MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC Tencent s XuanwuLab

Transcription

1 MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE HC Tencent s XuanwuLab

2 whoami Security Used to doing Chemistry; Interested in: Console Hacking; Embedded Device Security; Firmware Reverse and Emulation; Unpacking and Un-virtualizing; Geek Stuff: RFID lock-picking Device hacking;

3 Agenda Attack On USB and Drivers Creating Hardwares The Massive Fuzzing Results and Demo

4 Attack On USB and Drivers

5 Features Universal Serial Bus; Data Transfer; Multi Device Class; Quick Charge; Determined by VID and PID Research vusbf; BadUSB; USB MITM Fuzzing; PS3 USB JailBreak; Nintendo Switch JailBreak;

6

7 The idea Device Specific Driver Plug to Code execution Usbstor.sys usbport.sys usbhid.sys Software USB*hci.sys USBHUB.sys Enumeration Hardware

8 The attacking scenairo Unpack Cab File; Verify Binary Signature; Install Driver into DriverStore; Load Driver into Kernel Space; Call Entry Point of Driver; Initial PNP irp and call PNP IRP handler in target driver

9 The Goal Find Bugs in auto installed device drivers; Enumeration; Entry point Code in target driver; IRP handler in target driver; Other related code potion in target driver; IO Control Code Fuzzing; Achieve Plug2Pwn attack; Trigger and exploit driver bugs in a crafted USB device; Gain Kernel Code Execution directly;

10 Get the targets Where and How? Drivers Stored on Windows update server; Search while a foreign USB device insert; VID and PID are submitted to server; Protocol is documented (WSUS); Create a fake client with Python and tiny bit reverse-engineering; Enumeration each combination of VID and PID; How many? win7x 64 win10x 64 win7x8 6 win10x86 RAW After updateid After URI Total 3978

11 Trick VID and PID are WORD, max to 65535; 65536*65536= ; Get VIDs first VID:65536->903 (1.3%)

12 Creating Hardwares

13 Hardware Need hardware to trigger the driver-loading; Prepare devices for thousands of drivers is impossible and costly; No way to make fuzzing automatically with real hardwares; Firmware

14 Emulation USB Redirection Protocol: Redirect physical USB device into virtual machine; QEMU s feature; While enabled, a socket is exposed to host from guest machine; Connect the socket normally, send the protocol packets, then a USB device shows in guest machine;

15 Emulation Firmware Based on vusbf s work, thank you Sergej Schumilo vusbf s way: Use scapy to construct USB protocol in Python; Parse real USB device descriptor file; My work: Pack the emulation code into a thread function; Use a common COM device as a base descriptor; Apply new VID and PID on each thread running; Extend code for other device classes; Add Microsoft specific descriptor support; Bulk transfer monitor and fuzzing;

16 Working for 90% drivers; Emulation result

17 Let s Fuzzing

18

19 VM Management Initial Alive Restart EnvOK Plugin VMCrash DrvInstalled DrvRdy BSOD VMStuck VMSnap Fuzzing Stage1 Stage2 Stage3 End

20 Stage 1 Prepare environment for fuzzing; Pre-install target driver into Virtual Machine; Take Snapshot to speed up fuzzing; Task to achieve: Execute program inside VM; Collect as much as possible information for target drivers;

21 Execute program inside VM QGA(Qemu Guest Agent),much like VMTools, but customizable; Run as service on Windows, expose Virtual COM device inside VM; Exposed as regular socket outside VM; Feature: Probe VM status; Read/Write File; Execute Program; Etc.

22 Driver Installation System Pre-install drivers into OS before fuzzing; Dynamically parse CAB file depends on results of installation for each INF file; Information obtained: List of valid INF file; INF dynamic behavior while installation; The actual copied/ installed sys file;

23 Stage 2 Restore VM from Snapshot; Get Virtual USB device ready; Make sure target driver is running; Task to achieve: Launch Virtual USB Device; Monitor Device Status to see if target driver is running;

24 Launch Virutal USB Device Running Virtual Device in a standalone thread; Accept VID and PID as arguments; Connect to the USB redir socket to indicate a USB device inserted; Once inserted, Waiting for packets from guest VM;

25 Device Status Monitor Device is accessible only when driver is properly installed and run; When driver is installed successfully, status code is 0; if (IsFound){ cr = CM_Get_DevNode_Status(&Status, &Problem, DeviceInfoData.DevInst, 0); printf("device status : 0x%x\n",Status); if(status & DN_HAS_PROBLEM) { } printf("\terror code : %d\n", Problem); count++; IsFound=FALSE; } }

26 Stage 3 The IO Control Code Fuzzing Stage; Other Code potion fuzzing occur when virtual USB device inserted in stage2; Task to achieve: Start IO Control Code Fuzzing; Monitor fuzzing and VM status: both VM and VM process; Collect Crashdump and fuzzing testcase;

27 IO Control Code Fuzzing Design a fuzzer running inside VM; Enumerate IoCtl Codes, and do random fuzzing; Record buffer Out data when fuzzing for further analysis; for aa in validinterfaces: print "[*]Try to fuzz interface: %s"%aa['interface'] #if CurrentIoCTL in aa['validcode']: ret=fuzzerdll.fuzzworker("\\\\.\\"+aa['interface'],currentioctl,seed,max_le N_TESTCASE,NUM_OF_EACH_ITERATION) if ret!=0: dict={} dict['errorcode']=ret dict['seed']=seed dict['interface']=aa['interface'] dict['ioctlcode']=currentioctl xml['uifrecord']['errorlog'].append(dict) #print "Error Found while fuzzing, code: %d"%ret CurrentIoCTL=int(xml['UIFRecord']['CurrentIoCTL']["@code"],16) CurrentTestedCase=int(xml['UIFRecord']['CurrentTestedCase']["@num"]) TotalIoCTL=int(xml['UIFRecord']['TotalIoCTL']["@num"])

28 Monitor fuzzing Monitor IO Control Code fuzzing progress; Read, parse progress file and record the current progress; Monitor VM alive status; Monitor VM process alive status;

29 Collection Copy Crashdump and Testcase out of VM; Save crash evidence, and record in database; Restore VM back to snapshot; Re-apply progress file to VM and continue fuzzing;

30 Results and Demo

31 Demo1

32 Getting Results To get a reasonable result, you have to: Reproduce the bug; Scalable Crashdump automatically analysis; Binary level auto-analysis on target drivers;

33 Bug verification Launch two VMs, one for debugger, the other for debugee; Redirect guest virtual serial COM to host tcp/ip port; One-click Windows kernel debugging on Linux Host; Really Slowwwww!!!!!!!!!

34 CrashDump Auto-analysis Hundreds of CrashDump to be analyzed Lots of duplication and time consuming ; python+pykd make life easier; Parse Crashdump and output basic information;

35 Driver Auto-Analysis Tons of drivers need to be analyzed; Time consumingbefore and tedious; IDA plugin is made to make life easier; After

36 Example

37 Result

38 Bonus-Exploit Demo

39 Summary We propose a novel attack surface of Windows; We established a fuzzing system to fuzz USB device driver; 3 rd party driver developer differs in code quality; Low quality of device drive may harm to Microsoft ecology; Virtual device make driver fuzzing possible, extensible, reliable and efficient;

40 My leader: tkyu; Acknowledgement WenqunWang for writing exploit

41 THANKS FOR ATTENTION