#1
"New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations"
https://www.bleepingcomputer.com/new...l-mitigations/

This is the first article that I have seen that says maybe I should be running Windows 10. That exploit table is awesome. Except now, there is an awesome new exploit that might pass them all.

Lynn
#2
"New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations"
Lynn McGuire wrote:

> there is an awesome new exploit that might pass them all

Does the exploit only work for instances of Windows running under Hyper-V?
#3
"New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations"
Andy Burns wrote:

> Lynn McGuire wrote:
>
>> there is an awesome new exploit that might pass them all
>
> Does the exploit only work for instances of Windows running under Hyper-V?

Just because the article mentions "virtual" has nothing to do with virtual machines, like Hyper-V, VirtualBox, VMware Player, etc.

https://en.wikipedia.org/wiki/Virtual_memory
https://en.wikipedia.org/wiki/Virtual_address_space

The article says their exploit involved shared code in memory, so it isn't limited to just Windows but any OS that uses paging, like Linux. The hackers only created a POC for Windows. They just haven't bothered testing and providing a POC for Linux, which is also susceptible.

DLLs (dynamic linked libraries) are one way to share code: any program can call the same function (method) within the memory-loaded DLL. Under Linux, they're just called libraries (although DLL is a generic computer term, not just for Windows) and usually have an .so postfix (for Shared Object). SO is part of ELF (Executable and Linking Format). SOs can be versioned, which eliminates the DLL Hell experienced in Windows. A Windows program can statically link (include) a DLL in its code: the program carries along its own copy of the library to load in its memory space, but that means the program is larger from toting around what could otherwise be shared. Other DLL Hell mitigations (only in Windows) are noted at https://en.wikipedia.org/wiki/DLL_Hell#Solutions.

DLL injection is how to get your code into a library before it gets loaded into memory and then reused by multiple processes. Injected code can then hook into system API calls; e.g., reading the contents of encrypted password objects (textboxes that normally don't show the entered content), which cannot be done by simply grabbing the object's value. Once the code gets injected into the DLL, and after the DLL gets loaded into memory, whatever the code changed or added will affect all processes calling the same methods in that loaded DLL.

Letting processes share the same code reduces their memory footprint rather than having every process tote along the same code. Ever notice all the C runtimes that come with Windows? That's to share that code, too, rather than bloat every program. The shared code must get loaded into memory (nothing runs unless in memory; stuff pushed into pages on the disk isn't running until reloaded into memory). Apparently the loaded tables with shared code aren't safeguarded from being rewritten.

Many DLLs are loaded simply by loading Windows; that is, starting Windows will load many DLLs. You can use Nirsoft's LoadedDLLsView to see which DLLs are currently loaded. As I wrote this and then ran LoadedDLLsView, there are 1153 DLLs currently loaded into system RAM. For example, I'm posting here using 40Tude Dialog (dialog.exe), which loaded the 4dmf.dll library. However, I doubt any other process would share Dialog's library, but some programmers keep their functions separate in libraries for easier maintenance of their code. Instead of having to delve into one large code file, they know by function where to find some code they want to change, so they keep those functions in libraries (DLLs) and have their executable load the libs so those functions will be available to the executable. In the list of loaded DLLs, a count shows how many processes have links to one, or more, methods within that loaded DLL. ntdll.dll (for NT kernel functions) has 87 processes currently accessing methods in that OS DLL, including my Usenet client (Dialog).

Perhaps the reason Lynn mentioned "maybe she should be running Windows 10" is that mitigations might have been implemented in Win10 Redstone 3, and up, regarding this corruption of shared memory. The table in the article could be interpreted to identify under which versions of Windows the author's POC will fail ("X" meaning fail).

Since there is no comment remarking on what the table represents, or even a title for the table, I'm not sure what that table is supposed to represent. Do the X's represent mitigations that were added but the POC circumvented them? Are the X's simply to list which mitigations were added in each version of Windows (and not to show which ones were obviated by the POC)? With no information about what the table represents, there's nothing in the article that overtly declares any release of Windows 10 is better protected than earlier versions of Windows regarding the authors' POC.

In the video (https://www.youtube.com/watch?v=QmgbbSPj2j4) at 8:58:20, although it is sometimes hard to discern what the speaker says, I think the speaker said their shared table exploit POC obviates *all* of the mitigations, even those in the latest Windows 10. I don't see the authors claiming Windows 10 Redstone 3+ is protected against their POC.
#4
"New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations"
VanguardLH wrote:

> Andy Burns wrote:
>
>> Lynn McGuire wrote:
>>
>>> there is an awesome new exploit that might pass them all
>>
>> Does the exploit only work for instances of Windows running under Hyper-V?
>
> Just because the article mentions "virtual" has nothing to do with virtual machines, like Hyper-V

Well, they spent a lot of time during their presentation discussing Hyper-V; it semi-implied that the extra level of page tables and sharing had something to do with the exploit. I started to fast forward through it when the "errrmm"s got too much.
#5
"New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations"
Andy Burns wrote:

> VanguardLH wrote:
>
>> Andy Burns wrote:
>>
>>> Lynn McGuire wrote:
>>>
>>>> there is an awesome new exploit that might pass them all
>>>
>>> Does the exploit only work for instances of Windows running under Hyper-V?
>>
>> Just because the article mentions "virtual" has nothing to do with virtual machines, like Hyper-V
>
> Well, they spent a lot of time during their presentation discussing Hyper-V; it semi-implied that the extra level of page tables and sharing had something to do with the exploit. I started to fast forward through it when the "errrmm"s got too much.

I don't know what the speaker's native language is, but I gave up trying to decipher his lack of command of English. If I listened longer, I'd probably get the gist of his English cant to figure out more of what he said. Like you, I found the eh's, ah's, and other interjections just too overwhelming to spend time listening to it all. You hear "pity" as a word when the speaker was trying to say "p", "t", "e" (for the PTE acronym), and "stupidees" for "2 PTEs". Forget about hearing "POSIX" because "x" (ecks) is not something the speaker can pronounce. Possibly the audience was more familiar with the speakers by having spent more time acclimating to the speaker's English pronunciations. I didn't bother trying to find who attended the BSides seminar to know the composition of that audience.

Too many times someone will write something thinking that because they authored the document they will also orate it well. Need to practice those speeches before giving them, no matter what language(s) you speak. You need to know where you are going, to eliminate making repeated corrections via interjections to pause while regaining your bearings. With the speaker always looking at his screen and presenting slides, I suspect all the speaker had for notes were the slides, and he orated on the fly. That is, it didn't seem the speaker had a [practiced] speech to present, using slides only to reinforce points made in a speech.

Could be the timing between their POC and BSides was too close to write up and rehearse a speech, so they just collected a bunch of slides. Both look to have many years in security research, from profiles that I found about them online. I just wish they actually had a prepared speech that they practiced, used the slides to highlight some points in the speech, and published their speech if they had one (or had someone add English subtitles to the video, but with the interjections omitted).

The virtualization (meaning virtual machines) started at about 9:06.52, about 8 minutes after the start of the presentation. I didn't get that far the first time I watched the video. Like you said, the speaker had tons of interjections, which shows the speaker doesn't know where they are heading (because they didn't have an actual speech to practice). I think that gets into how the OS (well, more likely the VMM - virtual machine manager) will protect the pages in memory for the VMs to stay isolated. The speaker kept mentioning PTEs (Page Table Entries), which the OS employs on behalf of the VMM for use by guest OS' virtualized memory.

Since this wasn't a classroom where students could interrupt with questions but rather a presentation where the speaker keeps talking and might take questions at the end, there really should be a speech available online rather than just a bunch of slides that carry little information without the speech to glue them together. Since there was no speech, there isn't a copy available that I could find.

https://cdn2.hubspot.net/hubfs/48790...les_Slides.pdf

That has the slides, which convey some information but not really about how that information can be exploited in practice.

https://blog.ensilo.com/bypassing-kernel-mitigations

That's a recap (probably written afterward) that omits the details of the BSides presentation.
#6
"New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations"
VanguardLH wrote:

> Don't know what is the speaker's native language

From the presentation, I would have guessed Russian, but from the company details, more likely Hebrew?

> Need to practice those speeches

Yes, running through it with an audience of colleagues, who can be very critical, would have helped the structure, and then practising a script several times. They have assumed the audience doesn't know how shared virtual memory works with protection flags such as RO and COW etc., so spent a lot of time on that, but glossed over how the exploit manages to manipulate the protection to allow 'A' to write to their copy of the page such that 'B' will run the code.
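As an added illustration of the RO/COW page sharing Andy describes in #6 and the shared library code VanguardLH describes in #3 (example code written for this thread, not from any poster or from the researchers): a POSIX C program, assuming Linux with fork and mmap, maps one page of a throwaway file the way a loader maps library code and shows that with a private (copy-on-write) mapping a write by one process never reaches the other, while with a shared mapping it does. The temp file path and the byte values are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Map one page of a throwaway temp file (a stand-in for a shared
 * library's code page), fork, let the child overwrite byte 0 of its
 * mapping, then report whether the parent's view changed.
 * flags: MAP_PRIVATE (copy-on-write, as for library code) or MAP_SHARED.
 * Returns 1 if the child's write is visible to the parent, 0 if not,
 * -1 on a setup failure. */
static int child_write_visible_to_parent(int flags) {
    char path[] = "/tmp/cow_demo_XXXXXX";   /* constructed temp file */
    long pg = sysconf(_SC_PAGESIZE);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                            /* keep only the descriptor */
    if (ftruncate(fd, pg) != 0 || pwrite(fd, "A", 1, 0) != 1) {
        close(fd);
        return -1;
    }
    char *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, flags, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { munmap(p, (size_t)pg); close(fd); return -1; }
    if (pid == 0) {
        p[0] = 'B';        /* process 'A' of the thread writes to its copy */
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);
    int visible = (p[0] == 'B');   /* does process 'B' see the change? */
    munmap(p, (size_t)pg);
    close(fd);
    return visible;
}

/* With MAP_PRIVATE the kernel gives the writer its own copy on the
 * first write: the other process keeps the pristine page. */
int cow_isolates_private_mapping(void) {
    return child_write_visible_to_parent(MAP_PRIVATE) == 0;
}

/* With MAP_SHARED there is no copy: the write lands in the one page
 * every mapper sees, the outcome the thread says the technique reaches
 * by manipulating the protection rather than the mapping flags. */
int shared_mapping_is_visible(void) {
    return child_write_visible_to_parent(MAP_SHARED) == 1;
}
```

Both functions return 1 on a normal Linux system; a private mapping is what a loader uses for library code, which is why an ordinary write in one process never shows up in another's copy of the DLL.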