Thread Of Notes

Seth Jenkins discovered an arbitrary write primitive in Pixel kernel exploitation but lacked a KASLR leak. He researched the Linux kernel's linear mapping, which directly maps physical memory to a virtual address region. On Android ARM64, this linear mapping has a fixed virtual address due to memory hot-plugging requirements and limited virtual address bits. Consequently, the phys_to_virt calculation becomes static, with PHYS_OFFSET consistently being 0x80000000. Further compounding this, Pixel phones decompress the kernel at a static physical address, 0x80010000, on every boot. This allows the kernel virtual address of any kernel data entry to be calculated statically. For instance, the modprobe_path string can be reliably accessed at 0xffffff8001ff2398. In practice, a static kernel base of 0xffffff8000010000 can be used on Pixels to derive kernel symbol virtual addresses, bypassing the need for a KASLR leak for arbitrary read-write primitives. The linear mapping also allows kernel data regions to be mapped read-write, though text regions remain non-executable. Even on devices with randomized physical kernel load addresses, the non-randomized linear mapping aids exploitation by allowing attackers to target predictable physical memory locations. Memory spraying techniques can place data at known kernel virtual addresses, simplifying the forging of kernel data structures. Both the lack of linear map randomization and the static kernel physical address on Pixels are considered intended behavior by the Linux kernel team and Google. While KASLR remains valuable against remote attacks, its effectiveness against local attackers is diminished. Preserving KASLR integrity through engineering efforts is crucial for overall security. Future improvements could include randomizing the linear map, increasing physical page allocation entropy, and randomizing kernel physical addresses.
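The calculation the note describes, carried through with the note's own constants, as an added example (not code from the original post). It assumes the 39-bit-VA arm64 layout whose linear map starts at 0xffffff8000000000, since that is the only layout the quoted kernel base fits, and the per-boot slide in the last function is a hypothetical illustration of the randomization the note proposes.

```python
# Models the arm64 linear-map translation described in the note.
# Assumption: 39-bit virtual addresses, linear map at the bottom of the
# kernel half, so PAGE_OFFSET = -(1 << VA_BITS) (matches the quoted base).
VA_BITS = 39
MASK64 = (1 << 64) - 1
PAGE_OFFSET = (-(1 << VA_BITS)) & MASK64   # 0xffffff8000000000
PHYS_OFFSET = 0x80000000                   # value stated in the note
KERNEL_PHYS = 0x80010000                   # static Pixel decompression address


def phys_to_virt(phys, phys_offset=PHYS_OFFSET, page_offset=PAGE_OFFSET):
    """Linear-map translation. Every term is a compile-time or boot-time
    constant on the described devices, so the result never changes."""
    return ((phys - phys_offset) + page_offset) & MASK64


def virt_to_phys(virt, phys_offset=PHYS_OFFSET, page_offset=PAGE_OFFSET):
    """Inverse of phys_to_virt; the mapping is a plain offset, so it round-trips."""
    return ((virt - page_offset) + phys_offset) & MASK64


def symbol_virt(symbol_offset, kernel_phys=KERNEL_PHYS):
    """Virtual address of a kernel data symbol from its offset within the image.
    With a static kernel physical base this needs no runtime leak at all."""
    return phys_to_virt(kernel_phys + symbol_offset)


def randomized_linear_map_virt(phys, slide):
    """Hypothetical mitigation from the note: add a per-boot slide to the
    linear-map base, so the same physical page lands at a different VA."""
    return phys_to_virt(phys, page_offset=(PAGE_OFFSET + slide) & MASK64)
```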
Google Project Zero discussed the necessity of remote ASLR leaks for exploiting memory corruption bugs on Apple devices. This led to the discovery of a technique that could remotely leak a pointer without memory safety violations or timing attacks. The method applies to attack surfaces that deserialize, re-serialize, and return attacker-provided data. While no immediate real-world attack surface was identified on macOS/iOS, the technique was tested using an artificial case with NSKeyedArchiver. The issue was reported to Apple and fixed, though no public bug tracker entry was made due to the lack of demonstrated real-world impact. This novel technique builds upon prior work related to hash table collision attacks. Historically, hashDoS attacks exploited worst-case hash table performance to cause denial-of-service. Earlier research also hinted at using hash collisions to leak addresses. The hashDoS concept can be viewed as an attacker slowing down access to specific hash buckets. This principle was leveraged in Firefox to leak heap addresses through timing measurements of JavaScript Map insertions. Iterating over pointer-keyed data structures can also reveal information about object addresses. Serialization mechanisms, particularly those allowing arbitrary object graphs, can be unsafe. Apple's NSKeyedUnarchiver operates with an allowlist of deserializable classes. A specific test case aims to leak the shared cache pointer by deserializing and re-serializing attacker-supplied data using NSKeyedUnarchiver. The NSNull singleton object's hash, when not explicitly handled, defaults to its address, which is stored in the shared cache. NSNumber instances are hashed differently, depending on their numeric value. Dictionaries use hash codes modulo the number of buckets to manage key placement.
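A toy simulation of the channel the note describes, added here and not taken from the Project Zero post: a bucketed dictionary places keys at hash modulo bucket count and re-serializes bucket by bucket, so a key whose hash is its own address reveals that address one residue at a time. The within-bucket insertion order, the bucket counts and the sample address are constructed assumptions; the last function shows why a hash that does not depend on the address closes the channel.

```python
from math import prod


class ToyDict:
    """Chained hash table: bucket = hash % nbuckets, chain in insertion order.
    serialize() walks buckets in index order, which is the observable output."""

    def __init__(self, nbuckets):
        self.buckets = [[] for _ in range(nbuckets)]

    def insert(self, key, key_hash):
        self.buckets[key_hash % len(self.buckets)].append(key)

    def serialize(self):
        return [k for bucket in self.buckets for k in bucket]


def residue_from_roundtrip(singleton_hash, nbuckets):
    """Numbers 0..n-1 hash to their value (one per bucket, as NSNumber does in
    the note); the singleton hashes to its address. The number that precedes
    the singleton in the re-serialized order equals singleton_hash % n."""
    d = ToyDict(nbuckets)
    for v in range(nbuckets):
        d.insert(("num", v), v)
    d.insert(("singleton",), singleton_hash)
    order = d.serialize()
    return order[order.index(("singleton",)) - 1][1]


def crt(residues):
    """Combine (residue, modulus) pairs with pairwise coprime moduli."""
    m_all = prod(m for _, m in residues)
    x = 0
    for r, m in residues:
        mi = m_all // m
        x += r * mi * pow(mi, -1, m)
    return x % m_all, m_all


def leaked_value(singleton_hash, moduli):
    """What an observer learns from one round-trip per bucket count."""
    return crt([(residue_from_roundtrip(singleton_hash, m), m) for m in moduli])


def leaked_value_with_address_independent_hash(moduli, fixed_hash=0):
    """Mitigation: a constant (or secretly keyed) hash yields the same residues
    for every address, so the combined value carries no address information."""
    return leaked_value(fixed_hash, moduli)
```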
Google Project Zero is updating its vulnerability disclosure policy with a "Reporting Transparency" trial to reduce the time it takes to fix vulnerabilities. The current "90+30" policy aims for quick patch development and adoption, but the "upstream patch gap" remains a key issue. This gap involves delays between a fix being available and its integration by downstream vendors. Google's trial focuses on upstream technologies, like chipsets and drivers, highlighting the extended vulnerability lifecycle. The new trial begins by publicly announcing a vulnerability report within a week, including vendor, affected product, and reporting date. The goal is to inform downstream dependents and improve communication for faster patch deployment. No technical details will be released until the 90-day deadline, making the announcement an alert, not a guide for attackers. Project Zero acknowledges some vendors may face increased attention but believes benefits outweigh potential inconvenience. The trial aims for a safer ecosystem where vulnerabilities are fixed on user devices, not just in code repositories. Project Zero plans to monitor the trial's effects and adapt its policies based on the findings. They hope to encourage better patch adoption and ultimately improve the security of the overall ecosystem. The trial specifically addresses the time between a fix becoming available and its being integrated by dependent vendors. This increased transparency will help shorten the overall vulnerability lifecycle for end-users.
The blog post discusses the exploitation of hive-based memory corruption bugs in the Windows registry, which can lead to privilege escalation and arbitrary code execution. The author explains that these bugs are characteristic of the Windows registry but can be applied to other similar vulnerabilities. The post focuses on the exploitation of these bugs, which involves overwriting data within an active hive mapping in memory. The author notes that the Windows registry cell allocator lacks safeguards against memory corruption and has no element of randomness, making its behavior predictable. The exploitation of classic memory corruption bugs typically involves initial memory corruption, followed by intermediate steps, and finally, profit in the form of arbitrary code execution or privilege escalation. The author explains that hive memory corruption can be exploited by overwriting internal hive data, which can have a broader impact on the overall security of the system. The post discusses the possibility of performing hive-only attacks in privileged system hives, which can be done by exploiting vulnerabilities that can be triggered solely through API or system calls. The author notes that there are several user-writable keys in the HKLM\SOFTWARE and HKLM\SYSTEM hives that can be used to corrupt a system hive. The post provides examples of such keys, including HKLM\SOFTWARE\Microsoft\CoreShell and HKLM\SOFTWARE\Microsoft\DRM. The author concludes that exploiting hive memory corruption bugs can be a viable way to elevate privileges and execute arbitrary code, and that the techniques described in the post can be applied to other similar vulnerabilities. The post is a supplement to a previous presentation on the topic, and the author encourages readers to review the slides and recording for more information. 
Overall, the post provides a detailed analysis of the exploitation of hive-based memory corruption bugs and their potential impact on the security of the Windows registry.
The Windows Registry is a complex and critical component of the Windows operating system, and its security is of utmost importance. The registry is a local attack surface that can be leveraged by a less privileged process to gain higher privileges or access the kernel. The registry's codebase is old, complex, and written in a memory-unsafe language, making it prone to logic and memory safety bugs. The registry implementation resides in the core Windows kernel executable, which increases the chances of a bug being exploited. Most of the registry-related code is reachable by unprivileged users, making privilege escalation a likely scenario. The registry manages sensitive information, including security-critical system information, passwords, and user permissions. The registry is not trivial to fuzz, and there is a lack of publicly available materials on its internal mechanisms, making it a challenging target for bug hunting. The registry has proven to be a fruitful research objective, with numerous classes of bugs, including hive memory corruption, pool memory corruption, information disclosure, race conditions, logic bugs, and inter-process attacks. The registry's security descriptors are shared by multiple keys and must be reference counted, which can lead to use-after-free conditions and hive-based memory corruption if not implemented correctly. The registry's complexity and lack of documentation make it a difficult target to audit, but also provide opportunities for researchers to discover new vulnerabilities.
The NSO BLASTPASS iMessage exploit was a zero-click, zero-day vulnerability that compromised iPhones running the latest version of iOS without any interaction from the victim. The exploit involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim. Apple issued an out-of-band security update for iOS on September 7, 2023, to fix the vulnerability. The WebP team also released a proposed fix for the issue, which was later integrated into Chrome. The root cause of the vulnerability was a memory corruption issue in the WebP lossless image format, specifically in the Huffman coding used in the format. The vulnerability allowed an attacker to define invalid Huffman trees, which could cause memory corruption when the decoding table was built. However, the corruption primitive was limited, and the image parsing would stop shortly after the bug was triggered. How the vulnerability was exploited was a mystery, as it was unclear how to land an exploit in a one-shot, zero-click setup. The corruption primitive was very limited, and without access to the samples, it was almost impossible to know how to exploit the vulnerability. In mid-November, the author obtained a number of BLASTPASS PKPass sample files and crash logs from failed exploit attempts, which allowed them to analyze the samples and figure out how the exploit worked. The analysis revealed that the vulnerability was exploited by sending a malicious image file that triggered the memory corruption issue, and then using the limited corruption primitive to execute arbitrary code. The WebP format is a relatively modern image file format that uses Huffman coding to compress images. WebP uses a RIFF container; the lossless image data is a separate bitstream format, and that is where the vulnerability was found.
The vulnerability was in the Huffman coding used in the lossless format, specifically in the way that the decoding table was built. The author's analysis of the samples revealed that the exploit used a combination of techniques to execute arbitrary code, including using the limited corruption primitive to overwrite a function pointer and then executing the malicious code. Overall, the NSO BLASTPASS exploit was highly sophisticated and required a deep understanding of the WebP format and the Huffman coding used in it; what had been a mystery was resolved once the samples showed how arbitrary code execution was reached from the limited corruption primitive.
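The check a decoder needs before building a Huffman lookup table, as an added example (not libwebp code and not the actual fix): a set of code lengths is only a valid prefix code if its Kraft sum does not exceed 1, and an over-subscribed set needs more table slots than the table has. The canonical code assignment and the single-level, MSB-indexed table layout are simplifications chosen here; real decoders use multi-level tables and their own bit order.

```python
from fractions import Fraction


def kraft_sum(code_lengths):
    """Sum of 2**-len over symbols that have a code (length 0 = unused)."""
    return sum((Fraction(1, 2 ** l) for l in code_lengths if l > 0), Fraction(0))


def classify_code_lengths(code_lengths):
    s = kraft_sum(code_lengths)
    if s > 1:
        return "over-subscribed"   # more codes than a prefix tree can hold
    if s < 1:
        return "incomplete"        # some bit patterns decode to nothing
    return "complete"


def build_decode_table(code_lengths, root_bits):
    """Single-level table with 2**root_bits entries; a symbol of length l fills
    2**(root_bits - l) slots. With the Kraft check the slots total at most the
    table size, so the fills below can never run past the end of the table."""
    if any(l > root_bits for l in code_lengths):
        raise ValueError("code longer than the table index")
    if kraft_sum(code_lengths) > 1:
        raise ValueError("over-subscribed code lengths")
    table = [None] * (1 << root_bits)
    code = 0  # canonical codes: shorter lengths first, then by symbol index
    for length in range(1, root_bits + 1):
        for sym, l in enumerate(code_lengths):
            if l != length:
                continue
            span = 1 << (root_bits - length)
            base = code << (root_bits - length)
            for i in range(span):
                table[base + i] = (sym, length)
            code += 1
        code <<= 1
    return table


def table_fits(code_lengths, root_bits):
    """True if the lengths describe a code the table can hold without overflow."""
    try:
        build_decode_table(code_lengths, root_bits)
        return True
    except ValueError:
        return False
```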
James Forshaw, a researcher at Google Project Zero, discusses the "trapped object bug class" in object-oriented remoting technologies such as DCOM and .NET Remoting. These technologies allow for the development of object-oriented interfaces that can cross process and security boundaries, but this flexibility has downsides, including the potential for privilege escalation or remote-code execution. Not all objects that can be remoted are safe to remote, and some objects, such as XML libraries, can execute arbitrary script code in the context of an XSLT document. If an XML document object is made accessible over the boundary, a client could execute code in the context of the server process. There are several scenarios that can introduce this bug class, including sharing an unsafe object inadvertently, using asynchronous marshaling primitives, and abusing built-in mechanisms to look up and instantiate objects. For example, the Windows Runtime libraries introduced a bug by adding code to the existing XML DOM Document v6 COM object, which exposed the runtime-specific interfaces and allowed a malicious client to query for the old IXMLDOMDocument interface and use it to run an XSLT script. Another example is the FileInfo and DirectoryInfo .NET classes, which can be marshaled both by value and by reference, and can be used to create a new instance of the object in the server's process. An attacker can leverage this by sending a serialized form of the object to the server, which will create a new instance of the object, and then reading back the created object, which will be marshaled back to the attacker by reference. The final scenario mentioned is abusing the built-in mechanisms to look up and instantiate objects in order to create an unexpected object. For example, in COM, an attacker can use the CoCreateInstance API to create an arbitrary COM object in the context of the server and get it returned to the client.
This can be exploited by getting an XML DOM Document object created in the server, returned to the client marshaled by reference, and then using it to execute arbitrary code in the context of the server. These scenarios highlight the importance of carefully considering the security implications of using object-oriented remoting technologies and ensuring that only safe objects are shared across security boundaries.
James Forshaw from Google Project Zero wrote a blog post about building a virtual memory access trap primitive on Windows. The goal of this primitive is to cause a reader or writer of a virtual memory address to halt for a significant amount of time, which can be used to exploit certain bugs in the kernel. In his previous blog post, Forshaw proposed using an SMB file on a remote server or abusing the Cloud Filter API to achieve this. However, a new feature in Windows 11 24H2 allows for the abuse of the SMB file server directly on the local machine, without the need for a remote server. This feature introduces the ability to specify the destination TCP port for the SMB client from the command line, which can be used to connect to a fake SMB server. The new feature allows for the exploitation of vulnerabilities known as "False File Immutability" bugs, and it does not require administrator access to use. Forshaw has updated his example fake SMB server to allow binding to a different port, making it possible to perform the attack locally. This change has been made available in Windows 11 24H2, which is generally available, and it is enabled by default. An administrator can disable this feature through Group Policy, but it is unlikely that non-enterprise users will change this setting. Forshaw believes that making this feature enabled by default is a mistake that may cause problems for Windows in the future. Overall, this new feature provides a new way to exploit certain vulnerabilities in Windows, and it highlights the importance of careful consideration when introducing new features to an operating system.
Define a TCP connection: A TCP connection is a virtual communication channel between two endpoints on a network.
Explain TCP handshaking: TCP handshaking involves a three-way handshake to establish a connection between the client and server.
Describe the role of SYN, ACK, and FIN packets in TCP: SYN packets initiate connection requests, ACK packets acknowledge received data, and FIN packets terminate connections.
Explain the difference between TCP and UDP: TCP is a connection-oriented protocol that provides reliable data transfer, while UDP is a connectionless protocol that prioritizes speed over reliability.
Describe the TCP sliding window: The sliding window mechanism allows for efficient data transmission by acknowledging received data and adjusting the window size accordingly.
Explain the concept of TCP congestion control: TCP congestion control algorithms aim to prevent network congestion by adjusting the transmission rate based on network conditions.
Describe the TCP retransmission mechanism: TCP retransmits lost or corrupted data packets to ensure reliable data transfer.
Explain the difference between a TCP server and a TCP client: A TCP server listens for incoming connections and provides services, while a TCP client initiates connections and requests services.
Describe the purpose of TCP port numbers: TCP port numbers identify different services or applications running on a host.
Explain the role of a TCP proxy server: A TCP proxy server acts as an intermediary between clients and servers, providing additional functionality such as caching, load balancing, and security.