Windows XP SP3 Registry Handling Buffer Overflow



Similar documents
CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Firefox, Opera, Safari for Windows BMP file handling information leak. September Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs

Hotpatching and the Rise of Third-Party Patches

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Bypassing Memory Protections: The Future of Exploitation

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

esrever gnireenigne tfosorcim seiranib

Bypassing Windows Hardware-enforced Data Execution Prevention

Reverse Engineering and Computer Security

ERNW Newsletter 51 / September 2015

Fighting malware on your own

Introduction. Figure 1 Schema of DarunGrim2

Defense in Depth: Protecting Against Zero-Day Attacks

The Advantages of Block-Based Protocol Analysis for Security Testing

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

WLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Systems Design & Programming Data Movement Instructions. Intel Assembly

Software Vulnerabilities

Using fuzzing to detect security vulnerabilities

Computer Organization and Assembly Language

The Leader in Cloud Security SECURITY ADVISORY

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Kernel Pool Exploitation on Windows 7

Return-oriented programming without returns

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Software Fingerprinting for Automated Malicious Code Analysis

Bypassing Browser Memory Protections in Windows Vista

Title: Bugger The Debugger - Pre Interaction Debugger Code Execution

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux (Windows 3.5) On A Pc

Off-by-One exploitation tutorial

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

Persist It Using and Abusing Microsoft s Fix It Patches

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Violating Database - Enforced Security Mechanisms

This document describes the methodology used for validating the model, analysis, comments and test results from the model s application.

Hi and welcome to the Microsoft Virtual Academy and

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Introduction to Reverse Engineering

The Security Development Lifecycle

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

FRONT FLYLEAF PAGE. This page has been intentionally left blank

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk Rahul Kashyap

Custom Penetration Testing

Choosing a Computer for Running SLX, P3D, and P5

Computer Organization and Architecture

HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011

Linux Kernel. Security Report

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Quick Install Guide - Safe AutoLogon For First-time Users - Installing and Running the Software. Published: February 2013 Software version: 5.

Sandbox Roulette: Are you ready for the gamble?

Skeletons in Microsoft s Closet - Silently Fixed Vulnerabilities. Andre Protas Steve Manzuik

Faking Extended Validation SSL Certificates in Internet Explorer 7

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Virtual machines and operating systems

VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation

Pushing the Limits of Windows: Physical Memory Mark Russinovich (From Mark Russinovich Blog)

winhex Disk Editor, RAM Editor PRESENTED BY: OMAR ZYADAT and LOAI HATTAR

What Happens In Windows 7 Stays In Windows 7

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Parallels Transporter Agent

Coverity White Paper. Reduce Your Costs: Eliminate Critical Security Vulnerabilities with Development Testing

AdminToys Suite. Installation & Setup Guide

Nessus scanning on Windows Domain

Attacking x86 Windows Binaries by Jump Oriented Programming

EMC RepliStor for Microsoft Windows ERROR MESSAGE AND CODE GUIDE P/N REV A02

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Windows Operating Systems. Basic Security

Stack Overflows. Mitchell Adair

Desktop and Professional Editions

Intel 845G/GL Chipset Dynamic Video Memory Technology

FAT32 vs. NTFS Jason Capriotti CS384, Section 1 Winter Dr. Barnicki January 28, 2000

Securing software by enforcing data-flow integrity

Installation and Deployment

Microsoft Security Bulletin MS Important

COM Port Stress Test

CORE SECURITY. Exploiting Adobe Flash Player in the era of Control Flow Guard. Francisco Falcon Black Hat Europe 2015 November 12-13, 2015

Determining Your Computer Resources

There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research

Verizon Security Scan Powered by McAfee. Installation Guide for Home Users

MWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March Contents

Digital Persona Fingerprint Reader Installation

POACHER TURNED GATEKEEPER: LESSONS LEARNED FROM EIGHT YEARS OF BREAKING HYPERVISORS. Rafal Wojtczuk

Compromise-as-a-Service

SkyRecon Cryptographic Module (SCM)

Buffer Overflows. Security 2011

Exploiting Trustzone on Android

System Center Configuration Manager

SPAMfighter Mail Gateway

PCI-SIG ENGINEERING CHANGE REQUEST

Installing GFI MailEssentials

W4118 Operating Systems. Junfeng Yang

Transcription:

Windows XP SP3 Registry Handling Buffer Overflow by Matthew j00ru Jurczyk and Gynvael Coldwind Hispasec 1. Basic Information Name Windows XP SP3 Registry Handling Buffer Overflow Class Design Error Impact Medium / High Credits Matthew j00ru Jurczyk, Gynvael Coldwind Discovered 2008-12-20 Published 2010-05-29 2. Abstract Microsoft Windows XP is a commonly used desktop operating system, released with Service Pack 3 at the time of writing this paper. The vulnerable system component is heart of Windows NT family the ntoskrnl.exe kernel executable itself. It is responsible for performing nearly all the critical system operations most of the requests come from user-mode applications using the SYSENTER mechanism. System call set describes the functions available for a low-level application programmer if one finds a buffer-overflow vulnerability in a syscall handler, it is very likely that he also will be able to run arbitrary code in the kernel s context (ring 0). The vulnerability covered in this paper relies on the lack of user s input data validation in one of the Windows registry system call functions. The bug itself is present in an internal kernel function related to the symbolic linking mechanism, that provides a possibility to create invisible transition between a fake key (the forwarder) and the real ones. By crafting a properly malformed input as a function parameter, one is able to cause a poolbased overflow, consequently leading to a potential code execution and complete system compromitation. The affected Microsoft Windows versions are all the systems prior to Windows Vista (including Windows XP SP3 with latest patches).

3. Vulnerability details Before I start describing how the vulnerability itself works, I will shortly explain how the internal registry symbolic links work and how they are handled by the Windows kernel. The entire Windows registry consists of a number of mixed.dat files, each containing information about a separate registry tree. The binary format introduced by Microsoft decades ago has not been fully documented by the vendor himself, though many people decided to carry out some research on this topic. The results of their work are really promising most of the format has been successfully reversed and put on downloadable websites. Since the format is being developed all the time as new requirements appear, the meaning of some flags and constant values being used in modern system is not yet known. Each single registry key has its own structure inside the source REGF file. The structure contains every information that the system could possibly need during its work. The most important fields regarding a key record are: Key type bit mask Parent key record Point to sub-key list Pointer to security record Key name This time, only the first field will be explained in detail. Although different sources claim that the, so called Enumeration field is a static value and can be set to only one predefined value, it s actually not true. It turned out that the following values can be mixed together, forcing the system to deal with a malformed key type, giving interesting results: KEY_ROOT: 0x2C KEY_LINK: 0x10 KEY_REGULAR: 0x20 So here is the way we can make one key point to another without even being noticed : Put a link bitmask into the Type field of NK record Create a value named SymbolicLinkValue (this is a fixed name and cannot be changed!), of an internal type REG_LINK (6) inside that key Put the destination path into the newly created value as a normal Unicode string. After these actions are performed, the key should no longer exist as a normal record every reference to a registry path containing a symbolic link is handled by the kernel so that the user-mode programs gets an open HANDLE to where the link points to, not to the forwarding key itself.

Under normal circumstances, the kernel does not use the registry contents during critical operations, but the link translation simply cannot be achieved without accessing the SymbolicLinkValue record. Having some essential knowledge about the registry internals, let s begin with the real vulnerability roots. It would be best for the reader to operate on the Windows Kernel Research v1.0 sources since it shows the nature of the bug in a clear form, but listings from both IDA and WRK will be presented below. The buffer overflow is directly caused by the SymbolicLinkValue handling implementation. Most of the real job is performed by a non-exported function called CmpGetSymbolicLink. The function assumes that since the value is an Unicode string and is not generally used by any 3 rd part applications (though some critical Windows components aim to use it for various purposes), its size is not going to be greater than 0xFFFF (65535d) bytes. The below code snippets should make everything clear: if(!getvaluedata(buffer,&valuelength)) { fail; } Length = (USHORT)ValueLength + sizeof(wchar); PAGE:0049A071 movzx eax, word ptr [edi] PAGE:0049A074 lea esi, [esi+eax+2] Obviously, the highest 16 bits of the value length are ignored by the system parser, which could potentially lead to some kind of corrupted allocation and further code execution Let s take a look at the rest of the function code: NewBuffer = Allocate(Length); if(newbuffer == NULL) { fail; } PAGE:004CA567 loc_4ca567: PAGE:004CA567 push 20204D43h ; Tag PAGE:004CA56C push esi ; NumberOfBytes PAGE:004CA56D push 1 ; PoolType PAGE:004CA56F call _ExAllocatePoolWithTag@12 and further

CopyMemory(NewBuffer, Buffer, (DWORD)ValueLength); PAGE:004CA57C mov ecx, [ebp+var_8] PAGE:004CA57F mov [ebp+destination.length], cx PAGE:004CA583 mov edx, ecx PAGE:004CA585 shr ecx, 2 PAGE:004CA588 mov [ebp+destination.maximumlength], si PAGE:004CA58C mov esi, [ebp+var_c] PAGE:004CA58F mov [ebp+destination.buffer], eax PAGE:004CA592 mov edi, eax PAGE:004CA594 rep movsd PAGE:004CA596 mov ecx, edx PAGE:004CA598 and ecx, 3 PAGE:004CA59B cmp [ebp+source], 0 PAGE:004CA59F rep movsb The case should need no explanation now. A 16-bit wrapped integer is used to allocate some pool memory, and then the other real size of the data is used as RtlCopyMemory function parameter! This typical kind of vulnerability creates a chance to achieve arbitrary code execution inside the ExFreePool kernel function every user present on the system is allowed to create links without any restrictions, thus giving the vulnerability a privilege escalation status. What should be noted is that the amount of bytes we use to overwrite the allocated memory area is not fully controlled by the attacker. To be more precise, it is not possible to say An 8-byte overwrite is needed to gain control over the computer and perform such attack the vulnerability allows to overflow the buffer by any multiplicity of 0x10000. In other words, one can overflow the pool using at least ~65kB of junk data, which actually causes really serious damage to the drivers as well as the kernel module itself. Another exploitation obstacle is an internal, so-called deferred free mechanism. In order to enhance the system performance, a special pending free requests list is kept in the kernel. Every time ExFreePoolWithTag function is called, a new record is being pushed on the list. When its size reaches a boundary value, it is being flushed by handling all the requests at once. Since triggering a pool overflow leads to most of critical kernel/driver data being irreversibly overwritten, there is no way the system could keep running correctly up to a moment when the real chunk deallocation is performed one can either trigger code execution immediately after the overflow itself, either end up having the machine crashed inside some random device driver.

The author s research implies that the deferred free mechanism is active on machines with at least ~512MB of physical memory. A relatively stable exploit has been developed for machines with lower amount of RAM. Unsuccessful or impossible (due to the above restrictions) exploitation process always leads to Denial of Service conditions, crashing the system. 4. Impact The vulnerability allows an attacker to run arbitrary code with the system kernel (highest possible) privileges. It can be achieved using any kind of user account, both locally and remotely. The impact of a single attack, considering the above conditions, is rated as medium/high. 5. Disclaimer Copyright by Hispasec

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information