Today, I would like to post a less technical text, discussing two issues I have recently come across, or been busy with; don’t worry though, as CSRSS Write-Up: IPC (part 2/3) is on the way. The first matter concerns recent changes applied to the blog appearance and functionality, while the second regards the results of a source-code audit performed by me and my Hispasec colleagues (Gynvael Coldwind and Icewall) something like a year ago (last summer :-)).
Windows CSRSS Write Up: Inter-process Communication (part 1/3)
In the second post of the Windows CSRSS Write Up series, I would like to explain how the practical communication between the Windows Subsystem and a user’s process takes place under the hood. Because some major improvements have been introduced in Windows Vista and later, the entire article is split into two parts – the first one giving an insight into what the communication channel really is, as well as how it is taken advantage of by both CSRSS and user processes. The second one, on the other hand, is going to talk through the modifications and new features shipped with Windows systems starting from Vista, as most of the basic ideas have remained the same for decades. As you already know what to expect, proceed to the next section :-)
Windows CSRSS write up: the basics
The following post opens a series of CSRSS-oriented articles, aiming at describing the undocumented CSRSS mechanism internals, present in the Windows OS for more than fifteen years now. Although some great research has already been carried out by a few curious guys (check out the references), no thorough case study has been available until now. In this series, I am going to cover both the very basic ideas and their implementations, as well as the recent CSRSS changes applied in modern operating systems (i.e. Windows 7). And so, just have a good read! ;)
Attacking the Host via Remote Kernel Debugger (Virtual Machines)
Note: This post is highly related to the research performed by Alex Ionescu. He is going to present the results of his work at the RECON2010 conference, during his Debugger-based Target-to-Host Cross-System Attacks speech. As it turns out, Alex and I have been working on the same subject concurrently – while I have only managed to perform a cursory analysis of the mechanism, Alex has carried out a thorough analysis and possibly developed a PoC for a real vulnerability ;) Besides this, I would like to share some of the ideas and conclusions I came up with over the recent weeks ;)
A quick insight into the Driver Signature Enforcement
I have recently had some fun playing around with driver signing on Windows x64, and so I would like to share some matters that have come into my head ;) Therefore, let me briefly describe some internal mechanisms lying behind the well-known Driver Signature Enforcement, a significant part of the Code Integrity feature introduced by Microsoft in Windows Vista and Windows 7. Understanding the underlying system behavior lets us think of possible attack vectors against the protection, as well as better understand the existing techniques, such as the ones developed by Joanna Rutkowska or Alex Ionescu. Let the fun begin!
CONFidence 2010 is over
One of the biggest (best ;)) IT security-oriented conferences in Poland finished three days ago, on Wednesday evening. First of all, I would like to congratulate all the organisers on their decision about where the event should be held, as well as what it should look like – during these two days, I had plenty of real fun!
CONFidence 2010 took place in Poland, on 25th and 26th of May, in the Kijów Cinema. The lectures were presented on two independent tracks (thus everyone was able to find something for himself at any given moment), and covered numerous important security fields. In my opinion (and because of my specific interests), the best speeches were given by Sebastian Fernandez – “General notes about exploiting Windows x64”, Mario Heiderich – “The Presence and Future of Web Attacks: Multi-Layer Attacks and XSSQLI” and Alexey Tikhonow – “De-blackboxing of digital camera”. I am really looking forward to seeing the slides published as soon as possible. Meanwhile, you can find the complete conference schedule at http://2010.confidence.org.pl/agenda.
Windows CSRSS cross-version API Table
It seems like half a year has passed since I published the Win32k.SYS system call table list on the net. During this time (well, it didn’t take so long ;)) I managed to gather enough information to release yet another API list – this time, concerning a user-mode application – CSRSS (Client/Server Runtime SubSystem). As a relatively common research subject, I think a table of this kind can make things easier for lots of people.
Before presenting the table itself, I would like to gently introduce the mechanism in question to the reader. As the name itself states, CSRSS is a part of the Windows Environment Subsystem, running in user mode. It is a single process (having the highest possible – SYSTEM – privileges), which mostly takes advantage of three dynamic libraries – basesrv.dll, csrsrv.dll and winsrv.dll. These files provide support for certain parts of the subsystem functionality, such as:
- Updating the list of processes / threads running on the system
- Handling the Console Window (i.e. special text-mode window) events
- Implementing parts of the Virtual DOS Machine support
- Supplying miscellaneous functions, such as ExitWindowsEx
Windows Kernel Vulnerabilities continued – details
And so it happened ;> As I’ve written in this post, Gynvael Coldwind has just finished speaking about recent Windows Kernel Vulnerabilities at the Hack In The Box Dubai conference, taking place today. Unfortunately, because European air travel was suspended these days, the presentation was held remotely – one way or another, it can be considered very successful, imho.
Thanks to the organisers, who publish the materials right after the speeches are over, all of the slides are now available at http://conference.hitb.org/hitbsecconf2010dxb/materials/.
Our presentation, containing the details of how the aforementioned kernel / CSRSS vulns work and can be exploited, can be found here (1.27MB).
I am not going to spoil anything more here – if you were not lucky enough to attend the Dubai conference, I strongly recommend the Polish CONFidence 2010 held in May (which I have also mentioned already).
Have fun! ;-)
CTcpFwd – cross-platform stdin/out to socket forwarding class
A few weeks ago, I had the pleasure to take part in a local 24-hour programming marathon (greets to my team: Pawel and Wojtek!). Due to the nature of the competition, I was obliged to create a simple class, making it possible to redirect sockets to standard i/o (stdin / stdout), which would greatly facilitate communication with the contest server. Because we were going to work on different platforms – both Microsoft Windows and GNU/Linux – the class had to be as cross-platform as possible. And so the CTcpFwd class, presented today, came into existence.
After the event was over, I decided to standardize the code and apply some minor fixes – currently, it is supposed to be a fully functional module. What should be kept in mind, though, is the fact that the code is released as a Proof of Concept project – its main purpose is to show exactly how the stdin / stdout file descriptors can be redirected on Windows – as it turns out, it is not as simple as one might assume.
This tiny class lets the programmer create and close multiple named remote connections (Connect and Disconnect methods), as well as switch the current stream associated with stdin/stdout (SwitchStdin and SwitchStdout routines), using the names declared previously. By default, the class turns off both Nagle’s buffering algorithm for the sockets (TCP_NODELAY flag) and the standard i/o buffering. Some example usage of CTcpFwd follows:
Windows Kernel Vulnerabilities release (Hispasec research)
Today, on Patch Tuesday, Microsoft released bits of information regarding the security vulnerabilities present in the Windows kernel – found and exploited (in Proof of Concept form) by me and Gynvael Coldwind – which are directly connected with a well-known Windows Registry functionality. Five bugs have been described (there are six in total in fact – one of them was dropped because a single patch in the source code fixes two separate vulns at the same time) – two of them allow Local Elevation of Privileges to be achieved, while the other three make it possible to perform a Denial of Service attack.
What should be noted is that the entire research was done in cooperation with Hispasec VirusTotal.
Let’s take a look at what the Microsoft report (MS10-021 to be exact) says about the vulnerabilities in question: