win32k dark composition
play

Win32k Dark Composition Attacking the Shadow Part of Graphic - PowerPoint PPT Presentation

Dec 11, 2023 •730 likes •1.29k views

Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf) @360Vulcan Team About US Member of 360 vulcan team. Windows kernel security researcher Pwn2Own winners 2015 .pwned IE pwn2own

  1. Win32k Dark Composition Attacking the Shadow Part of Graphic Subsystem Peng Qiu (@pgboy) SheFang Zhong (@zhong_sf) @360Vulcan Team

  2. About US Member of 360 vulcan team. Windows kernel security researcher Pwn2Own winners 2015 .pwned IE pwn2own 2015 Pwn2Own winners 2016 .pwned Chrome pwn2own 2016 .pwned Flash pwn2own 2016 Pwnfest winners 2016 .pwned Edge PwnFest 2016 .pwned Flash PwnFest 2016

  4. Agdenda Direct Composition Overview 0day & Exploitation Fuzzing M itigation & Bypass

  5. Direct Composition Overview • High-performance bitmap composition with transforms, effects and animations graphic engine • Introduced from windows 8. • Working based on dwm(desktop windows manager).

  6. Direction Composition Architecture dwmcore dcomp . . . userland kernel CExpressionMarshaler CFilterEffectMarshaler CScaleTransformMarshaler . . . visual CApplicaAonChannel DirectComposiAon submit DWM (desktop windows manager) call DXGK (directX graphic kernel)

  7. Significant Change since win10 RS1 • kernel implement changed Lots of funcAon has been rewrite, not fix vuln • Interface changed Remove lots of interface. 10+? Add some interface. eg:

  8. Before win10 RS1 Exist independently and some in the win32k filter table This func1on is out of Win32k filter list � Since win10 RS1 all included in

  10. Why attack DirectComposition • Reachable in AppContainer and out of win32k filter • This part implement with c++ in kernel • Introduced from windows 8, ever been focus by another researchers, !!!as far as we know!!!

  11. Important functions

  12. Channel Object • know as Device Object in user interface • owner of resource, use to create resource • pArgSec(onBaseMapInProcess return a batch buffer we need later

  13. � Resource Object • know as visual in user interface • similar to win32k surface • It has a lots of types. CScaleTransformMarshaler CTranslateTransformMarshaler CRectangleClipMarshaler CBaseClipMarshaler CSharedSecAonMarshaler CMatrixTransformMarshaler CMatrixTransform3DMarshaler CShadowEffectMarshaler . . .

  14. Batch Buffer • Associate with a channel • Returned from NtDComposiAonCreateChannel • NtDComposiAonProcessChannelBatchBuffer parse it • This funcAon support a lot of commands

  16. How to fuzz

  17. By default is 1, we increase those funcAon’s probability to 100. �

  19. • They need a channel we give them one. • They need a resource we give them one. • If we do not known what they want, give them a random one.

  20. 0day & Exploition �

  21. Resource Double free (CVE-2017-XXXX)

  22. Root Cause Free the resource(visual)'s property buffer forget to clear resource->Databuffer. result in free again when resource is free First time free

  24. Second time free

  25. Exploition Free this one First time free Res1 Res2 Res3 Res4 … ResY Occupy with palette palette Res1 Res2 Res3 Res4 … Free palette Second time free palette Res1 Res2 Res3 Res4 … Occupy with ResX ResX Res1 Res2 Res3 Res4 …

  26. Modify the palette->pEntries to what you want when occupy palette with a ResourceBuffer palette pEntries Content Replace xxxxx ResX- >DataBuf occupy second time Usually, cover palette1->pEntries to a bitmap address pEntries pScan0 bitma palette p

  27. Read & Write primity Replace process token, exploited

  28. Fix BSOD • We finished privilege escalation, but BSOD when process exit • There still has double either Palette or ResX's DataBuffer, because they share the same kernel buffer • Double free happened in clear process handle table when process exit • Close palette handle first, Resource handle next • So? must clear ResX->DataBuffer or remove ResX handle from handle table before process exit

  29. Clear ResX->DataBuffer 1. Locate ResX address Resource address store in channel's resource table GenericTable 2. Locate channel address channel1 • Channel handle table locate in: _EPROCESS->Win32Process->GenericTable channel2 channel3 • It's a binary tree struct, search the binary tree to find the channel that Resource belongs to. channel4 channel5

  30. Resource table in channel implement as a array Clear void* ptrNull=0; AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull);

  32. BagMarshaler Integer overflow (CVE-2016-XXXX)

  33. Root cause Integer overflow while dataOffset < DataSize-0xc if DataSize < 0xc Exploitation : If (dwOffet < (DWORD)(0x1-0xc)) { • By default,this->Databuffer==NULL && this->DataSize==0 if (DataBuffer[dwOffset]==0x66) { • Write anywhere in x86 system. DataBuffer[dwOffset+0xc]=xxxx; • Not so easy in x64 system. } 1.this->Databuffer must not NULL } � 2.this->DataSize < 0xC && this->DataSize!=0 3.*(this->Databuffer + inbuf->offset)==(0x45 or 0x66)

  34. 1.this->Databuffer must not NULL we could call CPropertyBagMarshaler::SetBufferProperty(...) with property==2 to alloc a buffer, then store in this->DataBuffer

  35. *(this->DataBuffer+inbuf->offset)==(0x45 or 0x66) Spray lots of bufferX to enable that bufferX behind this->DataBuffer DataBuffer bufferX bufferX ... Calc inbuf->offset value, it must be saAsfy: • (Databuffer+offset) locate in bufferX, ( bufferX->Filed1 ) bufferX->Flied1 must be modifyable from usermod, set it to (0x45 or 0x66) • (Databuffer+offset+0xc) locate in bufferX, and it must be exploitable. • 0xc DataBuffer Flied 1 Flied2 ... bufferX Offset

  36. Fortunately, we found bitmap saAsfy this case perfectly 0xc pScan0 Height DataBuffer ... bitmap Offset Now, bitmap->pScan0 has benn changed to the value we set. so we got Read/Write primary 1. GetBitmapbits (....) 2. SetBitmapbits (....) Replace ps token, exploited !

  37. Complier Warning? WARNING!! �

  39. Mitigation & bypass �

  40. Read/Write ability object

  41. 1. tagWND abuse Write what? tagWND.strName ? (UNICODE_STRING) GetWindowText ? NtUserDefSetText ? Unfortunately, the destination address has been modify when write to, just desktop heap range is legal.

  42. 2.BITMAP ABUSED 2016.10 2014 2016.3 We use Acclerator Object To Guess Bitmap Object Address. Then We used Pwn2Own: We used Twice. Twice again in PwnFast. Maybe Pwn2Own: KeenTeam used Coresecurity guys release a paper to Once. talk about is. 2015.3 2016.8 Pwn2Own:KeenTeam used once. HackingTeam leaked 0day. Someone write it to a public paper

  46. 14393 VS 15xxx: �

  49. A New way

  51. limitation But Only The Object which Allocate at desktop heap: 1. Window 2. Menu 3. InputContext 4. CallProc But It is enough, I believe you guys could find something useful!! �

  54. We are just on the way. Thank you.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dark Matter A simple model for the Universe Standard model: homogeneous, isotropic,

Dark Matter A simple model for the Universe Standard model: homogeneous, isotropic,

Dark Matter A simple model for the Universe Standard model: homogeneous, isotropic, expanding Universe Astronomers time unit: redshift z [z+1: inverse of expansion factor] Simple composition: Dark Energy Dark Matter

789 views • 39 slides
Alternatives to Dark Energy and Dark Matter and their implications Evidence for Dark Energy and

Alternatives to Dark Energy and Dark Matter and their implications Evidence for Dark Energy and

Alternatives to Dark Energy and Dark Matter and their implications Evidence for Dark Energy and Dark Matter Modified Gravity Models and their observational implications Orfeu Bertolami Instituto Superior Tcnico Departamento de Fsica

610 views • 46 slides
Automated Web Service Composition in Practice: from Composition Requirements Specification to

Automated Web Service Composition in Practice: from Composition Requirements Specification to

Outline Automated Web Service Composition The Amazon-MPS Case study Conclusions and Future Works Automated Web Service Composition in Practice: from Composition Requirements Specification to Process Run. Annapaola Marconi , Marco Pistore and

730 views • 59 slides
Composition vs. Inheritance, Cloud Computing, and REST-based Architectures Reid Holmes Store

Composition vs. Inheritance, Cloud Computing, and REST-based Architectures Reid Holmes Store

Material and some slide content from: - Atif Kahn SERVICES COMPONENTS OBJECTS MODULES Composition vs. Inheritance, Cloud Computing, and REST-based Architectures Reid Holmes Store Example Starbucks example Beverages: house, dark

288 views • 26 slides
Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al

Framework for Metric Composition + Spatial Composition of Spatial Composition of Metrics Al Morton + many others M March, 2008 h 2008 draft-ietf-ippm-framework-compagg-06.txt Overall Framework (includes common concepts and concepts and

257 views • 9 slides
Search for Dark Matter in the Lab. A personal bit of history OR from Dark MatterWhats

Search for Dark Matter in the Lab. A personal bit of history OR from Dark MatterWhats

Search for Dark Matter in the Lab. A personal bit of history OR from Dark MatterWhats that?? to Dark MatterWhat is it?? Transition was not easy Until mid-80s particle physicists never heard of DMand couldnt care less

424 views • 18 slides
Idea: why not directly couple dark energy and dark matter? Ein eqn : G = 8 GT

Idea: why not directly couple dark energy and dark matter? Ein eqn : G = 8 GT

Interacting Dark Energy [Kodama &amp; Sasaki (1985), Wetterich (1995), Amendola (2000) + many others ] Idea: why not directly couple dark energy and dark matter? Ein eqn : G = 8 GT General covariance : G = 0

537 views • 27 slides
Beyond Dark Matter and Dark Energy Sean Carroll Beyond Dark Matter and Dark Energy Sean Carroll,

Beyond Dark Matter and Dark Energy Sean Carroll Beyond Dark Matter and Dark Energy Sean Carroll,

Beyond Dark Matter and Dark Energy Sean Carroll Beyond Dark Matter and Dark Energy Sean Carroll, Caltech 70% dark energy We think that 95% of the universe is dark. But what if gravity is tricking us? 5% ordinary 25% dark matter matter

632 views • 47 slides
DARK MATTER IN DSPH Paolo Salucci (&amp; G. Gilmore) SISSA (Oxford) Outline of the Review Dark

DARK MATTER IN DSPH Paolo Salucci (&amp; G. Gilmore) SISSA (Oxford) Outline of the Review Dark

DARK MATTER IN DSPH Paolo Salucci (&amp; G. Gilmore) SISSA (Oxford) Outline of the Review Dark Matter is main protagonist in the Universe The concept of Dark Matter in virialized objects Dark Matter in Spirals, Ellipticals, dSphs Dark and

551 views • 28 slides
Lecture 3 WIMPs as dark matter WIMPs with a new mediating force Dark

Lecture 3 WIMPs as dark matter WIMPs with a new mediating force Dark

Lecture 3 WIMPs as dark matter WIMPs with a new mediating force Dark photon as a mediator of a dark force Chasing anomalies with light new particles: galactic positrons, muon g-2, charge radius problem, etc

616 views • 35 slides
JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave &amp; Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave &amp; Piano

JLO Composition for Voice, Iyl, Gngan, kb, Agogo, Skr , Clave &amp; Piano Ay Olrnt Music Composition &amp; Theory University of Pittsburgh USA A Symposium &amp; Festival Bridging Musicology &amp; Composition:

553 views • 16 slides
Dark matter and its implications at the LHC Conclusions . Numerical Calculation Motivation MC

Dark matter and its implications at the LHC Conclusions . Numerical Calculation Motivation MC

. . . . . . . . . Dark matter Sep 8, 2012 Dark matter implications at the LHC Zhao-Huan YU (IHEP) Sep 8, 2012 Institute of High Energy Physics, CAS Work in progress with Xiao-Jun BI, Qi-Shu YAN and Peng-Fei YIN Dark matter and its

340 views • 21 slides
AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and

AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and

AP VS DE ENGLISH 11 th : AP Language and Composition or DE 111 and 112 12 th : AP Literature and Composition or DE 243 and 244 11 th grade AP English Language and DE 111 and 112: Composition Composition Credit: 1 Unit; GPA bump

620 views • 7 slides
Searching for the Dark Matter Wind: a Novel Approach to Dark Matter Detection Jocelyn Monroe, MIT

Searching for the Dark Matter Wind: a Novel Approach to Dark Matter Detection Jocelyn Monroe, MIT

Searching for the Dark Matter Wind: a Novel Approach to Dark Matter Detection Jocelyn Monroe, MIT Imperial College HEP Seminar November 8, 2007 Outline The Dark Matter Wind Dark Matter Search Strategy Directionality Where We Are Now: DMTPC

628 views • 59 slides
Dark Energy: Observations Gil Holder Outline How dark energy affects cosmological

Dark Energy: Observations Gil Holder Outline How dark energy affects cosmological

Dark Energy: Observations Gil Holder Outline How dark energy affects cosmological observables a(t) =&gt; distances(z), growth of structure(z) Dark energy probes cosmic microwave background supernovae (type IA) galaxy

961 views • 45 slides
What are dark forces? The universe appears to be filled with cold dark matter, which could be a

What are dark forces? The universe appears to be filled with cold dark matter, which could be a

Searching for dark forces with D ARK L IGHT at the Jefferson Laboratory Free Electron Laser Rebecca Russell, MIT July 25, 2011 19th Particles &amp; Nuclei International Conference What are dark forces? The universe appears to be filled with

161 views • 15 slides
Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Implications of early LHC Results Fermilab CMS limits CMS E XOTICA LQ1, =0.5 LQ1, =1.0

Toward an Energy Frontier Muon Collider Fermilab Estia Eichten Fermilab The Long View Return to the Energy Frontier Staging Physics Milestones Summary 2013 Community Summer Study Snowmass on the Mississippi University of

282 views • 24 slides
Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17,

Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17,

Functional Pearl: Four slot asynchronous communication mechanism Matthew Danish September 17, 2013 Introduction Low-level systems programming with dependent types Simpson, 1989. Four slot fully asynchronous communication mechanism .

703 views • 24 slides
Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V

Design and Implementatjon of a Dynamic Informatjon Flow Tracking Architecture to Secure a RISC-V Core for IoT Applicatjons Christjan Palmiero , Giuseppe Di Guglielmo , Luciano Lavagno , Luca P. Carloni Politecnico Di Torino

218 views • 18 slides
Lisa Randall, Harvard University Entering LHC Era Entering LHC Era Many challenges as LHC

Lisa Randall, Harvard University Entering LHC Era Entering LHC Era Many challenges as LHC

Lisa Randall, Harvard University Entering LHC Era Entering LHC Era Many challenges as LHC approaches Many challenges as LHC approaches Critical questions: Critical questions: Are we optimizing existing searches? Are we

560 views • 44 slides
Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work

Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work

Runtime Monitoring of Object Invariants with Guarantees Sriram Rajamani, MSR India (joint work with Madhu Gopinathan, Indian Institute of Science) Object invariants interface Key{ //this &lt; k? boolean Less(Key k); } class Node { Key

637 views • 31 slides
QWR cavities for HIE-ISOLDE project Silvia Teixeira K. Artoos, A. Miyazaki, G. Rosaz, K.Schirm,

QWR cavities for HIE-ISOLDE project Silvia Teixeira K. Artoos, A. Miyazaki, G. Rosaz, K.Schirm,

The surface impedance of Nb/Cu coated QWR cavities for HIE-ISOLDE project Silvia Teixeira K. Artoos, A. Miyazaki, G. Rosaz, K.Schirm, A.Sublet, M. Therasse, W.Venturini Delsolaro Outline HIE-ISOLDE Project Quarter-Wave Resonator

225 views • 18 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
t P

t P

t P rs r s t r t

464 views • 29 slides

More recommend