Nullcon 2012 CTF

(Collaborative post by Mateusz “j00ru” Jurczyk, Gynvael Coldwind and Adam Iwaniuk)

Friday, the 7th of September 2012 we were supposed to play the securitytraps.no-ip.org CTF. Unfortunately, the competition was postponed for a later date at the last moment, due to some significant technical problems. Next day evening we accidentally discovered another CTF taking place – the nullcon 2012 CTF, which sadly had already started one day earlier. Nonetheless, there were still 24 hours until the end, so we decided to give it a shot. TL;DR: We ended up 3rd (Team 41414141).

Below we describe a few of the tasks in more detail, plus briefly note what was the idea behind the solution to the other challenges we managed to solve.

Read moreNullcon 2012 CTF

Fun facts: Windows kernel and Device Extension Size

Today, I would like to start sharing some of the most amusing examples of the Windows kernel behavior that I often stumble upon while reverse-engineering its various areas, exploiting a particular vulnerability or just randomly exploring its code. Some of them might have certain implications for security, some are completely impractical and are presented for the sole purpose of entertainment. This post certainly belongs to the second group. Enjoy!

Oh and by the way, the discovery and exploitation of CVE-2011-2018 (as described in my detailed white paper) has been awarded with a Pwnie Award! Woot, thanks for the recognition :) Congratulations to all the other winners and nominees, especially Fermin Serna (@fjserna) with his amazing information leak research and Adobe Flash vulnerability.

Pwnie Award 2012 for Best Privilege Escalation Bug

Device extensions

As Microsoft states in the “Device Extensions” MSDN article:

For most intermediate and lowest-level drivers, the device extension is the most important data structure associated with a device object. Its internal structure is driver-defined, and it is typically used to:

  • Maintain device state information.
  • Provide storage for any kernel-defined objects or other system resources, such as spin locks, used by the driver.
  • Hold any data the driver must have resident and in system space to carry out its I/O operations.

Read moreFun facts: Windows kernel and Device Extension Size

PDF fuzzing and Adobe Reader 9.5.1 and 10.1.3 multiple critical vulnerabilities

(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind)

Several months ago, we started an internal Google Security Team effort to improve the general security posture of the Chrome embedded PDF reader, in an approach similar to the Flash fuzzing performed several months ago by Tavis Ormandy. During the course of a few weeks, we built a solid corpus of PDF documents that we feel gets significant coverage of the Chrome PDF Reader’s code base and used it to shake out more than 50 low-to-high severity bugs. All of the high and critical severity bugs we discovered have been fixed in the stable channel [12, 3] as of this posting; see examples:

[132585] [132694] [132861] High CVE-2012-2851: Integer overflows in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[134888] High CVE-2012-2855: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[134954] [135264] High CVE-2012-2856: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[136643] [137721] [137957] High CVE-2012-2862: Use-after-free in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

[136968] [137361] High CVE-2012-2863: Out-of-bounds writes in PDF viewer. Credit to Mateusz Jurczyk of Google Security Team, with contributions by Gynvael Coldwind of Google Security Team.

Read morePDF fuzzing and Adobe Reader 9.5.1 and 10.1.3 multiple critical vulnerabilities

ATmega328 (Arduino Uno compatible) MD5 optimized assembly implementation

Disclaimer: the things I am writing about are new to me. Although I do my best to have a solid (well, decent in this case) understanding of the covered topics, some inaccuracies might have slipped through. Feel free to point them out in the comments.

Hey guys, or anyone who still happens to visit this blog. First of all, thanks for the Pwnie Awards nomination!

I’ve been recently toying with the idea of learning some electronics that’s not necesarilly related to desktop PCs or the Intel X86(-64) architecture. Finally, the choice fell on programming AVR microcontrollers, or specifically playing with the Arduino Uno board (including an ATmega328 unit) and its many optional shields which can make a project physically functional. As you can see, there’s totally nothing out of ordinary going on, but it’s a start and I’ll probably take the chance to share anything that takes a few hours to learn :-) My first idea for the very initial project was to write an optimized MD5 hash function implementation and create a simplistic bruteforce password cracker. Because of the very limited CPU resources (16MHz) and the fact that avr-gcc 4.3.3 turned out not to be so clever about generating efficient code, I decided to learn some of the AVR architecture, make a first bunch of silly mistakes and write the code in assembly.

As a consequence, I created a very basic md5 library, with the public interface (md5_init, md5_update, …) in C and the computation-heavy part calculating the hash itself (md5_transform) in assembly; it is the subject of this post. As far as I can tell, the code should work on any of ATmega48PA, ATmega88PA, ATmega168PA, ATmega328P MCU and potentially some others. It’s been thoroughly tested both manually and automatically against another third-party implementation, but I do not guarantee that it would always work as expected. Use at your own risk.

Read moreATmega328 (Arduino Uno compatible) MD5 optimized assembly implementation

CVE-2011-2018 exploitation as a standalone paper + other news

I figured that it might be worth releasing the “The story of CVE-2011-2018 exploitation” as a stand-alone, nicely formatted paper for your reading convenience. It was previously released in the Hack in The Box Magazine #8 over a month ago (see announcement blog post). In short words, the paper is a guide through the exploitation process of a subtle, yet very interesting vulnerability in the Windows kernel, patched by Microsoft in December 2011. Without further ado, the full document can be downloaded at: cve_2011_2018.pdf (607kB).

Abstract

Exploitation of Windows kernel vulnerabilities is recently drawing more and more attention, as observed in both monthly Microsoft advisories and technical talks presented on public security events. One of the most recent security flaws fixed in the Windows kernel was CVE-2011-2018, a vulnerability which could potentially allow a local attacker to execute arbitrary code with system privileges. The problem affected all – and only – 32-bit editions of the Windows NT-family line, up to Windows 8 Developer Preview. In this article, I present how certain novel exploitation techniques can be used on different Windows platforms to reach an elevation of privileges through this specific kernel vulnerability.

Read moreCVE-2011-2018 exploitation as a standalone paper + other news

Hack in the Box Magazine #8 available now

Every one or two quarters, there’s the one day we all wait for – and that’s when the latest issue of the Hack in the Box Magazine is released :-) Thanks to the hard and awesome work of Zarul Shahrin and the entire editorial crew, we are very excited to announce that the eight edition is now out available on the project website. One big change we decided to make due to popular demand is a printer-friendly version of the mag, with a single logical page per a physical one, (hopefully) making it significantly easier to read it even when you don’t have a spare 24″ screen to use. Also, you can now order an original printed version through HP MagCloud. For more information, see the bottom of http://magazine.hitb.org/. I can’t see the “spread” version available on the website now, but if you’re interested, feel free to ping me for it.

Other than that, there are some quite interesting articles you should definitely check out. Traditionally, I took care of the Windows Security section with an article called “The Story of CVE-2011-2018 Exploitation”. Although the specific Windows kernel vulnerability was very fresh at the time of writing the paper (it was fixed in December 2011) and it’s almost half a year old now, it still required (unbashedly speaking) one of the most sophisticated chain of Windows kernel exploitation techniques I have seen in a long time. The document covers several interesting methods such as kernel pool and stack spraying or the usage of ring-0 virtual address space information leaks used together to create a working Windows XP/Vista/7 privilege escalation proof of concept. If you are into Windows internals and low-level vulnerability exploitation, you will definitely find something for yourself. On a side note, should you know any easier or simpler means of performing any of the discussed exploitation steps, I will be more than happy to hear from you!

As always, the magazine is in need for authorship support. If you believe you have an interesting IT security-related subject and are willing to write an article for us, don’t wait and drop us a line at editorial@hackinthebox.org.

The magazine can be downloaded from here (HITB-Ezine-Issue-008.pdf, 2.18 MB)

Read moreHack in the Box Magazine #8 available now

A Bug Hunter’s Diary review

Title: A Bug Hunter’s Diary. A Guided Tour Through the Wilds of Software Security.
Author: Tobias Klein
ISBN: 978-1-59327-385-9
Published: November 2011
Websites: http://nostarch.com/bughunter.htmhttp://www.trapkit.de/books/bhd/en.html

In the modern times of noisy news headlines like “A Security Researchers Unveils a Critical Vulnerability in Product X”, little is publicly said about the overall bug hunting process, in lieu of discussions regarding technical bug details, exploitation mitigations and their countermeasures. The taste of identifying a target, finding a vulnerability, creating proof-of-concept code and talking to the vendors was only known to those actively participating in the security scene – but only until Tobias Klein published his book called A Bug Hunter’s Diary. Mr. Klein, a German security researcher, decided to let the reader take a glimpse at how a bug hunter’s daily work looks and feels like; a subject as much interesting as underestimated in the common literature.

The book is divided into eight chapters and a brief Appendix. The Introduction outlines basic concepts, assumptions and tools used by the author and commonly referenced thorough the book. After that follow seven technical chapters, each discussing a vulnerability in a different product, found and responsibly disclosed by the author during the course three years (2008 – 2011). The diversity of software classes discussed in the book ranges from media decoders (VLC, FFmpeg) through web browsers (WebEx ActiveX control) up to kernels and device drivers (Solaris, Mac OSX, Apple iOS, Avast! driver). Thanks to the wide selection of presented hardware and software platforms and products, one can learn how all kinds of software can be subject to fundamentally trivial bugs, and how different vendors have completely different policies and response times in regard to external reports.

What I consider the biggest advantage of the book is the specific layout of the chapters. Each of them is arranged in the form of a story, beginning with an initial concept of how to approach a chosen target and ending with a patch release and advisory publication. This goes far beyond the typical scheme of limiting focus to technical aspects of software security only, and makes the book enjoyable for anyone interested in vulnerability discovery.

As a diary, I believe it is one of the best books I have read so far. Easy writing style, interesting bugs and illustrative pictures and code listings are the key points making it so successful. Bear in mind, though, that it should not be confused with a textbook – if you are looking for a complete overview of common vulnerability classes or information regarding exploitation mitigations such as DEP or ASLR, you’d rather refer to The Shellcoder’s Handbook or a similar volume. That said, I would especially recommend A Bug Hunter’s Diary as an excellent supplement of a security textbook to everyone making his first steps in the software security field. I definitely wish to see more books of this kind published in the future.

FYI: Printable “Windows Kernel Address Protection” paper out

That’s just a short notification that I decided to release the Windows Security Hardening Through Kernel Address Protection article published in Hack in the Box Magazine #7 over a month ago (see HITB #7 on the wild, at last). The paper is now available in a nicely formatted, printer-friendly format. If you missed it then, here’s your chance to take a look :-)

Download: Windows Security Hardening Through Kernel Address Protection (382 kB, PDF)

Abstract

As more defense-in-depth protection schemes like Windows Integrity Control or sandboxing technologies are deployed, threats affecting local system components become a relevant issue in terms of the overall operating system user’s security plan. In order to address continuous development of Elevation of Privileges exploitation techniques, Microsoft started to enhance the Windows kernel security, by hardening the most sensitive system components, such as Kernel Pools with the Safe Unlinking mechanism introduced in Windows 7. At the same time, the system supports numerous both official and undocumented services, providing valuable information regarding the current state of the kernel memory layout. In this paper, we discuss the potential threats and problems concerning unprivileged access to the system address space information. In particular, we also present how subtle information leakages can prove useful in practical attack scenarios. Further in the document, we conclusively provide some suggestions as to how problems related to kernel address information availability can be mitigated, or entirely eliminated.

Magus Ex Machina – a product of a 48h codejam

(Collaborative post by Gynvael Coldwind and Mateusz “j00ru” Jurczyk)

Five weeks ago, we have taken part in a fancy game-development competition aka Google GameJam 48h. As the name implies, the contest lasted for precisely two days; unfortunately, we were proven to lack supernatural powers and had to spend some of the precious time sleeping :-) The theme of the event was “Magic versus Science”, and in our case, those two days of hardcore coding resulted in a 2D logic game called Magus Ex Machina. In the end, four teams in total managed to create and present games with actual gameplay; interestingly, we were the only ones making use of a native technology (i.e. OpenGL + SDL + a few other minor libraries), as the other competitors decided to go for pure browser (html + css + javascript) productions. Although we didn’t get the first place, we believe that the game is still fun to play, and thus worth sharing with a larger audience :-)

Read moreMagus Ex Machina – a product of a 48h codejam

Refreshed Windows System Call Table (NT/2000/XP/2003/Vista/2008/7/8) released

Long time no see, huh? :-)

TL;DR: I created and released a complete Windows NT-family syscall table. See the bottom of the post for a link.

For the last couple of years, the Metasploit project (gritz skape!) has been hosting a table of the core Windows kernel services, also known as system calls (originally available at http://dev.metasploit.com/users/opcode/syscalls.html). In its final version, the table included information regarding Windows NT (all recent service packs), 2000 (all service packs), XP (up to SP2), 2003 (up to SP1) and Vista (up to SP0). As years passed, new operating system editions were being released by Microsoft, while existing ones had new Service Packs made available for them. Consequently, due to lack of active maintainance, the project has became partially outdated, and eventually disappeared from the metasploit domain around four weeks ago.

Today, I would like to present a table based on the same concept (well, even the layout doesn’t differ too much), but supplemented with information about the originally missing Windows versions, including Windows 8 Developer Preview available since less than two months. The table contains a list of every Windows kernel service found at any point in the history of Windows NT-family, together with the syscall id for all OS editions it was present on. Unfortunately, it lacks the corresponding syscall handlers’ definitions; that’s simply because most of the NTAPI interface is not publicly documented by Microsoft. As such, the project has a primarily informative purpose – you can observe how the Windows native api has evolved through all these years, what kind of functionality might have been introduced in new system versions and which parts were removed, and so on. I believe you can also use it to pick an interesting Windows internals research subject, if you feel like performing one :-)

The most recent version of the table can be found here: https://j00ru.vexillium.org/syscalls/nt/32/

Read moreRefreshed Windows System Call Table (NT/2000/XP/2003/Vista/2008/7/8) released