openbsd remote exploit
play

OpenBSD Remote Exploit Only two remote holes in the default install - PowerPoint PPT Presentation

Mar 27, 2024 •354 likes •587 views

OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability was found: The m dup1()

  1. OpenBSD Remote Exploit ”Only two remote holes in the default install” Alfredo A. Ortega June 30, 2007

  2. Mbuf buffer overflow Buffer overflow Researching the “OpenBSD 008: RELIABILITY FIX” a new vulnerability was found: The m dup1() function causes an overflow on the mbuf structure, used by the kernel to store network packets. Copy direction mbuf1 mbuf2 mbuf3 mbuf4 End of overflow Figure: mbuf chain overflow direction The function m freem() crashed...

  3. Searching for a way to gain code execution

  4. Searching for a way to gain code execution

  5. C code equivalent / s y s /mbuf . h #d e f i n e MEXTREMOVE(m) do { \ i f (MCLISREFERENCED(m)) { \ MCLDEREFERENCE(m) ; \ } e l s e i f ((m ) − > m f l a g s & M CLUSTER) { \ p o o l p u t (&mclpool , (m ) − > m ext . e x t b u f ) ; \ } e l s e i f ((m ) − > m ext . e x t f r e e ) { \ ( ∗ ((m ) − > m ext . e x t f r e e ) ) ( (m ) − > m ext . ext buf , \ (m ) − > m ext . e x t s i z e , (m ) − > m ext . e x t a r g ) ; \ } { \ e l s e f r e e ((m ) − > m ext . ext buf , (m ) − > m ext . e x t t y p e ) ; \ } \ (m ) − > m f l a g s &= ˜(M CLUSTER | M EXT ) ; \ (m ) − > m ext . e x t s i z e = 0; / ∗ why ??? ∗ / \ } while (/ ∗ CONSTCOND ∗ / 0)

  6. IcmpV6 packets Attack vector We use two IcmpV6 packets as the attack vector Mbuf chain Fragment 1 Fragment 2 Header IPv6 Header IPv6 Header mbuf 1 Hop−by−Hop Header Fragmentation Header Fragmentation Header Icmpv6 Icmpv6 Header Header Trampoline mbuf 2 ShellCode SyscallHook Payload Header mbuf 3 Figure: Detail of IcmpV6 fragments

  7. Where are we? Code execution We really don’t know where in kernel-land we are. But ESI is pointing to our code. Initial situation Final situation User process Kernel ? Ring 3 ? Hooked syscall Ring 0 ? ? ? ? ShellCode ESI ShellCode iret Int 0x80 ? ? ? ? Kernel Ring 0 ? Where we are? Figure: Initial and final situations

  8. Now what? Hook (remember DOS TSRs?) We hook the system call (Int 0x80) Normal System Call Hooked System Call User process User process Ring 3 Normal syscall Hooked syscall INT 0x80 INT 0x80 return return Kernel Kernel Ring 0 Hook Figure: System call hook Note: If the OS uses SYSENTER for system calls, the operation is slightly different.

  9. New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions)

  10. New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process)

  11. New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc − > userID)

  12. New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc − > userID) 4. If userID == 0 : 4.1 Get LDT position 4.2 Extend DS and CS on the LDT (This disables WˆX!) 4.3 Copy the user-mode code to the the stack of the process 4.4 Modify return address for the syscall to point to our code

  13. New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc − > userID) 4. If userID == 0 : 4.1 Get LDT position 4.2 Extend DS and CS on the LDT (This disables WˆX!) 4.3 Copy the user-mode code to the the stack of the process 4.4 Modify return address for the syscall to point to our code 5. Restore the original Int 0x80 vector (remove the hook)

  14. New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc − > userID) 4. If userID == 0 : 4.1 Get LDT position 4.2 Extend DS and CS on the LDT (This disables WˆX!) 4.3 Copy the user-mode code to the the stack of the process 4.4 Modify return address for the syscall to point to our code 5. Restore the original Int 0x80 vector (remove the hook) 6. Continue with the original syscall

  15. OpenBSD WˆX internals WˆX: Writable memory is never executable i386: uses CS selector to limit the execution. To disable WˆX, we extend CS from ring0. 0x00000000 0xffffffff 4 GB .text .so .so heap stack 512 MB User Code Segment (CS) Extension User Data Segment (DS) stack Extension Figure: OpenBSD selector scheme and extension

  16. Defeating WˆX from ring0 Our algorithm, independent of the Kernel: s l d t ax ; Store LDT index on EAX sub esp , byte 0 x7f sgdt [ esp +4] ; Store g l o b a l d e s c r i p t o r t a b l e mov ebx , [ esp +6] add esp , byte 0 x7f push eax ; Save l o c a l d e s c r i p t o r t a b l e index edx , [ ebx + eax ] mov ecx , [ ebx + eax +0x4 ] mov edx ,16 ; base low − − > edx shr eax , ecx mov eax ,24 ; base middle − − edx s h l > eax ,8 shr edx , eax or eax , ecx ; b a s e h i g h − − > edx mov eax ,0 xff000000 and edx , eax or mov ebx , edx ; ldt − − > ebx ; Extend CS s e l e c t o r or dword [ ebx +0x1c ] , 0 x000f0000 ; Extend DS s e l e c t o r or dword [ ebx +0x24 ] , 0 x000f0000

  17. Injected code WˆX will be restored on the next context switch, so we have two choices to do safe execution from user-mode: Turning off W^X (from usermode) Creating a W+X section From kernel... From kernel... User User Stack Stack 1. mprotect() 1. fork() Ring 3 Ring 3 mprotect() extends 2.fork() 2.mmap() CS permanently 3.Standard 3.copy user−mode code 4.jmp to mmaped 5. Standard user−mode code Figure: Payload injection options

  18. Questions before going on? Now we are executing standard user-mode code, and the system has been compromised.

  19. Proposed protection Limit the Kernel CS selector The same strategy than on user-space. Used on PaX (http://pax.grsecurity.net) for Linux. 0x00000000 0xffffffff 4 GB 0xD0000000 0xD1000000 kernel mbuf chains, etc CS shrink Kernel Code Segment (CS) Kernel Data Segment (DS) Figure: OpenBSD Kernel CS selector shrink

  20. A third remote vulnerability? IPv6 Routing Headers Uninitialized variable on the processing of IPv6 headers. 1. DoS or Code Execution (depending who you ask!) 2. Present on CVS from January to March of 2007 (very few systems affected)

  21. Conclusions In this article we presented: 1. Generic kernel execution code and strategy 2. Possible security improvement of the kernel

  22. Conclusions In this article we presented: 1. Generic kernel execution code and strategy 2. Possible security improvement of the kernel 3. A third bug - No software is perfect

  23. Final Questions? Thanks to: Gerardo Richarte: Exploit Architecture Mario Vilas and Nico Economou: Coding support

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org> OpenCON, 2005 Outline 1 Porting OpenBSD What It Takes Preparation Cross-Development The Boot Loader Building The Kernel Adapting Startup

1.59k views • 88 slides
Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17 (24 hours)! Due: form your team and submit your CTF challenge by Nov 13! Due: Lab07 is out and its due on Nov 2 (two weeks!) NSA

596 views • 33 slides
Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD BSDConTr, Istanbul, Turkey Agenda 1 Introduction 2 Radio Clocks 3 Architectural Overview 4 Support for GPS-Receivers 5 Support for Time Signal

745 views • 35 slides
Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia No class on Oct 28 If you are interested in, check out EKOPARTY CTF 2016 Due: Lab08 is out and its due on Nov 3 (two weeks!)

530 views • 21 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation

Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation

Motivation Starting Position Local Improvements Remote Logging Conclusion Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017 Motivation Starting Position Local Improvements Remote Logging Conclusion Agenda

741 views • 34 slides
Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe akoshibe@openbsd.org AsiaBSDCon 2018 SDN? Network split into programmable nodes that handle traffic and entities that program them

372 views • 26 slides
LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

OpenBSD rc.d(8) LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1) OpenBSD developer since 2006 ajacoutot@ aka aja@ sysmerge, rc.d, rcctl, libtool, stuff, other stuff >400 ports,

1.19k views • 64 slides
OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to be able to create VM images on OpenBSD for VMM and many other virtualizers. Philipp Bhler <pb@sysfive.com> @pb_double sysfive.com portfolio

510 views • 20 slides
OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org> Fosdem 2020, Brussels Historical setup some OpenBSD mail servers Postfix + Apache SpamAssassin + Amavisd-new + Courier Imap no shared

310 views • 20 slides
Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview Return Oriented Programming Removing ROP Gadgets Unaligned / Polymorphic Gadget Reduction Aligned Gadget Reduction Results Return

1.99k views • 99 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides
Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are The exploit problem Modern software vulnerabilities Hardware-assisted exploit Agenda prevention Prior research

674 views • 45 slides
Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

What did exist before? How does it work? What are the findings? What is the Conclusion? Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019 What did exist before? How does it work? What are the

491 views • 48 slides
IPv6 Tutorial ICANN Sao Paulo December, 2006 Jordi Palet (jordi.palet@consulintel.es) - 1

IPv6 Tutorial ICANN Sao Paulo December, 2006 Jordi Palet (jordi.palet@consulintel.es) - 1

IPv6 Tutorial ICANN Sao Paulo December, 2006 Jordi Palet (jordi.palet@consulintel.es) - 1 Why a New IP? Only compelling reason: more addresses! for billions of new devices, e.g., cell phones, PDAs, appliances, cars, etc. for

615 views • 48 slides
How To I/O? Todd L. Montgomery @toddlmontgomery I/O? Really? What used to be true is still

How To I/O? Todd L. Montgomery @toddlmontgomery I/O? Really? What used to be true is still

StoneTor How To I/O? Todd L. Montgomery @toddlmontgomery I/O? Really? What used to be true is still true Except when it isnt Case Study: Aeron Takeaways I/O? Really? M.2 DDRSSD PCIe - 3/4 100 GbE OmniPath CPUs Cache /

1.35k views • 98 slides
The Btrfs Filesystem Chris Mason The Btrfs Filesystem Jointly developed by a number of

The Btrfs Filesystem Chris Mason The Btrfs Filesystem Jointly developed by a number of

The Btrfs Filesystem Chris Mason The Btrfs Filesystem Jointly developed by a number of companies Oracle, Redhat, Fujitsu, Intel, SUSE, many others All data and metadata is written via copy-on-write CRCs maintained for all metadata

288 views • 18 slides
for Heavy Ion Therapy D. Bolst 1 , G.A.P. Cirrone 2 , G. Cuttone 2 , G. Folger 3 , S. Incerti 4,5 ,

for Heavy Ion Therapy D. Bolst 1 , G.A.P. Cirrone 2 , G. Cuttone 2 , G. Folger 3 , S. Incerti 4,5 ,

Validation of Geant4 fragmentation for Heavy Ion Therapy D. Bolst 1 , G.A.P. Cirrone 2 , G. Cuttone 2 , G. Folger 3 , S. Incerti 4,5 , V. Ivanchenko 3,6 , T. Koi 7 , D. Mancusi 8 , L. Pandola 2 , F. Romano 2,9 , A. Rosenfeld 1 and S. Guatelli 1 1

502 views • 25 slides
DNA Replication and Repair http://hyperphysics.phy-astr.gsu.edu/hbase/organic/imgorg/cendog.gif

DNA Replication and Repair http://hyperphysics.phy-astr.gsu.edu/hbase/organic/imgorg/cendog.gif

DNA Replication and Repair http://hyperphysics.phy-astr.gsu.edu/hbase/organic/imgorg/cendog.gif genetic information is passed on DNA to the next generation Replication semi-conservative T A T T A T A A A T A T G C G G C

320 views • 15 slides
Design and realisation of a pilot site for monitoring Infiltrated soil water under a real on-site

Design and realisation of a pilot site for monitoring Infiltrated soil water under a real on-site

Design and realisation of a pilot site for monitoring Infiltrated soil water under a real on-site treatment system; evaluation of soil functions Behzad NASRI*, Olivier FOUCH*and**, Christophe SAILL**, David RAMIER*** and Martin SEIDL* *

297 views • 28 slides
Elisabeth George, Technology Appraisals Centre for Health Technology Evaluation, NICE Workshop on

Elisabeth George, Technology Appraisals Centre for Health Technology Evaluation, NICE Workshop on

HTA of Companion Diagnostics Elisabeth George, Technology Appraisals Centre for Health Technology Evaluation, NICE Workshop on Pharmacogenomics: from science to clinical care 8-9 October 2012 European Medicines Agency, London, United Kingdom

411 views • 23 slides
Novel Platform Using LC-MS and Ligand Binding Assays for Characterization and PK analysis of ADCs

Novel Platform Using LC-MS and Ligand Binding Assays for Characterization and PK analysis of ADCs

Novel Platform Using LC-MS and Ligand Binding Assays for Characterization and PK analysis of ADCs Jasja Wolthoorn, TNO Triskelion BV EBF Barcelona, 22 nd November 2013 THE DEVELOPMENT OF LARGE MOLECULES Recombinant Therapeutic Novel

497 views • 30 slides

More recommend