of Keen Lab, Tencent
• Kernel vulnerability hunting and exploitation since 2014
• @returnsme
• github.com/retme7
• Fan of console games, anime and mystery novels
still good enough to finish daily work
• Easy to use
• Some models can be very cheap
• It is very SECURE.
• Chrome browser
• Sandbox
  • Both apps and system services are isolated and sandboxed.
• Secure file system / storage
  • Read-only root file system
  • Verified boot and dm-verity
  • Additional Linux security module is stacked ahead of SELinux
• Automatic updates
  • Fix known bugs ASAP
  • Apply security patches to the kernel regularly
different kinds of restrictions:
• User id
• Capabilities
• Namespace
• Seccomp filter policy
• SELinux policy
• More details: see the official documents [1] [2]
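Of the restrictions listed above, the seccomp filter policy is the one that is easiest to show in working code. The following is an added example, not Chrome OS or Minijail code: it builds a seccomp-BPF allow-list of the kind a sandbox policy compiles down to, installs it, and then only allows the process to write to already-open descriptors and exit. It assumes Linux with the UAPI headers; the architecture constant is selected for x86_64 and aarch64 only, and the three-syscall demo policy is constructed for the example.

```c
/*
 * Added example (not Chrome OS or Minijail code): build and install a
 * seccomp-BPF allow-list filter, which is what a sandbox's "seccomp filter
 * policy" compiles down to. Assumes Linux with the UAPI headers; the
 * architecture constant is selected for x86_64 and aarch64 only.
 */
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   /* older headers only define KILL */
#endif

#define MAX_INSNS 64

/*
 * Write an allow-list filter into `out`: syscalls listed in `allowed` are
 * permitted, everything else kills the process. Returns the instruction
 * count, or 0 if `cap` is too small to hold the filter.
 */
size_t build_allowlist(const int *allowed, size_t n,
                       struct sock_filter *out, size_t cap)
{
    size_t need = 2 * n + 5;   /* arch check (3) + load nr (1) + 2 per entry + final kill (1) */
    size_t i = 0;
    if (need > cap)
        return 0;

    /* Reject a foreign ABI first (e.g. 32-bit syscalls on a 64-bit kernel);
     * otherwise the syscall numbers compared below mean something else. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* Load the syscall number and compare it against each allowed entry. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned int)allowed[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* Default: anything not listed is a policy violation. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Install the filter; NO_NEW_PRIVS is required for an unprivileged caller. */
int install_filter(struct sock_filter *insns, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Constructed demo policy: the process may only write to open fds and exit. */
static const int demo_policy[] = { SYS_write, SYS_exit_group, SYS_exit };

size_t demo_insn_count(void)
{
    struct sock_filter f[MAX_INSNS];
    return build_allowlist(demo_policy, 3, f, MAX_INSNS);
}

/* 1 if the filter starts with the arch load and ends with the kill action. */
int demo_filter_well_formed(void)
{
    struct sock_filter f[MAX_INSNS];
    size_t n = build_allowlist(demo_policy, 3, f, MAX_INSNS);
    if (n == 0)
        return 0;
    return f[0].code == (BPF_LD | BPF_W | BPF_ABS)
        && f[0].k == offsetof(struct seccomp_data, arch)
        && f[n - 1].code == (BPF_RET | BPF_K)
        && f[n - 1].k == SECCOMP_RET_KILL_PROCESS;
}

int main(void)
{
    struct sock_filter f[MAX_INSNS];
    size_t n = build_allowlist(demo_policy, 3, f, MAX_INSNS);
    if (n == 0 || install_filter(f, n) != 0)
        return 1;
    /* Raw write(2) rather than printf: stdio's first use may call fstat/ioctl,
     * which the policy above would kill. */
    static const char msg[] = "sandboxed: only write/exit allowed from here on\n";
    (void)write(1, msg, sizeof(msg) - 1);
    _exit(0);
}
```

The order of the checks is the part worth copying: the architecture test comes before any syscall-number comparison, because the same number means a different syscall under a different ABI, and the default action is kill rather than error so that a policy gap shows up as a crash in testing instead of a silent bypass.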
in the Linux kernel.
• Protects the system partition from being modified.
• Calculates the checksum of every block on the disk before the I/O operation.
• Crashes the whole system if the checksum is wrong.
symlinks that would redirect the system's write actions during boot (design docs)
• Refuse to mount a path with symlinks
• Hardening against loading modules/firmware
reward for participants that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest to guest persistence with interim reboot, delivered via a web page).” – Chrome VRP
• Previously it was $100k, raised to $150k this July.
in IndexedDB
• CVE-2019-16508: Privilege escalation in kernel mode
• CVE-2019-13690: Privilege escalation in user mode
• CVE-2019-13689: Chrome OS persistence bug
• Credit goes to Gengming Liu, Jianyu Chen, Zhen Feng, Jessica Liu and Retme at Tencent Keen Lab
CVE-2019-5826: by Gengming at Black Hat USA, Las Vegas
CVE-2019-16508: by Retme at Code Blue, Tokyo
CVE-2019-13690 & CVE-2019-13689: by Gengming & Melody at POC, Seoul
of March 2019
• We already had a V8 bug for RCE and sandbox escape
• But no privilege escalation and no persistence
• We need ROOT privilege to trigger the persistent exploitation
need to find a Linux kernel vulnerability that affects all Linux distributions.
• A bug targeted at official Chrome OS hardware will be fine.
• Need to make it within 30 days or so
• Let's find a vendor bug on a specific Chromebook.
will be card0, card1, card2, … if you have multiple video cards
• It is accessible to the normal user (chronos) on Chrome OS.
• It exposes an IOCTL interface to users
kernel and flash it to the Chromebook [1][2]
• Define fuzzing rules targeting the PowerVR interface PVR_SRVKM_CMD
• Run the fuzzer via SSH and wait for one night
• Maybe play some games on PS4 during my wait …
user input psSyncPrimOpCreateIN, which may lead to an integer overflow.
• It is possible to convert this bug into a heap out-of-bounds write, and from there achieve arbitrary memory overwriting.
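The sizing mistake behind this bug class, modelled in an added example that is not the PowerVR driver's code: an ioctl handler derives a buffer size from user-controlled element counts in 32-bit arithmetic, so a large count wraps to a small total while the later copy still uses the large count. The real layout of psSyncPrimOpCreateIN is not reproduced; `struct sync_op_req`, its fields and `ENTRY_SIZE` are hypothetical, and the checked variant mirrors what the kernel's `check_mul_overflow()`/`check_add_overflow()` helpers do.

```c
/*
 * Added example, not the PowerVR driver's code: a model of the bug class in
 * ioctl argument handling where the kernel sizes a buffer from
 * user-controlled element counts. The request layout and field names are
 * hypothetical; the checked version mirrors the kernel's
 * check_mul_overflow()/check_add_overflow() helpers.
 */
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical ioctl input: how many entries the caller will supply for two
 * arrays that the handler packs into one scratch buffer. */
struct sync_op_req {
    uint32_t client_count;   /* entries in the first array */
    uint32_t server_count;   /* entries in the second array */
};

#define ENTRY_SIZE sizeof(uint32_t)

/*
 * Unchecked: the byte total is computed in 32-bit arithmetic, so a count
 * around 2^30 wraps to a tiny total. The handler would allocate that tiny
 * buffer and then copy client_count entries into it.
 */
uint32_t total_bytes_unchecked(const struct sync_op_req *r)
{
    uint32_t bytes = 0;
    bytes += r->client_count * (uint32_t)ENTRY_SIZE;
    bytes += r->server_count * (uint32_t)ENTRY_SIZE;
    return bytes;
}

/*
 * Checked: every multiply and add is verified in the same 32-bit type the
 * size field uses, and the total is also bounded by a maximum the handler is
 * willing to allocate. Returns false (and leaves *out untouched) when the
 * request must be rejected, e.g. with -EINVAL.
 */
bool total_bytes_checked(const struct sync_op_req *r, uint32_t max_bytes, uint32_t *out)
{
    uint32_t a, b, sum;
    if (__builtin_mul_overflow(r->client_count, (uint32_t)ENTRY_SIZE, &a))
        return false;
    if (__builtin_mul_overflow(r->server_count, (uint32_t)ENTRY_SIZE, &b))
        return false;
    if (__builtin_add_overflow(a, b, &sum))
        return false;
    if (sum > max_bytes)
        return false;
    *out = sum;
    return true;
}

/* Model of the handler's copy step: true only if the buffer sized by
 * total_bytes_unchecked() can hold every entry about to be copied into it.
 * A false result is exactly the heap out-of-bounds write. */
bool unchecked_buffer_fits(const struct sync_op_req *r)
{
    uint64_t needed = ((uint64_t)r->client_count + r->server_count) * ENTRY_SIZE;
    return total_bytes_unchecked(r) >= needed;
}

/* Constructed inputs: one request that wraps, one that is benign. */
static const struct sync_op_req demo_bad = { 0x40000002u, 1u };
static const struct sync_op_req demo_ok  = { 16u, 8u };

uint32_t demo_bad_unchecked_total(void)      /* wraps: 8 + 4 = 12 bytes */
{
    return total_bytes_unchecked(&demo_bad);
}

int demo_bad_fits(void)                      /* 0: 12 bytes cannot hold 2^30 entries */
{
    return unchecked_buffer_fits(&demo_bad);
}

int demo_bad_checked(void)                   /* 0: the multiply overflow is caught */
{
    uint32_t n;
    return total_bytes_checked(&demo_bad, 1u << 20, &n);
}

uint32_t demo_ok_checked(void)               /* 96: 24 entries of 4 bytes */
{
    uint32_t n = 0;
    return total_bytes_checked(&demo_ok, 1u << 20, &n) ? n : 0;
}
```

Two things make the checked version robust rather than merely correct for this one input: the overflow test is done in the width the size field actually has, so it behaves the same on 32-bit and 64-bit builds, and the explicit upper bound rejects absurdly large but non-wrapping requests before they reach the allocator.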
That happens when my heap spray fails: the copy_from_user() overwrites some small heap slots.
[Figure: pArrayArgsBuffer lands in a kmalloc-128 slot (row of 128-byte objects) instead of kmalloc-8192; copy_from_user(ptr-object-128, buffer-8192, 8192) → KERNEL PANIC BY HARDENED_USERCOPY]
bytes to object-128 previously
• Actually, copying 0x20 bytes is good enough to overwrite iov_base.
• The copied content is {0, 0, kADDR, iov_len}
[Figure: pArrayArgsBuffer in a kmalloc-128 slot (row of 128-byte objects); copy_from_user(ptr-object-128, buffer-8192, 0x20)]
It will NOT crash when my spray fails any more.