Many browsers in the world. (Android, iOS, PlayStation4, Nintendo Switch ….etc ) ◦ And also Many Vulnerabilities in them. (See: pwn2own ) • Only browser exploitation? No. The next step comes up to you! ◦ To get higher privilage, (i.e. root) you should do more works! ◦ Kernel Vulnerabilities are good for you to get higher privilage. ◦ Many kinds of target, Linux, Windows, Apple OS X …. • Real world exploitation? ◦ Competition: pwn2own ◦ JailBreak: iOS, Android, PlayStation4 …. etc
Read ◦ When RuleSet::AddRule is called, selectorIndex is 1 ◦ However, we have only ONE CSSSelector in array. ◦ Read non existed second element in array. (OOB Read) • Not only OOB Read, But you can also 1-bit OOB Write! ◦ WebCore::CSSSelector::specify modifies some value from 0 to 1. ◦ So set the only 1 bit to 1 in OOB area! • Restrictive 1-bit write ◦ Where to set the bit to 1? ◦ ArrayBufferView->m_sizeInBytes (from 0x40 -> 0xC0) is good idea!
restricted. What’s next? ◦ We only need 0x40 WebCore object containing vtable ◦ After leaking the vtable of 0x40 WebCore object, free it and fill it with ArrayBufferView at same address. ◦ Then change ArrayBufferView::m_baseAddress poiter for AAR/AAW. • How to free 0x40 WebCore object? ◦ There are no free interface in JavaScript, which uses GC. ◦ Some object, like WebCore::NumberInputType can freed by following code :)
◦ Exploit technique ◦ Control call stack to hjiack program flow ◦ Can bypass NX protection 0x68ea123b 4096 0x63af9c00 0x691c000 0x6100a74f 0x0 0x62f10bd0 0x0 0x6711f000 0x68ea123b: pop rdx (arg3) ret 0x63af9c00: pop rsi (arg2) ret 0x6100a74f: pop rdi (arg1) ret 0x62f10bd0: pop rax (syscall num) ret 0x6711f000: syscall ret Stack
◦ Exploit technique ◦ Control call stack to hjiack program flow ◦ Can bypass NX protection 0x68ea123b 4096 0x63af9c00 0x691c000 0x6100a74f 0x0 0x62f10bd0 0x0 0x6711f000 0x68ea123b: pop rdx (arg3) ret 0x63af9c00: pop rsi (arg2) ret 0x6100a74f: pop rdi (arg1) ret 0x62f10bd0: pop rax (syscall num) ret 0x6711f000: syscall ret Stack rdx = 4096
◦ Exploit technique ◦ Control call stack to hjiack program flow ◦ Can bypass NX protection 0x68ea123b 4096 0x63af9c00 0x691c000 0x6100a74f 0x0 0x62f10bd0 0x0 0x6711f000 0x68ea123b: pop rdx (arg3) ret 0x63af9c00: pop rsi (arg2) ret 0x6100a74f: pop rdi (arg1) ret 0x62f10bd0: pop rax (syscall num) ret 0x6711f000: syscall ret Stack rdx = 4096 rsi = 0x691c000
◦ Exploit technique ◦ Control call stack to hjiack program flow ◦ Can bypass NX protection 0x68ea123b 4096 0x63af9c00 0x691c000 0x6100a74f 0x0 0x62f10bd0 0x0 0x6711f000 0x68ea123b: pop rdx (arg3) ret 0x63af9c00: pop rsi (arg2) ret 0x6100a74f: pop rdi (arg1) ret 0x62f10bd0: pop rax (syscall num) ret 0x6711f000: syscall ret Stack rdx = 4096 rsi = 0x691c000 rdi = 0
◦ Exploit technique ◦ Control call stack to hjiack program flow ◦ Can bypass NX protection 0x68ea123b 4096 0x63af9c00 0x691c000 0x6100a74f 0x0 0x62f10bd0 0x0 0x6711f000 0x68ea123b: pop rdx (arg3) ret 0x63af9c00: pop rsi (arg2) ret 0x6100a74f: pop rdi (arg1) ret 0x62f10bd0: pop rax (syscall num) ret 0x6711f000: syscall ret Stack rdx = 4096 rsi = 0x691c000 rdi = 0 rax = 0
◦ Stack pivot technique ◦ You can set own controled stack ◦ Firstly, jump to 0x6001e4c 0x68ea123b 4096 0x63af9c00 0x691c000 0x6100a74f 0x0 0x62f10bd0 0x0 0x6711f000 0x68ea123b: pop rdx (arg3) ret 0x63af9c00: pop rsi (arg2) ret 0x6100a74f: pop rdi (arg1) ret 0x62f10bd0: pop rax (syscall num) ret 0x6711f000: syscall ret Stack 0x6001e4c: pop rsp ret (own stack address) own stack address
◦ Stack pivot technique ◦ You can set own controled stack ◦ Firstly, jump to 0x6001e4c 0x68ea123b 4096 0x63af9c00 0x691c000 0x6100a74f 0x0 0x62f10bd0 0x0 0x6711f000 0x68ea123b: pop rdx (arg3) ret 0x63af9c00: pop rsi (arg2) ret 0x6100a74f: pop rdi (arg1) ret 0x62f10bd0: pop rax (syscall num) ret 0x6711f000: syscall ret Stack 0x6001e4c: pop rsp ret (own stack address) own stack address rsp = (own stack address)
Next we should move to Kernel exploit ◦ If you want do more complicated code execution, ROP is not usefull. (so many gadgets…) ◦ We should use ROP only for loading and jumping to payload from network. (i.e. stager) ◦ From remote, we can send Kernel exploit payload • Write payload(shellcode) in C ◦ Use only syscalls, because libc’s functions are bit difficult to use in shellcode. ◦ Compile C code with PIE option (shellcode can be loaded at any address) Client WebKit Controlled by ROP waiting paylod to execute... Send kernel exploit payload
FreeBSD ◦ When iret throws #SS exeception, one extra swapgs is perfomed ◦ GS register will switch to the userland GS whilst the kernel still expects kernel GS ◦ Userland GS is fully controllable by attacker ◦ After #SS exception and extra swapgs, kernel jump to do_general_protection ◦ “current” macro uses memory read with GS prefix 290 void do_general_protection(struct pt_regs *regs, long error_code) 291 { 292 struct task_struct *tsk; ... 306 tsk = current; ==> mov %gs:0xc780,%rbx 319 tsk->thread.error_code = error_code; 320 tsk->thread.trap_nr = X86_TRAP_GP;
can control %GS. Next? ◦ Forcus on force_sig_info() that’s called by do_general_protection int force_sig_info(int sig, struct siginfo *info, struct task_struct *t) { struct k_sigaction *action; … action = &t->sighand->action[sig-1]; action->sa.sa_handler = SIG_DFL; // SIG_DFL == 0 ... } • We can write 8-byte 0(SIG_DFL) to arbitrary address in kernel ◦ Use &t->sighand->action->sa.sa_handler = 0 for writing ◦ We can control address of &t (== current == %GS:0xc780)
write consecutive 8-byte 0s? ◦ Modify #PF handler in IDT(Interrupt Descriptor Table) to shellcode address ▪ This approach is used in PlayStation4(FreeBSD) exploit ▪ But in Linux, IDT is set to Read-only :( ◦ Moreover, Intel SMEP prevent direct jump to usermode area from kernelmode area • In kernel ROP(Return Orietend Programming) ◦ Use ROP gadgets in kernel binray(e.g. vmlinux) ◦ Can bypass SMEP ◦ Pivot the kernel stack to crafted stack in usermode area ◦ Disable SMEP by clearing some bits of CR4 register ◦ Finally jump to shellcode in usermode
based on FreeBSD (Many custom syscalls are added) ◦ Many libraries (.sprx) and binary executable (.self) ◦ Internet Browser is based on WebKit • Some security problems in PS4 (fixed in latest version) ◦ Internet Browser is vulnerable against CVE-2012-3748, CVE-2014-1303... ◦ A kernel of OrbisOS is vulnerable aginast CVE-2014-9322(BadIRET) ◦ And also custom syscalls added by Sony have some vulnerablities.
◦ sys_dynlib_XXX system calls … Dynamic linking for modules(.sprx) ◦ sys_jitshm_XXX system calls … For WebKit JIT memory area • WebKit exploit for PS4 ◦ CTurt’s PS4-playground: https://cturt.github.io/PS4-playground/ ◦ You can execute payload by using above site. • Kernel exploit for PS4 ◦ BadIRET exploit written by CTurt ◦ sys_dynlib_prepare_dlclose heap overflow by CTurt and qwertyoruiop