SlideShare a Scribd company logo

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

N
NoSuchCon

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

Technology
1 of 52
Download to read offline
Attack on the Core! @zer0mem
#whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
Part 1 -> KernelIo tech
Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
Read & Write boosting [windows]
 KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf Read & Write boosting [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
 PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo http://vulnfactory.org/research/stackjacking-infiltrate11.pdf Read & Write boosting [linux / droids]
Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
Part 2 -> cases
Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO - SMAP 5. but sometimes PXN
Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/ http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf
Part 3 -> design features (flaws)
Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
Part 4 -> state of exploitation
before win8.1 POOL HARDENING SMEP SMAP PLAIN PTRS “KASLR” NtQuerySysInfo even kids … … do pwn
Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented Strong complex access control policy Well randomized kernel space Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
Rebirth to K E R N E L Developing begins
CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
Kernel monitoring [IoCompletion] ▪ IoCompletion – MonitorALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
come on … why shellcoding or pure c ? C++
Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
1. 2. 3. 4. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); Fix Rellocations resolve kernel part of Import table Ready for exec with CPL0! CPLTeleport KERNEL as exploitation VECTOR
Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm
C++ ‘shellcoding’ framework https://github.com/k33nteam/cc-shellcoding releasing very soon @K33nTeam
materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture- client/KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
jfang liac wushi nforest NTarakanov j00ru aionescu Acknowledge Thanks to : cesarcer dan rosenberg rafal wojtczuk krzywix maxim
We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS,WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
Q & A Thank You. follow us @K33nTeam peter (at) keencloudtech.com

Recommended

Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 

Recommended

Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...CODE BLUE
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP ShellsVedran Krivokuca
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaCODE BLUE
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Using Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled WorldUsing Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled WorldFrank Hunleth
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 

More Related Content

What's hot

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...CODE BLUE
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attackjaredhaight
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaCODE BLUE
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Using Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled WorldUsing Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled WorldFrank Hunleth
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 

What's hot (20)

You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew Suarez
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru OtsukaTake a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Using Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled WorldUsing Erlang in an Embedded and Cross-Compiled World
Using Erlang in an Embedded and Cross-Compiled World
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 

Similar to NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux EnvironmentEnrico Scapin
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned RightScale
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitDimitry Snezhkov
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetesTed Jung
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersThree Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersBen Hall
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn ContainerDay Security 2023
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 

Similar to NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core (20)

Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Exploiting Llinux Environment
Exploiting Llinux EnvironmentExploiting Llinux Environment
Exploiting Llinux Environment
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
MattsonTutorialSC14.pdf
MattsonTutorialSC14.pdfMattsonTutorialSC14.pdf
MattsonTutorialSC14.pdf
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Audit
AuditAudit
Audit
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetes
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside ContainersThree Years of Lessons Running Potentially Malicious Code Inside Containers
Three Years of Lessons Running Potentially Malicious Code Inside Containers
 
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 

More from NoSuchCon

NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNoSuchCon
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNoSuchCon
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNoSuchCon
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNoSuchCon
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNoSuchCon
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNoSuchCon
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNoSuchCon
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNoSuchCon
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNoSuchCon
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNoSuchCon
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNoSuchCon
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNoSuchCon
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNoSuchCon
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNoSuchCon
 

More from NoSuchCon (16)

NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
NSC #2 - Challenge Introduction
NSC #2 - Challenge IntroductionNSC #2 - Challenge Introduction
NSC #2 - Challenge Introduction
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
 
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic BackdooringNSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
NSC #2 - D3 03 - Jean-Philippe Aumasson - Cryptographic Backdooring
 
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based deviceNSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
 
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB ArmoryNSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory
 
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database AttacksNSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks
 
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine SecurityNSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - MimikatzNSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
 
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections
 
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practiceNSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
NSC #2 - D1 05 - Renaud Lifchitz - Quantum computing in practice
 
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLCNSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
NSC #2 - D1 03 - Sébastien Dudek - HomePlugAV PLC
 
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my QNSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q
 
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineeringNSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering
 

Recently uploaded

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

  • 2. #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
  • 3. outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
  • 4. Part 1 -> KernelIo tech
  • 5. Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
  • 6. Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
  • 7. Read & Write boosting [windows]
  • 8.  KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf Read & Write boosting [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
  • 9. Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
  • 10.  PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo http://vulnfactory.org/research/stackjacking-infiltrate11.pdf Read & Write boosting [linux / droids]
  • 11. Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
  • 12. MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
  • 13. Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
  • 14. KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
  • 15. Part 2 -> cases
  • 16. Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO - SMAP 5. but sometimes PXN
  • 17. Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
  • 18. kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
  • 19. KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
  • 20. KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/ http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf
  • 21. Part 3 -> design features (flaws)
  • 22. Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
  • 23. Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
  • 24. Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
  • 25.
  • 26. Part 4 -> state of exploitation
  • 28. Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
  • 29. Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented Strong complex access control policy Well randomized kernel space Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
  • 30. Rebirth to K E R N E L Developing begins
  • 31. CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
  • 32. Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
  • 33. Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
  • 34. Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
  • 35. Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
  • 36. Kernel monitoring [IoCompletion] ▪ IoCompletion – MonitorALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
  • 37. Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
  • 38. SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
  • 39. come on … why shellcoding or pure c ? C++
  • 40. Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
  • 41. Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
  • 42. Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
  • 43. 1. 2. 3. 4. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); Fix Rellocations resolve kernel part of Import table Ready for exec with CPL0! CPLTeleport KERNEL as exploitation VECTOR
  • 44. Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
  • 45. Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
  • 46. C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm
  • 48. materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture- client/KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
  • 49. jfang liac wushi nforest NTarakanov j00ru aionescu Acknowledge Thanks to : cesarcer dan rosenberg rafal wojtczuk krzywix maxim
  • 50. We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS,WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
  • 51. 2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
  • 52. Q & A Thank You. follow us @K33nTeam peter (at) keencloudtech.com