Living Off the Kernel Land: Developing Post-Exploitation Kernel Threat

Alonso Candado Sánchez, Euskalhack IV, June 21, 2019


WHOAMI

Alonso Candado Sánchez

- Security Software Engineer at Countercraft

- @alonso.candado on twitter

- Interested in:
  - Low level development
  - Malware research
  - Reversing
  - Kernel exploitation

- What?

- Why?

- How?

Living off the land

• Agenda:

• Introduction

• kernel threat loader

• Living off the Land features

• Conclusions

Introduction

Introduction

- History

- Kernel Threats

Introduction

History:

• PatchGuard: 2005, x64, XP SP3

• Driver Signature Enforcement (DSE): x64, 2007

Introduction: kernel threats 1

- TDL4 (2010):
  • Bootkit component
  • Modifies a Boot Configuration Data option to disable DSE

- Turla/Uroboros (2009-2013):
  • VirtualBox exploit (CVE-2008-3431)
  • Overwrites the global system variable (ntoskrnl!g_CiEnabled) controlling DSE behavior
  • Bypasses PatchGuard by hooking the KeBugCheckEx API

- Derusbi (2013):
  • First version 2008
  • NICM.SYS exploit (CVE-2013-3956), driver signed by Novell
  • g_CiEnabled modification

- Grayfish (2013):
  • Equation Group rootkit
  • Bypasses DSE with a bootkit component: overwrites the hard disk firmware so that it contains an infected VBR

- DuQu 2.0 (2015):
  • Exploits win32k.sys

- Remsec (2016):
  • Exploits a vulnerability in the Agnitum driver called Sandbox.sys
  • IOCTL which calls ZwLoadDriver

- Slingshot APT (2018):
  • Exploit in Sandra.sys (CVE-2010-1592)
  • Exploit in CVE-2007-5633
  • Writes MSR registers and restores the original value

Introduction: kernel threats 2

kernel threat loader

• Workflow

• Exploitation

• Practical example

• Conclusions

Kernel threat loader

Kernel threat loader : workflow

- SMEP

- SMAP

- KASLR

- VIRTUALIZATION BASED SECURITY (VBS):
  • Prevents MSR register modifications
  • SMEP cannot be disabled
  • Only signed kernel pages can become executable (HVCI)
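Added here as a defender's baseline check, not part of the talk or of any project it cites: a read-only PowerShell script that reports the conditions the loaders above rely on, namely BCD switches that weaken DSE (the TDL4 approach), whether VBS/HVCI is actually running, and which running drivers are not Microsoft OS binaries (the validly signed third-party driver class these loaders abuse), for review against vendor advisories. It assumes Windows 10 or later, an elevated prompt, and the documented Win32_DeviceGuard CIM class; the function names are my own.

```powershell
# Added defender-side check, not code from the talk. Read-only; run elevated on Windows 10+.

function Get-BcdIntegrityFlags {
    # bcdedit prints "testsigning  Yes" / "nointegritychecks  Yes" only when the option is set.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    [pscustomobject]@{
        TestSigning       = [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
        NoIntegrityChecks = [bool]($bcd | Select-String -Pattern '^\s*nointegritychecks\s+Yes' -Quiet)
    }
}

function Get-VbsStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ([int[]]$dg.SecurityServicesRunning -contains 2)
    }
}

function Get-NonOsRunningDrivers {
    # Running kernel drivers whose Authenticode signature is not a Microsoft OS binary.
    # Third-party drivers counter-signed by Microsoft (WHQL/attestation) still appear here,
    # which is intended: the drivers abused in the talk were all validly signed.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise "\??\C:\..." and "\SystemRoot\..." forms to a plain Win32 path.
            $path   = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status } else { 'Unknown' }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Name = $_.Name; Path = $path; SigStatus = $status
                IsOSBinary = [bool]$sig.IsOSBinary; Signer = $signer
            }
        } | Where-Object { -not $_.IsOSBinary }
}

$bcd = Get-BcdIntegrityFlags
if ($bcd.TestSigning -or $bcd.NoIntegrityChecks) { Write-Warning "BCD weakens DSE: $bcd" }
$vbs = Get-VbsStatus
if (-not $vbs.HvciRunning) { Write-Warning 'HVCI not running: unsigned kernel pages may become executable' }
Get-NonOsRunningDrivers | Sort-Object SigStatus, Name | Format-Table -AutoSize
```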

Kernel threat loader : exploitation 1

Kernel threat loader : exploitation 2

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf

Kernel threat loader : exploitation 3

https://www.coresecurity.com/content/virtualbox-privilege-escalation-vulnerability

- Driver is open to communication from any arbitrary process

- Lacks buffer validation

- Uses METHOD_NEITHER

- Write-What-Where vulnerability

1. Target IOCTL

2. Write target value

3. Target buffer: nt!g_CiEnabled

VIRTUALBOX EXPLOIT:

• SUP_IOCTL_COOKIE I/O.

• SUP_IOCTL_LDR_OPEN: get ring 0 buffer

• SUP_IOCTL_LDR_LOAD: load the shellcode into the ring 0 buffer

• SUP_IOCTL_SET_VM_FOR_FAST

• SUP_IOCTL_FAST_DO_NOP

Summary: vulnerability + abuse the insecure logic

Kernel threat loader : exploitation 4

Kernel threat loader : exploitation 5

A vulnerable driver: lesson almost learned (2018)

How not to use a driver to execute code with kernel privileges

• Anti-cheat driver bandainamcoonline.sys

Kernel threat loader : exploitation 6

https://securelist.com/elevation-of-privileges-in-namco-driver/83707/

Kernel threat loader : exploitation 6

Conclusions

Practical Example

Kernel threat loader : practical example 1

- Logical components:
  • Payload
  • Shellcode builder
  • PE loader

Kernel threat loader : practical example 2

Kernel threat loader : practical example 3

- Kernel Loader:
  • Reflective loader
  • Actions:
    • Map sections
    • Apply relocations
    • Resolve imports
    • IoCreateDriver, which calls the payload's DriverEntry

Kernel threat loader : practical example 4

Kernel threat loader : practical example 3

- Shellcode builder:
  • Get the address of the DriverLoader export from the payload
  • Get MmGetSystemRoutineAddress (bypasses KASLR)
  • Build the shellcode
  • Send the IOCTL to the vulnerable driver

Kernel threat loader : practical example 5

- Shellcode (stage 1):
  • Resolve dependencies/context in order to load a new PE and launch a new driver
  • Copy the driver buffer to NonPagedPoolExecute memory
  • Get PsCreateSystemThread
  • Launch a new thread: entry point DriverLoader, parameter Context

DEMO

Living off the land features

• Kernel keylogger

• Kernel backdoor

• Remote backdoor that does not bind new sockets

• Registering SMB handle

• https://github.com/zerosum0x0/smbdoor

• Hypervisor capabilities

Conclusions

Questions?