pwning the nexus of every pixel
play

Pwning the Nexus of Every Pixel Qidan He Gengming Liu CanSecWest - PowerPoint PPT Presentation

Nov 08, 2023 •484 likes •1.22k views

Pwning the Nexus of Every Pixel Qidan He Gengming Liu CanSecWest 2017 Vancouver #whoami Qidan He Apple/Android/Chrome CVE hunter (dozens of credits got) Speaker at BlackHat USA/ASIA, DEFCON, RECON, CanSecWest, HITCON

  1. Pwning the Nexus ™ of Every Pixel ™ Qidan He Gengming Liu CanSecWest 2017 Vancouver

  2. #whoami • Qidan He • Apple/Android/Chrome CVE hunter (dozens of credits got) • Speaker at BlackHat USA/ASIA, DEFCON, RECON, CanSecWest, HITCON • Pwn2Own 2016/ Mobile Pwn2Own 2016 winner • Gengming Liu • CTF enthusiastic, DEFCON CTF final player • Captain of AAA CTF team • Mobile Pwn2Own 2016 winner • Too busy occupied in Pwn2Own to talk L

  3. About Tencent Keen Security Lab • Previously known as KeenTeam • Won iOS 7 category in Mobile Pwn2Own 2013 • Won Nexus 6p/iOS 10.1 and got “Master of Pwn” in Mobile Pwn2Own 2016

  4. TL;DR: How we pwned newest Nexus6P/Pixel running Nougat • Three bugs forms a complete exploit chain • One V8 bug to compromise the renderer • One IPC bug to escape sandbox • One bug in gapps allows app install • Google response very quickly • V8 and IPC bug fixed in midnight of 10.26 (CVE-2016-5197 and CVE-2016- 5198) • Gapp update pushed in 10.27 (Google VRP credit) • Also affects all apps using webview/chromium

  5. Agenda • Introduction and Exploitation of V8 engine • Introduction and Exploitation of sandbox on Android • How we pwned Nexus/Pixel on Mobile Pwn2Own 2016 with 3 bugs • CVE-2016-5197/5198/GoogleVRP bug

  6. History of classical Chrome exploits • MWR Labs, Pwn2Own 2013 • Type-confusion in webkit • Arbitrary zero write in IPC::OnContentBlocked • Pinkie Pie, Mobile Pwn2Own 2013 • Runtime_TypedArrayInitializeFromArrayLike for renderer code execution • Arbitrary free in ClipboardHostMsg_WriteObjectsAsync • Geohot in Pwnium 4 • Property redefinition lead to OOB read/write in renderer • Spoof IPC Message to vulnerable extension in privileged domain • Lokihart in Pwn2Own 2015 • TOCTOU in GPU process sharedmemory • Juri In Pwn2Own 2015 • UAF in P2PSocketDispatcherHost

  7. V8 Javascript Engine • Widely known and used • Runtime optimization and JIT to machine code • Strongtalk • Crankshaft • Turbofan

  8. Object structure in V8

  9. var a = new ArrayBuffer(0x6161) 0x2036cb90a089: [JSArrayBuffer] - map = 0xebbd6702db1 [FastProperties] - prototype = 0x32cfe5005599 - elements = 0x1b6415782241 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS] - internal fields: 2 - backing_store = 0x5652757bea60 - byte_length = 24929 - properties = { } - internal fields = { 0 0 }

  10. var a = new ArrayBuffer(0x6161) 0x2036cb90a089: [JSArrayBuffer] gdb-peda$ x/30xg 0x00002036cb90a088 - map = 0xebbd6702db1 [FastProperties] 0x2036cb90a088: 0x00000ebbd6702db1 - prototype = 0x32cfe5005599 0x00001b6415782241 - elements = 0x1b6415782241 <FixedArray[0]> 0x2036cb90a098: 0x00001b6415782241 [FAST_HOLEY_SMI_ELEMENTS] 0x0000616100000000 - internal fields: 2 0x2036cb90a0a8: 0x00005652757bea60 - backing_store = 0x5652757bea60 0x0000000000000004 - byte_length = 24929 - properties = { } - internal fields = { 0 0 }

  11. Boxing in V8 • Float&Double encapsulated in V8 heap • HeapNumber object • vmovsd QWORD PTR [rax+0x7],xmm0 • SMI • Tagged pointer

  12. Case study: CVE-2016-1646 • V8 Array.concat redefinition out-of-bounds in Pwn2Own 2016 • Reported by Wen Xu from KeenLab

  13. Case study: CVE-2016-1646

  14. CVE-2016-5197 – Chain of Bugs #1 • Found by KeenLab and used for Mobile Pwn2Own 2016 • Affects all engines based on V8 and applications with Webview

  15. How we exploited CVE-2016-5198

  16. CVE-2016-5198 By KeenLab

  17. CVE-2016-5197

  18. How your JIT sucks • JIT compiles with type-info in mind • Access code generated accordingly • What if object type changed? • Deoptimize and regenerate • But… there will be mistakes • What if JITed access on globals?

  19. function Ctor () { var n; n = new Set (); function Ctor() { } n = new Set(); function Check () { } n.xyz = 0 x826852f4 ; function Check() { n.xyz = 0x826852f4; parseInt ( 'AAAAAAAA' ); } } Ctor(); for ( var i =0; i <2000; ++ i ) { Ctor(); %OptimizeFunctionOnNextCall(Ctor); Ctor (); Ctor(); } Check(); for ( var i =0; i <2000; ++ i ) { Check(); Check (); %OptimizeFunctionOnNextCall(Check); Check(); } Ctor(); Ctor (); Check(); Check (); parseInt('AAAAAAAA') print (" finish ");

  21. OOB in Optimized JIT code

  22. OOB in Optimized JIT code

  23. Optimized code for Ctor

  24. Non-optimized code for func `Check`

  25. Optimized

  26. Optimized

  27. 0x3f938587243 35 48b8c1bf4a339d070000 REX.W movq rax,0x79d334abfc1 ;; object: 0x79d334abfc1 PropertyCell for 0x130199d54631 <a Set with map 0x1ffdd430c391> 0x3f93858724d 45 488b400f REX.W movq rax,[rax+0xf]

  28. Optimized

  29. 0x3f938587251 49 49ba0000805e0a4de041 REX.W movq r10,0x41e04d0a5e800000 0x3f93858725b 59 c4c1f96ec2 vmovq xmm0,r10 0x3f938587260 64 488b4007 REX.W movq rax,[rax+0x7] 0x3f938587264 68 488b400f REX.W movq rax,[rax+0xf] 0x3f938587268 72 c5fb114007 vmovsd [rax+0x7],xmm0

  30. Heap number overwrite

  31. Normally… • Optimized code assumes the object already have property

  32. � � PROP_CELL_MAP 0x2ab4ce002a99 Javascript: n.xyz = 0x41414141 0x41414141 Map value mov rax,QWORD PTR [rax+0xf] PropertyCell n: 0x79d334abfc1 mov rax,QWORD PTR [rax+0xf] Property Map length:1 … 1 Properti element Map tables es s Non-empty FixedArray JSSet: 0x130199d5c511 mov rax,QWORD PTR [rax+0x7] JS_SET_TYPE_MAP

  33. However… • What if the object is changed and it doesn’t have property now?

  34. � � PROP_CELL_MAP 0x2ab4ce002a99 Property Map length:1 Property 1 Map value Non-empty FixedArray PropertyCell n: 0x79d334abfc1 OUT OF BOUNDS HERE! mov rax,QWORD PTR [rax+0xf] mov rax,QWORD PTR [rax+0x7] Properti element Hashco Map tables Map length:0 Map length Chars es s de JSSet: 0x130199d5c511 Empty FixedArray Null string mov rax,QWORD PTR [rax+0xf] JS_SET_TYPE_MAP 0x41414141

  35. Out-of-bound to null string • Overwriting fields of null string • With heapnumber overwrite we can do an indirect write

  36. � � PROP_CELL_MAP 0x2ab4ce002a99 Property Map length:1 Property 1 Map value Non-empty FixedArray PropertyCell n: 0x79d334abfc1 mov rax,QWORD PTR [rax+0xf] Chars interpreted as Pointer mov rax,QWORD PTR [rax+0x7] Properti element Hashco Chars Map tables Map length:0 Map length es s de 0x4141414141.. JSSet: 0x130199d5c511 Empty FixedArray Null string mov rax,QWORD PTR [rax+0xf] vmovsd QWORD PTR [rax+0x7],xmm0 JS_SET_TYPE_MAP 0x41e04d0a5e800000 0x826852f4 Map …type … Map for ONE_BYTE_INTERNALIZED_STRING_TYPE OUT OF BOUNDS HERE! Confused to EXTERNAL_STRING

  37. Exploitation Steps • OOB write chars field of null string to leak ArrayBuffer address • Overwrite ArrayBuffer backing_store to leak Function code address • Overwrite ArrayBuffer backing_store with Function code address • Write shellcode to ArrayBuffer and exec!

  38. Primitives Structure of ONE_BYTE_INTERNALIZED_STRING • Write primitive: pwndbg> job 0x28b4ff7ab259 • HeapNumber write #fuck pwndbg> x/40xg 0x28b4ff7ab258 • *(p + 8) = v 0x28b4ff7ab258: 0x0000090b4b182361 0x000000005887594a • Read primitive 0x28b4ff7ab268: 0x0000000400000000 0xdeadbeed6b637566 • ArrayBuffer length is our friend • But first … leak an ArrayBuffer address • Use #null string to cold start!

  39. #null string as cold start – Run #1 • OOB write null string length • OOB write chars field • m.d = ab (new ArrayBuffer) • new String(null) • charCodeAt for each byte • ArrayBuffer and #null string address leaked! • Got something to write at… • But still, how to turn sequential write into arbitrary address write?

  40. #null string as cold start – Run #2 • Write address of #null itself to its field! • m.d = null_str • Perform HeapNumber overwrite in next optimization run • m.d = unpackIEEE754(ab_len_ptr)

  41. Play with Function – Run #3 • Allocate Function at begining • ab_storage_ptr = ab_len_ptr + 8 • m.b = unpackIEEE754(addr_of_code - 8) • HeapNumber overwrite *ab_storage_ptr = code_loc – 8 • Code_ptr = ab[3]<< 32 + ab[2]

  42. Play with Function - Run ## • m.b = unpackIEEE754(code_ptr) • *ab_storage_ptr = code_ptr • Write shellcode with ab access • Call Function • Game over! J

  43. So renderer code execution got… • Now what?

  44. The anatomy of Chrome sandbox • All untrusted code runs in Target process • Relay most operations to Broker • Try best to • lock down the capabilities of renderer • Even renderer is compromised • Access is still strictly prohibited • GPU process have higher level access • Than normal sandbox process

  46. The new comer: GPU process

  47. Evolution of the Android Sandbox (old time)

  48. Evolution of the Android Sandbox (current state)

  49. Process privileges in Android media Isolated_ Adb shell Untrusted_app app Kernel System_server radio

  50. State-of-art defense of Android sandbox • DAC introduced by nature of Linux • IsolatedProcess introduced in JellyBean • SELinux enforced in KitKat • Further restricted in subsequent release

  51. Chromium Android Sandbox (cont.) • On Android, Chromium leverages the isolatedProcess feature to implement its sandbox.

Recommend

Pixel Presentation What is Pixel Pixel is an education and training institution with a specific

Pixel Presentation What is Pixel Pixel is an education and training institution with a specific

Pixel Presentation What is Pixel Pixel is an education and training institution with a specific expertise in International cooperation and project management Where is Pixel Pixel Quality and Accreditations Pixel has received the following

1.37k views • 67 slides
Pixel Art What is pixel art? Pixel art is a digital art form that is created in raster in its

Pixel Art What is pixel art? Pixel art is a digital art form that is created in raster in its

VA 402 class presentation by Berrin Sun Supervised by Ekmel Ertan Pixel Art What is pixel art? Pixel art is a digital art form that is created in raster in its original size, and that is edited in pixel level. Types isometric non-isometric

590 views • 40 slides
FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT DEVICES LIKE A BOSS) (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18 ABOUT ME ABOUT ME Head of Research @ Econocom Digital

1.73k views • 83 slides
Nexus Maximus IV September 8 11 th , 2017 Goals A signature Nexus Learning experience

Nexus Maximus IV September 8 11 th , 2017 Goals A signature Nexus Learning experience

Nexus Maximus IV September 8 11 th , 2017 Goals A signature Nexus Learning experience Build relationships Learn collaboration tools and skills Break new ground Launch pad for further work Nexus Learning Nexus Maximus

722 views • 16 slides
Water Energy Nexus Energy sector Water sector What is energy-water nexus? Milad

Water Energy Nexus Energy sector Water sector What is energy-water nexus? Milad

6/23/2017 Content Water Energy Nexus Energy sector Water sector What is energy-water nexus? Milad Pooladsanj Why is nexus important? S upervisors: Amin Nobakhti Nexus in Iran Mahdi S harifzadeh Quantifying the

694 views • 9 slides
Development of the CMS Phase-1 Pixel Online Monitoring System and the Evolution of Pixel Leakage

Development of the CMS Phase-1 Pixel Online Monitoring System and the Evolution of Pixel Leakage

Development of the CMS Phase-1 Pixel Online Monitoring System and the Evolution of Pixel Leakage Current Fengwangdong Zhang On behalf of CMS Pixel Collaboration The 9th International Workshop on Semiconductor Pixel Detectors for Particles and

564 views • 39 slides
The NEXus Collaborative and PhD/DNP Education Presenters : Paula McNeil, RN, MS NEXus Project

The NEXus Collaborative and PhD/DNP Education Presenters : Paula McNeil, RN, MS NEXus Project

2/25/2014 The NEXus Collaborative and PhD/DNP Education Presenters : Paula McNeil, RN, MS NEXus Project Director and Executive Director, WIN Kathy Magilvy, PhD, RN, FAAN Consultant Immediate Past Chair, NEXus Executive Board Anna Galas, MS

490 views • 13 slides
NEXUS Medical Devices USC I nitial Market Projections Definition of Medical Devices NEXUS

NEXUS Medical Devices USC I nitial Market Projections Definition of Medical Devices NEXUS

NEXUS NEXUS Medical Devices USC I nitial Market Projections Definition of Medical Devices NEXUS Diagnosis, prevention, monitoring, treatment or alleviation of a disease, an injury or a handicap. Investigation, replacement or

636 views • 22 slides
PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All

PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All

PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win CTFs and to build secure systems. Do not hack your

957 views • 50 slides
The pixel hybrid photon detectors The pixel hybrid photon detectors f or the LHCb LHCb- RI CH

The pixel hybrid photon detectors The pixel hybrid photon detectors f or the LHCb LHCb- RI CH

Pixel 2000 Pixel 2000 I nt ernat ional Workshop on Semiconduct or Pixel Det ect ors f or Part icles and X-Rays J une 5-8, 2000 Port o Ant ico, Genova, I t aly The pixel hybrid photon detectors The pixel hybrid photon detectors f or the LHCb

503 views • 17 slides
PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov,

PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov,

PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov, Dennis Felsch, Jrg Schwenk About @jensvoid Passionate bounty hunter Interests: IoT, web security Likes mixing old tech and new tech

822 views • 34 slides
DEPFET Pixel: A Pixel Device with Integrated Amplification Johannes Ulrici Bonn University

DEPFET Pixel: A Pixel Device with Integrated Amplification Johannes Ulrici Bonn University

Pixel 2000 Conference Genova, 4.6.-8.6. 2000 DEPFET Pixel: A Pixel Device with Integrated Amplification Johannes Ulrici Bonn University FAUST Semiconductor Lab Outline The DEPFET-Principle Measurements on DEPFET Single Pixel Devices

264 views • 22 slides
PIXEL DETECTOR for X-RAY experiments PIXEL DETECTOR for X-Rays Experiments Jean-Claude CLEMENS

PIXEL DETECTOR for X-RAY experiments PIXEL DETECTOR for X-Rays Experiments Jean-Claude CLEMENS

PIXEL DETECTOR for X-RAY experiments PIXEL DETECTOR for X-Rays Experiments Jean-Claude CLEMENS Centre de Physique des Particules de Marseille JC Clemens, CNRS/IN2P3/CPPM, FRANCE Pixel 2000, Genova, June 2000 PIXEL DETECTOR for

367 views • 15 slides
Sales Tax Affiliate Nexus Stemming From Sales Tax Affiliate Nexus Stemming From Online Business

Sales Tax Affiliate Nexus Stemming From Sales Tax Affiliate Nexus Stemming From Online Business

Presenting a live 110 minute webinar with interactive Q&amp;A Sales Tax Affiliate Nexus Stemming From Sales Tax Affiliate Nexus Stemming From Online Business Presence Meeting the Challenges of Tough State Laws and Court Rulings THURSDAY,

921 views • 79 slides
Pay Attention to the Pixel, Understand the Scene Better Shu Kong CS, ICS, UCI Background: Scene

Pay Attention to the Pixel, Understand the Scene Better Shu Kong CS, ICS, UCI Background: Scene

Pay Attention to the Pixel, Understand the Scene Better Shu Kong CS, ICS, UCI Background: Scene Parsing pixel level labeling semantic segmentation -- assigning a class label to each pixel wall painting pillow sofa cabinet

1.14k views • 80 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

669 views • 27 slides
Ohio Tax Advanced: Nexus Wars!!! Emerging Issues in State Tax Nexus The Most Rapidly

Ohio Tax Advanced: Nexus Wars!!! Emerging Issues in State Tax Nexus The Most Rapidly

26th Annual Tuesday &amp; Wednesday, January 2425, 2017 Hya Regency Columbus, Columbus, Ohio Workshop DD Ohio Tax Advanced: Nexus Wars!!! Emerging Issues in State Tax Nexus The Most Rapidly Changing Area of Taxation Wednesday,

921 views • 71 slides
SOCIAL SCIENCE RESEARCH RELEVANT TO THE HOUSING-SCHOOL NEXUS 1 02/11/2016 Mutually

SOCIAL SCIENCE RESEARCH RELEVANT TO THE HOUSING-SCHOOL NEXUS 1 02/11/2016 Mutually

02/11/2016 The Nature of the Housing-School Nexus 1. The Impact of School Desegregation and Housing 2. Integration Policies on the Nexus The Connection Between the Perception of Place and 3. Implicit Biases Literature to Research on

91 views • 5 slides
Sales Tax Affiliate Nexus: Latest Developments Sales Tax Affiliate Nexus: Latest Developments

Sales Tax Affiliate Nexus: Latest Developments Sales Tax Affiliate Nexus: Latest Developments

Presenting a live 110 minute teleconference with interactive Q&amp;A Sales Tax Affiliate Nexus: Latest Developments Sales Tax Affiliate Nexus: Latest Developments Adjusting Multi State Compliance Under New State Laws for Online Business

539 views • 39 slides
Pixels Pixels Row and column indicates a PIXEL not a POINT. A pixel can theoretically contain

Pixels Pixels Row and column indicates a PIXEL not a POINT. A pixel can theoretically contain

Pixels Pixels Row and column indicates a PIXEL not a POINT. A pixel can theoretically contain infinitely many points Drawing lines with pixels: fill pixels along the trajectory of a line from point p1 to p2 Aliasing Antialiasing

498 views • 15 slides
KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune

KERNELFAULT: Pwning Linux using Hardware Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 22, 2017 Who are we? Niek Timmers (@tieknimmers) Security Analyst @

1.08k views • 70 slides
Stormwater-Wastewater Nexus: Compliance Planning to Avoid Enforcement EPA Region 6 Stormwater

Stormwater-Wastewater Nexus: Compliance Planning to Avoid Enforcement EPA Region 6 Stormwater

Stormwater-Wastewater Nexus: Compliance Planning to Avoid Enforcement EPA Region 6 Stormwater Conference October 4, 2016 Presented by: Stefanie Albright and Nathan Vassar What is the Wastewater- Stormwater Nexus? Nexus and Goals -Compliance

616 views • 14 slides
Nexus Vehicle Rental How Nexus Can Help APSE Members 1 st March 2018 The Widest Range of Vehicles

Nexus Vehicle Rental How Nexus Can Help APSE Members 1 st March 2018 The Widest Range of Vehicles

Nexus Vehicle Rental How Nexus Can Help APSE Members 1 st March 2018 The Widest Range of Vehicles We have access to over 550,000 rental vehicles throughout the UK including: Cars standard, prestige and minibus LCVs small vans,

561 views • 11 slides
Errors in Pixel Offset Analysis

Errors in Pixel Offset Analysis

Errors in Pixel Offset Analysis Satoshi Okuyama (AIST) 1/20 Pixel Offset Analysis Pixel Offset Analysis (Offset Tracking, Image Matching, etc.) Coregistrate two

392 views • 20 slides

More recommend