Transcript of 44CON-slides.pdf
8/11/2019 44CON-slides.pdf
1/51
Browser Bug Hunting: Memoirs of a last man standing
Atte Kettunen (@attekett), OUSPG
https://code.google.com/p/ouspg/
2/51
Picture by @dominic_sim
3/51
Started at OUSPG in summer 2011
First security bug from Chrome 2011-12
Since then
~100 Vulns
~60 Rewards
39 CVEs
Atte Kettunen
4/51
Mozilla since 2004
- Sec-High/Critical $3,000
Google since 2010
- Typical security bugs $1,000-$3,133.7
- Possibility for bonus rewards PoC, exploit, awesomeness
(Microsoft 2013 June 25 - July 25)
Browser Bug Bounty Programs
5/51
Easy to get started - Lots of bugs \o/
Helpful vendor security teams and supportive responses to first bug submissions
Supportive (secretive/competitive) community of other bounty hunters
Browser Bug Bounty Programs
6/51
Use-after-free: DOM, CSS, Rendering
Buffer-overflow: Media formats, Parsers, Decoders, Coordinates
Where the bugs are
7/51
AddressSanitizer - global-buffer-overflow - READ of size 2
#0 nsCharTraits::length()
#1 nsAString_internal::Assign()
...
Repro-file:
Some bug - CVE-2012-4185 - Firefox
8/51
9/51
10/51
Three golden rules:
1. Stay green - Features
2. Stay green - Competition
3. Stay green - Tools
Hunting for living
15/51
1. Stay green - Features
New features are published all the time -> New code \o/
Some changes are not highlighted: minor updates to JavaScript API support etc.
Old bugs fixed -> New code \o/
Old features can change: prefixes disappear (-webkit, -moz), features can get disabled
Hunting for living
16/51
1. Stay Green - Features
Firefox Aurora - Release note: "Partial support for Web Audio, targeted at web developers for testing" (May 17, 2013)
Hunting for living
17/51
2. Stay green - Competition
Tools: Different approach -> Different bugs?
Targets: Find new minefields
Platforms: Different code on different platforms
Hunting for living
18/51
2. Stay green - Competition
@cevans: "@j00ru has melted polar ice with his PDF fuzzing on 9k cores."
Hunting for living
19/51
3. Stay green - Tools
Instrumentations: New instrumentation -> detect new issues
Build environments: Broken builds @#!#...
Fuzzers: New techniques
Hunting for living
20/51
3. Stay green - Tools
WTF??? On Chromium startup:
==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428
READ of size 10 at 0x000011d3dde5 thread T0
#0 0x5ab219 in __interceptor_memcmp _asan_rtl_
#1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654
#2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294
...
Diff of /trunk/tools/build/scripts/slave/runtest.py:
+ # Avoid aggressive memcmp checks until http://crbug.com/178677 is fixed.
+ os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0'
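Review bot: the assignment `os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0'` replaces any ASAN_OPTIONS the caller already exported, so every other sanitizer option set outside this script is silently dropped for the test run; append to the existing value instead, e.g. `os.environ['ASAN_OPTIONS'] = os.environ.get('ASAN_OPTIONS', '') + ':strict_memcmp=0'` (ASan reads the variable as a colon-separated list). The comment ties the workaround to http://crbug.com/178677, but `strict_memcmp=0` relaxes the memcmp interceptor for every test this script launches, not only the sqlite `fillInUnixFile` path, so over-reads that the strict check would otherwise report stay hidden for the whole suite until the line is removed; scoping it to the affected target, or at least noting who removes it once the bug is fixed, would make the suppression easier to retire.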
Hunting for living
21/51
Instrumentation
Fuzzers
Hardware/Infrastructure
Tools
22/51
Clang compiler plugin
Adds instrumentation to check memory access at runtime
Similar to Valgrind
Only 2x slowdown
Created at Google; used by Google & Mozilla
Linux & OS X
http://www.chromium.org/developers/testing/addresssanitizer
AddressSanitizer
23/51
Awesome with use-after-frees
Very good for buffer-overflows and out of bounds access
Good but confused with type confusions
AddressSanitizer
24/51
==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
#0 0x7f845771029e (... /asan-linux-release-209136/chrome+0x96f229e)
#1 0x7f84576aacea (... /asan-linux-release-209136/chrome+0x968ccea)
#2 0x7f8451ce00f3 (... /asan-linux-release-209136/chrome+0x3cc20f3)
...
0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
#0 0x7f844f58e101 (... /asan-linux-release-209136/chrome+0x1570101)
#1 0x7f845887b5ec (... /asan-linux-release-209136/chrome+0xa85d5ec)
...
AddressSanitizer
25/51
==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
#0 0x7f845771029e in WebCore::WaveShaperDSPKernel::lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138
#1 0x7.a in WebCore::WaveShaperProcessor::setOversample(...) .../WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70
...
0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
#0 0x7.1 in operator delete(void*) _asan_rtl_
#1 0x7.c in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47
...
AddressSanitizer
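Reading one of these reports by hand is fine for a single crash, but a fuzzing run hits the same use-after-free at different addresses hundreds of times (the "dupes & dupes & dupes" problem later in the deck). The Node.js script below is an added example, not code from the slides, from NodeFuzz or from ClusterFuzz: it parses the parts of an ASan report shown above (bug type, access, region, access and free stacks) and derives a de-duplication key from the bug type plus the top symbolised frames outside the sanitizer runtime. The sample reports are constructed: the first follows the symbolised report above, the second is the same bug from a made-up second run with different addresses, the third follows the sqlite memcmp report from slide 20.

```javascript
'use strict';
// Added example (not from the slides, not ClusterFuzz or NodeFuzz code):
// parse an AddressSanitizer report and derive a de-duplication key.

const HEADER_RE = /ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)/;
const ACCESS_RE = /^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)/;
const REGION_RE = /is located (\d+) bytes (inside of|to the right of|to the left of) (\d+)-byte region/;
const FRAME_RE = /^#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(.*)|\(.*\))$/;
const FREED_RE = /^freed by thread (T\d+)/;
const ALLOC_RE = /^previously allocated by thread (T\d+)/;
// Frames that belong to the sanitizer runtime or the allocator, not to the bug.
const RUNTIME_FRAME_RE = /^(__interceptor_|__asan|_asan|operator (new|delete)|malloc$|free$|realloc$|calloc$)/;

// Function name from the text after "in ": drop the trailing source
// location / module token and the parameter list. (Heavily templated
// names containing spaces would need a demangler-aware split.)
function frameName(rest) {
  const tokens = rest.trim().split(/\s+/);
  if (tokens.length > 1) {
    const last = tokens[tokens.length - 1];
    if (/[:/]/.test(last) || last.startsWith('_asan')) tokens.pop();
  }
  return tokens.join(' ').replace(/\(.*\)$/, '');
}

function parseAsanReport(text) {
  const report = { type: null, address: null, access: null, size: null, thread: null,
                   offset: null, regionSize: null, freedBy: null, allocatedBy: null,
                   stacks: { access: [], free: [], alloc: [] } };
  let section = null; // which stack the following "#N" frames belong to
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = HEADER_RE.exec(line))) { report.type = m[1]; report.address = m[2]; }
    else if ((m = ACCESS_RE.exec(line))) {
      report.access = m[1]; report.size = Number(m[2]); report.thread = m[4]; section = 'access';
    }
    else if ((m = REGION_RE.exec(line))) { report.offset = Number(m[1]); report.regionSize = Number(m[3]); }
    else if ((m = FREED_RE.exec(line))) { report.freedBy = m[1]; section = 'free'; }
    else if ((m = ALLOC_RE.exec(line))) { report.allocatedBy = m[1]; section = 'alloc'; }
    else if (section && (m = FRAME_RE.exec(line))) {
      // unsymbolised frames (module+offset only) get the name '?'
      report.stacks[section].push({ index: Number(m[1]), name: m[2] === undefined ? '?' : frameName(m[2]) });
    }
  }
  return report;
}

// Key = bug type + the first `depth` symbolised, non-runtime frames of the
// faulting stack. Addresses, PCs and thread ids are left out on purpose:
// they change from run to run while the bug does not.
function dedupKey(report, depth = 3) {
  const names = report.stacks.access.map((f) => f.name)
    .filter((n) => n !== '?' && !RUNTIME_FRAME_RE.test(n))
    .slice(0, depth);
  return `${report.type}:${names.join('|')}`;
}

// Constructed samples (see the lead-in); register values are made up.
const REPORT_A = [
  '==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fffc7eea2a0 sp 0x7fffc7eea298',
  'READ of size 8 at 0x6070000268d0 thread T0 (chrome)',
  '    #0 0x7f845771029e in WebCore::WaveShaperDSPKernel::lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138',
  '    #1 0x7f84576aacea in WebCore::WaveShaperProcessor::setOversample(...) .../WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70',
  '0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8)',
  'freed by thread T19 (AudioOutputDevi) here:',
  '    #0 0x7f844f58e101 in operator delete(void*) _asan_rtl_',
  '    #1 0x7f845887b5ec in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47',
].join('\n');
const REPORT_B = [
  '==7==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000513d0 at pc 0x7f2a3b4c529f bp 0x7ffd11a0c2a0 sp 0x7ffd11a0c298',
  'READ of size 8 at 0x60b0000513d0 thread T0 (chrome)',
  '    #0 0x7f2a3b4c529e in WebCore::WaveShaperDSPKernel::lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138',
  '    #1 0x7f2a3b45fcea in WebCore::WaveShaperProcessor::setOversample(...) .../WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70',
  '0x60b0000513d0 is located 64 bytes inside of 72-byte region [0x60b000051390,0x60b0000513d8)',
  'freed by thread T23 (AudioOutputDevi) here:',
  '    #0 0x7f2a39343101 in operator delete(void*) _asan_rtl_',
  '    #1 0x7f2a3c6305ec in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47',
].join('\n');
const REPORT_C = [
  '==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428',
  'READ of size 10 at 0x000011d3dde5 thread T0',
  '    #0 0x5ab219 in __interceptor_memcmp _asan_rtl_',
  '    #1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654',
  '    #2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of [REPORT_A, REPORT_B, REPORT_C]) console.log(dedupKey(parseAsanReport(r)));
}
```

With the three samples the first two reports collapse onto one key while the sqlite report gets its own; the interceptor frame is skipped so that a bug reached through `memcmp` is keyed on the caller that passed the bad length, not on the runtime.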
26/51
Used to instrument binaries
Redirects heap-related calls to own runtime library
Currently only heap-instrumentation
Chrome/Chromium only atm.
About 3x slowdown
Windows only
https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument
SyzyASan
27/51
SyzyASAN error: heap-buffer-overflow on address 0x0379D1A7 (stack_id=0x44CB69D7)
READ of size 8 at 0x0379D000
#0 0x000068ef23be in (unknown)
#1 0x000068f387f4 in (unknown)
#2 0x000068eeb486 in (unknown)
#3 0x000068e8add7 in (unknown)
...
SyzyASan
28/51
Bad access information:
+0x000 alloc_stack : [62] 0x0f999970 Void
+0x0f8 alloc_stack_size : 0x3c '
29/51
Crash stack:
chrome_dll!SkOpSegment::addTCoincident+0x18e
chrome_dll!SkOpContour::calcCoincidentWinding+0x9f
chrome_dll!CoincidenceCheck+0x3c
chrome_dll!Op+0x26a
...
Allocation stack:
asan_rtl!asan_HeapAlloc+0x48
chrome_dll!malloc+0x17
chrome_dll!realloc+0x15
chrome_dll!SkOpSegment::addT+0x9b
chrome_dll!AddIntersectTs+0xceb
chrome_dll!Op+0x244
SyzyASan
30/51
Heap allocation monitoring for Windows
No feedback - Only crash :(
Works on Chrome/Chromium
env: CHROME_ALLOCATOR="winheap"
Enable Chrome error reporting -> minidumps
Firewall Chrome (No free 0-days for Google ;) )
Debugging tools x86
Page-Heap
31/51
ExceptionAddress: 564a0cd7 (chrome_..!WebCore::WaveShaperDSPKernel::lazyInitializeOversampling+0x0...06)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 27261fe4
Attempt to read from address 27261fe4
...
STACK_TEXT:
chrome_...!WebCore::WaveShaperDSPKernel::lazyInitializeOversampling+0x6 [...\webkit\source\modules\webaudio\waveshaperdspkernel.cpp @ 53]
chrome_...!WebCore::WaveShaperProcessor::setOversample+0x29
...
APPLICATION_FAULT_INVALID_POINTER_READ_chrome!WebCore::WaveShaperDSPKernel::lazyInitializeOversampling+6
Dump-analysis
32/51
Dumb fuzzing: Yes, still works
Yes, you can still find bugs with bit-flipping of image-files
Smart fuzzing: Finds bugs fast but runs out of bugs faster. :(
Fuzzers
33/51
Dumb fuzzing
Radamsa || Surku \o/ https://code.google.com/p/ouspg/
Mutate old repros
( find ./src/ -type d -name '*crashtest*' | xargs ls; )
Collect winnings
Fuzzers
34/51
Smart fuzzing
W3C/MDN(/MSDN)
Again stay green
Most of the JavaScript APIs in browsers are really similar
Some of the public tools have the logic in them already
W3C spec + grep + sed = $$$
Fuzzers
35/51
Smart fuzzing
WebAudio API - PannerNode - Specification
interface PannerNode : AudioNode {
    void setPosition(double x, double y, double z);
    void setOrientation(double x, double y, double z);
    void setVelocity(double x, double y, double z);
    attribute double refDistance;
    attribute double maxDistance;
    attribute double rolloffFactor;
};
Fuzzers
36/51
Smart fuzzing
2D Canvas API - Specification
// rects
void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);
void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);
// shadows
attribute unrestricted double shadowOffsetX; // (default 0)
attribute unrestricted double shadowOffsetY; // (default 0)
attribute unrestricted double shadowBlur; // (default 0)
Fuzzers
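The "W3C spec + grep + sed" idea from the smart fuzzing slides, carried through as a small Node.js generator. This is an added example, not code from the slides or from NodeFuzz: it parses the PannerNode and 2D Canvas IDL fragments above into operations and attributes, then emits a test case in the same try/catch-per-statement shape the deck's repros use, with interesting double values (NaN, -0, Infinity, 1e308, ...) for each argument. The factory expression `new webkitAudioContext().createPanner()` is an assumption about how the target object is obtained, since the IDL does not say; the generated text is only run by loading it into a browser, the script itself never executes it.

```javascript
'use strict';
// Added example (not from the slides, not NodeFuzz code): parse a WebIDL
// fragment and emit a browser test case from it.

// IDL fragments as shown on the slides.
const PANNER_IDL = `
interface PannerNode : AudioNode {
    void setPosition(double x, double y, double z);
    void setOrientation(double x, double y, double z);
    void setVelocity(double x, double y, double z);
    attribute double refDistance;
    attribute double maxDistance;
    attribute double rolloffFactor;
};`;
const CANVAS_IDL = `
// rects
void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);
void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);
// shadows
attribute unrestricted double shadowOffsetX; // (default 0)
attribute unrestricted double shadowOffsetY; // (default 0)
attribute unrestricted double shadowBlur; // (default 0)
`;

const ATTR_RE = /^(readonly\s+)?attribute\s+(.+?)\s+(\w+)$/;
const OP_RE = /^([\w ]+?)\s+(\w+)\s*\((.*)\)$/;
const ARG_RE = /^(.+?)\s+(\w+)$/;

// Parse one interface (or a bare member list) into attributes/operations.
// Enough WebIDL for the fragments above: no dictionaries, unions,
// constants or extended attributes.
function parseIdl(idl) {
  const text = idl.replace(/\/\/[^\n]*/g, ''); // strip comments
  const header =/interface\s+(\w+)\s*(?::\s*(\w+))?\s*\{/.exec(text);
  let body = header ? text.slice(header.index + header[0].length) : text;
  body = body.replace(/\}\s*;?\s*$/, '');       // closing "};"
  const iface = { name: header ? header[1] : null, parent: header && header[2] ? header[2] : null,
                  attributes: [], operations: [] };
  for (const stmt of body.split(';').map((s) => s.trim()).filter(Boolean)) {
    let m;
    if ((m = ATTR_RE.exec(stmt))) {
      iface.attributes.push({ name: m[3], type: m[2], readonly: Boolean(m[1]) });
    } else if ((m = OP_RE.exec(stmt))) {
      const args = m[3].split(',').map((a) => a.trim()).filter(Boolean).map((a) => {
        const am = ARG_RE.exec(a);
        return { type: am[1], name: am[2] };
      });
      iface.operations.push({ name: m[2], returns: m[1], args });
    }
  }
  return iface;
}

// Values worth trying per IDL type, kept as source text so that NaN and
// Infinity survive into the generated file.
const DOUBLE_VALUES = ['0', '-0', '1', '-1', '0.5', 'NaN', 'Infinity', '-Infinity',
                       '1e308', '-1e308', '5e-324', '4294967296', '2147483648', '-2147483649'];
const INT_VALUES = ['0', '1', '-1', '255', '256', '65535', '2147483647', '-2147483648', '4294967295', '4294967296'];
const STRING_VALUES = ["''", "'A'.repeat(65536)", "'\\u0000'"];

function valueFor(type, rand) {
  const base = type.trim().split(/\s+/).pop().replace(/\?$/, ''); // "unrestricted double" -> "double"
  const pick = (list) => list[rand(list.length)];
  if (base === 'double' || base === 'float') return pick(DOUBLE_VALUES);
  if (['long', 'short', 'octet', 'byte'].includes(base)) return pick(INT_VALUES);
  if (base === 'boolean') return pick(['true', 'false']);
  if (base === 'DOMString' || base === 'USVString') return pick(STRING_VALUES);
  return pick(['null', 'undefined', '{}', '[]']);
}

// Tiny LCG; high bits only, since the low bits of an LCG cycle quickly.
function makeRand(seed) {
  let s = seed >>> 0;
  return (n) => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return (s >>> 16) % n; };
}

// Emit one test case: obtain the target, then poke every member once in a
// seeded order, each statement in its own try/catch like the deck's repros.
function generateTestCase(iface, factoryExpr, seed) {
  const rand = makeRand(seed);
  const lines = ['var target = null;', `try{target = ${factoryExpr}}catch(e){}`];
  const members = [...iface.attributes.map((a) => ({ kind: 'attr', ...a })),
                   ...iface.operations.map((o) => ({ kind: 'op', ...o }))];
  for (let i = members.length - 1; i > 0; i--) { // Fisher-Yates, seeded
    const j = rand(i + 1);
    [members[i], members[j]] = [members[j], members[i]];
  }
  for (const m of members) {
    if (m.kind === 'attr') {
      lines.push(m.readonly ? `try{void target.${m.name}}catch(e){}`
                            : `try{target.${m.name} = ${valueFor(m.type, rand)}}catch(e){}`);
    } else {
      const args = m.args.map((a) => valueFor(a.type, rand)).join(',');
      lines.push(`try{target.${m.name}(${args})}catch(e){}`);
    }
  }
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  // factory expression is an assumption; the IDL does not say how a PannerNode is created
  console.log(generateTestCase(parseIdl(PANNER_IDL), 'new webkitAudioContext().createPanner()', 1));
}
```

The same parser handles the canvas fragment because it accepts a bare member list without an `interface` wrapper; swapping the value tables or the factory expression is all that changes between one API and the next, which is what makes the approach cheap to keep "green" as new APIs ship.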
37/51
Individuals:
Physical machines -> sysadmining; New HW -> Bug -> Bounty...
Hardware/Infrastructure
38/51
8x Dual Core CPU, 2GB ram, USB-stick,
aka. Badgers
OUSPG - 2011
39/51
University HW:
Badgers
6x Quad core AMD A10, 16GB ram, SSD
6x Dual Dual Core AMD antique, 8GB, 10k rpm
BYOD:
4x Quad core i7-3770K, 16GB ram, SSD
And an additional 30+ cores of misc hardware with 133.7+ GB of RAM and a bunch of SSDs
OUSPG - 2013
40/51
OUSPG - 2013
41/51
42/51
ClusterFuzz aka. CF
Google fuzzing cluster
2012 - 6000 Chrome instances
50m+ test cases per day
Plans for quadrupling at that time
ASAN, multiple fuzzers, minimization, regression ranges, verify fixes, dupes & dupes & dupes...
Hardware/Infrastructure
43/51
cluster-fuzz is a soulless bug hunting machine.
It has no want or need for your gratitude. It
lives only to feed on bugs.
ClusterFuzz
44/51
12 machines running 24/7
~50 cores, ~133.7GB of RAM
approx. 20m test cases per day
19 file-formats
git, scp, auto-update, auto-minimize
Radamsa and ...
My stuff
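The "auto-minimize" step here, and the "minimization" ClusterFuzz does on slide 42, in code: an added example, not the deck's or ClusterFuzz's implementation. It is Zeller's delta debugging (ddmin) over the lines of a repro: each candidate subset is handed to an interestingness oracle which, in real use, would launch the browser under ASan and check that the report's signature is unchanged; here the oracle is a constructed stand-in over a constructed six-line repro so the example runs offline.

```javascript
'use strict';
// Added example: delta-debugging (ddmin) minimiser for line-based repros.
// Not the slides' code; the "crash" oracle used below is a stand-in.

// Wraps an interestingness predicate and counts how often it is consulted
// (each call would be one browser launch in practice).
function countingOracle(predicate) {
  const oracle = (items) => { oracle.calls += 1; return predicate(items); };
  oracle.calls = 0;
  return oracle;
}

// ddmin: shrink `items` while `interesting(items)` stays true. Returns a
// 1-minimal subset: removing any single element makes the predicate false.
function ddmin(items, interesting) {
  if (!interesting(items)) throw new Error('input is not interesting to begin with');
  let current = items.slice();
  let n = 2; // number of chunks the current input is split into
  while (current.length >= 2) {
    const chunk = Math.ceil(current.length / n);
    const subsets = [];
    for (let i = 0; i < current.length; i += chunk) subsets.push(current.slice(i, i + chunk));

    let next = null;
    // Reduce to a subset: does one chunk alone still trigger the bug?
    for (const s of subsets) {
      if (interesting(s)) { next = s; n = 2; break; }
    }
    // Reduce to a complement: does dropping one chunk keep it triggering?
    // (With n == 2 the complements are the subsets just tested.)
    if (next === null && n > 2) {
      for (let i = 0; i < subsets.length; i++) {
        const complement = subsets.filter((_, j) => j !== i).flat();
        if (interesting(complement)) { next = complement; n = Math.max(n - 1, 2); break; }
      }
    }
    if (next !== null) { current = next; continue; }
    if (n >= current.length) break;        // already at single-element granularity
    n = Math.min(n * 2, current.length);   // otherwise refine the partition
  }
  return current;
}

// Convenience wrapper for a newline-separated repro file.
function minimizeRepro(text, interesting) {
  const lines = text.split('\n').filter((l) => l.trim() !== '');
  return ddmin(lines, (subset) => interesting(subset.join('\n'))).join('\n');
}

// Constructed sample: a stand-in repro and a stand-in crash oracle that
// "crashes" only when both the connect and the disconnect line are present.
const SAMPLE_REPRO = [
  'var a = makeNode();',
  'var b = makeNode();',
  'a.connect(b);',
  'noop();',
  'b.disconnect();',
  'var unused = 3;',
].join('\n');

function sampleCrashes(text) {
  return text.includes('a.connect(b);') && text.includes('b.disconnect();');
}

if (typeof require !== 'undefined' && require.main === module) {
  const oracle = countingOracle(sampleCrashes);
  console.log(minimizeRepro(SAMPLE_REPRO, oracle));
  console.log(`oracle consulted ${oracle.calls} times`);
}
```

The result is 1-minimal, not necessarily the globally smallest subset, and every oracle call is a full browser run, so in practice the oracle also has to compare the ASan signature rather than just "did it crash", otherwise the minimiser happily wanders off onto a different bug.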
45/51
Browser fuzzer harness
Written in JavaScript (Node.js)
Linux, Windows, OS X
Test case generators and instrumentations loaded as modules
Uses WebSockets for test case injection to browser
Stable - https://code.google.com/p/ouspg/downloads/list
Trunkish - https://github.com/attekett/NodeFuzz
NodeFuzz
46/51
Requirements: Google Chrome installed
$ sudo apt-get install nodejs
$ git clone https://github.com/attekett/NodeFuzz.git
$ cd NodeFuzz
$ npm install
$ vim config.js #Optional
$ node nodefuzz.js
NodeFuzz - Setup - Ubuntu
47/51
Fairly new JS API (Chrome 2011, FF 2013)
"The API has been designed to allow modular routing. (UAF) Basic audio operations are performed by audio nodes that are linked together to form an audio routing graphs. (UAF/BOF) Inside a same context, several sources are supported, with different kind of channel layout. (UAF/BOF) This modular design allows for great flexibility and for the creation of complex audio functions and of dynamic effects. (BOF)" - MDN
NodeFuzz - module - WebAudio
48/51
Bugs found:
Chrome - 4 UAF, 3 BOF
Firefox - 1 UAF, 8 BOF
NodeFuzz - module - WebAudio
49/51
CVE-2013-0879 - Chrome - BOF
try{var context = new webkitAudioContext()}catch(e){}
try{var oscillator = context.createOscillator()}catch(e){}
try{oscillator.start(0.701,0.7,0.7)}catch(e){}
setInterval(function(){
  try{oscillator.connect(context.destination);}catch(e){}
},4)
try{oscillator.stop(0.70)}catch(e){}
NodeFuzz - module - WebAudio
50/51
CVE-2013-2845 - Chrome - UAF
var Context0 = new webkitAudioContext()
var Analyser0 = Context0.createAnalyser();
var WaveShaper0 = Context0.createWaveShaper();
var Convolver3 = Context0.createConvolver();
Analyser0.connect(WaveShaper0);
WaveShaper0.connect(Context0.destination);
Convolver3.connect(Analyser0);
setInterval(function(){Analyser0.disconnect();},4)
NodeFuzz - module - WebAudio
51/51
DEMO!!! && Q&A