mess with the best die
play

Mess with the best, die like the rest (mode) Volodymyr Pikhur - PowerPoint PPT Presentation

Dec 31, 2022 •6 likes •546 views

Mess with the best, die like the rest (mode) Volodymyr Pikhur @vpikhur REcon Brussels 2018 1 About Been doing RE for more than 15 years Privately wrote multiple tools for deobfuscation and binary analysis, PE unpackers, software VM

  1. Mess with the best, die like the rest (mode) Volodymyr Pikhur @vpikhur REcon Brussels 2018 1

  2. About • Been doing RE for more than 15 years • Privately wrote multiple tools for deobfuscation and binary analysis, PE unpackers, software VM disassemblers/decompilers, etc. • Kernel and hypervisor based security exploitation • First time public speaker • Past 5 years been learning hardware • Starting from basics Firmware, SPI, UART, etc. • Silicon decapsulation, fault injection • Past year+ been working on HW for side- channel analysis.

  3. Why doing this? • Learning and a challange. • Hardware and silicon isn’t your magic black box. • Sony has no bug bounties. • I’ve been sitting on this for 2 years. REcon Brussels 2018 3

  4. Why presenting here? FAKE NEWS! REcon Brussels 2018 4

  5. Agenda • WebKit exploitation • FreeBSD x86_64 exploitation • Hardware and firmware • Dumping FreeBSD ARM kernel of southbridge • Running user code on ARM • FreeBSD ARM exploitation • Hardware attacks and kernel bootloader extraction • Future research REcon Brussels 2018 5

  6. Finding WebKit exploit REcon Brussels 2018 6

  7. Changelog open for all! REcon Brussels 2018 7

  8. The Hunt for Red October

  9. Use existing exploit CVE-2012-3748 https://www.exploit-db.com/exploits/28081/ REcon Brussels 2018 9

  10. ROP ONLY no RWX memory!

  11. JIT how does it work? (magnets?) child WebProcess JSC-Compiler IPC RX JIT RW JIT Code Code REcon Brussels 2018 11

  12. • Create RWX JIT shared memory (SHM) • Create alias of this SHM with RW access • Map RX JIT SHM using original FD • Map RW JIT SHM using alias. • Map RX 0x30000000 • Map RW 0x30100000 • Pthead_create REcon Brussels 2018 12

  13. RWX without JIT Start End prot maxprot Info 0x000007ff3e4000 - 0x000007ff3e8000 0 3stack guard 0x000007ff3e8000 - 0x000007ff5e8000 3 3Thread1 0x000007ff5e8000 - 0x000007ff5ec000 0 3stack guard 0x000007ff5ec000 - 0x000007ff7ec000 3 3Thread2 0x000007ff7ec000 - 0x000007ff7f0000 0 3stack guard 0x000007ff7f0000 - 0x000007ff9f0000 3 3Thread3 0x000007ff9f0000 - 0x000007ff9f4000 0 3stack guard 0x000007ff9f4000 - 0x000007ffbf4000 3 3Thread4 0x000007ffdf8000 - 0x000007ffdfc000 0 33 0x000007ffdfc000 - 0x000007ffffc000 3 3main stack 0x000007ffffc000 - 0x00000800000000 5 37 REcon Brussels 2018 13

  14. Privilege escalation • Kernel • Syscall exploitation is difficult black box isn’t fun  • Maximum what we can get are info leaks in FreeBSD • Kernel callstack using sysctl KERN_PROC_KSTACK ( requires two threads ) • Pointer leak ( CVE-2014-8476 ) • Services • Still in their own jail but have more priviledges able to call more syscalls • Bugs are present but unable to get code exec • Multiple crashes via IPC REcon Brussels 2018 14

  15. Kernel code execution • BadIRET (CVE-2014-9322, CVE-2015-5675) • CVE-2015-5675 ( 2015-08-25 ) • https://www.freebsd.org/security/advisories/FreeBSD-SA- 15:21.amd64.asc • CVE-2014-9322 • Rafal’s excellent guide on this bug • https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322- linux-kernel-privilege-escalation/ REcon Brussels 2018 15

  16. FreeBSD PoC • “This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.” • https://www.exploit- db.com/exploits/36266/ REcon Brussels 2018 16

  17. Rafal’s IDT pointer redirection • Rafal’s approach action = &t->sighand->action[sig-1]; action->sa.sa_handler = SIG_DFL; // SIG_DFL = 0 • IDT overwrite • Overwrite #PF handler address in IDT • IDT[#PF] = 0xFFFFFFFF ’XXXXXXXX • IDT[#PF] = 0x00000000 ’XXXXXXXX • FreeBSD increment primitive • td->td_critnest++ • 0xFFFFFFFF + 1 = 0x0 REcon Brussels 2018 17

  18. PoC implementation #SS -> #PF -> pcb_onfault REcon Brussels 2018 18

  19. BadIRET FreeBSD PoC implementation REcon Brussels 2018 19

  20. Hardware overview HDD DDR3 WIFI/BT BD SB PCIe x4 USB AMD APU Marvell SoC ETH SPI UART/IO GDDR5 FLASH https://wikidevi.com/wiki/Marvell https://media.ccc.de/v/33c3-7946-console_hacking_2016 REcon Brussels 2018 20

  21. SPI Flash Firmware 2MB • Marvell SoC “Aeolia/Belize/Baikal” Southbridge FW • C0000001 (IPL – SRAM) aka EMC • C0010001 (KBL – DDR3) aka EAP • Torus WIFI/BT • NVS ( config etc. ) 30MB • AMD APU AMD x86 FW • AES XTS encrypted with per console key AMD SP SAMU • Secure Loader/Kernel/Modules • X86 BIOS/Kernel

  22. HDD structure overview • 15 GPT partitions • Encrypted with two sets of keys • AMD SP • X86 Services/Modules/GUI C# Mono • Updates • Southbridge • User files - 400GB+ UFS2 • User files, Games, Settings, Browser history ;) • EAP ARM User - 128MB FAT • EAP ARM Kernel - not a FS ( encrypted/signed blob ) REcon Brussels 2018 22

  23. Boot/Power sequence Marvell SoC RestMode C0010001 EAP PCIe Root Complex EAP USER EAP KBL KERNEL DDR3 DDR3 HDD DDR3 C0000001 BootROM EMC SRAM AMD BootROM PCIe Endpoint REcon Brussels 2018 23

  24. Cold Boot without cooling • DDR3 memory is directly mapped at 0xfffffe0080000000 • sbram0: <Aeolia DDR3 memory> mem 0x80000000-0xbfffffff at device 20.6 on pci0 • DRAM stays without power for very small period of time during power cycle which is enough that contents of DRAM persist hence an attacker is able to dump it! REcon Brussels 2018 24

  25. DDR3 Dump Analysis • Kernel 0x00000000 Exception vectors • Contiguous Free • 1:1 mapping L1/L2 Page Tables • Raw binary no ELF header • No ASLR Free • Kernel unpacker Free • Minimal ELF binary • Custom compression Kernel • User User • ASLR on newer FW • HMAC-SHA256 signing >2.xx FW Kernel unpacker 0x0FFFFFFF (256MB) REcon Brussels 2018 25

  26. DDR3 Dump Analysis • KBL 0x00000000 Exception vectors • memset( bootp.kbl, 0, bootp.kbl_size ); Free • KBL Stack L1/L2 Page Tables • Stack cookies • Return address to Kernel unpacker KBL • Garbage KBL Stack • No keys!  Kernel User Kernel unpacker 0x0FFFFFFF (256MB) REcon Brussels 2018 26

  27. Running code on ARM • No signing required on 1.xx ( HMAC-SHA256 on 2.xx+ ) • Signing key still can be dumped from DRAM using cold boot on newer FW • Crossbuild FreeBSD to support ARM • Override some structures and types to match correct size Sony decided default one aren’t good enough. • Mount /eap_vsh and replace binary SceEapCore.elf • No network and other things  • No RWX • LDSCRIPT • Inject your payload inside the binary and place hook to spawn new thread! • We are Root! REcon Brussels 2018 27

  28. Kernel code exec • Limited number of syscalls even less than on x86 kernel • NOT an x86 can’t use BadIRET exploit • No Sony’s syscalls like sys_dlclose, sys_namedobj, etc. • http://cturt.github.io/dlclose-overflow.html • https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/ • Old exploits? I didn't find anything useful.  • sys_kldload JACKPOT! • Basic FreeBSD functionality to load kernel modules was left behind! • Load helloworld.ko module -> CRASH!  REcon Brussels 2018 28

  29. sys_kldload crash root cause analysis • Bad ELF format? • Correct kernel version? • Did Sony change something? • Trying different binaries gives inconsistent behavior • Sometimes crashes sometimes not • Load success but no execution!? • Malloc! – kernel uses malloc to allocate memory for kernel modules • pmap_enter strips X bit and returns RW memory if ( prot & VM_PROT_WRITE ) prot = prot & ~VM_PROT_EXECUTE; REcon Brussels 2018 29

  30. ROP validation • To validate that I have working kernel module I had to redirect entry point to executable code inside kernel itself • BX LR - just return should not crash • Invalid pointer – should crash • DECLARE_MODULE macro • FreeBSD already points inside of kernel! • MODULE_METADATA(_md_##name, MDT_MODULE, &data, #name); • SYSINIT(name##module, sub, order, module_register_init, &data); • PC and R0 control • void module_register_init(const void *arg) REcon Brussels 2018 30

  31. Arbitrary kernel code execution 1) Load 1 st module • Patch L1 table to make kernel pages RWX instead RX only 2) Load 2 nd module • patch pmap_enter and allow RWX memory • Conveniently when kernel loads new module it does TLB and cache invalidate • Otherwise if we would try to do write to kernel right after we patch L1 it would crash so don’t do ROP -chain. 3) Load 3 rd module • We able to load kernel module and run own kernel code • PROFIT! (SHOTS!) REcon Brussels 2018 31

  32. Now what!? • Co-processor registers • CP0, CP14, CP15 • CP14 - ARM debug registers available to software • Data abort handler • Allows to scan memory and resume if that memory is unavailable • No other MMIO than what is already referenced in kernel • No 1MB register configuration space https://patchwork.kernel.org/patch/6169481/ • When no paging enabled ARM says it is undefined behavior • I found hard limit of 256 failed aborts until unrecoverable crash • Hangs on certain MMIO which requires power cycle manually REcon Brussels 2018 32

  33. Nothing except ability to run code in kernel REcon Brussels 2018 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Screenshot CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess CC BY-NC

Screenshot CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess CC BY-NC

Screenshot CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess CC BY-NC 3.0 Before: the mess Akka &amp; Spray RabbitMQ C++ &amp; CUDA Cassandra CC BY-NC 3.0 Before: the mess scene topic (Map[String, String],

614 views • 30 slides
FRONT END FRAMEWORKS buil d we b ap ps faste r ! MP 1 TAKEAWAYS CSS is a mess (but SCSS/Sass

FRONT END FRAMEWORKS buil d we b ap ps faste r ! MP 1 TAKEAWAYS CSS is a mess (but SCSS/Sass

CS498RK SPRING 2020 FRONT END FRAMEWORKS buil d we b ap ps faste r ! MP 1 TAKEAWAYS CSS is a mess (but SCSS/Sass helps) Javascript is a mess (but ES6 helps) Javascript is way too forgiving for its own good There are often multiple ways to do

818 views • 35 slides
Cleaning Up the Mess: Using Chemistry to Cleaning Up the Mess: Using Chemistry to Degrade

Cleaning Up the Mess: Using Chemistry to Cleaning Up the Mess: Using Chemistry to Degrade

Cleaning Up the Mess: Using Chemistry to Cleaning Up the Mess: Using Chemistry to Degrade Persistent Organic Pollutants in Degrade Persistent Organic Pollutants in the Environment the Environment A Presentation for Caf Scientifique A

688 views • 40 slides
FROM THE MESS OF BIG DATA Neil Bendle &amp; Shane (Xin) Wang Ivey Business School, Western

FROM THE MESS OF BIG DATA Neil Bendle &amp; Shane (Xin) Wang Ivey Business School, Western

UNCOVERING THE MESSAGE FROM THE MESS OF BIG DATA Neil Bendle &amp; Shane (Xin) Wang Ivey Business School, Western University, London Ontario, Canada Uncovering The Message From The Mess Of Big Data Summary Consumers generate big data

316 views • 9 slides
You cant mess up your website anymore. We know from experience how frustrating it can be when

You cant mess up your website anymore. We know from experience how frustrating it can be when

You cant mess up your website anymore. We know from experience how frustrating it can be when youre trying to build a website through site builders. You often end up wasting precious time, energy, and money, trying to get the results that

251 views • 7 slides
The Relevance of the Most Irrelevant BHA and Drillstring Component (Why I decided to mess with

The Relevance of the Most Irrelevant BHA and Drillstring Component (Why I decided to mess with

The Relevance of the Most Irrelevant BHA and Drillstring Component (Why I decided to mess with the conventional blade stabiliser) Tom Newman March 10 th 2016 BAT-2 Downhole Dynamics Vibration Related Issues Directional Problems Poor BHA

391 views • 20 slides
Dirty Data Its a mess. Its your problem. Friso van Vollenhoven @fzk

Dirty Data Its a mess. Its your problem. Friso van Vollenhoven @fzk

Dirty Data Its a mess. Its your problem. Friso van Vollenhoven @fzk frisovanvollenhoven@godatadriven.com Go DataDriven PROUDLY PART OF THE XEBIA GROUP 'februari-22 2013' A: Yes, sometimes as often as 1 in every 10K calls. Or about once

455 views • 41 slides
The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF

The DNS security mess D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR9983950 Alfred P. Sloan Foundation Math Sciences Research Institute University of California at Berkeley

596 views • 33 slides
WEB ACCESS LAW Its a Mess Out There Jerry M. Brown (979) 458-6126 Managing Counsel

WEB ACCESS LAW Its a Mess Out There Jerry M. Brown (979) 458-6126 Managing Counsel

WEB ACCESS LAW Its a Mess Out There Jerry M. Brown (979) 458-6126 Managing Counsel jmbrown@tamus.edu Current State of the Law and Regulatory Guidance? 2 Agenda Question: Does Title II of the ADA require public colleges to have websites

546 views • 26 slides
The DNS security mess D. J. Bernstein University of Illinois at Chicago &amp; Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago &amp; Technische

The DNS security mess D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Paul Vixie, 1995, on DNSSEC: This sounds simple but it has deep reaching consequences in both the protocol and the

2.05k views • 180 slides
A Happy Mess: T ransitional Challenges of College Seniors who are First- Generation (1-G)

A Happy Mess: T ransitional Challenges of College Seniors who are First- Generation (1-G)

A Happy Mess: T ransitional Challenges of College Seniors who are First- Generation (1-G) Julia Overton-Healy, D. Ed. National Conference on Students in Transition November 2010, Houston, TX The purpose of this study ... T o

504 views • 19 slides
A brief history of the Web ...and how one architectural choice got us into a very big mess Tara

A brief history of the Web ...and how one architectural choice got us into a very big mess Tara

A brief history of the Web ...and how one architectural choice got us into a very big mess Tara Vancil @taravancil taravancil.com bluelinklabs.com beakerbrowser.com What is the Web? 1-1 Ted Nelson coins hypertext A

851 views • 50 slides
$ $ $ $ $ $ $ Emily Greer, Co-Founder &amp; COO Data is awesome Data is also a hot mess So

$ $ $ $ $ $ $ Emily Greer, Co-Founder &amp; COO Data is awesome Data is also a hot mess So

Data Gone Wrong Bad Tests,Terrible KPIs and Other Pitfalls $ $ $ $ $ $ $ Emily Greer, Co-Founder &amp; COO Data is awesome Data is also a hot mess So who am I to talk? A shameless data geek! Self-taught, not formally trained: I majored in

517 views • 26 slides
No More Bloody Mess: A Practical Guide to No relevant financial interests in any product

No More Bloody Mess: A Practical Guide to No relevant financial interests in any product

Disclosures No More Bloody Mess: A Practical Guide to No relevant financial interests in any product discussed today Ending ENT Bleeding H. Gene Hern, MD, MS, FACEP, FAAEM Assoc. Clinical Professor, UCSF Residency Director Alameda County

400 views • 29 slides
Debt, Money and Mephistopheles: How do we get out of this mess? Adair Turner Cass Business

Debt, Money and Mephistopheles: How do we get out of this mess? Adair Turner Cass Business

Debt, Money and Mephistopheles: How do we get out of this mess? Adair Turner Cass Business School 6 February 2013 Monetary policy and macro-demand: Two issues Targets: - Inflation rates or price levels - Nominal GDP growth rates or

981 views • 73 slides
W W W . A V I A N . A E R O The Connected Trip Building a trip is a mess Step 1 Step 2 Step 1

W W W . A V I A N . A E R O The Connected Trip Building a trip is a mess Step 1 Step 2 Step 1

W W W . A V I A N . A E R O The Connected Trip Building a trip is a mess Step 1 Step 2 Step 1 According to Google, people are browsing more than 7 different websites before they buy a ticket They are spending an average of 10 hours on

723 views • 21 slides
Lecture 7 - Applied Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network

Lecture 7 - Applied Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network

Lecture 7 - Applied Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger

817 views • 18 slides
Algorithm Discovery API WebCrypto API Proposal Israel Hilerio &amp; Vijay Bharadwaj, Microsoft

Algorithm Discovery API WebCrypto API Proposal Israel Hilerio &amp; Vijay Bharadwaj, Microsoft

Algorithm Discovery API WebCrypto API Proposal Israel Hilerio &amp; Vijay Bharadwaj, Microsoft Why? There are scenarios that have dependencies between specific algorithms in order to create a secure process Not having support for any one

77 views • 5 slides
Collision resistance Introduc3on Dan Boneh Recap: message

Collision resistance Introduc3on Dan Boneh Recap: message

Online Cryptography Course

472 views • 43 slides
Consummation of All One of the most One of the most IMP IMPORTAN TANT T courses you

Consummation of All One of the most One of the most IMP IMPORTAN TANT T courses you

Consummation of All One of the most One of the most IMP IMPORTAN TANT T courses you courses you will take!!!!!! will take!!!!!! IN INTR TRODUCTIO UCTION I. Introduction TER TERM M escato s - last logo s - words

274 views • 26 slides
1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

1 Simple Hash Functions Requirements for Hash Functions 1. can be applied to any sized message M

CPE 542: CRYPTOGRAPHY &amp; NETWORK SECURITY Using Symmetric Ciphers for MACs can use any block cipher chaining mode and use final block as a MAC Chapter 12 Hash Algorithms Data Authentication Algorithm (DAA) is a widely used MAC

305 views • 5 slides
Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe

Verified Boot: From ROM to Userspace ROM-Code Bootloader Kernel Root File System ELC Europe 2016, 12.10.2016 Marc Kleine-Budde &lt;mkl@pengutronix.de&gt; Slide 1 - http://www.pengutronix.de - 13.10.2016 Why Verified Boot? Attractive hacking

774 views • 20 slides
Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements

Outline Hash functions and MACs, contd Building a secure channel CSci 5271 Announcements intermission Introduction to Computer Security Crypto combined slides Public-key crypto basics Public key encryption and signatures Stephen McCamant

588 views • 9 slides
size_t Does Matter Hash Length Extension Attacks Explained Mika Bostrm &lt;bostik@iki.fi&gt;,

size_t Does Matter Hash Length Extension Attacks Explained Mika Bostrm &lt;bostik@iki.fi&gt;,

size_t Does Matter Hash Length Extension Attacks Explained Mika Bostrm &lt;bostik@iki.fi&gt;, &lt;mika.bostrom@smarkets.com&gt; dc4420, 2015-10-29 Cryptographic Hash Properties Digest Size (n bits) Input Block Size (m bits) m &gt;

537 views • 17 slides

More recommend