© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.Copyright © 2003 Internet Security Systems, Inc. All rights reserved worldwide.
DMA: Skeleton key of computing && selected soap box rants
David Maynor, X-Force Advanced R&D
DMA (Direct Memory Access)
But first, I digress.
<SOAPBOX>
I started auditing for software vulns late in the game.
By the time I started simple stack overflows were all but gone.
Heap exploits are all the rage…
Strcpy, sprintf, and friends are all but extinct…
There is no joy in Mudville tonight…
Although they still pop up from time to time…
*COUGH*COUGH*MSMQ*COUGH*COUGH*
for mighty Casey has struck out.
THE MSMQ BUG OF MS05-017 FAME! Pretty ain’t it?
But if you know the right people… You will hear stories…
Nothing more than whispers… Of a magical place…
Where these types of overflows are plentiful…
Device Drivers!!!
(APPLAUSE)
A long, long time ago...
• %s format specified, eax is user controlled buffer
I can still remember
• Buffer size is 64, format specified is %s%s, off_22e48 is from user controllable data.
How that music used to make me smile.
• Format is %d//%s, EAX is user controllable data.
And I knew if I had my chance
• Format is <string>//%s, eax is user controllable
That I could make those people dance
• [ebp+arg_18] is user controllable data
And, maybe, they’d be happy for a while.
• Format is %d//%s:%s, [ebp-1B0h] and [ebp-1ACh] are both user controllable buffers
So bye-bye, miss american pie.
• Format is %s, eax is user controllable.
Drove my chevy to the levee, But the levee was dry.
• edi is 32 bytes, [ebp+user_buf] is user controllable.
And them good old boys were drinkin’ whiskey and rye
• edi is user controllable buffer
Singin’, this’ll be the day that I die.
• esi is a user controllable buffer
This’ll be the day that I die.
• eax is 1024 bytes long, format is %d//%s, [ebp+7Ch] is user controllable
SOME OF THESE EXAMPLES WERE OBFUSCATED IN IDA TO MAKE FINDING THEM A BIT DIFFICULT.
ISS generally won’t release details on vulns.
Especially since the vendor hasn’t been notified yet.
They are supposed to show the current state of device driver security.
HI WINDOW!
Now before you blame Microsoft…
It is not completely their fault…
Open-source projects like Linux/FreeBSD have some of the same problems.
A lot of the examples shown were from 3rd party drivers…
But Microsoft is not without fault…
Are you free for dinner this week?
• What don’t you see?
Just joking…
• eax is a user controllable buffer.
What I mean by user controllable
Data that comes from something that a user could influence or directly control if they masquerade as a device or modify how a device works.
An example is self identifying devices that send a vendor string when plugged in.
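As an added illustration of this definition (example code written for this page, not from the talk or from any ISS driver): a driver routine that formats a device-supplied vendor string into a fixed 64-byte buffer in the sprintf style the IDA captions above describe, next to a version that bounds and validates the device data before touching it. The function names, the 32-byte vendor limit and the unit/vendor parameters are assumptions of the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define NAME_BUF_LEN   64   /* fixed-size destination, as in the 64-byte slide example */
#define MAX_VENDOR_LEN 32   /* hypothetical limit a driver imposes on a vendor string */

/* Pattern behind the captions above: the driver formats "%d//%s" into a fixed
 * buffer and trusts the length of the vendor string. The vendor string comes
 * from the device (or from anything masquerading as one), so a long string
 * runs past the end of buf. Kept only to show the defect; never call it with
 * device data. */
void format_device_name_unsafe(char buf[NAME_BUF_LEN], int unit, const char *vendor)
{
    sprintf(buf, "%d//%s", unit, vendor);        /* no bound on vendor */
}

/* Hardened form. vendor_len is the byte count the transport actually delivered
 * (device data need not be NUL-terminated, so strlen() is not trusted either).
 * Returns 0 on success and -1 if the device data is rejected; buf is then empty. */
int format_device_name_safe(char buf[NAME_BUF_LEN], int unit,
                            const char *vendor, size_t vendor_len)
{
    buf[0] = '\0';
    if (vendor == NULL || vendor_len > MAX_VENDOR_LEN)
        return -1;
    for (size_t i = 0; i < vendor_len; i++) {
        unsigned char c = (unsigned char)vendor[i];
        if (c < 0x20 || c > 0x7e)                /* printable ASCII only, no NULs */
            return -1;
    }
    /* %.*s bounds the read of vendor; the size argument bounds the write. */
    int n = snprintf(buf, NAME_BUF_LEN, "%d//%.*s", unit, (int)vendor_len, vendor);
    if (n < 0 || n >= NAME_BUF_LEN) {            /* would have been truncated */
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[NAME_BUF_LEN];
    /* Constructed device strings: one well-formed, one oversized. */
    const char good[] = "ACME USB";
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("good:      %s\n",
           format_device_name_safe(name, 3, good, strlen(good)) == 0 ? name : "(rejected)");
    printf("oversized: %s\n",
           format_device_name_safe(name, 3, oversized, strlen(oversized)) == 0 ? name : "(rejected)");
    return 0;
}
```

The point of the hardened version is that every property of the string (its length, its character set, whether it even fits the output) is decided by the driver, not by whatever is on the other end of the cable.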
Why does this happen?
• In order to exploit most device drivers you must have physical access to the system
• There are exceptions
– Wireless drivers
– Bluetooth drivers
– Network drivers
• Where else to look?
– File system
– Peripheral drivers
– Anything in \WINDOWS\System32\Drivers
Is exploiting them possible?
• It seems like more device driver writers don’t care much about security; the same goes for video game developers.
• They trust the input they receive far too much.
• If exploited, the attacker is now in ring0; doing useful stuff can be tricky, but not hard.
• If you mess up, it’s normally blue screen city.
• With devices becoming more complex, the drivers are doing more.
• “I think this year or next year exploiting device drivers will be all the rage!” –Maximillian Dornseif (while eating a lot of meat and drinking beer)
• I am confident all the examples shown can lead to exploitable conditions.
• These conditions may be local/remote/physical access.
• The possibility for local privilege escalation is astounding.
Fixing?
• Device driver writers will need to become as proficient at defensive programming techniques as any other developer.
• Trusted computing models that include everything being “sandboxed” will help.
• More stack/heap protection to be extended to device drivers.
• It finally boils down to human error.
Question to ask Microsoft: Will the device driver signing program include checks for security-related problems like buffer overflows?
BTW
• What is the deal with hardware and software designers wanting to make more protocols IP friendly like RDMA and iSCSI?
• Does this seem like a bad idea to anyone else?
</SOAPBOX>
Back to DMA
Physical hardware access…
• Mudge, SUN, Forth, physical access
– http://www.phrack.org/show.php?p=53&a=9
• NSA fears Furbies!!
– http://www.cnn.com/US/9901/13/nsa.furby.ban.01/
What does a standard business computer look like?
1U rackmount server
• 4 USB ports
• 2 RJ-45 Ethernet ports
• SATA hard drive
• ATI RAGE chipset
What does a standard business computer look like?
Laptop
• 2 USB ports – Intel 82801DB host controller
• Generic PCMCIA (CardBus) controller
• 1 network adapter – Broadcom
• 1 sound card – SigmaTel
• 1 ATI Mobility Radeon 9000
Why do you care?
• Most people think about attacks at the OS level and above with no thought to below.
Increased complexity
• You no longer have 1 computer
• You have a complex system made up of many different smaller systems.
• These systems are upgradeable, updateable, and programmable… and hackable.
• One of the most complicated subsystems: the video card.
• GART
What can you do to video cards?
• Overclock them via software, hack firmware, change factory settings, in general “tweak them”
• http://www.rage3d.com/r3dtweak/
Why do you care?
• Video cards, a subsystem of your computer, can be manipulated to do things that were never intended.
• What other things can be manipulated?
• What can be achieved?
• How?
What other components are complex?
• Nvidia – building more and more complex software into hardware – Active Armor and nForce.
Bus Mastering
• DMA is one form of bus mastering
– Bus master refers to the device that controls the system bus
– DMA is a simple form that allows for the setup of memory transfers without the need for the CPU.
– In these cases another device takes control of the system bus. The device signals the CPU when the transfer is complete.
What is DMA?
• It really is Direct Memory Access.
– Designed to allow components and subsystems to access system memory for read/write without using CPU time.
• Used in USB, PCMCIA (CardBus), disk controllers, video and sound cards, and FireWire.
• Think of it as how things get done inside your PC.
• Requires a DMA controller to work
• Requires a “bus request” to start a transfer.
• System DMA vs. Bus Master DMA
• DMA deals with physical memory
• Most transfers are done in direct mode
What is DMA?
• CPU is oblivious to DMA activities
• Requires large contiguous physical memory regions, no page mapping on the host.
• Scatter/Gather can be used to avoid the problem of not enough contiguous memory
• Most OSes implement this at the driver level and include their own API for developing DMA applications; you don’t have to use these.
• In fact, without using the provided tools it’s much easier to coerce the machine into doing bad things.
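An added example (not code from the talk) of what the scatter/gather bullet means in practice: a virtually contiguous buffer is described to a DMA engine as a list of physically contiguous segments, because DMA deals with physical addresses and the pages behind a virtual buffer need not be adjacent. Physically adjacent pages are coalesced into one entry. The page_map table standing in for a page-table walk, the 4 KiB page size, the 16-entry limit and the struct names are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE    4096u
#define MAX_SEGMENTS 16

/* One scatter/gather element: a physically contiguous run of bytes. */
struct sg_entry {
    uint64_t phys;  /* physical (bus) address the DMA engine will use */
    uint32_t len;   /* length of the run in bytes */
};

struct sg_list {
    struct sg_entry seg[MAX_SEGMENTS];
    int count;
};

/* Stand-in for a page-table walk (assumption of this example): page_map[vpn]
 * holds the physical base address of the page backing virtual page vpn;
 * 0 means "not mapped". */
static uint64_t lookup_phys_page(const uint64_t *page_map, size_t npages, size_t vpn)
{
    return vpn < npages ? page_map[vpn] : 0;
}

/* Describe the virtual range [vaddr, vaddr + len) as physically contiguous
 * segments. Adjacent physical pages are merged into one entry so the device
 * sees as few descriptors as possible. Returns the segment count, or -1 if a
 * page is unmapped or more than MAX_SEGMENTS would be needed. */
int build_sg_list(const uint64_t *page_map, size_t npages,
                  uint64_t vaddr, uint32_t len, struct sg_list *out)
{
    uint64_t cur = vaddr, end = vaddr + len;

    out->count = 0;
    while (cur < end) {
        size_t   vpn       = (size_t)(cur / PAGE_SIZE);
        uint64_t page_off  = cur % PAGE_SIZE;
        uint64_t phys_page = lookup_phys_page(page_map, npages, vpn);
        uint64_t chunk     = PAGE_SIZE - page_off;   /* bytes left in this page */

        if (phys_page == 0)
            return -1;
        if (chunk > end - cur)
            chunk = end - cur;                       /* last page: stop at len */

        struct sg_entry *prev = out->count ? &out->seg[out->count - 1] : NULL;
        if (prev && prev->phys + prev->len == phys_page + page_off) {
            prev->len += (uint32_t)chunk;            /* physically adjacent: merge */
        } else {
            if (out->count == MAX_SEGMENTS)
                return -1;
            out->seg[out->count].phys = phys_page + page_off;
            out->seg[out->count].len  = (uint32_t)chunk;
            out->count++;
        }
        cur += chunk;
    }
    return out->count;
}

int main(void)
{
    /* Constructed mapping: pages 0-1 are physically adjacent and so are pages 2-3,
     * but the pairs are far apart, so a 12 KiB buffer at 0x800 needs two segments. */
    const uint64_t page_map[4] = { 0x10000, 0x11000, 0x30000, 0x31000 };
    struct sg_list list;
    int n = build_sg_list(page_map, 4, 0x800, 3 * PAGE_SIZE, &list);

    for (int i = 0; i < n; i++)
        printf("segment %d: phys=0x%llx len=0x%x\n", i,
               (unsigned long long)list.seg[i].phys, list.seg[i].len);
    return n < 0;
}
```

The failure cases matter as much as the happy path: an unmapped page or a list that would exceed what the hardware's descriptor ring can hold must be reported before the device is ever told to start, since once the transfer is programmed the CPU is, as the slide says, oblivious.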
What is DMA?
• Not using the provided APIs increases complexity greatly and will slow down development.
• I use a happy medium approach.
• There isn’t really much in the way of security.
(we are not currently discussing XP SP2 with DEP)
How is DMA implemented?
• Depends on the OS
– Windows XP
– Linux
– OS X
How does DMA work?
Transports that use DMA
• USB
– Easiest to access
– A bit tricky to exploit
• PCMCIA
– Easy to access on laptops.
– Building an exploit device may be expensive and require specialized knowledge.
• AGP
– Can use the video card to do a DMA transfer into system memory.
• Disk controllers
– Hardest to access
Owning over USB
• How does USB work?
– Universal Serial Bus
– Devices are self identifying.
– This allows specific types of devices to be handled by specific drivers.
– Types of devices are HID, Communication, Mass Storage, Audio, Streams, Chip/Smart card reader, Content Security, Device firmware upgrade.
– Supports several different topologies.
– Packet oriented protocol that is reminiscent of IP.
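Added example, not from the talk: host-side parsing of the two descriptors a self-identifying USB device hands over during enumeration, the 18-byte device descriptor (which carries the class, vendor and product ids the OS uses to pick a driver) and a UTF-16LE string descriptor such as the vendor string. The field layout follows the USB 2.0 specification (chapter 9); the function names, the got parameter (the byte count the host controller actually transferred) and the ASCII-only policy are assumptions of the example. It is written from the defender's side: every length the device reports is checked against what was really received before it is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_DEVICE       0x01
#define USB_DT_STRING       0x03
#define USB_DEVICE_DESC_LEN 18

struct usb_device_desc {
    uint16_t bcdUSB;
    uint8_t  bDeviceClass, bDeviceSubClass, bDeviceProtocol, bMaxPacketSize0;
    uint16_t idVendor, idProduct, bcdDevice;
    uint8_t  iManufacturer, iProduct, iSerialNumber, bNumConfigurations;
};

/* USB multi-byte fields are little-endian. */
static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse the 18-byte device descriptor. 'got' is the byte count the host
 * controller really transferred; the device's own bLength is checked against
 * it instead of being trusted. Returns 0 on success, -1 on malformed data. */
int parse_device_descriptor(const uint8_t *buf, size_t got, struct usb_device_desc *d)
{
    if (buf == NULL || d == NULL || got < USB_DEVICE_DESC_LEN)
        return -1;
    if (buf[0] != USB_DEVICE_DESC_LEN || buf[1] != USB_DT_DEVICE)
        return -1;
    d->bcdUSB          = le16(buf + 2);
    d->bDeviceClass    = buf[4];
    d->bDeviceSubClass = buf[5];
    d->bDeviceProtocol = buf[6];
    d->bMaxPacketSize0 = buf[7];
    /* Only 8, 16, 32 and 64 are legal for endpoint 0 (USB 2.0, section 9.6.1). */
    if (d->bMaxPacketSize0 != 8 && d->bMaxPacketSize0 != 16 &&
        d->bMaxPacketSize0 != 32 && d->bMaxPacketSize0 != 64)
        return -1;
    d->idVendor           = le16(buf + 8);
    d->idProduct          = le16(buf + 10);
    d->bcdDevice          = le16(buf + 12);
    d->iManufacturer      = buf[14];
    d->iProduct           = buf[15];
    d->iSerialNumber      = buf[16];
    d->bNumConfigurations = buf[17];
    return d->bNumConfigurations == 0 ? -1 : 0;
}

/* Convert a string descriptor (bLength, 0x03, UTF-16LE code units) to an
 * ASCII C string of at most out_len - 1 characters; code units outside
 * printable ASCII become '?'. The device's bLength is bounded by 'got' and the
 * output by out_len, so neither a lying bLength nor a long string can overrun.
 * Returns the number of characters written, or -1 if the descriptor is invalid. */
int parse_string_descriptor(const uint8_t *buf, size_t got, char *out, size_t out_len)
{
    if (buf == NULL || out == NULL || out_len == 0 || got < 2)
        return -1;
    size_t blen = buf[0];
    if (buf[1] != USB_DT_STRING || blen < 2 || (blen & 1) || blen > got)
        return -1;
    size_t nunits = (blen - 2) / 2, n = 0;
    for (size_t i = 0; i < nunits && n < out_len - 1; i++) {
        uint16_t cu = le16(buf + 2 + 2 * i);
        out[n++] = (cu >= 0x20 && cu <= 0x7e) ? (char)cu : '?';
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed descriptors: a plausible device and its vendor string. */
    const uint8_t dev[18] = { 18, USB_DT_DEVICE, 0x00, 0x02, 0, 0, 0, 64,
                              0x34, 0x12, 0x78, 0x56, 0x01, 0x00, 1, 2, 3, 1 };
    const uint8_t vendor[] = { 10, USB_DT_STRING, 'A', 0, 'C', 0, 'M', 0, 'E', 0 };
    struct usb_device_desc d;
    char name[16];

    if (parse_device_descriptor(dev, sizeof dev, &d) == 0 &&
        parse_string_descriptor(vendor, sizeof vendor, name, sizeof name) >= 0)
        printf("device %04x:%04x vendor \"%s\"\n", d.idVendor, d.idProduct, name);
    return 0;
}
```

The two checks that do the real work are blen > got (the device claims more bytes than arrived) and the out_len bound on the output loop; a parser that uses bLength alone to size its copy is exactly the "user controllable" pattern the earlier slides describe.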
What does USB look like?
More USB stuff
More about USB.
• What is a root hub?
– Has one or more interfaces, detects attachment and removal of devices.
– Typical USB is a master/slave relationship.
– Root hub initiates connections and transfers by polling the device at a set interval for data to be processed.
• What is a host controller?
– EHCI vs. OHCI vs. UHCI.
• EHCI – Enhanced Host Controller Interface – used by high speed controllers.
More about USB.
• UHCI – Universal Host Controller Interface – more software oriented, relies more heavily on drivers.
• OHCI – Open Host Controller Interface – more reliance on hardware with minimum software intervention.
• OHCI is the preferred controller for exploitation since it has the least amount of “sanity” checks in software and the majority of the operations are left up to hardware.
Why are DMA attacks over USB hard?
• Root hub
– In the master/slave architecture the host’s root hub controls reads/writes without giving the peripheral device a chance to.
– The root hub is the only initiator of transfers, polling periodically at a set interval to check if the peripheral has data to transfer.
• Because the root hub is the only initiator a lot of people say that USB can’t be exploited.
USB Stuff
• On-The-Go
– Limited peer-to-peer functionality added in USB 2.0
– For devices like cameras communicating with printers.
• OHCI
– Less sanity checking, better for attackers
• Other possible methods?
– Exploiting device drivers
– Confusion with certain aspects
• Current shellcode just creates a window on the target machine.
USB Infoz
What does it look like?
I should note…
• This method is not as reliable as I had originally thought.
• I search through memory looking for the SEH struct and overwrite the unhandled exception filter with what I think is the address of my shellcode
• There are several problems with it.
– What process am I in?
– Is it the correct address for shellcode?
– Since I have now mucked with every SEH on the box, it dies pretty quickly. BLUESCREEN CITY!
Things to make it more reliable?
• Need to be able to map the virtual address to a physical address (this is very time consuming to develop)
• Better ability to detect OS version and patch level
– Very small things can interfere with this.
• Service pack independent shellcode.
What can’t be owned over USB?
What other transports can be easily attacked?
PCMCIA
PCMCIA…err…CardBus
• Often what people think is PCMCIA is actually CardBus.
• PCMCIA supports a 16-bit bus vs. the 32-bit CardBus bus.
• CardBus cards and PCMCIA cards are not always interchangeable.
Which do you have?
Exploiting CardBus
• Need a device
– Network card
– GPS card
• Need a target
– A process that is always running; winlogon seems to work
Other vectors?
• How about an untraceable rootkit that survives reboots and reinstalls?
• Let’s revisit video cards…
– Powerful GPU
– Loads of memory
– Upgradeable firmware
– AGP utilizes DMA access
Patch video card firmware
• It’s not easy.
• Amazing chance you can ruin the card
• It will survive reinstalls and reboots because neither affects the firmware of the card.
• To remove it, a clean firmware update should be applied.
• Requires extensive knowledge of the card controller and corresponding asm.
More vectors
• Brainstorming…
– NICs
– Soundcards
– Virtual Machines
– RDMA
Questions, comments, suggestions