This slide deck walks through a Firefox remote code execution exploit, from the JavaScript that triggers the bug through the buggy C++ in the JavaScript interpreter to its disassembly, and shows how binary instrumentation, Daikon (invariant inference) and LiveShield (invariant enforcement) are used to find and enforce the invariants that the exploit violates. Along the way it introduces binary variables, the grouping of traced values into basic blocks and program points, and the difficulty of locating exploit root causes, and it closes with further Firefox and IE exploits and the application-community protection process.
Overview
• Firefox exploit
  • Code injection using buggy JavaScript interpreter
  • JavaScript code exploiting the bug
  • The bug in C++
  • The bug in assembly code
• Instrumentation: Finding values
• Daikon: Finding invariants
• LiveShield: Enforcing invariants
DARPA AC MIT Site Visit
Remote Code Execution Exploit
[Figure: an HTML page loads the JavaScript exploit]
From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx
April 10, 2007
JavaScript Exploit Code
    // spray payload
    memory = new Array();
    for (i=0;i<heapBlocks;i++)
        // Insert x86 instructions for calling shell code.
        memory[i]= …;
    // Invoke injected code
    InstallTrigger.install.call(0x9800000, "a", "a");
JavaScript Interpreter (C++ code)
    // getting C++ object from JavaScript object
    nsIDOMInstallTriggerGlobal *nativeThis =
        (nsIDOMInstallTriggerGlobal*)JS_GetPrivate(cx, obj);
    // bug: doesn't check the type of nativeThis
    nativeThis->UpdateEnabled(globalObject, XPI_WHITELIST, &enabled); // exploit point
Disassembled Code
    nativeThis->UpdateEnabled(globalObject, XPI_WHITELIST, &enabled); // exploit point
    push ecx
    push 1
    push dword ptr [ebp-10h]
    push ebx
    call dword ptr [eax+0Ch]   // ptr [eax+0Ch] is the method address
Overview
• Firefox exploit
• Instrumentation: Finding values
  • Register and memory values, jumps, calls, and returns
• Daikon: Finding invariants
• LiveShield: Enforcing invariants
Instrumentation
• To find invariants without source code or debug symbol access
• Captures important values
• Finding exploit root causes is challenging
  • Currently the locations for instrumentation are selected manually
  • Memory firewall (Determina) may help to locate them
Binary Variable Examples
• Binary variable: a variable in machine (binary) code
  • Name: instruction address and register name
  • Value: value of register or reference
    mov dword ptr [ebp-34h],esi
    mov eax,dword ptr [ebx]
    push ecx
x86 Instrumentation Output
• Binary variable: a variable in machine (binary) code
  • Name: instruction address and register name
  • Value: value of register or reference
    mov dword ptr [ebp-34h],esi
    mov eax,dword ptr [ebx]
    push ecx
Instrumentation output:
    xpinstal.dll:0xa111 BV esi 0x00000000
    xpinstal.dll:0xa114 BV ebx 0x01f13bcc
    xpinstal.dll:0xa114 BV [ebx] 0x6005c6d8
    xpinstal.dll:0xa116 BV ecx 0x0012ecf4
Output for Firefox Normal Runs
    call dword ptr [eax+0Ch]
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
    […]
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
    […]
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
    […]
Normal vs. Exploit Runs
• Normal run
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d
• Exploit run
    xpinstal.dll:0xa11d BV [eax+0Ch] 0x1200002c
Overview
• Firefox exploit
• Instrumentation: Finding values
• Daikon: Finding invariants
  • Grouping values into basic blocks
  • Grouping basic blocks into program points
  • Finding invariants among variables in a program point
• LiveShield: Enforcing invariants
Grouping values into basic blocks
Columns: thread, address (dll+offset), opcode (BV = binary variable)
Basic block:
    ...
    1588 xpinstal.dll:0x5ebe BV esp 0x0012df20
    1588 xpinstal.dll:0x5ebe ICALL ret xpinstal.dll:0x5ec1
Basic block:
    xpinstal.dll:0x5ecf BV esp 0x0012df1c
    1588 xpinstal.dll:0x5ecf BV [4+esp] 0x1e78e98
    ...
    1588 xpinstal.dll:0x5ed9 BV [0+esp] 0x60045ec1
    xpinstal.dll:0x5ed9 RET to xpinstal.dll:0x5ec1
Basic block:
    xpinstal.dll:0x5ec1 BV eax 0x00000002
    ...
Grouping basic blocks into program points
• You might need variables from previous basic blocks to find the right invariant
• For example, the C code
    char* p = …;
    while (*p) { … }
  compiles to instructions including
    Some.dll:0x1bb1d mov eax, …
    Some.dll:0x1bccc mov …, [eax]
• The right invariant might be that the size of the buffer is less than 256:
    eax@Some.dll:0x1bccc - eax@Some.dll:0x1bb1d < 256
Algorithm to create Daikon input
• Partition the basic blocks into functions
• Build a control-flow graph for each function
• Calculate dominators
• The program point of each basic block includes the binary variables in its dominators
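As an added illustration of the four steps above (not the project's own code), the following Python builds program points for one already-partitioned function: it computes dominators over a constructed control-flow graph that reuses the Some.dll addresses from the previous slide, then gives each block's program point the binary variables of its dominators, so that eax@Some.dll:0x1bb1d is available at 0x1bccc and the buffer-size invariant can be expressed. The graph, the two extra loop-body blocks and the variable names are assumptions.

```python
from collections import defaultdict

# Constructed control-flow graph of one function (block -> successors),
# using the Some.dll addresses from the slide plus two placeholder blocks
# for the loop body; the real layout of that code is not on the slide.
CFG = {
    "0x1bb1d": ["0x1bb30", "0x1bb40"],   # mov eax, ... (loop set-up)
    "0x1bb30": ["0x1bccc"],
    "0x1bb40": ["0x1bccc"],
    "0x1bccc": ["0x1bb30"],              # mov ..., [eax]; back edge of while
}
ENTRY = "0x1bb1d"
# Constructed binary variables observed in each block.
BLOCK_VARS = {
    "0x1bb1d": ["eax@Some.dll:0x1bb1d"],
    "0x1bb30": ["ecx@Some.dll:0x1bb30"],
    "0x1bb40": ["edx@Some.dll:0x1bb40"],
    "0x1bccc": ["eax@Some.dll:0x1bccc"],
}


def dominators(cfg, entry):
    """Iterative dataflow: dom(n) = {n} | intersection of dom(p) over preds(n)."""
    preds = defaultdict(set)
    for n, succs in cfg.items():
        for s in succs:
            preds[s].add(n)
    nodes = set(cfg)
    dom = {n: set(nodes) for n in nodes}   # start from "everything dominates"
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes - {entry}:
            common = set.intersection(*(dom[p] for p in preds[n])) if preds[n] else set()
            new = {n} | common
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def program_points(cfg, entry, block_vars):
    """Daikon program point of a block: its own variables plus its dominators'."""
    dom = dominators(cfg, entry)
    return {n: sorted(v for d in dom[n] for v in block_vars.get(d, []))
            for n in cfg}


if __name__ == "__main__":
    for block, variables in program_points(CFG, ENTRY, BLOCK_VARS).items():
        print(block, variables)
```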
Invariant for Firefox Exploit
Buggy code:
    xpinstal.dll:0xa11d call [eax+0Ch]
    xpinstal.dll:0xa120 cmp …
Invariant:
    [eax+0Ch]@xpinstal.dll:0xa11d == 0x6004592d
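The instrumentation-output slides and the invariant above, worked as an added example that is neither Daikon's nor Determina's code: the script below infers a Daikon-style "one of" invariant per binary variable from constructed normal-run trace lines in the format shown earlier, then checks the exploit-run value 0x1200002c at xpinstal.dll:0xa11d against it. The trace lines, the operand@address naming and the two-value cut-off are assumptions.

```python
import re
from collections import defaultdict

# Assumed trace line format: '<dll>:<offset> BV <operand> <hex value>'.
LINE_RE = re.compile(r"^(\S+:0x[0-9a-f]+)\s+BV\s+(\S+)\s+(0x[0-9a-f]+)$", re.I)

# Constructed "normal run" lines, modelled on the xpinstal.dll output above.
NORMAL_RUNS = [
    "xpinstal.dll:0xa114 BV ebx 0x01f13bcc",
    "xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d",
    "xpinstal.dll:0xa114 BV ebx 0x01f13c10",
    "xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d",
    "xpinstal.dll:0xa114 BV ebx 0x01f14020",
    "xpinstal.dll:0xa11d BV [eax+0Ch] 0x6004592d",
]
# Constructed exploit-run line: the method pointer no longer has its usual value.
EXPLOIT_RUN = ["xpinstal.dll:0xa11d BV [eax+0Ch] 0x1200002c"]


def parse(lines):
    """Yield (binary variable, value); the variable name is operand@address."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield f"{m.group(2)}@{m.group(1)}", int(m.group(3), 16)


def infer_invariants(lines, max_values=2):
    """Daikon-style 'x == c' / 'x one of {...}' invariants per variable.
    A variable seen with more than max_values distinct values (ebx here)
    is judged too variable and gets no invariant."""
    seen = defaultdict(set)
    for name, value in parse(lines):
        seen[name].add(value)
    return {n: v for n, v in seen.items() if len(v) <= max_values}


def check(lines, invariants):
    """Return (variable, observed value) for every invariant violation."""
    return [(n, v) for n, v in parse(lines)
            if n in invariants and v not in invariants[n]]


if __name__ == "__main__":
    inv = infer_invariants(NORMAL_RUNS)
    for name, values in inv.items():
        print(name, "one of", sorted(map(hex, values)))
    print("exploit run violations:", check(EXPLOIT_RUN, inv))
```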
Overview
• Firefox exploit
• Instrumentation: Finding values
• Daikon: Finding invariants
• LiveShield: Enforcing invariants
  • Code in C that is woven into the application when loaded into the code cache
  • Determina's product
  • Distributed and managed in the central controller
LiveShield for Firefox Exploit
LiveShield (patch description):
    <file name="xpinstal.dll"/>
    <patch offset="0xa116">
      <function type="detector" name="ff_detector"/>
      <function type="protector" name="ff_protector" return="0xa120"/>
    </patch>
LiveShield (detector):
    hotp_exec_status_t ff_detector(const hotp_context_t *hotp_context)
    {
        /* the invariant found by Daikon: the method pointer is constant */
        if (POI(EAX+0xC) != 0x6004592d)
            return HOTP_EXEC_EXPLOIT_DETECTED | HOTP_EXEC_LOG_EVENT;
        return HOTP_EXEC_EXPLOIT_NOT_DETECTED;
    }
LiveShield (protector):
    hotp_exec_status_t ff_protector(hotp_context_t *hotp_context)
    {
        UNREFERENCED_PARAMETER(hotp_context);
        /* skip the call: continue at the return offset 0xa120 */
        return HOTP_EXEC_CHANGE_CONTROL_FLOW | HOTP_EXEC_LOG_EVENT;
    }
Demo
• Run the Firefox exploit
• Turn on a previously generated LiveShield
• Run the Firefox exploit again on a different community workstation
Firefox Exploits
IE Exploits
IE exploit – Illegal function call
• Exactly like the Firefox exploit
• Same fix: skip the call
    <body onLoad="window();">
    jscript.dll:75c5f429 call [ecx+0x8]
IE exploit – buffer overflow
    <object type="////…/////AAAAAAAAAAAAAAAA"/>
• String is checked for proper buffer size
• Then '/' is changed into '_/_'
    761240CE lea eax, [ebp+0x104]
    ...
    761240E1 mov [eax], 5Fh
    761240E4 inc eax
    ...
• Invariant:
    eax <= (ebp+0x104)+242
• Fix:
    if (eax > (ebp+0x104)+242) eax = (ebp+0x104)+242
Current Protection Process
• For example: Vista bug ms06-17
• Determina creates a LiveShield
  • Knowledge and labor intensive, tedious
• Dec 20: Microsoft informed
• Mar 27: attack in the wild
• Apr 3: Microsoft develops a patch
• Patch is deployed in the community
Application Community Protection Process
• Application Community learns
• Exploit deployed by blackhats
• Exploit automatically recognized
• Patch automatically generated
• 0-day exploit → 0-day patch
Summary
• Instrumentation: Finding values
  • Register and memory values, jumps, calls, and returns
• Daikon: Finding invariants
  • Grouping values into program points
• LiveShield: Enforcing invariants
  • Code in C that is woven into the application
• Real exploits: 4 in Firefox, 5 in IE
End
• Any questions?
Event handlers – buffer overflow
    <foo onclick=foo onclick=foo … >
    748D94CF mov ecx, [eax+45Ch]
Invariant:
    eax+0x45C <= 93
Fix:
    if (eax+0x45C > 93) eax = 93
isComponentInstalled – buffer overflow
    obj.isComponentInstalled("…")
    lstrcatA(&subkey_buf, clsid);
Invariant:
    strlen(clsid) <= 93
Fix:
    if (eax+0x45C > 93) eax = 93
IE VML – buffer overflow
    <html xmlns:v="urn:schemas-microsoft-com:vml">
    <head>
      <title>IE VML crash</title>
      <style> v\:* { behavior: url(#default#VML); } </style>
    </head>
    <body>
      <v:rect style="width:20pt;height:20pt" fillcolor="red">
        <v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>
      </v:rect>
    </body>
    </html>
Strechbelt – Denial of Service
    <img src="1000x1000.png" width="41943034" height="41943034">
Fix:
    if (width > MAX_WIDTH) width = MAX_WIDTH;
    if (height > MAX_HEIGHT) height = MAX_HEIGHT;
Daikon output:
2218 false positives, out of 41360, which is 5.36%
    BB-xpinstal.dll_0xbe86-InFunction-xpinstal.dll_0x19818:::
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 < xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe86 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87
    xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86 < xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87
    xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe86 - xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87 + 4 == 0
    xpinstal.dll_0xbe86__0_esp__xpinstal.dll_0xbe87 > xpinstal.dll_0xbe86_esp_xpinstal.dll_0xbe87

    At ppt BB-xpinstal.dll_0xa10b-InFunction-xpinstal.dll_0x1b9f6:::, Invariant 'xpinstal.dll_0xa10b__12_eax__xpinstal.dll_0xa11d one of { 301989932, 1610897709 }' invalidated by sample xpinstal.dll_0xa10b__12_eax__xpinstal.dll_0xa11d=301989932: at line 13720 in file ff_exploit.dtrace.gz
Application Communities (MIT CSAIL, Determina)