An Example Analysis of a Windows Kernel Privilege Escalation 0Day Vulnerability

2025-01-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article presents an example analysis of a 0Day vulnerability used for Windows kernel privilege escalation. The content is concise and easy to follow, and I hope the detailed introduction below is useful to you.

01 Background

In mid-December 2020, the Shadow Hunting Lab of the Anheng Threat Intelligence Center published "BITTER recently launched attacks against Chinese government departments and scientific research institutions", which presented and analyzed some components of the attack.

During follow-up analysis we found a new component which, on analysis, turned out to exploit a previously unknown Windows kernel privilege escalation vulnerability; its code was adapted to the Windows 10 1909 operating system. We immediately sent the relevant information to Microsoft, and after Microsoft's confirmation we are certain that this is a 0Day vulnerability in the win32kfull module, which can also be triggered on the latest fully patched Windows 10 20H2!

02 Event timeline

● December 10, 2020: Anheng Threat Intelligence Center captured the relevant samples.

● December 15, 2020: Anheng Threat Intelligence Center found a suspicious Windows kernel privilege escalation vulnerability during analysis and started a root cause investigation.

● December 29, 2020: Anheng Threat Intelligence Center reported the vulnerability information to MSRC.

● December 29, 2020: MSRC confirmed receipt of the vulnerability report.

● December 31, 2020: MSRC confirmed that the vulnerability was a 0Day, began an investigation, and asked for more details.

● December 31, 2020: Anheng Threat Intelligence Center provided MSRC with more details of the 0Day vulnerability.

● January 6, 2021: MSRC thanked Anheng Threat Intelligence Center for the additional details and said the vulnerability was being fixed.

● February 9, 2021: MSRC fixed the vulnerability; its number is CVE-2021-1732.

03 Vulnerability characteristics

According to our investigation and analysis, the 0Day vulnerability captured this time has the following characteristics:

(1) The target is the latest version of the Windows 10 operating system.

(a) The in-the-wild sample attacked the latest version of Windows 10 1909 64-bit (the sample's compile time is May 2020).

(b) The in-the-wild sample supports multiple versions from Windows 10 1709 to Windows 10 1909, and only runs the exploit code on Windows 10 1709 or above.

(c) With minor modifications, the original exploit code can escalate privileges on the latest fully patched Windows 10 20H2 64-bit.

(2) The vulnerability is of high quality, exploited skillfully and stably, and is hard to detect dynamically.

(a) The in-the-wild sample bypasses kernel address space layout randomization (KASLR) on the latest version of Windows 10.

(b) This vulnerability differs from previous Win32k vulnerabilities: it is not a UAF, the exploitation process involves no heap spraying or memory reuse, and the Type Isolation mitigation does not apply to it. With Driver Verifier enabled the sample still escalates privileges normally, and enabling kernel pool checks does not detect it, so dynamic detection is difficult.

(c) The sample's arbitrary address write combines the vulnerability's characteristics with the SetWindowLong family of functions, which is striking.

(d) The sample uses GetMenuBarInfo for arbitrary address reads, a technique not previously made public, which reflects the developers' skill in exploitation and coding.

(e) After constructing the arbitrary address read/write primitive, the sample uses a Data Only Attack to replace the Token of the current process; current kernel mitigations cannot defend against such attacks.

(f) The exploit success rate of the in-the-wild sample is almost 100%.

(g) After exploitation completes, the sample restores all the relevant kernel structures, so the whole process does not cause a system blue screen and works stably.

(3) Careful use and good concealment.

(a) The sample checks for specific antivirus software before exploiting the vulnerability.

(b) The sample checks the current operating system version, and does not call the exploit function on systems older than Windows 10 1709.

(c) The sample was compiled in May 2020 and found by us in December 2020, so it survived for at least 7 months; this shows that its users are very cautious in using the vulnerability, and indirectly reflects the difficulty of capturing such hidden samples.

04 Vulnerability trigger effect

Testing the in-the-wild 0Day sample on the latest Windows 10 1909 x64, you can see that the process runs at Medium integrity when first started.

After the exploit code executes, the current process has System privileges, which indicates that the Token of the current process has been replaced with the Token of the System process, a common technique in kernel privilege escalation.

Starting the sample on the latest fully patched Windows 10 20H2 causes a system blue screen. This is because the exploit code was compiled before Windows 10 2004 and Windows 10 20H2 were released, and at that time the attacker only adapted the code to the then-latest version, Windows 10 1909.

05 Technical analysis

0x01 Root cause of the vulnerability

The vulnerability is caused by a flag bit getting out of sync with the offset field it describes, as a result of the user-mode callback in the win32kfull!xxxCreateWindowEx function.

When the xxxCreateWindowEx function of the win32kfull.sys module creates a window with window extra memory, it calls the user-mode callback xxxClientAllocWindowClassExtraBytes, which allocates the window extra memory in user mode and returns its address. Within the callback, an attacker can call NtUserConsoleControl with the handle of the current window, which changes the member of the window's kernel structure that locates the window extra memory into an offset and sets the corresponding flag to indicate that the member is an offset. The attacker can then call NtCallbackReturn inside the callback to return an arbitrary value. After the callback ends, the return value overwrites the previous offset, but the corresponding flag is not cleared; the unverified offset is then used directly by kernel code for heap addressing, causing an out-of-bounds access.

0x02 Vulnerability trigger logic

We completely reversed the exploit code of the in-the-wild sample and constructed a PoC for the vulnerability. The following figure shows the main execution logic of the PoC; we explain the vulnerability trigger logic with reference to it:

In the win32kfull!xxxCreateWindowEx function:

By default, the window extra memory is allocated through the xxxClientAllocWindowClassExtraBytes callback into user mode. The callback's return value is a pointer to the memory allocated in user mode, and this value is saved in the kernel structure.

When we call the win32kfull!xxxConsoleControl function from within the custom xxxClientAllocWindowClassExtraBytes callback, the window extra memory flag is set (|= 0x800) and the user-mode address stored in the kernel structure is replaced by an offset managed by the kernel's heap manager.

In the PoC we choose to trigger the vulnerability when the window is destroyed. The win32kfull!xxxFreeWindow function checks whether the above flag is set. If it is set, the kernel structure holds an offset and RtlFreeHeap is called to free the corresponding memory. If it is not set, the kernel structure holds a memory address and xxxClientFreeWindowClassExtraBytes is called to free it through the user-mode callback.

Within the xxxClientAllocWindowClassExtraBytes callback, NtCallbackReturn can be used to control the return value. After the callback ends, the previous offset is overwritten with the return value, but the corresponding flag is not cleared. In the PoC we return a user-mode heap address, which overwrites the original offset with that user-mode heap address (fake_offset). This eventually leads to an out-of-bounds access when win32kfull!xxxFreeWindow frees kernel heap memory with RtlFreeHeap:

The address RtlFreeHeap is expected to free is RtlHeapBase+offset

The address RtlFreeHeap actually frees is RtlHeapBase+fake_offset.

As soon as this RtlFreeHeap call is reached, it results in an out-of-bounds free and a BSOD.
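To make the flag/offset desync concrete, here is an added Python model (not the article's PoC and not win32kfull code) of the two tagWND fields the bug depends on, with the vulnerable create path beside a hardened one. The heap base, heap size, user-mode address and offset values are constructed, and the hardened branch is one possible fix, not a description of Microsoft's actual patch.

```python
"""Constructed model of the flag/offset desync behind CVE-2021-1732 (not win32kfull code)."""
from dataclasses import dataclass
from typing import Callable

FLAG_EXTRA_IS_OFFSET = 0x800          # the flag the article describes being set with |= 0x800
HEAP_BASE = 0xFFFF_A000_0000_0000     # constructed stand-in for RtlHeapBase
HEAP_SIZE = 0x10000                   # constructed size of the kernel heap
USER_BUFFER = 0x0000_7FF6_0001_0000   # constructed user-mode address returned by the callback


@dataclass
class Window:
    """Simplified tagWND: extra is a user pointer, or a heap offset when the flag is set."""
    flags: int = 0
    extra: int = 0


class OutOfBoundsFree(Exception):
    """Stands in for the bugcheck (BSOD) an out-of-bounds RtlFreeHeap causes."""


def console_control(wnd: Window, heap_offset: int) -> None:
    """Models NtUserConsoleControl: switch the window's extra bytes to offset addressing."""
    wnd.flags |= FLAG_EXTRA_IS_OFFSET
    wnd.extra = heap_offset


def create_window(callback: Callable[[Window], int], hardened: bool) -> Window:
    """Models xxxCreateWindowEx invoking the xxxClientAllocWindowClassExtraBytes callback.

    The callback runs in user mode and may re-enter the kernel (console_control)
    before returning; the vulnerable path stores its return value unconditionally.
    """
    wnd = Window()
    ret = callback(wnd)
    if hardened and wnd.flags & FLAG_EXTRA_IS_OFFSET:
        # Addressing mode changed during the callback, so the return value is not a
        # pointer to store; keep the kernel-managed offset. (One possible fix,
        # constructed here; not a description of Microsoft's actual patch.)
        return wnd
    wnd.extra = ret  # overwrites the offset while the flag stays set: the desync
    return wnd


def free_window(wnd: Window) -> str:
    """Models xxxFreeWindow: which free path runs and which address it is handed."""
    if wnd.flags & FLAG_EXTRA_IS_OFFSET:
        addr = HEAP_BASE + wnd.extra  # RtlHeapBase + offset, as the article describes
        if not HEAP_BASE <= addr < HEAP_BASE + HEAP_SIZE:
            raise OutOfBoundsFree(hex(addr))
        return f"RtlFreeHeap({hex(addr)})"
    return f"xxxClientFreeWindowClassExtraBytes({hex(wnd.extra)})"


def benign_callback(wnd: Window) -> int:
    """Normal behaviour: allocate in user mode and return the pointer."""
    return USER_BUFFER


def reentrant_callback(wnd: Window) -> int:
    """The article's trigger: switch to offset mode, then return a pointer via NtCallbackReturn."""
    console_control(wnd, 0x1234)  # kernel now holds offset 0x1234 with the flag set
    return USER_BUFFER            # becomes fake_offset in the vulnerable path


def destroy(wnd: Window) -> str:
    """Run the free path and report either the free performed or the crash it would cause."""
    try:
        return free_window(wnd)
    except OutOfBoundsFree as exc:
        return f"BSOD: out-of-bounds free at {exc}"
```

Calling `destroy(create_window(reentrant_callback, hardened=False))` reports the out-of-bounds free at RtlHeapBase+fake_offset, while the hardened path frees RtlHeapBase+0x1234 as intended.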

0x03 Exploitation in the wild

The in-the-wild sample is a 64-bit program. It first calls functions such as CreateToolhelp32Snapshot to enumerate all processes, looking for the "avp.exe" process ("avp.exe" is the Kaspersky antivirus process).

When the sample detects the "avp.exe" process, it only assigns values to some custom structures and does not exit; the subsequent privilege escalation functions are still called. We ran experiments in an environment with Kaspersky antivirus installed, and the sample escalated privileges normally, as shown in the following figure.

Next, the sample calls IsWow64Process to determine the current running environment and corrects some offsets according to the result. The code author seems to have made a logic error here: according to the source code below, the g_x64 in the following figure should be read as g_x86, but subsequent calls treat this variable as indicating an x64 environment.

The code author forces g_x64 to TRUE during initialization, so the call to IsWow64Process here can be ignored, but this seems to imply that the developer has also written a 32-bit version of the privilege escalation component.

After correcting the offsets, the sample dynamically resolves three functions: RtlGetNtVersionNumbers, NtUserConsoleControl and NtCallbackReturn. It then calls RtlGetNtVersionNumbers to get the current system build number and checks whether it is greater than or equal to 16353 (Windows 10 1709); only then is the exploit code called. It then checks whether the build number is greater than or equal to 18204 (Windows 10 1903) and, if so, corrects some kernel structure offsets for later use.

After these checks pass, the sample starts the exploit code, which first dynamically locates the address of the HmValidateHandle function and hooks the USER32!xxxClientAllocWindowClassExtraBytes callback.

The code then registers two window classes: one, called "magicClass", is used to create the vulnerability window, and the other, called "normalClass", is used to create ordinary windows that assist the subsequent arbitrary address write.

Next, the code creates 10 windows from normalClass, calls HmValidateHandle to leak the addresses of the user-mode tagWND structures of these windows and the offset member in the structure, then destroys the third through tenth windows, leaving only window 0 and window 1.

If the current environment is 64-bit, it calls NtUserConsoleControl to switch the flag of window 0 from pointer to offset, so that the kernel tagWND structure of window 0 is addressed by offset, while window 1 is still addressed by pointer.

The code then creates window 2 with window extra memory of a specific length, which triggers the xxxClientAllocWindowClassExtraBytes callback during creation and enters the custom callback function. The custom function first checks whether the current window extra memory length is the specific length and then whether the current environment is x64. After these checks pass, it calls NtUserConsoleControl to switch the kernel tagWND structure of window 2 to offset addressing, then calls NtCallbackReturn to change the offset of window 2's window extra memory to the offset of window 0's tagWND. As a result, subsequent reads and writes of window 2's window extra memory read and write the tagWND structure of window 0, and at this point the vulnerability has been successfully exploited.

After the callback returns, the code can modify kernel tagWND members of window 0 with SetWindowLongW.

The code first calls SetWindowLongW to set the cbWndExtra of window 0 to 0xFFFFFFF, giving window 0 the ability to write out of bounds. It then uses window 0 to set dwStyle |= WS_CHILD on window 1, replaces the original spmenu of window 1 with fake_spmenu, and builds the arbitrary address read and write primitives on top of fake_spmenu.

The code's arbitrary address read primitive is built on fake_spmenu and implemented with GetMenuBarInfo, reading the tagMenuBarInfo.rcBar.left and tagMenuBarInfo.rcBar.top members. This approach has not been publicly used before, but is similar to the idea presented in the 2016 ZeroNights talk "LPE vulnerabilities exploitation on Windows 10 Anniversary Update".

The code's arbitrary address write primitive uses window 0 and window 1 and is wrapped in SetWindowLongPtrA; the specific implementation is shown below.

After constructing the arbitrary address read/write primitives, the code leaks a kernel address from the original spmenu structure of window 1, uses it to locate the EPROCESS of the current process step by step, then walks the process list to find the Token pointer of the System process and the address where the Token is stored in the current process's EPROCESS, and overwrites the current process's Token with that of the System process.

After escalation, the code uses the arbitrary address write primitive to restore the previously modified members of window 0, window 1 and window 2, such as the original spmenu and the flag that caused the vulnerability, ensuring there is no blue screen after exploitation. The whole exploit process is very stable.

0x04 Conclusion

This vulnerability is caused by the callback mechanism in the win32k subsystem, and can be used to escape sandboxed environments such as IE and Adobe Reader. The quality of the vulnerability is high and the in-the-wild sample's exploitation is superb. The threat group may have recruited members with considerable skill, and purchase from professional vulnerability brokers cannot be ruled out. The use of this in-the-wild sample reflects the strong 0Day reserve of the APT organization behind it.

06 Summary and reflections

0Day vulnerabilities play an important role on the covert battlefield of cyberspace. As the strategic reserve of an attack organization, a 0Day has a special mission and strategic significance, and to get full value from it, it is only used under very special target conditions.

With the continuing maturity of software and hardware and the improvement of defense systems, the cost of discovering and exploiting 0Days in some key software, hardware and systems has become very high, and the conditions for using them have become more stringent. For example, over the years vendors have strengthened their investment in and ability to detect APT attacks, making APT organizations more cautious in their use of 0Days: a little carelessness shortens the useful life of a 0Day.

0Day is still a "nuclear weapon", and discovery does not necessarily come from direct detection; it may come from clues seen among other clues. The most direct example is the remote code execution vulnerability exploited by EternalBlue, which lay hidden for a long time before it was exposed.

Improving the ability to detect 0Day and other covert attacks remains an important link that needs continuous improvement in the APT confrontation.

The production of 0Days will not stop, and attacks using vulnerabilities will not stop. Last year (2020) a number of in-the-wild attacks involving 0Day/1Day vulnerabilities were exposed; Anheng Threat Intelligence Center alone tracked 3 cases, and at least 10 cases of in-the-wild exploitation were disclosed worldwide. Judging from the trend of disclosed vulnerabilities, browser, sandbox escape and privilege escalation vulnerabilities will further increase.

Besides exploitation on endpoints, boundary systems, critical equipment and centralized control systems are also points of concern, and there were a number of such security incidents last year. Among them, boundary security protection systems deserve more attention, and their own quality needs to be strengthened and guaranteed.

Not being found does not mean not existing; it may be more likely that it lies dormant. The discovery, detection and defense of advanced threats, covert attacks and 0Day attacks need to be strengthened iteratively over the course of the contest. We need to actively think about how to build the defense system, defense capability and defense posture at every link, block and point. Network security still has a long way to go.

07 Self-examination scheme

By default, samples from this Bitter APT attack are stored in the following directory:

C:\intel\logs

If relevant directories or files are found during self-inspection, users can submit samples to the Anheng Threat Intelligence Center platform for testing at:

https://ti.dbappsecurity.com.cn/

You can also contact us to handle it.

Contact information: 6059 110

Customers who have purchased the Anheng APT attack warning platform can upload samples directly for testing.

Attackers use 0Day privilege escalation to obtain more and higher permissions, for example to prepare for lateral movement within the intranet. If an unfamiliar VPN program is found at the same time, the risk of lateral movement within the organization's intranet cannot be ruled out.

08 Defense recommendations

Upgrade the Anheng APT attack warning platform and the Mingyu host security and management system (EDR) to the latest version for detection.

Please confirm that you have the latest version:

1. The APT attack warning platform version is greater than or equal to V2.0.66.23509.210119

2. The EDR version is greater than or equal to v2.0.15.34

The Anheng APT attack early warning platform can detect known or unknown threats, monitor, capture and analyze malicious files or programs in real time, and closely monitor malicious samples at each stage: mail delivery, vulnerability exploitation, installation and implantation, command-and-control callbacks and related Trojans. The platform performs in-depth analysis of network traffic through bidirectional traffic analysis, machine learning, efficient sandbox dynamic analysis, a rich signature library, comprehensive detection strategies and large-scale threat intelligence. Its detection capability covers the whole APT attack chain and effectively finds APT attacks, unknown threats and the network security events users care about.

The Anheng Mingyu host security and management system is a host security product that integrates system hardening and protection, network hardening and protection and other functions. Its advanced threat module is designed for attack and defense scenarios; the system has industry-leading ransomware protection and anti-kill capability through a self-developed, patented file decoy engine; it achieves network isolation and protection through kernel-level east-west traffic isolation; and it provides patch management, peripheral device control, document auditing, detection and blocking of unauthorized outbound connections and other host security capabilities. The product is currently widely used in server, desktop PC, virtual machine, industrial control system, container security, attack and defense confrontation and other scenarios.

09 Detection strategy

YARA

rule apt_bitter_win32k_0day {
    meta:
        author = "dbappsecurity_lieying_lab"
        date = "2021-01-01"
    strings:
        $s1 = "NtUserConsoleControl" ascii wide
        $s2 = "NtCallbackReturn" ascii wide
        $s3 = "CreateWindowEx" ascii wide
        $s4 = "SetWindowLong" ascii wide
        $a1 = {48 C1 E8 02 48 C1 E9 02 C7 04 8A}
        $a2 = {66 0F 1F 44 00 80 3C 01 E8 74 22 FF C2 48 FF C1}
        $a3 = {48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1}
    condition:
        uint16(0) == 0x5a4d and all of ($s*) and 1 of ($a*)
}
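To see what the rule above actually requires of a file, here is an added pure-Python evaluator of its condition (example code, not the yara library or the authors' tooling) that also reports which strings and hex patterns hit, which is useful when tuning the rule against false positives. The MZ check, the four "ascii wide" strings and the three hex patterns are taken from the rule; the test buffers it builds are constructed, not real samples.

```python
"""Pure-Python check mirroring the condition of the YARA rule above (constructed helper,
not the yara library; for understanding the rule and sanity-checking it offline)."""

MZ_MAGIC = 0x5A4D  # uint16(0) == 0x5a4d: the little-endian "MZ" header of a PE file

# $s1..$s4 from the rule; "ascii wide" means each may appear as ASCII or UTF-16LE
S_STRINGS = ["NtUserConsoleControl", "NtCallbackReturn", "CreateWindowEx", "SetWindowLong"]

# $a1..$a3 from the rule (plain hex, no wildcards, so a byte-substring search suffices)
A_PATTERNS = [
    "48 C1 E8 02 48 C1 E9 02 C7 04 8A",
    "66 0F 1F 44 00 80 3C 01 E8 74 22 FF C2 48 FF C1",
    "48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1",
]


def hex_pattern(text: str) -> bytes:
    """Turn a YARA-style hex string into the byte sequence it matches."""
    return bytes.fromhex(text.replace(" ", ""))


def string_hits(data: bytes) -> dict:
    """Which $s strings are present, and in which encodings ("ascii", "wide" or both)."""
    hits = {}
    for s in S_STRINGS:
        forms = []
        if s.encode("ascii") in data:
            forms.append("ascii")
        if s.encode("utf-16-le") in data:
            forms.append("wide")
        hits[s] = forms
    return hits


def pattern_hits(data: bytes) -> list:
    """Indices of the hex patterns present (0..2 correspond to $a1..$a3)."""
    return [i for i, p in enumerate(A_PATTERNS) if hex_pattern(p) in data]


def matches_rule(data: bytes) -> bool:
    """Evaluate: uint16(0) == 0x5a4d and all of ($s*) and 1 of ($a*)."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != MZ_MAGIC:
        return False
    if not all(string_hits(data).values()):  # every $s must hit in at least one encoding
        return False
    return len(pattern_hits(data)) >= 1


def build_sample(wide: bool, with_code: bool) -> bytes:
    """Constructed test buffer (not a real PE): MZ header, the import names, optional code bytes."""
    buf = b"MZ" + b"\x00" * 62
    for s in S_STRINGS:
        buf += (s.encode("utf-16-le") if wide else s.encode("ascii")) + b"\x00\x00"
    if with_code:
        buf += b"\x90" * 16 + hex_pattern(A_PATTERNS[1]) + b"\x90" * 16
    return buf
```

Because the condition needs all four import names plus one code pattern, a binary that merely imports these common user32 functions does not match: `matches_rule(build_sample(wide=False, with_code=False))` is False.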
