Rafal Wojtczuk: LoL (Layers on Layers) - Bypassing Security for Fun and Profit V2

good morning everyone my name is Rafa vagyok I work for the company name bromium and this talk is titled layers on layers by passing endpoint security we will talk about Mariah's endpoint security solutions and they come on balance more specifically the agendas will start about explaining the difference between kernel mode and user mode execution I hope you all know more or less about you so just quick introduction then again i will do a little bit on why Colonel exploits are important and relevant especially nowadays and then we'll go through all this nice acronyms AV image maps and boxy deep safe hips and we'll just try to figure out how these security solutions relate to problems with

Colonel exploits okay so different between come about in user mode so it's all rooted in the hardware from hardware perspective Intel compatible CPUs have for privilege levels named drinks and numbered from 0 to 3 most of the operating system use only two of them ring 0 and rings three innings 0 with the privileged one effectively there is no restrictions on what ring 0 God code can do to the rest of the system and that's why the colonel part of the operating system that needs all the privileges needs to talk to the hardware must execute with ring 0 privileges so that's that's when Colonel Ellis and ring 0 is a non privileged mode of execution right and all the user

application browsers spreadsheets whatever live in ring ring free and again because it's unprivileged it can do only what ring 0 allows it to do or configure it to do so for instance particularly ring 3 code cannot access the memory used by ring 0 code directly it's it's not allowed and that's why ring 0 code is protected from malicious links and it also means that all the security controls access controls etc should live in ring 0 which is protected from malicious rings ago so really quick interaction ok so we say ring 0 is privileged all-powerful so no wonder that malicious code attackers would like to get a very key to execute code in this mode in this all-powerful mode

however normally kernel is not exposed directly to the malicious payload from the attacker usually attacker interacts directly with some application like a browser or office application so stages of an attack when we talk about Colonel exploits usually involve these three steps first attacker means to achieve code execution in context of the user mode application so it for instance you craft some malformed HTML file we just passed the browser and then you exploit a browser you have ability to run arbitrary code and then once we have it we can prepare and run special user mode code that interacts with the colonel and try to exploit vulnerability in it and as as a result get ability to run

arbitrary kernel mode code and then the purpose of the exercise is ability to run something useful in in the in the kernel mode to do something useful with disability and again these three steps of attacks are pretty common nowadays especially for skilled attackers if you look at some high-profile events for instance like bound to own at consequence similar things this pattern is in all the time when when trying to for instance get full bypass of the security imposed by the browser sandbox etc and for instance mwr guys are pretty effective at it so you can talk to them about it okay so let's assume we already managed to be able to run arbitrary code in the context of the colonel so what we

should should we do and depends on the goal and the most typical scenario is that all we do we just grant the calling user mode process the highest possible privileged in user mode so the system token and we just returned to decisional process so that's that's how it goes we start with some CMD shell that's not privileged it runs some low privileged user we run an exploit code and then suddenly kadam we run as anti-authority system and again this is the highest possible user mode privilege this particular tool I wrote for the purpose of this presentation to exercise a couple of things see more of it later so again if you look for instance that

public exploits related to the carnival Rob youjizz ninety-nine percent of the time you see this all an attacker needs from a camera payload is to grant highest possible privilege to the user mode and it usually is enough especially when there is no other security software running the problem is that many people have become very fixed on this pattern of exploitation that they think it's one to one relationship but whenever you have an elaborately and cannot exploit you have to do this elevation of usable process and that's totally not true it's totally the other way around again once we have ability to run arbitrary code in in kernel mode we can essentially do anything particularly again once we have

ability to run code in kernel mode all the security measures implemented in camel or in the user mode can be bypassed and one obvious reason why it is possible is that as I mentioned before kernel memory is protected from malicious user mode by page tables but there is no way to protect kernel memory or kernel code from itself right so once an attacker has ability to run code in the kernel mode it can do anything it wants with all the code running in the colonel it can overwrite it with schnapps it can zero it out completely or can force your favorite security solution to compute like 1 million digits of pi number simply there is there is no barrier anymore at least

that the theory because in reality you cannot just you know not out wipe out all the executable code running in the colonel for instance um kernel driver because the system would probably crash so in reality it's non-trivial to actually disable completely a given security solution say hips or whatever because what you would have to do is to thoroughly reverse-engineer its internals learn how the code operates which have the ways that you can disable it all together and it takes a little bit more time and it's really dull job because it's specific to a single security solutions might be even bound a particular version of the software so it's not much much interesting it's possible though in principle what's more

interesting is that there are a couple of methods which are generic that should work against almost all security solutions and even though they do not disable it complete your toki wipe it out from the system they're good enough to break some protection methods and these are the most most interesting and it is what I would like to talk about so again just remember this single sentence from the whole presentation that once you are in the kernel mode all security protections methods that are in kernel mode are gone and for the majority of the presentation we'll just talk about a few generic methods which may not be complete but can be sufficiently effective and again such methods are

well known in the literature the oldest one i found was just clearing her callback tables so essentially make the water blind so how it works for instance again let's think about typical hips scenario the hips kernel driver would like to know whenever a new process is created right so it can hook it inspected cetera so the common way to do it is to register a call back with a colonel using certain API so that's saying dear Colonel please let me know another new process is created and because this API is well defined the malware running in kernel mode can match the data structures used by the api's it can simply clear all registered colonel called Commerce and it's very easy

malware actually does it there are examples of it and the effect is that again the suit is this security product no longer receive notifications on the colonel so it's still resides in the memory but it gets no events from the colonel so essentially it gets blind I think the unreal rootkit work was the first one to include another generic technique is migration of code injection tar Beach our user mode processes so again we're not trying to talk you wipe out a given security solution from the system instead what we try to achieve is to get control over each and every process user mode process which is again good enough it means usually means you have all access to the system we see

examples so once again these are examples of generic approaches not guaranteed to work every time but we'll see it works good enough aunt in generally theoretically you can really disabled or wipe out any code that resides in the colonel once you have ability to execute code in the camera okay and why it is all relevant nowadays there would be no much not big deal if the colonel was secure again the stock is exclusively about windows so whenever I would say Caroline windows cannot so if there was no easy way to exploit windows kernel and get code execution in context of it it would be not a problem unfortunate reality is a bit different again in 2013 only there are 76 seguin

identifiers allocated for Windows vulnerabilities only windows camera so yes it is a big problem and again if you look at events like bone bone cancer quest or HP the DI that's really what's what's happening now ok so that was kind of introduction and now let's just briefly look at many security solutions and see how they relate to or how how they are supposed to protect against kernel-mode vulnerabilities so first antiviruses again what they trying to do typically what typical AV tries to do is to well prevent this first stage of attack so even not allow some malicious payload enter the vulnerable application right and nowadays the term ad is not well defined again for the purpose of the

presentation I mean IV is just scanning for signatures in user mode that's typical what we expect from from ad they can do other things but let's focus on that so it means it's not very relevant to the subject right ad has no way to interact to prevent exploiting Colonel violet Van rabbit and it would be relevant if ad was capable of actually preventing the malicious code running in user mode right if it worked but if he does not work does not work 40 days almost by definition because 0 days means now available signatures and in fact even if you try to exploit a well-known all vulnerability it's usually trivial to just you know tweak exploit code just to not carry some

offending pattern in it so instance if you try to use some well-known she'll call from metasploit we cannot include it in the clear because IV will catch a TD you just need to encode it in some stupid and smell all offers are well-known to test their malware against men ids before their wrist and they do a pretty decent job with it and again I uploaded this tool that exploits a single vulnerability and as you see none of the supported antivirus see anything crumble so generally AV is not relevant and for the topic of carnarvon army Frankie does not work so another nice acronym image again it tries to disrupt this first stage of exploitation but a little bit later it

does not prevent the entry of malformed data to the application but it tries to prevent actual execution of arbitrary code so it does not prevent triggering of the actual vulnerability in the user mode but tries to prevent attacker from running urban area code and how it works Emmitt is essentially a set of hooks in user mode libraries like kernel32.dll or anti dll that tries to catch many behaviors exposed by common shellcode or or opting for instance whenever it sees that sounding tries to write to execute virtual protect function on the stack so make a stack executable then it panics right because that behavior will not be exhibited by any normal software the only case when it happens is when the

rope chain is running again not very much relevant to the topic of carnarvon remedies Emmitt is not related to preventing Colonel exploits and again it would be nice if it worked but even Microsoft admits that it's just you know hires the bar makes exploitation more difficult but it's all by possible and I won't dwell on it because it's not much relevant but you can see the paper of my colleague Jared chess pub recently broke all the protection in image 4.1 so again not relevant and not three words ok so now finally we get to something related to Colonel vulnerabilities SME T now it tries to break the latest stage of exploits so running useful Colonel

payload and SME p is actually a feature in more or less new Intel CPUs the trick is to forbid running the code that stored in user mode memory if it runs with Colonel privileges that's the common way how Colonel XO it works you prepare your shellcode in the memory that you have access to so new thermal memory then corrupt the kernel state so the execution is diverted into your shellcode that you have people and Anthony peep prevents exactly that well for in order for it to work at all there is an assumption that attacker must prepare its shell code in user mode right if it was possible for an attacker to prepare arbitrary memory contents in

kernel mode which is executable then s MEP would be relevant because attacker would just try to execute code that is stored in internal pages and window site on 64 bits that's pretty decent job about it on 32 bits easily broken but let's assume that it's fine okay so that's that is pretty cool it's very sensible thing to do it should be done from the very beginning but again the generic bypasses is available so just like around 2003 malware authors begin to bypass dep or an X by using a rope in user mode so you can generally bypass SME p by doing return oriented programming within the kernel and the usually suggested way is that first you

jump into the piece of the kernel code that will disable a semi p by clearing this particular bit and then you're allowed to execute code in user mode membranous yeah yeah so the vulnerability that I studied a little bit for the purpose of this presentation is 2013 360 this vulnerability primitive allows you to override arbitrary location in the kernel doing the kernel with an address of the kernel buffer and let's see what how the public proof-of-concept calls from tablets or Mandy how it works it over us a kernel code pointer so it overrides a location in the kernel memory that stores the pointer to the code and it's over eyes again it with the address of the user mode share code

the code stored in the user mode ladies and then because of this vulnerability the state of the colonel is corrupted so that it jumps into this user mode payload and if you run this exploit on windows 8 on your cpu you get this you get a bag check as you can see in the bottom attempted execute of non-executive never so this protections reworks of this particular exploit right it's it's it works how design so that's nice um again there is no attacker has other ways right if it gets a little bit more constructive it can be bypassed so I came with with this little bit interesting tweak how to exploit this vulnerability so first you do not

overwrite the code pointer immediately but first you override a certain current variable named NTN i'm using probe address which stores the highest user mode address so this is the rabbit is consulted by the kernel whenever it wants to check is a given address kernel mode or user mode so if you corrupt it it means that the result is you can write to any colonel location again because you corrupted this threshold memory and if you have it because this this approach is well known it was like published in 2011 but the new thing particularly for SME p is that you can use this ability to mess with page tables you can set the user mode bit in

the page table for some page eggs which initially was user mode but now you set this bit and now Colonel stinks its kernel mode so the flow is you prepare your shellcode in your user memory and then using this vulnerability you mark your user memory s camera right from from this moment on this page look like a corrado and then proceed as before just buy some corrupting some code pointer and diverting execution direction and it works surprisingly so in this stall all you need to do is to enable this behavior of messing with page table by adding command-line switch and then it works exactly as before again user mode cmd.exe is granted elevated privileges and its really works

on windows 8 vulnerable versions of Windows I to this honorably right because it was patched like a year ago ok so again it's a common pattern that there is a protection method that blocks many common ways of expectation but if you just work a little bit harder you can get around so a very short note about sandboxie version 4 and chrome sandbox bolívar sandbox is a generic sandbox when you can run any programs and boxed and chrome sandbox is sound box designed only for the browser interestingly in both these cases the isolations of the sandbox process from the rest of the system is implemented using usual OS security mechanisms so the sandbox runs for instance with a restricted token as

low integrity level etc etc all using normal windows operating system mechanisms and the problem is that if you are able to well steal the authentication token like we saw before all these protections are gone immediately right because again things like restricted token an immediate instant integrity level are derived from the current authentication tokens read process so in order to bypass these two solutions you don't need to do anything fancy almost but in principle yes you just run this common most common kernel mode payload you get elevated user more privileges and the sandbox is totally gone and this time its total bypass there is nothing left one thing that can run one positive thing that can be said

about chrome sandbox it it limits the number of usable exploits that's interesting because it runs in inner environment in which some resources required for lunch menu Colonel actually are not available for instance you cannot run a debugger in such an environment so that's good but the problem is that all the exploits related to the graphics subsystem arcilla exploitable and in fact it's the fact that within the windows kernel there is this giant blob implementing all the graphics subsystem it is one of the reasons why there are so many vulnerabilities in windows kernel again such a large code base running in kernel means usually the ladder code base the more vulnerability severe right that's one of the direct reasons again

so this is not interesting so maybe let's get to something interesting for a change sandboxie version 3 so all the one happens to be more interesting I would say it was not designed with protecting colonel exploits in mind but it happens too well offer some resistance and this time this latest again stage of the execution is targeted so running useful Colonel x-play so how sandbox aversions three works is you can label some process as a sandbox it said some flag in internal data structures and now whenever this process wants to request Colonel to do anything so it makes a system call then the sandbox the kernel driver places additional checks so this time we do not rely on the

protection implemented by the windows operating system we play some extra additional checks and that's that's different that's definitely different and what happens is if you run the typical colonel exploit that just elevates user mode within sandbox see it seems to succeed so you get anti-authority system shell but still it cannot do anything to their solar system it's cool because it breaches the windows built-in protection the access control implemented by the windows pc system but since sandbox driver is effective let's that's nice definitely

okay and some similar capability can be expected from host intrusion prevention system hips is again very fuzzy term millions of flavors of hits and again I cannot claim my I even know about all of them but generally what you can expect some hedges first user not exploitation prevention so some cooks in in user mode that tries to disrupt shellcode or objects again not not relevant to do to the the subject of this talk it might be quite interesting if it works but again not relevant for now many hips feature some extra logging confuser actions right so whenever you access some resource it's logged for something or forensic purposes nice but again not much relevant it can do system integrity

checks similarly to both particle does it's nice but again for the purpose of the stock the most instances interesting part is again limiting ability of user processes again by some extra code not relying on mere security boundaries and sorted on faulty iOS so if you have a decent hips then no matter what the privilege of the user mode process is whether it's done to the admin or system would forever you should not be able to stop hips user mode services right it should should defend itself it should prevent loading non whitelisted karna drivers so it should again disallow entering unknown cannon drivers into the system also it should forbid messing with some protected systems like certain

processes are valuable like LS a SS holds the cached credential for every user so a decent in Turin prevention systems should not allow to inject code into LS iess to steal credentials from it and again it's a little bit similar to what sandboxie version 3 does in a way that it should implement its own set of security controls access control again something additional to the bare operating system does okay and that's it leads us to her to this another generic bypass method which is user mode code injection from the colonel again it beats all this process restrictions right for instance let's get back to them yeah okay even if this process cannot do anything even if

you elevated if our Colonel payload can inject arbitrary code here to non sandbox process then we effectively bypass all the sandbox and similarly at least to some extent it's similar with hips generally if if there is some results that's coveted by the attacker like some some files some contents of memory and if it is present in any process why I think any process on the system then we can grab this resource by injecting code into process why right well is there is a resource that's not accessible by any process on the system then it's not useful I would say you usually resources are also the purpose of being used by at least one process right so we can assume there should be

at least one process capable of accessing diseases so okay so how can we inject cold into the context of the user mode process from the kernel mode because in user mode it's pretty simple you have API for it there is an API named creative mode thread that you can just call and Adam you get code execution in another process but again in user mode it is simple to stop because in order to use creative mode thread first you'll need to call open process and it's easy to hook open process to disallow opening protected process and there is no such protection in kernel mode so the most widely discussed method is this this kernel API okay instant queue a PC which

effectively queues and synchronous procedure call in the context of other given process and it's nice it works the problem with it is that it's heavy dependent on Colonel ap ice so you have to prepare the APC then you have to queue it then there is a problem with alert abell DVS none other to the threat and the main problem is that because it's must use some kernel API is some security solution like hips or sandbox monitors usage of this API it can catch the exploit right it seizes huh someone tries to kill a PC for protected process it won't be allowed right and also this method allows you to our inject cold into a single process at a time only

which might be the problem and much nicer and more elegant method is cisco less the center MSR overwrite with this method there is no current API use at all all you need to do is to write to a cpu register and again there is no way to hook right the cpu register almost will we get back to that so how it works you attack the method how system calls are dispatched from user mode so whenever a process wants service from the colonel so it involves a system call then the cpu looks at a particular cpu register where in the kernel mode there is a cisco handle and it jumps so this kernel mode code and obviously if we can

just override this single cpu register it means whenever closest wants to do something it will call our it will call the code of our choosing right it means we can control the behavior of all the SIS calls and this particular means we can inject out and again it is quite elegant it works very well and the best the best thing is that you control all the processes at the same time right you control the behavior of all the process so that's that's pretty nice and how do beat it the only I think the only reliable way to beat it is by using virtualization and McAfee deep safe does exactly that so what McAfee how deep

safe works it actually de privileges all the operating system so it turns all the operating system including the colonel into virtual machine and that's quite a change of paradigm here because from this moment on I said that ring 0 is all-powerful there are no limits are no boundaries right it's not true in this scenario in this scenario your operating system is controlled by the hypervisor and there are limits and particularly deep safe is pretty good at detecting anomalous behavior affecting the state of the CPU particularly writing to the model specific registers next yeah and that tips I've deep sigh generally tries to detect the rootkit like behavior so it tries to monitor the memory of the

operating system right and see some anomalous behaviour so particularly it can despite besides changes to the registers it can find out whenever the interrupt descriptor table is changed or system service descriptor table is changed again these data structures are commonly used by the rootkit to you get get control of the operating system and many many other things it's quite impressive and it works quite well again what's important to note here is it's the change change of paradigm now your operating system is not well in control of the machine it runs under the control of the hypervisor right that's a difference and that that's why you can detect reliably things like all the writing model-specific registers so

that's nice particularly if you run any color mode code that messes with model-specific registers you get big alerts from deep sighs saying that yeah the rootkit behavior right to the MSR register I have no idea why it says some some do gbv is responsible for it but never mind anyway that that is reliable it works it really works again it works reliably because we have another layer of control right okay so how do we did okay that's one more thing just the straight right on the fact that deep safe is very good at detecting anomalous changes to the state of the CPU and i said previously that the commonly suggested method of bypassing SME p is just to clear this

particular bit in the cfl register and again deep safe is in a position to reliably detect this behavior I'm not sure if it does it I know it is one another security solution that based on virtualization that does exactly that detects clearing of SME pivot okay so what's the problem deep safe is incomplete in a way that it really does not have a good way of detecting the mere escalation to the kernel mode it can detect some malicious behavior right but it cannot prevent the mere escalation to the kernel mode that there is no easy way so it means that your exploits were work fine to the point when you reach Colonel shellcode you just need to be very careful to not use

any methods that's that are covered by deep safe and then you'll find so okay so MSR of the right will not do for the purpose of user mode injection so what works the thing that actually works is direct right to the memory of the user mode process which can be dubbed as backing physical frame over right so how it works it it is based by the fact that all the decent operating system implement memory sharing so when you have a read-only memory in any process it can be shared with other processes so for instance anti dll code is read only so the page tables are set up so that this location memory map to the same

physical frame in memory so we have two different processes but they all map to the same location in and again it's it's it's possible only because the mapping is read only if this mapping was read right then it would not work because a single process could corrupt the memory used by other process so that wouldn't work but as long as it's read only that it actually works again when we are in kernel mode all the protection and falls by page tables are irrelevant because we can change it right so we can easily write to any memory frame that starves code of the user mode process okay yeah so once again how to overwrite this physical

memory just mess with page tables again one extra bonus on on Windows platform is that on windows page tables are mapped at the fixed address so it's very easy to find them so again you don't need any Colonel api's you don't need to actually walk the pay tables it does fixed at the given virtual address that's nice okay so what what this method gives us again it gives us ability to modify the contents of all the processes or say libraries that I used by all the processes again with a single right that's pretty nice again so yeah so there are two questions what to overwrite and where to place the hook coat and again this this idea of

overwriting the the process of the user mode the memory physical process was discussed before and guys suggested that shared user data structure is the best one again because it's shared in all the processes and also on 32 bits 32 bits it controls how the Cisco's are dispatched there is a pointer in it means that it says this is the actual function that is part of the system code so that it works if you overwrite this pointer in the Strad user data you can divert the system called execution the problem is were to direct it to divert it though again initially authors suggested that you can just make shared user data executable and start the hook coat

instead user data as well and again it is very nice because this page is presented all the process at the same virtual address right again you just need a single right and you have total hook of all the system calls in all the process but when I tried it it actually does not work on windows 7 or older or newer apparently because each process has a separate page table entry for the shut data so if you you would need to change in order to make it executable you would need to alter page tables for each process and that's that's bad especially if you consider what happens when you create a new process then there is a race you would need to alter the

page tables of this process very early otherwise it it would be killed so a better method is just to overwrite the actual cisco invocation NT dll so this particular see center final season during instruction or cisco and similarly the good working way of placing the hook code is again in anti dll library at some unused end of the section location because again sections are aligned at the paint boundaries right so usually at the end of the section you have some slack space which you can use and that works as we see in a moment actually when when i was on the plane to hear i came upon this really perverted idea of storing the hook coat

in the kernel pages that would be really cool but it's untested i need to find out if it works but if it works it's even better okay so what's what's the effect unfortunately okay so that's a final demonstration you would need fortunately the font is pretty small but I cannot do anything about it but so what what you see here is you have semantic critical system protection agent running you have deep sighs defender running as well and on top of it all you run sandboxie you run the cmd.exe under the control of sandboxie so again it has its own additional layers of the code ok so this is CSP running and here ok battery went

dead ok so here you have properties of services eggsy process so it's supposed to be protected right and you can see it has to tcp ports open presumably for its RPC interface that's normal and what we will do huh ok so what we'll do we'll just again run this tool at this time trying to migrate code into the context of this services EG process and you'll see it works so find waldo find the difference between two pictures right so this is another one so the difference is it has completed no alert whatever from the defender 10 boxy or semantics hips and another thing that changes is you see additional tcp port opening service disagree suddenly services eggsy listen

some on port 44 44 and why it is so because it got injecting with the default metasploit bantul so again using this approach we can inject arbitrary code into arbitrary process again get get full control over it again nobody none of the protections deployed had any comments about it and it also highlights the problem that it doesn't help if you stack one security solution upon each other if they share the common weakness right the problem with all of them is that they share the common vulnerability they are well prone to Colonel exploits right so even if you just stuck one apparent each other you can just bypass them all the single exploit and that's it's pretty bad so obviously other any

solutions that are resilient to Colonel exploits there is one we saw the defender at least architectural he has some potential to defend again against cannot extract because it's implemented additional layer of control implemented in virtualization and generally virtualization is the way to go if implemented properly better than deep safe because again it changes the paradigm implements another layer of control which cannot be altered if you get caught in the context of the camera ah yeah references thank you okay that's about it any questions for a minute