BlackHat 2011 – Kernel Attacks Through User-Mode Callbacks

this is windows hooks of death Colonel attacks through user mode callbacks with tar jae-min right so welcome to my talk like I said this is Colonel attacks reusable callbacks first a bit about myself I’m a security researcher at Norman I work as part of the malware detection team my interests are vulnerability research operating system internals I’ve also done some past work on Colonel exploitation in the context of the colonel pool windows 7 specifically I’ve also done some work on mitigations on for instance trying to mitigate null plan or exploitation on Windows so this talk is going to be about several vulnerability classes in Windows related to Windows hooks and use remote callbacks these eventually end up being several unique classes like milk Leonard references and use a pro priests they resulted in 44 patch privilege escalation vulnerabilities in ms 11 Oh 34 back in April and M is 11 0 54 last month and there was also several unannounced vulnerabilities that were also patched as part of the variant discovery process for us to understand all these bugs we need to go into several mechanisms specific to windows and key or the kernel itself and went 30 de caso a lot of the background material is going to be on that so this is the agenda we’ll start with a brief introduction move on to talk about win32 k the window manager specifically because that’s a lot that’s basically the component of winter decay that we’re concerned with and user mode callbacks we’ll look at several of the vulnerabilities we’ll look at their exploitability and we’ll also try to mitigate exploitation some of these issues and we’ll wrap up with some conclusive remarks in the end so just for a brief introduction to begin with so the windows GUI subsystem was traditionally all implemented in user mode and this was done as a client server process model client being the application the server being CSRs s in NT 4.0 a disturbed component was moved to kernel mode and this was what introduced win32 k dot says this was about 15 or 16 years ago so today when 30k manages both the window manager and the graphics device interface I’ll talk more about those later so user mode callbacks allows winter decay to make calls back into user mode to operate on user mode data and the reason it does this is too for instance invoke application define hooks provide event notifications or read and set properties in user mode structures it’s implemented the mechanism itself is implemented in empty executive so there’s an export that winter decay pulse and it’s pretty much working it’s pretty much a reverse system call so it’s about the opposite of what you would expect for first system call so you know sum up briefly win 30k uses a global locking design in creating a thread safe environments or the window manager does and this is presumably you know remnants of the old subsystem design so these callbacks actually interrupts colonel execution and thus allow winter DK structures and objects to be modified while you’re executing on user mode so if you don’t sufficiently checks for you know changes you could have a number of different vulnerability classes like I said earlier so there’s a you know there’s a few you know some interesting previous work in this field Thomas car near had a paper in uninformed some years ago on local protoje escalations in winter to UK this was actually on user mode callbacks but it was more on the validation of the data returned from the callback and not on the state of win 30k itself there was also some interesting vulnerabilities patched in last year the window creation wallet abilities and one of these actually was on changes so the the MS 1032 did not fit was a bug where d current or we’re being 32k did not

sufficiently revalidate the parent or a window after a call back so this was kind of like up the alley where where this research is going and Stefan I sir also had a talk this is not related to Windows kernel at all but it’s it was a similar bug class in which he had a privileged component that made calls back into a non-privileged context and he could change around on the privileged state so you know the goals of this talk is to show how user mode callbacks without very stringent checks may introduce several sub subtle vulnerabilities they will also try to show how such vulnerabilities can be exploited for instance using pool or heap manipulation and it will finally we’ll try to propose a method to generically mitigate null pointer dereference vulnerabilities so that was briefly on the contents so we’ll go over to winter decay so like I said earlier the older version of went through decay or windows itself or actually you know windows in general is a modified microkernel design meaning that file system network protocols and drivers you know where our role in kernel mode but in mt three-point 51 they followed a more pure microkernel pro which on the implementation of the GUI subsystem so this means that the window manager and GDI was implemented in user mode and even though that is might be slow in some contexts to use a lot of optimizations like share memory design sharing memory between the client and server process and using paired threads to to make the time slicing of context switching more efficient so you know this is what pretty much it looks like back then you had all those components and user mode and they had a limited executive services that you know did the necessarily colonel processing of this component so you know the drawbacks of this design was that you know even though you had all this code in user mode a lot of the graphics and the window subsystem relies on interacting with hardware so you’re still required to make calls to kernel mode so that was one of the reasons why hey why don’t we just do everything in kernel mode since you know since we have to make this in these system calls anyway and also you know the client-server interaction you know involves excessive thread and context switching so that was one of the fundamental drawbacks of this design and like I said they used the shared memory between the client and the server process so you know each paired thread had to have a 64k shared memory buffer and this you know turned out to be quite high in terms of memory requirements so in windows NT 4.0 they move these components or manually connect components to kernel mode so it is eliminated the need for shared buffers and paired threads you know there were way fewer threading context switches you know reduced memory requirements but they still use some performing tricks such as caching or mapping kernel mode structures into user mother and this is you know it’s good for performance but really a bad for you know exploitation or good for exploitation so you know in windows NT 4.0 fin CS RSS and today there’s even less because they moved up the console as well so so winter UK is really just the kernel component of the win32 subsystem like the graphics subsystem it implements the kernel side of the window manager the graphics device interface it provides also thanks to the rec tex interfaces and it has his own system call table so whenever you interact with this module you go through all of these system call tables so windows 7 there’s 800 entries so the attack surface is quite large so the window manager and its primary responsibilities is to control window displays it manages screen output collects input from keyboard and mouse it calls application define hooks passes the messaging between applications and it also manages the user objects which we’ll discuss later on so this is that this is the component that is taught focuses on the GDI interface or graphics device interface you know manages the and raw graphics output itself so it has a library of graphics functions that you

know that all the I user components call so it dis includes functions for a line text you know figure drawing graphics manipulation and you also have gi objects like brushes pens dc’s paths regions and you have AP eyes for video and print drivers as well GDI is pretty slow compared to Direct X so you know at some point it’s probably going to be replaced but you know as long as there’s backwards compatibility to worry about it’s not probably going to happen any time soon so that was briefly on winter decay we’ll we’ll talk about the window manager so these are you know the user objects are what builds up the managing components of the win32 subsystems so in all user handles like windows cursors menus are backed by their own objects and each of these objects has their own structures and user objects are indexed into a handle table that is maintained by win32 k so we’ll talk about that in a few slides all the objects they start with a common header known as the head structure and this holds the actual handle value and also a reference counts that tracks object use so this is a this is one of the vulnerability classes is on the reference count or missions mismanagement of the reference count there’s also additional fields defined if the object is owned by say a thread or process because then you want to know you know the context pointer to the thread or process objects so all the user objects they’re indexed like I said into a handle table that is defined per session so when I user logs in he gets its own session so you know all the handle information is for a session not tied to a desktop or anything its global for per user any pointer to this handle table is stored in a shared infrastructure and you can actually get this from user mode so you can do the users that are to dll export chi shared info you can the handle table from user mode and this is also because of optimization and each entry in the user handle table is resemble represented by a handle entry structure so we have a handle table with all the objects that is in use so each of these objects is represented by this structure so you have the pointer to the object itself you have a pointer to the owner and you have a type field that defines the type of the object you have flags that define how the object is used if it’s being destroyed or similar you have also a unique seed that they use to provide entropy to the handle valid value itself and the way to do this is that they increment the seed on each free of the object or an already handle table entry this doesn’t really work because the unique conquer is only 16 bits so you could easily wrap it and and a few tries so this is basically how that looks you have the pointer to the kernel memory or don’t object in the kernel memory and the one to the owner the object type and strive flags and you can easily dump this from user mode so user objects are stored and you know either the session pool the desktop heap or to share deep all of these are in kernel mode obviously the desktop heap and the shared heap are read-only mapped into a user address space so any process will have that you know invokes the GUI subsystem will have these memory map app being set up and this is to avoid the kernel transitions so you know objects associated with a particular desktop is stored in the desktop heap and the remaining objects are either stored and shared or the session pool so you know when you start a GUI application you’ll have these mappings set up so it’s quite easy to enumerate pointers to kernel memory if you want to do exploitation or inside anything like that so you have the shared section that contains the user handle table and a shared heap and each new desktop that thread is associated with it gets its own mapping into the process so it’s pretty young and all of this is because of performance to avoid making system calls so the shared section user mapping that contains the handle table and the

shared heap is set up when you load user32.dll so if you load library this dll it will you know notify CSR SS that will set up the mapping for for the process and the user handle table is located at the base of the shared section and this can like I said earlier be obtained in at least two ways either through the export in user32 or by calling this function to see it’s RSS and then CS RSS returns a pointer to through the handle table in user mode so we can easily you know make an application that dumps all these information you know without any privileges or anything so it’s yeah you know it’s it’s quite convenient when you overcome exploitation you get all this information for free so the desktop keep user mapping is set up for each thread so when 32k maps the associated desktop heap into the user mode process whenever you woke a new desktop or create a new desktop the information about the desktop heap is stored in its own structure so you get the the colonel address of the desktop heat from user mode as well and the way they do reason I do this is to compute the address of the user mode location out these objects so they take the pointer to the desktop heap in the kernel and they use a delta that is also readable from user mode and then they know the address of the user mode mapping because they don’t store pointers to user mode the only store pointers to kernel mode so that’s why you see all these kernel mode pointers when you poke around in the desktop keep so for them to look up you know other objects that you do this to find the right location in user mode so again we can we can do more we can we can look up objects we can inspect them we can you know see the window procedures the log count of the head structure etc so I’ll them it is later on so in on windows 7 there’s 21 different user object types so there’s actually there’s 22 including the freetype which is 0 and this also includes the attraction get gesture objects that we introduced in windows 7 and information on all these types are stored in something known as the handle type type information table and this isn’t mapped into use a mother but you can get if you look up this table and look at the structures you can you can find out the target memory location of each of these objects and also they reduce try routines so you know here’s the table of this is quite convenient to us you know you can see all the locality of all the objects who’s the owner so when you know the owner you know dr additional header structures for instance if it’s a thread structure our thread thread own i has a pointer to the thread infrastructure if it’s processed owned it’s as a point or two to process infrastructure so and all of these you know i like i said the session pool is not mapping to user mode so it’s and the ones that we have access to is really just the desktop heap and the shared keep objects so as you can see at the bottom we have two new objects in Windows 7 the touching church through types so you know what’s interesting about the window manager is that it does not exclusively lock each of these objects so when you try to use an object you would think that you know he had some mutual exclusion like a dispatch header or dispatcher header the object itself but it actually it locks the entire window manager so it has a global lock whenever it operates on these and these objects or any of the data structures in a new in winter UK so when you try to operate on a global data structure it is a exclusive lock if you know right operations are involved and otherwise it tries to use a shared lock so obviously if you’d only reach from the structures the shared lock is better because you don’t have to freeze up the entire subsystem so this was clear enough designed to be multi-threaded you know no two applications on separate desktops or actually separate window stations within the same session can process their message queue simultaneously it’s not possible because

of his model so you can see here that do you know how a function typically looks like when you try to invoke a win32 k system call the first one acquires a Sherlock well the second one acquires a exclusive lock and it although they don’t say shared lock they use the term critical sections so when a caught as I enter shared grit that mean that the acquire to share la quality while when you enter the user critical section that you exclusively lock this section so that’s nice so we’ll see how using mode callbacks tie into this first i’ll just go over what user mode callbacks actually are so in interacting with user mode data wayne 32k is required to make calls back into user mode and this led to the concept of usable callbacks the mechanism itself is like I said briefly in the introduction in que es remote call back in the antis kernel and it works like a reverse system call you know although there’s not a lot of research on this field there were some good papers and blog posts one by ivan lu foo and by thomas car near and you know this mechanism although used a lot and window measure it’s used extensively and user object handling itself so this is because a lot of our object store for instance data in user mode so the prototype for this function looks like this so wind 30 tak calls this function I provides an API number that is the index into the call that back table and user mode so when it transitions the transition back to user mode it looks up the pointer to this table and at that table is stored and user32.dll so this might may not make much sense but maybe this slide or the next slide will probably be better to look at I’ll just go through this first so in a system call you know a trap frame is stored on the kernel threads stack and this is to save context so when you return from the colonel you want to restore those registers so you know the user mode callback mechanism does the opposite it creates a new so this is in the kernel it creates a new track frame and fakes the eip so it sets the ipt eip to KI user callback dispatcher that then calls the user 32 function and it also you know cop stay input buffer to do use a Martin stack so it’s it’s it’s pretty straightforward one other thing to note is that in this mechanism on whiston windows 7 it switches the kernel stack on XP it usually growed you know the expanded the kernel stack while on windows 7 and wasted a they were some issues with that so they just switched it to another Colonel sec and then switch it back when you return so here you can see the on call back to the user mode call back ibooks up one of the functions so in this case the callback was an event call back so it calls into the application that set this event and then executes the code that user specifies and this is done any news remote so this is okay and then you return back to where you left off in the kernel using anti call back return and this you know reverses the sets up the original thread stack you know cleans up and and continues where left on left off so yeah the empty call back return is the function that returns think I already said this it also deletes the colonel call back stack up in completion and yet copies the result back to the colonel colonel thread stack so there’s some in a different applications of user mode callbacks like i mentioned in the introduction there’s you know use it for invoking application windows hooks providing event notifications copying data from user mode or to user mode and this is for instance used in DD handling hooks also allow users to execute code in response to certain events so you can say you want to hook invoked when you call a window procedure when you create a destroyer window when you process the keyboard mouse but so you can have the application be

notified about all these events so for instance if you create a window you can have a cbt hook that’s a computer-based training hook set up to inspect the properties and the orientation of the window and you can also change around on on the orientation of the windows so you know this is something beyond the application can do quite easily and upon returning you know this this kernel function will complete and then the handle is finally returned to to the application and yeah this is where it kind of goes wrong you have when you returning to this function you’re free to do whatever you want and yeah we’ll we’ll look at this in the next section so yes so on to the vulnerabilities so you’re probably wondering you know why why’s callbacks bad you know what about this global lock so you know the critical section whenever a callback is executed the colonel leaves this section and this is to you know be able to perform other two others bass tusks well well you know the user mode code is being executed and upon returning from the callback in odia it re-enters the critical section or reacquire the global launch and then you know you have to make sure that all the objects that you had or previously referenced in this function is still in the expected state so you know you could easily you can store before you can work a callback you can store a pointer to the parent or window so if you do a call back change the parent and in return and don’t sufficiently revalidate the parent of the window you could easily you know end up operating on freed memory or internal pointers or whatever so you know there’s obviously since user mode callbacks is so tied up to how Windows works they have to use some kind of scheme to to know when callbacks may be invoked or not so they use this function named decoration scheme so as all functions are either prefixed XXX or Z Z Z and this depends on how the function may invoke the callback so functions prefix xxx you know we’ll probably in most cases leave the critical section and invoke esma call back in some cases they may require a specific set of arguments but in most cases it probably will invoke a callback function is prefixed ZZZ Z they will typically invoke a deferred event call back and this is usually not a problem except you know it relies on this global value GDV or gdw deferred win events to be something else than no it’s no it will also invoke a callback that’s immediate so there were some issues with you know the naming scheme so you know not all these functions were labeled correctly so you know the programmer could assume that a Sims since a callback Snyder woke I don’t need to you know revalidate or love these objects or anything so you know for for patching em it’s 11 0 34 they also renamed some of these functions and you can easily you know locate undecorated functions in say by scripting and ida pro just look up cross-reference all the functions that potentially may call que es or would call back or exit the critical section and see if any of these functions are not decorated than as they should and it turns out that you know a lot of them still aren’t are not so it’s a lot of inconsistency in the naming so when you invoke a call back and have a reference to an object you expect that object to be valid when you return so what you have to do is you have to lock the object so the if you remember the Heather it had a lock count value that’s c-loc object a field so we basically need to increment that to prevent the object from being deleted there’s two ways of performing locking and that’s red locking and in Simon clocking so thread locking is usually used in the context to a thread so you have functions like thread lock and thread unlock if you look into this assembly you’ll usually see that you know these functions are in lined or at least the thread lock function is in mind so each thread lock entry is stored as atl

structure or thread lock structure and store on the list so so on you know if the programmer forgets to to unlock and the turn and thread terminates it will actually iterate through this list and free all the entries so you know this mechanism is you know quite quite good actually and this is how you would typically see that and win32 k so you know I see that the thread lock entry is added to the thread lock lists the lock count is incremented and then the XXX function is called I potentially may invoke a call back and then finally the thread lock is released so this is how it should be done you also have assignment locking so not all locking is performed in the context of a thread sometimes you want to have it in the context of our process or global to the system so this is these are the functions you use for that so if you have an initialize so basically you store a pointer to the object somewhere and if that pointer is already initialized they release the existing object reference and this this function our dysfunctionality does not provide the same safety net and so to speak that thread locking does because you know if thread terminates in a call back the thread termination code itself has to release these references individual individually if they fail to do this you know we might have some inconsistency in the LA County so you know any object expected to be valid after usable callback should be locked any object that no longer is used by a particular component should be unlocked orly release and like i said if you if you you know if you have mismanagement any either of these it could result in either no retention meaning that the object is released too early or you know we’re no release meaning that the object could never be free or the reference count could wrap in the worst case so you know it’s it’s quite easy to to understand that I guess so here you have the Absinthe locking the user mode function could potentially destroy the object and then the colonel resumes execution and keeps on using that object if it doesn’t check that sufficiently so there were some few cases there would actually i think in opera about 15 or 20 vulnerabilities related to object reference counting so you know in creating a window this was actually what i showed you earlier about the cbt hook you can adjust the orientation of a window using a cbet hook use you can also set the order like the arrangement of the window and the desktop like from top innermost outermost or and in provide and you do this by providing a handle to the window after which the new window handle this hat is inserted the problem with the dysfunction create window ex and went to k was that it did not sufficiently lock this object you just obtain a reference to the pointer to this window and then it would invoke subsequent callbacks in which you could potentially destroy this window and then kept on using it when linking it n to the c order handle lists so this is basically what that looked like you have the function that looks up the handle value and stores the or returns the colonel object pointer it does not lock this it just gets the colonel object planner stores it in a local variable you could do a callback destroy this window and then and this function would operate on freed memory here’s another one this was in keyboard layout objects so when you load a key a keyboard layout object you can optionally call this X function and what that does is that it tries to unload a handle that you first provide the problem with this was that win 30k did not again Lock this handle it simply got the pointer to the object so you can unload the that handle in a user mode call back and then the remaining code would you know operate on freed memory again so you could easily call like unload keyboard layout function provide

a handle to this that was provided here and then this function down here would operate on freed memory so you also have that was one of the vulnerability classes there’s also what I like to say or call object state validation so all objects and artists are assumed to be in a sour old objects assume to be in a certain state should always have their state validated and this usually involves like checking for initial ID pointers or are checking for flags or something like that and user mode callbacks you know could alter the state of the object properties so you know I dropped them and you could no longer be active and parent of the window has changed if you have a DD conversation you know the partner or the opposite party you could be terminated so there’s a lot of things you need to check even though you know you might think there is not much to check for so this was for another class of one abilities I think about 10 of them were in DD conversations they handling so dde or dynamic data exchange is the legacy protocol for passing data between applications so window still supports this and you know several functions did not sufficiently validate the changes that occurred after user mode callbacks so it did not specifically need not check for the pointer to the opposite party so you know that pointer could possibly be null so it would end up in a null pointer dereference so this is basically you know try to give an overview of how a DD conversation looks you have the client window does the post message or get message depending on the way this match is it messages past and then it has a specific or for certain DD functions or messages it does a call back to copy the data in from user mode because all these other data is stored in user mode so it will either copy data in from user mode or copy data out from user mode when ending up to the server so you know these copy data in or copy data out result in a callback and in in within that callback you could destroy the opposite party so in this case if you do that you would have a null pointer that was exploitable in most cases we’ll talk more about the exploitability after this section another class is on buffer reallocation so many objects you know have item arrays associate Lou balloon and these are in a dynamically sized buffers so we have for instance menu item arrays where when you insert an item it will you know I’m a certain for a certain threshold it will reallocate that memory this conserve memory this is this happens either when you insert or remove entries from the buffer if you you know remove all entries it will free the buffer and any buffer that can be reallocated in a call back you know has to be checked up on return and if you don’t do this you’ll have no there’s a high probability of ending up in a use a precondition so this basically sums up word it checks need to be performed so you get the number of item arrays you get a pointer to the array you look up the first item this should actually reevaluate the buffer pointer for each iteration then you operate on that item you might have a user mode call back in which you could resize the array itself and then when you return you know it usually check for if they if there’s more items and if you don’t revalidate the total one total number of items in the array you can be screwed as well so you know the lack of these checks could easily end up in vulnerabilities so there was a lot of them in menu item handling so menus they hold an arbitrary number of many items these like I said are stored in a dynamically size array and after using will call backs win32 k did not in any way validate shal changes in this array and there’s no way to lock in many items so they couldn’t do that and you know any of the XXX function is operating on a menu item

could potentially was potentially vulnerable and you know and that attacker could easily you know reallocate via call back or reallocate the buffer in a callback and trigger use-after-free so this is how how that looks you have the menu object that you create using these standard api’s create pop-up menu or create menu then you insert menu items and you know Flynn it and on creation of these on the first item you reserve space for eight items then on a ninth you will reallocate the array to hold an additional eight items so this is how that will look in this case you know you can see at the bottom that it does not revalidate the pointer it simply uses ebx or the register and assumes that no reallocation has been made it also stores the number of items before it enters the loop and it does not revalidate this no-count so failing to that you could corrupt adjacent memory this is also one of the classes timer check the time of use it’s kind of similar to what we already talked about but you know when you leave a critical section or the critical section itself is essentially used to prevent these issues so when you leave the critical section invoke a call back you know you have to recheck that the values are still the same and this can be particularly dangerous in cleanup routines so you know you can potentially invoke callbacks after something has been cleaned up and then you can reinsert it and this could end up in cell references and you know two objects or buffers so here’s an example of that they check the old tab window if that is no if it is it will exit so you know we have to have this defined and then later down here it you know if this event hook is set it will it may invoke a user mode call back and then you know knowing that this is not 0 it’s simply calls destroy window however we can destroy this window within the call back so you know this will actually try to destroy a null pointer window object so we mapped them all page and have an exploit along ability this was some not really related but you know it’s kind of nice to just mention so when you validate handles and you use the handle validation api’s and these never lock the object itself they simply just validate it and the handles and returned the object pointers and you should avoid generic handle validation unless the structure of the object is irrelevant because this if you do so you only check for the entry that it’s valid and completely ignores the type and like I said functions that we validate handles after callbacks I may no longer operate on the same object because the uniqueness count to provide the hand light entropy is only 16 bit so you know doing this freeing and allocating sufficient amount of time so you could fool the kernel or fool in the third winter decay into thinking that it still operates on the same handle so here we see you know this is the first one is is a lack of completely lack of validating you know anything it just gets to handle from the call back and then tries to look that up for the handle table and does not validate the type nor more the length of the handle table itself so and the second one is a you know it tries to use the generic type to look up a image so it assumes this to be a cursor object of course you can provide anything so this also may result in some exploitable bugs so on to exploit ability so you know most of these issues are related to use after fries and all pointed references so we’ll look at those and in the case of use a pro fries we it mainly depends on the attackers ability to manipulate the either the heap or the colonel pool and the colonel heap so to speak I did on my

previous research was on the colonel pool so if you’re interested in you know looking up how to manipulate the colonel pool you should be that there’s not much public information on the colonel heap so we’ll briefly just look at how that works and you know for for the reference whenever you invoke a callback you can easily hook the functions because you have the pointer stored in the peb so you can just be replace the pointer and do whatever you like so the colonel has a stripped down version of the user model heap allocator it has rgl allocate heap rtl free heap these are both used by the shared and the desktop heaps notably neither heaps employ any front and allocators so this you can see this from looking up the heat base and noticing that the extended lookup is no this was also something that Chris valasek pointed out in his paper on the low fragmentation heap you know just briefly that you know if this condition was true there was no front and heaps so this means that there’s no lo fragmentation heap or look aside lists so it makes it really easy to predict where allocations are made or how they managed neither heaps also encode or obfuscated the management structures and we see this from the encode mask being null so we can easily dump the desktop heap since it’s mapped into user mode we can dump it from user mode or we can dump it from the colonel so here we see oh via the information we also have the commit routine which I’ll talk about in the next slide so the the blocks index points to the heap list look up which holds the on extended lookup pointer which is no that is the reason why it does not use any front end alligators so you know all the free memory is indexed into a single free lists it’s ordered by block size meaning it has a granular granularity of eight bytes or 16 depending on the architecture they use list hints to optimize least lock up so since you store all the entries in the same array you obviously have to have some additional structures to speed up the lookup and the requested memory is always pulled from the front of the Oprah oversized heap chunk and while the remaining fragment is put back into the free list and if the heap runs at a committed memory it and tries to extend it by calling the comic routine so you know you could easily if you overwrite the commit routine this was one of the attacks on the user mode heap you know waste but years back you can do this in the kernel since there’s no obfuscation even if you know there was encoding you would be able to get the encoding key since the keep itself is mapped in user mode so for exploiting Hughes aquifer vulnerabilities we can use Unicode strings to reallocate the memory from the user mode call back you know this allows you to control the size and the contents of the heap lock so it’s a you know very flexible the only caveat is that you know you cannot use virginals or and the last two bites of the string obviously has to be terminated with a null terminator for the desktop heap you can use set windows texts to set window text to set the text or window on this session pool you can use set class long pointer and these are really the two you need to worry about the shared heap it’s not there’s not it’s not it’s not much used so so here you see that will replace the object with a string and the vulnerability or you know it tries to use this user pointer in this string to perform some operations so this easily you know this is easy and exploitable vulnerabilities since you can control since it’s a Unicode string you can put anything really as the pointer a lot of these bugs are you know I concerned with object locking or and whenever you replace the free memory the first thing the code usually does is that it tries to lock the objects or release the object so it will use one of these

pointers to to perform the locking and this really allows you to do an arbitrary increment or an arbitrary sequence and some targets in this context would be to try to hit the type value of a handle table entry because if the type value is a window or one you can decrement that 20 and then destroy that object and then since the 0 type does not have a destroyed function defined it will called a null pointer and you can map the null pointer and then control execution you can also target a PC objects this was something that guru mentioned in a paper so you could recommend the a as a synchronous procedure call you know context from user mode to kernel mode so it would execute it would execute with caramel privileges this is while that will look where we see dr unlocking the user control pointer of the reallocated memory and this you know this is because the wintry DK calls or tries to call hm assignment lock which is the assignment logging function on the pointer that this freed memory holds were now reallocated memory holds there’s also like I said no planar vulnerabilities these are you know potentially exploitable in Windows since you can map the null page either by using for instance anti allocate virtual memory or anti map view file you know many null pointer vulnerabilities are concerned with window objects so you can map the null page fake the window object and then set up a fake window procedure so if you have a flag that says that that window procedure is server side or kernel mode you would actually be able to execute or control the procedure and execute with kernel mode privileges on any subsequent message sent to that object so this you know this easily shows that in doing so you’ll be able to instantly get you know arbitrary kernel code execution so our demo on this and we’ll use the window object use a free that I I showed you earlier so let’s see yeah just going to boot my vm so I don’t have a snapshot to cheat or anything should be fast so what we’ll do is that will you know use the CBT hook to provide a Z order handle after which our new handlings inserted in the sea order chain and we will destroy this handle or this object in a subsequent call back and then reallocate that memory to control the logging operations that are performed subsequently so this was a bit bigger than I expected it to be but just resize this so I’ll run I’ll bring up two instances of consoles here then run the exploit so this is going to be partially interactive meaning that it will pop a message box on the callbacks so it easier to see so I’ll do window and then the command that I want to execute so in this case I want to execute kallik with system oh that was the wrong one sorry window 10 so now we are in the cbt hook we set up the handle to the window that we want to insert a new window after so what I’ve done here is I’ve you know looked up the mapping in user mode found the colonel pointer and then I can use my aunt you know the utility that has some screenshots on to dump that address i’ll just type in you know shared info FV 8 14 9 z and then these size of the objects so now you see that you know this is the object that we want to destroy later on so if I you know click OK again and what’s going to happen is that it’s going to destroy this window

and then we’ll hit the next call back I’m sorry we’ll hit the next call back and then we’ll just write a window so as you can see we assign the z-order window in a cbt hook we destroyed it within the callback and then we reallocated that freed memory so if i do this again you see that you know all the strings our de string replaced the object what I’ve also done is that I’ve you know since this is unicode i can insert pretty much any object pointer that i want as long as I avoid the double nulls so this address here actually points to be handled table entry for the window that we will like avoid or decrement so will decrement its type and then destroy the window to you know do the freetype destroy function or trigger the freetype destroyed function which then you know tries to execute the not on execute a null pointer no type function pointer which is no so we map this page I didn’t mention this but you can see at the top here that you know I mapped an old page for free type trampoline so now when i click ok the something should happen oh sorry nice so you know just to see that this actually worked you know there we go we have system that’s quite nice so we’ll move on to to the next section so this was you know exploiting a fairly complex vulnerability there’s also a lot of vulnerabilities related to null pointers so the one that I accidentally clicked earlier on this one was a null pointer bowling buddy so this one is you know it’s the same one or is a different one but it does the same it and tries to maps null page and execute with a kernel mode privileges so what do you want to try to do is you want to try to you know avoid the null page from being mapped or you know try to mitigate the exploit ability of some of these issues so we’ll talk briefly about mitigations so mitigating used after free vulnerabilities is quite difficult you know it’s generally hard because you usually will impact performance significantly some approaches you could do is you could use the late freeze you could use a dedicated free lists you can try to isolate the strings meaning that when you try to reallocate this memory you have the string in a separate heap or something you could try to track the allocations between ring transitions so when you perform a callback you would keep track of the memory allocations and then recheck those when you return and make sure that you know everything is saying you know from mitigating null pointer exploitation we can try to deny the the allocation of a null pointer all the odin all page there’s some potential ways of doing this we could either use system call hooking or we can modify the page table entries or we could try to use WOD manipulation system call hooking hooking is not really any a good solution because you know for the first it’s not supported on X 8 x64 64 bit due to patch card I will check the system call table and you also want to take a more generic approach because you know just hooking the function that potentially may make these calls could you know end up you failing to sufficiently hook all these functions so you know there’s two that are Marrero that you can use but you know say there were some additional or say there are some additional and you you know we would miss those pte modification it requires the page to me map so that is not very ideal since we want to avoid the null page to a map so we’ll look at the word manipulation part so the user mode process base is described by the virtual address descriptors and these are you know structured in self balance trees which are binary trees and you know what’s neat about wads is that they’re always checked before a page table entry is created and this is for

instance the way that Windows implements the no access protection words are also used to secure memory and they can be made non-delegable so for instance to process environment block and the threat environment block used this feature to prevent you from deleting the mapping it’s also used on the k user shared idea share data sexually so this is you know really how I watry looks you have a process object with a pointer to the wad roots and then you know how have a binary tree that represents all the address ranges so what we want to do is we want to make a wad entry for it in the null page to prevent that from being mapped so with with them so I wrote a paper on this last month and what we do here is we try to invert insert a crafted wad entry that restricts small page access for both the colonel and the user so if you have an oldie reference in the kernel you want to you don’t want anything to be mapped you want to have an instant access violation and you also want the user not to be able to map that page we avoid the deletion using this same method as the peb or and the thread and wailmer and worm box and we set the address range from 0 to FF FF FF FF FF which is you know the entire lower part windows that is not usually used unless you you know start a 16-bit process we also set the protection to Novak no access and you know this gets us a long way but there’s a fundamental issue that you know you could still change the protection for this since you own the BOD it’s processed owned so we use a special flag to prevent memory commits so if the memory is not actually committed you know the middle protection cannot be changed so this is you know we go to the leftmost branch and insert the wad and the watry and you can see how this looks you know in window bug you see the mapping on top holding or you know blocking all the attempts or all them reserving all the memory and the process of this process and looking up the PT entry for this you see that it’s not valid so now page table entries has been created so the you know the results for this seem to be quite good you know calling any of the traditional api’s for allocating memory for allocating the null page for you know trying to free demo page or change it protection you know fail you also have the map you of section with which is another way of mapping the mall page that also does not work so run a short demo of that as well so like I said this other bug was a null pointer vulnerability easily exploitable so what we’ll do is we’ll run our driver that inserts this wad entry on process creation of course you could inject into another process but the ID is to load this driver up on loading windows so you would have this mapping set up for all processes so I need to be an admin to to load driver obviously so I’ll hit the payload which loads the driver I can do k tests just to see that actually I’ll just unload it first run k tests so you’ll see that you know it attempts to map the null page it succeeds so it can do memory reads okay it can do no page right okay so you know that perks if I load the driver these tests fail because you you know set up this wide entry so you know trying all these functions does not help you so if I you know if I redo the exploit you know it’s it’s not going to work because the allocate virtual memory that I use to set up the null page mapping fails with the is this exit code right here so and although it’s difficult to address colonel exploitation on Windows you know there’s

definitely some possibility of doing that so that’s about some up to a be on talk I’ll just do it brief conclusion so you know considering the future of the win32 k subsystem you know it needs a much more consistent and security oriented design it should not be necessary for the kernel to make calls back in user mode you know it’s not doesn’t really makes much sense you should also a or Microsoft should also reconsider the performance benefit of using the shared user and kernel mode memory mappings so mapping the desktop heap and the handle table and the shared key into user mode although good for performance really really helps exploitation so you know limiting the information available to the users is is probably a good idea the window manager should also provide you know a mutual exclusion design on a per object basis not globally lock the module itself because with all the multi-core architectures you know this doesn’t really help so it will be better suited but towards those and this is also similar to what is already done in the MTA executive or the windows kernel itself as well as in GD on so you know legacy components is always going to be or you know probably are the most vulnerable parts of an operating system meaning that the security was not usually designed part of the original design now win32 k is it’s built around some very old jew and gooey subsystem code that you know before you had this transition transition and before you introduce winter do k dot says they they used much of the same code so you know it’s it’s going to be difficult when you don’t have security as part of the original design and Colonel exploitation you know acquires knowledge about the address space so limiting information is important we’ve seen this being done on lenox but it’s you know not done too much in Windows and although difficult you know mitigating Windows kernel exploitation is definitely possible obviously it’s harder and you don’t have access to source code and it cannot really hook anything you want so it’s more difficult but it’s it’s possible so yeah some guys i want to thank and greet em SRC has been really cool about all these bugs appreciate that and some good references in case you’re interested in reading more you know if you want to learn more about the colonel heap you should really check out chris valasek paper on the low fragmentation heap you know it contains really much all the information you need to do the manipulation and stuff so so that’s it any questions guess you’re all tired there’s one question back there and yeah so you don’t validate the objects themselves you use the handle values so you have the handle value and you provide that to a function that prevent returns the pointer and what that function does is that it validates the it looks the up the entry in the handle table checks the type that you specify so you know that is how you get the get the handler get the pointer from ahem there’s no way to you know given that you have object pointer there’s no real way to you know validate that so that’s why you have the log counts and you know increment the log count ensure that that object is always valid ok so thank you