points to the string secret_file.txt; you are a sandboxed app, I will not let you access this file
  8. How kernel exploits work (example)
     Sandboxed app: dear kernel, please draw the text "Hello world" for me, using the TrueType font stored at address X
     Kernel: you are a sandboxed app, but using a font is a benign operation which you need to function properly
     Kernel: OK, just a moment, I need to parse this font
     While processing the font, the kernel corrupts its own memory because the parser code in the kernel is buggy
     Because of the memory corruption, the kernel starts executing code at X, which allows the app to do anything it wants
  9. Type A
     - Examples: Sandboxie, BufferZone Pro, Dell DDP
     - A custom kernel driver modifies Windows behaviour so that changes to protected system components are prevented
     - Use cases: most such sandboxes are used for controlled execution of applications
     - Sandboxie is widely used for malware analysis
  10. Application Sandbox, Type A
  11. Type B
     - Examples: Google Chrome, Adobe Reader
     - Two processes, master and slave, talking over an IPC channel
     - The slave is confined using OS access control facilities
     - The master mediates access to resources
     - Use case: protect the application from exploitation
     - Google Chrome and Adobe Reader are popular applications, mainly for web and content rendering
  12. Architecture: Type B
     - The master has a smaller codebase, the point being that it should be tougher to exploit
     - The slave has a bigger attack surface that needs to be brokered by the master
     - The slave still directly interacts with the OS kernel
     - The slave also has access to certain user-mode components
  13. Application Sandbox, Type B
  14. Chromium sandbox on Windows
     - The slave runs with low privileges:
       - restricted token
       - job object
       - desktop object
       - integrity level
  15. Chromium sandbox on Windows
     - How exhaustive is the OS-based confinement, according to the documentation [2]?
       - Mounted FAT or FAT32 volumes: no protection
       - TCP/IP: no protection
       - Access to most existing securable resources: denied
     - Everybody agrees it is good enough
  16. Chromium sandbox in action (Slave, Master)
  17. Chromium sandbox on Windows
     - How resistant is the master to a malicious slave? This is what most authors focused on.
     - How resistant is the OS to a malicious slave? We focus on this last aspect.
     - Recently MWRLabs also bypassed Chrome using a similar vector at Pwn2Own 2013 [11]
  18. Master/slave type sandbox on Windows, Adobe Reader
     - Observe the Low integrity level
  19. Master/slave type sandbox on Windows, Adobe Reader
     - Exhaustive previous related work on the methodology of attacking the master [3], [4]
     - The first case of an Adobe sandbox vulnerability exploited in the wild was reported in Feb 2013 [9]
     - This escape was possible because of a bug in the master
  20. Master/slave type sandbox on Windows, Chrome browser
     - Observe the Untrusted integrity level
  21. Master/slave type sandbox on Windows, Chrome browser
     - The slave is de-privileged even more than stated in the Chrome sandbox documentation
     - Untrusted integrity level
     - In particular, access to the FAT32 file system is denied
  22. Master/slave type sandbox on Windows, Chrome browser
     - Well-known cases of successful attacks against the master (shown at Pwnium [5], Pwn2Own [6])
     - The attacks against the master are complex and relatively rare
  23. Master/slave type sandbox on Windows, Chrome browser
     - The slave can still exploit a kernel vulnerability
     - bpf syscall filter on Linux, designed to limit the exposure of the OS (#nice)
     - Some vulnerabilities are not exploitable by the slave: those that need to create a process, or need to alter specific locations in the registry
     - win32k.sys is still much exposed
     - A vulnerability in win32k.sys can potentially be exploited at the browser level, yielding full control over the machine directly, without the need to achieve code execution in the sandbox first
  24. Exploitation
  25. CVE-2012-0217 Exploit: MS12-042. SANDBOX BYPASS DEMO (Kernel Mode Exploitation). Sandbox PWNY!
  26. Is this a problem?
     - Windows kernel issues are discovered increasingly frequently
       - 25 CVEs for the Windows kernel in 2012
       - 73+ CVEs till Sept 2013
     - There have been attacks like Duqu that have targeted kernel vulnerabilities
     - Yes, it's a large attack surface
  27. User Mode Exploitation
     - Type A and Type B do not restrict network connectivity for a sandboxed process. The exception to this rule is Google Chrome, which has been hardened to restrict TCP/IP networking in case the renderer gets exploited.
     - All vulns in these services are a potential sandbox escape vector
     - Even properly functioning code can be abused
  28. ALPC ports
     - ALPC ports are a low-level mechanism used for interprocess communication on the Windows OS.
     - Again, many Windows services listen on ALPC ports; if sandboxed code can connect to these services, it can attempt to exploit a vulnerability in them.
     - Type A sandboxes are wide open to all of these ALPC ports
  29. ALPC Ports: Adobe Reader vs Chrome
     Adobe Reader XI (version 11.0.3):
       lkd> !alpc /lpp fffffa80052ffb30
       Ports created by the process fffffa80052ffb30:
         fffffa8004f9fb50('OLEB45817786DEF457D9394B3110F6B') 0, 1 connections
           fffffa8005312070 0 -> fffffa8005279990 0 fffffa80078ddb30('svchost.exe')
       Ports the process fffffa80052ffb30 is connected to:
         fffffa80053073c0 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
         fffffa80050b7070 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
         fffffa800b4b9e60 0 -> fffffa8007912c30('lsasspirpc') 0 fffffa8007883210('lsass.exe')
         fffffa8004f1adc0 0 -> fffffa8007b34e60('Audiosrv') 0 fffffa8007a1e9e0('svchost.exe')
         fffffa8004f0e3f0 0 -> fffffa80079d4e60('epmapper') 31 fffffa80078ddb30('svchost.exe')
         fffffa800535cb20 0 -> fffffa800798ea70('plugplay') 0 fffffa800797db30('svchost.exe')
     Google Chrome browser (Version 27.0.1453.110 m):
       lkd> !alpc /lpp fffffa80053a1060
       Ports created by the process fffffa80053a1060:
       Ports the process fffffa80053a1060 is connected to:
         fffffa8005397b30 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
         fffffa80052c8dd0 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
  30. Example: CSRSS vulnerability (MS11-063)
     - The vulnerability is caused by CSRSS improperly validating permissions when a lower-integrity process communicates a device event message to a higher-integrity process.
     - Actually, the vulnerable versions of CSRSS performed no validation or permission check at all, blindly executing PostMessage with all parameters controllable by the peer.
     - Errr... Shatter attack redux?
  31. CVE-2011-1967 Exploit: MS11-063. SANDBOX User-Mode Exploitation
  32. Summary perspective
  33. CVE-2011-3402 Exploit: MS11-087. SiSeh: Sandbox-in-Sandbox? Clueless PWNY! DiDi: Defense in Depth indeed!
  34. Conclusion
     - Application sandboxes are fundamentally vulnerable to kernel-mode and certain user-mode vulnerabilities in the OS
     - Breaking out of a sandbox by exploiting OS vulns provides far better ROI for attackers
     - In our analysis, Type A sandboxes were far easier to escape from than Type B (#$$ #Chrome)
     - Definitely avoid malware analysis inside application sandboxes! (#D0h!)
  35. Credits/References
     Rafal Wojtczuk, Bromium Labs
     [1]
     [2]
     [3] "A Castle Made of Sand - Adobe Reader X Sandbox", Richard Johnson
     [4] "Breeding Sandworms", Zhenhua Liu, Guillaume Lovet
     [5]
     [6] "Pwn2Own 2012: Google Chrome browser sandbox first to fall"
     [7] Dennis Fisher
     [8] BufferZone Pro
     [9]
     [10] Duqu malware
     [11]
  36. Thanks! @rckashyap
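Added example for the Type B master/slave model of slides 7, 11 and 12 (not code from the talk): a minimal broker in which the slave has no file access of its own and can only ask the master to open files, and the master checks the canonical path of every request against its allowlist. The IPC channel is modelled as a function call, and the file names and the sandbox directory are constructed.

```python
import os
import tempfile

class Master:
    """Broker half of the Type B model (slides 7, 11, 12): it holds the real
    file access and the policy; the slave only gets a request/reply channel."""
    def __init__(self, root, allowed):
        self.root = os.path.realpath(root)
        # Policy is a set of canonical paths, not name strings.
        self.allowed = {os.path.join(self.root, name) for name in allowed}

    def _resolve(self, name):
        # Canonicalise before checking, so "..", symlinks and absolute paths
        # cannot turn a request for allowed_file.txt into secret_file.txt.
        path = os.path.realpath(os.path.join(self.root, name))
        return path if path in self.allowed else None

    def handle(self, request):
        # One brokered operation; anything not explicitly allowed is denied.
        path = self._resolve(request.get("name", ""))
        if request.get("op") != "open" or path is None:
            return {"ok": False, "error": "denied"}
        with open(path) as f:
            return {"ok": True, "data": f.read()}

class Slave:
    """Sandboxed half: no file access of its own, only the channel to the master."""
    def __init__(self, channel):
        self._send = channel  # stands in for the IPC pipe

    def read_file(self, name):
        reply = self._send({"op": "open", "name": name})
        return reply["data"] if reply["ok"] else None

def demo():
    """Constructed sandbox directory holding the two files named on slide 7."""
    root = tempfile.mkdtemp()
    for name, body in (("allowed_file.txt", "public"), ("secret_file.txt", "top secret")):
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    master = Master(root, allowed=["allowed_file.txt"])
    slave = Slave(master.handle)
    base = os.path.basename(root)
    return {
        "allowed": slave.read_file("allowed_file.txt"),                      # "public"
        "secret": slave.read_file("secret_file.txt"),                        # None
        "dotdot_allowed": slave.read_file("../%s/allowed_file.txt" % base),  # "public"
        "dotdot_secret": slave.read_file("../%s/secret_file.txt" % base),    # None
        "absolute_secret": slave.read_file(os.path.join(root, "secret_file.txt")),  # None
    }
```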
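The `!alpc /lpp` listings from slide 29, run through a small parser added here (not part of the talk) that extracts which server ports each sandboxed process can reach and diffs Adobe Reader against Chrome's renderer, which is the exposure comparison slides 28 and 29 make. The listings are transcribed from the slide, with the wrapped OLE port name rejoined.

```python
import re
# Transcribed from slide 29 (!alpc /lpp output for Adobe Reader XI and Chrome);
# the wrapped OLE port name is rejoined, nothing else is changed.
READER_ALPC = """\
lkd> !alpc /lpp fffffa80052ffb30
Ports created by the process fffffa80052ffb30:
  fffffa8004f9fb50('OLEB45817786DEF457D9394B3110F6B') 0, 1 connections
    fffffa8005312070 0 -> fffffa8005279990 0 fffffa80078ddb30('svchost.exe')
Ports the process fffffa80052ffb30 is connected to:
  fffffa80053073c0 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
  fffffa80050b7070 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
  fffffa800b4b9e60 0 -> fffffa8007912c30('lsasspirpc') 0 fffffa8007883210('lsass.exe')
  fffffa8004f1adc0 0 -> fffffa8007b34e60('Audiosrv') 0 fffffa8007a1e9e0('svchost.exe')
  fffffa8004f0e3f0 0 -> fffffa80079d4e60('epmapper') 31 fffffa80078ddb30('svchost.exe')
  fffffa800535cb20 0 -> fffffa800798ea70('plugplay') 0 fffffa800797db30('svchost.exe')
"""
CHROME_ALPC = """\
lkd> !alpc /lpp fffffa80053a1060
Ports created by the process fffffa80053a1060:
Ports the process fffffa80053a1060 is connected to:
  fffffa8005397b30 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
  fffffa80052c8dd0 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
"""
# A port the process created: "<addr>('<name>') <flags>, <n> connections"
CREATED_RE = re.compile(r"^\s+[0-9a-f]+\('([^']+)'\) \d+, (\d+) connections")
# A port it connected to: "<client> 0 -> <server port>('<name>') <n> <owner>('<image>')"
CONN_RE = re.compile(r"^\s+[0-9a-f]+ \d+ -> [0-9a-f]+\('([^']+)'\) \d+ [0-9a-f]+\('([^']+)'\)")

def parse_alpc(text):
    """Parse !alpc /lpp output into ([(created port, n_conns)], {server port: owning image})."""
    created, connected, section = [], {}, None
    for line in text.splitlines():
        if line.startswith("Ports created by"):
            section = "created"
        elif line.startswith("Ports the process"):
            section = "connected"
        elif section == "created" and (m := CREATED_RE.match(line)):
            created.append((m.group(1), int(m.group(2))))
        elif section == "connected" and (m := CONN_RE.match(line)):
            connected[m.group(1)] = m.group(2)
    return created, connected

def extra_exposure(sandboxed, reference):
    """Server ports the first process reaches that the second cannot: each is a
    privileged service whose bugs that sandboxed process could try (slide 28)."""
    reachable, baseline = parse_alpc(sandboxed)[1], parse_alpc(reference)[1]
    return sorted((n, reachable[n]) for n in reachable.keys() - baseline.keys())

if __name__ == "__main__":
    for name, image in extra_exposure(READER_ALPC, CHROME_ALPC):
        print(f"Reader can reach {name} ({image}); Chrome's renderer cannot")
```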