csw2017 peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
TRANSCRIPT
Win32k Dark Composition
Attacking the Shadow Part of Graphic Subsystem
@360Vulcan Team
PengQiu(@pgboy)
SheFangZhong(@zhong_sf)
About Us
Members of the 360 Vulcan Team.
Windows kernel security researchers.
Pwn2Own winners 2016: pwned Chrome at Pwn2Own 2016; pwned Flash at Pwn2Own 2016.
PwnFest winners 2016: pwned Edge at PwnFest 2016; pwned Flash at PwnFest 2016.
Pwn2Own winners 2015: pwned IE at Pwn2Own 2015.
Agenda
Direct Composition Overview
0day & Exploitation
Fuzzing
Mitigation & Bypass
Direct Composition Overview
• High-performance bitmap composition graphics engine with transforms, effects and animations.
• Introduced in Windows 8.
• Works on top of DWM (Desktop Window Manager).
Direct Composition Architecture (diagram)
userland: dwmcore, dcomp, ...
kernel: DirectComposition (CApplicationChannel); visual (CExpressionMarshaler, CFilterEffectMarshaler, CScaleTransformMarshaler, ...); submit; DWM (Desktop Window Manager); DXGK (DirectX graphics kernel); call
Significant changes since Win10 RS1
• Kernel implementation changed.
• Interfaces changed: lots of interfaces removed (10+?); lots of functions have been rewritten, not to fix vulnerabilities; some interfaces added, e.g.:
• Before Win10 RS1: they existed independently, and some were in the win32k filter table.
• Since Win10 RS1: all included in
• This function is out of the Win32k filter list.
Why attack DirectComposition
• Reachable in AppContainer and outside the win32k filter.
• This part is implemented in C++ in the kernel.
• Introduced in Windows 8; it has never been a focus of other researchers, as far as we know!!!
Important functions
Channel Object
• Known as Device Object in the user interface.
• Owner of resources; used to create resources.
• pArgSectionBaseMapInProcess returns a batch buffer we need later.
Resource Object
• Known as a visual in the user interface.
• Similar to a win32k surface.
• It has a lot of types:
CScaleTransformMarshaler, CTranslateTransformMarshaler, CRectangleClipMarshaler, CBaseClipMarshaler, CSharedSectionMarshaler, CMatrixTransformMarshaler, CMatrixTransform3DMarshaler, CShadowEffectMarshaler, ...
Batch Buffer
• Associated with a channel.
• Returned from NtDCompositionCreateChannel.
• NtDCompositionProcessChannelBatchBuffer parses it.
• This function supports a lot of commands.
How to fuzz
• By default the probability is 1; we increase those functions' probability to 100.
• They need a channel: we give them one.
• They need a resource: we give them one.
• If we do not know what they want, we give them a random one.
0day & Exploitation
Resource Double Free (CVE-2017-XXXX)
Root Cause
Freeing the resource (visual)'s property buffer forgets to clear resource->DataBuffer, so the buffer is freed again when the resource itself is freed.
First time free
Second time free
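The root cause above, modelled as an added example (constructed for this page, not the win32k code): a resource that owns a property buffer, the reset path that frees the buffer but leaves resource->data_buffer dangling, the fixed path that clears it in the same step, and a small tracked allocator that reports the second free instead of corrupting the heap. The struct layout and names such as reset_property_vuln and run_lifecycle are assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of a DirectComposition resource (visual) that owns a
 * property buffer; field names are this example's, not win32k's. */
struct resource { void *data_buffer; size_t data_size; };
/* Tracked allocator: remembers live blocks so that a second free of the
 * same block is reported (returns false) instead of corrupting the heap. */
static void *live_blocks[16];
static int live_count;
static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL && live_count < 16) live_blocks[live_count++] = p;
    return p;
}

static bool tracked_free(void *p) {
    for (int i = 0; i < live_count; i++) {
        if (live_blocks[i] == p) {
            live_blocks[i] = live_blocks[--live_count];
            free(p);
            return true;
        }
    }
    return false; /* p is no longer live: this is the double free */
}
/* Vulnerable pattern from the slide: the property buffer is freed but
 * resource->data_buffer keeps the dangling pointer. */
static void reset_property_vuln(struct resource *r) {
    tracked_free(r->data_buffer);
    r->data_size = 0;
}
/* Fixed pattern: the owning pointer is cleared in the same step. */
static void reset_property_fixed(struct resource *r) {
    tracked_free(r->data_buffer);
    r->data_buffer = NULL;
    r->data_size = 0;
}
/* Resource teardown frees whatever data_buffer still points to. */
static bool destroy_resource(struct resource *r) {
    return r->data_buffer == NULL || tracked_free(r->data_buffer);
}

/* Reset then destroy one resource; false means a double free occurred. */
bool run_lifecycle(bool use_fix) {
    struct resource r = { tracked_alloc(32), 32 };
    if (use_fix) reset_property_fixed(&r); else reset_property_vuln(&r);
    return destroy_resource(&r);
}
```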
Exploitation
(Heap layout diagram: a row of slots Res1, Res2, Res3, Res4, ..., with ResY beside Res1.)
• First time free: free Res1 (ResY).
• Occupy the freed slot with a palette.
• Free the palette: second time free.
• Occupy the slot with ResX.
Modify palette->pEntries to what you want when occupying the palette with a resource buffer.
(Diagram: palette.pEntries overlaps ResX->DataBuf after occupying the slot a second time; content replace: palette.pEntries vs. bitmap.pScan0.)
Usually, overwrite palette1->pEntries with a bitmap address.
Read & write primitive.
Replace the process token, exploited.
Fix BSOD
• We finished privilege escalation, but BSOD when the process exits.
• There is still a double free of either the palette or ResX's DataBuffer, because they share the same kernel buffer.
• The double free happens when the process handle table is cleared at process exit.
• The palette handle is closed first, the resource handle next.
• So we must clear ResX->DataBuffer or remove the ResX handle from the handle table before the process exits.
Clear ResX->DataBuffer
• It's a binary tree structure; search the binary tree to find the channel the resource belongs to.
• The channel handle table is located at _EPROCESS->Win32Process->GenericTable.
(Diagram: GenericTable -> channel1 -> channel2, channel3 -> channel4, channel5.)
1. Locate the ResX address.
2. Locate the channel address.
Resource addresses are stored in the channel's resource table; the resource table in the channel is implemented as an array.
void *ptrNull = 0; AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull);
BagMarshaler Integer Overflow (CVE-2016-XXXX)
Root cause: integer overflow in the comparison dataOffset < DataSize - 0xc when DataSize < 0xc.
if (dwOffset < (DWORD)(0x1 - 0xc)) {
    if (DataBuffer[dwOffset] == 0x66) {
        DataBuffer[dwOffset + 0xc] = xxxx;
    }
}
• By default, this->DataBuffer == NULL && this->DataSize == 0.
• Write anywhere on an x86 system.
• Not so easy on an x64 system:
  1. this->DataBuffer must not be NULL
  2. this->DataSize < 0xC && this->DataSize != 0
  3. *(this->DataBuffer + inbuf->offset) == (0x45 or 0x66)
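The wrapped bounds check described above, as an added example (constructed for this page, not the win32k code): the vulnerable comparison with DataSize - 0xc beside a hardened form that refuses to subtract when the buffer is shorter than 0xc or absent, and the slide's handler shape placed behind the hardened check. The function names and the sample buffer are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ENTRY_SIZE 0xcu /* the 0xc the slide's check subtracts from DataSize */

/* Constructed 256-byte property buffer for the checks below. */
unsigned char sample_buffer[0x100];

/* Vulnerable check, as reconstructed from the slide: when data_size < 0xc
 * the unsigned subtraction wraps to a huge value and any offset passes. */
bool offset_ok_vuln(uint32_t data_size, uint32_t offset) {
    return offset < (uint32_t)(data_size - ENTRY_SIZE);
}

/* Hardened check: reject a missing buffer and a buffer shorter than one
 * entry before subtracting, so the comparison can no longer wrap. The
 * accepted range is exactly the one the original check intended. */
bool offset_ok_fixed(const void *data_buffer, uint32_t data_size, uint32_t offset) {
    if (data_buffer == NULL || data_size < ENTRY_SIZE) return false;
    return offset < data_size - ENTRY_SIZE;
}

/* The slide's handler shape behind the hardened check: the bytes at
 * [offset] and [offset + 0xc] are only touched once both are in bounds.
 * Returns false when the request is rejected. */
bool handle_property(unsigned char *data_buffer, uint32_t data_size,
                     uint32_t offset, unsigned char value) {
    if (!offset_ok_fixed(data_buffer, data_size, offset)) return false;
    if (data_buffer[offset] == 0x66) data_buffer[offset + ENTRY_SIZE] = value;
    return true;
}
```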
Exploitation:
1. this->DataBuffer must not be NULL: we could call CPropertyBagMarshaler::SetBufferProperty(...) with property == 2 to allocate a buffer, which is then stored in this->DataBuffer.
*(this->DataBuffer + inbuf->offset) == (0x45 or 0x66): spray lots of bufferX so that a bufferX ends up behind this->DataBuffer.
(Diagram: DataBuffer | bufferX | ...)
Calculate the inbuf->offset value; it must satisfy:
• (DataBuffer + offset) lands in bufferX (bufferX->Field1).
• bufferX->Field1 must be modifiable from user mode; set it to (0x45 or 0x66).
• (DataBuffer + offset + 0xc) lands in bufferX, and it must be exploitable.
(Diagram: DataBuffer | bufferX | ...; Offset and 0xc mark Field1 and Field2.)
Fortunately, we found that bitmap satisfies this case perfectly.
(Diagram: DataBuffer | bitmap | ...; Offset and 0xc mark Height and pScan0.)
Now bitmap->pScan0 has been changed to the value we set, so we got a read/write primitive: 1. GetBitmapBits(...) 2. SetBitmapBits(...)
Replace the process token, exploited!
Compiler Warning?
WARNING!!
Mitigation & Bypass
Read/Write ability object
1. tagWND abuse. Write what? tagWND.strName? (UNICODE_STRING) GetWindowText? NtUserDefSetText?
Unfortunately, the destination address is modified when written to; only the desktop heap range is legal.
Maybe 2014: Pwn2Own: KeenTeam used it once. HackingTeam leaked a 0day. Someone wrote it up in a public paper.
2015.3: Pwn2Own: we used it twice. Pwn2Own: KeenTeam used it once.
2016.3
2016.8
2. BITMAP abused
2016.10: We used the Accelerator object to guess the bitmap object address. Then we used it twice again at PwnFest. The CoreSecurity guys released a paper talking about it.
14393 vs 15xxx:
A new way
But only the objects which are allocated on the desktop heap: 1. Window 2. Menu 3. InputContext 4. CallProc
Limitation
But it is enough; I believe you guys could find something useful!!
We are just on the way. Thank you.