Scribd
Upload
115 views69 pages

Untitled

This document discusses exploiting write-what-where vulnerabilities in the Windows 10 Creators Update kernel to achieve arbitrary kernel read/write capabilities and kernel code execution. It covers history of kernel exploitation techniques on previous Windows versions, mitigations introduced in newer versions, and new primitive techniques discovered to bypass defenses, including leveraging bitmap objects, tagWND structures, page table entry overwrites, and allocating executable kernel memory.

Uploaded by

Robert Cooper
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
115 views69 pages

Untitled

This document discusses exploiting write-what-where vulnerabilities in the Windows 10 Creators Update kernel to achieve arbitrary kernel read/write capabilities and kernel code execution. It covers history of kernel exploitation techniques on previous Windows versions, mitigations introduced in newer versions, and new primitive techniques discovered to bypass defenses, including leveraging bitmap objects, tagWND structures, page table entry overwrites, and allocating executable kernel memory.

Uploaded by

Robert Cooper
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 69

TAKING WINDOWS 10 KERNEL

EXPLOITATION TO THE NEXT


LEVEL – LEVERAING WRITE-
WHAT-WHERE VULNERABILITIES
IN CREATORS UPDATE
Whoami
• Morten Schenk
• Security Advisor, Improsec ApS
• Twitter - @blomster81
• Blog - https://improsec.com/blog/
• GitHub - https://github.com/MortenSchenk
• What to expect from this talk
• Windows 10 Kernel Exploitation on Creators Update
• Lots of hex
• 0-days!
Agenda
• Brief look at Kernel Exploitation history
• Arbitrary Kernel Read/Write Primitive
• KASLR information leak
• De-randomizing Page Table Entries
• Dynamic Function Location
• Executable Kernel Memory Allocation
• Note on Win32k Syscall Filtering
Exploitation Concept
• Write-What-Where
• Vulnerability class
• Best case
• Write controlled value at controlled address
• Common case
• Write not controlled value at controlled address
• Leverage to obtain kernel-mode code execution
Kernel Exploitation History - Windows 7
• Kernel information leaks were available with NtQuerySystemInformation
Kernel Exploitation History - Windows 7
• NonPagedPool was executable

• Execute User-mode memory from Kernel-mode


• Window Function running in kernel mode

• Overwrite HalDispatchTable function table with user-mode address


Kernel Exploitation History - Windows 10
• Windows 8.1 and Windows 10 before Anniversary Edition.
• Kernel information leaks with APIs blocked from Low Integrity.
• NonPagedPoolNx is the new standard.
• Supervisor Mode Execution Prevention is introduced.
• Kernel-mode read / write primitive is needed.
• GDI bitmap primitive.
• tagWND primitive.
Kernel Exploitation History - Windows 10

• Information leak of Bitmap through GdiSharedHandleTable

• Overwrite Bitmap size using Write-What-Where


• Consecutive Bitmaps can create a primitive
• SetBitmapBits
• GetBitmapBits
Kernel Exploitation History - Windows 10
• Information leak of User-mode mapped Desktop Heap through
• ulClientDelta from Win32ClientInfo
• UserHandleTable from User32!gSharedInfo

• Overwrite cbWndExtra using Write-What-Where


• Consecutive Windows can create a primitive
• SetWindowLongPtr overwrites adjacent
tagWND.StrName pointer through ExtraBytes
• InternalGetWindowText
• NtUserDefSetText.
Kernel Exploitation History - Windows 10
• Page Table Entry overwrite is common vector
Kernel Exploitation History - Windows 10
• Windows HAL Heap was in many cases static at 0xFFFFFFFFFD00000
• Offset 0x448 contained a pointer to
ntoskrnl.exe
• Use kernel-mode read/write
primitive to get base address.
Windows 10 Version Naming Conventions
Public Name Version Microsoft Internal Name OS Build
Release To Market 1507 Thredshold 1 10240
November Update 1511 Thredshold 2 10586
Anniversary Update 1607 Redstone 1 14393
Creators Update 1703 Redstone 2 15063
Fall Creators Update 1709 Redstone 3 N/A
Windows 10 1607 Mitigations
• Randomizes Page Table Entries
• Removes kernel addresses from
GdiSharedHandleTable
• Breaks bitmap primitive address
leak
Windows 10 1607 Mitigations
• Limits the tagWND.strName to point inside Desktop heap.
• Breaks tagWND primitive
Locating Bitmap Object
• Bitmap objects are stored in the Large Paged Pool.
• Randomized on reboot
• Need a kernel information leak to locate
• Win32ThreadInfo in the TEB is close to the Large Paged Pool
Locating Bitmap Object
• Creating a number of large Bitmap objects stabilizes the Pool
• Large static offset will point into
Bitmaps
Locating Bitmap Object
• Delete the second large Bitmap object.
• Allocate ~10000 new Bitmap objects of 0x1000 bytes each.
• Will point to start of Bitmap object.
Locating Bitmap Object
• Overwrite sizelBitmap of leaked Bitmap
• Reuses two consecutive Bitmaps as previously


Write-Where-Where
simulation
tagWND R/W outside Desktop Heap
• Pointer verification is performed by DesktopVerifyHeapPointer.
• tagWND.strName must be
within the Desktop Heap
tagWND R/W outside Desktop Heap
• Desktop Heap address and size comes from tagDESKTOP object.
• No validation on tagDESKTOP pointer.
• Pointer is taken from header of tagWND.
• Find tagDESKTOP pointer and replace it.
• Control Desktop Heap address and size
during verification.
tagWND R/W outside Desktop Heap
• SetWindowLongPtr can overwrite
tagDESKTOP pointer.
• Verification succeeds everywhere.

Write-What-Where
simulation
Windows 10 1703 Mitigations
• UserHandleTable from User32!gSharedInfo is gone
• UserHandleTable contains Kernel-mode address of tagWND
• Windows 10 1607

• Windows 10 1703
Windows 10 1703 Mitigations
• ulClientDelta from Win32ClientInfo is gone
• Windows 10 1607

• Windows 10 1703
Windows 10 1703 Mitigations
• ExtraBytes modified by SetWindowLongPtr are moved to user-mode.
• Cannot overwrite adjacent tagWND.strName.
Windows 10 1703 Mitigations
• tagWND as Kernel-mode read/write primitive is broken again.
• Bitmap object header increased by 0x8 bytes.
• Change allocation size to retain allocation alignment.
• HAL Heap is randomized.
• No longer ntoskrnl.exe pointer at 0xFFFFFFFFFD00448.
tagWND Primitive Revival
• ulClientDelta in Win32ClientInfo has been replaced by user-mode
pointer

• Inspecting new pointer reveals user-mode mapped Dekstop Heap


tagWND Primitive Revival
• Manually search through Desktop heap to locate tagWND object
tagWND Primitive Revival
• Size of ExtraBytes is defined by cbWndExtra when Windows Class is
registered
• RegisterClassEx creates a tagCLS object
• tagCLS has ExtraBytes defined by
cbClsExtra
• SetWindowLongPtr sets ExtraBytes in
tagWND
• SetClassLongPtr sets ExtraBytes in tagCLS
tagWND Primitive Revival
• ExtraBytes from tagCLS are still in
the kernel
• Allocate tagCLS followed by tagWND.
• Use SetClassLongPtr to update
tagWND.strName
• Read/write kernel-mode primitive
is back
Kernel ASLR Bypass
• Almost all kernel memory is randomized.
• Shared System Page – KUSER_SHARED_DATA is static
• Located at 0xFFFFF78000000000.
• Not executable.
• Does not contain interesting pointers.
• HAL Heap is randomized
• SIDT is mitigated with VBS
• Need new ntoskrnl.exe information leak
Kernel ASLR Bypass
• KASLR bypass could be primitive related.
• Must work for Windows 8.1 and Windows 10 1507 to 1703.
• Need a bypass for each primitive.
• Must leak ntoskrnl.exe pointer.
Bitmap KASLR Bypass 0-Day
• Surface structure from REACTOS
Bitmap KASLR Bypass 0-Day
• PDEVOBJ structure from REACTOS

Function Pointer
Bitmap KASLR Bypass 0-Day

Bitmap hdev field is empty


Bitmap KASLR Bypass 0-Day
• Other Bitmap variants exist.
Bitmap KASLR Bypass 0-Day
• Free a Bitmap at offset 0x3000 from first Bitmap
• Spray CompatibleBitmaps to reallocate
Bitmap KASLR Bypass 0-Day
• Read cdd!DrvSyncronizeSurface pointer
• Find ntoskrnl.exe pointer
tagWND KASLR Bypass 0-Day
• tagWND structure from REACTOS
tagWND KASLR Bypass 0-Day
• Offset 0x2A8 of KTHREAD has ntoskrnl.exe pointer
Page Table Entry Overwrite
• Page Table Entries had static base address of 0xFFFFF68000000000
• Self-mapping references
De-randomizing Page Table Entries
• The kernel must lookup PTE’s often
• Must have API which works despite randomization
• MiGetPteAddress in ntoskrnl.exe
• Static disassembly uses old base address
• Dynamic disassembly uses randomized base address
De-randomizing Page Table Entries
• MiGetPteAddress contains
the randomized base address
• Locate MiGetPteAddress
dynamically using read primitive
De-randomizing Page Table Entries
• Locate hash value of MiGetPteAddress
• Leak PTE base address
De-randomizing Page Table Entries
• Write shellcode to KUSER_SHARED_DATA + 0x800
• Flip the NX bit of the page

• Call shellcode by overwriting HalDispatchTable and calling


NtQueryIntervalProfile
Dynamic Kernel Memory
• ExAllocatePoolWithTag allocates kernel pool memory

• Allocate NonPagedPoolExecute
pool memory
• Return pool memory
address
Dynamic Kernel Memory
• Need controlled arguments to call ExAllocatePoolWithTag
• NtQueryIntervalProfile takes two arguments
• Must have specific values to trigger HaliQuerySystemInformation
• Need a different system call
Dynamic Kernel Memory
• Enter NtGdiDdDDICreateAllocation

• Thin trampoline around NtGdiDdDDICreateAllocation


Dynamic Kernel Memory
• Win32kbase!gDxgkInterface is function table into dxgkrnl.sys

• Arguments are not modified from system call to function table call
Dynamic Kernel Memory
• Inspecting win32kbase!gDxgkInterface shows it to be writable
Dynamic Kernel Memory
• Need to dynamically locate win32kbase!gDxgkInterface
• Can be found in win32kfull!DrvOcclusionStateChangeNotify

• Need to leak win32kfull.sys


Dynamic Kernel Memory
• PsLoadedModuleList is doubly-linked list of
_LDR_DATA_TABLE_ENTRY structures.

• Search for Win32kful in Unicode at offset 0x60


Dynamic Kernel Memory
• Leak PsLoadedModuleList from KeCapturePersistentThreadState

• Get Win32kfull.sys base address


• Find win32kfull!DrvOcclusionStateChangeNotify
• Finally locate win32kbase!gDxgkInterface
Dynamic Kernel Memory
• Overwrite win32kbase!gDxgkInterface + 0x68 with
nt!ExAllocatePoolWithTag

• Copy shellcode to allocated page


• Execute it by overwriting win32kbase!gDxgkInterface again
Win32k Syscall Filtering
• Win32k Syscall Filtering is enabled in Microsoft Edge
• Blocks some Win32k System Calls to stop exploitation
Win32k Syscall Filtering
• Resolve function address from syscall number

• Win32k syscall filtering depends on entries in


win32k!pServiceTableFilter
Win32k Syscall Filtering
• Bitmap read/write primitive uses
• NtGdiCreateBitmap
• NtGdiGetBitmapBits
• NtGdiSetBitmapBits
• tagWND read/write primitive uses
• NtUserCreateWindowEx
• NtUserSetClassLongPtr
• NtUserDefSetText
• NtUserInternalGetWindowText
• None of these are filtered
Summary
• Kernel read/write primitives can still be leveraged with Write-What-
Where vulnerabilities
• Page Table randomization can be bypassed with ntoskrnl.exe
information leak
• Device Independent Bitmap can be used to leak ntoskrnl.exe
• tagWND can be used to leak ntoskrnl.exe
• Possible to allocate RWX pool memory with ExAllocatePoolWithTag
• Code on GitHub shortly - https://github.com/MortenSchenk
Credits
• Alex Ionescu - https://recon.cx/2013/slides/Recon2013-Alex%20Ionescu-
I%20got%2099%20problems%20but%20a%20kernel%20pointer%20ain%27
t%20one.pdf
• Alex Ionescu - http://www.alex-ionescu.com/?p=231
• Diego Juarez - https://www.coresecurity.com/blog/abusing-gdi-for-ring0-
exploit-primitives
• Yin Liang & Zhou Li - https://www.blackhat.com/docs/eu-16/materials/eu-
16-Liang-Attacking-Windows-By-Windows.pdf
• Nicolas Economou - https://www.coresecurity.com/blog/getting-physical-
extreme-abuse-of-intel-based-paging-systems-part-3-windows-hals-heap
• David Weston & Matt Miller - https://www.blackhat.com/docs/us-
16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

You might also like