Embed Size (px)
Citation preview
Thinking in rings
Michael Shalyt
Malware Research Team Leader @ Check Point
PRIVILEGE ESCALATION
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
IPHO 2005
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
IPHO 2005BSc. Physics + EE
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
Cyber Cyber
IPHO 2005BSc. Physics + EE
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
IPHO 2005BSc. Physics + EE
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
Research TL
IPHO 2005BSc. Physics + EE
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
Research TL
IPHO 2005BSc. Physics + EE
MSc. Quantum Information
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
Research TL
IPHO 2005BSc. Physics + EE
MSc. Quantum Information
Malware Research TL @CP
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
ASM (13yo)
Matlab
Javascript
Actionscript
Mathematica
C
Scheme
Cyber Cyber
Reverse Engineering
Research TL
PythonIPHO 2005BSc. Physics + EE
MSc. Quantum Information
Malware Research TL @CP
Pascal
AutoIT
MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Rese
arch
First program (8yo)
Lifeinagraph.blogspot.com
ASM (13yo)
Matlab
Javascript
Actionscript
Mathematica
C
Scheme
Cyber Cyber
Reverse Engineering
Research TL
PythonIPHO 2005BSc. Physics + EE
MSc. Quantum Information
Malware Research TL @CP
Pascal
AutoIT
Catapults
Humans
WHAT’S A HACKER?
WHAT’S A HACKER?
• People committed to circumvention of computer security.
WHAT’S A HACKER?
• People committed to circumvention of computer security.
• RFC 1392: “A person who delights in having an intimate understanding of the internal workings of a system”. (1960s around MIT's Tech Model Railroad Club)
WHAT’S A HACKER?
• People committed to circumvention of computer security.
• RFC 1392: “A person who delights in having an intimate understanding of the internal workings of a system”. (1960s around MIT's Tech Model Railroad Club)
• Vs. “user” (like “script kiddies”)
PRIVILEGE
PRIVILEGE
RINGS AND GATEKEEPERS
RINGS AND GATEKEEPERS
RINGS AND GATEKEEPERS
PRINCIPAL OF LEAST PRIVILEGE
PRINCIPAL OF LEAST PRIVILEGE
• System stability.
PRINCIPAL OF LEAST PRIVILEGE
• System stability.
• Security.
PRINCIPAL OF LEAST PRIVILEGE
• System stability.
• Security.
• Ease of deployment.
PRINCIPAL OF LEAST PRIVILEGE
• System stability.
• Security.
• Ease of deployment.
• In RL: Compartmentalization / Encapsulation.
X86 RINGS
Most privileged
Least privileged
VERTICAL PE - WHAT
VERTICAL PE - WHAT
• User -> admin.
VERTICAL PE - WHAT
• User -> admin.• User -> system/root.
VERTICAL PE - WHAT
• User -> admin.• User -> system/root.• Javascript -> shellcode.
VERTICAL PE - WHAT
• User -> admin.• User -> system/root.• Javascript -> shellcode.• Username -> access.
VERTICAL PE - WHAT
• User -> admin.• User -> system/root.• Javascript -> shellcode.• Username -> access. • Hypervisor instance traversal.
VERTICAL PE - WHAT
• User -> admin.• User -> system/root.• Javascript -> shellcode.• Username -> access. • Hypervisor instance traversal.• Access to restricted places/documents/data.
VERTICAL PE - WHAT
• User -> admin.• User -> system/root.• Javascript -> shellcode.• Username -> access. • Hypervisor instance traversal.• Access to restricted places/documents/data.• Etc.
HORIZONTAL PE - WHAT
HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.
HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.
• Framing someone else.
HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.
• Framing someone else.
• Etc.
PE – BATTLE PLAN
PE – BATTLE PLAN
• You already have limited capabilities.
PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
• Gather info (profiling).
PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
• Gather info (profiling).
• Pass through the guard mechanism (appear as legitimate low ring-high ring interaction).
PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
• Gather info (profiling).
• Pass through the guard mechanism (appear as legitimate low ring-high ring interaction).
• Trick the higher ring to do as you wish.
VERTICAL PE - HOW
VERTICAL PE - HOW
• XSS.
VERTICAL PE - HOW
• XSS.• Password guessing/brute forcing.
VERTICAL PE - HOW
• XSS.• Password guessing/brute forcing.• Driver vulnerabilities.
VERTICAL PE - HOW
• XSS.• Password guessing/brute forcing.• Driver vulnerabilities.• Service privileges.
VERTICAL PE - HOW
• XSS.• Password guessing/brute forcing.• Driver vulnerabilities.• Service privileges.• Design bug-features.
VERTICAL PE - HOW
• XSS.• Password guessing/brute forcing.• Driver vulnerabilities.• Service privileges.• Design bug-features.• SE.
VERTICAL PE - HOW
• XSS.• Password guessing/brute forcing.• Driver vulnerabilities.• Service privileges.• Design bug-features.• SE.• Etc. Etc.
HORIZONTAL PE - HOW
HORIZONTAL PE - HOW
• XSS.
HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.
HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.
• SE.
HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.
• SE.
• Etc. Etc.
EXAMPLES – LOOK MOM NO VULNS
EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.
EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.• Unprotected autorun directories.
EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.• Unprotected autorun directories.• Misconfigurations.
EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.• Unprotected autorun directories.• Misconfigurations.• Plain text passwords.
EXAMPLE – DLL HIJACKING
EXAMPLE – API EXPLOITATION
EXAMPLE – API EXPLOITATION
• User -> kernel.
EXAMPLE – API EXPLOITATION
• User -> kernel.• Ntdll.dll – wrapper and guard.
EXAMPLE – API EXPLOITATION
• User -> kernel.• Ntdll.dll – wrapper and guard.• Wealth of info before attack.
EXAMPLE – API EXPLOITATION
• User -> kernel.• Ntdll.dll – wrapper and guard.• Wealth of info before attack.• Kernel bug exploitation.
EXAMPLE – API EXPLOITATION
• User -> kernel.• Ntdll.dll – wrapper and guard.• Wealth of info before attack.• Kernel bug exploitation.• Often – make kernel mode run code from user mode.
QUESTIONS?
