social engineering the windows kernel by james forshaw
TRANSCRIPT
Social Engineering the Windows Kernel
James Forshaw @tiraniddoShakacon 2015
1
James Forshaw @tiraniddo
Obligatory Background Slide
● Researcher in Google’s Project Zero team
● Specialize in Windows○ Especially local privilege
escalation● Never met a logical
vulnerability I didn’t like
2
James Forshaw @tiraniddo
What I’m Going to Talk About
● Windows Access Security○ Security Reference Monitor○ Access Tokens○ Impersonation
● Kernel Token Handling Vulnerability Classes and Descriptions● Kernel Token Handling Vulnerability Exploitation
3
James Forshaw @tiraniddo
Windows Kernel
Windows Security Components
4
Security Reference Monitor
Process
ResourceGroup SID
SACL
DACL
Security Descriptor
Owner SID
Access Token
User Calls System Call Handlers
Kernel and Driver Code
Resource Access Check
Se* API
James Forshaw @tiraniddo
Security Reference Monitor
5
James Forshaw @tiraniddo
Security Access Check (SeAccessCheck)
6
Deny AccessGrant Access
IL Check
Owner Check
DACL Check
Desired Access: e.g. Read and Write
Access Token
Group SID
SACL
DACL
Security Descriptor
Owner SID
James Forshaw @tiraniddo
Access Token
7
User Security Identifier
Groups
Privileges
Mandatory Label
James Forshaw @tiraniddo
Just Another Kernel Object
kd> dt nt!_TOKEN +0x000 TokenSource : _TOKEN_SOURCE +0x010 TokenId : _LUID +0x018 AuthenticationId : _LUID +0x020 ParentTokenId : _LUID +0x028 ExpirationTime : _LARGE_INTEGER +0x030 TokenLock : Ptr32 _ERESOURCE +0x034 ModifiedId : _LUID +0x040 Privileges : _SEP_TOKEN_PRIVILEGES +0x058 AuditPolicy : _SEP_AUDIT_POLICY +0x078 SessionId : Uint4B ....
8
James Forshaw @tiraniddo
Token Categories
9
Normal Token Linked Token
Filtered Token LowBox Token
UAC
NtFilte
rTok
en
NtCreateLowBoxToken
James Forshaw @tiraniddo
Important Token Fields
● Token User SID● Token ID (unique 64 bit value assigned when token created)● Parent Token ID (parent token ID when creating filtered tokens)● Token Group SIDs● Token Privileges● Token Authentication ID (64 bit value ties it to a logon session)● Token Flags (holds pre-tested privilege check values for speed)● Restricted Token SIDs● Lowbox Token SIDs
10
James Forshaw @tiraniddo
● Tokens in user mode accessed via handles● Can specify certain access rights based on DACL access check
Important Token Access Rights
11
TOKEN_DUPLICATE Required to duplicate the token
TOKEN_ASSIGN_PRIMARY Required to assign the token to a new process
TOKEN_IMPERSONATE Required to impersonate the token
TOKEN_ADJUST_DEFAULT Required to set the integrity level of a token
TOKEN_ADJUST_PRIVILEGES Required to enable/disable privileges
James Forshaw @tiraniddo
Access Token Types
12
Primary Impersonation
James Forshaw @tiraniddo
Impersonation Security Level
13
Anonymous
Identification
Impersonation
Delegation
James Forshaw @tiraniddo
Token Duplication
14
Primary Impersonation
Always Allowed
Can duplicate token’s between types if have TOKEN_DUPLICATE access on handleDuplicated Token can be referenced with any set of access rights
James Forshaw @tiraniddo
Token Duplication
15
Primary Impersonation
Always Allowed
Only if level >= Impersonate
Can duplicate token’s between types if have TOKEN_DUPLICATE access on handleDuplicated Token can be referenced with any set of access rights
James Forshaw @tiraniddo
Token Duplication
16
Primary Impersonation
New Token LUID for Each Token
Can duplicate token’s between types if have TOKEN_DUPLICATE access on handleDuplicated Token can be referenced with any set of access rights
James Forshaw @tiraniddo
Setting an Impersonation Token
● Impersonation assigns a token to a thread, replaced the token used in access checks for the majority of system calls
17
Direct SettingSetThreadToken()ImpersonateLoggedOnUser()NtSetInformationThread(...)
Indirect SettingImpersonateNamedPipeClient()RpcImpersonateClient()CoImpersonateClient()
Kernel SettingPsImpersonateClient()SeImpersonateClient/Ex()
James Forshaw @tiraniddo
Impersonation Security
18
If Token Level < Impersonate
If Process has Impersonate
Privilege
ALLOWEDRestrict to
Identification Level
If Process IL < Token IL
If Process User == Token User
PsImpersonateClient(...) ► SeTokenCanImpersonate(...)
James Forshaw @tiraniddo
NtAccessCheck versus SeAccessCheck
NtAccessCheck ● User mode system call ● Takes an impersonation token
handle● Only verifies impersonation level
>= Identification
19
SeAccessCheck● Kernel mode only● Takes a subject context● Verifies impersonation level >=
Impersonation
James Forshaw @tiraniddo
Identification Tokens == Fake IDs
20
● Would seem the biggest challenge is getting an impersonation token as a normal user
● Want to get hold of local system, or potentially arbitrary user
James Forshaw @tiraniddo
Capturing Identification Tokens
21
James Forshaw @tiraniddo
LogonUser
● Can be used to get a token if the user’s password is known● Returns a full impersonation token which is configured for the caller
to impersonate with no additional privileges● No need to play games
22
HANDLE hToken;LogonUser("UserName", ".", "Password", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &hToken);
ImpersonateLoggedOnUser(hToken);
James Forshaw @tiraniddo
UAC Linked Tokens
● If split token admin get linked token using GetTokenInformation● Without TCB privilege you only get back an identification token
23
TOKEN_LINKED_TOKEN linked_token;
GetTokenInformation(hToken, TokenLinkedToken, &linked_token, ...);
// Identification level token for the adminHANDLE hToken = linked_token.LinkedToken;
James Forshaw @tiraniddo
Named Pipes
● Well known trick, get a system service to open a named pipe● Call ImpersonateNamedPipeClient on pipe server handle
○ Normally needs pipe to be written to to get impersonation token so send over SMB (\\localhost\pipe\mynamedpipe)
● Get service like Anti-Virus to scan the path to capture token
24
HANDLE hPipe = CreateNamedPipe("\\\\.\\dummy", ...);
// Start Windows defender to scan \\localhost\pipe\dummy
ConnectNamedPipe(hPipe, NULL);ImpersonateNamedPipeClient(hPipe);
James Forshaw @tiraniddo
RPC/DCOM
● Many DCOM services over RPC support impersonation● Plenty of scope for callbacks to be made as privileged user
25
// Set callback in system COM object (e.g. BITS)
HRESULT ComCallback() { if(SUCCEEDED(CoImpersonateClient())) { HANDLE hToken; OpenThreadToken(GetCurrentThread(), ..., &hToken); }}
James Forshaw @tiraniddo
NTLM Negotiation
● LSASS exposes APIs to do network authentication● Can get localhost NTLM authentication using redirected WebDAV● Creates an impersonation level token even for a normal user
26
// Start fake WebDAV service on localhost// Init a AV scan to \\localhost\fake\fakeBYTE* type1 = GetType1();BYTE* challenge;
AcceptSecurityContext(hContext type1, &challenge);BYTE* result = SetChallengeAndGetResult(challenge);AcceptSecurityContext(hContext, result, ...);
QuerySecurityContextToken(hContext, &hToken);
James Forshaw @tiraniddo
Services For User (S4U)
● LsaLogonUser has an S4U mode● At least on Windows 8.1 can get you a identification token for any
local and remote user without any privileges● Can’t get local system/local service/network service tokens● Can craft token source which might be useful for certain things
27
James Forshaw @tiraniddo
DEMOCapturing Access Tokens
28
James Forshaw @tiraniddo
Vulnerability Examples
29
James Forshaw @tiraniddo
How the Kernel Code Interacts with Tokens
30
System Calls (returns a HANDLE)● ZwCreateToken(Ex)● ZwOpenProcessToken(Ex)● ZwOpenThreadToken(Ex)● ZwFilterToken
Process/Thread Manager Calls (returns a ACCESS_TOKEN pointer)● PsReferencePrimaryToken● PsReferenceImpersonationToken● PsReferenceEffectiveToken● SeCaptureSubjectContext
Direct Access (returns a TOKEN pointer)● EPROCESS::Token● ETHREAD::ClientSecurity::ImpersonationToken
○ Only valid if ETHREAD::CrossThreadFlags bit 4 is set
IO Manager● IRP_MJ_CREATE SecurityContext
James Forshaw @tiraniddo
Not Checking Impersonation Level
31
● When checking the token it’s important kernel code verifies impersonation level
struct SECURITY_SUBJECT_CONTEXT { PACCESS_TOKEN ClientToken; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; PACCESS_TOKEN PrimaryToken; PVOID ProcessAuditId;} context;
#define SeQuerySubjectContextToken(c) (c->ClientToken ? c->ClientToken : c->PrimaryToken)
SeCaptureSubjectContext(&context);
// Get impersonation token or primary tokenPACCESS_TOKEN token = SeQuerySubjectContextToken(&context)
// Do something with token Bad!, no check on ImpersonationLevel
James Forshaw @tiraniddo
Variants
32
SECURITY_IMPERSONATION_LEVEL imp_level;
PACCESS_TOKEN token = PsReferenceImpersonationToken( PsGetCurrentThread(), ..., &imp_level);
if (token == NULL) { token = PsReferencePrimaryToken(PsGetCurrentProcess());}// Do something with token
SECURITY_IMPERSONATION_LEVEL imp_level;TOKEN_TYPE token_type;
PACCESS_TOKEN token = PsReferenceEffectiveToken( PsGetCurrentThread(), &token_type, ..., &imp_level);
// Do something with token
James Forshaw @tiraniddo
Real Example CVE-2015-0002
33
BOOLEAN AhcVerifyAdminContext(){ TOKEN_USER *user; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
PACCESS_TOKEN token = PsReferenceImpersonationToken( PsCurrentThread(), ..., &ImpersonationLevel); if (token == NULL) { token = PsReferencePrimaryToken(PsCurrentProcess()); } SeQueryInformationToken(token, TokenUser, &user);
if(RtlEqualSid(user->User->Sid, LocalSystemSid) || SeTokenIsAdmin(token)) { return TRUE; }
return FALSE;}
Bad!, no check on ImpersonationLevel
James Forshaw @tiraniddo
DEMOCVE-2015-0002 AppHelp Cache Control
EoP
34
James Forshaw @tiraniddo
Is SeTokenIsAdmin Also Bad?
● CVE-2015-0002 was Windows 8+ only● Similar bug existed on Windows 7, but could also bypass
SeTokenIsAdmin as well
35
// Win7BOOLEAN SeTokenIsAdmin(PACCESS_TOKEN Token) { return SepSidInToken(Token, SeExports->AdminGroupSid);}
// Win8+BOOLEAN SeTokenIsAdmin(PACCESS_TOKEN Token) { if (Token->TokenType == TokenImpersonation && Token->SecurityLevel < SecurityImpersonation) return FALSE; return SepSidInToken(Token, SeExports->AdminGroupSid);}
James Forshaw @tiraniddo
Crafted Subject Context
36
PSECURITY_DESCRIPTOR sd = ...;PACCESS_TOKEN primary_token = PsReferenceEffectiveToken(...);
SECURITY_SUBJECT_CONTEXT context = {0};
context->PrimaryToken = primary_token;
if (SeAccessCheck(sd, &context, ...) { // Do a privileged action}
James Forshaw @tiraniddo
Crafted Subject Context
37
PSECURITY_DESCRIPTOR sd = ...;PACCESS_TOKEN primary_token = PsReferenceEffectiveToken(...);
SECURITY_SUBJECT_CONTEXT context = {0};
context->PrimaryToken = primary_token;
if (SeAccessCheck(sd, &context, ...) { // Do a privileged action}
BOOLEAN SeAccessCheck(..., PSECURITY_SUBJECT_CONTEXT context, ..., PNTSTATUS AccessStatus) {
// Some initialization if (context.ClientToken && context.ImpersonationLevel < SecurityImpersonation) { *AccessStatus = STATUS_ACCESS_DENIED; return FALSE; }
// Do access check with token}
James Forshaw @tiraniddo
Real Example RtlpAllowsLowBoxAccess
38
NTSTATUS RtlpAllowsLowBoxAccess(wchar_t* atomname) { SubjectSecurityContext.PrimaryToken = PsReferenceEffectiveToken( PsGetCurrentThread(), ...); SubjectSecurityContext.ProcessAuditId = PsGetCurrentProcess()->UniqueProcessId; BOOLEAN result = SeAccessCheckWithHint( SeAtomSd, 0, &SubjectSecurityContext,
...);
// Handle result}
James Forshaw @tiraniddo
System Thread Impersonation
● Impersonation usually through SeImpersonateClient● Can also use PsImpersonateClient● If an explicit impersonation level is passed it will override what’s in
the token
39
VOID DoWorkThread(LPVOID arg) { PACCESS_TOKEN token = arg;
PsImpersonateClient(PsCurrentThread(), token, ..., SecurityImpersonation);}
PACCESS_TOKEN token = PsReferenceImpersonationToken(...);
PsCreateSystemThread(&hThread, ..., DoWorkThread, token);
James Forshaw @tiraniddo
Leaky Tokens
● Kernel code can capture access token objects just like any other kernel object and manipulate it
● Bad code could return the token to user mode as a handle○ Only requires you pass the access check
● This goes against the leakage of tokens through impersonation as you can get hold of primary tokens from other processes
● Can be used to elevate privileges in restricted token scenarios
40
// Capture token in one processPACCESS_TOKEN token = PsReferenceEffectiveToken();CapturedAccessToken = token;
// Read in anotherOpenCapturedAccessToken(PHANDLE TokenHandle, ACCESS_MASK Access) { ObOpenObjectByPointer(CapturedAccessToken, Access, TokenHandle);}
James Forshaw @tiraniddo
Real Example CVE-2015-0078
● Undocumented win32k system call NtUserGetClipboardToken introduced in Windows 8.1
41
Win32k
Medium ILProcess 1
Write
to C
lipbo
ard
Captured Token
Low IL ProcessProcess 1
NtUserGetClipboardToken
Open for read access
James Forshaw @tiraniddo
Why Is This a Problem?
● GENERIC_READ access gives TOKEN_DUPLICATE access right● Duplicate to get a writable token then lower IL level● As long as the same user allows us to assign the token.
42
TOKEN_MANDATORY_LABEL TokenMandatoryLabel; TokenMandatoryLabel.Label.Attributes = SE_GROUP_INTEGRITY;TokenMandatoryLabel.Label.Sid = MediumMandatoryLevelSid;
SetTokenInformation(hNewToken,TokenIntegrityLevel,&TokenMandatoryLabel,sizeof(TOKEN_MANDATORY_LABEL));
James Forshaw @tiraniddo
DEMOCVE-2015-0078
Win32k Leaky Tokens
43
James Forshaw @tiraniddo
Incorrect Token Duplication
● External duplication APIs, NtDuplicateToken and SeDuplicateToken check for impersonation level < Impersonate
● Kernel code can also use internal duplication function SepDuplicatetoken
● No checks done on the original token that it’s compatible for duplication
44
James Forshaw @tiraniddo
Real Example CVE-2015-0078
● CreateProcessAsUser takes a token handle to assign as primary token
● Documented as requiring a Primary Token
45
James Forshaw @tiraniddo
Digging into NtCreateUserProcess
46
NTSTATUS PspReferenceTokenForNewProcess( HANDLE token, KPROCESSOR_MODE AccessMode, TOKEN **outtok){ result = ObReferenceObjectByHandle(token, TOKEN_ASSIGN_PRIMARY, SeTokenObjectType, AccessMode, outtok);
return result;}
Only requires TOKEN_ASSIGN_PRIMARY privileges
James Forshaw @tiraniddo
Token Creation
NSTATUS SeSubProcessToken(_EPROCESS *process, _TOKEN *token, _TOKEN **subtoken){ OBJECT_ATTRIBUTES objattr; InitializeObjectAttributes(&objattr); SepDuplicateToken(token, &objattr, TokenPrimary, SecurityAnonymous, subtoken); // Do rest of initialization}
47
Explicitly Duplicate as Primary
James Forshaw @tiraniddo
SeAssignPrimaryTokenPrivilege
● Limit to general exploitability, caller process must have privilege or meet a set of criteria to assign token
● System services (such as IIS) have privilege so can be used as an EoP there, but what about user processes?
48
BOOLEAN has_assign_privilege = FALSE;if (SeSinglePrivilegeCheck(SeAssignPrimaryTokenPrivilege)) has_assign_privilege = TRUE; BOOLEAN can_assign;SeIsTokenAssignableToProcess(tokena, &can_assign); if ( !can_assign && !has_assign_privilege ) return STATUS_PRIVILEGE_NOT_HELD;
James Forshaw @tiraniddo
SeIsTokenAssignableToProcess
49
Parent Token Sibling Token
Process Token
Token ID
Assigned Token
Parent Token ID
Equal
CreateRestrictedToken
Process TokenParent
Token ID
Auth ID
Assigned TokenParent
Token ID
Auth ID
Equal
Equal
DuplicateTokenNtCreateLowBoxToken
OR
James Forshaw @tiraniddo
LowBox Token Hierarchy
● LowBox Tokens used in things like IE EPM are siblings of the main user’s token.
● Using this issue can capture an identification token from main user and use that to create a new process with elevated privileges
● Only restriction is must be at same IL, which for IE EPM is Low
50
James Forshaw @tiraniddo
DEMOCVE-2015-0078
NtCreateUserProcess
51
James Forshaw @tiraniddo
TOCTOU Issues
● Some bugs need to change the token between one call and the next
● Can be done from another thread● Useful to bypass lower SeAccessCheck then subsequent additional
checks
52
void DoUserAction(){ if (SeAccessCheck(...)) { PACCESS_TOKEN token = PsReferenceEffectiveToken();
PSID sid = GetUserSid(token);
// Do operations as that use }}
James Forshaw @tiraniddo
IO Manager TOCTOU
● IO Manager Only Captures Security during IRP_MJ_CREATE processing
● No subsequent IO calls are explicitly checked, so sometimes drivers do it manually
53
void UseDriver(){ // Security check made here HANDLE hDevice = CreateFile("\\\\.\\DeviceName", ...);
ImpersonateLoggedOnUser(hFakeId);
// No further security checks DeviceIoControl(hDevice, ...);}
James Forshaw @tiraniddo
Real Example CVE-2015-0011
● MRXDAV driver implements kernel mode component of WebDAV UNC path support
● Accessible through \Device\WebDavRedirector device, which does a security check
● Functionality implemented in Device IO Control commands, which does the following:
54
// Do Device IO ControlSeCaptureSubjectContext(&ctx)SeQueryAuthenticationId(SeQuerySubjectContextToken(&ctx), &luid);if(luid == LocalSystemLUID) is_local_system = true;
if (is_local_system) // Do privileged operation
James Forshaw @tiraniddo
Vulnerable Zw Calls
● Calls to ZwOpenThreadToken and ZwOpenProcessToken are deprecated, replaced with Ex Variants.
● This is because these calls were supposed to only be used from user mode and not the kernel○ Didn’t specify a handles flag option○ Meant all handles were opened as user-mode handles○ Potential for a user-mode process to get access to privileged handles
55
James Forshaw @tiraniddo
Changes in Token Handling
56
James Forshaw @tiraniddo
SeTokenIsAdmin Fixed in Windows 7
57
James Forshaw @tiraniddo
Windows 10 Changes (Build 10159)
58
If Token Level < Impersonate
If Process has Impersonate
Privilege
ALLOWEDRestrict to
Identification Level
If Process IL < Token IL
If Process User == Token User
Elevation Check
Capability Check
James Forshaw @tiraniddo
Windows 10 Impersonation Capability
● New Group and Capability SIDs to add impersonation capability○ Session Impersonation Group○ Constrained Impersonation Group○ Constrained Impersonation Capability
59
If Same Session and Process Token has
Session Impersonation Group
If LowBox Token and Process Token has
Constrained Impersonation Group
If LowBox Token and Process Token has
Constrained Impersonation Group
If same LowBox Package SID
Also needs SepAllowSessionImpersonationCap set in Kernel Flags
James Forshaw @tiraniddo
Windows 10 Elevated Token Impersonation
● Blocks impersonating an elevated token unless process token is also elevated
● Must be enabled in SeCompatFlags kernel flag● Blocks trick used to elevate privileges with
NtUserGetClipboardToken
60
if (SeTokenIsElevated(ImpersonationToken)) { if ((SeCompatFlags & 1) && !SeTokenIsElevated(ProcessToken)) { return STATUS_PRIVILEGE_NOT_HELD; }}
James Forshaw @tiraniddo
Questions?
61