A key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be—how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.
In this blog post, we look at two recent kernel-level zero-day exploits used by multiple activity groups. These kernel-level exploits, based on the CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privilege. Microsoft promptly fixed both vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with the Windows 10 Anniversary Update, to see how these techniques might fare against future zero-day exploits with similar characteristics.
| CVE | Microsoft Update | Exploit Type | Mitigation in Anniversary Update |
|---|---|---|---|
| CVE-2016-7255 | MS16-135 (Nov 2016) | Win32k Elevation of Privilege Exploit | Strong validation of tagWND structure |
| CVE-2016-7256 | MS16-132 (Nov 2016) | Open Type Font Exploit | Isolated Font Parsing (AppContainer); Stronger validation in font parsing |
CVE-2016-7255 exploit: Win32k elevation of privilege
In October 2016, the STRONTIUM attack group launched a spear-phishing campaign targeting a small number of think tanks and nongovernmental organizations in the United States. The campaign, also discussed in the previously mentioned blog post, involved the use of the exploit for CVE-2016-7255 in tandem with an exploit for the Adobe Flash Player vulnerability CVE-2016-7855.
The attack group used the Flash exploit to take advantage of a use-after-free vulnerability and access targeted computers. They then leveraged the type-confusion vulnerability in win32k.sys (CVE-2016-7255) to gain elevated privileges.
Abusing the tagWND.strName kernel structure
In this section, we’ll go through the internals of the specific exploit for CVE-2016-7255 crafted by the attacker. We will show how mitigation techniques provided customers with preemptive protection from the exploit, even before the release of the specific update fixing the vulnerability.
Figure 1. Exploit and shellcode phases of this attack
Modern exploits often rely on read-write (RW) primitives to achieve code execution or gain additional privileges. For this exploit, attackers acquire RW primitives by corrupting the tagWND.strName kernel structure. This exploit method is a trend discussed at security conferences and visible to those who have investigated actual attacks. For example, we detailed similar findings in a presentation about the Duqu 2.0 exploit at Virus Bulletin 2015.
By reverse engineering its code, we found that the Win32k exploit used by STRONTIUM in October 2016 reused exactly the same method. After triggering the initial Win32k vulnerability, the exploit corrupts the tagWND.strName structure and uses SetWindowTextW to write arbitrary content anywhere in kernel memory.
Figure 2. SetWindowTextW as a write primitive
The exploit abuses this API call to overwrite data belonging to the current process and copy the token privileges of SYSTEM. If successful, the exploit enables the victim process—iexplore.exe, in this example—to execute with elevated privileges.
Figure 3. Internet Explorer with SYSTEM privileges
Mitigating tagWND exploits with stronger validation
To mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of tagWND.strName. This mitigation performs additional checks for the base and length fields, making sure that they are in the expected virtual address ranges and are not usable for RW primitives. In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective. These exploits instead cause exceptions and subsequent blue screen errors.
Figure 4. Windows 10 Anniversary Update mitigation on a common kernel write primitive
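As an added illustration (not Microsoft's code, and a deliberately simplified model of the string structure behind tagWND.strName), the following C shows the kind of base/length validation described above: a window-name buffer must lie wholly inside the expected allocation range, so a strName whose pointer has been redirected to an arbitrary address, or whose length has been inflated, fails the check before any write can take place. The heap range and the addresses are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a window-name string (tagWND.strName): bytes in use,
   bytes allocated and the buffer address, held as an integer so the example
   never dereferences anything. This is not the real Windows layout. */
typedef struct {
    uint32_t  Length;         /* bytes in use */
    uint32_t  MaximumLength;  /* bytes allocated for the buffer */
    uintptr_t Buffer;         /* address of the WCHAR buffer */
} name_string_t;

/* The single region in which name buffers are expected to live (a stand-in
   for the desktop heap). Constructed sample values. */
typedef struct {
    uintptr_t base;
    size_t    size;
} heap_range_t;

static const heap_range_t SAMPLE_HEAP = { 0x1000000u, 0x100000u };

/* Returns true only if the string is internally consistent and the whole
   buffer [Buffer, Buffer + MaximumLength) sits inside the expected range.
   Overflow-safe: the sum Buffer + MaximumLength is never formed. */
bool validate_name_string(const name_string_t *s, const heap_range_t *heap)
{
    if (s->Buffer == 0)                             /* empty name: no buffer at all */
        return s->Length == 0 && s->MaximumLength == 0;
    if (s->Length > s->MaximumLength)               /* used bytes exceed allocation */
        return false;
    if (s->MaximumLength % sizeof(uint16_t) != 0)   /* must be whole WCHARs */
        return false;
    if (s->MaximumLength > heap->size)              /* cannot fit in the range at all */
        return false;
    if (s->Buffer < heap->base)                     /* starts before the range */
        return false;
    /* Starts inside; it must also end inside (offset + MaximumLength <= size). */
    return s->Buffer - heap->base <= heap->size - s->MaximumLength;
}

int main(void)
{
    name_string_t legit    = { 10, 32, 0x1001000u };          /* normal window name */
    name_string_t hijacked = { 10, 32, 0x7ff00000u };         /* pointer redirected outside the heap */
    name_string_t oversize = { 10, 0xfffffff0u, 0x1001000u }; /* length inflated into a long reach */
    printf("legit=%d hijacked=%d oversize=%d\n",
           validate_name_string(&legit, &SAMPLE_HEAP),
           validate_name_string(&hijacked, &SAMPLE_HEAP),
           validate_name_string(&oversize, &SAMPLE_HEAP));
    return 0;
}
```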
With the upcoming Windows 10 Creators Update, Windows Defender ATP introduces numerous forms of generic kernel exploit detection for deeper visibility into targeted attacks leveraging zero-day exploits. Technical details about the enhanced sensor will be shared in a forthcoming blog post.
CVE-2016-7256 exploit: Open type font elevation of privilege
As early as June 2016, unidentified actors began to use an implant detected as “Henkray” in low-volume attacks primarily focused on targets in South Korea. Later, in November 2016, these attackers were detected exploiting a flaw in the Windows font library (CVE-2016-7256) to elevate privileges and install the Henkray backdoor on targeted computers with older versions of Windows.
The font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.
Figure 5. Auto-generation of font file with exploit
This secondary executable or script tool, which has not been recovered, appears to prepare and drop the font exploit, calculating and preparing the hardcoded offsets needed to exploit the kernel API and the kernel structures on the targeted system. Through deep forensic inspection of the binary data found in samples, we extracted all the hardcoded offsets and ascertained the kernel version targeted by this exploit: Windows 8 64-bit.
Function table corruption for initial code execution
The font exploit uses fa_Callbacks to corrupt the function table and achieve initial code execution. The callback is called from the CFF parsing function. The following snippet shows a corrupted ftell pointer pointing to the nt!qsort+0x39 location in kernel code.
Figure 6. fa_Callbacks table corruption
The following snippet shows the code that calls the corrupt function pointer leading to a kernel ROP chain.
Figure 7. fa_Callbacks.ftell function call code
When the corrupted function is called, control jumps to the first ROP gadget at nt!qsort+0x39, which adjusts the stack pointer and initializes some register values from values on the stack.
Figure 8. First ROP gadget
After the first gadget, the stack points to a kernel ROP chain that calls ExAllocatePoolWithTag to reserve memory for the shellcode. Another ROP gadget then copies the first 8 bytes of the stage 1 shellcode to the allocated memory.
Figure 9. Copying the stage 1 shellcode
Shellcode and privilege escalation
The stage 1 shellcode is very small. Its main function is to copy the main body of the shellcode to newly allocated memory and run it with a JMP RAX control transfer.
Figure 10. Stage 1 shellcode
The main shellcode runs after the copy instructions. The main shellcode—also a small piece of code—performs a well-known token-stealing technique. It then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation. Both the SYSTEM process and target process PIDs, as well as certain offsets for the kernel APIs needed by the shellcode, are hardcoded in the font sample.
Figure 11. Token replacement technique
Mitigating font exploits with AppContainer
When opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.
Figure 12. AppContainer protects against untrusted fonts in Windows 10 Anniversary Update
Windows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code.
Figure 13. Windows 10 font viewer error
Conclusion: Fighting the good fight with exploit mitigation and layered detection
While fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.
In this article, we looked into recent attack campaigns involving two zero-day kernel exploits. We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.
By delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.
In addition to the techniques mentioned in this article, Windows 10 Anniversary Update introduced many other mitigation techniques in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities.
For effective post-breach detection, including coverage of the multiple stages of the attacks described in this blog post, sign up for Windows Defender ATP. The service leverages built-in sensors to raise alerts for exploits and other attack activity, providing corresponding threat intelligence. Customers interested in the Windows Defender ATP post-breach detection solution can find more information here.
Microsoft would like to thank KrCERT for their collaboration in protecting customers and for providing the sample for CVE-2016-7256.
Matt Oh and Elia Florio, Windows Defender ATP Research Team
Jan 18, 2017 – Corrected the spelling of Henkray backdoor.
Each month, readers share with us trends and statistics on the various information security topics we raise through the surveys we run at ESET Latinoamérica. In October the topic was data loss and the use of backups. Although malicious code […]
Sophos Anti-Virus for Mac: Home Edition – Free
Free anti-virus that works simply and beautifully. Just like your Mac.
As Apple computers grow more popular than ever, they’re an increasingly enticing target for hackers. And these hackers aren’t just mischief-makers—by targeting your computer or the applications you use, these criminals are out to steal and profit from your valuable personal information. Don’t let them. Get free Sophos Anti-Virus for Mac today.
Introducing Sophos Anti-Virus for Mac Home Edition.
It’s easy to install, quiet to run and simple to use—it keeps you safe from viruses, Trojans and worms without getting in your way.
High-grade protection without slowing you down.
Best of all, it’s free full-featured anti-virus. You get business-grade protection for your Mac backed by our SophosLabs experts—they’re on the job every day of the year, 24 hours a day. We’ll stop, quarantine and clean up Mac or Windows threats that try to infect your computer. We can even stop new, unknown threats.
As versatile as you want it to be, as powerful as you need it to be.
Nobody likes system pop-ups or system slow-downs. That’s why our product won’t annoy you with messages or take up your computer’s resources. And once you install Sophos Anti-Virus for Mac Home Edition, you’re the boss. Want it to just scan quietly in the background as you work? No problem. Need to create a custom scan to check what you want and leave out what you don’t? It can do that, too.
We told you about the Boonana Trojan Mac virus that was discovered by SecureMac just yesterday. SecureMac has now completed its initial analysis of the virus and has new information about it, as well as a removal tool if you believe your Mac is infected.
According to the company’s security bulletin, “The initial infection vector of the Boonana trojan is through a message on social networking sites similar to “Is this you in this video?” which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user’s web browser. During our testing, the malicious Java applet communicated with a Command & Control server, and presented an installer window at a random time after accessing the malicious site. This installer did not indicate that it had been downloaded from the web which indicates it is avoiding the quarantine flag typically set by programs such as Safari.”
This virus is still listed as a critical security threat because the control servers are still operational. SecureMac notes that the servers could therefore be gathering information such as IP addresses from infected computers, and could potentially modify the sudoers file to allow passwordless access to any infected machine. It is thought that this trojan could be used for control purposes.
“In many cases, especially with botnets, the malware might not initially exhibit malicious behavior, but can become active at any time as the command and control servers are updated,” notes SecureMac in the updated bulletin.
You can read the bulletin provided by SecureMac by clicking here, and you can also keep an eye on the SecureMac bulletin page, where future updates on this virus will be posted. If you believe your Mac is infected with this virus, you can try running the removal tool found on the bulletin page, or click here to download the tool directly.
For more information about the virus stay tuned to Mac|Life.
Follow this article’s author, Cory Bohon on Twitter.
Thanks to this, according to Rocky Heckman, senior security architect at Microsoft, they receive a great many of these notifications over the course of a day, each with part of the code (a dump of a certain portion of memory) that caused the error. The thing is that many of these notifications correspond to the actions of virus/malware developers (in a hurry, we might add) who, while creating their new works of art, naturally test them on their own machines. Since the software's behaviour has not yet been debugged, application crashes on the operating system are to be expected, and when the 'Send Report' button in the window that pops up is pressed (without reading its text), valuable information about the creativity of the revolutionary beta trojan is sent straight to Microsoft. Paradoxical, isn't it? The very vendor of the operating system whose vulnerabilities they want to exploit receives first-hand information directly from its creator.
These things happen when we don't 'listen' to EVERYTHING our operating system tells us... But come on, who always reads the full text of an EULA while installing something? If the message is very long or too 'full of letters and lines', we go straight for the 'Accept' button so it carries on as soon as possible.
And to think that Windows itself provides the option to disable the prompting and sending of error reports to Microsoft... How many leaks could have been avoided by these absent-minded malware developers, brimming with creativity and enthusiasm, if, on Windows 2000/2003 or XP, they had gone to the context menu of 'My Computer' -> 'Properties' -> 'Error Reporting' and configured that option appropriately to stop error notifications going to Redmond.
If our absent-minded malware developers use Windows Vista or Windows 7, the way to disable error reporting is different.
To do so, run 'gpedit.msc' from Start -> Run to open the 'Local Policy Settings'. Under 'Administrative Templates' -> 'Windows Components', set 'Disable Windows Error Reporting' to 'Enabled'.