The Kernel is calling a zero(day) pointer – CVE-2013-5065 – Ring Ring

SpiderLabs investigates a number of suspicious binary files on a daily basis. A week ago we came across a PDF file that exploited two different vulnerabilities: a remote code execution vulnerability in Adobe Reader and a new escalation-of-privileges vulnerability in the Windows kernel.

Just recently we confirmed that the new escalation-of-privileges zero day (CVE-2013-5065) has been delivered in the wild using CVE-2013-3346 as a container. Our goal in this blog post is to raise public awareness by describing the technical details behind this recent kernel zero day. We've tested the zero day on Windows XP and Server 2003 only.


What would a PDF file have to do with a kernel vulnerability?

These days, Adobe Reader is safer to use because Adobe did a good job implementing an additional layer of security: the sandbox.

Any code running in the renderer of recent Adobe Reader versions is sandboxed and constrained by a policy. This means that even after a successful exploitation of the renderer, the injected code is contained and the attacker's shellcode runs with limited privileges (e.g., it cannot launch a new process). More details about the Adobe Reader sandbox can be found here.

At this time, the sandbox can be bypassed in one of the following ways:

  1. A broker vulnerability (Adobe Reader)
  2. A kernel vulnerability

The investigated sample exploited CVE-2013-3346 (Adobe Reader ToolButton Remote Code Execution Vulnerability) using a heap spray and ROP in order to gain code execution in the context of Adobe Reader. The shellcode then exploits the kernel zero day in order to bypass the sandbox and deliver the final payload (a Trojan/virus executable).


The Shellcode

First, let's outline the stages of this attack:

  1. Obtain enough information about the process context to resolve the addresses of library functions (ReadFile, CreateFile, WinExec, etc.) via the Process Environment Block.

  2. Allocate memory at address 0x0 (ZwAllocateVirtualMemory); this page will later be executed by the kernel (explained in more detail below).

  3. Pad the allocated page (at 0x0) with 0x0EF5 NOPs.

    [Screenshot: shellcode padding the page at 0x0 with NOPs]

  4. Copy a small portion of the shellcode (offsets 0x303-0x40E) to address 0x00000EF5. These copied opcodes will later be executed by privileged kernel code to elevate permissions and bypass the sandbox.

    [Screenshot: shellcode copying the ring 0 stage to 0xEF5]

  5. Get a handle to the vulnerable NDProxy driver (using CreateFile).

  6. Trigger the zero day (CVE-2013-5065) by sending an arbitrary TAPI control function. After this stage the sandbox is bypassed and the Adobe renderer process is running as SYSTEM; the details are under "The Kernel Vulnerability - CVE-2013-5065 - Ringing 0 Using TAPI" below.

    [Screenshot: shellcode issuing the DeviceIoControl request to NDProxy]

    Back to user mode:

  7. Decode <<obj 4 0>> in the PDF file into an executable binary and save it to the %temp% folder.

  8. Execute the saved binary (Trojan/virus).


The Kernel Vulnerability - CVE-2013-5065 - Ringing 0 Using TAPI:

What is TAPI? From the Microsoft Developer Network, "[Telephony Application Programming Interface (TAPI)] is a set of APIs that simplify and abstract the details of making telephony connections between two or more devices."

NDProxy is a system-provided driver that allows us to perform various network operations with devices capable of telephony operations. Essentially, NDProxy is the user-mode entry point for telephony operations: a handle to NDProxy can be passed to the DeviceIoControl WinAPI in order to perform TAPI operations.

When DeviceIoControl is invoked with a handle to the NDProxy driver, the kernel calls the NDProxy!PxIODispatch function inside the driver. As the name suggests, this function is responsible for dispatching the I/O request to the matching handler (PxTapiLineBusy, PxTapiDial, PxTapiAnswer, etc.).

The DeviceIoControl Function:

BOOL WINAPI DeviceIoControl(
    _In_        HANDLE       hDevice,
    _In_        DWORD        dwIoControlCode,
    _In_opt_    LPVOID       lpInBuffer,
    _In_        DWORD        nInBufferSize,
    _Out_opt_   LPVOID       lpOutBuffer,
    _In_        DWORD        nOutBufferSize,
    _Out_opt_   LPDWORD      lpBytesReturned,
    _Inout_opt_ LPOVERLAPPED lpOverlapped
);

To reach the vulnerable flow, we first have to instruct the kernel to perform a TAPI operation. This is achieved by invoking the DeviceIoControl API with 0x8fff23c8 as its dwIoControlCode:

[Screenshot: the DeviceIoControl call with dwIoControlCode 0x8fff23c8]

To determine which TAPI operation to execute, PxIODispatch relies on the lpInBuffer structure supplied to DeviceIoControl. Consequently, we have to build a buffer with the value 0x7030125 at offset 0x14.

Let's take a look at the PxIODispatch instructions that determine which PxTapi function to execute:

mov eax, [esi+14h]        ; 0x7030125 (lpInBuffer+0x14)
sub eax, 7030101h         ; 0x7030125 - 0x7030101 = 0x24 -> eax
[...snip...]
NDProxy!PxIODispatch+0x21e:
eax=00000024
f78400b0 8d0440  lea eax,[eax+eax*2]   ; 0x24 + 0x24*2 = 0x6C
NDProxy!PxIODispatch+0x221:
f78400b3 c1e002  shl eax,2
kd> r eax
eax=000001b0
mov dword ptr [ebp+LockState.LockState], eax ; save the result for later use


Some Math:

eax + eax*2 = 3*eax

Therefore: (3 * (0x7030125 - 0x7030101)) * 4 = 3 * 0x24 * 4 = 0x1B0

This result is then used as an offset into a static function table to decide which PxTapi function will be executed.

A snippet from that table (which starts at 0x18188):

[Screenshot: the PxTapi function table starting at 0x18188]

The entry at [functionTable+0x1B0] lies outside the table boundaries, and the dword found there holds the value 0x38:

[Screenshot: the out-of-bounds entry at 0x18338 holding 0x38]

Eventually, the code tries to execute a function from the table by the given index (0x1b0 – the math result from above):

[Screenshot: the indexed call through the function table]

The above call resolves the pointer at 0x18338 (table+0x1B0), which holds 0x38 instead of a valid PxTapi function address, and then executes the code at 0x00000038.

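As an added illustration (this code is mine, not NDProxy's, Microsoft's or SpiderLabs'), the following C program decodes the control code 0x8fff23c8 into its CTL_CODE fields, reproduces the PxIODispatch index arithmetic from the disassembly above exactly as the driver performs it, and places a bounds-checked model of the same lookup beside it. The table size is a parameter and the request buffer is constructed here, because the post only shows where the table starts and which field of lpInBuffer matters; the checked version also rejects op codes below the base, which would otherwise wrap the subtraction to a huge index.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a Windows I/O control code as laid out by the WDK CTL_CODE macro:
   DeviceType (bits 31..16) | Access (bits 15..14) | Function (bits 13..2) | Method (bits 1..0). */
typedef struct {
    uint32_t device_type;
    uint32_t access;    /* 0 == FILE_ANY_ACCESS */
    uint32_t function;
    uint32_t method;    /* 0 == METHOD_BUFFERED */
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Values taken from the post. */
#define PX_TAPI_IOCTL       0x8fff23c8u  /* dwIoControlCode that reaches the TAPI path */
#define PX_TAPI_OP_BASE     0x07030101u  /* subtracted from the op code in PxIODispatch */
#define PX_TAPI_OP_SAMPLE   0x07030125u  /* op code the sample stores at lpInBuffer+0x14 */
#define PX_TAPI_OP_OFFSET   0x14u        /* where PxIODispatch reads the op code */
#define PX_TAPI_ENTRY_BYTES 12u          /* lea eax,[eax+eax*2] ; shl eax,2 => index * 12 */

/* The arithmetic exactly as the disassembly performs it, with no range check:
   ((op - base) * 3) << 2 in 32-bit unsigned arithmetic. */
uint32_t px_tapi_table_offset_unchecked(uint32_t op)
{
    uint32_t idx = op - PX_TAPI_OP_BASE;   /* sub eax, 7030101h */
    idx = idx + idx * 2;                   /* lea eax, [eax+eax*2] */
    return idx << 2;                       /* shl eax, 2 */
}

/* Bounds-checked model of the same lookup (my own code; neither NDProxy's nor
   Microsoft's fix). table_entries is a parameter because the post shows where the
   table starts (0x18188) but not how many entries it holds. Returns 0 and writes the
   byte offset on success, or a negative value when the request must be rejected
   before the table is indexed. */
int px_tapi_table_offset_checked(const uint8_t *in_buf, size_t in_len,
                                 size_t table_entries, uint32_t *offset_out)
{
    uint32_t op, idx;

    /* The op code lives at +0x14, so the caller's buffer must hold at least 0x18 bytes. */
    if (in_buf == NULL || offset_out == NULL ||
        in_len < PX_TAPI_OP_OFFSET + sizeof(uint32_t))
        return -1;
    memcpy(&op, in_buf + PX_TAPI_OP_OFFSET, sizeof op);

    /* An op code below the base would wrap the subtraction to a huge index, so
       compare the raw op code rather than the difference. */
    if (op < PX_TAPI_OP_BASE)
        return -2;

    /* Reject anything past the last entry: this is the check whose absence lets
       index 0x24 reach [table+0x1B0] in the post. */
    idx = op - PX_TAPI_OP_BASE;
    if (idx >= table_entries)
        return -3;

    *offset_out = idx * PX_TAPI_ENTRY_BYTES;
    return 0;
}

/* Constructed request buffer: 0x18 zero bytes with the op code at +0x14, which is
   the only field of lpInBuffer the post describes. */
size_t build_tapi_request(uint8_t *out, size_t cap, uint32_t op)
{
    size_t len = PX_TAPI_OP_OFFSET + sizeof(uint32_t);
    if (out == NULL || cap < len) return 0;
    memset(out, 0, len);
    memcpy(out + PX_TAPI_OP_OFFSET, &op, sizeof op);
    return len;
}

/* Build the request for op and run it through the checked lookup. */
int checked_lookup_for_op(uint32_t op, size_t table_entries, uint32_t *offset_out)
{
    uint8_t req[0x18];
    uint32_t off = 0;
    size_t n = build_tapi_request(req, sizeof req, op);
    int rc = px_tapi_table_offset_checked(req, n, table_entries, &off);
    if (offset_out) *offset_out = off;
    return rc;
}

int main(void)
{
    ioctl_fields f = decode_ioctl(PX_TAPI_IOCTL);
    printf("IOCTL 0x%08x: device 0x%x, function 0x%x, method %u, access %u\n",
           PX_TAPI_IOCTL, f.device_type, f.function, f.method, f.access);
    printf("unchecked table offset for op 0x%08x: 0x%x\n",
           PX_TAPI_OP_SAMPLE, px_tapi_table_offset_unchecked(PX_TAPI_OP_SAMPLE));
    /* 16 entries is an assumed table size for the demonstration. */
    printf("checked lookup, 16-entry table: rc=%d (negative means rejected)\n",
           checked_lookup_for_op(PX_TAPI_OP_SAMPLE, 16, NULL));
    return 0;
}
```

The unchecked function yields 0x1B0 for the sample's op code, matching the kd output above; the checked one rejects it as soon as the table is smaller than 0x25 entries, and a request whose op code is below 0x7030101 is rejected before the subtraction can wrap.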

BAM - Blue Screen

Here you can see the stack trace of the crash reproduced in our lab environment:

[Screenshot: kernel stack trace of the crash]

Back to Adobe Reader Vulnerability - what is being executed by the kernel?

Remember what the PDF shellcode already did? As described in "The Shellcode" section above, the shellcode already allocated the page at address 0x0 and filled it with a NOP sled followed by the ring 0 opcodes, so the memory at 0x38 lies inside that sled.

These opcodes are specially designed to run in ring 0; executing them uses the privileges of the kernel context to elevate the AcroRd32.exe (renderer) process in the following stages:

  • Call nt!PsLookupProcessByProcessId to get the EPROCESS structure of the sandboxed AcroRd32.exe (renderer) process.
  • Call nt!PsLookupProcessByProcessId again to get the EPROCESS structure of the "SYSTEM" process (PID 4).
    [Screenshot: ring 0 stage resolving both EPROCESS structures]
  • Replace the "AcroRd32.exe" EPROCESS Token with a copy of the "SYSTEM" process Token.
  • Clear the "AcroRd32.exe" EPROCESS Job field.

    [Screenshot: ring 0 stage replacing the Token and clearing the Job field]


At this point, the sandbox has been bypassed and the execution goes back to the user-mode context (AcroRd32.exe) to execute the embedded (obj4) Trojan/virus.

[Screenshot: return to user mode and execution of the embedded obj 4 payload]

Here's a C++ snippet, for those of you who want to see for yourself:

[Screenshot: C++ proof-of-concept snippet]

Trustwave's Secure Web Gateway blocks this attack out-of-the-box using its generic protection engine and did so without any additional updates.

Mitigation

Microsoft offers a solution for this issue here:
http://blogs.technet.com/b/msrc/archive/2013/11/27/microsoft-releases-security-advisory-2914486.aspx
