Automated mining Windows kernel information disclosure vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201787028
Type myhack58
Reporter 佚名
Modified 2017-06-14T00:00:00


2017 6 on patch day, to fix up before we report 5-a kernel information leak vulnerability , the end of the article have details. The year before I demonstrate how to use JS to fuzz the kernel, today we want to bring to you is not dependent on the fuzz, and to automate the mining kernel vulnerability. From the recent few months as where, select a small point, say the following kernel information leak type of vulnerability of the excavation. Background after windows vista, Microsoft kernel enabled by default. ASLR, referred to as KASLR. KASLR randomize the module's loaded base address , the kernel object address, etc., alleviate the vulnerability of the use. In win8 after the security features have been further enhanced. The introduction of the nt! ExIsRestrictedCaller to prevent the Low integrity of the program calls some can leak out of the module base address of the kernel object address and other key information of the function. Include, but are not limited to: NtQuerySystemInformation * SystemModuleInformation * SystemModuleInformationEx * SystemLocksInformation * SystemStackTraceInformation * SystemHandleInformation * SystemExtendedHandleInformation * SystemObjectInformation * SystemBigPoolInformation * SystemSessionBigPoolInformation * SystemProcessInformation * SystemFullProcessInformation NtQueryInfomationThread NtQueryInfomationProcess The above is a traditional of you can get the kernel module address and kernel address of the object method , as kernel normal function. But for the integrity in the medium following procedures in win8 after the call will fail. KASLR as one of the exploit mitigations, of which the one purpose is to so construct a generic ROP-CHAIN is more difficult. As the vulnerability of the user to dig out information leakage vulnerability, to directly leak out of the desired module base address, that is directly against KASLR approach. Features As a kernel vulnerability, in the mining process there is a special place. For example, for a traditional memory corruption class of vulnerability, the vulnerability itself will affect the normal operation of the system, The use of the verifier and other tools, can be more convenient to capture this exception. But the information leakage type of vulnerability, and will not trigger an exception, but also does not interfere with the normal operation of the system, which makes finding them more difficult. Vulnerability is an objective reality, we need to do in order to as small as possible cost to discover them. Mining ideas Leakage occurs, the kernel will necessarily be key information is written into the User Mode Memory, if we monitor all kernel mode write user mode address of the write operation, will be able to capture this behavior. Of course, the system does not provide this feature, a process by@pjf a dedicated hardware-based virtualization of the mining framework to capture. ! In order not to interfere with the target system of the operation itself, I'm in a virtual machine in the implementation of the monitoring, to obtain necessary information in the written log, and then in the host machine for secondary analysis. ! In the physical machine, to decode the log and the loading symbol, do some processing after the ! We get such a batch of logs. ! Secondary analysis Now we have a period of actual operation of the process, the kernel writes to User-Mode Memory of all records. Here the vast majority are normal function, We need to eliminate interference, find out what data is critical information. Here the main use of the two techniques. Contamination of the kernel stack Poisoning or contamination of the target data, is a common way of thinking. In network attack and Defense, also has ARP and DNS cache poisoning。 Here, the kernel stack poisoning, refers to the pollution of the entire unused kernel stack space. If a kernel stack variable is not initialized, Then this variable is written to the user mode, write the data there I the mark of the magic value ,find the magic value where the recording is the occurrence of leakage points. At the same time I noticed that j00ru in his BochsPwn project has also used a similar technique. KiFastCallEntry Hook In order to have the opportunity of contamination of the kernel stack, I Hook up KiFastCallEntry, in each system call occurs, the contamination of the current stack below the remaining stack space. ! The first use of IoGetStackLimits get the current thread's scope, and then from the stack bottom to the current stack position of the entire space is filled with 0xAA. Thus entering the system after the call, all the kernel on the stack the local variable content, will be contaminated to 0xAA. Contamination of the kernel POOL Similarly, for the dynamic allocation of memory,I use hooks ExAllocatePoolWithTag, etc., and contaminate their POOL of content. Thus, whether it is on the stack or on the heap, as long as it is not initialized, the contents are our pollution. If the kernel stack variable is not correctly initialized, it is possible to Will this magic value is written to the user-state memory. Combined with our capture of the log, you can immediately discover this information leak. In order to exclude coincidences, the use of a multiple conversion magic value like 0xAAAAAAAA , 0xBBBBBBBB way to exclude false positives. To exclude interference after a typical results are as follows ! You can see that in a transient monitoring process, it is caught in the system 161 times leak. Of course, this is not re-ranked, not with so a plurality of independent vulnerabilities, but some of the vulnerabilities in the repeated leakage. This time we got a real information leak vulnerability, there is a stack of information, supplemented by simple manual analysis, you can know the details This is also the CVE-2017-8482 behind the story. Difference comparison For uninitialized stack the result of kernel information leaks, we can use pollution and then look for the tags found. For direct leakage of critical information, such as write directly to a module, object, POOL type of address, you cannot use this method to find.

[1] [2] next