Syscall Proxying Pivoting
Filipe Balestra Rodrigo Rubira Branco
[email protected] [email protected]
[email protected]
http://www.risesecurity.org
Agenda (the real one!):
Background knowledge
What is Syscall Proxying?
Why I need it or When it's interesting?
Difficulties
Some samples
The Future
Acknowledgements
References
Background Knowledge
When a process needs a resource it must perform a system call to ask the
operating system for it.
The syscall interface is generally wrapped by libc (the programmer doesn't
need to care about system calls directly)
We will discuss syscall proxying in a Linux (x86) environment, so, some
aspects:
* Homogeneous way of calling syscalls (by number)
* Arguments passed via registers (or via a pointer to a block on the stack)
* Small number of system calls
Syscall Interface – Read from a file
[Figure: the reader process issues open, read and close to the Linux kernel, which performs the actual disk access.]
Syscall Interface – Read from a file
# strace cat /etc/passwd
execve("/bin/cat", ["cat", "/etc/passwd"], [/* 17 vars */]) = 0
...
open("/etc/passwd", O_RDONLY|O_LARGEFILE) = 3
...
...
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1669
...
close(3) = 0
As the strace output shows, even a simple command uses many syscalls to
accomplish its task
Syscall Interface – Passing arguments using registers
EAX holds the system call number
EBX, ECX, EDX, ESI and EDI hold the arguments (some system calls, like
socketcall, take a pointer to an argument block on the stack instead)
Execute int $0x80 (software interrupt)
The return value comes back in EAX
What is Syscall Proxying?
The idea is to split the default syscall functionality in two parts:
* A client stub
Receives the requests for resources from the programs
Prepares the requests to be sent to the server (called marshalling)
Sends the requests to the server
Unmarshals the answers that come back
* A syscall proxy server
Handles the requests from the client
Converts each request to its native form (in our case, just Linux)
Calls the requested system call
Sends back the response
I don't wanna ask again! What the hell is Syscall Proxying?
A way to use many tools without installing anything on the owned machine
(in an attack or in a penetration test)
Just play with its memory
Use your own tools (built for your own native system) and don't care about
which operating system was owned (the syscall proxy server, of course, needs to
be coded for each operating system)
It is called pivoting because you can use the syscall proxy server to attack
other hosts on the local network of the machine running the proxy
Syscall Interface – Read from a file (proxied)
[Figure: each stub on the client (h_open, h_read, h_close) ships its request with sys_send; the proxy server performs the real open, read and close against the kernel and the disk, and sends the result back.]
Why do I need it, or when is it interesting?
The syscall proxy server can be injected into a remote process and offer
an interface to the underlying operating system (including running a 'local'
privilege escalation remotely)
You can use any tools you like from your own system, without changing
them (if you use LD_PRELOAD to route their libc syscall wrappers to the stub;
statically linked tools, or code that issues int $0x80 directly, bypass the stub)
The local process running under the stub does not know it is
running remotely
Easy infection of the remote process and of the kernel itself (with the
IDT patch you can easily execute arbitrary commands in the kernel, as shown
by me at the latest Hackers to Hackers Conference)
Difficulties
RPC implements the same idea we have shown, but the problem is that
on the server side it carries a lot of complexity
We need a small piece of code on the server side, because it will be
injected into the vulnerable program
To accomplish that, the client side keeps an 'image' of the stack state
of the server side
Difficulties
[Figure: one proxied system call, client on the left, server on the right.]
Client:
* Pack the arguments into a pseudo stack
* Create the request with the registers and the stack block
* Send it to the server and wait for a reply
* Receive the response from the server
* Unpack the results
Server:
* Read the request
* Pop the operation onto its own stack and load the registers
* int $0x80
* Restore the stack
* Send back the syscall data as the reply
Difficulties
At the beginning of a connection, the server returns its ESP
[Figure: the client's request for open() (filename pointer, flags, mode) laid out as the server's stack, growing from ESP; because the client knows the server's ESP, it can compute the value of the filename pointer, which must point into the stack block shipped with the request.]
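The client stub / proxy server split described under "What is Syscall Proxying?" and the stack-block marshalling described under "Difficulties", as an added example that is not code from the original presentation or from RISE Security. Instead of injecting the server into a remote process it forks it locally and talks to it over a socketpair; the wire format (struct req / struct rep), the field names and the ptr_arg convention for rebasing pointer arguments are this example's own assumptions. libc's syscall() is used in place of hand-loaded EAX/EBX/ECX/EDX and int $0x80, and openat replaces open because some architectures have no open syscall. The sample file content is constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define DEMO_LINE "root:x:0:0:root:/root:/bin/bash\n"  /* constructed sample content */
#define MAX_BLOCK 4096

/* One syscall per request. The client never ships raw addresses: the bytes a
 * pointer argument refers to travel in `block`, and ptr_arg names the argument
 * slot the server must rebase onto its own copy (-1 = no pointer argument).
 * `block` plays the role of the stack block / pseudo stack in the slides. */
struct req { long nr; long args[6]; int ptr_arg; unsigned len; char block[MAX_BLOCK]; };
struct rep { long ret; int err; unsigned len; char block[MAX_BLOCK]; };

static int xio(int fd, void *p, size_t n, int writing) {   /* full read/write */
    char *c = p;
    while (n) {
        ssize_t k = writing ? write(fd, c, n) : read(fd, c, n);
        if (k <= 0) return -1;                                /* EOF or error */
        c += k; n -= (size_t)k;
    }
    return 0;
}

/* Syscall proxy server: the part that would be injected into the owned process. */
static void serve(int fd) {
    struct req q; struct rep r;
    while (xio(fd, &q, sizeof q, 0) == 0) {
        long a[6];
        if (q.len > MAX_BLOCK || q.ptr_arg > 5) break;        /* malformed request */
        memcpy(a, q.args, sizeof a);
        if (q.ptr_arg >= 0) a[q.ptr_arg] = (long)q.block;     /* pointer is valid here now */
        r.ret = syscall(q.nr, a[0], a[1], a[2], a[3], a[4], a[5]);  /* number + args, as int $0x80 */
        r.err = r.ret < 0 ? errno : 0;
        r.len = q.len; memcpy(r.block, q.block, q.len);       /* carries back what read() filled in */
        if (xio(fd, &r, sizeof r, 1) < 0) break;
    }
}

/* Client stub: marshal, send, wait, unmarshal. blk is the local buffer a pointer
 * argument refers to (or NULL); it goes out with the request and is overwritten
 * with whatever the server's syscall left in its copy. */
static long proxy_call(int fd, long nr, const long args[6], int ptr_arg, void *blk, unsigned len) {
    struct req q; struct rep r;
    memset(&q, 0, sizeof q);
    q.nr = nr; memcpy(q.args, args, sizeof q.args); q.ptr_arg = ptr_arg; q.len = len;
    if (blk) memcpy(q.block, blk, len);
    if (xio(fd, &q, sizeof q, 1) < 0 || xio(fd, &r, sizeof r, 0) < 0) { errno = EPIPE; return -1; }
    if (blk) memcpy(blk, r.block, r.len < len ? r.len : len);
    if (r.ret < 0) errno = r.err;                             /* server's errno, not ours */
    return r.ret;
}

static long h_open(int fd, const char *path, int flags) {
    char name[MAX_BLOCK];
    unsigned n = (unsigned)strlen(path) + 1;
    if (n > MAX_BLOCK) { errno = ENAMETOOLONG; return -1; }
    memcpy(name, path, n);
    long a[6] = { AT_FDCWD, 0, flags, 0, 0, 0 };              /* args[1] rebased to `name` */
    return proxy_call(fd, SYS_openat, a, 1, name, n);
}
static long h_read(int fd, int rfd, void *buf, unsigned n) {
    if (n > MAX_BLOCK) n = MAX_BLOCK;
    long a[6] = { rfd, 0, n, 0, 0, 0 };                       /* rfd is a server-side descriptor */
    return proxy_call(fd, SYS_read, a, 1, buf, n);
}
static long h_close(int fd, int rfd) {
    long a[6] = { rfd, 0, 0, 0, 0, 0 };
    return proxy_call(fd, SYS_close, a, -1, NULL, 0);
}

/* The open/read/close sequence strace showed for cat, run through a forked proxy
 * server. Returns bytes read, or -1 with errno set as the server reported it. */
static long proxied_read(const char *path, char *out, unsigned cap) {
    int sv[2], e;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); serve(sv[1]); _exit(0); }   /* the "remote" side */
    close(sv[1]);
    long rfd = h_open(sv[0], path, O_RDONLY), got = -1;
    if (rfd >= 0) { got = h_read(sv[0], (int)rfd, out, cap); h_close(sv[0], (int)rfd); }
    e = errno;
    close(sv[0]);                                             /* server sees EOF and exits */
    waitpid(pid, NULL, 0);
    errno = e;
    return got;
}

/* Writes DEMO_LINE to a temp file and reads it back via the proxy; returns the
 * byte count if the data round-tripped intact, else -1. */
long demo(void) {
    char path[] = "/tmp/sp-XXXXXX", buf[MAX_BLOCK];
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, DEMO_LINE, strlen(DEMO_LINE)) != (ssize_t)strlen(DEMO_LINE)) { close(fd); return -1; }
    close(fd);
    long got = proxied_read(path, buf, sizeof buf);
    unlink(path);
    return (got == (long)strlen(DEMO_LINE) && memcmp(buf, DEMO_LINE, (size_t)got) == 0) ? got : -1;
}

/* Error propagation: the server's errno comes back with the negative result. */
int demo_missing(void) {
    char buf[16];
    return proxied_read("/nonexistent/sp-demo", buf, sizeof buf) == -1 ? errno : 0;
}

int main(void) {
    long n = demo();
    printf("%ld bytes read through the syscall proxy\n", n);
    return n < 0;
}
```

The point to notice is that the client never opens the file itself: the descriptor returned by h_open only means something on the server side, and the server's errno travels back with a failed call, which is exactly what lets an unmodified tool on the attacker's box act on the owned host's files and sockets.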
Some Samples
Remote shell using syscall proxying
Remote process injection (using ptrace, to be explained in another
H2HC 3 presentation)
Remote scanning (pivoting system)
Remote kernel infection (not using the IDT patch, explained in my
presentation at H2HC 2)
The Future
Finish the stub implementation of more system calls
Have a better version of the syscall proxy server for *BSD systems
Optimize the size of the syscall proxy server
Optimize the execution speed of the syscall proxy scheme (for
remote sniffing sessions)
Acknowledgements
- RISE Security
- Your patience!
References
Casek, "Syscall Proxying fun and applications", 22C3 (2005),
http://events.ccc.de/congress/2005/fahrplan/events/553.en.html (the sample injection
and scan codes are ideas shared by Casek in his presentation)
RISE Security http://www.risesecurity.org
Personal Website http://www.kernelhacking.com/rodrigo
END! Is it really?
Questions?