
What is the idea of bypassing Windows Control Flow Guard

2025-04-13 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

What is the idea behind bypassing Windows Control Flow Guard? This article walks through the analysis and the bypass technique in detail, in the hope of giving readers who want to understand this problem a simpler way in.

Preface

Typically, attackers hijack control flow by exploiting memory-corruption vulnerabilities. Researchers have proposed a variety of defenses against this, such as address space layout randomization (ASLR), write XOR execute (W^X), control flow integrity (CFI), and others. CFI enforces that a program's control transfers follow its intended control-flow graph. The most widely deployed CFI is Control Flow Guard (CFG), provided by Windows. CFG is currently deployed on Windows 8.1 and Windows 10 and has more than 500 million users, so a weakness in CFG can have very serious consequences.

Windows CFG implementation

Windows' implementation of CFI is called Control Flow Guard (CFG). Because precise CFI is too expensive for real-world performance requirements, the CFI actually deployed on Windows is coarse-grained, forward-edge CFI. Coarse-grained means that all valid jump targets form one global set; the valid targets of each individual indirect jump are not specified precisely. Forward-edge means that only indirect calls and jumps are checked (direct calls and jumps need no check); return instructions (ret) are not checked at all. The Windows CFG implementation relies on a bitmap that records whether a destination address is valid. Two bits in the bitmap describe each 16 bytes of address space, giving four cases:

00: There is no valid jump address in this address range

01: Address range contains export suppression table target

10: Only the 16-byte-aligned address (the first address of the range) is valid

11: All addresses in the address range are valid

Thus, a very obvious loophole can be seen:

In the 11 case, every address in the 16-byte range is a valid jump target. If there is a controllable indirect jump, such as jmp [eax] with eax = 0x1007, the jump can land on the instruction at 0x1007 even though it is in the middle of a function (the add rsp, 0x40 shown in the figure above), and CFG will not object. This is one of the design weaknesses of Windows CFG. Second, because Windows CFG is a forward-edge CFI defense, it cannot prevent the return address from being overwritten, so if the return address (ret addr) can be rewritten, this can be used to bypass CFG.
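The following is an added example, not code from the article or from Windows: a simplified model of the two-bits-per-16-bytes target table described above, written so that a reader can see why a range marked 11 accepts an unaligned address such as 0x1007 while a range marked 10 rejects it. The bit layout, lookup sequence and export-suppression handling of the real ntdll implementation differ in detail; the class name, the constructed address layout and the audit helper are assumptions made for illustration.

```python
# Added example: educational model of the CFG target bitmap (not ntdll's code).
# Two bits per 16-byte range, encoded as the four cases listed in the article.

NO_TARGET = 0b00          # no valid indirect-call target in the range
EXPORT_SUPPRESSED = 0b01  # aligned target exists but is export-suppressed
ALIGNED_ONLY = 0b10       # only the 16-byte-aligned first address is valid
ALL_VALID = 0b11          # every byte of the 16-byte range is a valid target

RANGE_SIZE = 16
VALID_STATES = (NO_TARGET, EXPORT_SUPPRESSED, ALIGNED_ONLY, ALL_VALID)


class CfgBitmapModel:
    """Sparse stand-in for the bitmap: range index -> 2-bit state."""

    def __init__(self):
        self._states = {}

    def mark(self, addr, state):
        if state not in VALID_STATES:
            raise ValueError("state must be one of the four 2-bit values")
        self._states[addr // RANGE_SIZE] = state

    def state_of(self, addr):
        # Unmarked ranges behave as 00: nothing there is a valid target.
        return self._states.get(addr // RANGE_SIZE, NO_TARGET)

    def is_valid_target(self, target, export_suppression_enabled=True):
        """Decide, as the dispatch check would, whether target may be called."""
        state = self.state_of(target)
        aligned = (target % RANGE_SIZE) == 0
        if state == ALL_VALID:
            return True  # any byte passes, including a mid-function epilogue
        if state == ALIGNED_ONLY:
            return aligned
        if state == EXPORT_SUPPRESSED:
            # Accepted only when the process does not enforce export suppression.
            return aligned and not export_suppression_enabled
        return False

    def fully_valid_ranges(self):
        """Audit helper (assumed): start addresses of ranges marked 11."""
        return sorted(i * RANGE_SIZE
                      for i, s in self._states.items() if s == ALL_VALID)


def demo():
    """Constructed layout mirroring the article's jmp [eax], eax = 0x1007 case."""
    bm = CfgBitmapModel()
    bm.mark(0x1000, ALL_VALID)        # several targets share 0x1000-0x100f -> 11
    bm.mark(0x2000, ALIGNED_ONLY)     # an ordinary function entry -> 10
    bm.mark(0x3000, EXPORT_SUPPRESSED)
    return {
        "epilogue_in_all_valid_range": bm.is_valid_target(0x1007),
        "entry_in_aligned_range": bm.is_valid_target(0x2000),
        "mid_aligned_range": bm.is_valid_target(0x2007),
        "suppressed_export_default": bm.is_valid_target(0x3000),
        "suppressed_export_disabled": bm.is_valid_target(
            0x3000, export_suppression_enabled=False),
        "all_valid_ranges": bm.fully_valid_ranges(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check for 0x1007 returns True while the check for 0x2007 returns False; the only difference between the two is the state of the surrounding range, which is exactly the observation the article builds on. The audit helper shows the defender's view: the number of ranges in 11 state is the size of the coarse-grained target set that an epilogue-based bypass can draw on.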

Bypass CFG

The paper proposes a method of bypassing CFG which, compared with previous bypasses, has the following advantages:

Less stack control is required: only the top area of the stack needs to be controlled

Greater flexibility and reproducibility in real-world attack scenarios

The required gadgets are widely available in Windows systems

The paper defines two kinds of gadget, which cooperate to bypass CFG. The P(p)R(r) gadget is defined as follows:

The gadget is a valid CFG target

The gadget begins with an optional add {e,r}sp, m instruction (m is 0 if absent)

followed by n pop instructions (n may be 0)

and ends with a ret r instruction (r may be 0)

p = m + w * n (w is the word length: 4 on 32-bit, 8 on 64-bit)

This series of definitions actually describes the end of a function call, i.e. a function epilogue, such as the valid code segment in the figure above:

add rsp, 0x40
pop rdi
pop rbx
ret

By definition this gadget is P(80)R(0): p = 64 + 8 * 2, r = 0. The main purpose of a chain of such gadgets is to shift the stack frame in order to reach and modify the return address. On a 32-bit system parameters are passed on the stack, so an attacker who controls the parameters can influence the stack contents and thereby modify the return address. On 64-bit systems, however, parameters are passed in registers, so the stack contents are generally unaffected; the paper therefore defines an additional gadget, the S gadget, whose role is to get controlled values onto the stack. Tail-call optimization commonly produces S gadgets.

Define S gadget:

The gadget is a valid CFG target

The gadget spills n argument registers into the Register Parameter Area (RPA) on the stack

The gadget ends with a controlled indirect jump

S(2) gadget DEMO

mov [rsp + 0x8], rcx
mov [rsp + 0x10], rdx
sub rsp, 0x40
...
mov rax, [rcx]
mov rax, [rax + 0x20]
add rsp, 0x40
jmp [dispatch_fptr]

In the Windows 64-bit calling convention, rcx and rdx hold the first and second parameters. If the attacker controls these parameters, this gadget writes attacker-controlled values onto the stack, which creates the opportunity to modify the return address.

The following diagram shows the connection process of a PR-P chain:

Attack

How are the P(p)R(r) and S gadgets used in an attack? The paper uses Edge as the target to implement a remote attack. First, the attacker needs to know the address of an object in memory, so an address-disclosure step is required. Second, some data must be forged, which requires a memory-write primitive. In the paper's demo, two Edge vulnerabilities, CVE-2016-7200 and CVE-2016-7201, were exploited to obtain address disclosure and arbitrary memory read/write.

S(2) gadget

1 ; @ chakra+0x31f000
2 chakra!ScriptEngine::EnumHeap:
3 mov r11, rsp
4 ; Spill arguments to RPA
5 mov [r11+0x10], rdx
6 mov [r11+0x8], rcx
7 ; Allocate stack frame
8 sub rsp, 0x28
9 ; Prepare call to rcx->__vfptr[10]
10 mov rax, [rcx]
11 mov r8, rdx
12 xor edx, edx
13 mov rax, [rax+0x50]
14 ; Deallocate stack frame
15 add rsp, 0x28
16 ; Perform indirect call via CFG
17 jmp cs:__guard_dispatch_icall_fptr

P(16)R(0) gadget

pop rdi
pop rsi
ret

The target function is the JavascriptFunction::HasInstance virtual function. First locate the JavascriptFunction object in memory, then replace its VTable pointer with a pointer to a fake VTable in which the instanceof entry, at offset 0x200 in the VTable, points to the S(2) gadget. The S(2) gadget is then executed when instanceof is called.

The S gadget receives a pointer to the JavascriptFunction object as its first argument and a pointer to a Var as its second, and spills both onto the stack at lines 5 and 6. Line 13 loads the pointer at offset 0x50 of the JavascriptFunction object's VTable into rax, after which the jmp through __guard_dispatch_icall_fptr transfers control to rax, i.e. to the P(16)R(0) gadget.
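The gadget definitions above (P(p)R(r) with p = m + w * n, and S(n) counting spilled argument registers) are easy to get wrong by hand, so the following added example, which is not code from the paper or the article, classifies the textual listings shown on this page and reproduces the P(80)R(0), S(2) and P(16)R(0) labels. It works on instruction text only; the regular expressions, the `classify` function and the constructed listings are assumptions made for the illustration and cover just the instruction forms that appear on this page.

```python
# Added example: classify epilogue / tail-call listings by the article's
# P(p)R(r) and S(n) definitions. Operates on instruction text; it does not
# disassemble or scan binaries.
import re

WORD_SIZE = {"e": 4, "r": 8}  # esp -> 32-bit word, rsp -> 64-bit word

ADD_SP = re.compile(r"^add\s+([er])sp\s*,\s*(0x[0-9a-f]+|\d+)$", re.I)
POP = re.compile(r"^pop\s+\w+$", re.I)
RET = re.compile(r"^ret(?:\s+(0x[0-9a-f]+|\d+))?$", re.I)
# A spill: storing a 64-bit argument register into the RPA via rsp or r11.
SPILL = re.compile(
    r"^mov\s+\[(?:rsp|r11)\s*\+\s*0x[0-9a-f]+\]\s*,\s*(rcx|rdx|r8|r9)$", re.I)
# The CFG-checked indirect jump that ends an S gadget (both spellings on the page).
DISPATCH = re.compile(r"^jmp\s+.*(?:dispatch_fptr|__guard_dispatch_icall_fptr)", re.I)


def _instructions(listing):
    """Strip listing line numbers, ';' comments, labels and blank lines."""
    out = []
    for line in listing.strip().splitlines():
        line = line.split(";", 1)[0].strip()
        line = re.sub(r"^\d+\s+", "", line)
        if line and not line.endswith(":"):
            out.append(line)
    return out


def classify(listing, word=8):
    """Return ('P', p, r), ('S', n) or None; word is overridden by add esp/rsp."""
    insns = _instructions(listing)
    if not insns:
        return None
    if DISPATCH.match(insns[-1]):
        # S gadget: count argument registers spilled before the dispatch jump.
        return ("S", sum(1 for i in insns if SPILL.match(i)))
    m = RET.match(insns[-1])
    if not m:
        return None
    r = int(m.group(1), 0) if m.group(1) else 0
    disp, pops = 0, 0
    for insn in insns[:-1]:
        a = ADD_SP.match(insn)
        if a:
            word = WORD_SIZE[a.group(1).lower()]
            disp += int(a.group(2), 0)
        elif POP.match(insn):
            pops += 1
        else:
            return None  # anything else means it is not a pure epilogue
    return ("P", disp + word * pops, r)


# Constructed listings copied from the page's examples.
P80_LISTING = """
add rsp, 0x40
pop rdi
pop rbx
ret
"""

P16_LISTING = """
pop rdi
pop rsi
ret
"""

S2_LISTING = """
1 ; @ chakra+0x31f000
2 chakra!ScriptEngine::EnumHeap:
3 mov r11, rsp
4 ; Spill arguments to RPA
5 mov [r11+0x10], rdx
6 mov [r11+0x8], rcx
7 ; Allocate stack frame
8 sub rsp, 0x28
9 ; Prepare call to rcx->__vfptr[10]
10 mov rax, [rcx]
11 mov r8, rdx
12 xor edx, edx
13 mov rax, [rax+0x50]
14 ; Deallocate stack frame
15 add rsp, 0x28
16 ; Perform indirect call via CFG
17 jmp cs:__guard_dispatch_icall_fptr
"""

if __name__ == "__main__":
    for name, text in (("P80", P80_LISTING), ("P16", P16_LISTING), ("S2", S2_LISTING)):
        print(name, classify(text))
```

The classifier also handles the 32-bit form of the definition: `add esp, 0xc` followed by `pop ebx` and `ret 8` yields P(16)R(8), because the word size switches to 4 when the add targets esp. From a defender's point of view the useful observation is how ordinary these sequences are: every compiled function has an epilogue, and under a coarse-grained bitmap each one that happens to sit in a range marked 11 is a valid indirect-call target.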

Thus only a Var pointer of our own construction needs to be set up in order to hijack the control flow.

Once control flow has been hijacked, the attack continues via traditional ROP.

The paper proposes a new method of bypassing Windows CFG that offers considerable flexibility. The authors note that suitable gadgets are plentiful in Windows, so a systematic scan of the commonly loaded Windows dynamic libraries would make the technique applicable in many scenarios.
