WebKit memory corruption exploit bloopers-vulnerability warning-the black bar safety net

ID MYHACK58:62201454578
Type myhack58
Reporter 佚名
Modified 2014-10-13T00:00:00


WebKit is currently the most widely used Web rendering engine, whether it is a mainstream browser, Safari, Chrome, etc., the system built-in apps Mail, Dashboard, etc., the mobile end of the various third-party applications, paid, chat, social applications, etc. basically all with the WebKit shadow. Over the years the WebKit vulnerabilities are also emerging, to influence the mobile application security mostly. These vulnerabilities includes a UXSS, information leakage, denial of service, remote code execution etc.

These vulnerabilities, a remote code execution vulnerability against the most. A remote code execution vulnerability can be divided into logical classes and memory destruction of the two categories. The logical class of vulnerabilities on the PC side has virtually disappeared. The Android platform will occasionally arise, but also fill a little one, almost extinct. And memory corruption class of Vulnerability in conjunction with different use of methods, Vulnerability-Based Exploitation, usually can pass to kill all WebKit applications, cross-platform stable use, is a veritable“nuclear weapons”.

In recent years, Google and Apple working closely censored WebKit memory corruption vulnerabilities and a use of the method, so that the WebKit vulnerability discovery and the exploit becomes more and more difficult. Now based on the WebKit memory corruption exploits of the disclosure analysis is less about Pinkie Pie of the Exploiting 6 4-bit Linuxlike a boss and Nils of the Pwn2Own 2 0 1 3 Chrome Exploit of the kind in the past three years and only references. In addition some of on the JS engine, V8, JSC)vulnerabilities, for example, about Pinkie Pie of the Mobile Pwn2Own 2 0 1 3 Chrome exploit, and Ian Beer of the Pwn4Fun 2 0 1 4 Safari Exploit of versatility are slightly worse.

The vulnerability of the mitigation measures, the Arena design is similar to the Microsoft IE isolate the heap, the current Branch of the WebKit version will all of RenderObject into RenderArena, its own maintenance of the FreeList single list pointer is XOR after XOR protection measures employed prior to the use of the method can refer to Georg Wicherski of the Slide of The Exploiting A Coalmine on, almost killed all the RenderObject UAF exploit, and the RenderObject of the UAF accounted for all WebKit UAF 8 5% or more.

In addition, the current WebKit JAVASCRIPT engine V8 and JSC has been unable to explicitly trigger a GC, which makes the exploits of the key aspects-the stack layout becomes difficult. Ian Beer made by JSC in the use of JSStringJoiner to solve the specific conditions of the burrows+the fill hole issue, but in many cases still can not meet the stability Exploit the demand.

ASLR and DEP, has become a modernoperating systemthe“standard”, but a different system of ASLR/DEP strength is also different, for example, iOS dyld_cache mechanisms, all modules share a base address, so that the leakage of a module's base address can be leaked to all the module's base address. And Mac OSX, each module has two base addresses, respectively. DATA and. TEXT base address of that vtable in the. DATA segment, this also means that the leak vtable address is not able to fully bypass ASLR implementation of the ROP because the ROP Gadget in the. The TEXT segment.

Native 6 4-bit apps is also a big trend, Mac OSX in Safari is already a native 6 4-bit, iPhone 5s+, iPad Air+, etc. the device also uses a 6 4-bit iOS system. 6 4-bit address space so that the Heap Spray technology the Hit rate becomes very low, in use process, had to try to avoid the Heap Spray in order to achieve high stability. And this is also to exploit technology presented a great challenge.

WebKit memory corruption exploits have entered the Vulnerability-Based Exploitation era. In other words, for a particular vulnerability on different platforms and even different versions of WebKit, the need to be specific to the use of technology to achieve stable use. And these techniques are also for the vulnerability itself, tailored from a particular vulnerability, a particular use of technology is also meaningless. But the master found that these particular the use of art methods is very meaningful.

I on 1 0 On 1 7 August, BlackHat EU issues in the WEBKIT EVERYWHERE: SECURE OR NOT? on (https://www.blackhat.com/eu-14/briefings.html#webkit-everywhere-secure-or-not in through Vulnerability-Based Exploitation methods based on vulnerabilities related to the use of the method of analysis of a@rock509 find suspected cross-border 1-bit read vulnerability, to achieve cross-border restrictive 1-bit write, and then converted into a finite length of any read and write, and ultimately to achieve arbitrary address read and write. During the use of JS-Controlled Free method to achieve a precise stack layout; the use of WebKit in a native 6 4-bit system, the JIT memory random features of weakness, in not using the Heap Spray and ROP conditions to achieve the Mac OSX Mavericks native 6 4-bit Safari in a stable use. This is also the Pwn2Own 2 0 1 4 we break the Mac OSX used the WebKit vulnerability and the use portion.