
Slide 1: Briefing for: Hacking Windows Internals
Cesar Cerrudo, Argeniss

Slide 2: Hacking Shared Sections (www.appsecinc.com)
- Shared Section definition
- Using Shared Sections
- Tools
- Problems
- Searching for holes
- Exploitation
- Microsoft vulnerabilities
- Other vendors' vulnerabilities
- Solutions
- Conclusions
- References

Slide 3: Shared Section
- Basically, a Shared Section is a portion of memory shared between processes, mostly used as an IPC (Inter-Process Communication) mechanism.
  - Shared Memory.
  - File Mapping.
  - Named or Unnamed.

Slide 4: Using Shared Sections
- Loading binary images by the OS.
  - Process creation.
  - DLL loading.
- Mapping kernel mode memory into user address space!?
  - Used to avoid kernel transitions.
- Sharing data between processes.
  - GDI and GUI data, pointers!?, counters, any data.

Slide 5: Using Shared Sections
- Creating a shared section

    HANDLE CreateFileMapping(
        HANDLE hFile,                        // handle to file (file mapping)
                                             // or 0xFFFFFFFF (shared memory)
        LPSECURITY_ATTRIBUTES lpAttributes,  // security
        DWORD flProtect,                     // protection
        DWORD dwMaximumSizeHigh,             // high-order DWORD of size
        DWORD dwMaximumSizeLow,              // low-order DWORD of size
        LPCTSTR lpName                       // object name (named) or NULL (unnamed)
    ); // returns a shared section handle

Slide 6: Using Shared Sections
- Opening an existing shared section

    HANDLE OpenFileMapping(
        DWORD dwDesiredAccess,  // access mode (FILE_MAP_WRITE, FILE_MAP_READ, etc.)
        BOOL bInheritHandle,    // inherit flag
        LPCTSTR lpName          // shared section name
    ); // returns a shared section handle

Slide 7: Using Shared Sections
- Mapping a shared section

    LPVOID MapViewOfFile(
        HANDLE hFileMappingObject,    // handle to created/opened shared section
        DWORD dwDesiredAccess,        // access mode (FILE_MAP_WRITE, FILE_MAP_READ, etc.)
        DWORD dwFileOffsetHigh,       // high-order DWORD of offset
        DWORD dwFileOffsetLow,        // low-order DWORD of offset
        SIZE_T dwNumberOfBytesToMap   // number of bytes to map
    ); // returns a pointer to the beginning of the shared section memory

Slide 8: Using Shared Sections
- Ntdll.dll Native API
  - NtCreateSection(): creates a new section
  - NtOpenSection(): opens an existing section
  - NtMapViewOfSection(): maps a section into memory
  - NtUnmapViewOfSection(): unmaps a section from memory
  - NtQuerySection(): returns the section size
  - NtExtendSection(): changes the section size

Slide 9: Using Shared Sections
- Mapping unnamed Shared Sections.
  - Need to know the shared section handle in the target process.
  - Need permissions on the target process.

    OpenProcess(PROCESS_DUP_HANDLE, ...)
    DuplicateHandle(...)
    MapViewOfFile(...)

Slide 10: Using Shared Sections
- Demo

Slide 11: Tools
- Process Explorer
  - Shows information about processes (DLLs, handles, etc.).
- WinObj
  - Shows Object Manager Namespace information (object info, permissions, etc.).
- ListSS
  - Lists Shared Section names (local and TS sessions).
- DumpSS
  - Dumps Shared Section data.
- TestSS
  - Overwrites Shared Section data (to detect bugs).

Slide 12: Problems
- Input validation
- Weak permissions
- Synchronization

Slide 13: Problems - Input validation
- Applications don't perform data validation before using the data.
- Applications trust data on shared sections.
- When applications read modified data from shared sections:
  - They will crash.
  - They will perform unexpected actions.

Slide 14: Problems - Weak permissions
- Low privileged users can access (read/write/change permissions) shared sections of high privileged processes (services).
- Terminal Services (maybe Citrix) users can access (read/write/change permissions) shared sections of locally logged on user processes, services and also of other user sessions.

Slide 15: Problems - Synchronization
- No built-in synchronization.
- Synchronization must be done by the processes themselves in order not to corrupt data.
- There isn't a mechanism to force processes to synchronize or to block shared section access.
- Any process (with proper rights) can alter shared section data while another process is using it.

Slide 16: Problems - Synchronization
- Communication between Process A and Process B through a Shared Section, with a third Process C interfering (sequence reconstructed from the slide's diagram):
  1. Process A to Process B: "Send me data."
  2. Process B writes the data to the Shared Section.
  3. Process B to Process A: "Data ready."
  4. Process C replaces the data in the Shared Section.
  5. Process A reads the (replaced) data from the Shared Section.

Slide 17: Searching for holes
- Look for shared sections using Process Explorer, WinObj or ListSS.
- Attach a process using the shared section to a debugger.
- Run TestSS on the shared section.
- Interact with the process in order to make it use (read/write) the shared section.
- Look at the debugger for crashes :).

Slide 18: Searching for holes
- Windows HTML Help
  - Demo.

Slide 19: Exploitation
- Elevating privileges.
- Reading data.
- Altering data.
- Shared section exploits.
- Using shared sections in viruses/rootkits/etc.

Slide 20: Exploitation - Reading data
- From high privileged processes (services).
- From locally logged on user processes, services and other sessions on Terminal Services.
- This leads to unauthorized access to data.

Slide 21: Exploitation - Altering data
- On high privileged processes (services).
- On locally logged on user processes, services and other sessions on Terminal Services.
- This leads to arbitrary code execution, unauthorized access, process or kernel crashes (DoS).

Slide 22: Exploitation - Shared section exploits
- When overwriting shared section data allows us to take control of code execution:
  - Some shared sections' start addresses are pretty static on the same OS and Service Pack.
  - Put shellcode in the shared section.
  - Build an exploit that jumps to the shellcode in the shared section at the static location.

Slide 23: Exploitation - Shared section exploits
- MS05-012 - COM Structured Storage Vulnerability
  - Weak permissions on a shared section.
  - Structures saved in the shared section can be overwritten.
  - By overwriting these structures it is possible to execute arbitrary code.
  - PoC Exploit Demo.

Slide 24: Exploitation - Using shared sections in viruses/rootkits/etc.
- Some shared sections are used by many processes (InternatSHData, used for Language Settings on W2k); other sections are used by all processes :).
- Write code to the shared section and the code will instantly be mapped into the processes' memory and also into newly created processes.
- Use SetThreadContext() or CreateRemoteThread() to start executing the code.
- Similar to the WriteProcessMemory() - SetThreadContext() technique or DLL Injection.

Slide 25: Exploitation - Using shared sections in viruses/rootkits/etc.
- Some shared sections have execute access.
- It would be possible to avoid WinXP SP2 NX and third-party protections.

Slide 26: Microsoft vulnerabilities
- Vulnerabilities in the following Microsoft products have been reported and are being fixed:
  - Internet Explorer vulnerability.
  - Office vulnerabilities.
  - Windows 2k and Windows XP SP2 Kernel vulnerability.
  - IIS 5 vulnerability.
  - Windows COM vulnerability.

Slide 27: Other vendors' vulnerabilities
- NOD32 antivirus vulnerability.
- Norton Antivirus (old versions) vulnerability.
- Veritas software vulnerabilities.
- Etc.

Slide 28: Solutions
- Set proper permissions
  - Grant permissions on shared sections only to the current user (and to the service account if the application runs as a service), unless another user really needs access to them.
- Use some synchronization mechanism
  - Remember that when working with shared sections there is no built-in synchronization.
- Validate the data before using it
  - Data on shared sections can easily be manipulated.
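The "validate the data" and "synchronize" points above, together with the Problems slides 13, 15 and 16 they answer, in code. This is an added example and not part of the presentation or Argeniss tooling: a reader for a hypothetical length-prefixed message format that first snapshots the mapped view into private memory (so a writer with access to the section, like Process C on slide 16, cannot change the bytes between the check and the use) and then validates every field of the private copy before trusting it. The shared section is simulated with a plain byte array (constructed) so the code runs on any platform; in a real Windows program the view pointer would come from MapViewOfFile() on slide 7, and the permissions point is handled separately at creation time through the lpAttributes parameter of CreateFileMapping() on slide 5. The message layout, MSG_MAGIC value and demo functions are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the constructed stand-in for a mapped shared section view. */
#define SECTION_SIZE 64

/* Hypothetical message layout the two processes agree on (assumption). */
struct msg_header {
    uint32_t magic;   /* must equal MSG_MAGIC */
    uint32_t length;  /* number of payload bytes that follow the header */
};
#define MSG_MAGIC   0x5353474Du  /* constructed marker value */
#define MAX_PAYLOAD 32

enum read_result { READ_OK = 0, READ_BAD_SIZE, READ_BAD_MAGIC, READ_BAD_LENGTH };

/* Hardened reader: step 1 copies the whole view into private memory so
 * another process cannot modify it between our checks and our use of it;
 * step 2 validates every field of the private copy before trusting it. */
enum read_result read_message(const uint8_t *view, size_t view_size,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    uint8_t snapshot[SECTION_SIZE];
    struct msg_header hdr;

    if (view_size < sizeof hdr || view_size > sizeof snapshot)
        return READ_BAD_SIZE;

    memcpy(snapshot, view, view_size);   /* step 1: snapshot, never read view again */

    memcpy(&hdr, snapshot, sizeof hdr);  /* step 2: validate the copy only */
    if (hdr.magic != MSG_MAGIC)
        return READ_BAD_MAGIC;
    /* view_size >= sizeof hdr was checked above, so the subtraction cannot wrap. */
    if (hdr.length > MAX_PAYLOAD ||
        hdr.length > view_size - sizeof hdr ||
        hdr.length > out_cap)
        return READ_BAD_LENGTH;

    memcpy(out, snapshot + sizeof hdr, hdr.length);
    *out_len = hdr.length;
    return READ_OK;
}

/* Writer side: places a well-formed message into the view. */
int write_message(uint8_t *view, size_t view_size,
                  const uint8_t *payload, uint32_t length)
{
    struct msg_header hdr = { MSG_MAGIC, length };
    if (length > MAX_PAYLOAD || view_size < sizeof hdr + length)
        return -1;
    memcpy(view, &hdr, sizeof hdr);
    memcpy(view + sizeof hdr, payload, length);
    return 0;
}

/* Scenario 1: honest exchange. Returns the payload length the reader
 * accepted (5 for the constructed "hello" message). */
size_t demo_untampered(void)
{
    uint8_t view[SECTION_SIZE] = {0};
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    write_message(view, sizeof view, (const uint8_t *)"hello", 5);
    return read_message(view, sizeof view, out, sizeof out, &n) == READ_OK ? n : 0;
}

/* Scenario 2: the slide-16 race. After "data ready", a process with write
 * access to the section replaces the length field with a value far larger
 * than the section. A reader that trusted the field would copy past the
 * end of its buffer; the hardened reader rejects the message instead. */
enum read_result demo_tampered_length(void)
{
    uint8_t view[SECTION_SIZE] = {0};
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    uint32_t bogus = 0xFFFFFFF0u;
    write_message(view, sizeof view, (const uint8_t *)"hello", 5);
    memcpy(view + offsetof(struct msg_header, length), &bogus, sizeof bogus);
    return read_message(view, sizeof view, out, sizeof out, &n);
}

/* Scenario 3: the whole section is overwritten with unrelated bytes
 * (what a tool like TestSS would do); the magic check catches it. */
enum read_result demo_garbage(void)
{
    uint8_t view[SECTION_SIZE];
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;
    memset(view, 0x41, sizeof view);
    return read_message(view, sizeof view, out, sizeof out, &n);
}

int main(void)
{
    printf("untampered: accepted %zu bytes\n", demo_untampered());
    printf("tampered length: result %d (expect %d)\n", (int)demo_tampered_length(), (int)READ_BAD_LENGTH);
    printf("garbage: result %d (expect %d)\n", (int)demo_garbage(), (int)READ_BAD_MAGIC);
    return 0;
}
```

The design point is the order of operations: copy once, then check and use only the copy. Checking the length directly in the mapped view and then copying from the view again would leave exactly the window that slide 16 illustrates. The permission half of the fix belongs to the creating process: a restrictive security descriptor passed through lpAttributes when the section is created.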

Slide 29: Conclusions
- Windows and third-party applications have a bunch of Shared Section related holes.
- These kinds of holes will lead to a new kind of attack, "SSAttacks" (Shared Section Attacks) ;)
- Microsoft forgot to include a Shared Sections audit in the Trustworthy Computing initiative :).
- Windows guts seem rotten :).

Slide 30: References
- MSDN
- Programming Applications for MS Windows, Fourth Edition
- Process Explorer (www.sysinternals.com)
- WinObj (www.sysinternals.com)
- Rattle - Using Process Infection to Bypass Windows Software Firewalls (PHRACK #62)
- Crazylord - Playing with Windows /dev/(k)mem (PHRACK #59)
- http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx

Slide 31: FIN
- Questions?
- Thanks.
- Contact: cesar>at dot<com
- Argeniss – Information Security
- Get vulnerability information before anyone! http://www.argeniss.com/services.html

