Session ID:

Session Classification: Advanced

HTA-T19

Core Security Technologies

Federico Muttis

BLACKBERRY PWNAGETHE BLUEJAY STRIKES

INFO @ THE MEDIA

▶ http://threatpost.com/en_us/blogs/iphone-blackberry-fall-second-day-pwn2own-031011▶ http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401

INFO @ THE MEDIA

INFO @ THE MEDIA

BLACKBERRY DEVICES WITH KNOWN WORKING EXPLOIT

► Vulnerable devices (shortened list)

▶ Pearl family ▶ Curve family (< 9350) ▶ Storm family

▶ Tour 9630▶ Style 9670▶ Bold 9650/9700/9780 ▶ Torch 9800

CVE-2010-4577ARBITRARY READ

► CSS Font Face Parsing Type Confusion Vulnerability

CVE-2010-4577 – PROOF OF CONCEPT

http://code.google.com/p/chromium/issues/detail?id=63866

IEEE 754 DOUBLE PRECISION FLOATING-POINT

► CSS Font Face Parsing Type Confusion Vulnerability

CVE-2010-4577 – CRASH ANALYSIS

002ed594 80000000 01718618 chrome_68390000!WTF::StringImpl::create(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x2cb)+0x24[c:\b\slave\chrome-official\build\src\third_party\webkit\javascriptcore\wtf\text\stringimpl.cpp @ 99] 80000000 41400000 00000454 chrome_68390000!WTF::String::String(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x41400000)+0x21

► CSS Font Face Parsing Type Confusion Vulnerability

CVE-2010-4577 – EXPLOITATION

Address Size

► CSS Font Face Parsing Type Confusion Vulnerability

CVE-2010-4577 – EXPLOITATION

Address Size

A BLUEJAY APPEARS!

► BlueJay’s early problems

DUMPING THE VIRTUAL ADDRESS SPACE

▶ Poor man’s solution

BLUEJAY AGENT DIAGRAM

Exploit dispatcher

Memory read Pointer Leak Execute code

BlueJay Server & Console

Memory manager

HTML5Spray

HTML5Edit

HTTP PushBlueJay Agent

► BlueJay’s helper – Java BlackBerry App.

DUMPING THE VIRTUAL ADDRESS SPACE

Browser running?

Yes

Reset backlighttimer

Restart browser

No

DUMPING DEMO

► BlackBerry’s WebKit Browser main() routine

DISASSEMBLING AND SEARCHING FOR OLYMPIA

► CVE-2010-4577 – Arbitrary memory read disassembly

DISASSEMBLING AND LOCATING CVE-2010-4577

BLACKBERRY PROCESS INTERNALS

▶ 0x4 write▶ 0x16 allocexecmem▶ 0x28 shmget▶ 0x2b alloc▶ 0x27 loadlibrary▶ 0x29 shmat▶ 0x2c sem_create▶ 0x2d sem_unlink || sem_close

▶ 0x41 sendto?▶ 0x46 mk"fo?▶ 0x4a unlink▶ 0x4c mkdir▶ 0x5f open▶ 0x61 lock related (#ock/lockf?)▶ 0x67 threads related

▶ Some syscalls (work in progress...)

CVE-2011-1290CODE EXECUTION

► Webkit Integer Over#ow near 2011

SEARCHING FOR THE VULNERABILITIES

There is a buffer overflow vulnerability that was released in November 2010 but is still present on the BlackBerry. (…). To exploit the vulnerability I have to set up the heap in a specifc way so I can overflow a specific structure on the heap. This structure is the internal representation for a piece of text on a website. The vulnerability is in the handling of the text nodes, so this is a good target to overflow. (…)

Once I have a stable way to organize the heap and reliably overflow the pointer to the functions, we can start testing. The first test attempts to redirect execution to code that already exists on the BlackBerry. Instead of the JavaScript nodeType call returning the value 3, I redirect it to existing code elsewhere that returns 0. Now I can control the execution flow in the browser.

Willem Pinckaers -

► CVE-2011-1290 – Integer Over#ow => Heap Over#ow

EXPLOITING CVE-2011-1290

Heap Over#ow

Integer Over#ow

► CVE-2011-1290 – Integer Over#ow

DISASSEMBLING AND LOCATING CVE-2011-1290

► CVE-2011-1290 – Integer Over#ow

DISASSEMBLING AND LOCATING CVE-2011-1290

► CVE-2011-1290 – Integer Over#ow => Heap Over#ow

DISASSEMBLING AND LOCATING CVE-2011-1290

► CVE-2011-1290 – Integer Over#ow => Heap Over#ow

DISASSEMBLING AND LOCATING CVE-2011-1290

CHAINING THE EXPLOITS

EXPLOITATION RECIPE

▶ 1. HTML5-Spray the process’s heap with a repeated pattern

EXPLOITATION RECIPE

▶ 1. HTML5-Spray the process’s heap with a repeated pattern

▶ 2. Leak a heap pointer using CVE-2011-0195

Pointer to a valid heap address

EXPLOITATION RECIPE

▶ 1. HTML5-Spray the process’s heap with a repeated pattern

▶ 2. Leak a heap pointer using CVE-2011-0195

▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature

Pointer to HTML5-Sprayed block

Pointer to a valid heap address

ignature signature signature signature signature signature signat

HTML5-Spray block

EXPLOITATION RECIPE

▶ 1. HTML5-Spray the process’s heap with a repeated pattern

▶ 2. Leak a heap pointer using CVE-2011-0195

▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature

sigptr+x sigptr+y shellcode

HTML5-Spray block

▶ 4. HTML5-Spray-Modify to fake a vtable

ignature signature signature signature signature signature signat

Pointer to HTML5-Sprayed block

EXPLOITATION RECIPE

▶ 1. HTML5-Spray the process’s heap with a repeated pattern

▶ 2. Leak a heap pointer using CVE-2011-0195

▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature

sigptr+x sigptr+y shellcode

HTML5-Spray block

▶ 4. HTML5-Spray-Modify to fake a vtable▶ 5. Point the code execution exploit to your block▶ 6. Achieve code execution!

BLUEJAY VS REAL DEVICE

sigptr sigptr shellcode

HTML5-Spray block

BLUEJAY VS SIMULATOR DEMO

SIMULATOR VS DEVICE

▶ WebKit’s StyleElement::process()

▶ http://immunityinc.com/infiltrate/archives/webkit_heap.pdf

Q & A

▶ E-mail: fmuttis@gmail.com / acid@coresecurity.com▶ Twitter: @acid_