2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities on win7jre7 in one...
Page 1
Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute
Or how to exploit a single Java vulnerability in three different ways
Page 2
Today we are not talking about how to find 0-day Java native vulnerabilities, but how to “cook” them
Page 3
About me
• Architect, Trend Micro China Development Center
• Interested in vulnerabilities, sandbox technique, anti-APT solution
• Hardcore ACG otaku
Page 4
Agenda
• Background
• The vulnerability
• Exploit method 1
• Exploit method 2
• Exploit method 3
• Conclusion
Page 5
What is a Java native vulnerability?
• A vulnerability that exists in JRE native code (C/C++ code)
– Stack overflow
– Heap overflow
– Buffer overflow/underflow
– …
• Also known as a Java memory corruption vulnerability
Page 6
Trends of Java native vulnerability
Page 7
Exploit Java native vulnerability
• JRE 6
– No DEP, ASLR
– Find a schoolchild and teach him Heap Spray
• JRE 7
– Opt-in DEP, ASLR, Windows 7, Windows 8 …
– Hmmm, seems much harder?
– Actually not so hard; we will show you how in this presentation
Page 8
Agenda
• Background
• The vulnerability
• Exploit method 1
• Exploit method 2
• Exploit method 3
• Conclusion
Page 9
CVE-2013-1491
• Found by Joshua J. Drake (jduck)
• Used on Pwn2013, defeated JRE 7 + Windows 8 (Accuvant Labs' white paper)
• We also discovered the same issue in Feb 2013 via our Java font fuzzer, and finished the exploits in April 2013
Page 10
CFF Font Instructions
• Compact Font Format, or Type2 font
• You can write instructions (byte codes) that help build a character at runtime
– 0A: call subroutine
– 0B: return from subroutine
– 0C 0A: add
– 0C 0B: sub
– 0C 0C: div
– 0C 0D: load
Page 11
Related Data Structures
• TopDictInfo
– buildCharArray – dynamically allocated array
– reg_WeightVector – static array in the structure
Page 12
The two vulnerable instructions
• store [0, j, index, count]
• load [0, index, count]
No array bounds checks on store/load!
Page 13
What can we do with it
• Read/write at any index in a 16-bit range into buildCharArray and reg_WeightVector
• By overwriting the buildCharArray pointer, we can achieve arbitrary address read/write
Page 14
Example
Initial state (diagram): T->topDictData…, buildCharArray, …reg_WeightVector; the addresses shown are 0x2000000, 0x200087c, 0x20007b4 and 0x2100000
Page 15
Step 1: put(0, 0x0c0c0c0c)
buildCharArray[0] = 0x0c0c0c0c;
(diagram: same layout; buildCharArray[0] now holds 0c0c0c0c)
Page 16
Step 2: store(0, -18, 0, 1)
reg_WeightVector[-18] = buildCharArray[0];
(diagram: same layout; the negative index writes 0c0c0c0c outside reg_WeightVector, onto the buildCharArray pointer field)
Page 17
Step 3: put(0, 0x41414141)
buildCharArray[0] = 0x41414141;
(diagram: the buildCharArray pointer now reads 0x0c0c0c0c, so 41414141 is written at index 0 of that address)
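Added here as an illustration, not code from the talk: a C model of the CFF store/load handlers with the bounds check whose absence the slides describe, replaying the step-2 operands store(0, -18, 0, 1) against it. TopDictInfoModel, its array sizes and the function names are assumptions; the real t2k.dll layout is not on the page.

```c
#include <stdint.h>
#include <string.h>

#define BUILDCHAR_LEN 64   /* assumed size of the transient buildCharArray */
#define WEIGHTVEC_LEN 16   /* assumed size of the reg_WeightVector registry */

/* Model of the two arrays named on slide 11; the real t2k layout is not on the page. */
typedef struct {
    int32_t *buildCharArray;                 /* dynamically allocated */
    int32_t reg_WeightVector[WEIGHTVEC_LEN]; /* static array in the structure */
} TopDictInfoModel;

/* Accept [index, index + count) only if it lies inside an array of len
   elements. Negative operands and index + count wraparound are refused. */
static int range_ok(int32_t index, int32_t count, size_t len) {
    if (index < 0 || count < 0) return 0;
    if ((size_t)index > len) return 0;
    return (size_t)count <= len - (size_t)index;
}

/* store [0, j, index, count]: reg_WeightVector[j..] <- buildCharArray[index..] */
int cff_store(TopDictInfoModel *t, int32_t j, int32_t index, int32_t count) {
    if (!range_ok(index, count, BUILDCHAR_LEN) || !range_ok(j, count, WEIGHTVEC_LEN))
        return -1;                           /* out of bounds: reject the operator */
    memcpy(&t->reg_WeightVector[j], &t->buildCharArray[index],
           (size_t)count * sizeof(int32_t));
    return 0;
}

/* load [0, index, count]: buildCharArray[index..] <- reg_WeightVector[0..] */
int cff_load(TopDictInfoModel *t, int32_t index, int32_t count) {
    if (!range_ok(index, count, BUILDCHAR_LEN) || !range_ok(0, count, WEIGHTVEC_LEN))
        return -1;
    memcpy(&t->buildCharArray[index], t->reg_WeightVector,
           (size_t)count * sizeof(int32_t));
    return 0;
}

/* Replays the talk's step 2, store(0, -18, 0, 1): the negative registry index
   is refused instead of landing on the buildCharArray pointer. Returns -1. */
int replay_step2(void) {
    int32_t transient[BUILDCHAR_LEN] = {0x0c0c0c0c};  /* step 1: put(0, 0x0c0c0c0c) */
    TopDictInfoModel t = { transient, {0} };
    return cff_store(&t, -18, 0, 1);
}

/* An in-range store still works: copies index 0 into registry slot 3. */
int32_t replay_valid_store(void) {
    int32_t transient[BUILDCHAR_LEN] = {0x0c0c0c0c};
    TopDictInfoModel t = { transient, {0} };
    if (cff_store(&t, 3, 0, 1) != 0) return -1;
    return t.reg_WeightVector[3];                     /* 0x0c0c0c0c */
}
/* A load whose index + count would run past the array is refused too. Returns -1. */
int replay_overflowing_load(void) {
    int32_t transient[BUILDCHAR_LEN] = {0};
    TopDictInfoModel t = { transient, {0} };
    return cff_load(&t, 60, 0x7fffffff);
}
```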
Page 18
Agenda
• Background
• The vulnerability
• Exploit method 1
• Exploit method 2
• Exploit method 3
• Conclusion
Page 19
Information Leak + ROP
Page 20
Information Leak
• Read a function pointer from the structure
• Subtract a pre-computed offset from the function pointer to get the base address of t2k.dll
• Get other DLL bases (e.g. msvcrt) from the IAT of t2k.dll
Page 21
ROP
1. Write ROP gadgets into buildCharArray
2. Set jmp_buf->eip to the first ROP instruction
3. Set jmp_buf->esp to buildCharArray
4. Trigger an internal error to call longjmp
struct TopDictInfo {
    tsiMemObject *mem;
    …
}
struct tsiMemObject {
    …
    jmp_buf env;
    …
}
(diagram: the jmp_buf env holds the saved esp and eip slots)
Page 22
Agenda
• Background
• The vulnerability
• Exploit method 1
• Exploit method 2
• Exploit method 3
• Conclusion
Page 23
Overwrite Array Length + Statement
Page 24
Java Array in memory
Object header (8 bytes) | length (4 bytes) | a[0] | a[1] | … | a[n]
If we can overwrite the length field, we can read/write out of the bounds of this Java array
Page 25
Array Spray
Page 26
Overwrite Array length
• Set buildCharArray to 0x23ad27d8 (this address may vary on different OSes)
• Write “0x7fffffff” to 0x23ad27d8, which becomes the new array length
Page 27
Overwrite ACC in Statement Object
• Statement: call method on a target object
• AccessControlContext: check permission on privileged operations
Page 28
Overwrite ACC in Statement Object
• When a new Statement is created, the acc is set to the “snapshot” of the current calling context
• If you created the Statement in low-privileged code, the acc will be a low-privileged ACC
• We can replace the acc with a powerful ACC in memory
Statement object memory layout: Object header | acc | target | … ; in the diagram the acc slot is redirected to a powerful ACC
Page 29
Method 2 – Exploit Procedure
1. Allocate arrays
2. Allocate a Statement object right after the array
3. Overwrite the array length
4. Overwrite the acc in the Statement
(diagram of the memory space: array length and data, followed by the Statement with its acc; after steps 3 and 4 the length field holds the new length and the acc slot points to the powerful acc)
Page 30
Demo
• Exploit CVE-2013-1491 using Array length overwriting + Statement
Page 31
Method 2 – Limitation
• You need to be able to overwrite memory of the Java object heap
(diagram: inside the JVM, the Java object heap holds Java objects and Java arrays; the Java native heap is the default heap of JRE native code)
Page 32
Agenda
• Background
• The vulnerability
• Exploit method 1
• Exploit method 2
• Exploit method 3
• Conclusion
Page 33
JIT Spray
Page 34
History of JIT Spray
• Dion Blazakis - Interpreter Exploitation: Pointer Inference and JIT Spraying
• Alexey Sintsov - Writing JIT Shellcode for Fun and Profit
• TT Tsai - The Flash JIT Spraying is Back
Page 35
History of JIT Spray
• Mostly focused on Flash
• No practical PoC or guide for Java
Page 36
Java JIT Compiler
Java compiler: compiles source into byte code in the class file
JIT compiler: compiles byte code into native code
Page 37
Java JIT Compiler (cont.)
• View JIT-generated code
– -XX:+UnlockDiagnosticVMOptions -XX:+PrintAssembly
• CompileThreshold
– A function is JITed only after it has been called more than CompileThreshold times
– Default value: 1500 for the client JVM
Page 38
XOR in java JIT compiler
public int spray(int a) {
    int b = a;
    b ^= 0x90909090;
    b ^= 0x90909090;
    b ^= 0x90909090;
    return b;
}
0x01c21507: cmp 0x4(%ecx),%eax
0x01c2150a: jne 0x01bbd100
0x01c21510: mov %eax,0xffffc000(%esp)
0x01c21517: push %ebp
0x01c21518: sub $0x18,%esp
0x01c2151b: xor $0x90909090,%edx
0x01c21521: xor $0x90909090,%edx
0x01c21527: xor $0x90909090,%edx
…
0x01c21539: ret
Page 39
XOR in java JIT compiler (cont.)
• The XOR statement is compiled to a six-byte instruction
– 81 F2 90 90 90 3C xor edx, 0x3C909090
• We can replace the 3 NOP bytes with our shellcode
Page 40
Set EIP in the middle
Decoding from $0 (the JIT's instruction boundaries):
$0: 81 F2 90 90 90 3C : xor edx, 0x3C909090
$6: 81 F2 90 90 90 3C : xor edx, 0x3C909090
$12: 81 F2 90 90 90 3C : xor edx, 0x3C909090
Decoding when EIP is set to $2 (the EIP arrows in the diagram):
$0: 81 F2
$2: 90 nop
$3: 90 nop
$4: 90 nop
$5: 3C 81 cmp al, 81
$7: F2 repne
$8: 90 nop
$9: 90 nop
$10: 90 nop
$11: 3C 81 cmp al, 81
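Added here, and not part of the talk: a C scanner for the footprint the last three slides describe, a run of back-to-back xor r32, imm32 instructions all sharing one immediate, which is what a defender would look for when triaging a dumped JIT code region. The function names and the two byte samples are constructed for this example, not captured from a JVM.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One "xor r32, imm32" encoding: opcode 81, ModRM F0..F7 (mod=11, reg=/6), imm32. */
#define XOR_IMM_LEN 6

static int is_xor_r32_imm32(const uint8_t *p, size_t remaining) {
    return remaining >= XOR_IMM_LEN && p[0] == 0x81 && (p[1] & 0xF8) == 0xF0;
}

/* Counts runs of at least min_run back-to-back xor r32,imm32 instructions that
   all carry the same immediate, the shape JIT spray leaves in the code cache.
   If first_imm is non-NULL, the immediate of the first flagged run is stored. */
size_t count_xor_spray_runs(const uint8_t *code, size_t len,
                            size_t min_run, uint32_t *first_imm) {
    size_t runs = 0, i = 0;
    while (i < len) {
        if (!is_xor_r32_imm32(code + i, len - i)) { i++; continue; }
        uint32_t imm, next;
        memcpy(&imm, code + i + 2, 4);           /* little-endian immediate */
        size_t n = 1, j = i + XOR_IMM_LEN;
        while (is_xor_r32_imm32(code + j, len - j)) {
            memcpy(&next, code + j + 2, 4);
            if (next != imm) break;
            n++;
            j += XOR_IMM_LEN;
        }
        if (n >= min_run) {
            if (runs == 0 && first_imm) *first_imm = imm;
            runs++;
        }
        i = j;
    }
    return runs;
}

/* Constructed sample modelled on the slide's listing: push ebp; sub esp,0x18;
   three "xor edx, 0x3C909090"; ret. Not bytes captured from a real JVM. */
static const uint8_t spray_sample[] = {
    0x55, 0x83, 0xEC, 0x18,
    0x81, 0xF2, 0x90, 0x90, 0x90, 0x3C,
    0x81, 0xF2, 0x90, 0x90, 0x90, 0x3C,
    0x81, 0xF2, 0x90, 0x90, 0x90, 0x3C,
    0xC3 };

/* Constructed benign sample: two xors with different immediates, then ret. */
static const uint8_t benign_sample[] = {
    0x81, 0xF0, 0x01, 0x00, 0x00, 0x00,
    0x81, 0xF0, 0xFF, 0x00, 0x00, 0x00,
    0xC3 };

size_t demo_spray_runs(void) { return count_xor_spray_runs(spray_sample, sizeof spray_sample, 3, NULL); }
size_t demo_benign_runs(void) { return count_xor_spray_runs(benign_sample, sizeof benign_sample, 3, NULL); }
uint32_t demo_spray_imm(void) {   /* 0x3C909090 */
    uint32_t imm = 0;
    count_xor_spray_runs(spray_sample, sizeof spray_sample, 3, &imm);
    return imm;
}
```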
Page 41
Page 42
Find a reliable EIP to jump to
• 0x02cd70b7
– Fairly reliable on the tested systems: Windows XP SP3, Windows 7 Home Edition, Windows 7 Enterprise Edition, Windows 8 Home Edition
Page 43
Spray multiple functions at runtime
• ClassLoader.loadClass
(diagram: Exploit.class loads JIT00001.class, JIT00002.class, …)
Page 44
Performance
• First version: 20 ~ 40s to spray 2400 functions
– Because we have to call a function 1500 times before it can be JITed
• Using pre-warm-up: 7 ~ 9s
Page 45
Shellcode
• Two-staged
– Stage 0: sprayed by the JIT functions; searches for the Stage 1 shellcode and executes it (egg hunt)
– Stage 1: defined in a Java string; does the real work
Page 46
Demo
• Exploit CVE-2013-1491 using JIT Spray
Page 47
Add JIT Spray to your POC in one minute
• Demo
– Add JIT Spray to the CVE-2013-0809 POC
– We will publish all related code after the presentation
Page 48
Optional Demo
• JRE 7 native 0day + Win8 + Java JIT Spray
Page 49
Java JIT Spray – Limitation
• Currently only works on 32-bit platforms
• You need to be able to control EIP precisely
Page 50
Agenda
• Background
• The vulnerability
• Exploit method 1
• Exploit method 2
• Exploit method 3
• Conclusion
Page 51
Page 52
Conclusion
• We introduced 3 different methods to exploit a Java native vulnerability and bypass DEP/ASLR
• You need to choose the one that fits your vulnerability
Page 53
Conclusion
• Choose JIT Spray if 32-bit and you can control EIP
• Choose Array + Statement if you can overwrite a Java array on the Java object heap
• Choose Information Leak + ROP if you are Vupen
Page 54
"Heapsprays are for the 99%"
"And so are JIT sprays."
Page 55
Thank you!
Q & A