系統(tǒng)中錯(cuò)誤句柄引用所引發(fā)漏洞

windows系統(tǒng)中錯(cuò)誤的句柄引用所引發(fā)的漏洞

目錄背景知識(shí)隱患與漏洞漏洞的利用漏洞的防范2背景知識(shí)句柄與對(duì)象3對(duì)象實(shí)例對(duì)象實(shí)例對(duì)象管理器內(nèi)核層對(duì)象句柄用戶層背景知識(shí)DDK中的函數(shù)ObReferenceObjectByHandleObOpenObjectByPointer4背景知識(shí)ObReferenceObjectByHandle函數(shù)的原型NTSTATUSObReferenceObjectByHandle(

INHANDLEHandle,

INACCESS_MASKDesiredAccess,

INPOBJECT_TYPEObjectTypeOPTIONAL,

INKPROCESSOR_MODEAccessMode,

OUTPVOID*Object,

OUTPOBJECT_HANDLE_INFORMATION HandleInformationOPTIONAL

);5背景知識(shí)ObReferenceObjectByHandle用法 status=ObReferenceObjectByHandle(handle, GENERIC_ALL, NULL, KernelMode, &fileObject,

NULL); if(NT_SUCCESS(status)){ //與對(duì)象相關(guān)操作 … }6隱患與漏洞場景應(yīng)用程序與內(nèi)核的同步應(yīng)用層創(chuàng)建事件對(duì)象核心層通過句柄獲得對(duì)象完成事件同步7隱患與漏洞應(yīng)用層代碼 eventHandle=CreateEvent(NULL,TRUE,FALSE,NULL);

rc=DeviceIoControl(deviceHandle,

IOCTL_INIT_EVENT, &eventHandle, sizeof(eventHandle), NULL, 0, &returnSize);8隱患與漏洞核心層的代碼status=ObReferenceObjectByHandle(*(PHANDLE)InputBuffer, GENERIC_ALL, NULL, KernelMode, (PVOID*)&eventObject, NULL);If(NT_SUCCESS(status)){

//與對(duì)象相關(guān)操作 KeClearEvent(eventObject);

….}9隱患與漏洞漏洞在哪里?ObReferenceObjectByHandle函數(shù)的參數(shù)檢查

if((ObjectHeader->Type==ObjectType)||(ObjectType==NULL)){ …. if((SeComputeDeniedAccesses(GrantedAccess,DesiredAccess)||(AccessMode==KernelMode)){ … }}10隱患與漏洞漏洞在哪里?安全隱患ObjectType賦值為NULL時(shí)可返回任意類型的有效對(duì)象應(yīng)用層傳遞的對(duì)象類型并不明確不能獲得期待的對(duì)象11隱患與漏洞漏洞在哪里?KeClearEvent的實(shí)現(xiàn)

kd>uKeClearEventnt!KeClearEvent:804faf168bffmovedi,edi804faf1855pushebp804faf198becmovebp,esp804faf1b8b4508moveax,dwordptr[ebp+8]804faf1e83600400anddwordptr[eax+4],0804faf225dpopebp804faf23c20400ret412隱患與漏洞漏洞的形成ObReferenceObjectByHandle的錯(cuò)誤使用與KeClearEvent函數(shù)的調(diào)用形成了安全漏洞對(duì)象的不正確操作造成對(duì)象體的破壞13隱患與漏洞漏洞的形成內(nèi)核對(duì)象被破壞，從而形成漏洞14

對(duì)象體+0+4

被改寫為0+8+c+10+14+18+1c+20隱患與漏洞漏洞的根源對(duì)函數(shù)缺乏理解人員的疏忽傳入不合理的參數(shù)操作了不期待的對(duì)象15漏洞的利用漏洞的利用挑選一顆合適的子彈構(gòu)造有利的利用環(huán)境讓子彈安全的飛往目標(biāo)從目標(biāo)安全的返回16漏洞的利用利用場景中的漏洞使用_FILE_OBJECT作為子彈_KEVENT對(duì)象與_FILE_OBJECT對(duì)象的對(duì)比17漏洞的利用_KEVENTkd>dtnt!_kevent-r +0x000Header:_DISPATCHER_HEADER +0x000Type:UChar +0x001Absolute:UChar +0x002Size:UChar +0x003Inserted:UChar +0x004SignalState:Int4B +0x008WaitListHead:_LIST_ENTRY18漏洞的利用_FILE_OBJECTkd>dtnt!_file_object +0x000Type:Int2B +0x002Size:Int2B +0x004DeviceObject:Ptr32_DEVICE_OBJECT +0x008Vpb:Ptr32_VPB +0x00cFsContext:Ptr32Void +0x010FsContext2:Ptr32Void +0x014SectionObjectPointer:Ptr32 ……19漏洞的利用_FILE_OBJECT的影響典型的I/O處理流程20設(shè)備驅(qū)動(dòng)程序I/O管理器I/O系統(tǒng)服務(wù)API用戶模式API內(nèi)核層應(yīng)用層漏洞的利用_FILE_OBJECT的影響I/O管理器關(guān)聯(lián)_FILE_OBJECT與設(shè)備對(duì)象IoGetRelatedDeviceObject函數(shù)21漏洞的利用_FILE_OBJECT的影響IoGetRelatedDeviceObject函數(shù)對(duì)于文件返回FileObject->Vpb->DeviceObject的設(shè)備棧頂層對(duì)象對(duì)于磁盤設(shè)備返回FileObject->DeviceObject->Vpb->DeviceObject的設(shè)備棧頂層對(duì)象對(duì)于其他類型返回FileObject->DeviceObject的設(shè)備棧頂層對(duì)象22漏洞的利用_FILE_OBJECT的影響破壞后_FILE_OBJECT所關(guān)聯(lián)的設(shè)備對(duì)象為空形成了空指針引用的漏洞可導(dǎo)致運(yùn)行任意ring0代碼23漏洞的利用偽造設(shè)備對(duì)象24文件對(duì)象…設(shè)備對(duì)象…虛擬地址空間0-0x1000設(shè)備對(duì)象漏洞的利用_DEVICE_OBJECT的結(jié)構(gòu)0:kd>dt_DEVICE_OBJECTnt!_DEVICE_OBJECT+0x000Type:Int2B+0x002Size:Uint2B+0x004ReferenceCount:Int4B+0x008DriverObject:Ptr32_DRIVER_OBJECT+0x00cNextDevice:Ptr32_DEVICE_OBJECT+0x010AttachedDevice:Ptr32_DEVICE_OBJECT+0x014CurrentIrp:Ptr32_IRP+0x018Timer:Ptr32_IO_TIMER……25漏洞的利用_DRIVER_OBJECT的結(jié)構(gòu)0:kd>dt_driver_objectnt!_DRIVER_OBJECT+0x000Type:Int2B+0x002Size:Int2B+0x004DeviceObject:Ptr32_DEVICE_OBJECT……+0x028FastIoDispatch:Ptr32_FAST_IO_DISPATCH+0x02cDriverInit:Ptr32long+0x030DriverStartIo:Ptr32void+0x034DriverUnload:Ptr32void+0x038MajorFunction:[28]Ptr32long26漏洞的利用偽造驅(qū)動(dòng)對(duì)象27偽造的設(shè)備對(duì)象…驅(qū)動(dòng)對(duì)象的指針偽造的驅(qū)動(dòng)對(duì)象…MajorFunction[IRP_MJ_CREATE]…漏洞的利用實(shí)現(xiàn)dispatch函數(shù)fastcall的調(diào)用方式函數(shù)的參數(shù)正確的處理irp在應(yīng)用調(diào)用I/O處理函數(shù)避免復(fù)雜，一切從簡CloseHandle與IRP_MJ_CLEANUP28漏洞的利用通過對(duì)設(shè)備進(jìn)行I/O操作來獲得控制權(quán)29內(nèi)核設(shè)備I/