"How to find a 0-day in a browser" (Bazhanyuk)


(1)

"How to find a 0-day in a browser"

Alexander Bazhanyuk, @Abazhanyuk, virvdova@gmail.com

(2)

Who am I?

- BitBlaze Core Research Team

http://bitblaze.cs.berkeley.edu/

- DefCon-UA

- Hack In The Box 2012:

http://conference.hitb.org/hitbsecconf2012ams/alex-bazhanyuk-nikita-tarakanov/

(3)

Success story

"Laptop: hack it and take it away" contest: Safari on Windows 7, CVE-2011-0222

(4)

What? Where? How?

- WHAT do we want to find?
- WHERE do we want to find it?
- HOW do we want to search for it?

(5)

What do we want to find?

Exception. Logic bug.

(6)

How can we detect an exception?

Handled exceptions vs. unhandled exceptions. Tools:
1) WinDbg
2) PyDbgEng
3) Pybag
4) WinAppDbg
5) XcptMon

(7)

WinAppDbg (Python), logging each crash with a memory dump. Example invocation of its crash_logger.py against Internet Explorer loading the fuzzer page:

C:\Python27\Scripts\crash_logger.py "C:\Program Files\Internet Explorer\iexplore.exe" http://192.168.1.177/fuzzer.html --log=

(8)

Browsers

- Windows Internet Explorer (sandbox)
- Mozilla Firefox
- Google Chrome (sandbox)
- Safari
- Opera
- Opera Mini (mobile)
- Netscape Navigator
- Midori
- Skyfire
- Dolphin

(9)

Engines

Amaya, Gecko (Firefox), HTMLayout, KHTML, Presto, Prince, Trident

(10)

JS engines

V8

LLInt: http://trac.webkit.org/changeset/108309

(11)

Open source

Firefox, Chrome, Safari (?), WebKit

(12)
(13)

W3C specifications (http://www.w3.org/TR/)

CSS, CSS Mobile, DCCI, Declarative Web Applications, Device Description Repository, Device Independence Authoring, DOM, DOM Events, XML Schema, XML Signature, XML-binary Optimized Packaging, xml:id, XPath, XPointer, XQuery, XSL-FO, XSLT

(14)

3D in Browser

1. Canvas 3D (API). (JS->OpenGL->GPU)

2. 3D in Flash: Flare 3d. (Flash->GPU)

(15)

Firefox GPU

JS 3D API BSoD

(16)

Chrome

- Multiple licenses: http://code.google.com/p/chromium
- Flash included
- Sandbox
- WebKit (socks)
- V8

(17)

Chrome with ASAN

AddressSanitizer (ASAN) is a fast memory error detector based on compiler instrumentation (LLVM). It is a dynamic tool: it only reports errors on code paths the fuzzer actually executes. It is fully usable for Chrome on Linux and Mac.

(18)
(19)

pwn2own

Team VUPEN: 123 points
- 0-day (32 points each): Google Chrome, full sandbox escape and code execution; Microsoft Internet Explorer, Protected Mode bypass and code execution
- CVE challenge (10/9/8 points each, depending on the day): CVE-2010-3346 (Internet Explorer), CVE-2009-3077 (Firefox), CVE-2011-0115 (Safari), CVE-2010-0050 (Safari), CVE-2010-0248 (Internet Explorer), CVE-2010-2752 (Firefox)

Team Willem & Vincenzo: 66 points
- 0-day (32 points each): Mozilla Firefox, full code execution
- CVE challenge (10/9/8 points each, depending on the day): CVE-2010-3346 (Internet Explorer), CVE-2011-0115 (Safari), CVE-2010-0050 (Safari), CVE-2010-2752 (Firefox)

(20)

Pwnium

$1,000,000 in prizes

[Ch-ch-ch-ch-ching!!! $60,000] [117226] [117230] Critical CVE-2011-3046: UXSS and bad history navigation. Credit to Sergey Glazunov.

[Like a b-boss!!! $60,000] [117620] [117656] Critical CVE-2011-3047:

(21)

Cool guys

[$10,000] [116661] Rockstar CVE-1337-d00d1: Excessive WebKit fuzzing. Credit to miaubiz.

[$10,000] [116662] Legend CVE-1337-d00d2: Awesome variety of fuzz targets. Credit to Aki Helin of OUSPG.

[$10,000] [116663] Superhero CVE-1337-d00d3: Significant pain inflicted upon SVG. Credit to Arthur Gerkis.

(22)

Firefox Analyzer

(23)

Sandbox

Chrome, Safari, IE9 (10)

(24)

IE

(25)

Fuzzer

cross_fuzz

Browser Fuzzer 3 (bf3) is a comprehensive web browser fuzzer that fuzzes CSS, DOM, HTML and JavaScript.
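A generation-based test-case generator in the spirit of bf3's CSS/DOM/HTML/JavaScript mixing, added here as an example; it is not bf3, cross_fuzz or any code from the talk. The tag, CSS and DOM-operation vocabularies are constructed and deliberately small, and the seed-in-title convention is an assumption. What it adds to the slide is reproducibility: every page is a pure function of one integer seed, so a crash recorded by the debugger can be regenerated from the seed instead of being lost.

```python
"""Seeded HTML test-case generator (added example; not bf3 or cross_fuzz).

Every test case is a pure function of one integer seed: the DOM tree, the
inline CSS and the mutation script are all drawn from random.Random(seed).
The seed is embedded in the <title>, so when the debugger logs a crash the
page that caused it can be regenerated instead of hunted through logs.
"""
import random
import sys

# Constructed vocabularies, kept deliberately small; a production fuzzer
# would derive them from the W3C specs listed earlier in the deck.
TAGS = ["div", "span", "table", "tr", "td", "svg", "canvas", "iframe",
        "input", "textarea", "select", "object", "marquee"]
CSS_PROPS = {
    "position": ["absolute", "fixed", "relative", "static"],
    "display": ["none", "table-cell", "inline-block", "list-item", "run-in"],
    "float": ["left", "right", "none"],
    "overflow": ["hidden", "scroll", "auto", "visible"],
    "width": ["0", "1px", "100000px", "-1px", "50%", "1e9px"],
    "content": ["counter(x)", "attr(id)", "open-quote", "url(x)"],
}
# {t} is the target node, {s} a second node; each entry is one JavaScript statement.
DOM_OPS = [
    "{t}.appendChild({s});",
    "{t}.parentNode.removeChild({t});",
    "{t}.innerHTML = {s}.outerHTML;",
    "{t}.style.cssText = {s}.style.cssText;",
    "document.body.insertBefore({s}, {t});",
    "{t}.setAttribute('id', 'n' + Math.random());",
    "{t}.focus(); {s}.blur();",
    "{t}.contentEditable = 'true'; document.execCommand('selectAll');",
    "{t}.offsetHeight;",  # forces layout so earlier style changes take effect
]


def _style(rng):
    props = rng.sample(sorted(CSS_PROPS), rng.randint(1, 4))
    return "; ".join(f"{p}: {rng.choice(CSS_PROPS[p])}" for p in props)


def _tree(rng, ids, depth=0):
    """Emit one element with a fresh id and up to three children (max depth 3)."""
    nid = f"n{len(ids)}"
    ids.append(nid)
    tag = rng.choice(TAGS)
    kids = ""
    if depth < 3:
        kids = "".join(_tree(rng, ids, depth + 1) for _ in range(rng.randint(0, 3)))
    return f'<{tag} id="{nid}" style="{_style(rng)}">{kids}</{tag}>'


def _script(rng, ids, n_ops):
    lines = []
    for _ in range(n_ops):
        t, s = rng.choice(ids), rng.choice(ids)
        stmt = rng.choice(DOM_OPS).format(t=f"document.getElementById('{t}')",
                                           s=f"document.getElementById('{s}')")
        # A JS exception (e.g. a node already removed) must not end the run;
        # only a native crash in the browser should stop it.
        lines.append(f"try {{ {stmt} }} catch (e) {{}}")
    return "\n".join(lines)


def generate(seed, n_ops=200):
    """Return a complete HTML page determined entirely by `seed`."""
    rng = random.Random(seed)
    ids = []
    body = _tree(rng, ids)
    script = _script(rng, ids, n_ops)
    return ("<!DOCTYPE html><html><head>"
            f"<title>fuzz seed={seed}</title></head><body>{body}\n"
            f"<script>\n{script}\n</script></body></html>")


if __name__ == "__main__":
    # usage: python gen.py SEED > fuzzer.html  (serve it where crash_logger's URL points)
    sys.stdout.write(generate(int(sys.argv[1]) if len(sys.argv) > 1 else 1))
```

Generate one page per seed, serve it at the URL given to crash_logger.py, and record the seed together with the crash; regenerating with the same seed yields the same page byte for byte, which is what makes a fuzzing crash reproducible in a second debugger session.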

(26)

Bitblaze

~200G trace BitBlaze sockes

(27)

Michal Zalewski

http://lcamtuf.coredump.cx/cross_fuzz/

(28)

logger

Firebug

(29)

Symbols

During vulnerability analysis, debug symbols help a lot. Symbol sources for the most popular web browsers:
1. IE: http://msdl.microsoft.com/download/symbols (Microsoft public symbol server)
2. Firefox: http://symbols.mozilla.org/ (Mozilla symbol server)
3. Safari: http://developer.apple.com/internet/safari/windows_symbols_instructions.html

(30)

Chrome

1) --single-process
2) chrome.exe [--wait-for-debugger-children[=filter]] [--wait-for-debugger], where filter = plugin | renderer

--wait-for-debugger-children makes the child processes wait for a debugger to attach, for 60 seconds.

(31)

Multithread

(32)

Old results

- Firefox 3.6.X: 2
- Firefox 4.0.X: no crashes
- Chrome: 1
- Safari: 3
- IE 8: 3

(33)

New results

- Firefox 3.6.X: 1 (stack limited)
- Firefox 11.0.X: 1 (stack limited)
- Chrome: 6
- Safari: 4
- IE 9: 6

(34)

ie6

(a94.100): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=05193ad4 ebx=00000000 ecx=00000000 edx=00000000 esi=05193ad4 edi=00000000
eip=3d073142 esp=0205d050 ebp=0205d060 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!GetScriptSiteCommandTarget+0x15:

Note that ebx, ecx, edx and edi are all zero at the fault and that this is a first-chance exception: the process has not crashed yet, so let it continue and see whether a handler swallows it or it comes back as a second-chance exception.

(35)

Safari

and dword ptr ds:0BBADBEEFh, 0
xor eax, eax
call eax

This is WebKit's CRASH() macro: it stores to the unmapped address 0xbbadbeef and then calls a null function pointer, so the fault is a deliberate assertion failure, not a memory-corruption primitive.

(36)

Not exploitable

ie9:
mshtml!DllGetClassObject+0x1a083b
mshtml!DllGetClassObject+0x1af4de
mshtml!DllGetClassObject+0xeef7b
mshtml!Ordinal103+0xe231
mshtml!DllGetClassObject+0x1a084b
mshtml!CreateHTMLPropertyPage+0xa36ab
mshtml!DllGetClassObject+0xe9840
mshtml!Ordinal103+0xe281
mshtml!DllGetClassObject+0x4f8e5

Every frame is a large offset from an exported function (DllGetClassObject, Ordinal103, CreateHTMLPropertyPage): WinDbg resolved only the exports of mshtml.dll, so load the public symbols from the Microsoft symbol server before judging this stack.
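The ie6, Safari and "Not exploitable" slides show what an analyst reads off a WinDbg record; the script below, added here and not part of the talk, automates that first pass. All three sample records are constructed: the ie6 one reuses the register dump from the slide, but the slide stops before the faulting instruction, so that disassembly line is invented; the Safari one models the CRASH() pattern from the slide with a made-up symbol name; the IE9 one wraps one of the export-relative frames from the "Not exploitable" slide. The rules (a store to 0xbbadbeef means WebKit CRASH(); a huge offset from an exported name means only export symbols were loaded; a zero base register means a null dereference) are heuristics, not a proof of exploitability.

```python
"""First-pass triage of a WinDbg crash record (added example; not a tool from the talk).

Parses what the debugger prints when the fuzzing target faults and applies the
rules an analyst checks before opening the crash by hand. Heuristics only:
"probably not exploitable" means deprioritise, never "safe".
"""
import re

EXC_RE = re.compile(r"^\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\): (?P<name>.+?) - code "
                    r"(?P<code>[0-9a-f]{8}) \((?P<chance>first|second) chance\)", re.M)
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bsi]p)=([0-9a-f]{8})")
SYM_RE = re.compile(r"^(?P<module>\w+)!(?P<symbol>[^\s+]+)\+0x(?P<off>[0-9a-f]+):", re.M)
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<mnem>\w+)\s*(?P<ops>.*?)\s*$", re.M)
BASE_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bsi]p)")

WEBKIT_CRASH_ADDR = "bbadbeef"  # WebKit's CRASH() stores to 0xbbadbeef, then calls address 0
EXPORT_ONLY_OFFSET = 0x10000    # symbol+0x1a083b: only the DLL's exported names resolved
MEM_WRITERS = {"mov", "and", "or", "xor", "add", "sub", "inc", "dec", "movs", "stos", "rep"}


def parse_record(text):
    """Exception code, registers, nearest symbol and faulting instruction."""
    m = EXC_RE.search(text)
    if m is None:
        raise ValueError("no WinDbg exception header found")
    rec = {"code": int(m["code"], 16), "chance": m["chance"],
           "regs": {r: int(v, 16) for r, v in REG_RE.findall(text)},
           "module": None, "symbol": None, "offset": None, "mnem": None, "ops": ""}
    s = SYM_RE.search(text)
    if s:
        rec.update(module=s["module"], symbol=s["symbol"], offset=int(s["off"], 16))
    i = INSN_RE.search(text)
    if i:
        rec.update(mnem=i["mnem"].lower(), ops=i["ops"].lower())
    return rec


def _base_value(operand, regs):
    """Value of the base register inside [...], or None for an absolute address."""
    b = BASE_RE.search(operand)
    return regs.get(b.group(1)) if b else None


def triage(text):
    """Return (verdict, parsed record, notes for the analyst)."""
    rec = parse_record(text)
    regs, ops, notes = rec["regs"], rec["ops"], []
    if rec["chance"] == "first":
        notes.append("first-chance: the target may still handle it; continue (g) and only "
                     "count it as a crash if it comes back second-chance")
    if rec["offset"] is not None and rec["offset"] > EXPORT_ONLY_OFFSET:
        notes.append(f"{rec['module']}!{rec['symbol']}+0x{rec['offset']:x}: an offset this "
                     "large means only exports resolved; load symbols from the vendor server")
    if rec["code"] != 0xC0000005:
        return "not an access violation: inspect the exception code", rec, notes
    if WEBKIT_CRASH_ADDR in ops:
        return "not exploitable: WebKit CRASH()/ASSERT hit on purpose", rec, notes
    eip = regs.get("eip")
    if eip is not None and eip < 0x10000:
        return "execution reached a near-null address: find the corrupted function pointer", rec, notes
    if rec["mnem"] in ("call", "jmp") and ops in regs:
        return "indirect %s through %s=%08x" % (rec["mnem"], ops, regs[ops]), rec, notes
    if rec["mnem"] is None:
        return "needs manual analysis: no disassembly line (run 'u eip' in WinDbg)", rec, notes
    dest = ops.split(",")[0]
    if rec["mnem"] in MEM_WRITERS and ("ptr" in dest or dest.startswith("[")):
        if _base_value(dest, regs) == 0:
            return "null-pointer write: a crash only, unless the offset is attacker-controlled", rec, notes
        return "write access violation at a non-null address: prioritise", rec, notes
    if "ptr" in ops:
        if _base_value(ops, regs) == 0:
            return "null-pointer read: probably not exploitable", rec, notes
        return "read access violation at a non-null address: check where the value flows", rec, notes
    return "needs manual analysis", rec, notes


# Constructed samples. IE6_SLIDE takes its register dump from the ie6 slide; the slide
# stops before the faulting instruction, so that disassembly line is invented. SAFARI_CRASH
# models the CRASH() pattern from the Safari slide with a made-up symbol name;
# IE9_EXPORT_ONLY wraps one of the export-relative frames from the 'Not exploitable' slide.
IE6_SLIDE = """\
(a94.100): Access violation - code c0000005 (first chance)
eax=05193ad4 ebx=00000000 ecx=00000000 edx=00000000 esi=05193ad4 edi=00000000
eip=3d073142 esp=0205d050 ebp=0205d060 iopl=0         nv up ei pl zr na pe nc
mshtml!GetScriptSiteCommandTarget+0x15:
3d073142 8b01            mov     eax,dword ptr [ecx]
"""
SAFARI_CRASH = """\
(5c8.a3c): Access violation - code c0000005 (first chance)
eax=00000001 ebx=0012f9a0 ecx=03a4c2d0 edx=00000000 esi=03a4c2d0 edi=00000000
eip=68a0c2f0 esp=0012f8e0 ebp=0012f8f8 iopl=0         nv up ei pl nz na pe nc
WebKit!WebCore::RenderBlock::layout+0x2a3:
68a0c2f0 8325efbeadbb00  and     dword ptr ds:[0BBADBEEFh],0
"""
IE9_EXPORT_ONLY = """\
(1b4c.1e58): Access violation - code c0000005 (second chance)
eax=00000000 ebx=02c1a3f0 ecx=02c1a3f0 edx=00000004 esi=00000000 edi=02c1a3f0
eip=6ae7083b esp=046fe9c0 ebp=046fe9e8 iopl=0         nv up ei pl nz na po nc
mshtml!DllGetClassObject+0x1a083b:
6ae7083b 8906            mov     dword ptr [esi],eax
"""
```

Run triage() over each record a crash logger saves and sort by verdict: the CRASH() hits and null reads go to the bottom of the pile, write violations at non-null addresses and near-null control transfers go to the top, and anything flagged as export-only symbols gets re-examined after the symbol server has been consulted.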

(37)

Thank you!

Questions? :)

virvdova@gmail.com
