Hacking Team Android browser attack: vulnerability analysis, Stage 2 - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201568384
Type myhack58
Reporter MarcusAurelius
Modified 2015-10-28T00:00:00


1. Vulnerability introduction

This year the Hacking Team leak exposed exploit code that attacks the Android browser on Android 4.0.x to 4.3.x. The exploit chains several browser and kernel vulnerabilities: from JavaScript it writes data into virtual memory, achieves code execution, escalates to root privileges, and finally implants a malicious program on the target phone. The attack is divided into five stages. In my previous two articles (one, two) I analysed Stage0 and Stage1; this article mainly analyses the work done by Stage2.

At the end of the previous article, the attacker first combined the Stage0 and Stage1 vulnerabilities into an address leak and obtained the base address of a 4M array allocated from JavaScript (hereafter called the page block). Next, the Stage1 vulnerability yielded a controllable write pointer capable of 4-byte writes anywhere in the address space. Finally, the generate-id operation provided by XSL returns the id of an xml element, from which the approximate address range of the xml element object can be worked back to within about 60 bytes. Using the full-address-range write pointer obtained earlier, the attacker can therefore completely control the xml element object corresponding to the id value that generate-id returns.

This article analyses the Stage2 process. Mainly through the pointer information in the fields of the controllable xml element obtained at the end of Stage1, Stage2 leaks and locates the start address of the webkit dynamic link library, and prepares for Stage3, which will use ROP to disable the non-executable memory protection.

2. Exploitation details

0. Overview of the Stage2 process

(1) Leak the load address of the webkit dynamic link library. Stage2 reads the pointer value in the name field of a node of type XML_TEXT_NODE and, after a series of operations, achieves the goal of leaking the load address of the webkit dynamic link library. The operation works because the name field pointer normally points to a string constant inside the webkit module: once the attacker has the address of that constant, scanning backwards page by page and checking the top of each page for the "ELF" string reveals where webkit is loaded. Leaking the webkit dynamic link library address in this way bypasses address randomization.

(2) Obtain read/write access to the entire memory space. The attacker packages the vulnerability used in Stage1 into an xsltobj object; through xsltobj objects memory can be read, written and deleted, where the delete operation works in units of xmlNode objects.

(3) Optimise read/write access to the entire memory space. Because every memory read or write through an xsltobj object requires the xsl file to be reloaded, the attacker uses the xsltobj object produced by the Stage1 vulnerability in this stage to perform the necessary reads and writes and create a DataView object, which gives a more convenient full-memory read/write. In this stage the attacker needs to allocate a controllable ArrayBuffer inside the controllable 4M page block and modify the ArrayBuffer's management structure. The modified ArrayBuffer is then wrapped in a DataView object, so that the richer set of DataView methods can be used for more convenient memory read and write operations.

Creating a DataView object via xsltobj: through the xsltobj object the attacker frees a contiguous region of memory in the page block, then fills memory with a large number of ArrayBuffer objects and checks in the page block whether the just-freed memory now contains an ArrayBuffer management structure. If it does, the attacker modifies that management structure through the page block, setting its start address to 0x0 and its length to 0xffffffff, and then creates a DataView object from the ArrayBuffer. The DataView copies the ArrayBuffer's start address and length directly into itself, so the attacker obtains a DataView object able to read and write all of memory.

(4) Obtain a controlled TextNode object; by modifying a function pointer in the TextNode object, control flow is hijacked. The attacker can also use TextNode's indexOf function to locate a specific instruction in the dynamic link library.

1. Leaking the webkit address

When an xmlNode node is of type XML_TEXT_NODE, its name field points to the address of the string "text", as the following figure shows.

Figure 1: the name field of an XML_TEXT_NODE node and where it points

Since this string is a static constant in webkit, it is stored inside the webkit dynamic link library, so the name field pointer of such an xmlNode points to a fixed position within webkit. Starting from the address of the "text" string, the attacker scans backwards page by page, checking the top of each page for the "ELF" string, and thereby determines webkit's load address.

2. Packaging an xsltobj object that can write arbitrary memory

On the same principle as the Stage1 vulnerability, the attacker can create an xsltobj object. Through this object arbitrary memory addresses can be read and written, and a target address region can be deleted by treating it as an (illegal) xmlNode object. Compared with Stage1, memory can now be both written and deleted, and xsltobj packages the read, write and delete operations, achieving better code reuse. Below we briefly describe how the xsltobj object is created.

(1) Fill the page block with data in order to modify the fields of the xml element obtained in Stage1.

Figure 2: the information filled into memory

Figure 2 shows the information filled into memory; using the Stage1 vulnerability, this filled-in information can modify any field of the nsuri node used in Stage1.

(2) By modifying the nsuri node's data, the information in every field of the nsuri node is completely controlled, so the nsuri node can be used to read, write and delete memory addresses.

Figure 3: graphical display of the information filled into memory

As Figure 3 shows, the program goes through four DTD types and modifies the type, children and name fields of the nsuri node, so that these three fields become completely controllable.
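As an added illustration (not code from the exploit or from this article), the C program below simulates the ELF scan described in section 1 on a constructed in-memory image: a page-aligned buffer stands in for a loaded library, with the ELF magic on its first page and a "text" string several pages in, and find_elf_base walks back page by page from the string pointer until a page begins with the magic, which is why one leaked pointer into a module is enough to undo address randomization. The image layout, the 4096-byte page size, the offsets and the function names are assumptions; the scan is bounded by the mapping start so it fails safely when no header exists.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define IMAGE_PAGES 8u
#define TEXT_OFFSET (5u * PAGE_SIZE + 0x3c0u) /* constructed location of "text" */
/* Constructed stand-in for a loaded shared object: a page-aligned buffer with
 * the ELF magic on its first page and the "text" string constant (what an
 * XML_TEXT_NODE name field points at) on its sixth page. */
static unsigned char *build_fake_image(int with_magic) {
    unsigned char *img = aligned_alloc(PAGE_SIZE, IMAGE_PAGES * PAGE_SIZE);
    memset(img, 0, IMAGE_PAGES * PAGE_SIZE);
    if (with_magic)
        memcpy(img, "\x7f" "ELF", 4);
    memcpy(img + TEXT_OFFSET, "text", 5);
    return img;
}

/* Walk backwards page by page from a pointer inside the module until a page
 * begins with the ELF magic. `limit` is the lowest address the walk may read
 * (the mapping start here), so the scan never touches memory outside the image. */
static const unsigned char *find_elf_base(const unsigned char *leaked_ptr,
                                          const unsigned char *limit) {
    uintptr_t page = (uintptr_t)leaked_ptr & ~(uintptr_t)(PAGE_SIZE - 1);
    while (page >= (uintptr_t)limit) {
        const unsigned char *p = (const unsigned char *)page;
        if (memcmp(p, "\x7f" "ELF", 4) == 0)
            return p;
        if (page < PAGE_SIZE)
            break; /* would wrap below address 0 */
        page -= PAGE_SIZE;
    }
    return NULL;
}

/* Pages between the leaked "text" pointer and the recovered base, or -1 when
 * no header exists (a bounded scan must fail rather than read further). */
long pages_from_leak_to_base(int with_magic) {
    unsigned char *img = build_fake_image(with_magic);
    const unsigned char *leaked = img + TEXT_OFFSET;
    const unsigned char *base = find_elf_base(leaked, img);
    long pages = base ? (long)((leaked - base) / PAGE_SIZE) : -1;
    free(img);
    return pages;
}

int main(void) {
    printf("leaked pointer is %ld pages past the ELF base\n", pages_from_leak_to_base(1));
    return 0;
}
```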
