
Hack in the Box Magazine #8 available now

Every quarter or two, there’s the one day we all wait for – and that’s when the latest issue of the Hack in the Box Magazine is released :-) Thanks to the hard and awesome work of Zarul Shahrin and the entire editorial crew, we are very excited to announce that the eighth edition is now available on the project website. One big change we decided to make due to popular demand is a printer-friendly version of the mag, with a single logical page per physical page, (hopefully) making it significantly easier to read even when you don’t have a spare 24″ screen to use. Also, you can now order an original printed version through HP MagCloud. For more information, see the bottom of http://magazine.hitb.org/. I can’t see the “spread” version on the website right now, but if you’re interested, feel free to ping me for it.

Other than that, there are some quite interesting articles you should definitely check out. As usual, I took care of the Windows Security section, with an article called “The Story of CVE-2011-2018 Exploitation”. Although the specific Windows kernel vulnerability was very fresh at the time of writing (it was fixed in December 2011) and is almost half a year old now, it still required (unabashedly speaking) one of the most sophisticated chains of Windows kernel exploitation techniques I have seen in a long time. The document covers several interesting methods, such as kernel pool and stack spraying and the use of ring-0 virtual address space information leaks, combined to build a working Windows XP/Vista/7 privilege escalation proof of concept. If you are into Windows internals and low-level vulnerability exploitation, you will definitely find something for yourself. On a side note, should you know any easier or simpler means of performing any of the discussed exploitation steps, I will be more than happy to hear from you!

As always, the magazine is in need of authors. If you believe you have an interesting IT security-related subject and are willing to write an article for us, don’t wait, drop us a line at editorial@hackinthebox.org.

The magazine can be downloaded from here (HITB-Ezine-Issue-008.pdf, 2.18 MB)


A Bug Hunter’s Diary review

Title: A Bug Hunter’s Diary. A Guided Tour Through the Wilds of Software Security.
Author: Tobias Klein
ISBN: 978-1-59327-385-9
Published: November 2011
Websites: http://nostarch.com/bughunter.htm and http://www.trapkit.de/books/bhd/en.html

In modern times of noisy news headlines like “Security Researcher Unveils a Critical Vulnerability in Product X”, little is publicly said about the overall bug hunting process; discussion focuses instead on technical bug details, exploitation mitigations and their countermeasures. The taste of identifying a target, finding a vulnerability, creating proof-of-concept code and talking to the vendors was known only to those actively participating in the security scene, until Tobias Klein published his book A Bug Hunter’s Diary. Mr. Klein, a German security researcher, decided to let the reader take a glimpse at what a bug hunter’s daily work looks and feels like; a subject as interesting as it is underestimated in the common literature.

The book is divided into eight chapters and a brief Appendix. The Introduction outlines basic concepts, assumptions and tools used by the author and commonly referenced throughout the book. After that follow seven technical chapters, each discussing a vulnerability in a different product, found and responsibly disclosed by the author over the course of three years (2008 – 2011). The diversity of software classes discussed in the book ranges from media decoders (VLC, FFmpeg) through web browsers (WebEx ActiveX control) up to kernels and device drivers (Solaris, Mac OS X, Apple iOS, Avast! driver). Thanks to the wide selection of presented hardware and software platforms and products, one can learn how all kinds of software can be subject to fundamentally trivial bugs, and how different vendors have completely different policies and response times in regard to external reports.

What I consider the biggest advantage of the book is the specific layout of the chapters. Each of them is arranged in the form of a story, beginning with an initial concept of how to approach a chosen target and ending with a patch release and advisory publication. This goes far beyond the typical scheme of limiting focus to technical aspects of software security only, and makes the book enjoyable for anyone interested in vulnerability discovery.

As a diary, I believe it is one of the best books I have read so far. Easy writing style, interesting bugs and illustrative pictures and code listings are the key points making it so successful. Bear in mind, though, that it should not be confused with a textbook – if you are looking for a complete overview of common vulnerability classes or information regarding exploitation mitigations such as DEP or ASLR, you’d rather refer to The Shellcoder’s Handbook or a similar volume. That said, I would especially recommend A Bug Hunter’s Diary as an excellent supplement to a security textbook for everyone taking their first steps in the software security field. I definitely wish to see more books of this kind published in the future.

FYI: Printable “Windows Kernel Address Protection” paper out

That’s just a short notification that I decided to release the Windows Security Hardening Through Kernel Address Protection article published in Hack in the Box Magazine #7 over a month ago (see HITB #7 on the wild, at last). The paper is now available in a nicely formatted, printer-friendly format. If you missed it then, here’s your chance to take a look :-)

DOWNLOAD: Windows_Kernel_Address_Protection.pdf (382 kB).

Abstract

As more defense-in-depth protection schemes like Windows Integrity Control or sandboxing technologies are deployed, threats affecting local system components become a relevant issue in the overall operating system user’s security plan. In order to address the continuous development of Elevation of Privileges exploitation techniques, Microsoft started to enhance Windows kernel security by hardening the most sensitive system components, such as the Kernel Pools with the Safe Unlinking mechanism introduced in Windows 7. At the same time, the system supports numerous services, both documented and undocumented, providing valuable information regarding the current state of the kernel memory layout. In this paper, we discuss the potential threats and problems concerning unprivileged access to system address space information. In particular, we also present how subtle information leakages can prove useful in practical attack scenarios. Further in the document, we provide some suggestions as to how problems related to kernel address information availability can be mitigated, or entirely eliminated.

Magus Ex Machina – a product of a 48h codejam

[Note: Collaborative post by Gynvael Coldwind and Mateusz "j00ru" Jurczyk]

Five weeks ago, we took part in a fancy game-development competition, the Google GameJam 48h. As the name implies, the contest lasted for precisely two days; unfortunately, we were proven to lack supernatural powers and had to spend some of the precious time sleeping :-) The theme of the event was “Magic versus Science”, and in our case, those two days of hardcore coding resulted in a 2D logic game called Magus Ex Machina. In the end, four teams in total managed to create and present games with actual gameplay; interestingly, we were the only ones using native technology (i.e. OpenGL + SDL + a few other minor libraries), as the other competitors decided to go for pure browser (HTML + CSS + JavaScript) productions. Although we didn’t get first place, we believe that the game is still fun to play, and thus worth sharing with a larger audience :-)

As for the game itself, the basic storyline is as follows:

Four powerful mages were returning home from a terrible war with great evil that haunted their realms. At the same time, scientists at CERN started a new experiment. And a black hole was created…

And hit by a lightning…

The lightning-blackhole turned into a magical inter-realm wormhole and teleported the mages.

Straight into the CERN main computer.

Help them get out and return to their realm.

The game is divided into separate levels (currently 13 of them, three of which are training levels), each of which can consist of one or more distinct maps. On every level, the player is assigned up to four mages, each with a different skillset: a fire mage, who can shoot fireballs destroying parts of the wall (or rather turning them into gaps), a trigger mage, who can summon and shoot huge metal objects which interact with the binary switches present on the map (often resulting in opening/closing some doors), a support mage, who can create bridges over holes, and a teleport mage, who can create teleports all over the map.

In order to complete a level within a specific time limit, the player needs to coordinate all available mages so that at least one of them reaches the exit located on one (usually the last) of the level’s maps. The player has full control over one mage at a time: they can walk around the level and use the character’s specific skills (up to a certain limit); all of these actions are recorded and saved for later. When the player is done with the current mage or the time limit expires, the next mage from the queue becomes active. At this point, time is rewound to the initial state of the level, and all actions performed by the previous mages are replayed. As a consequence, all characters end up acting simultaneously as the game progresses, creating an interesting chain of dependencies between the mages and making the gameplay highly dynamic.

Since even the best description won’t be as informative as a gameplay video, you can learn more by watching the following recording:

Although the game is theoretically compatible with the Linux and Mac OS X platforms (it was even tested there at some point during development), the official package is built for Windows only (feel free to build the game on the platform of your choice, though). Apart from adding a few (around seven) new maps, we haven’t changed anything (except for one crash fix) since the end of the contest.

The game is released as open-source (see the README and LICENSE files for more information), and we’re not planning to further develop the project. We would like to acknowledge Peter Shanks, Kevin Saunders, Tomasz Wacirz and SoundJay.com for the media resources (images, music, sound effects) used in the game.

A full package (win32 executables, source code, media) can be downloaded from here (ZIP, 7.7 MB)
Disclaimer: the source code is a huge mess, but it was a 48h compo, don’t blame us :-)

And that’s pretty much it. Should you have any comments or problems related to the game, feel free to drop us a line.

Cheers!

Refreshed Windows System Call Table (NT/2000/XP/2003/Vista/2008/7/8) released

Long time no see, huh? :-)

TL;DR: I created and released a complete Windows NT-family syscall table. See the bottom of the post for a link.

For the last couple of years, the Metasploit project (gritz skape!) has been hosting a table of the core Windows kernel services, also known as system calls (originally available at http://dev.metasploit.com/users/opcode/syscalls.html). In its final version, the table included information regarding Windows NT (all recent service packs), 2000 (all service packs), XP (up to SP2), 2003 (up to SP1) and Vista (up to SP0). As years passed, new operating system editions were released by Microsoft, while existing ones received new Service Packs. Consequently, due to lack of active maintenance, the project became partially outdated, and eventually disappeared from the metasploit domain around four weeks ago.

Today, I would like to present a table based on the same concept (even the layout doesn’t differ too much), supplemented with information about the previously missing Windows versions, including the Windows 8 Developer Preview, available for less than two months. The table contains a list of every Windows kernel service found at any point in the history of the Windows NT family, together with the syscall id for every OS edition it was present in. Note that the same service frequently carries a different id on each edition (and sometimes on each service pack), which is the main practical lesson of the table: a syscall number is never safe to hard-code across versions. Unfortunately, it lacks the corresponding syscall handlers’ definitions; that’s simply because most of the NTAPI interface is not publicly documented by Microsoft. As such, the project has a primarily informative purpose: you can observe how the Windows native API has evolved over the years, what kind of functionality might have been introduced in new system versions and which parts were removed, and so on. I believe you can also use it to pick an interesting Windows internals research subject, if you feel like performing one :-)

The most recent version of the table can be found here: http://j00ru.vexillium.org/ntapi/

As the table has grown quite wide (it didn’t fit on my laptop’s monitor), I had to narrow it. In its current form, you can expand and hide information about individual Windows editions, or simply show all of the items (see the Show all and Hide all buttons). As a reminder, I have also been hosting the Windows Graphical System Call list for both 32- and 64-bit system versions (blog post). I will do my best to fill the rest of the empty cells in a few days.
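The number listed for a service in the table is the immediate that the corresponding Nt* stub in ntdll.dll loads into eax before switching to kernel mode. The following is an added example of my own (not code from this post or from the table project) showing how to recover that number from a stub’s bytes, which is how such a table is built for a given ntdll.dll and how a program can resolve an id at run time instead of hard-coding it. The stub bytes and the ids inside them are constructed for the example and do not claim to match any particular build; the only assumptions are the two classic stub encodings described in the comments.

```python
"""Recover Windows system call ids from the Nt* stubs exported by ntdll.dll.

Added example (not code from the post or from the syscall table project).
Stub encodings handled, as found on the NT-family editions in the table:

  x64 (Vista/7/8 DP):  4C 8B D1        mov r10, rcx
                       B8 imm32        mov eax, <syscall id>
                       0F 05           syscall
  x86 (NT4 .. 7):      B8 imm32        mov eax, <syscall id>
                       BA 00 03 FE 7F  mov edx, 7FFE0300h  (XP+: call [edx] -> KiFastSystemCall)
                    or 8D 54 24 04     lea edx, [esp+4]    (NT4/2000: followed by int 2Eh)

Bits 12-13 of the id select the service table (0 = ntoskrnl, 1 = win32k shadow
table); the low 12 bits are the index within that table.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SyscallId:
    raw: int     # the immediate loaded into eax
    table: int   # 0 = KeServiceDescriptorTable (ntoskrnl), 1 = shadow table (win32k)
    index: int   # position within that table


def _split(raw: int) -> SyscallId:
    return SyscallId(raw=raw, table=(raw >> 12) & 0x3, index=raw & 0xFFF)


# Byte sequences that may follow "mov eax, imm32" in a genuine x86 stub.
_X86_TAILS = (b"\xba\x00\x03\xfe\x7f", b"\x8d\x54\x24\x04")


def parse_stub(code: bytes, arch: str) -> Optional[SyscallId]:
    """Return the id encoded in a stub, or None if the bytes are not a stub."""
    if arch == "x64":
        if len(code) < 10 or code[:4] != b"\x4c\x8b\xd1\xb8" or code[8:10] != b"\x0f\x05":
            return None
        raw = struct.unpack_from("<I", code, 4)[0]
    elif arch == "x86":
        if len(code) < 5 or code[0] != 0xB8 or not code[5:].startswith(_X86_TAILS):
            return None
        raw = struct.unpack_from("<I", code, 1)[0]
    else:
        raise ValueError("arch must be 'x86' or 'x64'")
    if raw & ~0x3FFF:
        return None  # "mov eax, <large constant>" is ordinary code, not a service id
    return _split(raw)


def build_table(stubs: Dict[str, bytes], arch: str) -> Dict[str, SyscallId]:
    """Map export name -> SyscallId for every export whose code is a syscall stub."""
    table: Dict[str, SyscallId] = {}
    for name, code in stubs.items():
        sid = parse_stub(code, arch)
        if sid is not None:
            table[name] = sid
    return table


# Constructed stub bytes; the ids (0x0C, 0x30, 0x19, 0x100B) are chosen for the
# example and are not taken from any specific ntdll.dll build.
SAMPLE_X64 = {
    "NtClose":     bytes.fromhex("4c8bd1b80c0000000f05c3"),
    "NtOpenFile":  bytes.fromhex("4c8bd1b8300000000f05c3"),
    "RtlNotAStub": bytes.fromhex("4883ec28e800000000"),   # sub rsp, 28h / call ...
}
SAMPLE_X86 = {
    "NtClose":          bytes.fromhex("b819000000ba0003fe7fff12c20400"),
    "NtUserGetMessage": bytes.fromhex("b80b100000ba0003fe7fff12c21000"),  # win32k table
    "NtClose_nt4":      bytes.fromhex("b8190000008d542404cd2ec20400"),    # int 2Eh style
}

if __name__ == "__main__":
    for arch, sample in (("x64", SAMPLE_X64), ("x86", SAMPLE_X86)):
        for name, sid in build_table(sample, arch).items():
            print(f"{arch} {name:<18} id=0x{sid.raw:04x} table={sid.table} index=0x{sid.index:03x}")
```

To build a real column of the table, feed `build_table` the first bytes of every export of the ntdll.dll (or user32.dll / win32u.dll for the graphical services) you are interested in; on a live system a loader that resolves ids this way will keep working across service packs, whereas one with the numbers baked in will silently call the wrong service.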

Comments? Suggestions? Feel free to drop a line.

Oh by the way, in case you haven’t noticed yet: Michal Zalewski’s (aka lcamtuf) new book called “The Tangled Web” went public just two days ago. Suffice to say it’s a very solid book, focused on all the small details and quirks the modern client-side web security is all about. For more information, see http://nostarch.com/tangledweb.htm or http://lcamtuf.coredump.cx/tangled/.

Update (22.11.2011): I have just uploaded the requested 64-bit version of the table, find it here.

Hack in the Box Magazine #7 on the wild, at last.

Hello,

It gives me great pleasure to announce that, several months after the last release (see The HITB Magazine #6 now available!), the awesome crew (as always, special kudos to Zarul Shahrin) has managed to put together the 7th edition of Hack in the Box Magazine! Without much ado, I will just say that the issue presents some interesting bits about the current global crisis in cyberspace (by Jonathan Kent), extending SQL Injection attacks through buffer overruns (Aditya K Sood, Rohit Bansal and Richard J Enbody), automation of fuzzing and process crash testing with the PCMCA tool (Jonathan Brossard) and a number of other interesting articles and book reviews.

In order for the magazine to function properly, we are in constant need of unique content. If you believe you have some interesting IT security-related material to present, and would like to contribute to the project, don’t hesitate to drop us a line (editorial@hackinthebox.org)! We will be more than happy to discuss your idea, help with proofreading, or provide any other kind of advice :-)

As for the Windows Security section, you can traditionally find an article authored by me, titled Windows Security Hardening Through Kernel Address Protection. The paper briefly describes the problem of revealing potentially sensitive information about the kernel virtual address space into user-mode code, lists the scenarios in which such information might prove useful during practical exploitation, and proposes potential solutions on both Windows and CPU levels.

Note: The article was written before the Windows 8 Developer Preview became available, hence all information presented therein is only applicable up to Windows 7. The new system edition has plenty of new exploit mitigation techniques implemented (e.g. DEP-protected, i.e. non-executable, Non-Paged Pools), which can defeat some of the described concepts. More on new Windows 8 security-oriented technologies coming soon ;)

The magazine can be downloaded from here (HITB-Ezine-Issue-007.pdf, 3.8 MB)


PiXiEServ out for public

A few years back, we (i.e. j00ru and Gynvael) worked on a bootkit-related project (some Polish SecDay’09 presentation slides can be found here: Bootkit vs Windows.pdf). One of its basic requirements was the ability to load custom boot “sectors” from an external host in the local network. Since the publicly available solutions required too much time to be spent on configuration and we didn’t need most of the offered functionality anyway, we decided to create an extremely simplified Preboot Execution Environment (PXE) server on our own, and so PiXiEServ came to be. Actually, the great majority of the source code was written by Gynvael, with only a few modifications applied by me (i.e. j00ru).

Although we never managed to complete the said bootkit-related project and the server source code dates back to October 2009, we’ve now decided that the program and its sources might prove useful to other people playing with network booting, as well as to those trying to write their own OS and test it on both virtual and real hardware (without having to worry about getting old school floppies, CDs, etc).

Please bear in mind, however, that the application only provides the most basic functionality (i.e. it serves a single file via TFTP and so doesn’t support multi-step/multi-file booting) and doesn’t support the other advanced features described in the PXE specification. So, while PiXiEServ can be helpful with minor research activities, you won’t be able to perform a complete OS installation using it (Gynvael uses it for development/testing of a pet OS called OSAmber).
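What “serving a single file via TFTP” amounts to on the wire, as an added example of my own rather than PiXiEServ’s code: once DHCP has told the PXE ROM a server address and a filename, the ROM sends a TFTP read request and the server answers with 512-byte DATA blocks, each of which the client must ACK before the next one is sent (RFC 1350). Because the server below holds exactly one in-memory file, the client-supplied filename is only ever compared against a name and never reaches the filesystem. The exchange is driven entirely in memory here; to use it for real you would put the same packet logic behind a UDP socket on port 69. The function names, the file name and the sample boot image are constructed for the example.

```python
"""Single-file, read-only TFTP (RFC 1350) server logic of the kind PXE needs.

Added example, not PiXiEServ's source. Packet layouts handled:

  RRQ   : 00 01 | filename 00 | mode 00 | (option 00 value 00)*   client -> server
  DATA  : 00 03 | block# (2) | 0..512 bytes of payload            server -> client
  ACK   : 00 04 | block# (2)                                      client -> server
  ERROR : 00 05 | code (2) | message 00                           server -> client

A transfer ends when the client ACKs a DATA packet shorter than 512 bytes, so a
file that is an exact multiple of 512 bytes is terminated by an empty DATA.
"""
import struct
from typing import Dict, Optional, Tuple

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512
ERR_NOT_FOUND, ERR_ILLEGAL_OP = 1, 4


def make_rrq(filename: str, mode: str = "octet", **options: str) -> bytes:
    """Client side: build a read request (PXE ROMs typically append tsize=0)."""
    pkt = struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"
    for key, value in options.items():
        pkt += key.encode("ascii") + b"\x00" + str(value).encode("ascii") + b"\x00"
    return pkt


def parse_rrq(pkt: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Server side: split an RRQ into (filename, mode, options); ValueError if malformed."""
    if len(pkt) < 4 or struct.unpack_from("!H", pkt)[0] != OP_RRQ:
        raise ValueError("not a read request")
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":        # every string must be NUL-terminated
        raise ValueError("malformed read request")
    fields = fields[:-1]
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    opts = [f.decode("ascii", "replace").lower() for f in fields[2:]]
    return filename, mode, {opts[i]: opts[i + 1] for i in range(0, len(opts) - 1, 2)}


def make_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload

def make_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)

def make_error(code: int, message: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + message.encode("ascii") + b"\x00"

def parse_ack(pkt: bytes) -> Optional[int]:
    if len(pkt) != 4 or struct.unpack_from("!H", pkt)[0] != OP_ACK:
        return None
    return struct.unpack_from("!H", pkt, 2)[0]


class ReadSession:
    """Server state for one transfer: keep resending the current block until it is ACKed."""

    def __init__(self, contents: bytes) -> None:
        self.contents, self.block, self.done = contents, 1, False

    def current_packet(self) -> bytes:
        start = (self.block - 1) * BLOCK_SIZE
        return make_data(self.block, self.contents[start:start + BLOCK_SIZE])

    def on_ack(self, pkt: bytes) -> None:
        if parse_ack(pkt) != self.block & 0xFFFF:
            return                                   # stale or duplicate ACK: resend later
        start = (self.block - 1) * BLOCK_SIZE
        if len(self.contents) - start < BLOCK_SIZE:  # the ACKed block was the short, final one
            self.done = True
        else:
            self.block += 1


class SingleFileServer:
    """Serves exactly one in-memory file; the requested name never touches the filesystem."""

    def __init__(self, filename: str, contents: bytes) -> None:
        self.filename, self.contents = filename, contents

    def start(self, rrq: bytes) -> Tuple[Optional[ReadSession], Optional[bytes]]:
        """Return (session, None) on success or (None, ERROR packet) on refusal."""
        try:
            name, mode, _options = parse_rrq(rrq)
        except ValueError as exc:
            return None, make_error(ERR_ILLEGAL_OP, str(exc))
        if mode != "octet":
            return None, make_error(ERR_ILLEGAL_OP, "only octet mode is supported")
        if name != self.filename:
            return None, make_error(ERR_NOT_FOUND, "file not found")
        return ReadSession(self.contents), None


def simulate_client(server: SingleFileServer, filename: str) -> Tuple[bytes, int]:
    """Drive a whole exchange in memory; returns (received bytes, DATA packets sent)."""
    session, err = server.start(make_rrq(filename, tsize="0"))
    if err is not None:
        raise RuntimeError(err[4:-1].decode("ascii"))
    received, sent = b"", 0
    while not session.done:
        pkt = session.current_packet()
        sent += 1
        received += pkt[4:]
        session.on_ack(make_ack(struct.unpack_from("!H", pkt, 2)[0]))
    return received, sent


# Constructed boot image: 1200 bytes, i.e. two full blocks plus a 176-byte tail.
BOOT_IMAGE = bytes(range(256)) * 4 + b"\x90" * 176

if __name__ == "__main__":
    data, packets = simulate_client(SingleFileServer("boot.bin", BOOT_IMAGE), "boot.bin")
    print(f"received {len(data)} bytes in {packets} DATA packets, intact={data == BOOT_IMAGE}")
```

Two details worth keeping when you turn this into a real server: the 16-bit block counter wraps, so a file larger than 32 MB must be tracked with the masked comparison used in `on_ack`, and the unsolicited-ACK check is what stops a stray or replayed ACK from skipping a block. Option negotiation (tsize, blksize) is parsed but ignored here, which is allowed by the RFCs and is exactly the kind of simplification the post describes.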

We’ve successfully used PiXiEServ with VirtualPC and VirtualBox, as well as a couple of different laptops, netbooks and PCs.

If you are using Windows Vista (2003?) or later, you will need to pass the broadcast address of your local network as the fourth command line parameter (e.g. 192.168.1.255 if you are in the 192.168.1.0 network with a 255.255.255.0 mask). This is due to a change in networking made in Vista (2003?), and since it’s an old project we didn’t want to spend too much time on it.

A package containing Windows executables and source code can be downloaded from here (PiXiEServ.zip, 56 kB)
Note: The project also works on the GNU/Linux platform.

Should you encounter any problems with the compilation or correct functioning of the program, feel free to drop a line either to Gynvael or me.

Have fun!

Windows 8 Syscall Interface and Export Table diffing fun

Due to my forthcoming move to Switzerland, I haven’t had much time to post anything new here for quite some time. Hopefully, this will change soon after I am set up in my new location. In the meantime, I would like to share several tables presenting the differences in export table symbols and in the native + graphical System Call Interface between a fully patched Windows 7 64-bit platform and the recently released Windows 8 Developer Preview. Since only x64 binaries are currently available to me, the tables are based on this one architecture only; I will soon supplement the set with 32-bit comparisons (provided there are any differences between the two).

An example table (Windows 7 vs Windows 8 executive services) is presented below:

Added in new ntoskrnl.exe:
NtAddAtomEx
NtAlertThreadByThreadId
NtAlpcConnectPortEx
NtAssociateWaitCompletionPacket
NtCancelWaitCompletionPacket
NtCreateDirectoryObjectEx
NtCreateLowBoxToken
NtCreateTokenEx
NtCreateWaitCompletionPacket
NtCreateWnfStateName
NtDeleteWnfStateData
NtDeleteWnfStateName
NtFlushBuffersFileEx
NtPrefetchVirtualMemory
NtQueryWnfStateData
NtQueryWnfStateNameInformation
NtSetSystemCodeIntegrityRoots
NtSubscribeWnfStateChange
NtUnmapViewOfSectionEx
NtUnsubscribeWnfStateChange
NtUpdateWnfStateData
NtWaitForAlertByThreadId
NtWaitForWnfNotifications

Removed from new ntoskrnl.exe:
NtCreateJobSet
NtFlushInstructionCache
NtGetPlugPlayEvent

A semi-complete (more diffs will follow) set of tables can be found here.
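The added/removed lists above are the result of comparing two per-version columns of a syscall table. As an added example of my own (not the script used to generate the tables on this page), here is that comparison over a small table in the same name -> {version: id} shape. It also catches the third case that two plain lists cannot show: a service that keeps its name but changes its id, which is what makes a hard-coded syscall number call the wrong service on another version. The service names are taken from the table above; the ids are made up for the example.

```python
"""Diff the NT system call table between two Windows versions.

Added example, not the tool used to produce the tables in this post. Input has
the shape of the per-version syscall table: service name -> {version: id}.
Between two versions a service can be added, removed or renumbered (same name,
different id); the last case is why hard-coded ids break across versions, and
why a stub built for one version can invoke a completely different service
on another.
"""
from typing import Any, Dict, List, Optional, Tuple

Table = Dict[str, Dict[str, int]]

# Names from the Windows 7 vs Windows 8 DP comparison; the ids are made up here.
SAMPLE: Table = {
    "NtClose":                 {"Win7-x64": 0x0C, "Win8DP-x64": 0x0D},
    "NtOpenKey":               {"Win7-x64": 0x0F, "Win8DP-x64": 0x0C},
    "NtCreateJobSet":          {"Win7-x64": 0x4D},
    "NtFlushInstructionCache": {"Win7-x64": 0xB3},
    "NtGetPlugPlayEvent":      {"Win7-x64": 0xC2},
    "NtAddAtomEx":             {"Win8DP-x64": 0x06},
    "NtCreateLowBoxToken":     {"Win8DP-x64": 0x4F},
}


def diff_versions(table: Table, old: str, new: str) -> Dict[str, Any]:
    """Added / removed / renumbered services when moving from `old` to `new`."""
    in_old = {n for n, ids in table.items() if old in ids}
    in_new = {n for n, ids in table.items() if new in ids}
    renumbered: Dict[str, Tuple[int, int]] = {
        n: (table[n][old], table[n][new])
        for n in sorted(in_old & in_new)
        if table[n][old] != table[n][new]
    }
    return {
        "added": sorted(in_new - in_old),
        "removed": sorted(in_old - in_new),
        "renumbered": renumbered,
    }


def service_for_id(table: Table, version: str, sid: int) -> Optional[str]:
    """Which service a given id dispatches to on `version` (None if the id is unused)."""
    for name, ids in table.items():
        if ids.get(version) == sid:
            return name
    return None


def hardcoded_id_lands_on(table: Table, name: str, built_for: str, runs_on: str) -> Optional[str]:
    """Service actually invoked by code that hard-codes `name`'s id from `built_for`
    but executes on `runs_on`. Equals `name` only if the id did not move."""
    return service_for_id(table, runs_on, table[name][built_for])


def render(diff: Dict[str, Any]) -> str:
    lines: List[str] = ["Added:"] + [f"  {n}" for n in diff["added"]]
    lines += ["Removed:"] + [f"  {n}" for n in diff["removed"]]
    lines += ["Renumbered:"] + [
        f"  {n}: 0x{a:04x} -> 0x{b:04x}" for n, (a, b) in diff["renumbered"].items()
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    d = diff_versions(SAMPLE, "Win7-x64", "Win8DP-x64")
    print(render(d))
    print("hard-coded Win7 NtClose id on Win8 DP invokes:",
          hardcoded_id_lands_on(SAMPLE, "NtClose", "Win7-x64", "Win8DP-x64"))
```

The same `diff_versions` works unchanged for the export-table diffs on this page if every exported symbol is given a dummy id (the renumbered set is then simply empty), and for the graphical (win32k) services as long as the two versions being compared are columns of the same table.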

The list of files which have already been processed and uploaded is as follows:

Plus the two system service providers:

Aaaand… that’s about it, have fun! :)

0-day Windows XP SP3 Denial of Service (CSRSS Crash #1)

A rather short blog post today, as I am currently on vacation. After publishing two quite extensive write-ups regarding vulnerabilities in the Windows “CSRSS” component, fixed on Microsoft’s July Patch Tuesday:

I would like to briefly discuss the details of another bug in the Windows Subsystem, which was NOT patched due to its low severity, and which can be used to force a reboot of a Windows machine. This is accomplished by exploiting a flaw in the winsrv!SrvGetConsoleTitle routine, a member of the Console Management services group. All Windows NT-family system editions up to Windows XP / 2003 are affected: on those systems the console code runs inside csrss.exe itself, and an unhandled exception in that critical process takes the whole system down. On Windows 7, where console handling was moved to a separate process, triggering the bug would at most crash the corresponding CONHOST.EXE process. Even though it is theoretically possible to turn the issue into an “Information Disclosure” class bug, we consider it highly unlikely that an unhandled exception could be avoided during exploitation.


CVE-2011-1282: User-Mode NULL Pointer Dereference & co.

After a short break, today I would like to present the details of another Windows CSRSS vulnerability, fixed during the recent Microsoft Patch Tuesday cycle (advisory MS11-056): CVE-2011-1282, also called the CSRSS Local EOP SrvSetConsoleLocalEUDC Vulnerability. Although not as spectacular as the previous one (see: CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability), I consider the nature of the flaw and the reason for its existence no less interesting than the missing basic sanity check in winsrv!SrvAllocConsole. Have fun!

Introduction

Before delving into the strictly technical details of the vulnerability, I would like to discuss some of its general characteristics. As stated in the original Microsoft Security Bulletin, the issue’s severity is Important on Windows XP and 2003 (where it is classified as Elevation of Privilege), and Low (Denial of Service) on newer platforms. The reason for this difference between the XP and Vista impacts is addressed later in this post.

Furthermore, the vendor explains the cause of the vulnerability as follows:

What causes the vulnerability?
This is a memory corruption vulnerability that can allow code execution in the system context. A NULL pointer is passed without validation to a function in the CSRSS. This allows the CSRSS to write to a NULL page in its process space. On Windows XP systems, under certain conditions, this page can then be leveraged by an attacker to execute code with increased permissions.

The above is, however, not entirely accurate: the NULL pointer dereference is not the root cause of the bug, but rather a direct consequence of several other subtle assumptions and one major implementation error present in the CSRSS code.
