
CANVAS: MS11_032 & 64-bit Unsigned Driver Install

Hello, this is Miguel Turner, I'm a developer at Immunity. For this demo we're going to be taking a look at the MS11_032 privilege escalation exploit for the OpenType signed integer vulnerability on Windows. You may have seen this in our previous demo by AlexM a few weeks ago; however, this time we're going to be going a few steps further to demonstrate how the exploit is able to bypass the code integrity checks of Windows systems. The driver we're going to be using is an unsigned copy of our HCN rootkit. This is a 64-bit version of the driver that is also able to bypass PatchGuard protection on 64-bit Windows. To begin, I'm going to demonstrate how this process would normally fail. I am on a 64-bit Windows 7 machine with an Administrator console open, and I'm now going to run the command to install the HCN rootkit. As you can see, this command completes successfully; however, in a few seconds a dialog will pop up. This dialog is created by the Program Compatibility Assistant, which is monitoring the registry for changes to a specific key that is updated on driver installation. To bypass this you can simply stop the PCA service. So first I'm going to delete our HCN rootkit. Then I'm going to stop the PCA service, so that the user of this machine will not be notified of the unsigned driver installation. Now I'm going to attempt to reinstall the HCN rootkit, and as you can see, as before, the command completes successfully. Now it is safe to restart the PCA service. Now I'm going to attempt to start our HCN rootkit, and as you can see this command fails. This is the Code Integrity check in action, and this is what Immunity's MS11_032 exploit is able to bypass. So now I'm going to go to my Ubuntu machine here, which is running CANVAS, and I'm going to show a 64-bit Windows 7 machine running Service Pack 1. On the CANVAS side you can see that we have already received the callback, and I've gone ahead and run MS11_032 to receive a node with SYSTEM level privileges.
Now I'm going to run that same series of commands to install and run our HCN rootkit. So first I'm going to stop the PCA service. With the PCA service stopped, it is now safe to install the HCN rootkit without notifying the target machine's user. As you can see, the command completed successfully, so now I'm going to restart the PCA service, and now again I'm going to attempt to start our HCN rootkit. As you can see, this time running the rootkit completed successfully. So I'm going to go now to our Windows machine, where you can see that no errors or dialog boxes have been displayed. However, if we look at the Task Manager we can see the two callbacks, one for MS11_032 and one for MOSDEF, are plainly visible in our Task Manager, and if I run a netstat we can see that the destination port 5555 is visible. So fortunately we have our HCN rootkit installed, so using a simple command-line utility I can hide those two processes and the TCP port. So first, using this command I'm going to hide the processes. And now I'm going to hide the TCP connection. Those commands complete. I'm going to go back to my Windows machine, and we can see in the Task Manager those callback processes are not being displayed, and if I run netstat again, our port 5555 is also invisible. So what we have here is a 64-bit Windows 7 fully patched to Service Pack 1, running our HCN rootkit and giving us full control of the machine. MS11_032 is currently available to all of our CANVAS Early Update customers, and the 64-bit version of our HCN rootkit is not currently released; however, the 32-bit version is currently included in CANVAS. I should also mention that D-Square, one of our partners, will be adding 64-bit kernel detection to Drosera, which is their live forensics framework, and that framework would be able to detect an attack like this. We hope you enjoyed the demo, and thank you for your time!
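Added example, not part of the video and not Immunity's CANVAS or HCN code: a Python check over Service Control Manager (SCM) records from the Windows System log that flags a kernel-mode driver installed while the Program Compatibility Assistant service was stopped, which is exactly the stop-install-restart sequence the demo walks through to keep the user from being notified. The event records below are constructed for illustration; the service name `hcn`, the file paths and the timestamps are made up. Event IDs 7036 (service state change) and 7045 (service installed) and the message layout are as the SCM writes them to my knowledge; confirm the exact text against your own logs before relying on the parser.

```python
import re
from datetime import datetime

# Display name of the PCA service as it appears in SCM event 7036 messages
# (assumed English locale; adjust if yours differs).
PCA_DISPLAY = "Program Compatibility Assistant Service"
# Directory a kernel driver image is normally loaded from (compared lowercase).
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed System-log records (not taken from the video). Each record is
# the event time, the SCM event ID, and the rendered message text.
SAMPLE_EVENTS = [
    {"time": "2011-06-02T10:00:01", "id": 7036,
     "msg": "The Program Compatibility Assistant Service service entered the stopped state."},
    {"time": "2011-06-02T10:00:09", "id": 7045,          # constructed driver install
     "msg": ("A service was installed in the system.\n"
             "Service Name: hcn\n"
             "Service File Name: C:\\Windows\\Temp\\hcn.sys\n"
             "Service Type: kernel mode driver\n"
             "Service Start Type: demand start\n"
             "Service Account: ")},
    {"time": "2011-06-02T10:00:20", "id": 7036,
     "msg": "The Program Compatibility Assistant Service service entered the running state."},
    {"time": "2011-06-02T11:30:00", "id": 7045,          # user-mode service: ignored
     "msg": ("A service was installed in the system.\n"
             "Service Name: updater\n"
             "Service File Name: C:\\Program Files\\Vendor\\updater.exe\n"
             "Service Type: user mode service\n"
             "Service Start Type: auto start\n"
             "Service Account: LocalSystem")},
    {"time": "2011-06-02T12:00:00", "id": 7045,          # ordinary driver: no finding
     "msg": ("A service was installed in the system.\n"
             "Service Name: vendordrv\n"
             "Service File Name: C:\\Windows\\System32\\drivers\\vendordrv.sys\n"
             "Service Type: kernel mode driver\n"
             "Service Start Type: demand start\n"
             "Service Account: ")},
]

FIELD_RE = re.compile(r"^(Service Name|Service File Name|Service Type):[ \t]*(.*)$", re.M)
STATE_RE = re.compile(r"^The (.+) service entered the (\w+) state\.$")


def parse_7045(msg):
    """Pull the labelled fields of a 7045 'service installed' message into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(msg)}


def parse_7036(msg):
    """Return (display name, new state) from a 7036 state-change message."""
    m = STATE_RE.match(msg)
    return (m.group(1), m.group(2)) if m else (None, None)


def find_suspicious_driver_installs(events):
    """Walk events in time order, tracking whether PCA is currently stopped,
    and report kernel-driver installs that happen during that window or that
    load an image from outside the drivers directory."""
    findings = []
    pca_stopped_since = None
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 7036:
            name, state = parse_7036(ev["msg"])
            if name == PCA_DISPLAY:
                pca_stopped_since = t if state == "stopped" else None
        elif ev["id"] == 7045:
            f = parse_7045(ev["msg"])
            if "kernel mode driver" not in f.get("Service Type", "").lower():
                continue
            reasons = []
            if pca_stopped_since is not None:
                gap = (t - pca_stopped_since).total_seconds()
                reasons.append(f"installed while {PCA_DISPLAY} had been stopped for {gap:.0f}s")
            if not f.get("Service File Name", "").lower().startswith(DRIVER_DIR):
                reasons.append("driver image outside System32\\drivers")
            if reasons:
                findings.append({"time": ev["time"], "service": f.get("Service Name"),
                                 "image": f.get("Service File Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_driver_installs(SAMPLE_EVENTS):
        print(f["time"], f["service"], f["image"], "; ".join(f["reasons"]))
```

Two caveats for anyone deploying a check like this: the 7045 record only says that a driver service was created, not whether its image was signed or whether Code Integrity was bypassed, so the PCA-stop correlation is what carries the signal; and an intruder running as SYSTEM, as in the demo, can clear or suppress local logs, so the System log needs to be forwarded off-host and paired with a live-forensics or memory view of the kernel (the video mentions D-Square's Drosera for that). Stopping and restarting the PCA service is itself rare on a workstation and is worth an alert on its own.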

Video Details

Duration: 6 minutes and 30 seconds
Country: United States
Language: English
Producer: Immunity
Director: Immunity
Views: 258
Posted by: daveaitel on Jun 2, 2011

This demonstrates Immunity CANVAS's MS11_032 exploit turning off Code Integrity in the Windows x64 Kernel.
