Threat Research

Turning (Page) Tables- Bypassing Kernel Mitigations to Successfully Escalate Privileges

By Omri Misgav | August 09, 2018

A FortiGuard Labs Threat Analysis Report: This blog originally appeared on the enSilo website on August 09, 2018, and is republished here for threat research purposes. enSilo was acquired by Fortinet in October 2019.

On August 8th, at the BSides Conference in Las Vegas, enSilo’s Threat Intelligence team (now part of FortiGuard Labs) unveiled a new exploitation technique against the Microsoft Windows operating system. It's a general technique to leverage with kernel vulnerabilities and make privilege escalation easier.

In this blog post, we’ll provide a high-level overview of the technique. You can also view here a recording of our presentation and the slides are viewable here of the BSides Las Vegas conference in which we discuss the technical details and conduct a demonstration.

Now, for the details. Microsoft has implemented a number of mitigations designed to protect the kernel from attacks. The following is only a partial list:

1. Not enabled by default; 2. Require VBS; 3. Mitigations that constantly improve

One of the most significant additions is the use of a hypervisor (Hyper-V) in desktop operating systems, dubbed VBS (Virtualization Based Security) by Microsoft. The result of all of these mitigations is that it is significantly more challenging to develop kernel exploits. While Microsoft continues to strengthen Windows kernel security and improve its mitigations, our research again proves that adversaries can devise novel methods to achieve higher privileges - including SYSTEM.

We are able to demonstrate a way to bypass Microsoft kernel mitigations and escalate privileges by carefully manipulating page tables, the data structures operating systems use to map virtual memory to physical memory. Our technique involves manipulating page tables in such a way that allows modification of shared code pages to affect all processes in the system. The key to the success of the technique is the fact that the same code for both low and high privilege processes is stored in the same place in RAM in an effort to more efficiently consume physical memory.

Our technique involves leveraging this shared memory, which is maintained by the OS, and causing the higher-level privilege process to execute a malicious payload. Attackers are not limited to escalating to SYSTEM privileges with this technique. They can also use lower-level privileges that are less restricted than sandboxed processes (such as browsers).

The main difference between this technique and previous publications is that it is possible to execute even in the presence of hypervisor-level protection. Therefore, the technique still works if Virtualization Based Security (VBS) is enabled.

While our presentation at BSides focused on demonstrating the technique with Microsoft Windows, we believe it will be just as successful on OSX and Linux and be just as effective. The reason why is that the technique is based on an optimization leveraged by almost all modern operating systems. By bringing knowledge of this technique to the forefront, our goal is to help organizations better defend themselves against criminals and raise awareness of the need for greater levels of security.

Note: We fully disclosed our technique to Microsoft prior to our presentation at BSides.

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolioSign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert programNetwork Security Academy program, and FortiVet program.