Kernel shellcode persistence technique in APT attacks and SAS CTF challenge
- November 4, 2024
- Posted by: chuckb
- Category: Securelist
On May 18, 2024, Kaspersky’s Global Research & Analysis Team (GReAT) hosted the qualifying stage of the SAS CTF, an international cybersecurity competition linked to the Security Analyst Summit. Over 800 teams participated, tackling challenges based on real-world security incidents encountered by GReAT. Among the challenges was one built around a vulnerability, specifically an incomplete fix for CVE-2010-4398, which allows kernel shellcode to execute during system boot on fully updated Windows 7 and Windows Server 2008 R2 systems. Microsoft ended support for Windows 7 in early 2020, but the flaw had gone unaddressed well before that: the patch that was shipped turned out to be insufficient even while the platform was still supported.
The vulnerability stems from a design flaw affecting older Windows versions, enabling the persistence and launch of kernel shellcode by manipulating specific areas of the system registry. The Windows kernel API function RtlQueryRegistryValues, which retrieves registry values, can be abused because it does not check the type of the data it reads: a caller expecting one value type can be handed data of another type and length, which results in buffer overflows, particularly on Windows 7 and earlier OS versions. Although Microsoft introduced a type-checking flag to address the resulting privilege escalation vulnerabilities, it was applied only selectively and did not cover critical registry paths that can be written with administrator rights.
Exploitation involves two DirectX drivers, “dxgmms1.sys” and “dxgkrnl.sys”. Attackers can use the insecure use of RtlQueryRegistryValues in these drivers to plant crafted registry values and execute malicious shellcode. The exploit runs in two stages: first, a buffer overflow in “dxgmms1.sys” is triggered to write shellcode into kernel memory. Then, in the second stage, which goes through “dxgkrnl.sys”, a return address is overwritten so that this shellcode executes, giving the attacker kernel-level control of the system.
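To make the type-handling problem concrete, here is an added illustration that is not code from the Securelist write-up or from Windows: a constructed user-mode model in which a driver's RTL_QUERY_REGISTRY_DIRECT table entry expects a REG_DWORD but the registry holds a REG_BINARY value. The flag and NTSTATUS constants are the documented Windows values; the simulated stack frame, the copy logic and the sample payload are assumptions made for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Flag/status constants are the documented Windows values; the rest is a constructed user-mode model, not kernel code. */
#define RTL_QUERY_REGISTRY_DIRECT          0x00000020u
#define RTL_QUERY_REGISTRY_TYPECHECK       0x00000100u
#define RTL_QUERY_REGISTRY_TYPECHECK_SHIFT 24
#define REG_BINARY 3u
#define REG_DWORD  4u
#define STATUS_SUCCESS              0x00000000u
#define STATUS_OBJECT_TYPE_MISMATCH 0xC0000024u
/* Simulated driver stack frame: the 4-byte ULONG slot a REG_DWORD should land
 * in, followed by 12 bytes standing in for neighbouring locals/saved state. */
typedef struct { uint8_t ulong_slot[4]; uint8_t neighbours[12]; } frame_t;
typedef struct { uint32_t type; const uint8_t *data; uint32_t len; } reg_value_t;
/* Model of the DIRECT path. Returns an NTSTATUS and sets *spilled to the bytes
 * written past the ULONG slot. The legacy copy is simplified: it trusts the stored value's length. */
uint32_t model_query_direct(uint32_t flags, uint32_t default_type,
                            const reg_value_t *v, frame_t *f, size_t *spilled)
{
    *spilled = 0;
    if (flags & RTL_QUERY_REGISTRY_TYPECHECK) {
        /* Hardened path: expected type sits in the high byte of DefaultType; a mismatch is rejected before any copy. */
        uint32_t expected = default_type >> RTL_QUERY_REGISTRY_TYPECHECK_SHIFT;
        if (expected != v->type)
            return STATUS_OBJECT_TYPE_MISMATCH;
    }
    size_t n = v->len > sizeof(*f) ? sizeof(*f) : v->len;  /* bound exists only to keep the model safe */
    memcpy(f, v->data, n);
    if (n > sizeof(f->ulong_slot))
        *spilled = n - sizeof(f->ulong_slot);
    return STATUS_SUCCESS;
}
/* Drive the model with a constructed value of the given type and length, using
 * either the legacy table entry (hardened == 0) or the TYPECHECK one (hardened == 1). */
uint32_t query_expecting_dword(int hardened, uint32_t type, uint32_t len,
                               size_t *spilled)
{
    static const uint8_t payload[16] = { 0x41, 0x41, 0x41, 0x41, 0x42, 0x42,
        0x42, 0x42, 0x43, 0x43, 0x43, 0x43, 0x44, 0x44, 0x44, 0x44 };
    frame_t f; memset(&f, 0, sizeof f);
    reg_value_t v = { type, payload, len > (uint32_t)sizeof payload ? 16u : len };
    uint32_t flags = RTL_QUERY_REGISTRY_DIRECT | (hardened ? RTL_QUERY_REGISTRY_TYPECHECK : 0u);
    uint32_t dt = hardened ? ((REG_DWORD << RTL_QUERY_REGISTRY_TYPECHECK_SHIFT) | REG_DWORD) : REG_DWORD;
    return model_query_direct(flags, dt, &v, &f, spilled);
}
```

With the legacy entry a 16-byte REG_BINARY value is accepted and 12 bytes land outside the ULONG slot; with the TYPECHECK entry the same value is refused with STATUS_OBJECT_TYPE_MISMATCH and nothing is copied, which is exactly the check the selectively applied fix left out for the registry paths the article describes.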
In the SAS CTF challenge, participants were given registry hive files and tasked with recreating a situation in which a virtual machine crashes because this vulnerability is triggered. Through careful analysis and debugging, participants identified the registry values responsible for the crashes and worked out which memory regions the injected code ended up in. The challenge instructions described the required environment in detail, including the need for a working Direct3D configuration, which plays a pivotal role in triggering the exploit.
To analyze the effects of the exploit, participants employed strategies such as parsing registry hives, setting up kernel debugging, and modifying registry values to recreate faulty behavior during system boot. Debuggers were used to track system crashes and extract crash data, assisting participants in understanding the mechanics behind the exploitation process.
The ultimate goal was to identify and decrypt a second stage shellcode that could facilitate payload delivery into a user-mode process. The payload turned out to be a keylogger, specifically designed to capture keystrokes and send them via UDP. Participants leveraged captured network traffic to extract the keylogger’s operational data, employing decryption algorithms derived from registry settings.
As the challenge progressed, it became evident that reconstructing the registry values changed the system’s behavior and allowed participants to debug the kernel successfully. Analyzing the captured data led to discussions about converting the recovered values into a more usable form, which made the system’s memory operations easier to follow.
In conclusion, the contest not only tested participants’ technical skills against real-world vulnerabilities but also encouraged creative problem-solving in a competitive environment. The top eight teams from this qualifying stage were slated to move on to the final competition, set to take place in Bali from October 22-25, 2024, marking an exciting culmination to the challenges posed during the summit. The findings from this event underscore the need for continued vigilance, particularly around vulnerabilities in legacy systems like Windows 7 and the consequences for user security when such vulnerabilities are exploited.