11/28/2021 Parent PID Spoofer & injector

Parent PID Spoofer / injector: inject into ApplicationFrameHost.exe, UNDETECTED by MDE automation, but the offensive behavior is articulated in the MDE device timeline. REALITY: a human defender regularly checking the MDE device timeline would be all over this tradecraft. Regardless, as usual, I learned a lot by playing with the tradecraft for myself.
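As an added illustration of why the timeline gives this technique away (not code from the post or from the linked C# lab), the check a defender can run over process-creation records: it flags a child whose recorded parent is not the process that actually issued the creation call, and a recorded parent that started after its child. The process names, PIDs and timestamps are constructed, and the creator/parent split assumes telemetry that reports both values, as kernel process-creation events do.

```python
"""Flag parent PID spoofing in process-creation telemetry (constructed sample records)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcRecord:
    pid: int
    name: str
    parent_pid: int    # parent recorded in the new process (what Task Manager shows)
    creator_pid: int   # process that actually issued the creation call (kernel/ETW-style telemetry)
    created_at: float  # epoch seconds

def spoofing_findings(records: List[ProcRecord]) -> List[str]:
    """Return one finding per suspicious process, combining two signals:
    1. creator != recorded parent: the recorded parent never made the creation call
       (the mark of a decoy parent chosen via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS);
    2. time inversion: the recorded parent started after its 'child', impossible for a real
       parent (seen with PID reuse or a stale parent handle)."""
    by_pid: Dict[int, ProcRecord] = {r.pid: r for r in records}
    findings = []
    for r in records:
        reasons = []
        if r.creator_pid != r.parent_pid:
            creator = by_pid.get(r.creator_pid)
            creator_name = creator.name if creator else "?"
            reasons.append(f"created by pid {r.creator_pid} ({creator_name}) "
                           f"but parent recorded as pid {r.parent_pid}")
        parent = by_pid.get(r.parent_pid)
        if parent and parent.created_at > r.created_at:
            reasons.append("recorded parent started after the child")
        if reasons:
            findings.append(f"pid {r.pid} ({r.name}): " + "; ".join(reasons))
    return findings

# Constructed sample: ApplicationFrameHost.exe plays the decoy parent, as in the post.
SAMPLE = [
    ProcRecord(4, "System", 0, 0, 1000.0),
    ProcRecord(812, "svchost.exe", 4, 4, 1010.0),
    ProcRecord(3300, "ApplicationFrameHost.exe", 812, 812, 1200.0),
    ProcRecord(5120, "cmd.exe", 812, 812, 1400.0),
    ProcRecord(4412, "spoofer.exe", 5120, 5120, 1500.0),
    # payload records ApplicationFrameHost as parent, but the creation call came from spoofer.exe
    ProcRecord(6008, "payload.exe", 3300, 4412, 1501.0),
    # orphan's recorded parent (cmd.exe) started after it: PID reuse, not a genuine parent
    ProcRecord(7000, "orphan.exe", 5120, 5120, 1399.0),
]

if __name__ == "__main__":
    print("\n".join(spoofing_findings(SAMPLE)))
```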
Parent PID Spoofing in C# (used in video): https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab8/1.cs

#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

Leaking Kernel Memory from User Space Using NtQuerySystemInformation as a Low Priv User

I read an interesting blog (linked below) on exploiting an arbitrary write NULL vulnerability, which used NtQuerySystemInformation as a low-privilege user to leak SYSTEM addresses/pointers (handle information). Finding this interesting, I turned to ASATA to see how prevalent this API call was in privilege attacks: extremely! Now I wanted to test this for myself: I wanted to see how a low-privileged user could access kernel memory (handle/object data) from user space using NtQuerySystemInformation and the SYSTEM_HANDLE_INFORMATION structure. I used ASATA to search for some suitable called versions of NtQuerySystemInformation (either in C++ or C#), finally settling on a function found in Jean-Francois's SharpHandler (linked below). After creating my binary, I had a look at what MDE saw, and interestingly enough there was a benign warning for anomalous memory allocation "NtProtectVirtualMemory", but no alerts (a possible detection opportunity for this kind of attack). Knowing that I hadn't imported this function, it looks like NtQuerySystemInformation calls NtProtectVirtualMemory to change memory permissions and allow access from user space to kernel memory. I tried to confirm this with WinDbg, but it is almost unusable since upgrading to Windows 11: buggy! In the video I show you how I rapidly investigated the prevalence of this technique, quickly assembled a binary using ASATA's ability to search over a million offensive functions, show the results of my binary contrasted against ProcessHacker, and then have a look at the binary in MDE's timeline.
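The structure walk described above, as an added example that is not SharpHandler's code or the post's own: it decodes the x64 SYSTEM_HANDLE_INFORMATION layout documented on the Geoff Chappell page linked below, pulls out the kernel object addresses that the call hands to any user, and on Windows fetches the live table through ctypes with the usual grow-until-it-fits loop. The sample buffer contents are constructed; the field names are assumptions matching that documented layout.

```python
"""Parse SystemHandleInformation and, on Windows, fetch it live via NtQuerySystemInformation."""
import ctypes
import struct
from typing import Dict, List

SystemHandleInformation = 16                 # SYSTEM_INFORMATION_CLASS value
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
# x64 SYSTEM_HANDLE_TABLE_ENTRY_INFO: USHORT UniqueProcessId, USHORT CreatorBackTraceIndex, UCHAR ObjectTypeIndex,
# UCHAR HandleAttributes, USHORT HandleValue, PVOID Object, ULONG GrantedAccess, 4 bytes tail padding = 24 bytes.
ENTRY_FMT = "<HHBBHQI4x"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 24
HEADER_SIZE = 8                              # ULONG NumberOfHandles, padded so the entry array is pointer-aligned

def parse_handle_table(buf: bytes) -> List[Dict[str, int]]:
    """Decode a SystemHandleInformation buffer into per-handle dicts.
    Caveat: UniqueProcessId is a USHORT here, so PIDs above 65535 are truncated."""
    count = struct.unpack_from("<I", buf, 0)[0]
    entries = []
    for i in range(count):
        pid, _bt, otype, attrs, hval, obj, access = struct.unpack_from(
            ENTRY_FMT, buf, HEADER_SIZE + i * ENTRY_SIZE)
        entries.append({"pid": pid, "type_index": otype, "attributes": attrs,
                        "handle": hval, "object": obj, "access": access})
    return entries

def kernel_objects_for_pid(entries: List[Dict[str, int]], pid: int) -> List[int]:
    """The leaked part: kernel-mode object addresses any user can read for the given PID."""
    return sorted({e["object"] for e in entries if e["pid"] == pid})

def build_sample_buffer(rows) -> bytes:
    """Constructed input: rows of (pid, type_index, attrs, handle, object_addr, access)."""
    body = b"".join(struct.pack(ENTRY_FMT, pid, 0, otype, attrs, hval, obj, acc)
                    for pid, otype, attrs, hval, obj, acc in rows)
    return struct.pack("<I4x", len(rows)) + body

def query_live_handle_table() -> List[Dict[str, int]]:
    """Windows only: grow the buffer until the call stops returning STATUS_INFO_LENGTH_MISMATCH."""
    ntdll = ctypes.WinDLL("ntdll")
    size = 0x10000
    while True:
        buf = ctypes.create_string_buffer(size)
        needed = ctypes.c_ulong(0)
        status = ntdll.NtQuerySystemInformation(SystemHandleInformation, buf, size,
                                                ctypes.byref(needed)) & 0xFFFFFFFF
        if status == STATUS_INFO_LENGTH_MISMATCH:
            size = max(size * 2, needed.value + 0x1000)   # table grows between calls; over-allocate
            continue
        if status != 0:
            raise OSError(f"NtQuerySystemInformation failed: NTSTATUS 0x{status:08X}")
        return parse_handle_table(buf.raw)
```

On a Windows host, `query_live_handle_table()` returns the same per-process handle list ProcessHacker shows, object addresses included, from an unprivileged process.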
Write Null (blog): https://wafzsucks.medium.com/hacksys-extreme-vulnerable-driver-arbitrary-write-null-new-solution-7d45bfe6d116
Listing Open Handles and Finding Kernel Object Addresses (blog): https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland
SharpHandler: https://github.com/jfmaes/SharpHandler
Undocumented SYSTEM_HANDLE_INFORMATION: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle.htm

New Signal: Visual Studio Cobalt Strike BOF Template - Visualized by ASATA

ASATA has become interested (because of growing human momentum) and ingested a repo (securifybv/Visual-Studio-BOF-template) which streamlines the offensive extensibility of Cobalt Strike by templating Beacon Object Files (BOFs). ASATA has profiled the Windows functions and parameters within these templates and example code by MITRE ID type, articulating the different offensive behaviors they represent. The recent (~1 year) trend of porting Windows tradecraft to BOFs is making tradecraft more accessible to less sophisticated operators; this repo exemplifies that. Some of the very same COM interfaces we have been investigating (based on ASATA offensive trend analytics) have been put into this template's example functionality. Something we learned while investigating this repo is the ability to use a COM interface (IAppIdPolicyHandler) to enumerate AppLocker policy instead of PowerShell's Get-AppLockerPolicy. This is actually a quite obscure tactic (in our dataset, anyway), as we see only one instance of it while searching across a million offensively called Windows functions.
BOF Templates: https://github.com/securifybv/Visual-Studio-BOF-template
AppLocker Policy Enumeration in C (blog): https://ntamonsec.blogspot.com/2020/08/applocker-policy-enumeration-in-c.html

11/12/2021 COM Interfaces

CoCreateInstance is a pivotal API in the creation of COM objects. When used maliciously and with various parameters (referencing different interfaces), functionality that resides in components like Task Scheduler, BITS, WMI, etc. can be accessed via COM and used for things like persistence and privilege elevation. Below are some links to the documentation for the interfaces we see accessed frequently in offensive tools.

ITaskScheduler: https://docs.microsoft.com/en-us/windows/win32/api/mstask/nn-mstask-itaskscheduler
IFileOperation: https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nf-shobjidl_core-ifileoperation-copyitem
IBackgroundCopyManager: https://docs.microsoft.com/en-us/windows/win32/api/bits/nn-bits-ibackgroundcopymanager
IWbemLocator: https://docs.microsoft.com/en-us/windows/win32/api/wbemcli/nn-wbemcli-iwbemlocator
Creating an Object with COM: https://docs.microsoft.com/en-us/windows/win32/learnwin32/creating-an-object-in-com
HD Video: https://youtu.be/T6wLOVepnAA

11/4/2021 Down the Rabbit Hole with COM

Rabbit hole: looking into COM hijacking, I got lost down a rabbit hole and learned some cool things about CoCreateInstance, which is used within offensive tooling to load COM objects and also to access WMI functionality. In this video I use the analysis tools WinDbg, ASATA and ProcMon to check out some aspects of offensive COM usage.
I'm hoping some of these linked resources can be useful jump-off points. Much more to explore...