Attacking Antivirus Software's Kernel Driver презентация

Июль 15, 2021

Главная
Без категории
Attacking Antivirus Software's Kernel Driver

Содержание

2. * About me bee13oy of CloverSec Labs Security Vulnerabilities Researcher, interested in: Microsoft Windows Kernel Microsoft
3. * Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion
4. * Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion
5. Motivation Reason for choosing AV Widely Used Typical and Challenging Choose my first target “Avast Free
6. AV Attacking Surface Kernel Driver - SSDT Hook - IOCTL Handler ActiveX - Memory Corruption -
7. * AV Kernel Attacking Surface DeviceIoControl What We Care Mostly hDevice dwIoControlCode lpInBuffer & nInBufferSize
8. * Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion
9. * How To Get hDevice CreateFile lpFileName is a SymbolicLink Device Name \\.\TestDev \Device\TestDev
10. How To Get hDevice Using PChunter Disadvantage No command-line mode ? No automation Incomplete *
11. How To Get hDevice Better option? Enumerating DeviceObjects from user mode: NtOpenDirectoryObject NtQueryDirectoryObject NtOpenSymbolicLinkObject (optional) NtQuerySymbolicLinkObject
12. How To Get dwIoControlCode But… No Source code No Symbols High complexity We have… IDA Pro
13. How To Get dwIoControlCode Avast aswSnx.sys Dispatch Function ASM Code ASM code feature cmp REG, 0x88888888
14. How To Get dwIoControlCode Avast aswSnx.sys Dispatch Function C Code C code feature * case 0x88888888
15. How To Get dwIoControlCode C++ std::regex to match ASM code feature C++ std::regex to match C
16. How To Get dwIoControlCode Get Entire ASM Codes by IDA Command Line idaw.exe -Ohexx86:-errs:-mail=bee13oy@gmail.com:aswSnx.asm:ALL -B aswSnx.sys
17. How To Get dwIoControlCode IOCTL_CODE Filter condition DeviceType is fixed Multiple of four Strict Dispatch Function
18. How To Get dwIoControlCode switch & case C++ std::regex to match “switch & case” P =
19. How To Get dwIoControlCode Finally, we got IOCTL_CODEs… *
20. lpInBuffer & nInBufferSize lpInBuffer Invalid Buffer Ptr Insert Interesting values, eg, 0, 1, 2, 0x20, 0x3f,
21. Make it together *
22. BSoD but... We got a broken log file. Why? *
23. BSoD but… How to Disable File System Caching? MSDN will tell you… File Buffering CreateFile with
24. Install AV & Run Fuzzer We tested 24 AV products from AV-TEST (February 2016) *
25. Antivirus Kernel Vulnerabilities ZDI CASES ZDI-CAN-3760 (Check Point) ZDI-CAN-3828 (AhnLab) ZDI-CAN-4191 (Trend Micro) ZDI-CAN-3712 (Avast) ZDI-16-670
26. Avast BSoD (aswSnx.sys) *
27. Trend Micro BSoD(tmnciesc.sys) *
28. * Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion
29. Norman Security suite 11.0 EoP Vulnerability *
30. Exploit Demo *
31. * Agenda Attacking Antivirus Software Finding Antivirus Kernel Vulnerabilities Exploiting Kernel Vulnerabilities Conclusion
32. Conclusion Recommendations for AV Companies Audit your drivers: source code reviews & fuzzing Don’t trust the
34. Скачать презентацию

Слайд 2

*
About me
bee13oy of CloverSec Labs
Security Vulnerabilities Researcher, interested in:
Microsoft Windows

Kernel
Microsoft Edge
Adobe Flash Player
Discovered 40+ AV Kernel Vulnerabilities:
ZDI-CAN-3760, ZDI-CAN-3828, ZDI-CAN-4191, ZDI-CAN-3712
ZDI-16-670, ZDI-16-530, ZDI-16-503, ZDI-16-502, ZDI-16-487, ZDI-16-484, ZDI-16-483
…

Слайд 3

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Слайд 4

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Слайд 5

Motivation
Reason for choosing AV
Widely Used
Typical and Challenging
Choose my first target “Avast

Free Antivirus”
Free antivirus software
Avast bug bounty program

Слайд 6

AV Attacking Surface
Kernel Driver
- SSDT Hook
- IOCTL Handler
ActiveX
- Memory Corruption
-

Insecure Method | Design Error

Engine
- File Format Parsing(Memory Corruption, RCE)
- Denial Of Service
- Detection Bypass
Management
- Web Interface
- Client/Server Management

IOCTL Handler

Слайд 7

*
AV Kernel Attacking Surface
DeviceIoControl
What We Care Mostly
hDevice
dwIoControlCode
lpInBuffer & nInBufferSize

Слайд 8

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Слайд 9

$* How To Get hDevice CreateFile lpFileName is a SymbolicLink Device Name \\.\TestDev \Device\TestDev$

*
How To Get hDevice
CreateFile
lpFileName is a SymbolicLink Device Name
\\.\TestDev
\Device\TestDev

Слайд 10

How To Get hDevice
Using PChunter
Disadvantage
No command-line mode ? No automation
Incomplete
*

Слайд 11

How To Get hDevice
Better option?
Enumerating DeviceObjects from user mode:
NtOpenDirectoryObject
NtQueryDirectoryObject
NtOpenSymbolicLinkObject (optional)
NtQuerySymbolicLinkObject

(optional)
hDevice ==> *.sys?
Device name + .sys ?=> driver binary (aswSnx ? aswSnx.sys)
SymbolicLink reference (aswSP_Open ? aswSP.sys)

Слайд 12

How To Get dwIoControlCode
But…
No Source code
No Symbols
High complexity
We have…
IDA Pro
Windbg
Kernel Driver

*.sys

Слайд 13

How To Get dwIoControlCode
Avast aswSnx.sys Dispatch Function ASM Code
ASM code feature
cmp

REG, 0x88888888
mov REG, 0x88888888
sub REG, 0x88888888

Слайд 14

How To Get dwIoControlCode
Avast aswSnx.sys Dispatch Function C Code
C code feature
*
case

0x88888888
vN > 0x88888888
vN < 0x88888888
vN - 0x88888888
vN = 0x88888888

vN <= 0x88888888
vN >= 0x88888888
vN == 0x88888888
vN != 0x88888888

Слайд 15

How To Get dwIoControlCode
C++ std::regex to match ASM code feature
C++ std::regex

to match C code feature

P = "((cmp)|(mov)|(sub))(( )|( )|(\\t)|(\\t\\t))((eax)|(ebx)|(ecx)|(edx)
|(edi)|(esi)|(ebp)),((\\t)|(\\t\\t)|( ))(([0-9a-fA-F]{5,9}))((h)|(H))"

P = "((=)|(-)|(<)|(>)|(case)) ((0x[0-9a-fA-F]{5,9})|(-?[0-9]{5,10}))"

Слайд 16

How To Get dwIoControlCode
Get Entire ASM Codes by IDA Command Line
idaw.exe

-Ohexx86:-errs:-mail=bee13oy@gmail.com:aswSnx.asm:ALL -B aswSnx.sys
Get Entire C Codes by IDA Command Line
idaw.exe -Ohexx86:-errs:-mail=bee13oy@gmail.com:aswSnx.sys.c:ALL -A aswSnx.sys

Слайд 17

How To Get dwIoControlCode
IOCTL_CODE Filter condition
DeviceType is fixed
Multiple of four
Strict Dispatch

Function Filter condition

Слайд 18

How To Get dwIoControlCode
switch & case
C++ std::regex to match “switch &

case”
P = "(((switch) (\\( )((v|a)[0-9]{1,5}) ((\\+)|(-)))|(case)) ((0x[0-9a-fA-F]{1,9})|(-?[0-9]{1,11}))“
ioctl = N - 0xFFEFFE4

Слайд 19

How To Get dwIoControlCode
Finally, we got IOCTL_CODEs…
*

Слайд 20

lpInBuffer & nInBufferSize
lpInBuffer
Invalid Buffer Ptr
Insert Interesting values, eg, 0, 1, 2,

0x20, 0x3f, 0x40, 0x7f, 0x80, 0xff, 0x3ffff, -1, 0x7fffffff, etc
Insert Thread / Process ID
Insert Thread / Process Handle
Insert Another Buffer Ptr
nInBufferSize
Interesting values, eg, 0, 1, 2, 0x20, 0x3f, 0x40, 0x7f, 0x80, 0xff, 0x3ffff, -1, 0x7fffffff, etc
Sizeof lpInBuffer
Random length between 0 and sizeof lpInBuffer

Слайд 21

Make it together
*

Слайд 22

BSoD but...
We got a broken log file. Why?
*

Слайд 23

BSoD but…
How to Disable File System Caching?
MSDN will tell

you…
File Buffering
CreateFile with flag FILE_FLAG_NO_BUFFERING
Alloc aligned memory by using VirtualAlloc or _aligned_malloc
WriteFile with aligned memory and aligned sector_size length.
File Caching
CreateFile with flag GENERIC_WRITE
WriteFile
FlushFileBuffers

Слайд 24

Install AV & Run Fuzzer
We tested 24 AV products from AV-TEST

(February 2016)

Слайд 25

Antivirus Kernel Vulnerabilities
ZDI CASES
ZDI-CAN-3760 (Check Point)
ZDI-CAN-3828 (AhnLab)
ZDI-CAN-4191 (Trend Micro)
ZDI-CAN-3712 (Avast)
ZDI-16-670 (Avira)
ZDI-16-530

(Trend Micro)
ZDI-16-503 (Bitdefender)
ZDI-16-502 (Bitdefender)
ZDI-16-487 (AVG)
ZDI-16-484 (AVG)
ZDI-16-483 (AVG)
…

Слайд 26

Avast BSoD (aswSnx.sys)
*

Слайд 27

Trend Micro BSoD(tmnciesc.sys)
*

Слайд 28

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Слайд 29

Norman Security suite 11.0 EoP Vulnerability
*

Слайд 30

Exploit Demo
*

Слайд 31

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Слайд 32

Conclusion
Recommendations for AV Companies
Audit your drivers: source code reviews & fuzzing
Don’t

trust the user-supplied data
…

Attacking Antivirus Software's Kernel Driver презентация

Содержание

*About mebee13oy of CloverSec Labs Security Vulnerabilities Researcher, interested in:Microsoft Windows

*AgendaAttacking Antivirus SoftwareFinding Antivirus Kernel VulnerabilitiesExploiting Kernel VulnerabilitiesConclusion

*AgendaAttacking Antivirus SoftwareFinding Antivirus Kernel VulnerabilitiesExploiting Kernel VulnerabilitiesConclusion

MotivationReason for choosing AVWidely UsedTypical and ChallengingChoose my first target “Avast

AV Attacking SurfaceKernel Driver - SSDT Hook- IOCTL HandlerActiveX- Memory Corruption-

*AV Kernel Attacking SurfaceDeviceIoControlWhat We Care MostlyhDevicedwIoControlCodelpInBuffer & nInBufferSize

*AgendaAttacking Antivirus SoftwareFinding Antivirus Kernel VulnerabilitiesExploiting Kernel VulnerabilitiesConclusion

*How To Get hDeviceCreateFilelpFileName is a SymbolicLink Device Name\\.\TestDev\Device\TestDev

How To Get hDeviceUsing PChunterDisadvantageNo command-line mode ? No automationIncomplete*

How To Get hDeviceBetter option? Enumerating DeviceObjects from user mode:NtOpenDirectoryObjectNtQueryDirectoryObjectNtOpenSymbolicLinkObject (optional)NtQuerySymbolicLinkObject

How To Get dwIoControlCodeBut…No Source codeNo SymbolsHigh complexityWe have…IDA ProWindbgKernel Driver

How To Get dwIoControlCodeAvast aswSnx.sys Dispatch Function ASM CodeASM code featurecmp

How To Get dwIoControlCodeAvast aswSnx.sys Dispatch Function C CodeC code feature*case

How To Get dwIoControlCodeC++ std::regex to match ASM code featureC++ std::regex

How To Get dwIoControlCodeGet Entire ASM Codes by IDA Command Lineidaw.exe

How To Get dwIoControlCodeIOCTL_CODE Filter conditionDeviceType is fixedMultiple of fourStrict Dispatch

How To Get dwIoControlCodeswitch & caseC++ std::regex to match “switch &

How To Get dwIoControlCodeFinally, we got IOCTL_CODEs…*

lpInBuffer & nInBufferSizelpInBufferInvalid Buffer PtrInsert Interesting values, eg, 0, 1, 2,

Make it together*

BSoD but...We got a broken log file. Why?*

BSoD but…How to Disable File System Caching? MSDN will tell

Install AV & Run FuzzerWe tested 24 AV products from AV-TEST

Antivirus Kernel VulnerabilitiesZDI CASESZDI-CAN-3760 (Check Point)ZDI-CAN-3828 (AhnLab)ZDI-CAN-4191 (Trend Micro)ZDI-CAN-3712 (Avast)ZDI-16-670 (Avira)ZDI-16-530

Avast BSoD (aswSnx.sys)*

Trend Micro BSoD(tmnciesc.sys)*

*AgendaAttacking Antivirus SoftwareFinding Antivirus Kernel VulnerabilitiesExploiting Kernel VulnerabilitiesConclusion

Norman Security suite 11.0 EoP Vulnerability*

Exploit Demo*

*AgendaAttacking Antivirus SoftwareFinding Antivirus Kernel VulnerabilitiesExploiting Kernel VulnerabilitiesConclusion

ConclusionRecommendations for AV CompaniesAudit your drivers: source code reviews & fuzzingDon’t

Похожие презентации

*
About me
bee13oy of CloverSec Labs
Security Vulnerabilities Researcher, interested in:
Microsoft Windows

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Motivation
Reason for choosing AV
Widely Used
Typical and Challenging
Choose my first target “Avast

AV Attacking Surface
Kernel Driver
- SSDT Hook
- IOCTL Handler
ActiveX
- Memory Corruption
-

*
AV Kernel Attacking Surface
DeviceIoControl
What We Care Mostly
hDevice
dwIoControlCode
lpInBuffer & nInBufferSize

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

*
How To Get hDevice
CreateFile
lpFileName is a SymbolicLink Device Name
\\.\TestDev
\Device\TestDev

How To Get hDevice
Using PChunter
Disadvantage
No command-line mode ? No automation
Incomplete
*

How To Get hDevice
Better option?
Enumerating DeviceObjects from user mode:
NtOpenDirectoryObject
NtQueryDirectoryObject
NtOpenSymbolicLinkObject (optional)
NtQuerySymbolicLinkObject

How To Get dwIoControlCode
But…
No Source code
No Symbols
High complexity
We have…
IDA Pro
Windbg
Kernel Driver

How To Get dwIoControlCode
Avast aswSnx.sys Dispatch Function ASM Code
ASM code feature
cmp

How To Get dwIoControlCode
Avast aswSnx.sys Dispatch Function C Code
C code feature
*
case

How To Get dwIoControlCode
C++ std::regex to match ASM code feature
C++ std::regex

How To Get dwIoControlCode
Get Entire ASM Codes by IDA Command Line
idaw.exe

How To Get dwIoControlCode
IOCTL_CODE Filter condition
DeviceType is fixed
Multiple of four
Strict Dispatch

How To Get dwIoControlCode
switch & case
C++ std::regex to match “switch &

How To Get dwIoControlCode
Finally, we got IOCTL_CODEs…
*

lpInBuffer & nInBufferSize
lpInBuffer
Invalid Buffer Ptr
Insert Interesting values, eg, 0, 1, 2,

Make it together
*

BSoD but...
We got a broken log file. Why?
*

BSoD but…
How to Disable File System Caching?
MSDN will tell

Install AV & Run Fuzzer
We tested 24 AV products from AV-TEST

Antivirus Kernel Vulnerabilities
ZDI CASES
ZDI-CAN-3760 (Check Point)
ZDI-CAN-3828 (AhnLab)
ZDI-CAN-4191 (Trend Micro)
ZDI-CAN-3712 (Avast)
ZDI-16-670 (Avira)
ZDI-16-530

Avast BSoD (aswSnx.sys)
*

Trend Micro BSoD(tmnciesc.sys)
*

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Norman Security suite 11.0 EoP Vulnerability
*

Exploit Demo
*

*
Agenda
Attacking Antivirus Software
Finding Antivirus Kernel Vulnerabilities
Exploiting Kernel Vulnerabilities
Conclusion

Conclusion
Recommendations for AV Companies
Audit your drivers: source code reviews & fuzzing
Don’t