OpenBSD Remote Exploit

Transcription

1 OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007

2 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability was found: The m dup1() function causes an overflow on the mbuf structure, used by the kernel to store network packets. Copy direction mbuf1 mbuf2 mbuf3 mbuf4 End of overflow Figure: mbuf chain overflow direction The function m freem() crashed...

3 Searching for a way to gain code execution

4 Searching for a way to gain code execution

5 C code equivalent / s y s /mbuf. h #d e f i n e MEXTREMOVE(m) do { \ i f (MCLISREFERENCED(m) ) { \ MCLDEREFERENCE(m) ; \ } e l s e i f ( (m) >m f l a g s & M CLUSTER) { \ pool put (&mclpool, (m) >m ext. ext buf ) ; \ } e l s e i f ( (m) >m ext. e x t f r e e ) { \ ( ( (m) >m ext. e x t f r e e ) ) ( (m) >m ext. e x t b u f, \ (m) >m ext. e x t s i z e, (m) >m ext. e x t a r g ) ; \ } e l s e { \ f r e e ( (m) >m ext. e x t b u f, (m) >m ext. e x t t y p e ) ; \ } \ (m) >m flags &= (M CLUSTER M EXT ) ; \ (m) >m ext. e x t s i z e = 0 ; / why??? / \ } w h i l e ( / CONSTCOND / 0)

6 IcmpV6 packets Attack vector We use two IcmpV6 packets as the attack vector Mbuf chain Fragment 1 IPv6 Header Hop by Hop Header Fragmentation Header Fragment 2 IPv6 Header Fragmentation Header Icmpv6 Icmpv6 Header Trampoline Header mbuf 1 Header ShellCode SyscallHook Payload mbuf 2 Header mbuf 3 Figure: Detail of IcmpV6 fragments

7 Where are we? Code execution We really don t know where in kernel-land we are. But ESI is pointing to our code. Initial situation Final situation Kernel User process Ring 0???? Ring 3 Hooked syscall ESI?? ShellCode ShellCode iret Int 0x80????? Ring 0 Kernel Where we are? Figure: Initial and final situations

8 Now what? Hook (remember DOS TSRs?) We hook the system call (Int 0x80) Normal System Call User process Hooked System Call User process Ring 3 INT 0x80 Normal syscall INT 0x80 Hooked syscall return return Ring 0 Kernel Kernel Hook Figure: System call hook Note: If the OS uses SYSENTER for system calls, the operation is slightly different.

9 New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions)

10 New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process)

11 New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc >userid)

12 New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc >userid) 4. If userid == 0 : 4.1 Get LDT position 4.2 Extend DS and CS on the LDT (This disables WˆX!) 4.3 Copy the user-mode code to the the stack of the process 4.4 Modify return address for the syscall to point to our code

13 New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc >userid) 4. If userid == 0 : 4.1 Get LDT position 4.2 Extend DS and CS on the LDT (This disables WˆX!) 4.3 Copy the user-mode code to the the stack of the process 4.4 Modify return address for the syscall to point to our code 5. Restore the original Int 0x80 vector (remove the hook)

14 New syscall pseudo-code 1. Adjust segment selectors DS and ES (to use movsd instructions) 2. Get curproc variable (current process) 3. Get user Id (curproc >userid) 4. If userid == 0 : 4.1 Get LDT position 4.2 Extend DS and CS on the LDT (This disables WˆX!) 4.3 Copy the user-mode code to the the stack of the process 4.4 Modify return address for the syscall to point to our code 5. Restore the original Int 0x80 vector (remove the hook) 6. Continue with the original syscall

15 OpenBSD WˆX internals WˆX: Writable memory is never executable i386: uses CS selector to limit the execution. To disable WˆX, we extend CS from ring0. 0x GB 0xffffffff.text.so.so heap stack 512 MB User Code Segment (CS) Extension User Data Segment (DS) stack Extension Figure: OpenBSD selector scheme and extension

16 Defeating WˆX from ring0 Our algorithm, independent of the Kernel: s l d t ax ; S t o r e LDT i n d e x on EAX sub esp, byte 0 x7f sgdt [ esp +4] ; S t o r e g l o b a l d e s c r i p t o r t a b l e mov ebx, [ esp +6] add esp, byte 0 x7f push eax ; Save l o c a l d e s c r i p t o r t a b l e i n d e x mov edx, [ ebx+eax ] mov ecx, [ ebx+eax+0x4 ] s h r edx, 1 6 ; b a s e l o w >edx mov eax, ecx s h l eax, 2 4 ; b a s e m i d d l e > edx s h r eax, 8 or edx, eax mov eax, ecx ; b a s e h i g h > edx and eax, 0 xff or edx, eax mov ebx, edx ; l d t > ebx ; Extend CS s e l e c t o r or dword [ ebx+0x1c ], 0 x000f0000 ; Extend DS s e l e c t o r or dword [ ebx+0x24 ], 0 x000f0000

17 Injected code WˆX will be restored on the next context switch, so we have two choices to do safe execution from user-mode: Turning off W^X (from usermode) Creating a W+X section From kernel... User Stack From kernel... User Stack Ring 3 1. mprotect() 2.fork() 3.Standard user mode code mprotect() extends CS permanently Ring 3 1. fork() 2.mmap() 3.copy 4.jmp to mmaped 5. Standard user mode code Figure: Payload injection options

18 Questions before going on? Now we are executing standard user-mode code, and the system has been compromised.

19 Proposed protection Limit the Kernel CS selector The same strategy than on user-space. Used on PaX ( for Linux. 0x GB 0xffffffff 0xD xD kernel mbuf chains, etc Kernel Code Segment (CS) CS shrink Kernel Data Segment (DS) Figure: OpenBSD Kernel CS selector shrink

20 A third remote vulnerability? IPv6 Routing Headers Uninitialized variable on the processing of IPv6 headers. 1. DoS or Code Execution (depending who you ask!) 2. Present on CVS from January to March of 2007 (very few systems affected)

21 Conclusions In this article we presented: 1. Generic kernel execution code and strategy 2. Possible security improvement of the kernel

22 Conclusions In this article we presented: 1. Generic kernel execution code and strategy 2. Possible security improvement of the kernel 3. A third bug - No software is perfect

23 Final Questions? Thanks to: Gerardo Richarte: Exploit Architecture Mario Vilas and Nico Economou: Coding support