2011-01-11:

Windows, drivers, GS cookies and 1 bit of entropy

windows:hacking:medium:gs cookies
After the CVE-2010-4398 (win32k.sys stack-based buffer overflow aka "UAC bypassing exploit" published on Code Project) was published a discussion appears on the net (at least on the Polish side of the net) whether the bug is exploitable on Windows XP. The problem on XP is that it has stack cookies (/GS cookies) which in this case were not present in other Windows versions. With j00ru we've looked into this issue, and found that the high entropy of the /GS cookies is questionable (at least in case of Windows drivers). Today, we publish the results of our research.

Research Paper:
Exploiting the otherwise non-exploitable - Windows Kernel-mode GS Cookies subverted
by Matthew "j00ru" Jurczyk & Gynvael Coldwind (EN)

Abstract:
Abstract: This paper describes various techniques that can be used to reduce the effective entropy of GS cookies implemented in a certain group of Windows kernel-mode executable images by roughly 99%, or otherwise defeat it completely. This reduction is made possible due to the fact that GS uses a number of extremely weak entropy sources, which can be predicted by the attacker with varying (most often - very high) degree of accuracy. In addition to presenting theoretical considerations related to the problem, the paper also contains a great amount of experimental results, showing the actual success / failure rate of different cookie prediction techniques, as well as pieces of hardware-related information. Furthermore, some of the possible problem solutions are presented, together with a brief description of potential attack vectors against these enhancements. Finally, the authors show how the described material can be practically used to improve kernel exploits’ reliability - taking the CVE-2010-4398 kernel vulnerability as an interesting example.

Timeline:
6 December 2010 - Initial e-mail to Microsoft informing that our research indicates that the ring-0 driver cookies are predictable.
6 December 2010 - Initial vendor response, confirming reception.
8 December 2010 - Second vendor response. Vendor was aware of the low entropy of the cookies and agrees that our approach is reasonable. Vendor statest that there are no plans for updating the mechanism in current versions of Windows, but will be considering it for future versions. Vendor did not request the paper to be released later than the authors originally planned.
4 January 2011 - Final "ping" to vendor. Some e-mails were exchanged, but delay in publishing was not requested.
11 January 2011 - The paper is published.

Thanks:
We would like to thank the following people for reviewing, commenting, and suggesting numerous improvements to the paper: Unavowed, Tavis Ormandy, Marc-Antoine Ruel, Carlos Pizano, Matt Miller and deus.

Have fun :)

P.S. The said bug is exploitable on Windows XP:


Comments:

2011-01-15 03:40:20 = Sab
{
Fantastic write and well done.
}

Add a comment:

Nick:
URL (optional):
Math captcha: 6 ∗ 7 + 4 =