get the spider monkey off your back
play

Get the (Spider)monkey off your back Exploiting Firefox through the - PowerPoint PPT Presentation

Jan 16, 2024 •447 likes •1.02k views

Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex Who are we? Security enthusiasts who dabble in vulnerability research on their free time as part of phoenhex. Member of CTF

  1. Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex

  2. Who are we? Security enthusiasts who dabble in vulnerability research on their free time as part of phoenhex. Member of CTF teams: ● Eat Sleep Pwn Repeat ● KITCTF Strong advocates for CTF challenges without guessing ;) You can reach out to us on twitter: ● @edgarboda ● @bkth_ ● @phoenhex

  3. Introduction to Spidermonkey

  4. What is Spidermonkey? ● Mozilla’s Javascript engine, written in C and C++ ● Shipped as part of Firefox ● Implements ECMAScript specifications ● Main components: ○ Interpreter ○ Garbage Collector ○ Just-In-Time (JIT) compilers

  5. Javascript Objects Internally, a Javascript object has the simplified representation: class NativeObject { js::GCPtrObjectGroup group_; GCPtrShape shape_; // used for storing property names js::HeapSlot* slots_; // used to store named properties js::HeapSlot* elements_; // used to store dense elements } shape_ : list storing property names and their associated index into the slots_ array slots_: objects corresponding to named properties elements_: objects corresponding to indices

  6. Javascript Objects Let’s consider the following piece of Javascript code: var x = {}; // Creates an “empty” object x.a = 3; // Creates property “a” on object x x.b = “Hello”; // Creates property “b” on object x

  7. Javascript Objects var x = {}; shape_ elements_ x.a = 3; group_ slots_ x.b = “Hello”; Object x 3 “hello” name: “ a ” name: “ b ”, index: 0 index: 1

  8. What about arrays? Arrays use the elements_ pointer to store the indexable elements. Let’s consider the following piece of Javascript code: var x = []; // Creates an “empty” array x[0] = 3; x[2] = “Hello”;

  9. What about arrays? var x = []; x[0] = 3; shape_ slots_ elements_ group_ x[2] = “Hello”; Object x 3 undefined “hello” An array stored like that is called a dense array

  10. What about arrays? Now let’s consider the following example: var x = [] a[0] = 3 a[0x7fff] = “Hello” So simply reserve memory for 0x8000 elements, right?

  11. What about arrays? var x = [] a[0] = 3 shape_ elements_ group_ slots_ a[0x7fff] = “Hello” Object x name: “0x7fff”, “Hello” 3 index: 0 An array stored like that is called a sparse array

  12. JavaScript Values Values internally represent the actual JavaScript value such as 3, “hello”, { a: 3 } Spidermonkey uses NaN-boxing: - On 32 bits platforms: 32 bits of tag and 32 bits for the actual value - On 64 bits platforms: 17 bits of tag and 47 bits for the actual value As an attacker, we don’t have full control over what is written in memory (well ;)...)

  13. Case study of an exploit

  14. Feature analysis Web workers ● execute Javascript code in background threads ● communication between the main script and the worker thread. Shared array buffers ● Shared memory (between workers for example)

  15. Feature analysis Let’s look at a simple example: var w = new Worker('worker_script.js'); var obj = { msg: "Hello world!" }; w.postMessage(obj); The worker script can also handle messages coming from the invoking thread using an event listener: this.onmessage = function(msg) { var obj = msg; // do something with obj now } Objects are transferred in serialized form, created by the structured clone algorithm (SCA)

  16. Shared array buffers Shared array buffers have the following abstract layout in memory inheriting from NativeObject : class SharedArrayBufferObject { js::GCPtrObjectGroup group_; GCPtrShape shape_; js::HeapSlot* slots_; js::HeapSlot* elements_; js::SharedArrayRawBuffer* rawbuf ; } SharedArrayBufferObject has the interesting property that rawbuf always points to the same object, even after duplication by the structured clone algorithm.

  17. First Bug All bug credits go to our fellow phoenhex member saelo. The SharedArrayRawBuffer has the following structure: class SharedArrayRawBuffer { void SharedArrayRawBuffer::dropReference() { uint32_t refcount = --this->refcount_; mozilla::Atomic< uint32_t , mozilla::ReleaseAcquire > refcount_; if (refcount) [...] return; } void SharedArrayRawBuffer::addReference() { // If this was the final reference, release the buffer. [...] [...] UnmapMemory(address, allocSize); ++this->refcount_; // Atomic. [...] } } The refcount_ field keeps track of number of SharedArrayBufferObject pointing to this object.

  18. First Bug All bug credits go to our fellow phoenhex member saelo. The SharedArrayRawBuffer has the following structure: class SharedArrayRawBuffer { void SharedArrayRawBuffer::dropReference() { uint32_t refcount = --this->refcount_; mozilla::Atomic< uint32_t , mozilla::ReleaseAcquire > refcount_; if (refcount) [...] return; } void SharedArrayRawBuffer::addReference() { // If this was the final reference, release the buffer. [...] [...] UnmapMemory(address, allocSize); ++this->refcount_; // Atomic. [...] } } The refcount_ field keeps track of number of SharedArrayBufferObject pointing to this object. CAN YOU SPOT THE BUG?

  19. First Bug All bug credits go to our fellow phoenhex member saelo. The SharedArrayRawBuffer has the following structure: class SharedArrayRawBuffer { void SharedArrayRawBuffer::dropReference() { uint32_t refcount = --this->refcount_; mozilla::Atomic< uint32_t , mozilla::ReleaseAcquire > refcount_; if (refcount) [...] return; } void SharedArrayRawBuffer::addReference() { // If this was the final reference, release the buffer. [...] [...] UnmapMemory(address, allocSize); ++this->refcount_; // Atomic. [...] } } The refcount_ field keeps track of number of SharedArrayBufferObject pointing to this object. call addReference() 2³² times

  20. First Bug All bug credits go to our fellow phoenhex member saelo. The SharedArrayRawBuffer has the following structure: class SharedArrayRawBuffer { void SharedArrayRawBuffer::dropReference() { uint32_t refcount = --this->refcount_; mozilla::Atomic< uint32_t , mozilla::ReleaseAcquire > refcount_; if (refcount) [...] return; } void SharedArrayRawBuffer::addReference() { // If this was the final reference, release the buffer. [...] [...] UnmapMemory(address, allocSize); ++this->refcount_; // Atomic. [...] } } The refcount_ field keeps track of number of SharedArrayBufferObject pointing to this object. 2³² * addReference() → refcount_ == 1

  21. First Bug All bug credits go to our fellow phoenhex member saelo. The SharedArrayRawBuffer has the following structure: class SharedArrayRawBuffer { void SharedArrayRawBuffer::dropReference() { uint32_t refcount = --this->refcount_; mozilla::Atomic< uint32_t , mozilla::ReleaseAcquire > refcount_; if (refcount) [...] return; } void SharedArrayRawBuffer::addReference() { // If this was the final reference, release the buffer. [...] [...] UnmapMemory(address, allocSize); ++this->refcount_; // Atomic. [...] } } The refcount_ field keeps track of number of SharedArrayBufferObject pointing to this object. 2³² * addReference() → refcount_ == 1 → dropReference()

  22. First Bug All bug credits go to our fellow phoenhex member saelo. The SharedArrayRawBuffer has the following structure: class SharedArrayRawBuffer { void SharedArrayRawBuffer::dropReference() { uint32_t refcount = --this->refcount_; mozilla::Atomic< uint32_t , mozilla::ReleaseAcquire > refcount_; if (refcount) [...] return; } void SharedArrayRawBuffer::addReference() { // If this was the final reference, release the buffer. [...] [...] UnmapMemory(address, allocSize); ++this->refcount_; // Atomic. [...] } } The refcount_ field keeps track of number of SharedArrayBufferObject pointing to this object. 2³² * addReference() → refcount_ == 1 → dropReference() → calls UnmapMemory()

  23. First Bug All bug credits go to our fellow phoenhex member saelo. The SharedArrayRawBuffer has the following structure: class SharedArrayRawBuffer { void SharedArrayRawBuffer::dropReference() { uint32_t refcount = --this->refcount_; mozilla::Atomic< uint32_t , mozilla::ReleaseAcquire > refcount_; if (refcount) [...] return; } void SharedArrayRawBuffer::addReference() { // If this was the final reference, release the buffer. [...] [...] UnmapMemory(address, allocSize); ++this->refcount_; // Atomic. [...] } } The refcount_ field keeps track of number of SharedArrayBufferObject pointing to this object. Use-After-Free!

  24. Great! Now let’s exploit this!

  25. Well…………...

  26. Bug Analysis: reference count overflow How can we call addReference() ? There really is only one code path: writeSharedArrayBuffer() onMessage(sab); postMessage(sab); readSharedArrayBuffer()

  27. Bug Analysis: reference count overflow How can we call addReference() ? There really is only one code path: bool JSStructuredCloneWriter::writeSharedArrayBuffer(HandleObject obj) { Rooted<SharedArrayBufferObject*> sharedArrayBuffer(context(), &CheckedUnwrap(obj)->as<SharedArrayBufferObject>()); SharedArrayRawBuffer* rawbuf = sharedArrayBuffer->rawBufferObject(); [...] rawbuf->addReference(); [...] } writeSharedArrayBuffer() onMessage(sab); postMessage(sab); readSharedArrayBuffer()

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali

Monkey-Spider Detection of Malicious Web Sites Final presentation of the diploma thesis Ali Ikinci ali[at]ikinci.info 9. July 2007 Head of Department: Prof. Dr. Felix Freiling Supervisor: Dipl.-Inform. Thorsten Holz Laboratory for Dependable

665 views • 32 slides
How to estimate a density on a spider web ? Dominique Picard How to estimate a density on a

How to estimate a density on a spider web ? Dominique Picard How to estimate a density on a

How to estimate a density on a spider web ? How to estimate a density on a spider web ? Dominique Picard How to estimate a density on a spider web ? 2020 1 / 37 Spider web from exhibition On Air Tomas Saraceno spider web spider web Spider

753 views • 40 slides
Homo erectus Neanderthals monkey see, monkey (mostly cannot) do Social learning

Homo erectus Neanderthals monkey see, monkey (mostly cannot) do Social learning

Homo erectus Neanderthals monkey see, monkey (mostly cannot) do Social learning cumulative cultural evolution The Descent of the Homo lineage from 2 MYA Human capacity for culture evolved about here The Worlds 7000 -8000

412 views • 27 slides
SPIDER VEINS What are Spider veins? are small dilated blood vessels near the surface of the

SPIDER VEINS What are Spider veins? are small dilated blood vessels near the surface of the

SPIDER VEINS What are Spider veins? are small dilated blood vessels near the surface of the skin characterized as purple, blue or red lines are similar to varicose veins but are much thinner in diameter and not palpable permanent

168 views • 15 slides
By Laura and Holly Spider Diagram of Spider Diagram of Classical Books Classical Books

By Laura and Holly Spider Diagram of Spider Diagram of Classical Books Classical Books

By Laura and Holly Spider Diagram of Spider Diagram of Classical Books Classical Books Victorian 1900s Time Poor Classical Books Setting Characters Orphans Streets Posh To op p 3 3 C Cl la as ss si ic ca al l B Bo oo

600 views • 8 slides
A Class y Spider W E B SC R AP IN G IN P YTH ON Thomas Laetsch Data Scientist , NYU Yo u r

A Class y Spider W E B SC R AP IN G IN P YTH ON Thomas Laetsch Data Scientist , NYU Yo u r

A Class y Spider W E B SC R AP IN G IN P YTH ON Thomas Laetsch Data Scientist , NYU Yo u r Spider import scrapy from scrapy.crawler import CrawlerProcess class SpiderClassName(scrapy.Spider): name = &quot;spider_name&quot; # the code for

454 views • 28 slides
Biomimetics and biomaterials Presentation on Spider Silk, Spring 2015 Facts about spiders There

Biomimetics and biomaterials Presentation on Spider Silk, Spring 2015 Facts about spiders There

Biomedicine, bioengineering or Biomimetics and biomaterials Presentation on Spider Silk, Spring 2015 Facts about spiders There are more than 150,000 different species of spider about 35,000 are identified. Elsewhere I read that as of 2008

1.25k views • 75 slides
Neural Monkey Du san Vari s Institute of Formal and Applied Linguistics Faculty of

Neural Monkey Du san Vari s Institute of Formal and Applied Linguistics Faculty of

Neural Monkey Du san Vari s Institute of Formal and Applied Linguistics Faculty of Mathematics and Physics Charles University September 4, 2018 Neural Monkey Toolkit for training neural models for sequence-to-sequence tasks

257 views • 21 slides
Surfing the Infinite Monkey Theorem for Fun and Profit Dr. Jim Webber Chief Scientist Overview

Surfing the Infinite Monkey Theorem for Fun and Profit Dr. Jim Webber Chief Scientist Overview

Surfing the Infinite Monkey Theorem for Fun and Profit Dr. Jim Webber Chief Scientist Overview The Infinite Monkey Theorem Neo4j and graph data Evolutionary, inclusive architecture Science! Revenge of the monkeys End OK,

376 views • 34 slides
Orange Empire Signal Garden Lessons Learned OR Remove spider * before servicing main board. *

Orange Empire Signal Garden Lessons Learned OR Remove spider * before servicing main board. *

Orange Empire Signal Garden Lessons Learned OR Remove spider * before servicing main board. * For those of you who's first language is not English spider is a bug + not a computer term.. + Bug denotes an animal again not a

1.25k views • 103 slides
HelenOS in the Year HelenOS in the Year of the Fire Monkey of the Fire Monkey

HelenOS in the Year HelenOS in the Year of the Fire Monkey of the Fire Monkey

HelenOS in the Year HelenOS in the Year of the Fire Monkey of the Fire Monkey http://www.helenos.org/ http://d3s.mff.cuni.cz Jakub Jerm jakub@jermar.eu Martjn Dck decky@d3s.mff.cuni.cz HelenOS in a Nutshell HelenOS in a Nutshell

788 views • 32 slides
S P I D E R J o a c h I m F r a n k SPIDER is a command-driven application written

S P I D E R J o a c h I m F r a n k SPIDER is a command-driven application written

S P I D E R J o a c h I m F r a n k SPIDER is a command-driven application written predominantly in FORTRAN 90. Available for Linux, Irix, and AIX. More than 80 suites of operations (with a total of more than 450 operations)

168 views • 14 slides
Building Myself Back Up: Tracking and Habit Formation Post-Concussion Maggie Delano

Building Myself Back Up: Tracking and Habit Formation Post-Concussion Maggie Delano

Building Myself Back Up: Tracking and Habit Formation Post-Concussion Maggie Delano maggied@mit.edu @maggied Insider Monkey / Flickr Tom Simpson / Flickr Time spent on computer each week Head injury Too much computer Actually resting

1.02k views • 25 slides
TechSEO360 SEO Spider Software for Windows and Mac. Complete technical SEO and sitemaps

TechSEO360 SEO Spider Software for Windows and Mac. Complete technical SEO and sitemaps

TechSEO360 SEO Spider Software for Windows and Mac. Complete technical SEO and sitemaps tool. Flexible crawler and filtering of collected data. Can crawl and handle very large websites. History TechSEO360 merges features from A1

852 views • 33 slides
Character Analysis: Monkey King Ryan C 4/8/2020 English 10 He wants to be god He is

Character Analysis: Monkey King Ryan C 4/8/2020 English 10 He wants to be god He is

Character Analysis: Monkey King Ryan C 4/8/2020 English 10 He wants to be god He is ambitious Character He is determined Background Include picture Internals Mental: stubborn Spiritual: superior to others Emotional:

572 views • 7 slides
Olfactory sensitivity of spider monkeys ( Ateles geoffroyi ) for six structurally related aromatic

Olfactory sensitivity of spider monkeys ( Ateles geoffroyi ) for six structurally related aromatic

Department of Physics, Chemistry and Biology Master Thesis Olfactory sensitivity of spider monkeys ( Ateles geoffroyi ) for six structurally related aromatic aldehydes Luna Kjeldmand LiTH-IFM- Ex--xxxx--SE Supervisor: Matthias Laska,

511 views • 22 slides
CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

812 views • 51 slides
CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client

CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client

9/12/18 CS314 Software Engineering Responsive Clients Dave Matthews Solution Technology Client Protocol Server ReactJS HTTP Java Spark Bootstrap JSON Gson ReactStrap TFFI JavaScript HTML CSS 1

162 views • 4 slides
Thoughts on Software Quality Is it just a cultural thing? Are we doomed? Bertrand Delacrtaz

Thoughts on Software Quality Is it just a cultural thing? Are we doomed? Bertrand Delacrtaz

Thoughts on Software Quality Is it just a cultural thing? Are we doomed? Bertrand Delacrtaz @bdelacretaz, grep.codeconsult.ch Principal Scientist, CQ/AEM R&amp;D group, Adobe Basel Apache Software Foundation Member and Director

359 views • 33 slides
JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 JAVASCRIPT IS COMING

JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 JAVASCRIPT IS COMING

JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 JAVASCRIPT IS COMING TO EAT YOU Citizen Tim Electric Citizen | June 2019 HOW WHO How do I start? Does this affect me? WHEN WHAT Now? What is it?? WHERE WHY W51H

754 views • 52 slides
Well-typed programs cant be blamed Philip Wadler University of Edinburgh Robert Bruce Findler

Well-typed programs cant be blamed Philip Wadler University of Edinburgh Robert Bruce Findler

Well-typed programs cant be blamed Philip Wadler University of Edinburgh Robert Bruce Findler University of Chicago The mathematics of programming languages is deep and elegant examples other than Curry-Howard? terms other than

731 views • 38 slides
R2RML-F: Towards Sharing and Executing Domain Logic in R2RML Mappings Christophe Debruyne and

R2RML-F: Towards Sharing and Executing Domain Logic in R2RML Mappings Christophe Debruyne and

R2RML-F: Towards Sharing and Executing Domain Logic in R2RML Mappings Christophe Debruyne and Declan OSullivan ADAPT Centre (http://www.adaptcentre.ie/) Trinity College Dublin (http://www.tcd.ie/) 2016-04-12 @ Linked Data on the Web

532 views • 15 slides
State of JS Implementations, 2014 Edition webengineshackfest.org Andy Wingo Agenda History

State of JS Implementations, 2014 Edition webengineshackfest.org Andy Wingo Agenda History

State of JS Implementations, 2014 Edition webengineshackfest.org Andy Wingo Agenda History New things A brief history of JS 1996-2008: slow 2014: fastish A brief history of JS 1996-2008: slow 2014: fastish Environmental forcing

782 views • 22 slides
Node.js on the JVM Node.js on the JVM JavaScript Evented I/O &amp; more JavaScript Evented I/O

Node.js on the JVM Node.js on the JVM JavaScript Evented I/O &amp; more JavaScript Evented I/O

Node.js on the JVM Node.js on the JVM JavaScript Evented I/O &amp; more JavaScript Evented I/O &amp; more for the Java Enterprise Ecosystem for the Java Enterprise Ecosystem Niko Kbler ( @dasniko ) {JavaScript} Training I'm to hire! I'm

677 views • 43 slides

More recommend