This post is about our talk at BlackHat Europe 2007 in Amsterdam.
Kernel vulnerabilities are often deemed unexploitable, or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question.
During our talk we intend to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities for which no public exploits exist. From a defender's point of view this will hopefully serve as an eye-opener, since it demonstrates that HIDS, NX, ASLR and similar protective measures are ineffective once the kernel itself is being exploited: they all rely on the kernel being trustworthy.
The vulnerabilities that will be discussed are:
- FreeBSD 802.11 Management Frame Integer Overflow (patched)
  Found and exploited by Karl Janmar. Advisory
- NetBSD Local Kernel Heap Overflow (unpatched, 0-day)
  Found by Christer Öberg, exploited by Christer and Joel Eriksson.
- Windows (2000 & XP) Local GDI Memory Overwrite (unpatched)
  Found by Cesar Cerrudo, exploited by Joel Eriksson. Advisory
Unlike most of the 802.11-related bugs that have been found lately, the FreeBSD 802.11 vulnerability did not affect a particular driver only, but the 802.11 subsystem itself. Besides being discovered quite a while before the other WLAN-related bugs (summer 2005), it uses a pretty interesting payload: it injects a pure kernel-mode backdoor that communicates through spoofed management frames, so no user-mode process or socket ever shows up. The full exploit will be released after the talk.
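To make the bug class concrete, here is an added, constructed example of an integer overflow in 802.11 management-frame parsing; it is not the FreeBSD code and not the vulnerability from the talk. Management-frame bodies carry information elements (IEs) encoded as TLVs with a one-byte id and a one-byte length, so a writer may be tempted to sum the lengths in a byte-wide counter. The vulnerable walk below does exactly that, the hardened one accumulates in size_t and bounds the total; the frame with two 200-byte vendor-specific IEs (id 221) is constructed inline. All function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the bug class, not FreeBSD's net80211 code.
 * An 802.11 IE is: [id:1][len:1][body:len], len in 0..255. */
#define IE_HDR 2

/* Vulnerable pattern: per-IE length fits in a byte, so the total is kept in
 * a byte too.  Two IEs of 200 bytes sum to 400, which wraps to 144; a buffer
 * sized from this value is then too small for the copy that follows. */
static size_t ie_total_vuln(const uint8_t *frm, size_t frmlen)
{
    uint8_t total = 0;                  /* narrow accumulator: wraps mod 256 */
    size_t off = 0;
    while (off + IE_HDR <= frmlen) {
        uint8_t len = frm[off + 1];
        if (off + IE_HDR + len > frmlen)
            break;                      /* truncated trailing IE: stop */
        total += len;                   /* silent wraparound happens here */
        off += IE_HDR + len;
    }
    return total;
}

/* Bytes an IE copy loop would actually write, computed without the wrap.
 * Comparing this against ie_total_vuln() shows the undersized allocation. */
static size_t ie_copy_bytes(const uint8_t *frm, size_t frmlen)
{
    size_t total = 0, off = 0;
    while (off + IE_HDR <= frmlen) {
        size_t len = frm[off + 1];
        if (off + IE_HDR + len > frmlen)
            break;
        total += len;
        off += IE_HDR + len;
    }
    return total;
}

/* Hardened form: wide accumulator, explicit upper bound the destination can
 * hold (checked as len > maxtotal - total so the check itself cannot wrap),
 * and a truncated IE is rejected instead of silently ignored. */
static int ie_total_safe(const uint8_t *frm, size_t frmlen,
                         size_t maxtotal, size_t *out)
{
    size_t total = 0, off = 0;
    while (off + IE_HDR <= frmlen) {
        size_t len = frm[off + 1];
        if (off + IE_HDR + len > frmlen)
            return -1;                  /* truncated IE */
        if (len > maxtotal - total)
            return -1;                  /* total would exceed the bound */
        total += len;
        off += IE_HDR + len;
    }
    *out = total;
    return 0;
}

/* Constructed frame body: two 200-byte vendor-specific IEs (id 221). */
static size_t build_frame(uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    for (int i = 0; i < 2 && off + IE_HDR + 200 <= buflen; i++) {
        buf[off] = 221;
        buf[off + 1] = 200;
        memset(buf + off + IE_HDR, 0x41, 200);
        off += IE_HDR + 200;
    }
    return off;
}

int main(void)
{
    uint8_t frm[512];
    size_t frmlen = build_frame(frm, sizeof frm);
    size_t vuln = ie_total_vuln(frm, frmlen);
    size_t need = ie_copy_bytes(frm, frmlen);
    size_t safe = 0;
    int rc = ie_total_safe(frm, frmlen, 256, &safe);

    printf("vulnerable size %zu, bytes copied %zu: %s\n", vuln, need,
           vuln < need ? "heap overflow" : "ok");
    printf("hardened (bound 256): %s\n", rc ? "frame rejected" : "accepted");
    return 0;
}
```

The copy itself is deliberately not performed here; the point is the mismatch between the size the allocation is derived from and the number of bytes the subsequent walk writes, which is exactly what a kernel heap overflow of this kind consists of.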
The GDI bug for Windows 2000 and XP, which results in a local privilege escalation when successfully exploited, was found by Cesar Cerrudo from Argeniss and reported to Microsoft as early as 2004-10-22. It was made public during MoKB (Month of Kernel Bugs) on 2006-11-06, more than two years later.
Amazingly, it has still not been patched, perhaps because Microsoft will not take the threat seriously until they've seen that it can be exploited reliably in practice. Reliable exploitation on Windows 2000 and XP with any and all service packs and patches applied will be demonstrated during the talk.
Since we intend to release the NetBSD bug during the talk we will not disclose any details yet, but the particularly interesting thing about this bug is that it has been around for almost two decades. It was present in both OpenBSD and FreeBSD until they got rid of the code in question altogether, and it most likely still exists in some of the other commercial Unix systems derived from BSD.
( Joel Eriksson | Karl Janmar | Christer Öberg @ Bitsec )
Picture of the 802.11 exploit GUI:
Picture of the NetBSD exploit:
Picture of the GDI exploit: