11/21/2021

Leaking Kernel Memory from User Space Using NtQuerySystemInformation as a Low Priv User

I read an interesting blog (linked below) on exploiting an Arbitrary Write NULL vulnerability, which used NtQuerySystemInformation as a low privilege user to leak SYSTEM addresses/pointers (handle information). Finding this interesting, I turned to ASATA to see how prevalent this API call was in privilege attacks: extremely! Now I wanted to test this for myself and see how a low privileged user could access kernel memory (handle/object data) from user space, using NtQuerySystemInformation and the SYSTEM_HANDLE_INFORMATION structure.
 
I used ASATA to search for suitable callers of NtQuerySystemInformation (in either C++ or C#), finally settling on a function found in Jean-Francois's SharpHandler (linked below). After creating my binary, I had a look at what MDE (Microsoft Defender for Endpoint) saw. Interestingly enough, there was a benign warning for anomalous memory allocation, "NtProtectVirtualMemory", but no alerts (a possible detection opportunity for this kind of attack). Since I hadn't imported that function myself, it looks like NtQuerySystemInformation calls NtProtectVirtualMemory to change memory permissions and allow access from user space to kernel memory. I tried to confirm this with WinDbg, but it has been almost unusable since I upgraded to Windows 11: buggy!
 
In the video I show how I rapidly investigated the prevalence of this technique, quickly assembled a binary using ASATA's ability to search over a million offensive functions, compared my binary's output against ProcessHacker's, and then had a look at the binary in MDE's timeline.
 
Write Null (blog): https://wafzsucks.medium.com/hacksys-extreme-vulnerable-driver-arbitrary-write-null-new-solution-7d45bfe6d116
 
Listing Open Handles and Finding Kernel Object Addresses (Blog): https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/get-all-open-handles-and-kernel-object-address-from-userland
 
SharpHandler: https://github.com/jfmaes/SharpHandler
 
Undocumented SYSTEM_HANDLE_INFORMATION: https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle.htm
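As an added illustration (not code from this post, from SharpHandler, or from ASATA), here is an offline Python parser for the 64-bit SYSTEM_HANDLE_INFORMATION layout documented on the Geoff Chappell page linked above, run over a constructed buffer. It shows what a low privileged caller actually receives: one entry per open handle on the system, each carrying the kernel-mode address of the backing object, grouped here by owning PID. The x64 padding, the PIDs and the address values are assumed or constructed for the example, not taken from the post.

```python
# Offline parser for the 64-bit SYSTEM_HANDLE_INFORMATION buffer returned by
# NtQuerySystemInformation(SystemHandleInformation = 0x10). Layout: ULONG
# NumberOfHandles (+4 bytes padding on x64), then SYSTEM_HANDLE_TABLE_ENTRY_INFO
# Handles[], 24 bytes each: USHORT UniqueProcessId; USHORT CreatorBackTraceIndex;
# UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; PVOID Object;
# ULONG GrantedAccess (+4 bytes tail padding).
import struct
from dataclasses import dataclass

ENTRY_FMT = "<HHBBHQI4x"                 # little-endian, padding made explicit
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 24
HEADER_SIZE = 8
KERNEL_VA_START = 0xFFFF800000000000     # start of the x64 kernel-mode address half

@dataclass(frozen=True)
class HandleEntry:
    pid: int
    object_type_index: int
    handle_attributes: int
    handle_value: int
    object: int          # kernel-mode address of the object body
    granted_access: int

def parse_handle_information(buf: bytes) -> list[HandleEntry]:
    # A buffer shorter than NumberOfHandles implies is what a real caller sees as
    # STATUS_INFO_LENGTH_MISMATCH; it must grow the buffer and call again.
    (count,) = struct.unpack_from("<I", buf, 0)
    needed = HEADER_SIZE + count * ENTRY_SIZE
    if len(buf) < needed:
        raise ValueError(f"buffer too small: have {len(buf)} bytes, need {needed}")
    entries = []
    for off in range(HEADER_SIZE, needed, ENTRY_SIZE):
        pid, _bt, typ, attr, hval, obj, acc = struct.unpack_from(ENTRY_FMT, buf, off)
        entries.append(HandleEntry(pid, typ, attr, hval, obj, acc))
    return entries

def kernel_objects_by_pid(entries: list[HandleEntry]) -> dict[int, list[int]]:
    # Kernel addresses disclosed per owning PID: what any unprivileged caller learns.
    out: dict[int, list[int]] = {}
    for e in entries:
        if e.object >= KERNEL_VA_START:
            out.setdefault(e.pid, []).append(e.object)
    return out

def sample_buffer() -> bytes:
    # Constructed test data, not captured from a real system: three handle entries.
    rows = [  # pid, backtrace, type, attrs, handle, object, access
        (4,    0, 0x07, 0x00, 0x0004, 0xFFFF9B8A12345600, 0x001F0FFF),
        (1234, 0, 0x25, 0x02, 0x001C, 0xFFFF9B8A12345D40, 0x00100000),
        (1234, 0, 0x25, 0x00, 0x0020, 0xFFFF9B8A12345E80, 0x001F0001),
    ]
    return struct.pack("<I4x", len(rows)) + b"".join(struct.pack(ENTRY_FMT, *r) for r in rows)
```

On a 32-bit process the entry is 16 bytes (4-byte PVOID, no tail padding) and the array starts at offset 4, so the format strings above would need adjusting for x86.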
 
 
#infosec #cybersecurity #informationsecurity #threatintelligence #networksecurity #sec #security #tools #offensivesecurity #pentesting #redteam #blueteam

