2025-01-20 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail a defect in how operating systems handle the MOV SS/POP SS instructions. The content is of high quality, so the editor shares it here as a reference; after reading it you should have a basic understanding of the relevant knowledge.
0x00 Vulnerability description
Operating system developers did not correctly handle a statement in the system programming guide of the Intel 64 and IA-32 Architectures Software Developer's Manual: a #DB exception deferred by a MOV SS or POP SS instruction can lead to unexpected behaviour, crashing the operating system or even being used for privilege escalation (CVE-2018-8897). A similar problem exists in KVM (CVE-2018-1087). The vulnerability has a wide impact and its severity is rated important.
0x01 Vulnerability impact
The vulnerability affects modern mainstream operating system kernels such as Windows, macOS, FreeBSD and Linux, as well as virtualization systems such as KVM and Xen.
0x02 Technical details
Suppose the following two instructions are executed in sequence: mov ss, [rax] followed by int 3.
At the same time, a hardware access breakpoint has been set on the address held in rax, so the mov ss, [rax] instruction triggers this hardware access breakpoint.
Because the mov ss and pop ss instructions defer exceptions and interrupts, the mov ss, [rax] instruction raises a hardware debug exception (#DB), but its delivery is held pending until the next instruction has executed. When the int 3 instruction executes, the int 3 trap is serviced first: the CPU switches into the kernel and enters the handler for IDT vector 3. The int 3 handler checks whether the trap came from R3 or R0 and, if it came from R3, swaps GS.
But a debug exception is also still pending at that moment, so before the first instruction of the int 3 handler runs, the handler for IDT vector 1 is invoked immediately, and GS has not yet been swapped. Vector 1 is an interrupt gate, and the code it interrupts is the int 3 handler, which runs at R0, so it keeps the existing GS. As a result the GS base set in user mode is used inside a kernel-mode exception handler, which can have unintended consequences.
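As an added illustration (not code from the advisory or from any real kernel), the following C model replays the sequence above and contrasts a kernel-entry check based only on the origin privilege level with one that inspects the GS base itself, as Linux's paranoid entry path does; all register values are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of the CPU and kernel-entry state involved in the MOV SS / POP SS #DB
   deferral described above. Constructed for illustration; not advisory or kernel code. */
enum { CPL_KERNEL = 0, CPL_USER = 3 };

typedef struct {
    int cpl;                  /* privilege level of the code currently running */
    uint64_t gs_base;         /* active GS base register */
    uint64_t kernel_gs_base;  /* value SWAPGS exchanges with gs_base */
} cpu_t;
#define KERNEL_GS 0xffff880000000000ULL /* constructed: kernel bases are negative as int64 */
#define USER_GS   0x00007fff00000000ULL /* constructed: user bases are non-negative */

static void swapgs(cpu_t *c) {
    uint64_t t = c->gs_base; c->gs_base = c->kernel_gs_base; c->kernel_gs_base = t;
}

/* Entry logic that swaps GS only when the trap came from ring 3. Correct for a normal
   entry, but blind to the case where GS still holds the user base although CPL is 0. */
static void entry_by_origin_cpl(cpu_t *c, int origin_cpl) {
    if (origin_cpl == CPL_USER) swapgs(c);
}

/* Entry logic that inspects the GS base itself (the approach of Linux's paranoid entry):
   a non-negative base can only be a user base, so swap regardless of origin CPL. */
static void entry_by_gs_base(cpu_t *c) {
    if ((int64_t)c->gs_base >= 0) swapgs(c);
}

/* Replay the page's sequence: mov ss, [rax] (optionally hitting a hardware access
   breakpoint), then int 3. Returns true if the first kernel handler to run actually
   has the kernel GS base, false if it runs on the user-controlled one. */
static bool kernel_gs_active_in_first_handler(bool breakpoint_armed, bool check_gs_base) {
    cpu_t c = { .cpl = CPL_USER, .gs_base = USER_GS, .kernel_gs_base = KERNEL_GS };
    bool db_pending = breakpoint_armed;     /* #DB is deferred past the next instruction */
    /* int 3: the CPU enters ring 0 via IDT vector 3 */
    int int3_origin = c.cpl;
    c.cpl = CPL_KERNEL;
    if (db_pending) {
        /* The deferred #DB is delivered before the int 3 handler's first instruction,
           so vector 1 sees a ring-0 origin and the int 3 prologue has not swapped GS. */
        int db_origin = c.cpl;
        if (check_gs_base) entry_by_gs_base(&c); else entry_by_origin_cpl(&c, db_origin);
    } else {
        /* Normal path: the int 3 handler prologue runs and swaps GS for a ring-3 origin. */
        entry_by_origin_cpl(&c, int3_origin);
    }
    return c.gs_base == KERNEL_GS;
}
```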
The following is a brief analysis of the key points of the privilege-escalation exploit code for Windows that was published on GitHub.
When Windows crashes, KeBugCheckEx calls RtlCaptureContext and KiSaveProcessorControlState, which gives us a chance to take over the program's control flow.
If we set a hardware access breakpoint at gs:20h+0x40+0xA0 through the DR registers (the offset given by the author is gs:20h+0x100+0xA0), execution enters KiDebugTrapOrFault -> KeBugCheckEx -> RtlCaptureContext, and the user-space thread reads RSP once; execution then continues KiDebugTrapOrFault -> ... -> RtlCaptureContext, and the user-space thread reads RSP again. Because the process is the same each time, the RSP value at the next call to RtlCaptureContext can be calculated from the difference between the two RSP values; that value minus 0x8 is the location where the return pointer is stored.
Next, we construct a ROP chain that disables SMEP and jumps to the shellcode; the chain is stored in XMM13-XMM15.
The location where the return pointer is stored, minus the offset of XMM13 within the CONTEXT structure, was placed earlier in the forged PCR structure, so when RtlCaptureContext writes XMM13-XMM15 into the CONTEXT, the ROP chain overwrites the return pointer and the shellcode is executed. After successful exploitation the effect is as follows.
0x03 Remediation recommendations
A number of affected vendors have already released patches, and 360CERT recommends that all users follow the vendors' instructions and update in order to defend against attacks exploiting this vulnerability.
Apple: https://support.apple.com/en-us/HT208742
FreeBSD Project: https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc
Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897
Red Hat: https://access.redhat.com/security/vulnerabilities/pop_ss
Ubuntu: https://usn.ubuntu.com/3641-1/
Ubuntu: https://usn.ubuntu.com/3641-2/
Xen: https://xenbits.xen.org/xsa/advisory-260.html
Linux Kernel: https://patchwork.kernel.org/patch/10311005/
Linux Kernel: https://patchwork.kernel.org/patch/10310757/
This concludes the discussion of the defect in how operating systems handle the MOV SS/POP SS instructions; I hope the content above is of some help to you.