BLACKBERRY PWNAGE THE BLUEJAY STRIKES


BLACKBERRY PWNAGE: THE BLUEJAY STRIKES
Federico Muttis, Core Security Technologies
Session ID: HTA-T19
Session Classification: Advanced

INFO @ THE MEDIA
http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401
http://threatpost.com/en_us/blogs/iphone-blackberry-fall-second-day-pwn2own-031011


BLACKBERRY DEVICES WITH KNOWN WORKING EXPLOIT
Vulnerable devices (shortened list):
Pearl family
Curve family (< 9350)
Storm family
Style 9670
Tour 9630
Bold 9650/9700/9780
Torch 9800

CVE-2010-4577 ARBITRARY READ

CVE-2010-4577 PROOF OF CONCEPT CSS Font Face Parsing Type Confusion Vulnerability http://code.google.com/p/chromium/issues/detail?id=63866

IEEE 754 DOUBLE PRECISION FLOATING-POINT

CVE-2010-4577 CRASH ANALYSIS
CSS Font Face Parsing Type Confusion Vulnerability

Frame 1: args 002ed594 80000000 01718618
chrome_68390000!wtf::stringimpl::create(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x2cb)+0x24 [c:\b\slave\chrome-official\build\src\third_party\webkit\javascriptcore\wtf\text\stringimpl.cpp @ 99]

Frame 2: args 80000000 41400000 00000454
chrome_68390000!wtf::string::string(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x41400000)+0x21
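The two argument words in the second frame above, characters = 0x80000000 and length = 0x41400000, are exactly the low and high halves of a single IEEE 754 double (2097153.0, that is 2^21 + 1) when its eight bytes are read as a little-endian 32-bit (pointer, length) pair, which is what a type confusion between a numeric CSS value and a String object looks like in a crash dump. The C program below is an added example, not code from the deck or from WebKit: it splits and rebuilds a double this way and decodes its sign, exponent and fraction, the arithmetic a triager otherwise does by hand. The two constants are copied from the frame on the slide; reading them as one double is this example's observation, not a statement from the deck.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reinterpret a double's 8 bytes as an unsigned 64-bit integer via memcpy
 * (well-defined, unlike a pointer cast). */
static uint64_t double_bits(double v) {
    uint64_t bits;
    memcpy(&bits, &v, sizeof bits);
    return bits;
}

static double bits_double(uint64_t bits) {
    double v;
    memcpy(&v, &bits, sizeof v);
    return v;
}

/* The two 32-bit words a little-endian 32-bit process sees when the 8 bytes
 * of a double are read as two consecutive machine words: low word first. */
uint32_t double_low_word(double v) {
    return (uint32_t)(double_bits(v) & 0xFFFFFFFFu);
}

uint32_t double_high_word(double v) {
    return (uint32_t)(double_bits(v) >> 32);
}

/* Rebuild the double from a (first word, second word) pair pulled out of a
 * crash frame, e.g. a (characters pointer, length) argument pair. */
double words_to_double(uint32_t low, uint32_t high) {
    return bits_double(((uint64_t)high << 32) | (uint64_t)low);
}

/* Decode the IEEE 754 fields: sign bit, unbiased exponent, 52-bit fraction. */
void ieee754_fields(double v, int *sign, int *exponent, uint64_t *fraction) {
    uint64_t b = double_bits(v);
    *sign = (int)(b >> 63);
    *exponent = (int)((b >> 52) & 0x7FF) - 1023;
    *fraction = b & ((1ULL << 52) - 1);
}

int main(void) {
    /* Values copied from the crash frame on the slide; pairing them as one
     * double is this example's reading of the frame. */
    const uint32_t crash_characters = 0x80000000u;
    const uint32_t crash_length = 0x41400000u;
    double d = words_to_double(crash_characters, crash_length);
    int sign, exponent;
    uint64_t fraction;
    ieee754_fields(d, &sign, &exponent, &fraction);
    printf("(0x%08x, 0x%08x) read as one double = %.1f\n",
           (unsigned)crash_characters, (unsigned)crash_length, d);
    printf("sign=%d exponent=%d fraction=0x%013llx\n",
           sign, exponent, (unsigned long long)fraction);
    printf("round trip: low=0x%08x high=0x%08x\n",
           (unsigned)double_low_word(d), (unsigned)double_high_word(d));
    return 0;
}
```

Run it and the "length" of 0x41400000 resolves to exponent 21 with a fraction of 2^31, i.e. 2^21 * (1 + 2^-21) = 2097153.0; a 32-bit string constructor handed the words of a small double will therefore see an unmapped pointer (here 0x80000000) and a length in the hundreds of millions, which is exactly the read fault the frame records.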

CVE-2010-4577 EXPLOITATION CSS Font Face Parsing Type Confusion Vulnerability Address Size


A BLUEJAY APPEARS!

DUMPING THE VIRTUAL ADDRESS SPACE
BlueJay's early problems
Poor man's solution

BLUEJAY AGENT DIAGRAM (diagram labels only): BlueJay Agent; HTTP Push; BlueJay Server & Console; Exploit dispatcher; Memory manager; Memory read; Pointer Leak; Execute code; HTML5 Spray; HTML5 Edit

DUMPING THE VIRTUAL ADDRESS SPACE
BlueJay's helper: Java BlackBerry App (flowchart)
Browser running?
No: Restart browser
Yes: Reset backlight timer

DUMPING DEMO

DISASSEMBLING AND SEARCHING FOR OLYMPIA
BlackBerry's WebKit Browser main() routine

DISASSEMBLING AND LOCATING CVE-2010-4577
CVE-2010-4577 Arbitrary memory read disassembly

BLACKBERRY PROCESS INTERNALS
Some syscalls (work in progress...):
0x4  write
0x16 allocexecmem
0x28 shmget
0x2b alloc
0x27 loadlibrary
0x29 shmat
0x2c sem_create
0x2d sem_unlink / sem_close
0x41 sendto?
0x46 mkfifo?
0x4a unlink
0x4c mkdir
0x5f open
0x61 lock related (flock/lockf?)
0x67 threads related

CVE-2011-1290 CODE EXECUTION

SEARCHING FOR THE VULNERABILITIES
Webkit Integer Overflow near 2011

"There is a buffer overflow vulnerability that was released in November 2010 but is still present on the BlackBerry. ( ). To exploit the vulnerability I have to set up the heap in a specific way so I can overflow a specific structure on the heap. This structure is the internal representation for a piece of text on a website. The vulnerability is in the handling of the text nodes, so this is a good target to overflow. ( ) Once I have a stable way to organize the heap and reliably overflow the pointer to the functions, we can start testing. The first test attempts to redirect execution to code that already exists on the BlackBerry. Instead of the JavaScript nodetype call returning the value 3, I redirect it to existing code elsewhere that returns 0. Now I can control the execution flow in the browser."
Willem Pinckaers -

EXPLOITING CVE-2011-1290
CVE-2011-1290: Integer Overflow => Heap Overflow

DISASSEMBLING AND LOCATING CVE-2011-1290
CVE-2011-1290 Integer Overflow


DISASSEMBLING AND LOCATING CVE-2011-1290
CVE-2011-1290 Integer Overflow => Heap Overflow

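The slides above describe the bug class, an integer overflow in a size computation that turns into a heap overflow, without showing the arithmetic. The C program below is an added example, not WebKit's code and not from the deck: a constructed allocator for a UTF-16 text buffer, with the unchecked size computation that wraps on a 32-bit size type next to the hardened form that rejects the count instead of allocating an undersized block. The type name size32_t, the function names and the hostile count are all this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Model the 32-bit size type of the target platform: this is where the
 * count * element-size product wraps. */
typedef uint32_t size32_t;

/* Buggy pattern: bytes needed for `count` UTF-16 code units, computed without
 * an overflow check.  For count >= 0x80000000 the product wraps to a small
 * number, so a following malloc(bytes) succeeds with far too small a block
 * and the copy that trusts `count` runs past its end. */
size32_t text_bytes_unchecked(size32_t count) {
    return count * (size32_t)sizeof(uint16_t);
}

/* Hardened pattern: refuse any count whose byte size does not fit in 32 bits.
 * The division form avoids performing the overflowing multiplication at all. */
bool text_bytes_checked(size32_t count, size32_t *out) {
    if (count > UINT32_MAX / sizeof(uint16_t)) {
        return false;
    }
    *out = count * (size32_t)sizeof(uint16_t);
    return true;
}

/* Allocation guarded by the checked size computation; NULL means "rejected",
 * so the caller never receives a block shorter than `count` code units. */
uint16_t *alloc_text_checked(size32_t count) {
    size32_t bytes;
    if (!text_bytes_checked(count, &bytes)) {
        return NULL;
    }
    return (uint16_t *)malloc(bytes);
}

int main(void) {
    /* A constructed hostile length: 2^31 + 1 code units. */
    const size32_t hostile = 0x80000001u;
    size32_t bytes;

    printf("unchecked: count=0x%08x -> bytes=%u (wrapped)\n",
           (unsigned)hostile, (unsigned)text_bytes_unchecked(hostile));
    if (text_bytes_checked(hostile, &bytes)) {
        printf("checked: accepted %u bytes\n", (unsigned)bytes);
    } else {
        printf("checked: count rejected, no allocation made\n");
    }

    uint16_t *ok = alloc_text_checked(1024);
    printf("checked: 1024 code units -> %s\n", ok ? "allocated" : "rejected");
    free(ok);
    return 0;
}
```

With the hostile count the unchecked path asks malloc for 2 bytes while the caller still believes it owns 2^31 + 1 code units; the checked path returns false before any allocation happens. Compilers that offer __builtin_mul_overflow or a checked-arithmetic helper library give the same guarantee with less room for an off-by-one in the bound.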

CHAINING THE EXPLOITS

EXPLOITATION RECIPE
1. HTML5-Spray the process's heap with a repeated pattern
2. Leak a heap pointer using CVE-2011-0195 (pointer to a valid heap address)
3. Walk between [ptr-128k, ptr+128k] looking for the signature (pointer to an HTML5-Sprayed block)
4. HTML5-Spray-Modify to fake a vtable (diagram: sigptr+x, sigptr+y and shellcode placed among the signatures of the HTML5-Spray block)
5. Point the code execution exploit to your block
6. Achieve code execution!

BLUEJAY VS REAL DEVICE (diagram labels only: sigptr, sigptr, shellcode, HTML5-Spray block)

BLUEJAY VS SIMULATOR DEMO

SIMULATOR VS DEVICE
WebKit's StyleElement::process()
http://immunityinc.com/infiltrate/archives/webkit_heap.pdf

Q & A
E-mail: fmuttis@gmail.com / acid@coresecurity.com
Twitter: @acid_