Getting Physical: Extreme abuse of Intel based Paging Systems

Getting Physical: Extreme abuse of Intel based Paging Systems

Thursday, March 17, 2016
Nicolas Economou, Enrique Nissim
CanSecWest

Exploiting a kernel vulnerability is not as straightforward as it was in former times. While there used to be a gap between the protection measures implemented in kerneland in omparison with userland, modern OS kernels now include several security mitigations with the goal of preventing the execution of untrusted privileged code.

Write-what-where conditions might allow an attacker to elevate privileges by writing a controlled value into some special region of kernel memory. Tipically, one should somehow leak a kernel address (the where) and then patch that location (with the what) by triggering the vulnerability. Most of previous work on the topic however, do not address all the contemporary protections provided by operating systems. Mitigations such as DEP, KASLR, Null dereference prevention, SMEP and in the case of Windows, integrity levels, KMCS and KPP, limit the successful exploitation of a kernel vulnerability.

In this presentation we discuss several scenarios and approaches that could be taken in order to execute custom ring0 code by altering the behavior of the paging mechanism of the operating system. The present techniques allow to circumvent all the mitigations mentioned above without the end of memory leaks and they even go further by letting an unprivileged user to dump all the kernel-accessible physical memory.

In our demos we are going to show our technique over the lastest Windows/Linux versions.

Attachment: