Friday, July 6, 2007

Kernel Wars in Vegas!

Kernel Wars is back, this time at BlackHat USA and DefCon in Las Vegas. Looking forward to seeing you there!

The GDI bug and the FreeBSD 802.11 vulnerability that was discussed in the original BlackHat Europe presentation in Amsterdam will be included this time too. The NetBSD bug have been replaced with... A new NetBSD 0-day. :>

We have also brought a new co-speaker this time, Claes Nyberg. Claes is also the developer of our in-house fuzzer Itchy, that our main bug hunter Christer Öberg is constantly discovering new vulnerabilities with. :) Claes will talk about his exploit for the OpenBSD ICMPv6 bug, found by Alfredo Ortega from CORE SDI.

Speaking of which, I've noticed that Alfredo will do an entire BlackHat-talk about his own exploit/payload for the bug in question. Will be interesting to see.. :) Bitsec vs CORE, let the best payload win! ;)

For DefCon we have included yet another one of Christer's 0-days, and might throw in another one still. There is almost a whole month until Vegas after all.. ;)

Best Regards,
Joel Eriksson
CTO Bitsec

Monday, January 29, 2007

Kernel Wars in Amsterdam!

This post is about our talk at BlackHat Europe 2007 in Amsterdam.

Kernel vulnerabilities are often deemed unexploitable or at least unlikely
to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question.

During our talk we intend to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities without public exploits. From a defenders point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited.

The vulnerabilities that will be discussed are:

- FreeBSD 802.11 Management Frame Integer Overflow (Patched)
Found and exploited by Karl Janmar. Advisory

- NetBSD Local Kernel Heap Overflow (Unpatched, 0-day)
Found by Christer Öberg, exploited by Christer and Joel Eriksson.

- Windows (2000 & XP) Local GDI Memory Overwrite (Unpatched)
Found by Cesar Cerrudo, exploited by Joel Eriksson. Advisory

Unlike most of the 802.11-related bugs that have been found lately the FreeBSD 802.11 vulnerability did not only affect a particular driver, but the 802.11 subsystem itself. Besides being discovered quite a while before the other WLAN-related bugs (summer 2005) it uses a pretty interesting payload, which injects a pure kernel-mode backdoor that communicates through spoofed management frames. The full exploit will be released after the talk.

The GDI bug for Windows 2000 and XP that results in a local privilege escalation when successfully exploited was found by Cesar Cerrudo from Argeniss and reported to Microsoft as early as 2004-10-22. It was made public during MoKB (Month of Kernel Bugs) on 2006-11-06, more than two years later.

Amazingly it has still not been patched, perhaps due to Microsoft not taking the threat seriously until they've seen that it can be exploited reliably in practice. Reliable exploitation for Windows 2000 and XP with any and all servicepacks and patches applied will be demonstrated during the talk.

Since we intend to release the NetBSD bug during the talk we will not disclose any details yet, but.. The particularly interesting thing about this bug is that it has been around for almost two decades. It was present in both OpenBSD and FreeBSD until they got rid of the code in question altogether and it most likely still exists in some of the other commercial Unix-systems derived from BSD.

( Joel Eriksson | Karl Janmar | Christer Öberg @ Bitsec )

Picture of the 802.11 exploit GUI:

Picture of the NetBSD exploit:

Picture of the GDI exploit: