Pwningthe Nexus ™of Every - Flanker Sky

Pwning theNexus ™ ofEveryPixel ™

Qidan HeCredits also to: Gengming Liu

*NexusandPixelareregisteredtrademarksofGoogleInc.

#whoami

• Qidan He• SeniorSecurityResearcheratKeenLab• Apple/Android/ChromeCVEhunter(“frequentcreditor”)• SpeakeratBlackHat USA/ASIA,DEFCON,RECON,CanSecWest,HITCON,QMSS• Pwn2Own2016/MobilePwn2Own2016winner

• Gengming Liu• SecurityResearcherInternatKeenLab• CTFenthusiastic,DEFCONCTFfinalplayer• CaptainofAAACTFteam• MobilePwn2Own2016winner

AboutTencent KeenSecurityLab

• Previously known as KeenTeam• 2016PC/MobileMasterofPwn• Pwn2Ownchampionsin2013,2014,2015,2016,(2017currentlyrunning)• Pwnie Nominationsin2015,2016

TL;DR:HowwepwnednewestNexus6P/PixelrunningNougat• Threebugsformsacompleteexploitchain• OneV8bugtocompromisetherenderer• OneIPCbugtoescapesandbox• Onebugingapps allowsappinstall

• Googleresponseveryquickly• V8andIPCbugfixedinmidnightof10.26(CVE-2016-5197andCVE-2016-5198)• Gapp updatepushedin10.27(GoogleVRPcredit)

Agenda• IntroductionandExploitationofV8engine• IntroductionandExploitationofsandboxonAndroid•HowwepwnedNexus/PixelonMobilePwn2Own2016with3bugs• CVE-2016-5197/5198/GoogleVRP bug

HistoryofclassicalChromeexploits

• MWRLabs,Pwn2Own2013• Type-confusioninwebkit• ArbitraryzerowriteinIPC::OnContentBlocked

• PinkiePie,MobilePwn2Own2013• Runtime_TypedArrayInitializeFromArrayLike forrenderercodeexecution• ArbitraryfreeinClipboardHostMsg_WriteObjectsAsync

• Geohot inPwnium 4• PropertyredefinitionleadtoOOBread/writeinrenderer• SpoofIPCMessagetovulnerableextensioninprivilegeddomain

• Lokihart inPwn2Own2015• TOCTOUinGPUprocesssharedmemory

• Juri InPwn2Own2015• UAFinP2PSocketDispatcherHost

V8Javascript Engine

• Widelyknownandused• RuntimeoptimizationandJITtomachinecode• Strongtalk• Crankshaft• Turbofan

ObjectstructureinV8

0x2036cb90a089:[JSArrayBuffer]- map=0xebbd6702db1[FastProperties]- prototype=0x32cfe5005599- elements=0x1b6415782241<FixedArray[0]>[FAST_HOLEY_SMI_ELEMENTS]- internalfields:2- backing_store=0x5652757bea60- byte_length=24929- properties={}- internalfields={00}

vara=newArrayBuffer(0x6161)

0x2036cb90a089:[JSArrayBuffer]- map=0xebbd6702db1[FastProperties]- prototype=0x32cfe5005599- elements=0x1b6415782241<FixedArray[0]>[FAST_HOLEY_SMI_ELEMENTS]- internalfields:2- backing_store=0x5652757bea60- byte_length=24929- properties={}- internalfields={00}

vara=newArrayBuffer(0x6161)

pwndbg$x/30xg0x00002036cb90a0880x2036cb90a088:0x00000ebbd6702db10x00001b64157822410x2036cb90a098:0x00001b64157822410x00006161000000000x2036cb90a0a8:0x00005652757bea600x0000000000000004

BoxinginV8

• Float&Double encapsulatedinV8heap• HeapNumber object• vmovsd QWORDPTR[rax+0x7],xmm0

• SMI• 31bitintegerwithlowestbitsetto0

• Taggedpointer

CVE-2016-5198– ChainofBugs#1

• FoundbyKeenLab andusedforMobilePwn2Own2016• AffectsallenginesbasedonV8andapplicationswithWebview

Howweexploited CVE-2016-5198

CVE-2016-5198ByKeenLab

JITworkflowoverview

• JITcompilermodes• Interpretmode– onstartup,naïve,slow,safe• Optimizedmode– afterprofiling,fast

• Optimizedcodegeneratedaccordingtotype-infocollected• Whatifobjecttypechanged?• maptypecheckwillfail- Deoptimize andregenerate

Deoptimization

• EagerDeoptimization• Usuallyseeninfunctionargumentchecks• Bailouttointerpretermodeimmediately

• LazyDeoptimization• Usuallyseenonglobalobjectaccess• Whochangestheobjectisresponsibleforpatchingfollowingusers

• WhatifitselfisalsoJITed?

OOBinOptimizedJITcode

WhatJITdoes?

OOBinOptimizedJITcode

OptimizedcodeforCtor

Non-optimizedcodeforfunc`Check`

Optimized

optimizedcodeforfunc`Check`

Optimized

0x3f9385872433548b8c1bf4a339d070000REX.Wmovq rax,0x79d334abfc1;;object:0x79d334abfc1PropertyCell for0x130199d54631<aSetwithmap0x1ffdd430c391>

0x3f93858724d45488b400fREX.Wmovq rax,[rax+0xf]

#js:Getglobalvariablen

Optimized

0x3f9385872514949ba0000805e0a4de041REX.Wmovq r10,0x41e04d0a5e8000000x3f93858725b59c4c1f96ec2vmovq xmm0,r100x3f93858726064488b4007REX.Wmovq rax,[rax+0x7]0x3f93858726468488b400fREX.Wmovq rax,[rax+0xf]0x3f93858726872c5fb114007vmovsd [rax+0x7],xmm0

n.xyz =0x826852f4

Heapnumberoverwrite

Map value

PROP_CELL_MAP0x2ab4ce002a99

Map Properties

elements

PropertyCell n: 0x79d334abfc1

JSSet: 0x130199d5c511

tables

JS_SET_TYPE_MAP

mov rax,QWORD PTR [rax+0xf]

mov rax,QWORD PTR [rax+0x7]

0x31337

Map length:1

Non-empty FixedArray

Property1 …

Javascript: n.xyz = 0x31337

• Optimizedcodeassumestheobjectalreadyhaveproperty

Nomaptypecheck

However…

• Whatiftheobjectischangedanditdoesn’thavepropertynow?• Andthemapcheckiseliminatedingeneratedcode…• ASSUMPTIONINVALID!

Map value


Map Properties

elements


JSSet: 0x130199d5c511

tables

JS_SET_TYPE_MAP

Map length:0

Empty FixedArray

Map Hashcode

Null string

length Chars


mov rax,QWORD PTR [rax+0x7]

0x31337

OUT OF BOUNDS HERE!

Map length:1

Non-empty FixedArray

Property1 Property

Map value


Map Properties

elements


JSSet: 0x130199d5c511

tables

JS_SET_TYPE_MAP

Map length:0

Empty FixedArray

Map Hashcode

Null string

length Chars

mov rax,QWORD PTR [rax+0xf]mov rax,QWORD PTR [rax+0x7]

0x826852f4

Map …type

Map for ONE_BYTE_INTERNALIZED_STRING_TYPE

…

vmovsd QWORD PTR [rax+0x7],xmm00x41e04d0a5e800000

Confused to EXTERNAL_STRINGChars interpreted as Pointer

Map Hashcode length Chars

0x4141414141..

AAAA


ExploitationSteps

• OOBwritecharsfieldofnullstringtoleakArrayBufferaddress• OverwriteArrayBufferbacking_store toleakFunctioncodeaddress• OverwriteArrayBufferbacking_store withFunctioncodeaddress• WriteshellcodetoArrayBufferandexec!

Primitives

• Writeprimitive:• Sequentialwrite

• n.b =0x31337• HeapNumber write

• *(p+8)=v

• Readprimitive• ArrayBuffer storageisourfriend

• Heapnumber overwriteArrayBuffer_len_ptr (storage-8)• Butfirst… leakanArrayBuffer addresstoknowwheretowriteto

• Use#nullstringtocoldstart!

StructureofONE_BYTE_INTERNALIZED_STRINGpwndbg>job0x28b4ff7ab259#nullpwndbg>x/40xg0x28b4ff7ab2580x28b4ff7ab258: 0x0000090b4b182361 0x000000005887594a0x28b4ff7ab268: 0x0000000400000000 0xdeadbeed6c6c756e

#nullstringascoldstart– Run#1

• OOBwritenullstringlength• OOBwritecharsfield• m.d =ab(newArrayBuffer)• newString(null)

• charCodeAt foreachbyte• ArrayBuffer and#nullstringaddressleaked!

• Turnlimitedsequentialwriteintoarbitraryaddresswrite

Map length:0

Empty FixedArray

Map Hashcode

Null string

length

m.a = m.a

unchanged

m.c = 0x200000

overwritten

var ab = new ArrayBuffer(40000);

chars(Now #null

pointer)

chars(Now ab

ptr)

m.e = ab

m.d = null_str

Note:canassignobjecttofieldbutcannotdirectlyassignPointertofielde.g.`hashcode`(willdereferencefieldasPointerwrappedasfloatin64bit!)

#nullstringascoldstart– Run#2

• PerformHeapNumber overwriteinnextoptimizationrun• m.d =unpackIEEE754(ab_len_addr)

Map length:0

Empty FixedArray

Map (Overwritten)

Null string

length

m.a = m.a

unchanged

m.c = 0x200000

overwritten


chars(Now #null

pointer)

chars(Now ab

ptr)

m.d = *float*(ab_len_ptr)

Map Properties

Elements length storage

PlaywithFunction– Run#3

• Function allocatd atbeginning• ab_storage_ptr =ab_len_ptr +8• m.b =unpackIEEE754(addr_of_code - 8)• Canabitrary readnow...Readwhat?

• DuringstartupFunctionaddressalsoliesbeforeArrayBuffer• HeapNumber overwrite*ab_storage_ptr =code_loc – 8• Code_ptr =ab[3]<<32+ab[2]

Map length:0

Empty FixedArray

MapNow

#ab_len ptr)

Null string

length

m.a = m.a

unchanged

m.c = 0x200000

overwritten


chars(Now #null

pointer)

chars(Now ab

ptr)

m.b = *float*(code_ptr - 8)

Map Properties

Elements length

storage(Overwri

tten)Map Properti

esElement

s … … CODE

PlaywithFunction– Finalrun

• m.b =unpackIEEE754(code_ptr)• *ab_storage_ptr =code_ptr• Writeshellcodewithabaccess• CallFunction• Gameover!J

Map length:0

Empty FixedArray

MapNow

#ab_len ptr)

Null string

length

m.a = m.a

unchanged

m.c = 0x200000

overwritten


chars(Now #null

pointer)

chars(Now ab

ptr)

m.e = *float*(code_ptr)

Map Properties

Elements length

storage(Overwri

tten)Map Properti

esElement

s … … CODE

Write your shellcode on new Uint32Array(ab)!

0x2f8c75784bc0 <Function:~ :1>: 0x8b485756e5894855 0x41830f498b482f4f 0x2f8c75784bd0 <Function:~ :1+16>: 0x000c50a53b49011b 0xfff57b20e8057300 0x2f8c75784be0 <Function:~ :1+32>: 0xbab9bb48a0458b49 0x4383000021ea1e72 0x2f8c75784bf0 <Function:~ :1+48>: 0x7a86e8501f79d10b 0x72bab9bb4858fff5 0x2f8c75784c00 <Function:~ :1+64>: 0x00ba49000021ea1e 0x4c00001800000000 0x2f8c75784c10 <Function:~ :1+80>: 0x900008c2c9075389 0xdeadbeed00000000’

Sorenderercodeexecutiongot…

• Nowwhat?

Theanatomy ofChromesandbox

• AlluntrustedcoderunsinTargetprocess• RelaymostoperationstoBroker• Trybestto• lockdownthecapabilitiesofrenderer

• Evenrendereriscompromised• Accessisstillstrictlyprohibited

• GPUprocesshavehigherlevelaccess• Thannormalsandboxprocess

Untrusted_app

ProcessprivilegesinAndroid

Isolated_app

media

radio

System_server

KernelAdb shell

State-of-artdefenseofAndroidsandbox

• DACintroducedbynatureofLinux• IsolatedProcess introducedinJellyBean• SELinux enforcedinKitKat• Furtherrestrictedinsubsequentrelease

So… HowdoweescapethesandboxinMobilePwn2Own2016?ChainofBugs#2

Webviewinappisnotisolated

• Webview stillrunsinthesameuid/processasordinaryapp• Findsomeappwhichacceptscontrolled-URLtoattack• Oops..NoBROWSABLEones… butwehaveIPCbugtorescue!

void RenderViewImpl::LaunchAndroidContentIntent(const GURL&intent,size_t request_id,bool is_main_frame){if (request_id !=expected_content_intent_id_)return;

//Removethecontenthighlightingifany.ScheduleComposite();

if (!intent.is_empty()){base::RecordAction(base::UserMetricsAction("Android.ContentDetectorActivated"));Send(newViewHostMsg_StartContentIntent(GetRoutingID(),intent,is_main_frame));}}//src/content/renderer/renderer_view_impl.cc

bool RenderWidgetHostViewAndroid::OnMessageReceived(const IPC::Message&message){//…bool handled=true;IPC_BEGIN_MESSAGE_MAP(RenderWidgetHostViewAndroid,message)IPC_MESSAGE_HANDLER(ViewHostMsg_StartContentIntent,OnStartContentIntent)IPC_MESSAGE_HANDLER(ViewHostMsg_SmartClipDataExtracted,OnSmartClipDataExtracted)IPC_MESSAGE_HANDLER(ViewHostMsg_ShowUnhandledTapUIIfNeeded,OnShowUnhandledTapUIIfNeeded)IPC_MESSAGE_UNHANDLED(handled=false)IPC_END_MESSAGE_MAP()return handled;}

publicvoidonStartContentIntent(Contextcontext,StringintentUrl,boolean isMainFrame){Intentintent;//PerformgenericparsingoftheURItoturnitintoanIntent.try{intent=Intent.parseUri(intentUrl,Intent.URI_INTENT_SCHEME);

Stringscheme=intent.getScheme();intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);}catch(Exceptionex){Log.w(TAG,"BadURI%s",intentUrl,ex);return;

}try{

context.startActivity(intent);}catch(ActivityNotFoundException ex){}}

CVE-2016-5197Arbitraryintentstartinbroker

CVE-2016-5197

CVE-2016-5197ByKeenLab

MobilePwn2OwnChainofBugs#3

• SeethatholyGoogleDrive• HavefullaccesstoGoogleaccount• TrustedbyGooglePlay• To“install”app

• Blindlyopensanyintent-controlledURL• Pwn ittojumpfromisolatedtountrusted• PlusAppinstallationability!

Sandbox (runs v8)(isolated_app)

Broker(untrusted_app)

startContentIntentString

Google Drive(Runs v8)OpenUrlActivity

Intent with payload URL

`Click` IPCs

Intent is added Browsable

Chainitalltogether

• UseCVE-2016-5198togaincontrolofrendererinChromebrowser• Note:ChromeonAndroidcurrentlyis32bit

• SearchforIPCobjects,issueViewHostMsg_StartContentIntentrequest• JumptoGoogleDrive,openEXPpageagain• Note:GoogleDriveisa64bitappsoitswebview isalso64bit

• Gotashellinuntrusted_app contextfromGoogleDrive• Reloadplay.google.com,uploadcookies.db inappdatadirectory• OrjustsendintenttoGooglePlay appforittoinstall

• Sendinstallapprequest,waitforBOOM

Mitigations?

• ForbidopeninguntrustedURLs(tempsolution)• Webview multiprocess aslongtermsolution• Buthowaboutdevicespre-N?

• On-deviceconfirmationwheninstallingfromplay.google.com?

NoGooglePlay/GoogleDrive,noconcern?

• Vendorsmakemorestupidmistakes• Variousappstores containswebview• Oneevenrunswebview assystem-uid - -!

Furtherthought

• Isitpossibletoapplywebview sandboxingatapplicationlevelinpre-Ndevices?

Acknowledgements

• AllcolleaguesatKeenLab

Questions?

Pwningthe Nexus ™of Every - Flanker Sky

Documents

Transcript of Pwningthe Nexus ™of Every - Flanker Sky