scoop the windows 10 pool
play

Scoop the Windows 10 Pool! 05 Juin 2020 Paul Fariello - PowerPoint PPT Presentation

Oct 25, 2022 •362 likes •959 views

Scoop the Windows 10 Pool! 05 Juin 2020 Paul Fariello (@paulfariello) Corentin Bayet (@OnlyTheDuck) Who are we? Corentin @OnlyTheDuck Bayet Previous work on Windows kernel heap exploitation. Paul Fariello @paulfariello Previous

  1. Scoop the Windows 10 Pool! 05 Juin 2020 Paul Fariello (@paulfariello) Corentin Bayet (@OnlyTheDuck)

  2. Who are we? Corentin ”@OnlyTheDuck” Bayet Previous work on Windows kernel heap exploitation. Paul Fariello ”@paulfariello” Previous work on VM escape and exploiting Linux stuff. Both employees @Synacktiv Offensive security company created in 2012. Soon 74 ninjas! pentest, reverse engineering, development. Paris, Toulouse, Lyon, Rennes

  3. Windows Pool Windows Pool is the Windows Kernel Heap allocator Used since Windows 7 Segment Heap allocator introduced in Windows 10 kernel - 19H1 Goals of the research Discover what changed What is the impact on specifjc pool materials? What is the impact on an exploitation point of view? 2/54

  4. Plan Windows Pool 101 1 Exploiting a Heap Overfmow 2 Exploitation 3 Conclusion 4 3/54

  5. Plan Windows Pool 101 1 2 Exploiting a Heap Overfmow 3 Exploitation 4 Conclusion

  6. void * ExAllocatePoolWithTag(POOL_TYPE PoolType , size_t NumberOfBytes , unsigned int Tag); void ExFreePoolWithTag(void * P, unsigned int Tag); Pool Allocator - API 4/54

  7. Pool Allocator Allocation associated with a tag 32-bit value, usually printable Mostly used for debug Allocation of different memory types NonPagedPool (NonPagedPoolNx since Windows 8) PagedPool SessionPool Additionnal features Quota Alignment 5/54

  8. Pool Allocator 6/54

  9. Segment Heap Introduced in userland with Windows 10 Used in kernel since Windows 10 - 19H1 Aims at providing different features depending on allocation size 7/54

  10. Segment Heap – Backends Allocation delegated to different backend Depends on requested size Each backend has its own allocation/free mechanism Low Fragmentation Heap Variable Size Segment Large 8/54

  11. Segment Heap – Backends 9/54

  12. Segment Heap – LFH LFH allocation <= 512 B backed by multiple SubSegments chunk grouped by size in buckets affjnity slots if contention detected bitmap of free/used blocks (kind of) randomize access 10/54

  13. Segment Heap – VS VS 512 B < allocation <= 128 KiB backed by multiple SubSegment RB tree maintaining list of free chunks Chunk are prefjxed with a dedicated struct _HEAP_VS_CHUNK_HEADER Contiguous free chunks are coalesced 11/54

  14. }; PoolIndex; Ptr64 ProcessBilled; PoolTag; int PoolType; char BlockSize; char char PreviousSize; char { struct POOL_HEADER Pool Allocator - POOL_HEADER Present before each allocated chunk Was used by the previous allocator Not needed by the Segment Heap, but still present 12/54

  15. Pool Allocator 13/54

  16. DynamicLookaside 512 B < allocation <= 4064 B Dedicated linked list of free chunk Prevent usage of backend’s free mechanism Grouped by size Size recovered from POOL_HEADER Enabled only if size is heavily used (Balance Set Manager) 14/54

  17. Pool Allocator - PoolQuota Mechanism to monitor heap usage Enabled with PoolQuota bit in PoolType (bit 3) Pointer to EPROCESS stored in ProcessBilled of POOL_HEADER A counter is incremented when an allocation occurs ... and decremented when a free occurs 15/54

  18. Pool Allocator - PoolQuota 16/54

  19. Quota Process Pointer Overwrite attack Quota Process Pointer Overwrite is an attack leveraging a heap overfmow Described by @kernelpool in 2011 Overwrite the POOL_HEADER of the next allocation Make ProcessBilled point to a fake EPROCESS Provides arbitrary decrement primitive Might be enough to elevate privileges to SYSTEM 17/54

  20. Quota Process Pointer Overwrite attack 18/54

  21. Quota Process Pointer Overwrite Mitigation Mitigated since Windows 8 ProcessBilled pointer xored with a randomly generated Cookie ProcessBilled = addrof(EPROCESS) ⊕ addrof(Chunk) ⊕ ExpPoolQuotaCookie Cannot be forged without a strong leak / read primitive Previous work on this at Nuit du Hack XV. 19/54

  22. Alignment mechanism Request memory aligned on CPU cache line Set CacheAligned bit in POOL_TYPE (bit 2) But chunk must respect two conditions: POOL_HEADER present at the very start of the chunk POOL_HEADER present 0x10 bytes before the returned pointer Might endup with two POOL_HEADER in the chunk PreviousSize of second POOL_HEADER = offset to fjrst POOL_HEADER 20/54

  23. Alignment mechanism 21/54

  24. Returned memory A chunk can be shaped with various headers Depends on used backend requested POOL_TYPE 22/54

  25. Returned memory 23/54

  26. Plan Windows Pool 101 1 2 Exploiting a Heap Overfmow 3 Exploitation 4 Conclusion

  27. Exploiting a Pool Overfmow after Windows 10 19H1 When having a big and controlled heap overfmow primitive, probably better to do a full data attack Overwrite the POOL_HEADER with values that won’t make crash Ensure PoolQuota bit is not set in PoolType Target next chunk content Fix VS header But overfmow of 4 bytes on POOL_HEADER of the next chunk is enough Aligned Chunk Confusion 24/54

  28. OriginalHdr = AlignedHdr - (AlignedHdr ->PreviousSize * 0x10) Aligned Chunk Freeing Mechanism When freeing an aligned chunk, the allocator needs to fjnd the real address of the start of the chunk. Uses the PreviousSize fjeld of the second POOL_HEADER to retrieve the start of the chunk The values stored in the OriginalHeader are then used to free the chunk 25/54

  29. Aligned Chunk Freeing Mechanism Mechanism exists since introduction of Pool allocator But before introduction of Segment Heap, there were multiple checks when freeing an aligned chunk : The offset between the two headers were recomputed and checked The BlockSize of the second header was recomputed and checked The AlignedPoolHeader pointer was checked to match the address of the aligned header 26/54

  30. Aligned Chunk Freeing Mechanism 27/54

  31. Aligned Chunk Freeing Mechanism Since Segment Heap introduction, all checks are gone 28/54

  32. POOL_HEADER Aligned Chunk Confusion Overwrite PreviousSize and PoolType of next chunk to change it into a CacheAligned chunk Trigger free of overwritten chunk, but actually frees controlled Leverage DynamicLookaside to reuse the created chunk 29/54

  33. Plan Windows Pool 101 1 2 Exploiting a Heap Overfmow 3 Exploitation 4 Conclusion

  34. Notice Goals Demonstrate exploitation technique Not vulnerability Setup Demo driver with dedicated fake vulnerability 30/54

  35. Aligned Chunk Confusion Exploitation Goals Leverage Aligned Chunk Confusion to elevate privilege Develop a generic exploitation technique That can work in PagedPool or NonPagedPoolNx That is independent of the size of the vulnerable chunk Overfmow primitive constraints Overfmow 1st and 4th byte of following POOL_HEADER Control allocation and free of vulnerable chunk 31/54

  36. Exploitation strategy 1 Leverage Aligned Chunk Confusion 2 Create a ghost chunk 3 Allocate an object in the ghost chunk 4 Overwrite this object to obtain read/write primitives 32/54

  37. Finding an object – Requirements Need objects that can be sprayed and that are interesting to control. Object properties Controlled allocation and free, to be sprayable Provides arbitrary read or write if fully user controlled Variable size, to be generic to any heap overfmow Object residence One in PagedPool One in NonPagedPoolNx 33/54

  38. LIST_ENTRY attribute_list; struct PipeAttribute { char * AttributeName; uint64_t AttributeValueSize; char * AttributeValue; char data[0]; }; Targeted object – PagedPool PipeAttribute Linked to a Pipe User controlled insertion and deletion Controlled size Provide arbitrary read Easy way to write data in kernel 34/54

  39. Exploitation strategy - updated 1 Overwrite next POOL_HEADER 2 Create a ghost chunk 3 Use PipeAttribute to get a leak and an arbitrary read 4 Use Quota Process Pointer Overwrite to get SYSTEM privileges Note Following example is only about PagedPool. But the same applies to NonPagedPoolNx with a different object. 35/54

  40. Shaping 36/54

  41. Creating the ghost chunk 37/54

  42. Creating the ghost chunk 38/54

  43. Creating the ghost chunk 39/54

  44. Getting a leak 40/54

  45. Getting a leak 41/54

  46. Getting an arbitrary read 42/54

  47. Getting an arbitrary read 43/54

  48. Getting an arbitrary read 44/54

  49. Getting an arbitrary read 45/54

  50. Exploitation - Arbitrary read We got an arbitrary read and a heap leak We can use it this to retrieve some values Value of ExpPoolQuotaCookie Address of self EPROCESS Address of self TOKEN And use a Quota Process Pointer Overwrite to get an arbitrary decrement ! 46/54

  51. Getting an arbitrary decrement 47/54

  52. Getting an arbitrary decrement 48/54

  53. Getting an arbitrary decrement 49/54

  54. Exploitation - Use the arbitrary decrement Use the arbitrary decrement twice by reallocating an refreeing the ghost chunk Decrement TOKEN.Prileges.Enabled Decrement TOKEN.Prileges.Present Provides SeDebugPrivilege to our process Debug a SYSTEM process and inject a shellcode 50/54

  55. DEMO 51/54

  56. Exploitation - Discussion Could use the same exploitation technique to achieve different outcomes (code execution, etc.) Not perfectly stable, spraying could be improved Tested on one version of Windows 10 only Offsets of ntoskrnl hardcoded, that can be easily fjxed using the arbitrary read https://github.com/synacktiv/Windows-kernel-SegmentHeap-Aligned-Chunk- Confusion 52/54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Its time to go scoop me some mud! Its time to go scoop me some mud! STOP

Its time to go scoop me some mud! Its time to go scoop me some mud! STOP

on ORK with Eric Chester at HOW TO IGNITE PASSION IN YOUR PEOPLE IGNITE PASSION WITHOUT BURNING THEM OUT Its time to go scoop me some mud! Its time to go scoop me some mud! STOP FISHING and START HUNTING HUNT SCHOOLS

479 views • 16 slides
Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security

Kernel Pool Exploitation on Windows 7 Tarjei Mandt | Black Hat DC 2011 About Me Security Researcher at Norman Malware Detection Team (MDT) Interests Vulnerability research Operating systems internals Exploit mitigations

2.17k views • 100 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster

The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster

The impact of Microsoft Windows pool allocation strategies on memory forensics Andreas Schuster Andreas Schuster / DFRWS 2008 2008-08-12 1 Introduction. A simulated attack. Attacker launches shell (cmd.exe) launches payload

511 views • 25 slides
PVC Swimming Pool Lin iners 1 PVC Swimming Pool Lin iners In ground pre-tailored pool liners A

PVC Swimming Pool Lin iners 1 PVC Swimming Pool Lin iners In ground pre-tailored pool liners A

PVC Swimming Pool Lin iners 1 PVC Swimming Pool Lin iners In ground pre-tailored pool liners A pool engineers guide to their manufacture, fitting and care An ISPE &amp; SPATA Workshop 2 Welcome 1. Background 2. The basics of

1.11k views • 84 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
SCOOP New Ocean Observing System for NDBC Craig A. Kohler, P.E. Chief of Engineering, NDBC

SCOOP New Ocean Observing System for NDBC Craig A. Kohler, P.E. Chief of Engineering, NDBC

SCOOP New Ocean Observing System for NDBC Craig A. Kohler, P.E. Chief of Engineering, NDBC Self-Contained Ocean Observations Payload (SCOOP) Background - Typical NDBC Buoy Met Data Self-Contained Ocean Observations Payload (SCOOP) Future

645 views • 20 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Pool::count Pool::grow() Pool::alloc() Pool_element_header Pool_element_header::next

Pool::count Pool::grow() Pool::alloc() Pool_element_header Pool_element_header::next

Pool::count Pool::grow() Pool::alloc() Pool_element_header Pool_element_header::next Pool::head Pool::free(void *) Pool Pool::purge() Block_pool_ATTLC::free() Block_header_ATTLC Block_header_ATTLC::next Block_pool_ATTLC::head

362 views • 12 slides
Section 2 Vernal Pool Slides Vernal Pools By Ava, Si, Leighton,and Cindy What is a Vernal Pool?

Section 2 Vernal Pool Slides Vernal Pools By Ava, Si, Leighton,and Cindy What is a Vernal Pool?

Section 2 Vernal Pool Slides Vernal Pools By Ava, Si, Leighton,and Cindy What is a Vernal Pool? A Vernal Pool is a pool that isnt always wet and consists of lots of special wild life. It provides habitat for unique plants and animals and

906 views • 35 slides
My Neck, My Back, My Neck and My Back: Airrosti Musculoskeletal Cost by Pool TAC Pool 2017 Paid

My Neck, My Back, My Neck and My Back: Airrosti Musculoskeletal Cost by Pool TAC Pool 2017 Paid

My Neck, My Back, My Neck and My Back: Airrosti Musculoskeletal Cost by Pool TAC Pool 2017 Paid Claims Health and Employee $24,988,191.99 Benefits Pool Risk Management Pool $9,600,234.64 Diagnoses (Health Pool ) Nature of Injury (Risk Mgt Pool)

358 views • 20 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Th The Sco e Scoop op abo about ut Poo oop: p: San anita itation tion Les essons sons

Th The Sco e Scoop op abo about ut Poo oop: p: San anita itation tion Les essons sons

Th The Sco e Scoop op abo about ut Poo oop: p: San anita itation tion Les essons sons from om WAS ASHp Hplus lus Renuka Bery FHI 360 October 29, 2015 This presentation is made possible by the generous support of the American

1.16k views • 9 slides
Geometry and Integrable Billiards Vladimir Dragovi c GFM University of Lisbon / Mathematical

Geometry and Integrable Billiards Vladimir Dragovi c GFM University of Lisbon / Mathematical

The Articles Outline Preliminaries Billiard Algebra on A Theorems of Poncelet Type Continued Fractions Approximation Geometry and Integrable Billiards Vladimir Dragovi c GFM University of Lisbon / Mathematical Institute SANU, Belgrade

656 views • 54 slides
The pool next to the ocean How to bring open source skills to more people Johannes Tigges

The pool next to the ocean How to bring open source skills to more people Johannes Tigges

The pool next to the ocean How to bring open source skills to more people Johannes Tigges @lenucksi The pool next to to the ocean Johannes Tigges FOSDEM 2020 Bondi Icebergs swimming pool. Corvevette CC Attribution-Share Alike 3.0

270 views • 23 slides
! Belohlavek R., Trnecka M. (DAMOL) Basic Level of Concepts April 11, 2013 1 / 21 Motivation

! Belohlavek R., Trnecka M. (DAMOL) Basic Level of Concepts April 11, 2013 1 / 21 Motivation

Basic Level of Concepts in Formal Concept Analysis Radim Belohlavek, Martin Trnecka Palacky University, Olomouc, Czech Republic ! ! ! Belohlavek R., Trnecka M. (DAMOL) Basic Level of Concepts April 11, 2013 1 / 21 Motivation Belohlavek

1.01k views • 21 slides
Competition performances are related to technique test measures in elite rifle shooters Simo

Competition performances are related to technique test measures in elite rifle shooters Simo

Competition performances are related to technique test measures in elite rifle shooters Simo Ihalainen KIHU Research Institute for Olympic Sports University of Jyvskyl, Department of Biology of Physical Activity 16.9.2016 BACKGROUND

270 views • 11 slides
W HAT S N EXT ? T HE MATHEMATICAL LEGACY OF B ILL T HURSTON Cornell, June 24, 2014 1 /

W HAT S N EXT ? T HE MATHEMATICAL LEGACY OF B ILL T HURSTON Cornell, June 24, 2014 1 /

Lyapunov exponents of the Hodge bundle and diffusion in periodic billiards Anton Zorich W HAT S N EXT ? T HE MATHEMATICAL LEGACY OF B ILL T HURSTON Cornell, June 24, 2014 1 / 40 0. Model problem: diffusion in a periodic billiard

1.18k views • 99 slides
Pseudo-integrable billiards and arithmetic dynamics Vladimir Dragovi c University of Texas at

Pseudo-integrable billiards and arithmetic dynamics Vladimir Dragovi c University of Texas at

Pseudo-integrable billiards and arithmetic dynamics Vladimir Dragovi c University of Texas at Dallas joint work with Milena Radnovi c Tex AMP, Rice University, Houston October 26, 2013 V. Dragovi c, M. Radnovi c, Bicentennial of

489 views • 22 slides
There exists a weakly mixing billiard in a polygon Jon Chaika University of Utah June 11, 2020

There exists a weakly mixing billiard in a polygon Jon Chaika University of Utah June 11, 2020

There exists a weakly mixing billiard in a polygon Jon Chaika University of Utah June 11, 2020 Joint with Giovanni Forni Billiard in a polygon, Q Rules: Point mass in the polygon. Billiard in a polygon, Q Rules: Point mass in the

1.17k views • 81 slides
Knudsen billiards and random walks in random environment with unbounded jumps Random billiards

Knudsen billiards and random walks in random environment with unbounded jumps Random billiards

Random billiards with cosine reflection law Stationary random tube: quenched invariance principles Finite tube: crossing probabilities and crossing time Knudsen billiards with drift A strongly transient RWRE with unbounded jumps Knudsen

761 views • 29 slides

More recommend