
ntdll!LdrHotPatchRoutine & DEP / ASLR bypass (MS13-063)

Yesterday, Microsoft released a set of security updates for its products, among them MS13-063, which closes a way of bypassing the "mitigating" exploitation mechanisms DEP & ASLR. Techniques for bypassing these mechanisms in exploits were demonstrated by NSFocus Security Labs researchers at CanSecWest and by VUPEN at Pwn2Own 2013.



We have already written about EMET v4, which added the ability to counter the use of the ntdll!LdrHotPatchRoutine method for loading the code of a desired library into memory, thus bypassing the restrictions imposed by DEP & ASLR. LdrHotPatchRoutine is used by the OS as part of hot patching (repairing components without rebooting) and allows dynamic libraries to be loaded from various locations, including the network (via UNC paths). MS13-063 introduces a fix in the OS itself, similar in capabilities to the one demonstrated in EMET.






Exploitation of LdrHotPatchRoutine is closely tied to an ASLR bypass based on the well-known UserSharedData structure (KUSER_SHARED_DATA), which is mapped at hard-coded addresses in user mode (0x7ffe0000) and in kernel mode (0xffdf0000). The structure gives OS components running in user mode and in the kernel fast access to shared service data (debug information, timer information, OS version, etc.). Using some of the function pointers stored in UserSharedData, an attacker can quickly determine the address of a desired function. In particular, 64-bit versions of Windows prior to Windows 8 stored in this structure pointers to functions of the 32-bit ntdll, which the OS uses for WoW64.







Thus, the described technique of exploiting UserSharedData together with LdrHotPatchRoutine comes down to the attacker's ability to call the undocumented function LdrHotPatchRoutine with the required argument through one of the pointers in UserSharedData, which renders DEP & ASLR useless. MS13-063 aims to remove that pointer from UserSharedData so that an attacker cannot predict the address of LdrHotPatchRoutine. The screenshot below shows part of UserSharedData, where it can be seen that the update has also removed the other function pointers from the structure (to prevent their possible exploitation in the future).







The function pointers have been moved into the ntdll!LdrSystemDllInitBlock structure, i.e. placed under the protection of ASLR, which rules out disclosure of their addresses in the future.
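As an added example (not code from the Habr post or from Microsoft), the following helper inspects a snapshot of KUSER_SHARED_DATA and reports whether the Wow64SharedInformation slots, where pre-Windows-8 x64 builds kept pointers into the 32-bit ntdll, are still populated. The field offsets (0x26C NtMajorVersion, 0x270 NtMinorVersion, 0x2D4 KdDebuggerEnabled, 0x340 Wow64SharedInformation[16]) are assumed from the public layout of the structure for NT 5.2 to 6.1 and should be checked against your build's symbols; the sample snapshots are constructed, not real memory dumps. The only thing it needs from the page is the fixed user-mode address 0x7ffe0000.

```python
"""Audit helper for KUSER_SHARED_DATA (added example, not the post's code).

Parses a byte snapshot of the structure and reports which
Wow64SharedInformation slots still hold a non-zero value. On a system
patched with MS13-063 the slot that used to expose LdrHotPatchRoutine
should no longer be populated. All offsets are assumptions taken from
the public layout for NT 5.2-6.1.
"""
import struct
import sys

KUSER_SHARED_DATA_ADDR = 0x7FFE0000   # fixed user-mode mapping (from the page)
SNAPSHOT_SIZE = 0x400                 # covers every field inspected below

# Assumed field offsets (public layout, NT 5.2-6.1); verify against symbols.
OFF_NT_MAJOR_VERSION = 0x26C          # ULONG NtMajorVersion
OFF_NT_MINOR_VERSION = 0x270          # ULONG NtMinorVersion
OFF_KD_DEBUGGER_ENABLED = 0x2D4       # BOOLEAN KdDebuggerEnabled
OFF_WOW64_SHARED_INFO = 0x340         # ULONG Wow64SharedInformation[16]
WOW64_SLOT_COUNT = 16


def parse_shared_data(snapshot: bytes) -> dict:
    """Extract version, debugger flag and populated Wow64 pointer slots."""
    if len(snapshot) < SNAPSHOT_SIZE:
        raise ValueError("snapshot too short: need at least 0x%x bytes" % SNAPSHOT_SIZE)
    (major,) = struct.unpack_from("<I", snapshot, OFF_NT_MAJOR_VERSION)
    (minor,) = struct.unpack_from("<I", snapshot, OFF_NT_MINOR_VERSION)
    kd_enabled = snapshot[OFF_KD_DEBUGGER_ENABLED] != 0
    slots = struct.unpack_from("<%dI" % WOW64_SLOT_COUNT, snapshot, OFF_WOW64_SHARED_INFO)
    populated = {i: v for i, v in enumerate(slots) if v != 0}
    return {
        "version": (major, minor),
        "kd_debugger_enabled": kd_enabled,
        "populated_wow64_slots": populated,
    }


def code_pointers_exposed(snapshot: bytes):
    """True if any Wow64SharedInformation slot is populated.

    Returns None for versions outside 5.2-6.1, where the array layout is
    not assumed to apply (Windows 8 and later changed this region).
    """
    info = parse_shared_data(snapshot)
    major, minor = info["version"]
    if (major, minor) not in ((5, 2), (6, 0), (6, 1)):
        return None
    return bool(info["populated_wow64_slots"])


def read_live_snapshot() -> bytes:
    """Read the live structure from the current process (Windows only).

    The page is mapped read-only into every process at the fixed address,
    so reading it is safe; on other platforms nothing is mapped there.
    """
    if not sys.platform.startswith("win"):
        raise OSError("KUSER_SHARED_DATA is only mapped on Windows")
    import ctypes
    return ctypes.string_at(KUSER_SHARED_DATA_ADDR, SNAPSHOT_SIZE)


def make_snapshot(major: int, minor: int, kd_enabled: bool, slots) -> bytes:
    """Build a constructed snapshot for offline testing (not a real dump)."""
    buf = bytearray(SNAPSHOT_SIZE)
    struct.pack_into("<I", buf, OFF_NT_MAJOR_VERSION, major)
    struct.pack_into("<I", buf, OFF_NT_MINOR_VERSION, minor)
    buf[OFF_KD_DEBUGGER_ENABLED] = 1 if kd_enabled else 0
    for i, value in enumerate(slots):
        struct.pack_into("<I", buf, OFF_WOW64_SHARED_INFO + 4 * i, value)
    return bytes(buf)


# Constructed sample values: a Windows 7 x64 layout before and after the fix.
UNPATCHED = make_snapshot(6, 1, False, [0x77000000, 0x77001234, 0x77005678])
PATCHED = make_snapshot(6, 1, False, [0] * WOW64_SLOT_COUNT)


if __name__ == "__main__":
    try:
        snap = read_live_snapshot()
    except OSError:
        snap = UNPATCHED  # fall back to the constructed sample off Windows
    print(parse_shared_data(snap))
    print("32-bit ntdll pointers exposed:", code_pointers_exposed(snap))
```

Run it on the affected Windows builds to read the live page; elsewhere it falls back to the constructed sample. The version gate matters: on Windows 8 and later the same offsets no longer describe this array, so a non-zero value there is not evidence of an exposed pointer.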







http://blogs.technet.com/b/srd/archive/2013/08/12/mitigating-the-ldrhotpatchroutine-dep-aslr-bypass-with-ms13-063.aspx

Source: https://habr.com/ru/post/190016/
