Sandboxes:
A Pen-tester’s perspective
Rahul Kashyap [email protected]
Bromium Confidential
About
• Previously led McAfee Labs vuln research
• Done security startups and offense/defense security research
• Bromium Labs
• Team has discovered several vulnerabilities in multiple platforms
• Spoken at several cool conferences
I’m Hiring!
Agenda
• Sandboxes: Introduction
  Architecture
  Types
• Sandboxes: Exploitation
  Kernel Mode
  User Mode
• Conclusion
What is a sandbox?
• Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code from damaging the rest of the system
• The aim of a sandbox is to isolate threats
• Our research focuses on the security effectiveness of the isolation primitives for application sandboxes
Types of Sandboxes
• Type A: OS enhancement based (Sandboxie, BufferZone Pro, Dell DDP)
• Type B: Master/slave model (Adobe Reader X, Chrome browser)
Digression: Windows OS
• A lot of commonly used code relies on kernel components and various services
• Large exposure to kernel interfaces
How kernel enforces access control
• Sandboxed app: dear kernel, please open a file for me, the file name is at address X
• Kernel: X points to “allowed_file.txt” string; here goes a file handle for you
• Sandboxed app: dear kernel, please open a file for me, the file name is at address Y
• Kernel: Y points to “secret_file.txt” string; you are a sandboxed app, I will not let you access this file
How kernel exploits work (example)
• Sandboxed app: dear kernel, please draw the text “Hello world” for me, using the TrueType font stored at address X
• Kernel: You are a sandboxed app, but using a font is a benign operation which you need to function properly
• Kernel: OK, just a moment, I need to parse this font
• While processing the font, the kernel corrupts its own memory because the parser code in the kernel is buggy
• Because of the memory corruption, the kernel starts executing code at X, which allows the app to do anything it wants
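The walkthrough above turns on a parser that trusts offsets and lengths read out of the font blob. As an added example that is not code from the deck (nor from any Windows font component), the C below parses a deliberately simplified table directory, loosely modelled on TrueType's table records, and shows the bounds checks whose absence turns a font into a memory-corruption primitive: the table count is bounded before it is multiplied, and each record's offset and length are validated without computing a sum that could wrap. The format, the function names and the sample blob are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified table directory (an illustrative format, not the real TrueType spec):
 *   header : 4-byte magic "font", 4-byte big-endian numTables, 4 bytes reserved
 *   record : 4-byte tag, 4-byte big-endian offset, 4-byte big-endian length
 * Offsets are relative to the start of the blob. */
#define HDR_SIZE 12
#define REC_SIZE 12

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Locate table `tag` in `blob`. Returns 0 and sets *out/*out_len on success,
 * -1 if the directory is malformed or the tag is absent. Every value taken
 * from the blob is checked against `size` before it is trusted; a parser that
 * skips these checks reads (and later writes) past the buffer, which is the
 * class of defect the slide describes. */
int find_table(const uint8_t *blob, size_t size, const char tag[4],
               const uint8_t **out, size_t *out_len) {
    if (blob == NULL || size < HDR_SIZE || memcmp(blob, "font", 4) != 0)
        return -1;
    uint32_t num_tables = rd_be32(blob + 4);
    /* numTables is attacker-controlled: bound it by what the blob can hold
     * before it takes part in any multiplication. */
    if (num_tables > (size - HDR_SIZE) / REC_SIZE)
        return -1;
    for (uint32_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = blob + HDR_SIZE + (size_t)i * REC_SIZE;
        uint32_t off = rd_be32(rec + 4);
        uint32_t len = rd_be32(rec + 8);
        /* Check in a form that never computes off + len, so a huge len cannot wrap. */
        if (off > size || len > size - off)
            return -1;
        if (memcmp(rec, tag, 4) == 0) {
            *out = blob + off;
            *out_len = len;
            return 0;
        }
    }
    return -1;
}

/* Build a one-table sample blob in `buf` (constructed test data). `len_field`
 * is written verbatim into the record so a caller can craft a record whose
 * claimed length does not fit. Returns the number of bytes written, 0 if `cap`
 * is too small. */
size_t build_sample_font(uint8_t *buf, size_t cap, uint32_t len_field) {
    static const uint8_t payload[] = "glyphdata";          /* 10 bytes incl. NUL */
    size_t total = HDR_SIZE + REC_SIZE + sizeof payload;
    if (cap < total) return 0;
    memcpy(buf, "font", 4);
    wr_be32(buf + 4, 1);                                    /* numTables */
    wr_be32(buf + 8, 0);                                    /* reserved */
    memcpy(buf + HDR_SIZE, "glyf", 4);
    wr_be32(buf + HDR_SIZE + 4, (uint32_t)(HDR_SIZE + REC_SIZE));
    wr_be32(buf + HDR_SIZE + 8, len_field);
    memcpy(buf + HDR_SIZE + REC_SIZE, payload, sizeof payload);
    return total;
}

/* Returns 1 if a well-formed blob is accepted with the right table length and
 * a blob whose record claims 0xFFFFFFFF bytes is rejected, 0 otherwise. */
int demo_font_parser(void) {
    uint8_t buf[64];
    const uint8_t *tbl;
    size_t tbl_len;
    size_t n = build_sample_font(buf, sizeof buf, 10);
    if (n == 0 || find_table(buf, n, "glyf", &tbl, &tbl_len) != 0 || tbl_len != 10)
        return 0;
    n = build_sample_font(buf, sizeof buf, 0xFFFFFFFFu);
    return n != 0 && find_table(buf, n, "glyf", &tbl, &tbl_len) == -1;
}
```

The two checks worth copying into any real parser are the division-based bound on the record count and the subtraction-based range check; both are written so that no intermediate value can overflow the width it is computed in.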
TYPE A
• Example: Sandboxie, BufferZone Pro, Dell DDP
• Custom kernel driver modifies Windows behavior, so that changes to protected system components are prevented
• Use cases: most such sandboxes are used for controlled execution of applications
• Sandboxie is widely used for malware analysis
Application Sandbox Type A
TYPE B
• Example: Google Chrome, Adobe Reader
• Two processes, master and slave, talking over an IPC channel
• Slave is confined using OS access control facilities
• Master mediates access to resources
• Use case: protect the application from exploitation
• Google Chrome and Adobe Reader are popular applications mainly for web and content rendering
Architecture: Type B
• Master has a smaller codebase; the point being that it should be tougher to exploit
• Slave has a bigger attack surface that needs to be “brokered” by the master
• Slave still directly interacts with the OS kernel
• Slave also has access to certain user mode components
Application Sandbox Type B
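The Type B architecture above, like the kernel's allow/deny dialogue on the “How kernel enforces access control” slide, comes down to a privileged party resolving a name the untrusted party supplied and deciding before it hands back a handle. The C below is an added example, not the deck's code and not Chromium's or Adobe's broker: a minimal read-only open broker that joins the request to the sandbox root, canonicalizes it with realpath (so `..` and symlinks are resolved) and checks the result with a separator-aware prefix test before opening. `demo_broker` builds a temporary directory tree as constructed test data, reusing the slide's `allowed_file.txt` and `secret_file.txt` names, and returns a bitmask of which checks behaved as expected; the root location and function names are assumptions of the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is `resolved` (a canonical absolute path) inside `root` (also canonical)?
 * A bare prefix test is the classic mistake: "/srv/box2/x" starts with
 * "/srv/box" yet lies outside it. Require that the prefix is followed by a
 * separator, or that the two paths are identical. */
int path_within_root(const char *resolved, const char *root) {
    size_t n = strlen(root);
    if (n == 0 || strncmp(resolved, root, n) != 0) return 0;
    return resolved[n] == '\0' || resolved[n] == '/';
}

/* Broker-side open. The slave sends only a name; the master joins it to the
 * sandbox root, canonicalizes it (realpath resolves ".." and symlinks),
 * applies the policy and only then opens the file and returns the fd.
 * -1 covers both "denied" and "not found", so the slave cannot probe for
 * files it may not see. */
int broker_open_readonly(const char *root, const char *requested) {
    char joined[PATH_MAX], resolved[PATH_MAX];
    if (snprintf(joined, sizeof joined, "%s/%s", root, requested) >= (int)sizeof joined)
        return -1;
    if (realpath(joined, resolved) == NULL) return -1;
    if (!path_within_root(resolved, root)) return -1;
    return open(resolved, O_RDONLY | O_CLOEXEC);
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed scenario: <tmp>/sandbox/allowed_file.txt is inside the root,
 * <tmp>/secret_file.txt is one level above it. Returns a bitmask:
 *   1 = allowed_file.txt was opened and read back correctly
 *   2 = "../secret_file.txt" was refused */
int demo_broker(void) {
    char base[] = "/tmp/broker-demo-XXXXXX";
    if (mkdtemp(base) == NULL) return 0;
    char root[PATH_MAX], root_real[PATH_MAX], allowed[PATH_MAX], secret[PATH_MAX];
    snprintf(root, sizeof root, "%s/sandbox", base);
    snprintf(allowed, sizeof allowed, "%s/allowed_file.txt", root);
    snprintf(secret, sizeof secret, "%s/secret_file.txt", base);
    int result = 0;
    /* The root itself is canonicalized once, so the prefix test compares like with like. */
    if (mkdir(root, 0700) == 0 && realpath(root, root_real) != NULL &&
        write_file(allowed, "hello") == 0 && write_file(secret, "top secret") == 0) {
        char buf[16] = {0};
        int fd = broker_open_readonly(root_real, "allowed_file.txt");
        if (fd >= 0) {
            if (read(fd, buf, sizeof buf - 1) == 5 && strcmp(buf, "hello") == 0) result |= 1;
            close(fd);
        }
        if (broker_open_readonly(root_real, "../secret_file.txt") == -1) result |= 2;
    }
    unlink(allowed); unlink(secret); rmdir(root); rmdir(base);
    return result;
}
```

Two details carry most of the security value: the policy decision is made on the canonical path rather than on the string the slave sent, and the root is canonicalized once at setup (on systems where /tmp is a symlink, comparing against the uncanonicalized root would deny everything or, worse, compare the wrong prefix).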
Chromium sandbox on Windows
• Slave runs with low privileges
  • restricted token
  • job object
  • desktop object
  • integrity level
Chromium sandbox on Windows
• How exhaustive is the OS-based confinement, according to the documentation [2]?
  • Mounted FAT or FAT32 volumes – no protection
  • TCP/IP – no protection
  • Access to most existing securable resources denied
• Everybody agrees it is good enough…
Chromium sandbox in action
Slave
Master
Chromium sandbox on Windows
• How resistant is Master to a malicious Slave?
  • This is what most authors focused on
• How resistant is OS to a malicious Slave?
  • We focus on the last aspect
  • Recently MWR Labs also bypassed Chrome using a similar vector at Pwn2Own 2013 [11]
Master/slave type sandbox on Windows, Adobe Reader
Observe “Low” integrity level
Master/slave type sandbox on Windows, Adobe Reader
• Exhaustive previous related work on the methodology of attacking the Master [3], [4]
• The first case of an Adobe sandbox vulnerability exploited in the wild was reported in Feb 2013 [9]
• This escape was possible because of a bug in the Master
Master/slave type sandbox on Windows, Chrome browser
Observe “untrusted” integrity level
Master/slave type sandbox on Windows, Chrome browser
• Slave de-privileged even more than stated in the Chrome sandbox documentation
  • “Untrusted” integrity level
  • In particular, access to the FAT32 file system is denied
Master/slave type sandbox on Windows, Chrome browser
• Well-known cases of successful attacks against the master (shown at Pwnium [5], Pwn2Own [6])
• The attacks against the master are complex and relatively rare
Master/slave type sandbox on Windows, Chrome browser
• Slave can still exploit a kernel vulnerability
  • bpf syscall filter on Linux - designed to limit exposure of OS #nice
• Some vulnerabilities are not exploitable by Slave
  • If exploitation needs to create a process
  • If exploitation needs to alter specific locations in the registry
• win32k.sys still much exposed
A vulnerability in win32k.sys can potentially be exploited at the browser level, yielding full control over the machine directly, without the need to achieve code execution in the sandbox first.
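The slide credits Linux's BPF syscall filter with limiting how much of the kernel the slave can reach. As an added example (not the deck's code and not Chromium's, whose real renderer policies are far larger), the C below installs a seccomp-bpf allow-list in a forked child that permits only write, exit and exit_group, then shows that an unlisted syscall (getpid, issued raw so libc cannot cache it) terminates the child with SIGSYS while a listed one proceeds normally. DEMO_AUDIT_ARCH, install_filter, run_child and demo_seccomp are names chosen for the example; it needs a Linux kernel with seccomp filter support and an x86_64 or aarch64 build.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "set DEMO_AUDIT_ARCH for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* older headers: whole-process kill */
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Allow-list filter. Anything not matched below terminates the process with
 * SIGSYS, so a kernel bug reachable only through a blocked syscall is out of
 * the confined code's reach. Three syscalls is far smaller than any real
 * renderer policy; it is just enough for the demo child to exit cleanly. */
static struct sock_filter filter[] = {
    /* Refuse a foreign ABI (e.g. 32-bit syscalls on an x86_64 kernel). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Load the syscall number and compare it against the allow-list. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write,      3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit,       1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

unsigned filter_length(void) { return (unsigned)(sizeof filter / sizeof filter[0]); }

/* Install the filter on the calling thread; returns 0 on success. */
int install_filter(void) {
    struct sock_fprog prog = { .len = (unsigned short)filter_length(), .filter = filter };
    /* NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Run one child under the filter. allowed_only == 1 makes the child use only
 * listed syscalls; 0 makes it issue getpid, which is not listed.
 * Returns the raw wait status, or -1 if fork/wait failed. */
static int run_child(int allowed_only) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        if (allowed_only) {
            if (write(STDERR_FILENO, "", 0) < 0) _exit(1);   /* listed: proceeds */
        } else {
            syscall(SYS_getpid);                              /* not listed: SIGSYS here */
        }
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return status;
}

/* Bit 1: the unlisted syscall killed the child with SIGSYS.
 * Bit 2: a child using only listed syscalls exited normally with status 0. */
int demo_seccomp(void) {
    int result = 0;
    int st = run_child(0);
    if (st != -1 && WIFSIGNALED(st) && WTERMSIG(st) == SIGSYS) result |= 1;
    st = run_child(1);
    if (st != -1 && WIFEXITED(st) && WEXITSTATUS(st) == 0) result |= 2;
    return result;
}
```

The architecture check at the top is not decoration: syscall numbers differ between ABIs, so a filter that matches on `nr` alone can be sidestepped by a process switching to the compatibility ABI. Production policies also return SECCOMP_RET_TRAP or SECCOMP_RET_ERRNO for some calls instead of killing outright, which is what makes the filter usable by a large codebase like a renderer.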
Exploitation
CVE-2011-3402 CVE-2011-2018 CVE-2012-2527 CVE-2012-1890 CVE-2012-1893 CVE-2012-0178
CVE-2012-1515 CVE-2012-1864 CVE-2012-1865 CVE-2012-1866 CVE-2012-1867 CVE-2012-1868
CVE-2012-0217 CVE-2012-0179 CVE-2012-0157 CVE-2012-0148 CVE-2012-0149 CVE-2011-5046
CVE-2012-0154 CVE-2012-0001 CVE-2013-1278 CVE-2013-1279 CVE-2013-1280 CVE-2013-0008
CVE-2012-2556 CVE-2012-4786 CVE-2012-2530 CVE-2012-2553 CVE-2012-2897 CVE-2013-1248
CVE-2013-1249 CVE-2013-1250 CVE-2013-1251 CVE-2013-1252 CVE-2013-1253 CVE-2013-1254
CVE-2013-1255 CVE-2013-1256 CVE-2013-1257 CVE-2013-1258 CVE-2013-1259 CVE-2013-1260
CVE-2013-1261 CVE-2013-1262 CVE-2013-1263 CVE-2013-1264 CVE-2013-1265 CVE-2013-1266
CVE-2013-1267 CVE-2013-1268 CVE-2013-1269 CVE-2013-1270 CVE-2013-1271 CVE-2013-1272
CVE-2013-1273 CVE-2013-1274 CVE-2013-1275 CVE-2013-1276 CVE-2013-1277
CVE-2012-0217 Exploit: MS12-042 SANDBOX BYPASS DEMO (Kernel Mode Exploitation)
Sandbox
PWNY!
Is this a problem?
• Windows kernel issues are discovered increasingly frequently
  • 25 CVE for Windows kernel in 2012
  • 73+ CVE till Sept 2013
• There have been attacks like Duqu [10] that have targeted kernel vulnerabilities
• Yes… it’s a large attack surface
User Mode Exploitation
• Type A and Type B do not restrict network connectivity for a sandboxed process
• The exception to this rule is Google Chrome, which has been hardened to restrict TCP/IP networking in case the renderer gets exploited
• All vulns in these services are a potential sandbox escape vector
• Even properly functioning code can be abused
ALPC Ports
• ALPC ports are a low-level mechanism used for interprocess communication on the Windows OS. Again, many Windows services listen on ALPC ports; if sandboxed code can connect to these services, it can attempt to exploit a vulnerability in them.
• Type A sandboxes are wide open to all of these
ALPC Ports: Adobe Reader vs Chrome
Adobe Reader XI (version 11.0.3):
lkd> !alpc /lpp fffffa80052ffb30
Ports created by the process fffffa80052ffb30:
fffffa8004f9fb50('OLEB45817786DEF457D9394B3110F6B') 0, 1 connections fffffa8005312070 0 -> fffffa8005279990 0 fffffa80078ddb30('svchost.exe')
Ports the process fffffa80052ffb30 is connected to:
fffffa80053073c0 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
fffffa80050b7070 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
fffffa800b4b9e60 0 -> fffffa8007912c30('lsasspirpc') 0 fffffa8007883210('lsass.exe')
fffffa8004f1adc0 0 -> fffffa8007b34e60('Audiosrv') 0 fffffa8007a1e9e0('svchost.exe')
fffffa8004f0e3f0 0 -> fffffa80079d4e60('epmapper') 31 fffffa80078ddb30('svchost.exe')
fffffa800535cb20 0 -> fffffa800798ea70('plugplay') 0 fffffa800797db30('svchost.exe')
Google Chrome browser (Version 27.0.1453.110 m)
lkd> !alpc /lpp fffffa80053a1060
Ports created by the process fffffa80053a1060:
<none>
Ports the process fffffa80053a1060 is connected to:
fffffa8005397b30 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
fffffa80052c8dd0 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
Example: CSRSS vulnerability (MS11-063), CVE-2011-1967
• “The vulnerability is caused by CSRSS improperly validating permissions when a lower-integrity process communicates a device event message to a higher-integrity process.”
• Actually, the vulnerable versions of CSRSS performed no validation or permission check at all, blindly executing PostMessage with all parameters controllable by the peer.
• Errr... Shatter attack redux??
Exploit: MS11-063 SANDBOX User-Mode Exploitation
Summary
http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-perspective/
CVE-2011-3402
Exploit: MS11-087 SiS’eh: Sandbox-in-Sandbox?
Clueless PWNY!
DiDi ™ :- Defense in Depth indeed!
Conclusion
• Application sandboxes are fundamentally vulnerable to kernel mode and certain user mode vulnerabilities on the OS
• Breaking out of a sandbox by exploiting OS vulns provides far better ROI for the attackers
• In our analysis, Type A sandboxes were far easier to escape from than Type B #$$ #Chrome
• Definitely avoid malware analysis inside application sandboxes! #D’0h!
Credits/References
• Rafal Wojtczuk, Bromium Labs
• [1] http://www.sandboxie.com/
• [2] http://dev.chromium.org/developers/design-documents/sandbox
• [3] “A Castle Made of Sand - Adobe Reader X Sandbox”, Richard Johnson
• [4] “Breeding Sandworms”, Zhenhua Liu, Guillaume Lovet
• [5] http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html
• [6] “Pwn2Own 2012: Google Chrome browser sandbox first to fall”, http://www.zdnet.com/blog/security/pwn2own-2012-google-chrome-browser-sandbox-first-to-fall/10588
• [7] Dennis Fisher, http://threatpost.com/en_us/blogs/its-time-abandon-java-012113
• [8] BufferZone Pro, http://www.trustware.com/BufferZone-Pro/
• [9] arstechnica.com/security/2013/02/zero-day-attack-exploits-latest-version-of-adobe-reader/
• [10] Duqu malware, http://em.wikipedia.org/wiki/Duqu
• [11] https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/
@rckashyap
Thanks!
http://labs.bromium.com/