PacSecJP, profile picture
Uploaded byPacSecJP
PDF, PPTX552 views

Di shen pacsec_final

- The document discusses exploiting unconventional use-after-free (UAF) bugs in the Android kernel perf system to gain root privileges on Android devices. - It describes two UAF bugs, CVE-2016-6787 and CVE-2017-0403, that are difficult to exploit due to lack of control over freed objects and inability to achieve code execution. - Novel exploitation techniques are proposed, such as freezing threads to gain time to refill freed objects for CVE-2016-6787 and compromising the pipe subsystem to achieve arbitrary kernel writes for CVE-2017-0403.

Embed presentation

Download as PDF, PPTX
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel Di Shen a.k.a. Retme (@returnsme) Keen Lab of Tencent
whoami •  Di Shen a.k.a. Retme (@returnsme) •  Member of Keen Lab •  Android Kernel vulnerability hunting and exploitation since 2014 •  Aim: to make out universal rooting exploit for Android •  Trophy: •  CVE-2016-6787 & CVE-2017-0403 (kernel/events/core.c) •  CVE-2015-1805 (fs/pipe.c) ’s first working exploit •  CVE-2015-4421,4422 (Huawei TrustZone) •  KNOX Bypassing on Samsung Galaxy S7 (BHUSA 17’) •  Exploiting Wireless Extension for all common Wi-Fi chipsets (BHEU 16’) •  And more To Be Announced in the future •  Available on https://github.com/retme7/My-Slides
Agenda •  Rooting Android: Current situation •  Overview of exploiting UAF in kernel •  Conventional approach •  Afterwards: Gain root •  The Unconventional UAFs •  Implementation of perf system •  Exploiting CVE-2017-0403 •  Exploiting CVE-2016-6787 •  Conclusion
Rooting Android: Current situation • Universal exploitable vulnerability is rare •  Available attack surface: •  Generic Linux syscalls •  Android universal drivers like Binder, ION, Ashmem
Rooting Android: Current situation • Enforced SELinux policy •  Most of device drivers are inaccessible •  Many syscalls are not reachable from untrusted Application •  Sockets ioctl commands are partially restricted
Rooting Android: Current situation •  Verified Boot through dm-verity kernel feature •  The gained root privilege is nonpersistent
Rooting Android: Future challenges •  Privileged Access Never (PAN) •  KASLR •  Pointer Authentication
Overview of exploiting UAF in kernel •  An easily exploitable UAF bug normally has following features: •  Has a function pointer in freed object •  Attacker has plenty of time to refill the freed object.
Conventional approach of UAF exploitation struct socket (freed) ops->ioctl(…) struct socket (refilled) ops->ioctl(…) JOP gadgets •  Free the victim object •  Refill the object with malformed data by heap spraying or ret2dir •  Let the function pointer point to ROP/JOP gadgets in kernel •  Ask kernel reference this function pointer to achieve arbitrary kernel code execution ioctl(sockfd,…) kernel_sock_ioctl() JOP gadgets
Afterwards, from code execution to root Arbitrary kernel code execuAon Overwrite process's addr_limit Arbitrary kernel memory overwriAng Overwrite uid, security id, selinux_enforcing
However… •  Not every UAF bug in kernel is so that idealized •  More unconventional situation to deal with… •  The victim object may don’t have a function pointer •  The kernel may crash soon after UAF triggered •  The attacker may cannot fully controlled the freed object
The unconventional UAFs I found •  All found in sys_perf_event_open() •  Perf system is pretty buggy •  Reachable by application last year •  But now it’s restricted by a feature called “perf_event_paranoid”
The unconventional UAFs I found •  CVE-2017-0403 •  Ever affected all devices shipped with 3.10 or earlier Linux kernel •  More than 14 million users of KingRoot gain root privilege on their smart phones •  CVE-2016-6787 •  Ever affected all Qualcomm-based devices. (Only Qucalcomm enabled hardware perf event…) •  A part of my exploit chain to bypass Samsung KNOX 2.6
sys_perf_event_open() •  Will create a perf_event •  Input: perf_event_attr •  A description of what kind of performance event you need •  Input: group_fd (optional) •  Specify the group leader of new perf_event •  Return the fd of perf_event to user space
Key kernel objects in perf system •  perf_event •  A performance event which is registered by user •  perf_event_context •  The container of all perf events created in one process •  Each process has two contexts, one for software events, other one for hardware events •  Perf group and group leader •  Multiple events can form a group •  One event is the leader perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
move_group •  Happens when user try to create a hardware event in pure software group
CVE-2016-6787 Remove the group_leader from origin software context and then install it to hardware context Remove every event from software context, and then install it to new hardware context ’move_group‘ leads to reducing context’s refcont by one
CVE-2016-6787 •  move_group ignored the concurrency issues •  UAF happens due to race condition •  Attacker trigger the move_group on same group leader simultaneously, •  The ref count of group_leader->ctx may be reduced to zero •  task_struct->perf_event_ctxp[perf_sw_context] will be freed accidently The object is freed
Free perf_event_context (PoC) Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) ctx->refcount = 1 ctx->refcount = 2 ctx->refcount = 0
Kernel crashed instantly •  Kernel crashed soon after we freed the perf_event_context •  Thread scheduler need to reference this object consecutively •  We don‘t have plenty of time to refill the object L
Solution: freeze thread after free •  Keep thread scheduler away from me •  Switch the status of attacker’s thread from running to (un)interruptible •  The thread will be frozen and kernel won’t crash as soon as perf_event_context freed
How to freeze a thread from user land? •  Sleep() ? Not working •  Use futex_wait_queue_me() switch to interrupAble freezable_schedule()
Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) futext_wait_queue_me() Phase 1 Phase 2 Spraying the heap by using ‘ret2dir’ trick, fill a malformed perf_event_context{} in every 1024 bytes Use futex_wake() wake up main thread Phase 4 schedule() finish_task_switch() perf_event_context_sched_in() ctx->pmu->pmu_disable() Phase 3
A brief summary of CVE-2016-6787 •  Easy to win the race, and trigger the bug •  Hard to refill the freed object (no time) •  Easy to control the code flow (corrupted object has function pointer) •  Proposed an approach of thread freezing to gain more time to refill object
Review: relationship of perf event, group and group leader •  Group leader has a sibling_list •  sibling_list is a list of perf events which belongs this group perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
CVE-2017-0403 (PoC) •  Create a perf event as ‘A’ •  Create another perf event as ‘B’, specify ‘A’ as its group leader •  Free ‘A’,the group leader •  Free ‘B’, a sibling of group ß---- UAF happens here
Root cause •  Now group leader ‘A’ is freed •  Kernel doesn’t empty its sibling list •  Leads to leaving a dangling pointer in sibling’s event->group_entry
Root cause •  Later on the sibling ‘B’ is freed •  list_del_event() •  list_del_init(&event->group_entry); •  overwrite a pointer to the freed group leader.
•  Slub poinson infomation •  0xfffffc00fc2b1a0 is overwritten to (group_leader+ 0x20)
The unconventional scenario •  The only thing I can do is overwritting the freed object as following *(size_t*)(freed_object + 0x20) = (freed_object + 0x20)
Pipe subsystem in Linux •  readv() & writev(): read/write multiple buffers through pipe •  Use an array of struct iovec{iov_base,iov_len} to describe user buffers •  When no contents available from the write end, readv() may block in kernel •  Then an array of struct iovec{} may stay in kernel’s heap
Compromise pipe system •  Call readv() •  rw_copy_check_uvector() confirm every iov_base must points to userland space. •  An array of struct iovec{} now is in heap. Nothing comes from the write end of pipe, so readv() block. •  If you can somehow overwrite the iovec{}, modify the iov_base to a kernel address. Emmm… iov_base iov_len iov_base iov_len iov_base iov_len ….. kernel_addr iov_len kernel_addr iov_len kernel_addr iov_len
Compromise pipe system •  Now write something to another end of pipe •  pipe_iov_copy_to_user() won’t check the iov_base again. •  Buffers you wrote to pipe will be copied to the kernel address
········ Trigger UAF, write two 8-bytes value“A+0x20”to address = A+0x20 ↓ the 1st freed object, address is A Solution: convert UAF to arbitrary R/W ↓the 2nd freed object, address is B = A + 0x400 Use iovec to spray the heap Freed Data Freed Data Freed Freed Data Freed Data ········· base len base len base base len base len ··················· base len A + 0x20 A+0x20 base ·········· base len base len Write a buffer to pipe ,the buffer will be copied to (A + 0x20) ········· base len KADDR 8 KADDR ·········· KADDR 8 KADDR 8 ········· Write a buffer to pipe again,it will be copied to KADDR KADDR can be any address value, we achieved arbitrary kernel memory overwriting 1 2 3 4 5
A brief summary of CVE-2017-0403 •  Attacker lost the file descriptor of freed object •  Cannot achieve code execution via refilling object’s function pointer •  Only be able to write the address value of freed object twice to freed object •  Proposed a new approach: compromising pipe system
Conclusion •  Most UAF bugs looks not exploitable, but there may be another way •  No idea? Put it down for a while, but do not let it go… •  Be familiar with kernel’s source code, kernel’s own feature may help your exploitation (e.g. pipe for CVE-2017-0403)
Di shen pacsec_final

More Related Content

PDF
Shusei tomonaga pac_sec_20171026
byPacSecJP
 
PPTX
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
byCODE BLUE
 
PPTX
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
byCODE BLUE
 
PDF
Auditing the Opensource Kernels
bySilvio Cesare
 
PDF
Possibility of arbitrary code execution by Step-Oriented Programming
bykozossakai
 
PDF
Automated Malware Analysis and Cyber Security Intelligence
byJason Choi
 
PDF
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
byChong-Kuan Chen
 
PDF
Can We Prevent Use-after-free Attacks?
byinaz2
 
Shusei tomonaga pac_sec_20171026
byPacSecJP
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
byCODE BLUE
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
byCODE BLUE
 
Auditing the Opensource Kernels
bySilvio Cesare
 
Possibility of arbitrary code execution by Step-Oriented Programming
bykozossakai
 
Automated Malware Analysis and Cyber Security Intelligence
byJason Choi
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
byChong-Kuan Chen
 
Can We Prevent Use-after-free Attacks?
byinaz2
 

What's hot

PDF
Lucas apa pacsec slides
byPacSecJP
 
PPTX
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
byCODE BLUE
 
ODP
Stealthy, Hypervisor-based Malware Analysis
byTamas K Lengyel
 
PPTX
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
byRootedCON
 
PDF
Audit
byMark Ellzey Thomas
 
PPTX
Detection index learning based on cyber threat intelligence and its applicati...
byCODE BLUE
 
PPTX
Hunting for APT in network logs workshop presentation
byOlehLevytskyi1
 
PPTX
ShinoBOT Suite
byShota Shinogi
 
PDF
Csw2016 economou nissim-getting_physical
byCanSecWest
 
PDF
Real-Time Static Malware Analysis using NepenthesFE
byWasim Halani
 
PDF
Csw2016 chen grassi-he-apple_graphics_is_compromised
byCanSecWest
 
PDF
BlueHat v18 || The matrix has you - protecting linux using deception
byBlueHat Security Conference
 
PDF
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
byFFRI, Inc.
 
PDF
The day I ruled the world (RootedCON 2020)
byJavier Junquera
 
PPTX
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
byCODE BLUE
 
PDF
Assume Compromise
byZach Grace
 
ODP
Malware analysis - What to learn from your invaders
byTazdrumm3r
 
PPTX
Metasploit for Web Workshop
byDennis Maldonado
 
PPTX
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
PPTX
Bsides detroit 2013 honeypots
byTazdrumm3r
 
Lucas apa pacsec slides
byPacSecJP
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
byCODE BLUE
 
Stealthy, Hypervisor-based Malware Analysis
byTamas K Lengyel
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
byRootedCON
 
Audit
byMark Ellzey Thomas
 
Detection index learning based on cyber threat intelligence and its applicati...
byCODE BLUE
 
Hunting for APT in network logs workshop presentation
byOlehLevytskyi1
 
ShinoBOT Suite
byShota Shinogi
 
Csw2016 economou nissim-getting_physical
byCanSecWest
 
Real-Time Static Malware Analysis using NepenthesFE
byWasim Halani
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
byCanSecWest
 
BlueHat v18 || The matrix has you - protecting linux using deception
byBlueHat Security Conference
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
byFFRI, Inc.
 
The day I ruled the world (RootedCON 2020)
byJavier Junquera
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
byCODE BLUE
 
Assume Compromise
byZach Grace
 
Malware analysis - What to learn from your invaders
byTazdrumm3r
 
Metasploit for Web Workshop
byDennis Maldonado
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
byShota Shinogi
 
Bsides detroit 2013 honeypots
byTazdrumm3r
 

Viewers also liked

PDF
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
byPacSecJP
 
PDF
Anıl kurmuş pacsec3
byPacSecJP
 
PDF
Kavya racharla ndh-naropanth_fin_jp-final
byPacSecJP
 
PDF
Marc schoenefeld grandma‘s old handbag_draft2
byPacSecJP
 
PDF
Di shen pacsec_jp-final
byPacSecJP
 
PDF
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
byPacSecJP
 
PDF
Ryder robertson pac-sec skeleton 2017_jp
byPacSecJP
 
PDF
Rouault imbert alpc_rpc_pacsec
byPacSecJP
 
PDF
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
byPacSecJP
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
byPacSecJP
 
Anıl kurmuş pacsec3
byPacSecJP
 
Kavya racharla ndh-naropanth_fin_jp-final
byPacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2
byPacSecJP
 
Di shen pacsec_jp-final
byPacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
byPacSecJP
 
Ryder robertson pac-sec skeleton 2017_jp
byPacSecJP
 
Rouault imbert alpc_rpc_pacsec
byPacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
byPacSecJP
 

Similar to Di shen pacsec_final

PDF
Davide Berardi - Linux hardening and security measures against Memory corruption
bylinuxlab_conf
 
PPTX
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 
PPTX
Practical Windows Kernel Exploitation
byzeroSteiner
 
PDF
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
byNoSuchCon
 
PPTX
Metasploit & Windows Kernel Exploitation
byzeroSteiner
 
PDF
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
byPriyanka Aash
 
PDF
Digging for Android Kernel Bugs
byJiahong Fang
 
PDF
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
byKernel TLV
 
PPTX
Guardians of your CODE
byPeter Hlavaty
 
PPTX
Attack on the Core
byPeter Hlavaty
 
PPTX
Security research over Windows #defcon china
byPeter Hlavaty
 
PPTX
Racing with Droids
byPeter Hlavaty
 
PDF
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
byRootedCON
 
PDF
Exploitation of counter overflows in the Linux kernel
byVitaly Nikolenko
 
PPT
[h2hc] Generic exploitation of invalid memory writes
byMoabi.com
 
PDF
BlackHat_DC_2011_Avraham_ARM Exploitation-wp.2.0
byZuk Avraham
 
PDF
How to Root 10 Million Phones with One Exploit
byJiahong Fang
 
PDF
[Ruxcon 2011] Post Memory Corruption Memory Analysis
byMoabi.com
 
PDF
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
byJinbumPark
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 
Davide Berardi - Linux hardening and security measures against Memory corruption
bylinuxlab_conf
 
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 
Practical Windows Kernel Exploitation
byzeroSteiner
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
byNoSuchCon
 
Metasploit & Windows Kernel Exploitation
byzeroSteiner
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
byPriyanka Aash
 
Digging for Android Kernel Bugs
byJiahong Fang
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
byKernel TLV
 
Guardians of your CODE
byPeter Hlavaty
 
Attack on the Core
byPeter Hlavaty
 
Security research over Windows #defcon china
byPeter Hlavaty
 
Racing with Droids
byPeter Hlavaty
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
byRootedCON
 
Exploitation of counter overflows in the Linux kernel
byVitaly Nikolenko
 
[h2hc] Generic exploitation of invalid memory writes
byMoabi.com
 
BlackHat_DC_2011_Avraham_ARM Exploitation-wp.2.0
byZuk Avraham
 
How to Root 10 Million Phones with One Exploit
byJiahong Fang
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
byMoabi.com
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
byJinbumPark
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 

More from PacSecJP

PDF
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
byPacSecJP
 
PDF
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
byPacSecJP
 
PDF
Rouault imbert view_alpc_rpc_pacsec_jp
byPacSecJP
 
PDF
Anıl kurmuş pacsec3-ja
byPacSecJP
 
PDF
Yunusov babin 7sins-pres_atm_v4(2)_jp
byPacSecJP
 
PDF
Yunusov babin 7 sins pres atm v2
byPacSecJP
 
PDF
Shusei tomonaga pac_sec_20171026_jp
byPacSecJP
 
PDF
Kavya racharla ndh-naropanth_fin
byPacSecJP
 
PDF
Lucas apa pacsec_slides_jp-final
byPacSecJP
 
PDF
Marc schoenefeld grandma‘s old handbag_draft2_ja
byPacSecJP
 
PDF
Kasza smashing the_jars_j-corrected
byPacSecJP
 
PDF
Jurczyk windows metafile_pacsec_jp3
byPacSecJP
 
PDF
Jurczyk windows metafile_pacsec_v2
byPacSecJP
 
PDF
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
byPacSecJP
 
PDF
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
byPacSecJP
 
PDF
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
byPacSecJP
 
PDF
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
byPacSecJP
 
PDF
Moony li pacsec-1.5_j4-truefinal
byPacSecJP
 
PDF
Moony li pacsec-1.8
byPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
byPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
byPacSecJP
 
Rouault imbert view_alpc_rpc_pacsec_jp
byPacSecJP
 
Anıl kurmuş pacsec3-ja
byPacSecJP
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
byPacSecJP
 
Yunusov babin 7 sins pres atm v2
byPacSecJP
 
Shusei tomonaga pac_sec_20171026_jp
byPacSecJP
 
Kavya racharla ndh-naropanth_fin
byPacSecJP
 
Lucas apa pacsec_slides_jp-final
byPacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
byPacSecJP
 
Kasza smashing the_jars_j-corrected
byPacSecJP
 
Jurczyk windows metafile_pacsec_jp3
byPacSecJP
 
Jurczyk windows metafile_pacsec_v2
byPacSecJP
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
byPacSecJP
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
byPacSecJP
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
byPacSecJP
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
byPacSecJP
 
Moony li pacsec-1.5_j4-truefinal
byPacSecJP
 
Moony li pacsec-1.8
byPacSecJP
 

Recently uploaded

PDF
BELUGA slideshow funny and cool make you laugh
byjoshuaindrei
 
PDF
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
PDF
DNS Principles and Operations - Lecture 05
byInternet Systems Consortium and University of Ostrava
 
PPTX
Presentation4.pptx space it's exploration
byvarung3424
 
PDF
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 
PDF
DNS Principles and Operations - Lecture 04
byInternet Systems Consortium and University of Ostrava
 
PDF
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
PPTX
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
PDF
From Technocracy to Data Sovereignty, Open Data and Geospatial Technologies
byFranz-Josef Behr
 
PPTX
Types of conflicthjhhkjljljjikjhbsakmxlsakx;lsakxla,xa,x.a,laxlaklsadisjcjsdd
bykburdzenidzeboys
 
PDF
DNS Principles and Operations - Lecture 01
byInternet Systems Consortium and University of Ostrava
 
PDF
Ethereum Fusaka Upgrade Set For December 3: Everything you need to know | 3.0 TV
by3verseTV
 
PDF
Antrophic abuse by GTG-1002 group, cyber attack analysis by MITRE ATLAS and A...
byCarlo Dapino
 
PDF
ResleekTV Review 2025: Is It the Best IPTV Service? Full Guide & Features
byStream Insight Reviews
 
BELUGA slideshow funny and cool make you laugh
byjoshuaindrei
 
Hybrid Mesh Firewall: Network firewall revolution
byBangladesh Network Operators Group
 
DNS Principles and Operations - Lecture 05
byInternet Systems Consortium and University of Ostrava
 
Presentation4.pptx space it's exploration
byvarung3424
 
DNSSEC Deployment for .BD SLDs by Abdul Awal
byBangladesh Network Operators Group
 
DNS Principles and Operations - Lecture 04
byInternet Systems Consortium and University of Ostrava
 
Optimizing DNS Performance in Kubernetes: Challenges and Best Practices
byBangladesh Network Operators Group
 
Understanding Universal Acceptance (UA) and Technical Challenges
byBangladesh Network Operators Group
 
From Technocracy to Data Sovereignty, Open Data and Geospatial Technologies
byFranz-Josef Behr
 
Types of conflicthjhhkjljljjikjhbsakmxlsakx;lsakxla,xa,x.a,laxlaklsadisjcjsdd
bykburdzenidzeboys
 
DNS Principles and Operations - Lecture 01
byInternet Systems Consortium and University of Ostrava
 
Ethereum Fusaka Upgrade Set For December 3: Everything you need to know | 3.0 TV
by3verseTV
 
Antrophic abuse by GTG-1002 group, cyber attack analysis by MITRE ATLAS and A...
byCarlo Dapino
 
ResleekTV Review 2025: Is It the Best IPTV Service? Full Guide & Features
byStream Insight Reviews
 

Di shen pacsec_final

  • 1.
    The Art ofExploiting Unconventional Use-after-free Bugs in Android Kernel Di Shen a.k.a. Retme (@returnsme) Keen Lab of Tencent
  • 2.
    whoami •  Di Shena.k.a. Retme (@returnsme) •  Member of Keen Lab •  Android Kernel vulnerability hunting and exploitation since 2014 •  Aim: to make out universal rooting exploit for Android •  Trophy: •  CVE-2016-6787 & CVE-2017-0403 (kernel/events/core.c) •  CVE-2015-1805 (fs/pipe.c) ’s first working exploit •  CVE-2015-4421,4422 (Huawei TrustZone) •  KNOX Bypassing on Samsung Galaxy S7 (BHUSA 17’) •  Exploiting Wireless Extension for all common Wi-Fi chipsets (BHEU 16’) •  And more To Be Announced in the future •  Available on https://github.com/retme7/My-Slides
  • 3.
    Agenda •  Rooting Android:Current situation •  Overview of exploiting UAF in kernel •  Conventional approach •  Afterwards: Gain root •  The Unconventional UAFs •  Implementation of perf system •  Exploiting CVE-2017-0403 •  Exploiting CVE-2016-6787 •  Conclusion
  • 4.
    Rooting Android: Currentsituation • Universal exploitable vulnerability is rare •  Available attack surface: •  Generic Linux syscalls •  Android universal drivers like Binder, ION, Ashmem
  • 5.
    Rooting Android: Currentsituation • Enforced SELinux policy •  Most of device drivers are inaccessible •  Many syscalls are not reachable from untrusted Application •  Sockets ioctl commands are partially restricted
  • 6.
    Rooting Android: Currentsituation •  Verified Boot through dm-verity kernel feature •  The gained root privilege is nonpersistent
  • 7.
    Rooting Android: Futurechallenges •  Privileged Access Never (PAN) •  KASLR •  Pointer Authentication
  • 8.
    Overview of exploitingUAF in kernel •  An easily exploitable UAF bug normally has following features: •  Has a function pointer in freed object •  Attacker has plenty of time to refill the freed object.
  • 9.
    Conventional approach ofUAF exploitation struct socket (freed) ops->ioctl(…) struct socket (refilled) ops->ioctl(…) JOP gadgets •  Free the victim object •  Refill the object with malformed data by heap spraying or ret2dir •  Let the function pointer point to ROP/JOP gadgets in kernel •  Ask kernel reference this function pointer to achieve arbitrary kernel code execution ioctl(sockfd,…) kernel_sock_ioctl() JOP gadgets
  • 10.
    Afterwards, from codeexecution to root Arbitrary kernel code execuAon Overwrite process's addr_limit Arbitrary kernel memory overwriAng Overwrite uid, security id, selinux_enforcing
  • 11.
    However… •  Not everyUAF bug in kernel is so that idealized •  More unconventional situation to deal with… •  The victim object may don’t have a function pointer •  The kernel may crash soon after UAF triggered •  The attacker may cannot fully controlled the freed object
  • 12.
    The unconventional UAFsI found •  All found in sys_perf_event_open() •  Perf system is pretty buggy •  Reachable by application last year •  But now it’s restricted by a feature called “perf_event_paranoid”
  • 13.
    The unconventional UAFsI found •  CVE-2017-0403 •  Ever affected all devices shipped with 3.10 or earlier Linux kernel •  More than 14 million users of KingRoot gain root privilege on their smart phones •  CVE-2016-6787 •  Ever affected all Qualcomm-based devices. (Only Qucalcomm enabled hardware perf event…) •  A part of my exploit chain to bypass Samsung KNOX 2.6
  • 14.
    sys_perf_event_open() •  Will createa perf_event •  Input: perf_event_attr •  A description of what kind of performance event you need •  Input: group_fd (optional) •  Specify the group leader of new perf_event •  Return the fd of perf_event to user space
  • 15.
    Key kernel objectsin perf system •  perf_event •  A performance event which is registered by user •  perf_event_context •  The container of all perf events created in one process •  Each process has two contexts, one for software events, other one for hardware events •  Perf group and group leader •  Multiple events can form a group •  One event is the leader perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
  • 16.
    move_group •  Happens whenuser try to create a hardware event in pure software group
  • 17.
    CVE-2016-6787 Remove the group_leaderfrom origin software context and then install it to hardware context Remove every event from software context, and then install it to new hardware context ’move_group‘ leads to reducing context’s refcont by one
  • 18.
    CVE-2016-6787 •  move_group ignoredthe concurrency issues •  UAF happens due to race condition •  Attacker trigger the move_group on same group leader simultaneously, •  The ref count of group_leader->ctx may be reduced to zero •  task_struct->perf_event_ctxp[perf_sw_context] will be freed accidently The object is freed
  • 19.
    Free perf_event_context (PoC) Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main threadSub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) ctx->refcount = 1 ctx->refcount = 2 ctx->refcount = 0
  • 20.
    Kernel crashed instantly • Kernel crashed soon after we freed the perf_event_context •  Thread scheduler need to reference this object consecutively •  We don‘t have plenty of time to refill the object L
  • 21.
    Solution: freeze threadafter free •  Keep thread scheduler away from me •  Switch the status of attacker’s thread from running to (un)interruptible •  The thread will be frozen and kernel won’t crash as soon as perf_event_context freed
  • 22.
    How to freezea thread from user land? •  Sleep() ? Not working •  Use futex_wait_queue_me() switch to interrupAble freezable_schedule()
  • 23.
  • 24.
    A brief summaryof CVE-2016-6787 •  Easy to win the race, and trigger the bug •  Hard to refill the freed object (no time) •  Easy to control the code flow (corrupted object has function pointer) •  Proposed an approach of thread freezing to gain more time to refill object
  • 25.
    Review: relationship ofperf event, group and group leader •  Group leader has a sibling_list •  sibling_list is a list of perf events which belongs this group perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
  • 26.
    CVE-2017-0403 (PoC) •  Createa perf event as ‘A’ •  Create another perf event as ‘B’, specify ‘A’ as its group leader •  Free ‘A’,the group leader •  Free ‘B’, a sibling of group ß---- UAF happens here
  • 27.
    Root cause •  Nowgroup leader ‘A’ is freed •  Kernel doesn’t empty its sibling list •  Leads to leaving a dangling pointer in sibling’s event->group_entry
  • 28.
    Root cause •  Lateron the sibling ‘B’ is freed •  list_del_event() •  list_del_init(&event->group_entry); •  overwrite a pointer to the freed group leader.
  • 29.
    •  Slub poinsoninfomation •  0xfffffc00fc2b1a0 is overwritten to (group_leader+ 0x20)
  • 30.
    The unconventional scenario • The only thing I can do is overwritting the freed object as following *(size_t*)(freed_object + 0x20) = (freed_object + 0x20)
  • 31.
    Pipe subsystem inLinux •  readv() & writev(): read/write multiple buffers through pipe •  Use an array of struct iovec{iov_base,iov_len} to describe user buffers •  When no contents available from the write end, readv() may block in kernel •  Then an array of struct iovec{} may stay in kernel’s heap
  • 32.
    Compromise pipe system • Call readv() •  rw_copy_check_uvector() confirm every iov_base must points to userland space. •  An array of struct iovec{} now is in heap. Nothing comes from the write end of pipe, so readv() block. •  If you can somehow overwrite the iovec{}, modify the iov_base to a kernel address. Emmm… iov_base iov_len iov_base iov_len iov_base iov_len ….. kernel_addr iov_len kernel_addr iov_len kernel_addr iov_len
  • 33.
    Compromise pipe system • Now write something to another end of pipe •  pipe_iov_copy_to_user() won’t check the iov_base again. •  Buffers you wrote to pipe will be copied to the kernel address
  • 34.
    ········ Trigger UAF, writetwo 8-bytes value“A+0x20”to address = A+0x20 ↓ the 1st freed object, address is A Solution: convert UAF to arbitrary R/W ↓the 2nd freed object, address is B = A + 0x400 Use iovec to spray the heap Freed Data Freed Data Freed Freed Data Freed Data ········· base len base len base base len base len ··················· base len A + 0x20 A+0x20 base ·········· base len base len Write a buffer to pipe ,the buffer will be copied to (A + 0x20) ········· base len KADDR 8 KADDR ·········· KADDR 8 KADDR 8 ········· Write a buffer to pipe again,it will be copied to KADDR KADDR can be any address value, we achieved arbitrary kernel memory overwriting 1 2 3 4 5
  • 35.
    A brief summaryof CVE-2017-0403 •  Attacker lost the file descriptor of freed object •  Cannot achieve code execution via refilling object’s function pointer •  Only be able to write the address value of freed object twice to freed object •  Proposed a new approach: compromising pipe system
  • 36.
    Conclusion •  Most UAFbugs looks not exploitable, but there may be another way •  No idea? Put it down for a while, but do not let it go… •  Be familiar with kernel’s source code, kernel’s own feature may help your exploitation (e.g. pipe for CVE-2017-0403)