DMA - CanSecWest


DMA: Skeleton key of computing
&& selected soap box rants
David Maynor
X-Force Advanced R&D
Copyright © 2003 Internet Security Systems, Inc. All rights reserved worldwide.
© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.
DMA
(Direct Memory Access)
But first,
I digress.
<SOAPBOX>
I started auditing for software vulns late in the
game.
By the time I started simple stack overflows were
all but gone.
Heap exploits are all the rage…
Strcpy, sprintf, and friends are all but extinct…
There is no joy in Mudville tonight…
Although they still pop up from time to time…
*COUGH*COUGH*MSMQ*COUGH*COUGH*
for mighty Casey has struck out.
THE MSMQ BUG OF MS05-017 FAME!
Pretty ain’t it?
But if you know the right people…
You will hear stories…
Nothing more than whispers…
Of a magical place…
Where these types of overflows are plentiful…
Device Drivers
!!!
(APPLAUSE)
A long, long time ago...
• %s format specified, eax is user controlled buffer
I can still remember
• Buffer size is 64, format specified is %s%s,
off_22e48 is from user controllable data.
How that music used to make me smile.
• Format is %d//%s, EAX is user controllable data.
And I knew if I had my chance
• Format is <string>//%s, eax is user controllable
That I could make those people dance
• [ebp+arg_18] is user controllable data
And, maybe, they’d be happy for a while.
• Format is %d//%s:%s, [ebp-1B0h] and [ebp1ACh] are both user controllable buffers
So bye-bye, miss american pie.
• Format is %s, eax is user controllable.
Drove my chevy to the levee,
But the levee was dry.
• edi is 32 bytes, [ebp+user_buf] is user
controllable.
And them good old boys were drinkin’
whiskey and rye
• edi is user controllable buffer
Singin’, this’ll be the day that I die.
• esi is a user controllable buffer
This’ll be the day that I die.
• eax is 1024 bytes long, format is %d//%s,
[ebp+7Ch] is user controllable
SOME OF THESE EXAMPLES WERE OBFUSCATED IN
IDA TO MAKE FINDING THEM A BIT DIFFICULT.
ISS generally won’t release details on vulns.
Especially since the vendor hasn’t been notified yet.
They are supposed to show the current state of device driver
security.
HI WINDOW!
Now before you blame Microsoft…
It is not completely their fault…
Open source projects like Linux/FreeBSD have some of the
same problems.
A lot of the examples shown were from 3rd party drivers…
But Microsoft is not without fault…
Are you free for dinner this week?
• What don’t you see?
Just joking…
• eax is a user controllable buffer.
What I mean by user controllable
Data that comes from something that a user could
influence or directly control if they masquerade
as a device or modify how a device works.
An example is self identifying devices that send a
vendor string when plugged in.
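To make the pattern behind the findings above concrete, here is an added example in C (not code from the talk or from any audited driver): the 64-byte buffer with a "%s%s" format from the findings, fed by device-supplied vendor and product strings, beside a hardened version that checks the descriptor's claimed length against what actually arrived and bounds the format. The `dev_string` layout, `build_name_safe` and `make_string` are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* the fixed 64-byte buffer seen in the audited driver */

/* Constructed model of a string descriptor as a device reports it: the
 * claimed length and the bytes both come from the device, so neither is
 * trustworthy from the driver's point of view. */
struct dev_string {
    uint8_t bLength;    /* length the device claims */
    char    data[255];  /* bytes actually received */
    size_t  received;   /* how many bytes actually arrived */
};

/* The pattern from the findings: fixed buffer, "%s%s", operands straight
 * from the device. Left here for comparison only; it is never called. */
void build_name_unsafe(char out[NAME_BUF], const char *vendor, const char *product)
{
    sprintf(out, "%s%s", vendor, product);  /* no bound on either operand */
}

/* Copy a device string into a bounded buffer only if its claimed length matches
 * what arrived, fits the destination and is printable ASCII. 0 = ok, -1 = rejected. */
static int validate_string(const struct dev_string *s, char *copy, size_t copy_len)
{
    if (s->bLength == 0 || s->bLength > s->received || s->bLength >= copy_len)
        return -1;
    for (size_t i = 0; i < s->bLength; i++) {
        unsigned char c = (unsigned char)s->data[i];
        if (c < 0x20 || c > 0x7e)
            return -1;
    }
    memcpy(copy, s->data, s->bLength);
    copy[s->bLength] = '\0';
    return 0;
}

/* Hardened form: validate both operands, format with an explicit bound and
 * treat truncation as a failure instead of a silently mangled name. */
int build_name_safe(char out[NAME_BUF], const struct dev_string *vendor,
                    const struct dev_string *product)
{
    char v[NAME_BUF], p[NAME_BUF];
    if (validate_string(vendor, v, sizeof v) != 0 ||
        validate_string(product, p, sizeof p) != 0)
        return -1;
    int n = snprintf(out, NAME_BUF, "%s%s", v, p);
    if (n < 0 || (size_t)n >= NAME_BUF) {  /* would not fit the 64-byte buffer */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build a descriptor from a C string with an arbitrary claimed length, so a lying device can be simulated. */
struct dev_string make_string(const char *text, uint8_t claimed)
{
    struct dev_string s;
    memset(&s, 0, sizeof s);
    size_t n = strlen(text);
    if (n > sizeof s.data) n = sizeof s.data;
    memcpy(s.data, text, n);
    s.received = n;
    s.bLength = claimed;
    return s;
}

int main(void)
{
    char out[NAME_BUF];
    struct dev_string v = make_string("Acme", 4), p = make_string(" Widget", 7);
    printf("honest device: %d -> \"%s\"\n", build_name_safe(out, &v, &p), out);
    struct dev_string lie = make_string("Acme", 40);   /* claims more than it sent */
    printf("lying device:  %d\n", build_name_safe(out, &lie, &p));
    return 0;
}
```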
Why does this happen?
• In order to exploit most device drivers you must
have physical access to the system
• There are exceptions
– Wireless drivers
– Bluetooth drivers
– Network Drivers
• Where else to look?
– File system
– Peripheral drivers
– Anything in \WINDOWS\System32\Drivers
Is exploiting them possible?
• It seems that many device driver writers don’t
care much about security, much like video
game developers.
• They trust the input they receive far too much.
• If exploited, the attacker is now in ring0; doing
useful stuff can be tricky, but not hard.
• If you mess up it’s normally blue screen city.
• With devices becoming more complex, the
drivers are doing more.
• “I think this year or next year exploiting device
drivers will be all the rage!” –Maximillian Dornseif
(while eating a lot of meat and drinking beer)
• I am confident all the examples shown can lead to
exploitable conditions.
• These conditions may be local/remote/physical
access.
• The possibility for local privilege escalation is
astounding.
Fixing?
• Device driver writers will need to become as
proficient at defensive programming techniques
as any other developer.
• Trusted computing models that include
everything being “sandboxed” will help.
• More stack/heap protection to be extended to
device drivers.
• It finally boils down to human error.
Question to ask Microsoft:
Will the device driver signing program include
checks for security related problems like buffer
overflows?
BTW
• What is the deal with hardware and software
designers wanting to make more protocols IP
friendly like RDMA and iSCSI?
• Does this seem like a bad idea to anyone else?
</SOAPBOX>
Back to DMA
Physical hardware access…
• Mudge, SUN, Forth, physical access
– http://www.phrack.org/show.php?p=53&a=9
• NSA fears Furbies!!
– http://www.cnn.com/US/9901/13/nsa.furby.ban.01/
What does a standard business computer
look like?
1U rackmount server
• 4 USB ports
• 2 RJ-45 Ethernet ports
• SATA hard drive
• ATI RAGE chipset
What does a standard business computer
look like?
Laptop
• 2 USB ports – Intel 82801DB Host controller
• Generic PCMCIA (Cardbus) controller
• 1 Network adapter - Broadcom
• 1 sound card - Sigmatel
• 1 ATI Mobility Radeon 9000
Why do you care?
• Most people think about attacks at the OS level
and above with no thought to below.
Increased complexity
• You no longer have 1 computer
• You have a complex system made up of many
different smaller systems.
• These systems are upgradeable, updateable, and
programmable…and hackable.
• One of the most complicated subsystems, the
video card.
• GART
What can you do to video cards?
• Overclock them via software, hack firmware,
change factory settings, in general “tweak them”
• http://www.rage3d.com/r3dtweak/
Why do you care?
• Video cards, a subsystem of your computer, can
be manipulated to do things that were never
intended.
• What other things can be manipulated?
• What can be achieved?
• How?
What other components are complex?
• Nvidia – building more and more complex
software into hardware – Active Armor and
nForce.
Bus Mastering
Bus Mastering
• DMA is one form of bus mastering
– Bus master refers to the device that controls the
system bus
– DMA is a simple form that allows for the setup of
memory transfers without the need for the CPU.
– In these cases another device takes control of the
System Bus. The device signals the CPU when the
transfer is complete.
What is DMA?
• It really is Direct Memory Access.
– Designed to allow components and subsystems to access system
memory for read/write without using CPU time.
• Used in USB, PCMCIA (Cardbus), disk controllers, video
and sound cards, and FireWire.
• Think of it as how things get done inside your pc.
• Requires DMA controller to work
• Requires “bus request” to start transfer.
• System DMA vs. Bus Master DMA
• DMA deals with physical memory
• Most transfers are done in direct mode
What is DMA?
• CPU is oblivious to DMA activities
• Requires large contiguous physical memory regions, no
page mapping on the host.
• Scatter/Gather can be used to avoid the problem of not
enough contiguous memory
• Most OSes implement this at the driver level and include
their own API for developing DMA applications, you don’t
have to use these.
• In fact, without using the provided tools it’s much easier to
coerce the machine into doing bad things.
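As an added example (not code from the talk), the following C models the scatter/gather step described above: a driver turns a virtual buffer into a list of physically contiguous runs for a bus-mastering device, merging adjacent pages, and refuses any element that would leave a driver-defined physical window before the addresses reach the hardware. The page table, the `dma_window` check and the `build_sg_list` name are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define PAGE_SIZE 4096u
#define MAX_SEGS  16

/* One scatter/gather element: a physically contiguous run the device can
 * read or write on its own, since DMA only sees physical memory. */
struct sg_elem {
    uint64_t phys;
    uint32_t len;
};

/* Constructed page table: virtual page i of the buffer lives in physical
 * page phys_pages[i]. Assumed layout, not any real OS structure. */
struct page_map {
    uint64_t        virt_base;
    const uint64_t *phys_pages;
    size_t          nr_pages;
};

/* Physical range the device may touch. Checking every element against it
 * before programming the hardware is a software stand-in for the protection
 * the talk notes is otherwise absent (assumed, not from the talk). */
struct dma_window { uint64_t start, end; };

/* Translate [vaddr, vaddr+length) into a scatter/gather list, merging pages
 * that are physically adjacent so fewer elements are needed. Returns the
 * element count, or -1 if the range is unmapped, needs more than max_segs
 * elements, or would leave the window. */
int build_sg_list(const struct page_map *pm, const struct dma_window *win,
                  uint64_t vaddr, uint32_t length,
                  struct sg_elem *out, int max_segs)
{
    int n = 0;
    uint64_t cur = vaddr, end = vaddr + length;
    while (cur < end) {
        if (cur < pm->virt_base) return -1;
        uint64_t vpn = (cur - pm->virt_base) / PAGE_SIZE;
        if (vpn >= pm->nr_pages) return -1;                 /* not mapped */
        uint32_t off   = (uint32_t)(cur % PAGE_SIZE);
        uint32_t chunk = PAGE_SIZE - off;                   /* rest of this page */
        if (chunk > end - cur) chunk = (uint32_t)(end - cur);
        uint64_t phys = pm->phys_pages[vpn] * PAGE_SIZE + off;
        if (phys < win->start || phys + chunk > win->end)
            return -1;                                      /* outside the window */
        if (n > 0 && out[n - 1].phys + out[n - 1].len == phys) {
            out[n - 1].len += chunk;                        /* contiguous: extend */
        } else {
            if (n == max_segs) return -1;                   /* too fragmented */
            out[n].phys = phys;
            out[n].len  = chunk;
            n++;
        }
        cur += chunk;
    }
    return n;
}

int main(void)
{
    /* constructed mapping: pages 0-1 adjacent, pages 2-4 adjacent, a gap between */
    const uint64_t pages[5] = { 10, 11, 30, 31, 32 };
    struct page_map pm = { 0x10000, pages, 5 };
    struct dma_window win = { 0, 0x100000 };
    struct sg_elem sg[MAX_SEGS];
    int n = build_sg_list(&pm, &win, 0x10800, 12288, sg, MAX_SEGS);
    for (int i = 0; i < n; i++)
        printf("elem %d: phys=0x%llx len=%u\n", i, (unsigned long long)sg[i].phys, sg[i].len);
    return 0;
}
```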
What is DMA
• Not using the provided APIs increases
complexity greatly and will slow down
development.
• I use a happy medium approach.
• There isn’t really much in the way of security.
(we are not currently discussing XP SP2 with DEP)
How is DMA implemented?
• Depends on the OS?
– Windows XP
– Linux
– OSX
How does DMA work?
Transports that use DMA
• USB
– Easiest to access
– A bit tricky to exploit
• PCMCIA
– Easy to access on laptops.
– Building an exploit device may be expensive and require
specialized knowledge.
• AGP
– Can use the video card to do a DMA transfer into system memory.
• Disk Controllers
– Hardest to access
Owning over USB
• How does USB work?
– Universal Serial Bus
– Devices are self identifying.
– This allows specific types of devices to be handled
by specific drivers.
– Types of devices are HID, Communication, Mass
Storage, Audio, and Streams, Chip/Smart card reader,
Content Security, Device firmware upgrade.
– Supports several different topologies.
– Packet oriented protocol that is reminiscent of IP.
What does USB look like?
More USB stuff
More about USB.
• What is a root hub?
– Has one or more interfaces; detects attachment and
removal of devices.
– Typical USB is master/slave relationship.
– Root hub initiates connection and transfers by polling
device at a set interval for data to be processed.
• What is a host controller
– EHCI vs. OHCI vs. UHCI.
• EHCI – Enhanced Host Controller Interface – used by high
speed controllers.
More about USB.
• UHCI – Universal Host Controller Interface – more software
oriented, relies more heavily on drivers.
• OHCI – Open Host Controller Interface – more reliance on
hardware with minimum software intervention.
• OHCI is the preferred controller for exploitation
since it has the least amount of “sanity” checks in
software and the majority of the operations are
left up to hardware.
Why are DMA attacks over USB hard?
• Roothub
– In the master/slave architecture the host’s root hub
controls reads/writes without giving the peripheral
device a chance to.
– The root hub is the only initiator of transfers, polling
periodically at a set interval to check if the peripheral has
data to transfer.
• Because the roothub is the only initiator a lot of
people say that USB can’t be exploited.
USB Stuff
• On-The-Go
– Limited peer-to-peer functionality added in USB 2.0
– For devices like cameras communicating with printers.
• OHCI
– Less sanity checking, better for attackers
• Other possible methods?
– Exploiting device drivers
– Confusion with certain aspects
• Current shellcode just creates a window on the
target machine.
USB Infoz
What does it look like?
I should note…
• This method is not as reliable as I had originally
thought.
• I search through memory looking for the SEH struct
and overwrite the unhandled exception filter
with what I think is the address of my shellcode
• There are several problems with it.
– What process am I in?
– Is it the correct address for shellcode?
– Since I have now mucked with every SEH on the box,
it dies pretty quickly. BLUESCREEN CITY!
Things to make it more reliable?
• Need to be able to map the virtual address to a
physical address (this is very time consuming to
develop)
• Better ability to detect OS version and patch level
– Very small things can interfere with this.
• Service pack independent shellcode.
What can’t be owned over USB?
What other transports can be easily attacked?
PCMCIA
PCMCIA…err…Cardbus
• Often what people think is PCMCIA is actually
cardbus.
• PCMCIA supports a 16-bit bus vs. the 32-bit
Cardbus bus.
• Cardbus cards and PCMCIA cards are not
always interchangeable.
Which do you have?
Exploiting Cardbus
• Need a device
– Network card
– Gps card
• Need a target
– A process that is always running, winlogon seems to
work
Other vectors?
• How about an untraceable rootkit that survives
reboots and reinstalls?
• Let’s revisit video cards…
– Powerful GPU
– Loads of memory
– Upgradeable firmware
– AGP utilizes DMA access
Patch video card firmware
• It’s not easy.
• There is a very good chance you can ruin the card.
• It will survive reinstalls and reboots because
neither affects the firmware of the card.
• To remove it, a clean firmware update should be
applied.
• Requires extensive knowledge of the card
controller and corresponding asm.
More vectors
• Brainstorming…
– NICs
– Soundcards
– Virtual Machines
– RDMA
Questions, comments, suggestions