Insection: AWEsomely Exploiting Shared Memory Objects presented at Infiltrate 2015

by Alex Ionescu

Summary: As the barriers to hijacking the kernel and system processes continue to rise with technologies such as Protected Processes, PatchGuard, User Mode/Kernel Mode Code Integrity, and Virtual Machine Sandboxes, the pressure on the components that manage these boundaries increases: any bug in them becomes a hole through which everything else can be taken down. One interesting aspect of Windows is the ability to share memory between two processes using a so-called Section Object, and to give such an object a name that is globally visible. Once the name is known, any application can attempt to map the same shared memory and access it. While Windows provides the mechanisms (a security descriptor on the object) to protect this shared memory against a malicious application or account, many developers do not use them, and the shared memory ends up accessible to anyone. In turn, the consumers, services, and privileged processes that trust the contents of this memory are now dealing with attacker-controlled data. This talk describes the various insecurities inherent to named objects, and specifically to shared memory sections, and shows at least one vulnerable major application with an insecure shared memory object. It then moves on to an insecure named object from the Windows kernel itself and follows the path to exploitation from a user-mode process, bypassing SMEP along the way with a novel technique that relies on self-referencing PML4 entries and AWE memory.
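The mechanism the summary refers to is the DACL on the section object: a named section created with a NULL security descriptor inherits whatever default DACL the creator's token carries, whereas an explicit DACL limits who can open it and with which rights. The following Windows PowerShell 5.1 script is an added example, not code from the talk or from any application it describes; it audits the DACL of an existing named section (the check a reviewer would run against a product's `Global\` or `Local\` names) and creates a section with an explicit, inheritance-protected DACL that grants the creator full control and named consumers read-only access. The section name `Global\Example_SharedState` and the consumer account are placeholders; `Global\` names require SeCreateGlobalPrivilege, so run it from an elevated or service context.

```powershell
# Added example, not from the talk. Windows PowerShell 5.1 (.NET Framework) is assumed:
# MemoryMappedFile.GetAccessControl() and the CreateNew overload that takes a
# MemoryMappedFileSecurity are .NET Framework APIs.
Add-Type -AssemblyName System.Core

# Audit: list the ACEs on an existing named section. Opening with ReadPermissions only
# needs READ_CONTROL, so this works even where the caller has no data access.
function Get-NamedSectionAcl {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'Global\Example_SharedState'
    $mmf = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
        $Name, [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::ReadPermissions)
    try {
        $acl = $mmf.GetAccessControl()
        $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Select-Object IdentityReference, Rights, AccessControlType, IsInherited
    } finally {
        $mmf.Dispose()
    }
}

# Flag any ACE that gives a broad group (Everyone, Users, Authenticated Users) the
# ability to write the section: that is exactly the condition the talk exploits.
function Test-NamedSectionWorldWritable {
    param([Parameter(Mandatory)][string]$Name)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $write = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::Write
    foreach ($ace in Get-NamedSectionAcl -Name $Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            ($ace.Rights -band $write) -ne 0) {
            return $true
        }
    }
    return $false
}

# Hardened creation: explicit DACL, inheritance blocked, creator gets FullControl,
# each consumer gets Read only. Compare with the weak form a developer often writes:
#   [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($Name, $Capacity)
# which passes no security descriptor at all.
function New-NamedSectionWithDacl {
    param(
        [Parameter(Mandatory)][string]$Name,
        [long]$Capacity = 4096,
        [string[]]$ReadOnlyPrincipals = @()     # e.g. 'NT SERVICE\ExampleConsumer' (placeholder)
    )
    $ruleType = [System.Security.AccessControl.AccessRule[System.IO.MemoryMappedFiles.MemoryMappedFileRights]]
    $sec = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
    $sec.SetAccessRuleProtection($true, $false)   # protected DACL, drop inherited ACEs

    $creator = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sec.AddAccessRule($ruleType::new($creator,
        [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl, 'Allow'))

    foreach ($p in $ReadOnlyPrincipals) {
        $sec.AddAccessRule($ruleType::new(
            (New-Object System.Security.Principal.NTAccount($p)),
            [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::Read, 'Allow'))
    }

    [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew(
        $Name, $Capacity,
        [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
        [System.IO.MemoryMappedFiles.MemoryMappedFileOptions]::None,
        $sec,
        [System.IO.HandleInheritability]::None)
}

# Usage (placeholder name and consumer account):
$section = New-NamedSectionWithDacl -Name 'Global\Example_SharedState' `
                                    -ReadOnlyPrincipals 'NT AUTHORITY\LOCAL SERVICE'
Get-NamedSectionAcl -Name 'Global\Example_SharedState' | Format-Table -AutoSize
Test-NamedSectionWorldWritable -Name 'Global\Example_SharedState'   # $false for this DACL
$section.Dispose()
```

Two caveats when using this as an audit: the `Test-NamedSectionWorldWritable` check only looks for write access by the three broad principals listed, so extend `$broad` with the groups that matter in your environment, and a consumer that opens the section with `MemoryMappedFileRights.Read` still has to treat the contents as untrusted input if any other principal holds write access, since a read-only DACL on the consumer's side says nothing about who else can write.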