
Anatomy of a Remote Kernel Exploit (Dartmouth Edition)

Dan Rosenberg

Copyright © 2011 Virtual Security Research, LLC. All Rights Reserved.
Who am I?

▪ Security consultant and vulnerability researcher at Virtual Security Research in Boston
▫ App/net pentesting, code review, etc.
▫ Published some bugs
▫ Rooted a few Android phones
▫ Focus on Linux kernel
▫ Research on kernel exploitation and mitigation
Agenda
▪ Motivation

▪ Challenges of remote exploitation

▪ Prior work

▪ Case study: ROSE remote stack overflow


▫ Exploitation
▫ Backdoor

▪ Future work

Motivation

Why am I giving this talk?

Why Remote Kernel Exploits?

▪ Instant root
▫ No need to escalate privileges

▪ Remote userland exploitation is hard!


▫ Full ASLR + NX/DEP
▫ Sandboxing
▫ Reduced privileges

Goals of This Talk

▪ Explore operating system internals from the perspective of an attacker

▪ Discuss kernel data structures and subsystems

▪ Exploit development methodology

▪ Individual bugs vs. exploit techniques

▪ Discuss next steps for kernel hardening
Challenges of Remote Kernel Exploitation

Wait, so you mean this is kind of hard?
Warning: Fragile

▪ Consequence of failed remote userland exploit:


▫ Crash application/service, wait until restarted
▫ Crash child process, try again immediately

▪ Consequence of failed remote kernel exploit:


▫ Kernel panic, game over

Lack of Environment Control

▪ Typical local kernel exploit:


▫ Can trigger allocation of heap structures
▫ Can trigger calling of function pointers
▫ High amount of information leakage available to local
users

▪ Remote kernel exploit:

▫ ?
Primer: Process vs. Interrupt Context
▪ System calls occur in “process context”:
▫ Kernel is executing code, but is associated with
userland process
▫ Has credentials, network/filesystem namespace, etc.

▪ On Linux, asynchronous events (e.g. network data)


occur in “interrupt context”:
▫ Network driver generates hardware interrupt
▫ Kernel dispatches data to appropriate softirq handler
▫ No userland process associated with execution
▫ On Linux, associated with softirqd kernel thread

Escape From Interrupt Context

▪ End goal: userland code execution (remote shell)


▫ How do we get there?
▫ No process backing execution

▪ Need to transition
▫ Interrupt context to process context to userland

Prior Work

What's been done before?

A Few Statistics

▪ 18 known exploits for 16 vulnerabilities


▫ 19 authors
▫ 9 with full public source code
▫ 3 with partial or PoC source

▪ Wide range of platforms


▫ Solaris and OS X still need some remote love

By Operating System

[Pie chart: Windows, Linux, *BSD, NetWare; visible counts 8, 3, 2]
By Vulnerability Class

[Pie chart: Stack Overflow (12), Heap Overflow, Array Indexing]
By Year

[Bar chart of exploits per year, 2002 to 2011]
Highlights

▪ Barnaby Jack: Step into the Ring 0 (August 2005)


▫ First publication on remote kernel exploitation
▫ Transition to userland and kernel backdoor

▪ Sinan Eren: GREENAPPLE (May 2006)


▫ First remote kernel exploit in Immunity CANVAS

Highlights (cont.)

▪ hdm, skape, Johnny Cache (November 2006)


▫ Broadcom, Dlink, and Netgear wifi drivers
▫ First remote kernel exploits in Metasploit

▪ Alfredo Ortega, Gerardo Richarte: OpenBSD IPv6 mbuf overflow (April 2007)
▫ First public remote kernel heap overflow
▫ Bypasses userland NX
Primer: NX (Non-Executable Pages)
▪ Pages have permissions: read, write, execute
▫ Initially, on Intel chips, page table entries only
supported read and write flags
▫ Read implied executable

▪ Before long, realized this was a bad idea


▫ Malicious data can be executed as code!

▪ NX is implemented using 63rd bit of page table entry:


▫ Natively supported on 64-bit platforms
▫ Supported on PAE CPUs (need hardware + software)
▫ Emulated in userland by kernel

Highlights (cont.)

▪ Kostya Kortchinsky: MS08-001 (January 2008)


▫ Immunity CANVAS
▫ First publicized remote Windows kernel pool overflow

▪ sgrakkyu: sctp-houdini (April 2009)


▫ First remote Linux sl*b overflow
▫ Introduced vsyscall trick to transition from interrupt
context to userland

Primer: Linux Virtual Syscalls
▪ On x86-64 machines, Linux supports “virtual syscalls”
▫ Three system calls that can be implemented entirely
in userland: gettimeofday, getcpu, time

▪ Trapping to kernel mode is relatively expensive


▫ Check CPL, switch stack, store trap frame, reload %cs
and %ss

▪ Faster to just stay in userland

▪ “vsyscall” page accomplishes this by mapping a page exported by the kernel into every userland process
So What Was That Trick?
▪ Sgrakkyu realized this is a good attack vector

▪ vsyscall page is a shadowed mapping: read-write version in kernel memory, read-execute in user memory

▪ In interrupt context, we can write into the kernel mapping of this page, overwriting a virtual syscall

▪ Now every userland process will execute our userland shellcode whenever they call a virtual syscall!
Observations
▪ Majority stack overflows, but none dealt with NX kernel
stack
▫ Let's fix that

▪ No Linux interrupt context stack overflows


▫ sgrakkyu and twiz showed us how in Phrack 64, let's
do it in real life

▪ Wireless drivers suck


▫ Six 802.11 remote kernel exploits

Building the Exploit

Or: How I Learned to Stop Worrying and Love the Ham
Target: 32-bit x86 PAE Kernel

▪ Kernel has NX support (CONFIG_DEBUG_RODATA)
▫ Only enforced on PAE (32-bit) or 64-bit kernels

▪ Can't execute first-stage shellcode on kernel stack

▪ Can't introduce code into userspace without proper page permissions

▪ No vsyscall trick for easy transitions
Test Setup

▪ Attacker and victim VMs (Ubuntu 10.04)

▪ Debugging using KGDB over virtual serial port (host pipe)

▪ BPQ (AX.25 over Ethernet)

▪ Except for glue code, exploit written entirely in x86 assembly
Famous Last Words

Debian Security Advisory DSA-2240-1:

Dan Rosenberg reported two issues in the Linux implementation of the Amateur Radio X.25 PLP (Rose) protocol. A remote user can cause a denial of service by providing specially crafted facilities fields.
Intro to ROSE

▪ Rarely used amateur radio protocol

▪ Provides network layer on top of AX.25's link layer

▪ Uses 10-digit addresses and AX.25 callsigns

▪ Static routing only

CVE-2011-1493

▪ On initiating a ROSE connection, parties exchange facilities (supported features)

▪ FAC_NATIONAL_DIGIS allows host to provide list of digipeaters

▪ Parsing for this field reads length value from frame and copies digipeater addresses without bounds checking, causing a stack overflow
Sad Code :-(
...
l = p[1];
...
else if (*p == FAC_NATIONAL_DIGIS) {
    fac_national_digis_received = 1;
    facilities->source_ndigis = 0;
    facilities->dest_ndigis = 0;
    /* l comes straight from the frame; nothing bounds it against the digis arrays */
    for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
        if (pt[6] & AX25_HBIT)
            memcpy(&facilities->dest_digis[facilities->dest_ndigis++],
                   pt, AX25_ADDR_LEN);
        else
            memcpy(&facilities->source_digis[facilities->source_ndigis++],
                   pt, AX25_ADDR_LEN);
    }
}
...
Constraint #1

▪ The seventh byte of an AX.25 address is AND'd with AX25_HBIT (0x80) if it's a destination digipeater
▫ Otherwise, treated as a source digipeater

▪ Every seventh byte of our payload needs to be consistently greater or less than 0x80, or we'll copy into the wrong array

▪ Requires manual tweaking
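The bounds checks the "Sad Code" slide lacks, shown in a hardened user-space rewrite of the FAC_NATIONAL_DIGIS loop. This is an added example, not the kernel's code and not the upstream fix; the facility code value, the ROSE_MAX_DIGIS capacity and the sample facility bytes are constructed for the example. The same seventh-byte AX25_HBIT test that Constraint #1 describes decides which array an address lands in, so the per-array check has to sit on that branch, and a length that is larger than the frame (the 0xff case) is rejected before any copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define AX25_ADDR_LEN       7
#define AX25_HBIT           0x80
#define ROSE_MAX_DIGIS      8      /* per-array capacity assumed for this example */
#define FAC_NATIONAL_DIGIS  0xEF   /* stand-in facility code for this example */

typedef struct { uint8_t ax25_call[AX25_ADDR_LEN]; } ax25_address;

struct rose_facilities_struct {
    ax25_address source_digis[ROSE_MAX_DIGIS];
    ax25_address dest_digis[ROSE_MAX_DIGIS];
    unsigned int source_ndigis;
    unsigned int dest_ndigis;
};

/*
 * Parse one FAC_NATIONAL_DIGIS facility. p points at the facility code byte,
 * p[1] is the peer-supplied length, and digipeater addresses start at p + 2.
 * `remaining` is how many bytes of the frame really exist from p onwards.
 * Returns 0 on success, -1 if the facility is malformed or would overflow.
 */
int parse_national_digis(const uint8_t *p, size_t remaining,
                         struct rose_facilities_struct *f)
{
    if (remaining < 2 || p[0] != FAC_NATIONAL_DIGIS)
        return -1;

    size_t l = p[1];

    /* Check 1: the claimed length must lie inside the bytes actually received. */
    if (l > remaining - 2)
        return -1;

    /* Check 2: whole addresses only, and never more than both arrays can hold. */
    if (l % AX25_ADDR_LEN != 0 || l > 2 * ROSE_MAX_DIGIS * AX25_ADDR_LEN)
        return -1;

    f->source_ndigis = 0;
    f->dest_ndigis = 0;

    for (const uint8_t *pt = p + 2, *end = p + 2 + l; pt < end; pt += AX25_ADDR_LEN) {
        /* AX25_HBIT in the seventh byte selects the destination array (Constraint #1). */
        if (pt[6] & AX25_HBIT) {
            /* Check 3: per-array bound, tested before the copy, not after. */
            if (f->dest_ndigis >= ROSE_MAX_DIGIS)
                return -1;
            memcpy(&f->dest_digis[f->dest_ndigis++], pt, AX25_ADDR_LEN);
        } else {
            if (f->source_ndigis >= ROSE_MAX_DIGIS)
                return -1;
            memcpy(&f->source_digis[f->source_ndigis++], pt, AX25_ADDR_LEN);
        }
    }
    return 0;
}

/* Constructed sample addresses: "W1AW" shifted left one bit, as AX.25 encodes it. */
#define DEST_DIGI 0xAE, 0x62, 0x82, 0xAE, 0x40, 0x40, 0xE0  /* seventh byte has AX25_HBIT set */
#define SRC_DIGI  0xAE, 0x62, 0x82, 0xAE, 0x40, 0x40, 0x60  /* seventh byte has AX25_HBIT clear */

/* Constructed sample facilities (not captured traffic). */
static const uint8_t sample_good[] = { FAC_NATIONAL_DIGIS, 21, DEST_DIGI, SRC_DIGI, DEST_DIGI };
/* Claims 255 bytes of addresses but only 21 follow: the shape of the crashing frame. */
static const uint8_t sample_bad_len[] = { FAC_NATIONAL_DIGIS, 0xff,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
/* Length fits the frame, but nine destination digipeaters exceed one array. */
static const uint8_t sample_too_many[] = { FAC_NATIONAL_DIGIS, 63,
    DEST_DIGI, DEST_DIGI, DEST_DIGI, DEST_DIGI, DEST_DIGI,
    DEST_DIGI, DEST_DIGI, DEST_DIGI, DEST_DIGI };

/* Parse a sample; returns -1 on rejection, else (dest_ndigis << 4) | source_ndigis. */
int run_sample(const uint8_t *fac, size_t len)
{
    struct rose_facilities_struct f;
    if (parse_national_digis(fac, len, &f) != 0)
        return -1;
    return (int)((f.dest_ndigis << 4) | f.source_ndigis);
}

int main(void)
{
    printf("good frame:      %d\n", run_sample(sample_good, sizeof sample_good));
    printf("length 0xff:     %d\n", run_sample(sample_bad_len, sizeof sample_bad_len));
    printf("nine dest digis: %d\n", run_sample(sample_too_many, sizeof sample_too_many));
    return 0;
}
```

The order of the checks matters: the length is compared against the bytes actually received before it is used as a loop bound, and each array's counter is compared against its capacity before the memcpy that would use it as an index.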
Plan of Attack

Get EIP → Unrestricted code execution → Install kernel backdoor → Restore and recover
Triggering the Bug

▪ Fairly trivial

▪ Modify ROSE facilities output functions to craft frame with overly large length field for FAC_NATIONAL_DIGIS, followed by lots of NOPs (0x90)
Evil ROSE Frame

[ ROSE header ] [ Facilities: Total len = XX ] [ 0x00 FAC_NATIONAL ] [ FAC_NATIONAL_DIGIS, Length = 0xff ] [ 0x9090... ]
Got EIP
▪ Recompile ROSE module, reload, and use rose_call to initiate connection to target

▪ Overflowed softirq stack (interrupt handler)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1456]
0x90909090 in ?? ()
(gdb) i r
eax            0x0          0
ecx            0xde3a5f3c   -566599876
edx            0x296        662
ebx            0x90909090   -1869574000
esp            0xd11e199c   0xd11e199c
ebp            0x90909090   0x90909090
esi            0x90909090   -1869574000
edi            0x90909090   -1869574000
eip            0x90909090   0x90909090
eflags         0x10286      [ PF SF IF RF ]
cs             0x60         96
ss             0x68         104
ds             0x9090007b   -1869610885
es             0x9090007b   -1869610885
fs             0xffff       65535
gs             0xffff       65535
How to Execute Code?

▪ Traditionally, return into shellcode on stack

▪ Problem 1: we don't know where we are
▫ Trampolines are easy

▪ Problem 2: softirq stack is non-executable
Primer: Registers
▪ x86-32 has several general purpose registers:
▫ %eax, %ebx, %ecx, %edx, %esi, %edi

▪ Some have “traditional” uses


▫ %eax is return code
▫ %ecx is a counter
▫ %esi/%edi are source and destination of copy

▪ Special registers: %esp (stack pointer), %ebp (frame


pointer), %eip (instruction pointer)

Primer: Calling Convention

▪ How do we invoke functions?


▫ Traditionally, put arguments on stack (%esp), and
issue a “call” instruction

▪ Different in kernel mode:


● First argument in %eax
● Second in %edx
● Third in %ecx
● Others on stack

Primer: ROP
▪ We control the return address and data at %esp

▪ Each return will direct execution to address at stack pointer and increment it

▪ Chain together function epilogues (“gadgets”) to perform arbitrary computation

▪ Relies on homogeneity of distribution (binary) kernels and lack of randomization
▫ Choose gadgets that are more likely to appear in constant locations across kernels
Making our Stack Executable
▪ Kernel has nice function to do this for us:
▫ set_memory_x()

▪ Calling convention has arguments in registers

▪ ROP stub steps:
▫ Load (%esp & ~0xfff) into %eax
▫ Load 4 into %edx
▫ Call set_memory_x()
▫ Jump into stack

static unsigned long rop_stub[] = {
    /*1*/ PUSH_ESP_POP_EAX,
    /*4*/ 0xffffffff,
          0xffffffff,
    /*3*/ 0xffffffff,
          ALIGN_EAX,
    /*2*/ 0xffffffff,
          0xffffffff,
    /*1*/ RET,
    /*4*/ POP_EDX,
          0x00000004,
    /*3*/ 0xffffffff,
          0xffffffff,
    /*2*/ 0xffffffff,
          0xffffffff,
    /*1*/ RET,
    /*4*/ SET_MEMORY_X,
          JMP_ESP,
};
Overcoming Space Constraints

▪ We now have traditional shellcode executing on the softirq stack!

▪ Problem: length is limited to 0xff (255), minus what we've already used

▪ Not enough room for a useful payload
Needle in a Haystack
▪ Full ROSE frame is intact somewhere on the kernel heap

▪ Pointer to a memory region containing our socket data lives on the stack

▪ Walk up the stack, following kernel heap pointers

▪ Search general area for tag included in ROSE frame

▪ Mark it executable and jump to it
What Now?

▪ We can execute arbitrary-length payloads now!

▪ Goal: install kernel backdoor in ICMP handler
Primer: Linux Networking
▪ What happens when network data is received?

▪ Hardware magic happens, driver layer (linux/drivers/net) receives low-level frame

▪ Driver identifies “this is an IP packet”, sends to network layer (linux/net/ipv{4,6})

▪ Network layer checks “what protocol is this” (TCP, UDP, ICMP, etc.) and dispatches to appropriate protocol handler (linux/net/*)
Protocol Handlers
/* Array of network protocol structure */
const struct net_protocol __rcu *inet_protos[MAX_INET_PROTOS] __read_mostly;

/* Definition of network protocol structure */
struct net_protocol {
    int (*handler)(struct sk_buff *skb);
    void (*err_handler)(struct sk_buff *skb, u32 info);
    ...
};

/* Standard well-defined IP protocols. */
enum {
    IPPROTO_IP = 0,    /* Dummy protocol for TCP */
    IPPROTO_ICMP = 1,  /* Internet Control Message Protocol */
    ...
};
Hooking ICMP
▪ Storage on softirq stack
▫ Already executable, safe, persistent

▪ Copy hook and address of original ICMP handler
▫ We'll need this later

▪ Handler is in read-only memory
▫ Flip write-protect bit in %cr0 register

▪ Write address of our hook into ICMP handler function pointer
Hooked In

inet_protos[]:
  IPPROTO_IP
  IPPROTO_ICMP  ──►  net_protocol:
  ...                  handler      ──►  hook:
                       err_handler         <hook>:   push edi
                       ...                 <hook+1>: push esi
                                           <hook+2>: push ebx
                                           <hook+3>: push eax
                                           ...

                     icmp_rcv (original handler):
                                           <icmp_rcv>:   push ebp
                                           <icmp_rcv+1>: mov ebp,esp
                                           <icmp_rcv+3>: push edi
                                           <icmp_rcv+4>: push esi
                                           ...
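A defender-side counterpart to the hook on the Hooking ICMP and Hooked In slides: a baseline check over a function-pointer table, of the kind rootkit detectors run against inet_protos or the syscall table. This is an added example, not code from the talk; the handler functions, the table contents and the planted_hook stand-in are constructed for the example, and a real checker would compare against symbol addresses from System.map or vmlinux rather than against a snapshot taken at runtime.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_INET_PROTOS 256
#define IPPROTO_ICMP    1

/* Same shape as the kernel's struct net_protocol on the Protocol Handlers slide. */
struct net_protocol {
    int  (*handler)(const void *skb);
    void (*err_handler)(const void *skb, uint32_t info);
};

/* Stand-in handlers, constructed for this example. */
static int  icmp_rcv(const void *skb)                { (void)skb; return 0; }
static void icmp_err(const void *skb, uint32_t info) { (void)skb; (void)info; }
static int  planted_hook(const void *skb)            { (void)skb; return 0; }

static struct net_protocol icmp_protocol = { icmp_rcv, icmp_err };
static const struct net_protocol *inet_protos[MAX_INET_PROTOS];

/* Snapshot of every pointer reachable from the table, taken while it is trusted. */
struct table_baseline {
    uintptr_t handler[MAX_INET_PROTOS];
    uintptr_t err_handler[MAX_INET_PROTOS];
};

void take_baseline(const struct net_protocol *const *table, struct table_baseline *b)
{
    for (int i = 0; i < MAX_INET_PROTOS; i++) {
        b->handler[i]     = table[i] ? (uintptr_t)table[i]->handler     : 0;
        b->err_handler[i] = table[i] ? (uintptr_t)table[i]->err_handler : 0;
    }
}

/*
 * Compare the live table against the baseline. Returns the number of entries
 * whose handler or err_handler changed; *first_bad receives the lowest such
 * protocol number, or -1. A pointer written into a net_protocol struct, as on
 * the Hooking ICMP slide, shows up here as a changed entry for that protocol.
 */
int verify_table(const struct net_protocol *const *table,
                 const struct table_baseline *b, int *first_bad)
{
    int changed = 0;
    *first_bad = -1;
    for (int i = 0; i < MAX_INET_PROTOS; i++) {
        uintptr_t h = table[i] ? (uintptr_t)table[i]->handler     : 0;
        uintptr_t e = table[i] ? (uintptr_t)table[i]->err_handler : 0;
        if (h != b->handler[i] || e != b->err_handler[i]) {
            if (*first_bad < 0)
                *first_bad = i;
            changed++;
        }
    }
    return changed;
}

/* Register the constructed ICMP handler in an otherwise empty table. */
static void setup_table(void)
{
    memset(inet_protos, 0, sizeof inet_protos);
    icmp_protocol.handler = icmp_rcv;
    icmp_protocol.err_handler = icmp_err;
    inet_protos[IPPROTO_ICMP] = &icmp_protocol;
}

/* Scenario 1: untouched table. Returns the first tampered protocol number, -1 if none. */
int scenario_clean(void)
{
    struct table_baseline b;
    int first_bad;
    setup_table();
    take_baseline(inet_protos, &b);
    verify_table(inet_protos, &b, &first_bad);
    return first_bad;
}

/* Scenario 2: the ICMP handler pointer was redirected after the baseline was taken. */
int scenario_hooked(void)
{
    struct table_baseline b;
    int first_bad;
    setup_table();
    take_baseline(inet_protos, &b);
    icmp_protocol.handler = planted_hook;   /* the change a detector must catch */
    verify_table(inet_protos, &b, &first_bad);
    return first_bad;
}

int main(void)
{
    printf("clean table:  first tampered entry = %d\n", scenario_clean());
    printf("hooked table: first tampered entry = %d (IPPROTO_ICMP)\n", scenario_hooked());
    return 0;
}
```

The check catches the slide's technique because it compares the pointer values themselves, so it does not matter that the hook's code lives on the softirq stack or that %cr0 was flipped to make the write possible; a complementary check is to require every handler address to fall inside the kernel's text range, which a hook stored on a stack fails by construction.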
Time to Rebuild...

▪ We've destroyed large portions of the softirq stack

▪ How can we keep the kernel running?
Cleaning Up the Locks

▪ ROSE protocol is holding two spinlocks
▫ If we don't release these, the ROSE stack will deadlock soon

▪ Problem: ROSE is a module, we don't know where the locks live
Needle in a Haystack, Again
▪ Global modules variable: linked list of loaded kernel
modules

▪ A plan!
▫ Follow linked list until we find ROSE module
▫ Read module structure, find start of .data section
▫ Scan .data section for byte pattern of two
consecutive spinlocks (distinctive signature)
▫ Release them

Preemption Woes
▪ Preemption count must be consistent with what the kernel is expecting, or scheduler will...

...complain and fix it for you?!

if (unlikely(prev_count != preempt_count())) {
    printk(KERN_ERR "huh, entered softirq %u %s %p"
           "with preempt_count %08x,"
           " exited with %08x?\n", vec_nr,
           softirq_to_name[vec_nr], h->action,
           prev_count, preempt_count());
    preempt_count() = prev_count;
}

▪ Let's avoid that warning...
Has Anybody Seen a Preemption Count?
▪ Preempt count lives at known location in thread_info struct, at base of kernel stack:

struct thread_info {
    struct task_struct *task;          /* main task structure */
    struct exec_domain *exec_domain;   /* execution domain */
    __u32 flags;                       /* low level flags */
    __u32 status;                      /* thread synchronous flags */
    __u32 cpu;                         /* current CPU */
    int preempt_count;                 /* 0 => preemptable, <0 => BUG */
    ...
};

▪ Decrement it and we're done
Unwinding the Stack
▪ Stack is partially corrupted from overflow

▪ Need to restore it to recoverable state

▪ Walk up stack from current location until we match a signature of a known good state

▪ Adjust ESP to good state, and return

[Stack diagram: “Overflow” region at the bottom; unwind to frame boundary]
Refresher: What Have We Achieved?
▪ Trigger the overflow, gain control of EIP

▪ Leverage ROP to mark softirq stack executable, jump into shellcode

▪ Search for intact ROSE frame on kernel heap, mark executable, jump into it

▪ Install kernel backdoor by hooking ICMP handler

▪ Do some necessary cleanup and unwind stack for safe return from softirq
Kernel Backdoors
for Fun and Profit

(Insert “backdoor” joke)

What About That Backdoor Part?

▪ Whenever an ICMP packet is received, our hook is called

▪ Check for magic tag in ICMP header

▪ Two distinct types of packets
▫ “Install” packets contain userland shellcode
▫ “Trigger” packets cause shellcode to execute

▪ May be sent independently
▫ Install payload, trigger it repeatedly at later date
Backdoor Strategy

▪ Problem: ICMP handler also runs in softirq context
▫ Want userland code execution

▪ Phase 1: transition to kernel-mode process context

▪ Phase 2: hijack userland control flow
Backdoor Phase 1

Phase 1 steps: Install userland payload → Hook system call → Continue execution

▪ Check for magic tag and packet type

▪ If “install” packet, copy userland payload into safe place (softirq stack)
Transition to Process Context

▪ If “trigger” packet, need to transition to process context

▪ Easiest way: hook system call
Primer: System Calls
▪ Userland process invokes a system call (read, write, fork, etc.)

▪ Traditional mechanism is int 0x80 (more recently everything uses sysenter/syscall)

▪ Index into Interrupt Descriptor Table, check privileges

▪ Invokes handler specified by IDT (syscall entry point)

▪ Syscall entry point parses arguments, indexes into syscall table, and calls appropriate system call handler
System Call Hijacking
▪ How to find system call table at runtime?
▫ sidt instruction retrieves IDT address
▫ Find handler for INT 0x80 (syscall)
▫ Scan function for byte pattern calling into syscall table

▪ Read-only syscall table
▫ More flipping write-protect bit in %cr0

▪ Store original syscall handler for later, write address of hook into syscall table
Carry On...

▪ Want working ICMP stack

▪ Call original ICMP handler
Backdoor Phase 2

▪ We've copied userland payload to kernel memory

▪ Some process comes along and calls our hooked system call...

▪ Need to hijack process for userland code execution
Only Root, Please

Phase 2 steps: Check root privileges → Inject userland payload → Divert userland execution → Continue execution

▪ Only interested in root processes

▪ How to verify?
▫ thread_info → task_struct → cred
▫ Unstable, annoying...
System Calls from Kernel Mode?

▪ System calls are extremely useful abstractions
▫ Friendly interface, kernel does most of the work

▪ Poll: is it possible to call system calls via INT 0x80 from kernel mode?
▫ Tally your votes...
System Calls from Kernel Mode!

▪ Most system calls will work when called from kernel

▪ Stack switch only occurs on inter-PL interrupts
▫ Based on CPL vs. DPL of GDT descriptor
▫ Happens on int and iret

▪ When called from kernel mode, just an ordinary intra-PL interrupt
Exceptions (No Pun Intended)

▪ Doesn't work quite right with some system calls
▫ Some require pt_regs (per-thread register) structure
▫ Assumptions about state of stack at time of system call

▪ fork, execve, iopl, vm86old, sigreturn, clone, vm86, rt_sigreturn, sigaltstack, vfork
Checking for Root

▪ Easy: load %eax with 0x18 (getuid), INT 0x80

▪ Check %eax (return code) for 0

▪ If not zero, call original syscall handler for hooked function

▪ If zero, unhook syscall and continue payload
Lethal Injection

▪ Kernel stack contains pointer to saved userland %esp

▪ Copy userland payload from kernel memory to userland stack
Let it Run...

▪ Userland stack is non-executable (NX)

▪ Call mprotect syscall via INT 0x80 to mark userland stack executable
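The page-permission model from the NX primer can be audited from user space by reading the permission column of /proc/<pid>/maps: a stack that has been made executable, as the mprotect step on this slide does, shows up as an rwxp mapping, which a process obeying W^X never has. This is an added example, not code from the talk; the sample maps listing is constructed, and the live read of /proc/self/maps only happens in main and only where /proc exists.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* One line of /proc/<pid>/maps: "start-end perms offset dev inode [path]" */
struct map_region {
    unsigned long start, end;
    char perms[5];      /* e.g. "rwxp" */
    char path[256];     /* empty for anonymous mappings */
};

/* Parse one maps line. Returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct map_region *r)
{
    r->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %*x %*s %*u %255s",
                   &r->start, &r->end, r->perms, r->path);
    return n >= 3 && r->end > r->start;
}

/* 1 if the mapping is both writable and executable, 0 if not, -1 if unparsable. */
int line_is_wx(const char *line)
{
    struct map_region r;
    if (!parse_maps_line(line, &r))
        return -1;
    return (r.perms[1] == 'w' && r.perms[2] == 'x') ? 1 : 0;
}

/*
 * Count W+X regions in a whole maps listing and print each one found.
 * A process obeying W^X reports zero; an executable stack or heap is listed.
 */
int count_wx_regions(const char *maps_text)
{
    size_t len = strlen(maps_text);
    char *copy = malloc(len + 1);          /* strtok modifies its input */
    if (!copy)
        return -1;
    memcpy(copy, maps_text, len + 1);

    int count = 0;
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        struct map_region r;
        if (parse_maps_line(line, &r) && r.perms[1] == 'w' && r.perms[2] == 'x') {
            printf("W+X mapping %lx-%lx %s %s\n", r.start, r.end, r.perms, r.path);
            count++;
        }
    }
    free(copy);
    return count;
}

/* Constructed sample listing (not from a real process): only the stack is rwx. */
static const char sample_maps[] =
    "08048000-08049000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "08049000-0804a000 rw-p 00001000 08:01 1234 /usr/bin/demo\n"
    "b7f00000-b7f21000 rw-p 00000000 00:00 0 [heap]\n"
    "bffeb000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("sample listing: %d W+X region(s)\n", count_wx_regions(sample_maps));

    /* Live check of this process, when /proc is available (Linux). */
    FILE *fp = fopen("/proc/self/maps", "r");
    if (fp) {
        char buf[16384];
        size_t n = fread(buf, 1, sizeof buf - 1, fp);
        buf[n] = '\0';
        fclose(fp);
        printf("this process:   %d W+X region(s)\n", count_wx_regions(buf));
    }
    return 0;
}
```

Run periodically against the processes you care about (or wired into a monitoring agent), a non-zero count on a process that should never have executable writable memory is the user-space symptom of the permission change this slide performs.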
It's a Diversion!
▪ Need to redirect userland control flow

▪ Kernel stack contains pointer to saved userland %eip

▪ Give original saved %eip to userland shellcode for later

▪ Overwrite pointer with address of payload on userland stack
Keep on Running

▪ Want hijacked process to keep running

▪ Jump to original handler for hijacked system call
Userland Payloads

▪ Use your imagination!
▫ Connect-back root shells work just fine

▪ Payloads are prefixed with stub that keeps hijacked process running
▫ Fork new process
▫ Child runs shellcode
▫ Parent jumps to original saved %eip
ROSE Exploitation Demo

Future Work

No, this isn't a perfect exploit.

Hard-Coding
▪ Advantages over signatures / fingerprinting
▫ Reliability vs. portability

▪ On PAE kernel, ROP gadgets seem unavoidable
▫ Minimize number of ROP gadgets
▫ Minimize hard-coding of other data structures

▪ On non-PAE kernel, situation is better
▫ Can survive with one JMP ESP (if you know saved EIP offset)
▫ Partial overwrites or spraying possible
Future Work: Offense

▪ Remote fingerprinting of kernel
▫ Automatic generation of ROP gadgets

▪ Exploiting other packet families
▫ IrDA, Bluetooth, X.25?

▪ Finding that TCP/IP bug that breaks the Internet
Future Work: Defense
▪ Randomize kernel base at boot
▫ Prevents code reuse (e.g. ROP) remotely in absence of remote kernel memory disclosure

▪ Fuzz and audit networking protocols more rigorously

▪ Inline functions that alter page permissions directly (prevent easy ROP)

▪ Policies on preventing page permission modification after initialization
Thanks To...

▪ Ralf Baechle

▪ Nelson Elhage

▪ Kees Cook

▪ twiz, sgrakkyu

Questions?
E-mail: drosenberg@vsecurity.com
Twitter: @djrbliss

Company:
http://www.vsecurity.com

Personal:
http://www.vulnfactory.org

Exploit code:
https://github.com/djrbliss/rose-exploit

