A computer components & hardware forum. HardwareBanter


"New "Turning Tables" Technique Bypasses All Windows KernelMitigations"
#1
August 22nd 18, 02:49 AM posted to alt.comp.os.windows-10,alt.comp.hardware.pc-homebuilt
Lynn McGuire

"New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations"

https://www.bleepingcomputer.com/new...l-mitigations/

This is the first article that I have seen that says I should perhaps be
running Windows 10. That exploit table is awesome.

Except now, there is an awesome new exploit that might pass them all.

Lynn
#2
August 22nd 18, 08:23 AM posted to alt.comp.os.windows-10,alt.comp.hardware.pc-homebuilt
Andy Burns

Lynn McGuire wrote:

> there is an awesome new exploit that might pass them all

Does the exploit only work for instances of Windows running
under Hyper-V?
#3
August 22nd 18, 05:33 PM posted to alt.comp.os.windows-10,alt.comp.hardware.pc-homebuilt
VanguardLH

Andy Burns wrote:

> Lynn McGuire wrote:
>
> > there is an awesome new exploit that might pass them all
>
> Does the exploit only work for instances of Windows running
> under Hyper-V?

Just because the article mentions "virtual" doesn't mean it has anything
to do with virtual machines, like Hyper-V, VirtualBox, VMware Player, etc.

https://en.wikipedia.org/wiki/Virtual_memory
https://en.wikipedia.org/wiki/Virtual_address_space

The article says their exploit involved shared code in memory, so it
isn't limited to just Windows but any OS that uses paging, like Linux.
The hackers only created a POC for Windows. They just haven't bothered
testing and providing a POC for Linux, which is also susceptible.

DLLs (dynamic linked libraries) are one way to share code: any program
can call the same function (method) within the memory-loaded DLL. Under
Linux, they're just called libraries (although DLL is a generic computer
term, not just for Windows) and usually have an .so postfix (for Shared
Object). SO is part of ELF (Executable and Linking Format). SOs can be
versioned, which eliminated the DLL Hell experienced in Windows. A
Windows program can statically link (include) a DLL in its code: the
program carries along its own copy of the library to load in its memory
space, but that means the program is larger from toting around what could
otherwise be shared. Other DLL Hell mitigations (only in Windows) are
noted at https://en.wikipedia.org/wiki/DLL_Hell#Solutions.

DLL injection is how to get your code into a library before it gets
loaded into memory and then reused by multiple processes. Injected code
can then hook into system API calls; e.g., reading the contents of
encrypted password objects (textboxes that normally don't show the
entered content), which cannot be performed by simply grabbing the
object's value. Once the code gets injected into the DLL, and after the
DLL gets loaded into memory, whatever the code changed or added will
affect all processes calling the same methods in that loaded DLL.

Letting processes share the same code reduces their memory footprint
rather than having every process tote along the same code. Ever notice
all the C runtimes that come with Windows? That's to share that code,
too, rather than bloat every program. The shared code must get loaded
into memory (nothing runs unless in memory - stuff pushed into pages on
the disk isn't running until reloaded into memory). Apparently the
loaded tables with shared code aren't safeguarded from being rewritten.
Many DLLs are loaded simply by loading Windows; that is, starting
Windows will load many DLLs.

You can use Nirsoft's LoadedDLLsView to see which DLLs are currently
loaded. As I wrote this and then ran LoadedDLLsView, there are 1153
DLLs currently loaded into system RAM. For example, I'm posting here
using 40Tude Dialog (dialog.exe), which loaded the 4dmf.dll library.
However, I doubt any other process would share Dialog's library, but some
programmers keep their functions separate in libraries for easier
maintenance of their code. Instead of having to delve into one large
code file, they know by function where to find some code they want to
change, so they keep those functions in libraries (DLLs) and have their
executable load the libs so those functions will be available to the
executable. In the list of loaded DLLs, a count shows how many
processes have links to one, or more, methods within that loaded DLL.
ntdll.dll (for NT kernel functions) has 87 processes currently accessing
methods in that OS DLL, including my Usenet client (Dialog).

Perhaps the reason Lynn mentioned "maybe she should be running Windows
10" is that mitigations might have been implemented in Win10 Redstone 3,
and up, regarding this corruption of shared memory. The table in the
article could be interpreted to identify under which versions of Windows
the author's POC will fail ("X" meaning fail). Since there is no
comment remarking what the table represents or even a title for the
table, I'm not sure what that table is supposed to represent. Do the
X's represent mitigations that were added but the POC circumvented them?
Are the X's simply to list which mitigations were added in each version
of Windows (and not to show which ones were obviated by the POC)? With
no information about what the table represents, there's nothing in the
article that overtly declares any release of Windows 10 is better
protected than earlier versions of Windows regarding the authors' POC.
In the video (https://www.youtube.com/watch?v=QmgbbSPj2j4) at 8:58:20,
although sometimes hard to discern what the speaker says, I think the
speaker said their shared table exploit POC obviates *all* of the
mitigations, even those in the latest of Windows 10. I don't see the
authors claiming Windows 10 Redstone 3+ is protected against their POC.
#4
August 22nd 18, 10:38 PM posted to alt.comp.os.windows-10,alt.comp.hardware.pc-homebuilt
Andy Burns

VanguardLH wrote:

> Andy Burns wrote:
>
> > Lynn McGuire wrote:
> >
> > > there is an awesome new exploit that might pass them all
> >
> > Does the exploit only work for instances of Windows running
> > under Hyper-V?
>
> Just because the article mentions "virtual" doesn't mean it has anything
> to do with virtual machines, like Hyper-V

Well, they spent a lot of time during their presentation discussing
Hyper-V, so much that it semi-implied that the extra level of page tables
and sharing had something to do with the exploit. I started to fast
forward through it when the "errrmm"s got too much.

#5
August 23rd 18, 04:56 AM posted to alt.comp.os.windows-10,alt.comp.hardware.pc-homebuilt
VanguardLH

Andy Burns wrote:

> VanguardLH wrote:
>
> > Andy Burns wrote:
> >
> > > Lynn McGuire wrote:
> > >
> > > > there is an awesome new exploit that might pass them all
> > >
> > > Does the exploit only work for instances of Windows running
> > > under Hyper-V?
> >
> > Just because the article mentions "virtual" doesn't mean it has anything
> > to do with virtual machines, like Hyper-V
>
> Well, they spent a lot of time during their presentation discussing
> Hyper-V, so much that it semi-implied that the extra level of page tables
> and sharing had something to do with the exploit. I started to fast
> forward through it when the "errrmm"s got too much.

Don't know what the speaker's native language is, but I gave up trying to
decipher his lack of command of English. If I listened longer, I'd
probably get the gist of his English cant to figure out more of what he
said. Like you, the eh's, ah's, and other interjections were just too
overwhelming to spend time listening to it all. You hear "pity" as a
word when the speaker was trying to say "p", "t", "e" (for the PTE
acronym), and "stupidees" for "2 PTEs". Forget about hearing "POSIX"
because "x" (ecks) is not something the speaker can pronounce. Possibly
the audience was more familiar with the speakers by having spent more
time to acclimate to the speaker's English pronunciations. I didn't
bother trying to find who attended the BSide seminar to know the
composition of that audience.

Too many times someone will write something thinking that because they
authored the document they will also orate it well. You need to
practice those speeches before giving them, no matter what language(s)
you speak. You need to know where you are going to eliminate making
repeated corrections via interjections to pause while regaining your
bearings. With the speaker always looking at his screen and presenting
slides, I suspect all the speaker had for notes were the slides and he
orated on the fly. That is, it didn't seem the speaker had a [practiced]
speech to present, using slides only to reinforce points made in a
speech. Could be the timing between their POC and BSide was too close
to write up and rehearse a speech, so they just collected a bunch of slides.

Both look to have many years in security research from profiles that I
found about them online. Just wish they actually had a prepared speech
that they practiced and used the slides to highlight some points in a
speech, and to publish their speech if they had one (or have someone add
English subtitles to the video but with the interjections omitted).

The virtualization (meaning virtual machines) started at about 9:06.52,
about 8 minutes after the start of the presentation. I didn't get that
far the first time I watched the video. Like you said, the speaker had
tons of interjections that show the speaker doesn't know where they are
heading (because they didn't have an actual speech to practice). I
think that gets into how the OS (well, more likely the VMM - virtual
machine manager) will protect the pages in memory for the VMs to stay
isolated. The speaker kept mentioning PTEs (Page Table Entries), which
the OS employs on behalf of the VMM for use by the guest OS's virtualized
memory.

Since this wasn't a classroom where students could interrupt with
questions but rather a presentation where the speaker keeps talking and
might take questions at the end, there really should be a speech
available online rather than just a bunch of slides that carry little
information without the speech to glue together the slides. Since there
was no speech, there isn't a copy available that I could find.

https://cdn2.hubspot.net/hubfs/48790...les_Slides.pdf

That has the slides which convey some information but not really about
how that information can be exploited in practice.

https://blog.ensilo.com/bypassing-kernel-mitigations

That's a recap (probably written afterward) that omits the details of
the BSide presentation.
#6
August 23rd 18, 08:37 AM posted to alt.comp.os.windows-10,alt.comp.hardware.pc-homebuilt
Andy Burns

VanguardLH wrote:

> Don't know what is the speaker's native language

From the presentation, I would have guessed Russian, but from the
company details, more likely Hebrew?

> Need to practice those speeches

Yes, running through it with an audience of colleagues, who can be very
critical, would have helped the structure, and then practising a script
several times.

They have assumed the audience doesn't know how shared virtual memory
works with protection flags such as RO and COW etc, so spent a lot of
time on that, but glossed over how the exploit manages to manipulate the
protection to allow 'A' to write to their copy of the page such that 'B'
will run the code.
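As an added illustration, not code from the thread, the article, or the researchers it discusses, here is a small Linux/POSIX C program showing the copy-on-write (COW) protection Andy refers to and the shared-code mechanism VanguardLH described: a write through a MAP_PRIVATE view of a file-backed page is invisible to a second view of the same page, while a write through a MAP_SHARED view is seen by every mapping. The function names and the /tmp file path are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed input: a one-page temporary file filled with 'A' bytes,
 * standing in for a shared library image. Returns an fd or -1. */
static int make_page_file(long *page)
{
    char path[] = "/tmp/cow_demo_XXXXXX";   /* assumed writable tmp dir */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* file disappears on close */
    *page = sysconf(_SC_PAGESIZE);
    char *buf = malloc(*page);
    if (buf == NULL) { close(fd); return -1; }
    memset(buf, 'A', *page);
    ssize_t n = pwrite(fd, buf, *page, 0);
    free(buf);
    if (n != *page) { close(fd); return -1; }
    return fd;
}

/* Map the page twice: a writable view with the given flags and a
 * read-only MAP_SHARED view standing in for "the other process".
 * Write through the first and report whether the second sees it.
 * Returns 1 if visible, 0 if isolated, -1 on setup failure. */
static int write_visible_to_other_view(int flags)
{
    long page;
    int fd = make_page_file(&page);
    if (fd < 0) return -1;
    char *writer = mmap(NULL, page, PROT_READ | PROT_WRITE, flags, fd, 0);
    char *reader = mmap(NULL, page, PROT_READ, MAP_SHARED, fd, 0);
    if (writer == MAP_FAILED || reader == MAP_FAILED) { close(fd); return -1; }
    writer[0] = 'Z';   /* MAP_PRIVATE: the kernel copies the page for this writer first */
    int visible = (reader[0] == 'Z');
    munmap(writer, page);
    munmap(reader, page);
    close(fd);
    return visible;
}

/* COW: a private view's write never reaches the page other mappings share. */
int private_view_isolated(void) { return write_visible_to_other_view(MAP_PRIVATE) == 0; }
/* MAP_SHARED: the write lands in the page every mapping of the file sees. */
int shared_view_visible(void)   { return write_visible_to_other_view(MAP_SHARED) == 1; }
```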