A few weeks ago j00ru visited me and, as one might expect, some more or less interesting ideas came up. One of them was to use the x86 Call-Gate mechanism in kernel/driver exploit development on Windows; more precisely, to use a write-what-where condition to convert a custom LDT entry into a Call-Gate (this can be done by modifying just one byte, the descriptor's access/type byte) and then use that Call-Gate to elevate code execution from user land to ring 0. The idea was turned into a few PoC exploits and, finally, into the paper presented below.
But first, I would like to thank Unavowed for the great amount of time he spent correcting the English in the paper, and also for converting the paper to LaTeX (we started with OO.org, then converted it to Word 2007, and finished with the paper in LaTeX). I would also like to thank Agnieszka 'Sorrento Aishikami' Zerka for English-checking the paper in parallel :)
GDT and LDT in Windows kernel vulnerability exploitation by Matthew "j00ru" Jurczyk and Gynvael Coldwind
PDF: call_gate_exploitation.pdf (680KB)
PoC: ldtsource.zip (13kb) (the file is also attached to the PDF)
Content:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments
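To make the one-byte conversion from section 4 concrete, here is an added example written for this page (it is not code from the paper or from its PoC package) in plain C that models the x86 descriptor layout the technique relies on. It plans an ordinary ring-3 LDT segment descriptor whose limit and base fields already spell out a target selector:offset, then performs the single-byte overwrite of the access byte (byte 5) that turns the very same eight bytes into a present, DPL=3, 32-bit Call-Gate, and decodes both views. The payload address 0x00401000 and the ring-0 code selector 0x0008 are assumed illustrative values; nothing here touches a real LDT or a Windows API, and whether an OS's LDT-setting API accepts a descriptor with such a base and limit is a separate, OS-specific question outside this snippet.

```c
#include <stdint.h>
#include <stdio.h>

/* One raw 8-byte x86 descriptor, exactly as stored in a GDT/LDT slot. */
typedef struct { uint8_t b[8]; } desc_t;

/* Access byte of a 32-bit call gate: P=1, DPL=3, S=0, type=1100b.
 * DPL=3 is what allows ring-3 code to far-CALL through the gate. */
#define ACCESS_CALL_GATE_DPL3 0xEC
/* Access byte of a present, DPL=3, readable code segment (S=1, type=1010b). */
#define ACCESS_CODE_DPL3      0xFA

/* Plan a plain segment descriptor whose bytes other than byte 5 already
 * encode the call gate we want, so that a single store to byte 5 makes the
 * same 8 bytes decode as a gate to selector:offset.
 *   gate offset 15..0  <- segment limit 15..0          (bytes 0-1)
 *   gate selector      <- segment base  15..0          (bytes 2-3)
 *   gate param count   <- segment base  23..16         (byte 4, kept 0)
 *   gate offset 23..16 <- limit 19..16 + G/D/L/AVL     (byte 6)
 *   gate offset 31..24 <- segment base  31..24         (byte 7) */
static desc_t plan_gate_entry(uint32_t offset, uint16_t selector)
{
    desc_t d;
    d.b[0] = (uint8_t)(offset);
    d.b[1] = (uint8_t)(offset >> 8);
    d.b[2] = (uint8_t)(selector);
    d.b[3] = (uint8_t)(selector >> 8);
    d.b[4] = 0;                       /* base 23..16 = 0 -> param count 0 */
    d.b[5] = ACCESS_CODE_DPL3;        /* still an ordinary ring-3 segment */
    d.b[6] = (uint8_t)(offset >> 16);
    d.b[7] = (uint8_t)(offset >> 24);
    return d;
}

/* The write-what-where step: one byte store turns the segment into a gate. */
static void patch_to_call_gate(desc_t *d)
{
    d->b[5] = ACCESS_CALL_GATE_DPL3;
}

/* Two views of the same 8 bytes, before and after the patch. */
typedef struct { uint32_t base, limit; int dpl, present, is_code; } segment_view_t;
typedef struct { uint32_t offset; uint16_t selector; int dpl, present, params; } gate_view_t;

static int is_call_gate(const desc_t *d)
{
    return (d->b[5] & 0x1f) == 0x0c;   /* S bit clear and type == 1100b */
}

static segment_view_t decode_segment(const desc_t *d)
{
    segment_view_t v;
    v.limit   = d->b[0] | (d->b[1] << 8) | ((d->b[6] & 0x0f) << 16);
    v.base    = d->b[2] | (d->b[3] << 8) | (d->b[4] << 16) | ((uint32_t)d->b[7] << 24);
    v.dpl     = (d->b[5] >> 5) & 3;
    v.present = d->b[5] >> 7;
    v.is_code = (d->b[5] & 0x18) == 0x18;   /* S=1 and type bit 3 set */
    return v;
}

static gate_view_t decode_call_gate(const desc_t *d)
{
    gate_view_t v;
    v.offset   = d->b[0] | (d->b[1] << 8) | (d->b[6] << 16) | ((uint32_t)d->b[7] << 24);
    v.selector = (uint16_t)(d->b[2] | (d->b[3] << 8));
    v.params   = d->b[4] & 0x1f;
    v.dpl      = (d->b[5] >> 5) & 3;
    v.present  = d->b[5] >> 7;
    return v;
}

/* Self-check: plan, patch, decode; 1 when the gate points where we planned. */
static int roundtrip_ok(uint32_t offset, uint16_t selector)
{
    desc_t d = plan_gate_entry(offset, selector);
    if (is_call_gate(&d)) return 0;         /* must start as a plain segment */
    patch_to_call_gate(&d);
    gate_view_t g = decode_call_gate(&d);
    return is_call_gate(&d) && g.present && g.dpl == 3 && g.params == 0 &&
           g.offset == offset && g.selector == selector;
}

int main(void)
{
    /* Assumed illustrative values: a user-mode payload at 0x00401000 and
     * selector 0x0008 (the flat ring-0 code segment on 32-bit Windows). */
    desc_t d = plan_gate_entry(0x00401000u, 0x0008);
    segment_view_t s = decode_segment(&d);
    printf("before: segment base=%08x limit=%05x dpl=%d code=%d gate=%d\n",
           s.base, s.limit, s.dpl, s.is_code, is_call_gate(&d));

    patch_to_call_gate(&d);
    gate_view_t g = decode_call_gate(&d);
    printf("after:  call gate %04x:%08x dpl=%d params=%d gate=%d\n",
           g.selector, g.offset, g.dpl, g.params, is_call_gate(&d));
    return roundtrip_ok(0x00401000u, 0x0008) ? 0 : 1;
}
```

Note that byte 6 carries the segment's G/D/B/L/AVL flags in its high nibble, so those flag bits are dictated by bits 20..23 of the desired gate offset (here D/B=1 because of the 0x40 in 0x00401000), and byte 4 becomes the gate's parameter count, which is why the planned base keeps bits 16..23 zero.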
All comments are most welcome, both here and on j00ru's blog! :)
Update (17 January 2010, 19:32 GMT+1): We've found out that one of the PoC exploits in the source package contained some old experimental code instead of the new one. It's fixed now. Sorry about that :)
MD5 of the old/bugged (ldt)sources.zip / pdf: 95f1b1551e34d7f28789fa17693f0c17 / 6cb745e451be165f49a66876557cb518
MD5 of the new fixed (ldt)sources.zip / pdf: 63657de78b1a2a35b46fc29aa8df81cf / 6840185722dc69048e0bf5434f19d5cb
Update 2: Indy on the woodmann.com forum started a very interesting discussion about the technical aspects of this method :)
// copyright © Gynvael Coldwind
// design & art by Xa
// logo font (birdman regular) by utopiafonts / Dale Harris
/* the author and owner of this blog hereby allows anyone to test the security of this blog (on HTTP level only, the server is not mine, so let's leave it alone ;>), and try to break in (including successful breaks) without any consequences of any kind (DoS attacks are an exception here) ... I'll add that I planted in some places funny photos of some kittens, there are 7 of them right now, so have fun looking for them ;> let me know if You find them all, I'll add some congratz message or sth ;> */
Vulns found in blog:
* XSS (pers, user-inter) by ged_
* XSS (non-pers) by Anno & Tracerout
* XSS (pers) by Anno & Tracerout
* Blind SQLI by Sławomir Błażek
* XSS (pers) by Sławomir Błażek
Comments:
I see a contradiction though: you state that "The actual problem with the majority of the techniques presented in the above publications is the fact that they are mostly based on undocumented, internal Windows behavior, that is not guaranteed to remain in the same form across system updates, service packs or respective system versions", which is true. However, although the LDT is a well-known x86 architecture artifact, the ways you use to obtain the required offsets seem to rely heavily on undocumented methods.
Anyway, good work!
You are right on one particular point, if you are referring to the third method presented in the paper ("Custom LDT goes User Mode"). Using NtQueryInformation / KPROCESS structure offsets cannot be considered ultra-compatible, indeed.
However, the main goal we wanted to achieve, stability, was the purpose of creating sections 4.1 and 4.2; the only Windows-dependent component there is the well-documented GetThreadSelectorEntry function. On the other hand, we also wanted to show that there is a great number of attack vectors related to GDT/LDTs in general, and all of them are worth researching / using in practical exploitation ;>