Advisory on the two 0day vulnerabilities fixed in May 2015

Published: 2015-05-13 00:00:00
Author: 佚名 (anonymous)
Source: www.myhack58.com

On 12 May 2015 Microsoft shipped its May Patch Tuesday release, which includes security updates for IE, the Windows kernel, Windows kernel-mode drivers, Office and other components. Two 0day vulnerabilities were fixed this month:

MS15-052 fixes a security feature bypass vulnerability in the Windows kernel: CVE-2015-1674 (https://technet.microsoft.com/en-us/library/security/MS15-052).

MS15-051 fixes elevation-of-privilege vulnerabilities in Windows kernel-mode drivers: CVE-2015-1701 (https://technet.microsoft.com/en-us/library/security/MS15-051). This one also caught our attention.

After confirmation: CVE-2015-1674 is a kernel KASLR bypass vulnerability that the author found in 2014. CVE-2015-1701 is the kernel privilege-escalation 0day described in FireEye's Operation RussianDoll report of 18 April 2015, which the Russian APT28 group used in highly targeted attacks. At the same time Microsoft's patch went live, hfiref0x from the Russian security community kernelmode.info published complete exploit code for CVE-2015-1701 on GitHub: https://github.com/hfiref0x/CVE-2015-1701. In this post the author discusses the principles, details and fixes of the two 0days patched this month, along with some surrounding information.
0x01 CVE-2015-1674 / MS15-052
Vulnerability information
MS15-052 is the security update for CNG.sys that Microsoft released to fix CVE-2015-1674. The vulnerability itself is not new: the author described it last October, when Microsoft released the first Windows 10 preview build (9860), in a post at http://weibo.com/1648808737/BpGpHhEyD. CVE-2015-0010 / MS15-010 (https://technet.microsoft.com/library/security/MS15-010) is the same issue; CVE-2015-1674 is what was left over because Microsoft's fix for CVE-2015-0010 was incomplete.
After the Windows 10 preview came out, the author tested two KASLR bypass vulnerabilities on it. One is the bypass j00ru presented at NoSuchCon 2013 (http://j00ru.vexillium.org/blog/21_05_13/nsc2013_slides.pdf), which abuses the kernel's KiTrap01 handling of the debug exception to infer kernel addresses. The other is a then-undisclosed KASLR bypass in CNG.sys that the author found in 2014 while reversing the Windows 8.1 kernel. When preview build 9860 was released, neither had been fixed.
Because the CNG.sys device (\Device\CNG) is one of the few devices whose DACL grants access to ALL APPLICATION PACKAGES, even a highly isolated AppContainer process can open it freely, and the issue affects both x86 and x64 systems (j00ru's bypass only works on x86), so the CNG.sys bypass is the more practical of the two. It was one of the kernel vulnerabilities/weaknesses the 360Vulcan Team kept in reserve for Pwn2Own-style contests. Since Microsoft's attitude towards KASLR bypasses has been fairly ambiguous (j00ru's bypass is still unfixed in the latest Windows 10 build, 10074), the author did not report this vulnerability to Microsoft. The CVE-2015-1674 in this Patch Tuesday is the vulnerability referred to here.
Perhaps because the vulnerability affects IE and Spartan running in EPM (Enhanced Protected Mode, which relies mainly on AppContainer for protection), Microsoft decided to fix it in a new Windows 10 build: in build 9926, released in January 2015, Microsoft quietly and completely fixed it, and on the February Patch Tuesday it also pushed MS15-010 to the equally affected Windows 8 / 8.1 / Server 2012 / Server 2012 R2 in an attempt to fix the problem there.
Interestingly, although Microsoft assigned CVE-2015-0010 in MS15-010, that fix did not completely solve the problem, and the vulnerability was eventually used by the Korean contestant lokihardt at Pwn2Own 2015 to compromise the Windows kernel. It was because of Pwn2Own 2015 that Microsoft released MS15-052 for the vulnerability again, under the new number CVE-2015-1674. In fact this "new" vulnerability is almost exactly the same problem as CVE-2015-0010, a leftover of the incomplete fix. What is hard to understand is that in Windows 10 build 9926, CVE-2015-0010 and CVE-2015-1674 were fixed in one go. Microsoft's patch development and management during Windows 10 development seems to have suffered from negligence and confusion, which led to the present problem.
ZDI has published some details of this vulnerability on its website: http://www.zerodayinitiative.com/advisories/ZDI-15-189/. Since the attack surface of cng.sys is small, an experienced security researcher could fairly easily rediscover the details from that information alone, so the author describes the vulnerability directly here.
Vulnerability details
The vulnerability lies in the device control (IOCTL) handling code of cng.sys. CNG.SYS is Microsoft's Cryptography Next Generation kernel driver; through device control (DeviceControl) and exported functions it offers a large number of cryptography-related interfaces. Like many Windows kernel drivers, its device control handler mixes control functions meant for other kernel drivers with functions open to user-mode programs. This is a frequent source of kernel security vulnerabilities: in the author's ISC 2014 talk on the kernel protection in 360 XP Shield Armor 3.0, a KASLR bypass through driver control interfaces was mentioned that had affected Windows itself and still affects many important third-party drivers, and it is the same kind of problem.
What makes CNG.sys special is that when it creates its device (\Device\CNG) it calls ObSetSecurityObjectByPointer to give the device a special security descriptor granting ALL APPLICATION PACKAGES full control. Anyone with a passing understanding of Microsoft's AppContainer/EPM mechanism will know that with this DACL even the sandboxed rendering process of IE or Spartan can open CNG directly. The evident purpose is to let every process reach its interfaces, so the driver's IRP_MJ_CREATE handler allows any open without performing any check. In other words, the CNG.SYS interfaces are freely accessible even from processes protected by IE/Spartan Protected Mode or Enhanced Protected Mode.
In the CNG.SYS device control code, several control codes, such as 0x39024, 0x39040, 0x39044, 0x39048 and 0x39064, are dedicated to use by external drivers. They return to the caller the addresses of a series of functions implemented inside CNG, including FIPS SHA, FIPS 3DES, HMAC MD5, FIPS GenRandom, SSL encryption/decryption and key management, and the BCrypt family of interfaces. An external driver can thus call these function pointers directly to perform the associated cryptographic operations without implementing them itself.
The problem is that for these interfaces, intended for kernel-mode drivers, there is no check of whether the IRP originated in kernel mode, so a user-mode program can invoke the same control codes through DeviceIoControl and obtain these function addresses just as a driver would. Of course a user-mode program cannot call the functions, but combined with the layout of the CNG.SYS image it can compute the cng.sys base address and the locations of related key data, completely bypassing KASLR, Microsoft's kernel address-space randomization.
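The pattern above (a control code reserved for drivers that hands back internal function pointers, plus the missing check on where the IRP came from) can be modelled in portable C. The following is an added example, not code from cng.sys or from the article's author: it simulates the dispatch routine with a constructed Irp, shows the KASLR bypass (subtracting a known RVA from a leaked pointer recovers the image base) and, beside it, the usual defensive check of refusing requests whose RequestorMode is UserMode. The control code 0x39024 is taken from the text; the output-buffer layout, the RVAs, the function count and the load address are assumptions for the model, and the fixed variant shows a standard mitigation rather than Microsoft's actual patch.

```c
/* Added example: a user-mode model of the cng.sys IOCTL dispatch pattern.
 * Not cng.sys code. Control code 0x39024 comes from the article; the output
 * layout, the RVAs and the kernel load address below are assumed values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models KPROCESSOR_MODE, which the kernel records in Irp->RequestorMode. */
typedef enum { KernelMode = 0, UserMode = 1 } ProcessorMode;

typedef uint32_t NTSTATUS_MODEL;
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_ACCESS_DENIED          0xC0000022u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* One of the driver-only control codes named in the text. */
#define IOCTL_CNG_EXPORT_TABLE 0x39024u

/* Assumed RVAs of three internal routines inside the cng.sys image. An
 * attacker reads the real RVAs from the on-disk cng.sys, which any user can
 * open; under KASLR only the load address is secret. */
#define EXPORT_COUNT 3
static const uint32_t kExportRva[EXPORT_COUNT] = { 0x1A240u, 0x1B010u, 0x22F80u };

typedef struct { uint64_t image_base; } CngDriver;   /* randomized load address */

typedef struct {
    uint32_t      ioctl;          /* IoControlCode */
    ProcessorMode requestor_mode; /* Irp->RequestorMode */
    uint64_t     *out;            /* output buffer */
    size_t        out_len;        /* output buffer length in bytes */
} Irp;

typedef NTSTATUS_MODEL (*DispatchFn)(const CngDriver *, Irp *);

/* The pattern the article describes: the table is filled for any caller,
 * kernel or user mode, because RequestorMode is never consulted. */
static NTSTATUS_MODEL dispatch_vulnerable(const CngDriver *drv, Irp *irp)
{
    if (irp->ioctl != IOCTL_CNG_EXPORT_TABLE)
        return STATUS_INVALID_DEVICE_REQUEST;
    if (irp->out_len < EXPORT_COUNT * sizeof(uint64_t))
        return STATUS_BUFFER_TOO_SMALL;
    for (size_t i = 0; i < EXPORT_COUNT; i++)
        irp->out[i] = drv->image_base + kExportRva[i];   /* kernel pointers leak */
    return STATUS_SUCCESS;
}

/* Standard mitigation for driver-only control codes: refuse the request
 * unless the IRP was issued from kernel mode. */
static NTSTATUS_MODEL dispatch_fixed(const CngDriver *drv, Irp *irp)
{
    if (irp->ioctl == IOCTL_CNG_EXPORT_TABLE && irp->requestor_mode != KernelMode)
        return STATUS_ACCESS_DENIED;
    return dispatch_vulnerable(drv, irp);
}

/* The KASLR bypass: a leaked pointer minus its known RVA is the image base. */
static uint64_t recover_image_base(const uint64_t *leaked, size_t index)
{
    return leaked[index] - kExportRva[index];
}

/* Issues the request as a caller running in `mode` (an AppContainer process
 * can open the device because of its DACL) and records what it learns. */
static NTSTATUS_MODEL run_request(DispatchFn handler, ProcessorMode mode,
                                  uint64_t true_base, uint64_t *recovered)
{
    CngDriver drv = { true_base };
    uint64_t buf[EXPORT_COUNT] = { 0 };
    Irp irp = { IOCTL_CNG_EXPORT_TABLE, mode, buf, sizeof buf };
    NTSTATUS_MODEL status = handler(&drv, &irp);
    *recovered = (status == STATUS_SUCCESS) ? recover_image_base(buf, 0) : 0;
    return status;
}

/* Status a caller in the given mode gets back from the handler. */
static NTSTATUS_MODEL request_status(DispatchFn handler, ProcessorMode mode, uint64_t true_base)
{
    uint64_t unused;
    return run_request(handler, mode, true_base, &unused);
}

/* Image base a caller in the given mode can recover, or 0 if refused. */
static uint64_t recovered_base(DispatchFn handler, ProcessorMode mode, uint64_t true_base)
{
    uint64_t base;
    run_request(handler, mode, true_base, &base);
    return base;
}

int main(void)
{
    uint64_t base = 0xFFFFF80001234000ull;   /* assumed random load address */
    printf("vulnerable handler, user-mode caller recovers base: 0x%llx\n",
           (unsigned long long)recovered_base(dispatch_vulnerable, UserMode, base));
    printf("fixed handler, user-mode caller status: 0x%08x, base: 0x%llx\n",
           request_status(dispatch_fixed, UserMode, base),
           (unsigned long long)recovered_base(dispatch_fixed, UserMode, base));
    printf("fixed handler, kernel-mode caller status: 0x%08x\n",
           request_status(dispatch_fixed, KernelMode, base));
    return 0;
}
```

In a real driver the equivalent of the `requestor_mode` check is reading `Irp->RequestorMode` in the dispatch routine (or, for METHOD_NEITHER requests, `ExGetPreviousMode`); an alternative is to expose driver-only functionality through exports or a registration callback rather than through IOCTLs on a device that user mode can open at all. The RVAs themselves offer no protection, since the attacker computes them from the installed cng.sys on disk.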
