MYHACK58:62201787022
History: Jun 14, 2017 - 12:00 a.m.

The butterfly effect and program errors: exploiting a "slag" hole (Vulnerability warning, Black Bar Safety Net)

2017-06-14 00:00:00
Anonymous (佚名)
www.myhack58.com
CVSS3: 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.235 Low (Percentile 96.1%)

  1. Description
    A butterfly in the Amazon rainforest of South America occasionally flaps its wings; might that cause a tornado in Texas? I cannot say, but I am certain that any minor error in a program, once amplified, can have disastrous consequences for that program. At the PwnFest contest held in Seoul, South Korea in November, we used a logic error in V8 (CVE-2016-9651) to achieve remote arbitrary code execution in Chrome. The logic error is tiny, what one might call a poor-quality "slag" hole compared with other vulnerabilities, but by combining it with a few clever tricks we ultimately built a stable exploit. The lesson this vulnerability taught me: "never give up on a vulnerability too easily, and never be quick to declare a vulnerability unexploitable."
    This article is organized as follows: Section 2 describes the "invisible" private properties of objects in the V8 engine; Section 3 leads us to the subtle logic error we exploit; Section 4 describes how to turn that logic error into an out-of-bounds read; Section 5 presents the idea of converting the out-of-bounds read into an out-of-bounds write, the most ingenious link in the whole exploitation chain; Section 6 is the hardest step, detailing how to perform full memory-space Feng Shui and turn the out-of-bounds write into arbitrary memory read and write; Section 7 describes going from arbitrary memory read and write to arbitrary code execution.

  2. Invisible private properties
    In JavaScript an object is an associative array, which can also be seen as a collection of key-value pairs; these pairs are called the object's properties. A property key can be a string or a symbol, as shown below:
    ![](/Article/UploadPic/2017-6/2017614184944156.png?www.myhack58.com)
    Code fragment 1: object properties
    The code fragment above first defines an object normalObject and then adds two properties to it. Properties that user JavaScript can read and modify in this way I call public properties. Two methods provided by the JavaScript Object object return all of an object's public property keys; the following JavaScript statement yields all public property keys of the normalObject defined in code fragment 1.
    ![](/Article/UploadPic/2017-6/2017614184944448.png?www.myhack58.com)
    Execution result: the value of ownPublicKeys is ["string", Symbol(d)]
    In the V8 engine, besides public properties, some special JavaScript objects also carry special properties that only the engine can access and that are invisible to user JavaScript; I call these private properties. V8 distinguishes two kinds of symbols, public symbols and private symbols: public symbols can be created and used by user JavaScript, while private symbols can only be created by the engine and are for internal engine use. Private properties generally use a private symbol as their key, and because user JavaScript cannot obtain a private symbol, it cannot use one as a key to access a private property. Since private properties are hidden, how can we observe them? d8 is the shell program of the V8 engine; calling the runtime function DebugPrint from d8 shows all of an object's properties. For example, we can view all properties of the normalObject defined in code fragment 1 as follows:
    ![](/Article/UploadPic/2017-6/2017614184944952.png?www.myhack58.com)
    The d8 output shows that normalObject has only two public properties and no private properties. Now let us look at the properties of a special object, an Error object.
    ![](/Article/UploadPic/2017-6/2017614184944434.png?www.myhack58.com)
    Comparing specialObject's public properties with all of its properties, we find that the full list contains one property more than the public list, a property whose key is stack_trace_symbol; this is a private property of specialObject. The next section describes a logic error in the V8 engine involving private properties.

  3. A tiny logic error
    Before introducing the logic error, we first need to understand the Object.assign method. According to ECMAScript-262 [1]:
    The assign function is used to copy the values of all of the enumerable own properties from one or more source objects to a target object
    So the question arises: private properties are V8-internal, and other JavaScript engines may not have private properties at all, so whether private properties should be enumerable, and whether they should be copied during assignment, is simply not specified by ECMAScript. I guess the V8 developers did not consider this question very carefully when implementing Object.assign. Private properties are for the engine's internal use; an object's private properties should not be assigned to another object, otherwise their values can be changed by user JavaScript. V8 is a high-performance JavaScript engine, and in pursuit of performance many functions are implemented with two paths, a fast path and a slow path: when certain conditions are met, V8 takes the fast path to improve performance. There are many precedents for vulnerabilities caused by the fast path, for example CVE-2015-6764 [2] and CVE-2016-1646, both of which were problems in fast-path code. Likewise, V8 implemented a fast path for Object.assign, as shown in the following code [3]:
    ![](/Article/UploadPic/2017-6/2017614184945980.png?www.myhack58.com)
    Code fragment 2: the logic error
    The fast-path implementation of Object.assign first checks whether the current assignment meets the conditions for the fast path; if not, it simply returns failure and the slow path is taken. If the conditions are met, it simply assigns all of the source object's properties to the target object, without filtering out properties whose key is a private symbol and which are enumerable. If the target object also has the same private property, that private property is reassigned. This is the logic error this article discusses. Google's fix for this error is quite simple [4]: whenever a property is added to an object, if it is a private property, it is added as a non-enumerable property. Now that the butterfly has been found, how can its wing flapping achieve remote arbitrary code execution? We start with the first flap: converting the logic error into an out-of-bounds read.
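    As an added illustration (not code from the article, whose fragments are images), the following JavaScript rebuilds code fragment 1's public-key enumeration from Section 2 and models the Object.assign rule behind the bug and Google's fix from Section 3. It assumes the two methods the text refers to are Object.getOwnPropertyNames and Object.getOwnPropertySymbols, and since user JavaScript cannot create real V8 private symbols, an ordinary symbol whose enumerability we control stands in for an engine-internal key.

```javascript
// Added example, not from the article: models V8 public vs. private
// properties and the ECMA-262 Object.assign rule that the fast path in
// CVE-2016-9651 skipped. An ordinary symbol stands in for an engine-internal
// private symbol (a simulation: real private symbols cannot be created or
// enumerated from user JavaScript).

// Rebuild of code fragment 1: one string-keyed and one symbol-keyed property.
function makeNormalObject() {
  const normalObject = {};
  normalObject.string = 1;
  normalObject[Symbol('d')] = 2;
  return normalObject;
}

// All own public keys, string and symbol, as the article's ownPublicKeys
// lookup does (assumed to be getOwnPropertyNames + getOwnPropertySymbols).
function ownPublicKeys(obj) {
  return [...Object.getOwnPropertyNames(obj), ...Object.getOwnPropertySymbols(obj)];
}

// Stand-in for an engine-internal key such as Error's stack_trace_symbol.
const fakePrivateSymbol = Symbol('stack_trace_symbol');

// enumerable === true models the buggy state (private property enumerable);
// enumerable === false models the fix, which adds private properties as
// non-enumerable so a spec-conforming Object.assign skips them.
function makeSpecialObject(enumerable) {
  const specialObject = { publicValue: 'x' };
  Object.defineProperty(specialObject, fakePrivateSymbol, {
    value: 'engine-owned', writable: true, enumerable, configurable: true,
  });
  return specialObject;
}

// Object.assign copies only enumerable own properties (string and symbol
// keys alike). Returns true when the "private" value reaches the target,
// i.e. when user code could overwrite engine state through assignment.
function assignLeaksPrivate(enumerable) {
  const target = { [fakePrivateSymbol]: 'original' };
  Object.assign(target, makeSpecialObject(enumerable));
  return target[fakePrivateSymbol] === 'engine-owned';
}
```

    Unlike a real private symbol, the stand-in is still visible to getOwnPropertySymbols; only its enumerability, which is what the fix changed, is being modelled.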

  4. From the logic error to an out-of-bounds read
    We now have the ability to reassign an object's enumerable private properties. To make use of it, I went through all of the private symbols in V8 [5] and tried reassigning the private properties keyed by each of them, hoping to disrupt the engine's internal execution flow. Disappointingly, this did not yield much, but two private symbols caught my attention: class_start_position_symbol and class_end_position_symbol. From their prefixes we guessed that these two private symbols might be related to JavaScript classes. So we defined a class to observe all of its properties.
