«How to find a 0-day in a browser»
Alexander Bazhanyuk @Abazhanyuk virvdova@gmail.com
Who am I?
- BitBlaze Core Research Team
http://bitblaze.cs.berkeley.edu/
- DefCon-UA
- Hack In The Box 2012:
http://conference.hitb.org/hitbsecconf2012ams/alex-bazhanyuk-nikita-tarakanov/
success story
“Hack the laptop and take it away”: Safari browser on Windows 7, CVE-2011-0222
What? Where? How?
- WHAT do we want to find?
- WHERE do we want to find it?
- HOW do we want to search for it?
What do we want to find?
Exception. Logic bug.
How can we detect an exception?
Handled exceptions / Unhandled exceptions
1) WinDbg
2) PyDbgEng
3) Pybag
4) WinAppDbg
5) XcptMon
WinAppDbg (Python): memory dump
C:\Python27\Scripts\crash_logger.py "C:\Program Files\Internet Explorer\iexplore.exe" http://192.168.1.177/fuzzer.html --log=
Browsers
- Windows Internet Explorer (sandbox)
- Mozilla Firefox
- Google Chrome (sandbox)
- Safari
- Opera
- Opera Mini (mobile)
- Netscape Navigator
- Midori
- Skyfire
- Dolphin
Engines
- Amaya
- Gecko (Firefox)
- HTMLayout
- KHTML
- Presto
- Prince
- Trident
JS engines
- V8
- LLInt: http://trac.webkit.org/changeset/108309
Open source
- Firefox
- Chrome
- Safari (?)
- WebKit
W3C (http://www.w3.org/TR/)
- CSS
- CSS Mobile
- DCCI
- Declarative Web Applications
- Device Description Repository
- Device Independence Authoring
- DOM
- DOM events
- XML Schema
- XML Signature
- XML-binary Optimized Packaging
- xml:id
- XPath
- XPointer
- XQuery
- XSL-FO
- XSLT
3D in Browser
1. Canvas 3D (API). (JS->OpenGL->GPU)
2. 3D in Flash: Flare 3d. (Flash->GPU)
Firefox GPU
JS 3D API BSoD
Chrome
- Multiple licenses: http://code.google.com/p/chromium
- Flash included
- Sandbox
- WebKit (socks)
- V8
Chrome with ASAN
AddressSanitizer (ASAN) is a fast memory error detector based on compiler instrumentation (LLVM). It is fully usable for Chrome on Linux and Mac.
Dynamic
pwn2own
Team VUPEN: 123 points
0-day (32 points each):
- Google Chrome: full sandbox escape and code execution
- Microsoft Internet Explorer: Protected Mode bypass and code execution
CVE challenge (10/9/8 points each, depending on the day):
- CVE-2010-3346 (Internet Explorer)
- CVE-2009-3077 (Firefox)
- CVE-2011-0115 (Safari)
- CVE-2010-0050 (Safari)
- CVE-2010-0248 (Internet Explorer)
- CVE-2010-2752 (Firefox)
Team Willem & Vincenzo: 66 points
0-day (32 points each):
- Mozilla Firefox: full code execution
CVE challenge (10/9/8 points each, depending on the day):
- CVE-2010-3346 (Internet Explorer)
- CVE-2011-0115 (Safari)
- CVE-2010-0050 (Safari)
- CVE-2010-2752 (Firefox)
Pwnium
$10^6
- [Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.
- [Like a b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047:
Cool guys
- [$10,000] [116661] Rockstar CVE-1337-d00d1: Excessive WebKit fuzzing. Credit to miaubiz.
- [$10,000] [116662] Legend CVE-1337-d00d2: Awesome variety of fuzz targets. Credit to Aki Helin of OUSPG.
- [$10,000] [116663] Superhero CVE-1337-d00d3: Significant pain inflicted upon SVG. Credit to Arthur Gerkis.
Firefox Analyzer
Sandbox
- Chrome
- Safari
- IE9 (10)
IE
Fuzzers
- cross_fuzz (Michal Zalewski): http://lcamtuf.coredump.cx/cross_fuzz/
- Browser Fuzzer 3 (bf3) is a comprehensive web browser fuzzer that fuzzes CSS, DOM, HTML and JavaScript.
- BitBlaze: ~200 GB trace, BitBlaze socks
Logger
- Firebug
Symbols
During vulnerability analysis, debug symbols help a lot. So here are the links for the most popular web browsers:
1. IE: http://msdl.microsoft.com/download/symbols
2. Firefox: http://developer.apple.com/internet/safari/windows_symbols_instructions.html
3. Safari: http://developer.apple.com/internet/safari/windows_symbol
Chrome
1) --single-process
2) chrome.exe [--wait-for-debugger-children[=filter]] [--wait-for-debugger]
   * filter = plugin | renderer
   --wait-for-debugger-children waits for a debugger in child processes for 60 seconds.
Multithread
Old results:
- Firefox 3.6.X: 2
- Firefox 4.0.X: no crashes
- Chrome: 1
- Safari: 3
- IE 8: 3
New results:
- Firefox 3.6.X: 1 (stack limited)
- Firefox 11.0.X: 1 (stack limited)
- Chrome: 6
- Safari: 4
- IE 9: 6
IE6
(a94.100): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling. This exception may be expected and handled.
eax=05193ad4 ebx=00000000 ecx=00000000 edx=00000000 esi=05193ad4 edi=00000000
eip=3d073142 esp=0205d050 ebp=0205d060 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!GetScriptSiteCommandTarget+0x15:
Safari
and dword ptr ds:0BBADBEEFh, 0
xor eax, eax
call eax
Not exploitable
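A small triage helper for the WinDbg output shown on these slides, added here as an example; it is not the talk's crash_logger.py (that script ships with WinAppDbg) and not part of the original deck. It parses first-chance and second-chance exception headers, the register dump and the faulting symbol, buckets crashes by symbol so that repeated hits from a fuzzing run are counted once, and flags the write to 0xBBADBEEF that WebKit's CRASH() macro performs on purpose, which is the case the Safari slide labels "Not exploitable". The sample log is constructed: its first record reuses the IE6 output above, the second is a made-up WebKit-style record (its pid/tid, register values and the WebKit!WTFCrash frame are assumptions, not taken from the slides).

```python
"""WinDbg crash-log triage: parse exception records, bucket them by faulting
symbol and flag WebKit's intentional CRASH() write.
Added example; not the talk's crash_logger.py."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Address that WebKit's CRASH() macro writes to on purpose before calling a null
# function pointer; an access violation there is an assertion, not a memory bug.
WEBKIT_CRASH_ADDR = 0xBBADBEEF

# Constructed sample log. Record 1 reuses the IE6 WinDbg output from the slides.
# Record 2 is constructed to mirror the Safari "and dword ptr ds:0BBADBEEFh,0"
# sequence; its pid/tid, registers and the WebKit!WTFCrash frame are assumed.
SAMPLE_LOG = """\
(a94.100): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling. This exception may be expected and handled.
eax=05193ad4 ebx=00000000 ecx=00000000 edx=00000000 esi=05193ad4 edi=00000000
eip=3d073142 esp=0205d050 ebp=0205d060 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!GetScriptSiteCommandTarget+0x15:
(1c4.3a8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0012ff00 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=6a0b1234 esp=0012fe80 ebp=0012fea0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
WebKit!WTFCrash+0x12:
6a0b1234 83257fbeadbb00  and     dword ptr ds:[0BBADBEEFh],0  ds:0023:bbadbeef=????????
"""

# "(pid.tid): <description> - code <hex> (first chance | !!! second chance !!!)"
HEADER_RE = re.compile(
    r"^\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\): (?P<desc>.+?) - code "
    r"(?P<code>[0-9a-f]{8}) \((?P<chance>first chance|!!! second chance !!!)\)$"
)
# 32-bit general-purpose registers as WinDbg prints them: name=8 hex digits
REG_RE = re.compile(r"\b(?P<name>e[a-d]x|e[sd]i|eip|esp|ebp)=(?P<val>[0-9a-f]{8})\b")
# "module!symbol+0xoffset:" line that precedes the faulting instruction
SYMBOL_RE = re.compile(r"^(?P<sym>[\w.]+![\w:?@$]+(?:\+0x[0-9a-f]+)?):$")


@dataclass
class CrashRecord:
    pid: str
    tid: str
    description: str
    code: int
    second_chance: bool
    registers: Dict[str, int]
    symbol: Optional[str]
    intentional_crash: bool

    @property
    def bucket(self) -> str:
        """De-duplication key: faulting symbol without its offset, falling back
        to the instruction pointer when the module has no symbols."""
        if self.symbol:
            return self.symbol.split("+", 1)[0]
        return f"eip={self.registers.get('eip', 0):08x}"

    @property
    def verdict(self) -> str:
        """Coarse triage label (heuristic, assumed for this example)."""
        if self.intentional_crash:
            return "not exploitable: WebKit CRASH()/assertion (write to 0xbbadbeef)"
        if self.code != 0xC0000005:
            return f"non-AV exception 0x{self.code:08x}: review"
        if not self.second_chance:
            return "first-chance AV: may be handled, confirm with second chance"
        return "unhandled AV: candidate for further triage"


def parse_windbg_log(text: str) -> List[CrashRecord]:
    """Split a WinDbg session log into one CrashRecord per exception header."""
    records: List[CrashRecord] = []
    current: Optional[CrashRecord] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = CrashRecord(
                pid=m["pid"], tid=m["tid"], description=m["desc"],
                code=int(m["code"], 16),
                second_chance=m["chance"].startswith("!!!"),
                registers={}, symbol=None, intentional_crash=False,
            )
            records.append(current)
            continue
        if current is None:
            continue  # text before the first exception header
        for r in REG_RE.finditer(line):
            current.registers[r["name"]] = int(r["val"], 16)
        s = SYMBOL_RE.match(line)
        if s:
            current.symbol = s["sym"]
        # the disassembly or the "ds:0023:bbadbeef" annotation names the address
        if f"{WEBKIT_CRASH_ADDR:x}" in line.lower():
            current.intentional_crash = True
    return records


def summarize(records: List[CrashRecord]) -> Dict[str, int]:
    """Count crashes per bucket, the number a fuzzing campaign actually reports."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.bucket] = counts.get(rec.bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in parse_windbg_log(SAMPLE_LOG):
        print(f"{rec.pid}.{rec.tid} {rec.bucket:<40} {rec.verdict}")
    print(summarize(parse_windbg_log(SAMPLE_LOG)))
```

The first-chance record is deliberately kept separate from the unhandled one: as the IE6 slide says, a first-chance exception may be expected and handled by the browser, so a bucket only becomes interesting once the same symbol shows up as a second-chance crash.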
IE9:
mshtml!DllGetClassObject+0x1a083b
mshtml!DllGetClassObject+0x1af4de
mshtml!DllGetClassObject+0xeef7b
mshtml!Ordinal103+0xe231
mshtml!DllGetClassObject+0x1a084b
mshtml!CreateHTMLPropertyPage+0xa36ab
mshtml!DllGetClassObject+0xe9840
mshtml!Ordinal103+0xe281
mshtml!DllGetClassObject+0x4f8e5
Thank you!
Questions? :)
virvdova@gmail.com