Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nelson Elhage Black Hat USA 2011. Introduction Related work Background Knowledge Attack Detailed CVE 2011-1751 Bug Detailed Exploit Detailed (Take Control.

Similar presentations


Presentation on theme: "Nelson Elhage Black Hat USA 2011. Introduction Related work Background Knowledge Attack Detailed CVE 2011-1751 Bug Detailed Exploit Detailed (Take Control."— Presentation transcript:

1 Nelson Elhage Black Hat USA 2011

2 Introduction Related work Background Knowledge Attack Detailed CVE 2011-1751 Bug Detailed Exploit Detailed (Take Control of %rip) Inject Shellcode into host Disable non executable page Bypassing ASLR Conclusions Reference

3 It was found that the PIIX4 Power Management emulation layer in qemu-kvm did not properly check for hot plug eligibility during device removals. A privileged guest user could use this flaw to crash the guest or, possibly, execute arbitrary code on the host. (CVE-2011-1751)

4 a generic and open source machine emulator and virtualizer. Three components: Kvm.ko Kvm-intel.ko or kvm-amd.ko Qemu-kvm

5 The core KVM kernel module Provides ioctls for communicating the kernel module Primarily responsible for emulating the virtual CPU and MMU Emulates a few devices in-kernel for efficiency Contains an emulator for a subset of x86 used in handling certain traps

6 Provides support for Intel’s VMX and AMD’s SVM virtualization extensions Relatively small compared to the rest of KVM

7 Provides the most direct user interface to KVM Based on the classic x86 emulator Implements the bulk of the virtual devices a VM uses Implements a wide variety of possible devices and buses An order of magnitude more code than the kernel module

8

9 Static QEMUTimer *active_timers[QEMU_NUM_CLOCKS] Struct QEMUTimer { QEMUClock *clock; int64_t expire_time; QEMUTimerCB *cb; /* call back function*/ void *opaque; /* parameter */ struct QEMUTimer *next; /* link list */ }

10 Active_timers QEMUTimer

11 Related functions: Qemu_new_timer: allocate a memory region for the new timer. Qemu_mod_timer: modify the current timer add it to link list. Qemu_run_timers: loop through the link list and execute the timer structure call back function with the opaque as the parameter

12 The main_loop_wait function will iterate through the active_timers and call qemu_run_timers()

13 A computer clock that keep track of the current time MC146818 RTC hardware manual can be found http://wiki.qemu.org/File:MC146818AS.pdf

14 RTCState structure Struct RTCState { ….. QEMUTimer *second_timer; QEMUTimer *second_timer2; }

15 Related functions: Rtc_initfn : initialize the RTC Rtc_update_second : update the expire time of the QEMUTimer and add it to the link list.

16 rtc_initfn : RTCState *s = …. s->second_timer = qemu_new_timer(rtc_clock, rtc_updated_second, s) s->second_timer2 = qemu_new_timer(rtc_clock, rtc_update_second2, s) qemu_mod_timer(s->second_timer2, s->next_second_time)

17

18 ……… Second_timer Second_timer2 opaque Next RTCState Active_timer QEMUTimer opaque Next Cb ………. ……….. ………. ……….. ………. Rtc_update_second Rtc_update_second2

19

20 A south bridge chip. Default south bridge chip used by qemu-kvm Include ACPI, PCI-ISA, and an embeded MC146818 RTC. Support PCI device hotplug, write values to IO port 0xae08 Qemu use qdev_free to emulate device hotplug. Certain devices don’t support device hotplug but qemu didn’t check this.

21 It should not be possible to unplug the ISA bridge KVM’s emulated RTC is not designed to be unplugged.

22 Did not check The device can Be unplug or not

23 Being dealloc Add the second timer to link list.

24 #include Int main(){ iopl(3); outl(2, 0xae08); return 0; }

25 ……… Second_timer opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timerUnplug RTC

26 opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timerUnplug RTC Second_timer Dummy memory region ……

27 opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timer Return to main_loop_wait Call qemu_run_timers Second_timer Dummy memory region ……

28 opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timer QEMUTimer call back Rtc_update_second(opaque) Second_timer Dummy memory region ……

29 opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timer Next Main_loop_wait Second_timer Dummy memory region ……

30 1. Inject a Controlled QEMUTimer into qemu-kvm 2. Eject ISA bridge 3. Force an allocation into the freed RTCState, with second timer point to our fake QEMUTimer

31 The guest RAM is backed by mmap()ed region inside the qemu-kvm process. Allocate in the guest RAM and calculate the the host address by the following formula: Hva = physmem_base + gpa gpa = page_traslation(gva) <= linux kernel project 1 Gva = guest virtual address Gpa = guest physical address Hva = host virtual address Physmem_base = mmap start region For now assume we know physmem_base(no aslr)

32 Force qemu to call malloc Utilize the qemu-kvm user-mode networking stack Qemu-kvm implement DHCP server, DNS server and NAT gateway in user-mode networking stack User-mode stack normally handle packets synchronously To prevent recursion, if a second packet is emitted while handling a first packet, the second packet is queued using malloc. ICMP ping.

33 1. Allocate a Fake QEMUTimer 2. calculate the Fake timer address 3. unplug ISA bridge 4. ping the gateway containing pointers to your fake timer.

34 ……… Second_timer opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timerAllocate Fake QMEUTimer opaque Next Cb Fake QEMUTimer ………. ……….. ………. Evil function (Shellcode)

35 opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timerUnplug ISA bridge opaque Next Cb Fake QEMUTimer ………. ……….. ………. Evil function (Shellcode) Second_timer Ping the gateway

36 opaque Next Cb opaque Next Cb ………. ……….. ………. RTCState QEMUTimer Rtc_update_second Active_timerFirst Main_loop_wait opaque Next Cb Fake QEMUTimer ………. ……….. ………. Evil function (Shellcode) Second_timer

37 opaque Next Cb RTCState QEMUTimer Active_timerSecond Main_loop_wait opaque Next Cb Fake QEMUTimer ………. ……….. ………. Evil function (Shellcode) Second_timer

38 1. we have %rip control 2. Where is the Evil function Inject shellcode to host virtual memory Host virtual memory has page protection(NX bit) 3. Solutions: A. ROP B. something clever

39 1. we can control the QEMUTimer data structure. 2. create multiple QEMUTimer object and chain them together. opaque Next Cb opaque Next Cb opaque Next Cb ………. ……….. ………. ……….. ………. ……….. ………. QEMUTimer F1(X) F2(Y)F3(Z)

40 We now have multiple on argument function calls. We want to do more arguments function calls. For example, mprotect take three arguments.

41 Arguments of types Bool, char, short, int, long, long long, and pointers are in the INTEGER class. If the class is INTEGER, the next available register of the sequence %rdi, %rsi, %rdx, %rcx, %r8 and %r9 is used More detailed check out the reference 7

42 Suppose we can find a function with the following property. Let f1(x) be set_rsi %rsi register will not be modified during qemu_run_timer() in most qemu version. Therefore, F2(y) becomes F2(y,x) since we control the %rsi from f1(x) Set_rsi: movl %rdi, %rsi; return

43 This function will copy its first parameter to the second parameter of ioport_write %rdi is the first parameter and %rsi is the second parameter. Therefore we get a function with the previous property. (Movl %rdi, %rsi) Void cpu_outl(pio_addr_t addr, uint32_t val) { ioport_write(2, addr, val); }

44 Mprotect prototype: Mprotect(addr, lens, prot) PROT_EXEC = 4 Use the following function We control the “opaque/ioport” by QEMUTimer and control the “addr” by set_rsi() Seems like we control everything in this function

45

46 Allocate a fake IORangeOps with fake_ops->read = mprotect Allocate a page-aligned IORange with Fake_ioport->ops = fake_ops Fake_ioport->base = -PAGE_SIZE Copy shellcode following the IORange Construct a timer chain that calls Cpu_outl(0, *) Ioport_readl_thunk(fake_ioport, 0) Fake_ioport + 1

47 opaque Next Cb opaque Next Cb opaque Next Cb IORange (PAGE_ALIGN) ops Fill with shellcode IORangeOps Read ……. Cpu_outl Ioport_readl_thunk mprotect QEMUTimer Chain

48 The base address of the qemu-kvm binary, to find code address(such as mprotect ….) Physmem_base, the address of the physical memory mapping inside kvm Solutions: Find an information leak Assume non-PIE. Every major distribution compile qemu- kvm as non position independent executable. How about physmem_base

49 Emulated IO ports 0x510 (address) and 0x511 (data) Used to communicate various tables to the qemu BIOS (e820 map, ACPI tables, etc) Also provides support for exporting writable tables to the BIOS However, fw_cfg_write doesn’t check if the target table is supposed to be writable

50 Several fw_cfg areas are backed by statically-allocated buffers. Net result: nearly 500 writable bytes inside static variables.

51 Mprotect needs a page-aligned address, so these aren’t suitable for our shellcode We can construct fake timer chains in this space to build a read4() primitive. (Create Information Leak) Follow pointers from static variables to find physmem_base Proceed as before

52 Sandbox qemu-kvm Build qemu-kvm as PIE Lazily mmap/mprotect guest RAM XOR-encode key function pointers More auditing and fuzzing of qemu-kvm

53 VM breakouts aren’t magic Hypervisors are just as vulnerable as anything else Device drivers are the weak spot.

54 [1] http://qemu.weilnetz.de/qemu-tech.html [2] http://qemu.weilnetz.de/doxygen/structRTCState.html [3] http://www.linuxinsight.com/files/kvm_whitepaper.pdf [4] https://www.ibm.com/developerworks/cn/linux/l-virtio/ [5] http://smilejay.com/kvm_theory_practice/ [6] http://www.linux-kvm.org/page/Documents [7] http://www.cs.tufts.edu/comp/40/readings/amd64-abi.pdf [8]http://linuxfromscratch.xtra-net.org/hlfs/view/unstable/glibc- 2.4/chapter02/pie.html [8]http://linuxfromscratch.xtra-net.org/hlfs/view/unstable/glibc- 2.4/chapter02/pie.html qemu source code


Download ppt "Nelson Elhage Black Hat USA 2011. Introduction Related work Background Knowledge Attack Detailed CVE 2011-1751 Bug Detailed Exploit Detailed (Take Control."

Similar presentations


Ads by Google