Win32k Dark Composition: Attacking the Shadow Part of Graphic Subsystem (PowerPoint PPT Presentation)





Win32k Dark Composition

Attacking the Shadow Part of Graphic Subsystem

@360Vulcan Team Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf)


About Us

  • Members of the 360 Vulcan Team, Windows kernel security researchers
  • Pwn2Own winners 2016: pwned Chrome, pwned Flash
  • PwnFest winners 2016: pwned Edge, pwned Flash
  • Pwn2Own winners 2015: pwned IE


Agenda

  • Direct Composition Overview
  • 0day & Exploitation
  • Fuzzing
  • Mitigation & Bypass

Direct Composition Overview

  • High-performance bitmap composition graphics engine with transforms, effects and animations
  • Introduced in Windows 8.
  • Works on top of DWM (desktop window manager).


Direct Composition Architecture

(Diagram: on the userland side, dcomp and dwmcore; the DirectComposition CApplicationChannel and its visuals are marshaled as CExpressionMarshaler, CFilterEffectMarshaler, CScaleTransformMarshaler, ... and submitted to the kernel side, DWM (desktop window manager) and DXGK (DirectX graphics kernel), via syscalls.)


Significant changes since Win10 RS1

  • Kernel implementation changed
  • Interfaces changed: lots of interfaces removed (10+?), lots of functions rewritten (not vulnerability fixes), some interfaces added, e.g.:


Before Win10 RS1

The functions existed independently, and some were in the win32k filter table.

Since Win10 RS1

All included in

This function is outside the win32k filter list.


Why attack DirectComposition

  • Reachable from an AppContainer and outside the win32k filter
  • This part is implemented in C++ in the kernel
  • Introduced in Windows 8, and not a focus of other researchers, !!!as far as we know!!!


Important functions


Channel Object

  • Known as the Device Object in the user-mode interface
  • Owner of resources; used to create resources
  • pArgSectionBaseMapInProcess returns a batch buffer we need later


Resource Object

  • Known as a visual in the user-mode interface
  • Similar to a win32k surface
  • It has a lot of types:

CScaleTransformMarshaler CTranslateTransformMarshaler CRectangleClipMarshaler CBaseClipMarshaler CSharedSectionMarshaler CMatrixTransformMarshaler CMatrixTransform3DMarshaler CShadowEffectMarshaler ...


Batch Buffer

  • Associated with a channel
  • Returned from NtDCompositionCreateChannel
  • NtDCompositionProcessChannelBatchBuffer parses it
  • This function supports a lot of commands

How to fuzz


By default the probability is 1; we increase those functions' probability to 100.

  • They need a channel, we give them one.
  • They need a resource, we give them one.
  • If we do not know what they want, give them a random one.
0day & Exploitation

Resource Double free (CVE-2017-XXXX)


Root Cause

Freeing the resource (visual)'s property buffer forgets to clear resource->DataBuffer, so the same buffer is freed again when the resource itself is freed.

First time free


Second time free
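To make that root cause concrete, here is an added C model of the two free paths (constructed for this write-up, not the deck's or win32k's code): Resource, DataBuffer and the pool are stand-ins, and the pool counts a second free of the same slot instead of corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-in for the slide's resource object (names assumed, not win32k's). */
typedef struct { unsigned char *DataBuffer; size_t DataSize; } Resource;

/* Tiny instrumented pool in place of the kernel heap: a free of a slot that is
 * already free is counted instead of corrupting anything. */
#define POOL_SLOTS 4
static unsigned char pool_mem[POOL_SLOTS][64];
static bool pool_busy[POOL_SLOTS];
static int double_free_count;

static unsigned char *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_busy[i]) { pool_busy[i] = true; return pool_mem[i]; }
    return NULL;
}
static void pool_free(unsigned char *p) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (p != pool_mem[i]) continue;
        if (!pool_busy[i]) double_free_count++;  /* second free of one slot */
        pool_busy[i] = false;
    }
}

/* Vulnerable property-free path: buffer released, pointer left dangling. */
void free_property_vulnerable(Resource *r) { pool_free(r->DataBuffer); }

/* Fixed path: clear pointer and size so the destructor skips the buffer. */
void free_property_fixed(Resource *r) {
    pool_free(r->DataBuffer);
    r->DataBuffer = NULL;
    r->DataSize = 0;
}

/* Destructor path from the slide: frees whatever DataBuffer still holds. */
void destroy_resource(Resource *r) {
    if (r->DataBuffer != NULL) pool_free(r->DataBuffer);
    r->DataBuffer = NULL;
}

/* Runs alloc -> property free -> destroy with the chosen property-free path and
 * returns how many double frees the pool observed. */
int simulate(void (*free_property)(Resource *)) {
    double_free_count = 0;
    for (int i = 0; i < POOL_SLOTS; i++) pool_busy[i] = false;
    Resource r = { pool_alloc(), sizeof pool_mem[0] };
    free_property(&r);
    destroy_resource(&r);
    return double_free_count;
}
```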

Exploitation

(Diagram, first time free: Res1 ResY Res2 Res3 Res4 ... -> free ResY -> Res1 [palette] Res2 Res3 Res4 ..., the hole is occupied with a palette -> the palette is freed.)

(Diagram, second time free: Res1 [ResX] Res2 Res3 Res4 ..., the hole is occupied with ResX.)


Modify palette->pEntries to what you want when:

  • Occupying the palette with a ResourceBuffer (palette->pEntries -> ResX->DataBuf: xxxxx)
  • Occupying the second time: content replace (palette->pEntries -> bitmap->pScan0)

Usually, cover palette1->pEntries with a bitmap address.


Read & Write primitive; replace the process token; exploited.


Fix BSOD

  • We finished the privilege escalation, but got a BSOD when the process exits
  • There is still a double free of either the Palette or ResX's DataBuffer, because they share the same kernel buffer
  • The double free happens while the process handle table is cleared on process exit
  • The palette handle is closed first, the Resource handle next
  • So? We must clear ResX->DataBuffer or remove ResX's handle from the handle table before the process exits


Clear ResX->DataBuffer

  • It's a binary tree structure; search the binary tree to find the channel the Resource belongs to.
  • The channel handle table is located in: _EPROCESS->Win32Process->GenericTable

(Diagram: GenericTable -> channel1, channel2, channel3, channel4, channel5)

  • 1. Locate ResX's address
  • 2. Locate the channel's address

The resource address is stored in the channel's resource table.


The resource table in the channel is implemented as an array.

Clear it: void* ptrNull = 0; AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull);


BagMarshaler Integer overflow (CVE-2016-XXXX)


Root cause

Integer overflow in the check dataOffset < DataSize-0xc: when DataSize < 0xc the unsigned subtraction wraps.

If (dwOffset < (DWORD)(0x1-0xc)) { if (DataBuffer[dwOffset]==0x66) { DataBuffer[dwOffset+0xc]=xxxx; } }

  • By default, this->DataBuffer==NULL && this->DataSize==0
  • Write anywhere on an x86 system.
  • Not so easy on an x64 system.
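The wrap in that bounds check, isolated as an added C example (constructed here, not the deck's code): the vulnerable comparison from the slide's pseudo-code beside a form that cannot wrap, plus the handler rebuilt around the safe check. The 4-byte write width and the PropertyBag names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout from the slide: a tag byte is read at DataBuffer[offset] and a value
 * is written at DataBuffer + offset + 0xc. The 4-byte write width is an
 * assumption made here, not something the slide states. */
#define TAIL_OFFSET 0xcu
#define WRITE_SIZE  4u
/* Vulnerable check, as in the slide's pseudo-code:
 *     if (dwOffset < (DWORD)(DataSize - 0xc)) ...
 * Both operands are unsigned, so with DataSize < 0xc the subtraction wraps
 * to a value near 0xFFFFFFFF and every offset passes. */
bool offset_check_vulnerable(uint32_t data_size, uint32_t offset) {
    return offset < (uint32_t)(data_size - TAIL_OFFSET);
}

/* Hardened check: refuse buffers too small to hold the tail at all, then test
 * offset + 0xc + WRITE_SIZE <= data_size in a form that cannot wrap. */
bool offset_check_fixed(uint32_t data_size, uint32_t offset) {
    if (data_size < TAIL_OFFSET + WRITE_SIZE) return false;
    return offset <= data_size - (TAIL_OFFSET + WRITE_SIZE);
}

/* Constructed stand-in for the property-bag object (names are assumptions). */
typedef struct { uint8_t *DataBuffer; uint32_t DataSize; } PropertyBag;

/* The handler rebuilt around the hardened check: 1 if the value was written,
 * 0 if the request was rejected. NULL buffer and zero size are rejected too. */
int set_property_fixed(PropertyBag *bag, uint32_t offset, uint8_t tag, uint32_t value) {
    if (bag->DataBuffer == NULL || !offset_check_fixed(bag->DataSize, offset)) return 0;
    if (bag->DataBuffer[offset] != tag) return 0;
    memcpy(bag->DataBuffer + offset + TAIL_OFFSET, &value, sizeof value);
    return 1;
}

/* Self-check on a constructed 0x20-byte buffer: the tagged slot at 0x10 is
 * written, and an offset the wrapped check would accept is refused. */
int demo_fixed_write(void) {
    uint8_t buf[0x20] = {0};
    uint32_t readback = 0;
    PropertyBag bag = { buf, sizeof buf };
    buf[0x10] = 0x66;
    if (!set_property_fixed(&bag, 0x10, 0x66, 0x41424344u)) return 0;
    memcpy(&readback, buf + 0x10 + TAIL_OFFSET, sizeof readback);
    if (readback != 0x41424344u) return 0;
    return set_property_fixed(&bag, 0x1000, 0x66, 1u) == 0;
}
```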

Exploitation:

1. this->DataBuffer must not be NULL
2. this->DataSize < 0xC && this->DataSize != 0
3. *(this->DataBuffer + inbuf->offset) == (0x45 or 0x66)


1. this->DataBuffer must not be NULL

We can call CPropertyBagMarshaler::SetBufferProperty(...) with property==2 to allocate a buffer, which is then stored in this->DataBuffer.


*(this->DataBuffer + inbuf->offset) == (0x45 or 0x66)

Spray lots of bufferX so that a bufferX lands behind this->DataBuffer (layout: DataBuffer | bufferX ...).

Calculate the inbuf->offset value; it must satisfy:

  • (DataBuffer+offset) lands in bufferX (at bufferX->Field1)
  • bufferX->Field1 must be modifiable from user mode; set it to (0x45 or 0x66)
  • (DataBuffer+offset+0xc) lands in bufferX, and it must be exploitable.

(Diagram: DataBuffer | bufferX ..., with Offset -> Field1 and Offset+0xc -> Field2)


Fortunately, we found that the bitmap satisfies this case perfectly.

(Diagram: DataBuffer | bitmap ..., with Offset -> Height and Offset+0xc -> pScan0)

Now bitmap->pScan0 has been changed to the value we set, so we have a Read/Write primitive:

  • 1. GetBitmapBits(....)
  • 2. SetBitmapBits(....)

Replace the process token, exploited!


Compiler Warning?

WARNING!!

Mitigation & Bypass

Objects with read/write ability

  • 1. tagWND abuse

Write what? tagWND.strName? (UNICODE_STRING)

GetWindowText? NtUserDefSetText?

Unfortunately, the destination address is validated when written to: only the desktop heap range is legal.


Maybe

  • 2014: Pwn2Own, KeenTeam used it once. HackingTeam leaked a 0day. Someone wrote it up in a public paper.
  • 2015.3: Pwn2Own, we used it twice. Pwn2Own, KeenTeam used it once.
  • 2016.3, 2016.8

  • 2. Bitmap abuse

  • 2016.10: We used the Accelerator object to guess the bitmap object address. Then we used it twice again at PwnFest. The CoreSecurity guys released a paper talking about it.


14393 VS 15xxx:


A New way


But only the objects which are allocated on the desktop heap:

  • 1. Window
  • 2. Menu
  • 3. InputContext
  • 4. CallProc

Limitation

But it is enough; I believe you guys could find something useful!!


We are just on the way. Thank you.