S2 EUSKALHACK Self-Defenseless

Download as pdf or txt
Download as pdf or txt
You are on page 1of 64

SELF-DEFENSELESS

EUSKALHACK IV

BÁLINT VARGA-PERKE 2019.06.22


WHOAMI
• Silent Signal co-founder
• Penetration testing
• Custom training
• Consulting
• @buherator
• Top Hungarian IT-sec resource for some time…
• Moved to polluting the tubes via Twitter
BACKGROUND
• Some hits
• Aruba wIPS
• Panda cloud infrastructure
• Bitdefender
• Symantec Critical System Protection
• Trend Micro Office Scan
• McAfee crapware
• All logic bugs
• Tried fuzzing too
• Not really my game…
PREVIOUS RESEARCH
ABUSING PRIVILEGED FILE ACCESS IN ANTIVIRUS SOFTWARE
• Parallel research with Florian Bogner and Clement Lavoillotte
• AVGater
• Abusing Privileged File Manipulation
• LPE in multiple endpoint security products
• Bitdefender, Kaspersky, Symantec, …
• My approach: Self-defense bypass
• Bare-Knuckled Anti-Virus Breaking
• Primary idea: COM hijacking
HYPOTHESIS

Self-defense hides exploitable attack surface.


ARCHITECTURE

SYSTEM
User

AV UI AV Service

AV Kernel Module
ARCHITECTURE

SYSTEM
User

AV UI AV Service

AV Kernel Module
SELF-DEFENSE
IS SELF-DEFENSE A SECURITY BOUNDARY?
• Symantec
• CVE-2017-6331
• Avast
• CVE-2017-8307
• CVE-2017-8308
• Kaspersky
• Bypass from 2007:
„Kaspersky Lab does not consider this to be a vulnerability: it is not an error in
our code, but an obscure method for manipulating standard Windows routines
to circumvent our self-defense mechanisms.”
KASPERSKY
• No political agenda here…
• Self-defense bypass != vulnerability
• My original bypass still works
• Some experience from previous research
• Well-known components
• Configurability
• Only AV that caught my previous exploits while they
were 0-day :P
• I found bypasses ofc. ;)
• Research target: KFA
• Was released around the time my research began
• Reusable components (KIS, KES, Secure Connection…)
PRIOR WORK
2008 SOURCE LEAK
• Kaspersky source code appeared on
the Internet in 2011
• Leaked by former employee
• KASPERSKY.AV.2008.SRCS.ELCRABE.RAR
• Source code was from 2008
• I did not use it of course
• That would be illegal…
• "It also contains fragments of an obsolete
version of the Kaspersky anti-virus engine,
which has been radically redesigned and
updated since the source code was stolen"
ANTIVIRUS DEBUGGING
• Use VM's
• Preferably with a good API for snapshot-revert
• Airgap
• Unwanted updates
• Unwanted leaks
• More deterministic
• Script everything
• Everything is slow, speed up where we can
• pykd rocks!
ANTIVIRUS DEBUGGING
• You may be allowed to disable self-
defense
• Kaspersky has an option for this
• User-mode sometimes works
• Snapshot!
• Use a Kernel Debugger like proper adults! avp_info=pykd.dbgCommand("!process 0 0 avp.exe")
avp_eprocess=avp_info.split(" ")[1]
• Need to switch to user process context - slow! pykd.dbgCommand(".process -r -i -p %s; " % avp_eprocess)

• Control the user debugger from KD (thx guys!) ntsd -d -p <PID>


• Much faster (over COM port!)
ANTIVIRUS DEBUGGING

SYSTEM
User

AV UI AV Service

AV Kernel Module
DIA CÍME

REVERSE ENGINEERING
KASPERSKY
• 32-bit application
• WOW64 is hard, use a 32-bit OS for
testing
• __fastcall calling convention
• First two params in ECX and EDX,
rest on stack
• Many RE tools can't handle this…
• “Real-life” complexity
• Module sizes in order of MBs
• Structures/exports imitating OO design
• Wide set of x86 instructions
(killing RE tools)
KASPERSKY
TARGET: IPC COMPONENT
• PRRemote.DLL
• + PRCore.DLL
• "Prague"
• Common IPC interface among multiple
products
• KFA, KES, Secure Connection, etc.
• Today's agenda:
High level message processing (~ OSI Layer 5)
• Needed for upper layer analysis
• Tip of the iceberg
COMMUNICATION
PRREMOTE.DLL
• Implements RPC functionality "Hijacking debug output:
1) allocate new memory buffer ($dump)
2) [$dump] <- pointer referencing the beginning of
• Functionality for both client and server data inside the buffer
3) [$dump]+0x10 Size of data DWORD, data starts at 0x18
• Debug strings 4) err_logger expects dst buffer in ECX, so put $dump
there when the function starts
• … the reverser's best friends 5) Log information put inside $dummy when err_logger
exits. Size of data is at $dump+8

• Non-trivial debug print mechanism ->


6) Enable err_logger by placing $dummy to the stack of
is_Debug every time it's called

Still crashes sometimes (on DB update attempts?)..."


- My notes, verbatim
(I definitely should write better notes)
PRREMOTE.DLL
$ strings prremote.dll | fgrep rpc_
rmt rpc_send_receive_server exception
rmt rpc_send_receive_server failed,
rmt rpc_send_receive_server2 called, connection
rmt rpc_send_receive_server2 exception during method call
rmt rpc_send_receive_server3: failed to parse packet (size=
rmt rpc_send_receive_server3 unknown call type:
rmt rpc_invoke3 unknown call type:
rmt rpc_invoke3 not enough memory to store returned data:
rmt rpc_init_context_handle failed, RpcStatus is
rmt rpc_send_receive2 failed, RpcStatus is
rmt rpc_send_receive2: not enough memory to store received data:
rmt rpc_send_receive2 call failed, RpcStatus is
rmt rpc_send_receive3 failed, RpcStatus is
rmt rpc_send_receive3: not enough memory to store received data:
rmt rpc_send_receive3 call failed, RpcStatus is
rmt rpc_disconnect_from_server exit
PRREMOTE.DLL
• 3 versions of rpc_send_receive_server*()
• Older versions still present
• Regular breaks on rpc_send_receive_server3()
• Call stack shows one previous call in the module
• I called it my_rpc_message_handler()
• Deeper frames are from RPCRT4: built-in Windows RPC
PRREMOTE.DLL
my_rpc_message_handler()
• Called from RPCRT4
• Single argument, correctly identified as RPC_MESSAGE*
by IDA
• Windows RPC is merely a transport layer
• Internal structure: "The RPC_MESSAGE structure contains
information shared between NDR and the rest of the RPC or OLE
runtime."
• Basic sanity check
• rpc_message->Buffer passed as argument to
rpc_send_receive_server3()
SENDING MESSAGES
• PythonForWindows
• Endpoint: PRRemote:<AVP PID>
• Interface:
806411e0-2ed2-194f-bb8c-e27194948ac1
• Method: 4
• What are the others for?

client = windows.rpc.RPCClient(r"\RPC Control\PRRemote:%d" % int(avp_pid) )


iid = client.bind("806411e0-2ed2-194f-bb8c-e27194948ac1")
ndr_params = ndr.make_parameters([ndr.NdrLong]*len(pkt))
resp = client.call(iid, 4, ndr_params.pack(pkt))
PRREMOTE.DLL
MESSAGE BUFFER 00000000 00000000 00000000 00000000
01013200 SMALLINT
• Recognizable header
• Readable strings
• UTF-16
rpc_send_receive_server3() my_rpc_header_size_check()
• Top-level message dispatcher • len_in: WORD @ 0x12
• Interesting strings: • len_out: DWORD @ 0x14
• "rmt\tReceived message has wrong
integrity code" • len_in + len_out < rpc_msg->Size
• "rmt\tNo session found for ID" • LangSec ppl love this ;)
MESSAGE STRUCTURE
struct KASPY_IPC_REVERSED {
DWORD zero0
DWORD zero4
DWORD zero8
DWORD zeroC
WORD doubleOne
WORD len_out
DWORD len_in
};
MESSAGE STRUCTURE
struct KASPY_IPC_REVERSED {
• Trace with x64dbg and Lighthouse
DWORD zero0
• Debug: "No session found for ID" DWORD zero4
• Need a correct 64-bit value for parsing to happen DWORD zero8
• QWORD @ 0x18
• You don’t brute-force 64-bits, even locally DWORD zeroC

• Except on first connect WORD doubleOne


• SID = 0 WORD len_out
• Authorization2() runs DWORD len_in
• In practice: DWORD session0
• sess0 = 0xFFFA783B (slowly grows on service
respawn) DWORD session1
• sess1 < 0x10000 (random DWORD on respawn) };
• Brute-force is totally practical!
• Lack of boot-time entropy?
MESSAGE STRUCTURE
struct KASPY_IPC_REVERSED {
• Debug: "Received message has wrong integrity code" DWORD zero0
DWORD zero4
• Based on Flower-Noll-Vo (FNV) hash DWORD zero8
• Widely used algorithm, e.g. in spam filters DWORD zeroC
• Not a cryptographic hash WORD doubleOne
• FNV offset basis constant is present WORD len_out
• Modified version, but primitives can be identified DWORD len_in

• Created standalone implementation with ripr DWORD session0


DWORD session1
• Static code from Binary Ninja + Unicorn Engine
WORD unk
• 64-bits random looking prefix makes this a MAC  DWORD hash0
• Set by the client in payload upon first connect (SID=0, DWORD hash1
key=0) };
MESSAGE STRUCTURE
• 0x101 -> protocol version struct KASPY_IPC_REVERSED {
DWORD zero0
• Header parser behavior depends on this value DWORD zero4
• 0x100 - 0x101 DWORD zero8

• Timestamp DWORD
WORD
zeroC
version
• Length == 0x32 WORD len_out
DWORD len_in
DWORD session0
DWORD session1
WORD unk
DWORD hash0
DWORD hash1
DWORD time0
DWORD time1
};
MESSAGE CHECKS
• Four DWORD's are needed to accept the message for
further parsing
• 2 DWORD's as "session"
• 2 DWORD's as "integrity key"
• Current IDs/keys are stored in global structures in both
the high priv. (avp.exe) and low priv. (avpui.exe)
processes
• With self-defense bypass the secrets can be obtained
• Other options:
• Brute-force
• Pre-auth messages
• ???
DIA CÍME

BUGS
CODE REVIEW
• Remember that length check?
• It goes like this:

my_rpc_header_size_check() MOVZX EDX,word ptr [ECX + 0x16] ; len_out


...
• len_in: WORD @ 0x12 MOV EAX,dword ptr [ECX + 0x18] ; len_in
ADD EAX,EDX
• len_out: DWORD @ 0x14
CMP dword ptr [EBP + size],EAX
• len_in + len_out < rpc_msg->Size

• Pre-auth integer overflow


• I don't think it's exploitable (nor I am a pro exploit dev)
• Still quite telling…
FUZZING
„Any fuzzer at all, no matter how primitive, has a
better chance of finding a bug than an idle CPU core.” – Ben Nagy

• <20 LoC fuzzer in Python


• Replay mutated packets captured at
rpc_send_receive_server3()
• Patched out session/integrity checks with debugger
• Pre+post auth crashes in minutes
FUZZING

Attacker controlled
FUZZING
CONTROLLED MEMCPY
• The memcpy() in use wasn't identified as a library
function
• memcpy() doesn't open a stack frame
• Caller has stack canary
• Leak through arbitrary sized FNV preimage?
• Destination is a stack array right before the canary
• Can we do anything interesting with full control over the
array?
PROCEDURE CALLS
PROCEDURE CALLS
• We are in the old rpc_send_receive_server() now!
• Called from rpc_send_receive_server3()
• So much for "radical redesign"…
• func_addr is chosen from different function pointer
tables
• User chooses the table
• User chooses the offset
• Offset is bounds checked
FUNCTION TABLES
Typical function in the table:
void f(int param_1,int param_2,int param_3,int param_4,int param_5,int param_6,int param_7)
{
if (param_2 == -0xf000) {
(**(code **)(*(int *)DWORD_100739a0 + 0x14))(0xffff1000,param_3,param_5);
return;
}
(**(code **)(*(int *)(param_1 + 4) + 0x124))
(param_1,param_2,param_3,param_4,param_5,param_6,param_7,0xffffffff);
return;
}

• Can we control param1?


• Unlikely: Not present in the input stream
• First parameter is stored early in EDX in rpc_send_receive_server()
• Our memcpy() doesn't affect is
• Neither does any subsequent memory corruption
FUNCTION TABLES

undefined4 __cdecl call_param2(undefined4 param_1,int param_2)


{
int iVar1;
iVar1 = (**(code **)(*(int *)(DWORD_10077ad4 + 4) + 0x58))(DWORD_10077ad4,param_2);
if (-1 < iVar1) {
(**(code **)(*(int *)(param_2 + 4) + 0x5c))(param_2);
}
return 0;
}

Are we happy, Vincent?


DIA CÍME

EXPLOITATION
EXPLOITATION
THE GOOD THE BAD
• We are local… • Stack canaries
• ASLR ineffective • Thanks Tavis…
• Arbitrary computation • DEP
(dynamic shellcode, ROP, etc.)
• Losing session+keys at respawn
• AVP respawns
• Heap entropy still exists
• Pokemon exception handling
• Randomizing things before it was cool…
EIP CONTROL
• 4th WORD after header holds flags
• Needs proper setting to reach the table based call
• Next DWORD is the table offset
• What on Earth is this?
undefined4 __cdecl call_param2(undefined4 param_1,int param_2)
{
int iVar1;
iVar1 = (**(code **)(*(int *)(DWORD_10077ad4 + 4) + 0x58))(DWORD_10077ad4,param_2);
if (-1 < iVar1) {
(**(code **)(*(int *)(param_2 + 4) + 0x5c))(param_2);
}
return 0;
}
EIP CONTROL
• Looks like a method call on a global object
• Implementation in PRCORE.DLL
• The real deal is reached after multiple calls
• my_struct_checker()

undefined4 __cdecl call_param2(undefined4 param_1,int param_2)


{
int iVar1;
iVar1 = (**(code **)(*(int *)(DWORD_10077ad4 + 4) + 0x58))(DWORD_10077ad4,param_2);
if (-1 < iVar1) {
(**(code **)(*(int *)(param_2 + 4) + 0x5c))(param_2);
}
return 0;
}
STRUCT CHECKER
uint my_struct_checker(int ptr,dword char_out)
{
uint ptr1;

ptr1 = -(uint)(ptr != 0) & ptr - 0x4cU;


if ((ptr1 != 0) && ((char)char_out != 0)) {
char_out = 0;
(*__ptr_check_param1)(ptr1 + 0x54, &char_out,4,0);
if ((char_out == 0) || (char_out != ptr1 + 0x58)) {
ptr1 = 0;
}
}
return ptr1;
}
STRUCT CHECKER
int my_check_param1(byte *ptr, byte *char_out, int ctr4)
{
int iVar1;
int *in_FS_OFFSET;
undefined local_14 [16];

iVar1 = *in_FS_OFFSET;
*(undefined **)in_FS_OFFSET = local_14;
while (ctr4 != 0) {
*char_out = *ptr;
ctr4 = ctr4 + -1;
char_out = char_out + 1;
ptr = ptr + 1;
}
*in_FS_OFFSET = iVar1;
return 0;
}
STRUCT CHECKER
• I used dynamic analysis + VM snapshots to keep
heap addresses constant
• If it works, it's not stupid!
• These functions get hit all the time
• Must single-step from rpc_send_receive_server()
• Struct checker performs basic sanity checks
• Param2 has to survive multiple dereferences
• Provide self-referencing pointers
STRUCT CHECKER
• Sent 20K packages with self-referencing pointers,
then the trigger packet
• Still based on predictable heap addresses + VM snapshots
• Checks passed -> EIP overwritten \o/
• EIP value read from an address after the checked
struct values -> Possible to control!
• How?

WE NEED TO SPRAY THE HEAP!


HEAP SPRAY
• Tests showed that packet sizes are limited (~2K)
• Parsed buffers are freed by my_rpc_msg_handler()
• Hooked HeapAlloc in IAT via KD
• Terribly slow…
• Physical page offsets?
• Patched PythonForWindows so it won't check sizes or
wait for replies
• Managed to spray my packets over a 78K, non-continuous
space :P
• Let's read up again on this ALPC thingy…
HEAP SPRAY

Alex Ionescu already did it!


(duh!)
HEAP SPRAY
ALPC HEAP SPRAY STRATEGY
• ALPC allows passing large messages • Allocate 256M memory in our process
via shared memory • Use the ALPC layer directly to send
• DataView's RPC message
• Unmapped after use (RPCRT4), • PythonForWindows has example code
but can be arbitrary large! • Share the 256M mapping
• Virtual base addresses will differ • Brute-force base address in avp.exe
between client and server • Read access violations are handled :D
• Offset inside allocation is known • 2-3 tries in practice
HEAP SPRAY
Trigger SELFPTR SELFPTR SELFPTR SELFPTR
Spray SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
Spray 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef
0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef
256M

0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef


Spray 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef

Landing zone
Spray


ROP CHAIN
ESI ->
Trigger SELFPTR SELFPTR SELFPTR SELFPTR
Spray SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
Spray ROP1 ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
Spray ROP1 ROP1 ROP1 ROP1

ROP1: ESP<-ESI (+POPs); RET 10


Spray
ROP CHAIN
ESI ->
Trigger SELFPTR SELFPTR SELFPTR SELFPTR
Spray ROP2 SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
Spray ROP1 ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
Spray ROP1 ROP1 ROP1 ROP1

ROP1: ESP<-ESI (+POPs); RET 10


ROP2: ESP += 0x18
Spray
ROP CHAIN
ESI ->
Trigger SELFPTR SELFPTR SELFPTR SELFPTR
Spray ROP2 SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR ROP3
Spray WinExec ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
Spray ROP1 ROP1 ROP1 ROP1

ROP1: ESP<-ESI (+POPs); RET 10


ROP2: ESP += 0x18
Spray ROP3: POP EBX
ROP CHAIN
ESI ->
Trigger SELFPTR SELFPTR SELFPTR SELFPTR
Spray ROP2 SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR ROP3
Spray WinExec ROP4 Command ROP1
ROP1 ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
Spray ROP1 ROP1 ROP1 ROP1
Command is sprayed at every 0x10000
ROP1: ESP<-ESI (+POPs); RET 10
ROP2: ESP += 0x18
Spray ROP3: POP EBX
ROP4: POP EDI
ROP CHAIN
ESI ->
Trigger SELFPTR SELFPTR SELFPTR SELFPTR
Spray ROP2 SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR SELFPTR
SELFPTR SELFPTR SELFPTR ROP3
Spray WinExec ROP4 Command ROP5
ROP1 ROP1 ROP1 ROP1
ROP1 ROP1 ROP1 ROP1
Spray ROP1 ROP1 ROP1 ROP1
Command is sprayed at every 0x10000
ROP1: ESP<-ESI (+POPs); RET 10
ROP2: ESP += 0x18
Spray ROP3: POP EBX
ROP4: POP EDI
ROP5: PUSH EBX; CALL EDI
DIA CÍME

DEMO
DIA CÍME

OUTRO
COORDINATED DISCLOSURE?
If these are your priorities…
COORDINATED DISCLOSURE?
If these are your priorities…
COORDINATED DISCLOSURE?
If these are your priorities…
COORDINATED DISCLOSURE?
If these are your priorities…
COORDINATED DISCLOSURE?
If these are your priorities…

… you are not a charitable organization.


BUG BOUNTY?
• Research value > Bounty value
• Unrealistic scoping doesn't
encourage researchers
• Client-side exploits?
• Dependencies?
• Limited impact
• Local
• Needs self-defense bypass
• PoC to be released a bit later
CONCLUSIONS
RESULTS TIPS
• Self-defence does hide exploitable • This is just the tip of the iceberg
attack surface • Other parses
• Self-defense bypasses are useful • Other vendors!
• Attack from two ends • Neat ideas in other IPC research
• Look into persistence, code injection (browsers)
techniques • Gamozolabs, Ned Williamson+NiklasB,
• Kaspersky IPC parsers are fragile etc.

• Local exploits are easy, despite • Fuzzing is a metal detector


mitigations • Interesting code > Unexploitable bugs
THANK YOU!
BÁLINT VARGA-PERKE
[email protected]

@buherator

@SilentSignalHU

You might also like