Kernel Exploitation Via Uninitialized Stack

Video thumbnail (Frame 0) Video thumbnail (Frame 337) Video thumbnail (Frame 1862) Video thumbnail (Frame 5256) Video thumbnail (Frame 5561) Video thumbnail (Frame 6999) Video thumbnail (Frame 8265) Video thumbnail (Frame 9613) Video thumbnail (Frame 10214) Video thumbnail (Frame 10636) Video thumbnail (Frame 11605) Video thumbnail (Frame 12568) Video thumbnail (Frame 13245) Video thumbnail (Frame 13801) Video thumbnail (Frame 14193) Video thumbnail (Frame 15826) Video thumbnail (Frame 16171) Video thumbnail (Frame 16629) Video thumbnail (Frame 17780) Video thumbnail (Frame 18297) Video thumbnail (Frame 18736) Video thumbnail (Frame 19026) Video thumbnail (Frame 21125)
Video in TIB AV-Portal: Kernel Exploitation Via Uninitialized Stack

Formal Metadata

Kernel Exploitation Via Uninitialized Stack
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Leveraging uninitialized stack memory into a full-blown root escalation is easier than it sounds. See how to find these vulnerabilities, avoid the pitfalls of priming the stack, and turn your "memory corruption" into full root privileges. Kees Cook is part of the Ubuntu Security Team, where he tries to harden Ubuntu in particular, and Linux in general, against attack. In addition to being an Ubuntu developer, he's a member of the Ubuntu Technical Board, a Debian Developer, and a admin. As a long-time DEF CON Capture the Flag participant, he's especially proud of being part of Team 1@stPlace and winning in 2006 and 2007. Twitter: @kees cook

Related Material

Video is accompanying material for the following resource
Pointer (computer programming) Kernel (computing) Canonical ensemble Kernel (computing) Bit Stack (abstract data type) Exploit (computer security)
Multiplication sign Motion capture Bit Motion capture Shape (magazine) Control flow Compiler Twitter Root Personal digital assistant Kernel (computing) Function (mathematics) Directed set Information security Information security Flag
Point (geometry) Dataflow Game controller Functional (mathematics) Group action Mobile app Table (information) Code 1 (number) Control flow Bookmark (World Wide Web) Normal operator Latent heat Mathematics Goodness of fit Read-only memory Kernel (computing) Network socket Operator (mathematics) Single-precision floating-point format Boundary value problem Information security Physical system Module (mathematics) Interface (computing) Electronic mailing list Theory Bit Control flow Exploit (computer security) Kernel (computing) Process (computing) Pointer (computer programming) Function (mathematics) Interface (computing) Right angle Ideal (ethics) Boundary value problem Table (information) Routing Writing
Standard deviation Regulärer Ausdruck <Textverarbeitung> Information Intel Length Multiplication sign Patch (Unix) Source code Mathematical analysis Bit Mathematical analysis Regulärer Ausdruck <Textverarbeitung> Semantics (computer science) Revision control Fluid statics Digital rights management Fluid statics Data structure Spacetime
Area System call Code Interface (computing) Multiplication sign Electronic mailing list Computer network Focus (optics) Revision control CAN bus Goodness of fit Different (Kate Ryan album) Interface (computing) Revision control Videoconferencing Pattern language Data structure Communications protocol Extension (kinesiology) Communications protocol Position operator Address space Vulnerability (computing)
Area Reading (process) Game controller Code Patch (Unix) Strut Maxima and minima Semantics (computer science) CAN bus Pointer (computer programming) Shooting method Oval Semiconductor memory Function (mathematics) Videoconferencing
Reading (process) Execution unit Multiplication sign Code Maxima and minima Stack (abstract data type) Content (media) Compiler CAN bus Arithmetic mean Pointer (computer programming) Fluid statics Integrated development environment Function (mathematics) Convex hull Videoconferencing
Asynchronous Transfer Mode Game controller Functional (mathematics) Theory of relativity State of matter Range (statistics) Variable (mathematics) Oval Personal digital assistant Computer configuration Function (mathematics) String (computer science) Videoconferencing output Data structure Data compression Spacetime Flag
Source code Game controller Functional (mathematics) Read-only memory Length Source code Maxima and minima output Stack (abstract data type) Data structure Greatest element Field (computer science)
Game controller System call Seitentabelle Table (information) Code Interior (topology) Hoax Multiplication sign Web page Stack (abstract data type) Line (geometry) Parameter (computer programming) 32-bit System call Prime ideal Process (computing) Kernel (computing) Function (mathematics) Order (biology) Spacetime Process (computing) output Row (database) Library (computing)
Game controller Group action Root Read-only memory Code Semiconductor memory Multiplication sign Code
Link (knot theory) Code Weight Strut Code Bit Entire function Revision control Uniform resource locator Hexagon Pointer (computer programming) Process (computing) Kernel (computing) Root Oval Network socket Computer worm Gamma function Buffer overflow Computer worm
Functional (mathematics) Demo (music) Network socket Network socket Demo (music) Function (mathematics) System call
Demo (music) Information security
Game controller Demo (music) Stack (abstract data type) Open set System call Semiconductor memory Computer configuration Kernel (computing) Network socket Videoconferencing Figurate number Quicksort Asynchronous Transfer Mode
Source code Slide rule Canonical ensemble Interface (computing) Theory Code Stack (abstract data type) Boundary value problem
this is going to cover a little bit about linux kernel exploitation specifically using an uninitialized stack pointer i thought it was an interesting exploit but i'll get to that
so this is a 20 minute talk so i'm going to blast through as much as i can with a
quick intro I'm case it's pronounced
case the spelling is Dutch and it's my grandfather's fault but um you can see me on twitter there I've been coming to DEFCON for quite some time started participating in capture the flag in about 2003 and along with the rest of team last place we won CTF in two thousand six and two thousand seven so that was quite a bit of fun but since we played CTF so much I rarely actually went out to go see any talks or try to give any talks since we were doing CTF the whole time but I still playing qualls because that's fun I'm a member of the abundant a security team I started that in 2006 so my background is in trying to get compiler hardening in better shape for it one two and now I'm looking a little bit more at Colonel hardening so a quick overview of Linux
kernel exploitation the main the main
goal for any kind of colonel attack is to get control over execution flow usually you can just set the user ID of the process you're using 20 and your route and you have full control over the system but actually finding targets to do this is is what's tricky you need an arbitrary right to start with and then going from there is what what makes things more fun so with an arbitrary right once you've got that the way to change program flow is to change function pointers so you can aim the the normal operation of the colonel into something that you have written as the attacker function tables are great for that because they're just lists of functions that if you can find a way to trigger that function then you have managed to trick the colonel into running your code one of the first ones that I played with a bit was security ops since I was familiar with the Linux security module interfaces that's basically for selinux app armor other el SMS used the security ops function table for high-level actions so I like replacing the ptrace access check because it was up the top didn't require too much clean up after you used it there's plenty of other things you could use the IDT there's a good frack article in that there's plenty of stuff to read on that but uh my favorite at this point is now using a single Sox truck so if you can create a socket you've got a you've got the destructor when the socket goes away that gets called and if you can write overwrite that function when you close the specific socket it'll actually run the code that you wanted wanted it to run and it's very easy to find that function because it's exported by the kernel for you to see but all that's unimportant if you don't have a flaw obviously you need that arbitrary right to begin with so I started looking at interface boundaries you know where things make transitions and I was especially interested in a copy from
user because that's where you're pulling you're pulling information from user space and putting it somewhere in the colonel so anything that goes wrong in that is going to be an issue is going to be a nice thing so there are a lot of
callers about 4000 so it was a bit daunting to just start with that but uh so looking I'm looking for things that were length isn't tracked sources and check destinations and checked all that we don't really need advanced static analysis grep will work most of the time in fact there's a version of copy from user that does not perform access checks at all there were very very few callers of that and one of them was in intel drm another one was in RDS but a with just standard copy from user i thought that i should go a little bit beyond standard regular expressions so I started looking at a tool called cooks NL which is traditionally used for semantic patching you want to you want a patch of behavior that's going on in a source tree you know replace the something about a structure it was much easier to do that but I was really using it for semantic grep and I'll give you a quick example the first thing I would do is
basically you define a position so the copy from user is at position P is the first top of the top of that and then a whole extensive list of white lists of things that are verifiably correct and so an example whitelist pattern here is copy from user into the address of a of a structure that we've actually done a size of on so that's not overflowed we know it's the right size so you can create a huge list of white of good patterns that make sense and you don't need to pay attention to and then the final chunk of the semantic grep is just too if you have a copy from user and it is not at the same position as any of the whitelist then you have something that actually needs analysis and that
let me look at a bunch of different things so I tried to focus on areas that didn't have a lot of usage or users there's there have been plenty of vulnerabilities in rare network protocols or interfaces if not a lot of consumers especially compat so when you're dealing with running 32-bit on a 64-bit or you'd have different API versions like the Linux for video stuff there's a lot of issues in fact the issues are so bad that you have severe problems come back the this CVE that i mentioned cv 2007 4573 and 2010 3301 it's the same issue they just reintroduced it three years later so what I found was actually a compat interface that had no users because the code could not possibly have ever worked the first time so I apologize for dense
code hopefully you can read some of this but um this was in the v4l compat issues and the the first top bold piece was a copy from user that immediately jumped out on a semantic patch because KP data which is the target and you p data size have no relationship at all that's obvious and as I went back
through it I realized that KP this this pointer in KP was not validated anywhere in fact it wasn't even filled in any where it came from a local stack of area of memory and they're just there was no way to control KP data so if you ever called this i/o control you would crash
your system because you'd be writing crap into who knows where but I got the thinking you know it's uninitialized
which really is a means that it was initialized but you just didn't know from what so if you can control the execution environment leading up to that then it is initialized because you put something there ahead of time so and the question is one of the questions is why you know why does this even show up why didn't anyone notice it and the problem is that we passed everything bye-bye pointer value so the compiler just ignored it figured we knew what we're doing we built it so to control this
variable you find something else that builds the stack in a similar fashion lucky for me this was in an i/o control which means that you just pick a different option for your i/o control and you'll actually have exactly the same stack layout and and in this case they had a union of options it was like it was made to be overlapped so there's this other function get video tuner 32 that would copy everything from user space into this Union on the stack and do some other stuff in return and that would actually leave us with the stack in the state that we had left it so I
you had to take a look at the two different structures that are there are our target here is the video code 32 we want data we want to be able to control data so we have to figure out where it is in relation to the other structure in the Union and it was relatively straightforward because in video tuner there was this large name string so looking at it more graphically there's
all the crap before the i/o control on the stack and then after we have returned from from the the tuner i/o control what's left on the stack is whatever we had put in in that structure and then we can go and call the microcode function and whatever was there will end up in inside the data field and there are no special
tricks for data size and for the length and source that we're doing the only thing we need to do is calculate and that's the c4 just quickly calculating where we are offset inside the other the other structure now that one problem you
run into is that you have to you have to call these io controls in order because if you do anything else between the 2i Oh controls you just used the stack for something else so you can't use any any syscall rappers like lib sees Siskel you can actually use that because it's going to go off and do other things with your stack you have to actually call it directly an assembly you can't you know aid in debugging by sticking a printf between the two because of course you're making yet another syscall in between so you have to be very careful about that additionally the colonel may go off and do other work between the two on behalf of your process if it's a new code path so the the solution for that was just to call the i/o control a whole bunch of times in a row first that it finished any work it had to do with page tables got everything in line for you to then call the final one another small challenges these are all compat syscalls so they're in 32-bit but we're actually trying to attack a 64-bit host so we have to call a 32-bit sis call from a 64-bit executable which is just some more assembly which I have here
basically the the int 80 will force a 32-bit Cisco so this is a quick see rapper to shove the arguments I need into a 32-bit cisco and return and then
the action is to beat on it with the one that will prime the stack so call it a bunch of times first the tuner io control and then go after it with the buggy code since we know what's in memory now and we can actually reliably right stuff
but that just gets us an over right how
do we actually control it I use the sox struck exploit from dan Rosenbergs code recently and you basically open up a socket and it shows up in proc net PCP and bold is the first is the port that I'm listening on in hex and the the other Bowl value is the actual colonel location of the socket that you need to target so you just ask the colonel nicely for what for what you want to overflow or overwrite rather in modern versions of the colonel k pointer restrict now blocked proc net tcp but you can still get the same information out of a net link thing that is still open so you just have to modify your code a little bit so then we're going to
create a payload that we want the kernel to run this is based on Brad Spengler's enlightenment code where you basically just create new credentials as root and commit them to the local process you're just setting your uid to 0 this is the this is the entire function that the colonel needs to run to give you root as that process and finally you just after
you perform the override you just close the socket and it'll call that function for you and everything is nice the colonel cleans up for you and I can show you a small demo of this running if I can see it hopefully everyone can see
and flip back
it's not gonna let me
how about that okay so a lot of demos sort of aren't very interesting because they effectively just show you a prompt like that's not very useful that doesn't prove much and it's not very exciting it's not very dramatic so I decided I ought to have this demo with a useless Hollywood drama mode so you can it can be exciting and we can be on the edge of our seats waiting for something to happen so this is resolving the credentials that the cred the cred calls and we have to find where we are in memory open the socket and figure out where it is in memory open the video device is very exciting do the i/o control did it work it did it did work and if you don't wanna wait for you just run it without the dash dash Hollywood option will just run straight through and that's basically it I can go all the
way through all of my slides again and
get to the end that says questions and
that's it