
Transcript of 44CON-slides.pdf

8/11/2019 44CON-slides.pdf

Slide 1/51 - Browser Bug Hunting: Memoirs of a last man standing

Atte Kettunen (@attekett), OUSPG

https://code.google.com/p/ouspg/
Slide 2/51

Picture by @dominic_sim

Slide 3/51 - Atte Kettunen

Started at OUSPG in summer 2011

First security bug from Chrome 2011-12

Since then:

~100 Vulns

~60 Rewards

39 CVEs

Slide 4/51 - Browser Bug Bounty Programs

Mozilla since 2004

- Sec-High/Critical $3,000

Google since 2010

- Typical security bugs $1,000-$3,133.7

- Possibility for bonus rewards: PoC, exploit, awesomeness

(Microsoft 2013 June 25 - July 25)

Slide 5/51 - Browser Bug Bounty Programs

Easy to get started - Lots of bugs \o/

Helpful vendor security teams and supportive responses to first bug submissions

Supportive (secretive/competitive) community of other bounty hunters

Slide 6/51 - Where the bugs are

Use-after-free: DOM, CSS, Rendering

Buffer-overflow: Media formats, Parsers, Decoders, Coordinates

Slide 7/51 - Some bug - CVE-2012-4185 - Firefox

AddressSanitizer - global-buffer-overflow - READ of size 2

    #0 nsCharTraits::length()
    #1 nsAString_internal::Assign()

Repro-file:

Slide 8/51 (no text on this slide)

Slide 9/51 (no text on this slide)

Slides 10-14/51 - Hunting for living

Three golden rules:

1. Stay green - Features

2. Stay green - Competition

3. Stay green - Tools

Slide 15/51 - Hunting for living

1. Stay green - Features

New features are published all the time -> new code \o/

Some changes are not highlighted: minor updates to JavaScript API support etc.

Old bugs fixed -> new code \o/

Old features can change: prefixes disappear (-webkit, -moz), features can get disabled

Slide 16/51 - Hunting for living

1. Stay green - Features

Firefox Aurora - Release note: "Partial support for Web Audio, targeted at web developers for testing" (May 17, 2013)

Slide 17/51 - Hunting for living

2. Stay green - Competition

Tools: different approach -> different bugs?

Targets: find new minefields

Platforms: different code on different platforms

Slide 18/51 - Hunting for living

2. Stay green - Competition

@cevans: "@j00ru has melted polar ice with his PDF fuzzing on 9k cores."

Slide 19/51 - Hunting for living

3. Stay green - Tools

Instrumentations: new instrumentation -> detect new issues

Build environments: broken builds @#!#...

Fuzzers: new techniques

Slide 20/51

3. Stay green - Tools

WTF??? On Chromium startup:

==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428
READ of size 10 at 0x000011d3dde5 thread T0
    #0 0x5ab219 in __interceptor_memcmp _asan_rtl_
    #1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654
    #2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294
    ...

    Diff of /trunk/tools/build/scripts/slave/runtest.py:

    + # Avoid aggressive memcmp checks until http://crbug.com/178677 is fixed.

    + os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0'
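Review bot: the second `+` line assigns `os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0'` outright, which discards any ASAN_OPTIONS already exported into the slave's environment instead of appending to them, and because runtest.py sets it for every test it also switches off the memcmp over-read check for all code under test, not only the sqlite `fillInUnixFile` path that the crbug.com/178677 comment refers to. Suggest composing the value from the existing variable (`':'.join(filter(None, [os.environ.get('ASAN_OPTIONS'), 'strict_memcmp=0']))` or similar) and widening the comment to say the check is disabled globally until the bug is fixed.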

    Hunting for living

Slide 21/51 - Tools

Instrumentation

Fuzzers

Hardware/Infrastructure

Slide 22/51 - AddressSanitizer

Clang compiler plugin

Adds instrumentation to check memory access at runtime

Similar to Valgrind

Only 2x slowdown

Created at Google, used by Google & Mozilla

Linux & OS X

http://www.chromium.org/developers/testing/addresssanitizer
Slide 23/51 - AddressSanitizer

Awesome with use-after-frees

Very good for buffer-overflows and out-of-bounds access

Good but confused with type confusions

Slide 24/51 - AddressSanitizer

==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
    #0 0x7f845771029e (.../asan-linux-release-209136/chrome+0x96f229e)
    #1 0x7f84576aacea (.../asan-linux-release-209136/chrome+0x968ccea)
    #2 0x7f8451ce00f3 (.../asan-linux-release-209136/chrome+0x3cc20f3)
    ...
0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
    #0 0x7f844f58e101 (.../asan-linux-release-209136/chrome+0x1570101)
    #1 0x7f845887b5ec (.../asan-linux-release-209136/chrome+0xa85d5ec)
    ...

Slide 25/51 - AddressSanitizer

==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
    #0 0x7f845771029e in WebCore::WaveShaperDSPKernel::lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138
    #1 0x7...a in WebCore::WaveShaperProcessor::setOversample(...) .../WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70
    ...
0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
    #0 0x7...1 in operator delete(void*) _asan_rtl_
    #1 0x7...c in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47
    ...
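The two ASan reports above are what a fuzzing run hands you by the hundreds, and the later slides note that dupes are the real cost. The following Node.js helper is an added example (my code, not from the slides, OUSPG or NodeFuzz): it parses reports in the format shown here, builds a dedup signature from the top non-runtime frames, and flags reports whose top frame is the memcmp interceptor so the `strict_memcmp` situation from the Chromium-startup slide gets a human look. The two sample reports are constructed from the slide text; the `bp` value and the location strings that the slides elide are placeholders, and the severity ranking is a heuristic of this example, not a rule from the talk.

```javascript
// Added example: triage helper for AddressSanitizer reports.
// Sample reports below are constructed from the slide text; elided values
// (bp register, "..." path prefixes) are placeholders, not real data.

const HEADER_RE = /^==\d+==\s*ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)/m;
const ACCESS_RE = /^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)/m;
const FREED_RE  = /^freed by thread (T\d+)/m;
const FRAME_SYM_RE = /^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)\s*$/;   // symbolized
const FRAME_RAW_RE = /^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+\((.+)\)\s*$/;             // module+offset only

// Parse one "#N 0x... in func location" or "#N 0x... (module+off)" line.
function parseFrame(line) {
  let m = FRAME_SYM_RE.exec(line);
  if (m) return { index: +m[1], func: m[2], location: m[3] };
  m = FRAME_RAW_RE.exec(line);
  if (m) return { index: +m[1], func: null, location: m[2] };
  return null;
}

// ASan runtime frames (interceptors, operator new/delete inside _asan_rtl_)
// say nothing about where the bug is, so signatures skip them.
function isRuntimeFrame(f) {
  return f.func === null || f.location === '_asan_rtl_' ||
    f.func.startsWith('__interceptor_') || f.func.startsWith('__asan');
}

// Rough severity heuristic (an assumption of this example): writes first,
// then heap use-after-free and heap overflows, then everything else.
function rankSeverity(r) {
  if (r.access === 'WRITE') return 'critical';
  if (r.bugType === 'heap-use-after-free' || r.bugType === 'heap-buffer-overflow') return 'high';
  return 'medium';
}

function triageAsanReport(text) {
  const header = HEADER_RE.exec(text);
  if (!header) return null;                       // not an ASan report
  const access = ACCESS_RE.exec(text);
  const freed = FREED_RE.exec(text);
  const report = {
    bugType: header[1], address: header[2],
    access: access ? access[1] : null, size: access ? +access[2] : null,
    thread: access ? access[4] : null, freeThread: freed ? freed[1] : null,
    crashStack: [], freeStack: [], allocStack: [],
  };
  // Frames belong to the most recent section header seen while walking down.
  let section = 'crashStack';
  for (const line of text.split('\n')) {
    if (/^freed by thread/.test(line)) section = 'freeStack';
    else if (/^previously allocated by thread/.test(line)) section = 'allocStack';
    const frame = parseFrame(line);
    if (frame) report[section].push(frame);
  }
  const meaningful = report.crashStack.filter(f => !isRuntimeFrame(f));
  report.signature = report.bugType + ':' +
    meaningful.slice(0, 3).map(f => f.func.replace(/\(.*$/, '')).join('|');
  // strict_memcmp hits (memcmp reading past the first differing byte) show the
  // memcmp interceptor on top; flag them for manual review instead of filing blindly.
  const top = report.crashStack[0];
  report.suspectStrictMemcmp = !!top && top.func === '__interceptor_memcmp';
  report.severity = rankSeverity(report);
  return report;
}

// Bucket parsed reports by signature: the "dupes & dupes & dupes" problem.
function groupBySignature(reports) {
  const groups = new Map();
  for (const r of reports) {
    if (!groups.has(r.signature)) groups.set(r.signature, []);
    groups.get(r.signature).push(r);
  }
  return groups;
}

// Constructed sample: the WaveShaper use-after-free from the slides.
const UAF_REPORT = `==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fffc7eea2a0 sp 0x7fffc7eea298
READ of size 8 at 0x6070000268d0 thread T0 (chrome)
    #0 0x7f845771029e in WebCore::WaveShaperDSPKernel::lazyInitializeOversampling() .../WebKit/Source/wtf/OwnPtr.h:138
    #1 0x7f84576aacea in WebCore::WaveShaperProcessor::setOversample() .../WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70
0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8)
freed by thread T19 (AudioOutputDevi) here:
    #0 0x7f844f58e101 in operator delete(void*) _asan_rtl_
    #1 0x7f845887b5ec in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47
`;

// Constructed sample: the memcmp report from the Chromium-startup slide.
const MEMCMP_REPORT = `==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428
READ of size 10 at 0x000011d3dde5 thread T0
    #0 0x5ab219 in __interceptor_memcmp _asan_rtl_
    #1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654
    #2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294
`;

for (const r of [UAF_REPORT, MEMCMP_REPORT].map(triageAsanReport)) {
  console.log(`${r.severity.padEnd(8)} ${r.bugType} ${r.access} of size ${r.size} in ${r.thread}` +
    (r.freeThread ? ` (freed by ${r.freeThread})` : '') +
    (r.suspectStrictMemcmp ? ' [memcmp interceptor on top: check strict_memcmp]' : '') +
    `\n         signature: ${r.signature}`);
}
```

Feeding the UAF report twice plus the memcmp report into `groupBySignature` yields two buckets, which is the point: the signature ignores addresses and runtime frames, so re-runs of the same crash collapse while genuinely different stacks stay apart.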

Slide 26/51 - SyzyASan

Used to instrument binaries

Redirects heap-related calls to own runtime library

Currently only heap-instrumentation

Chrome/Chromium only atm. About 3x slowdown

Windows only

https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument
Slide 27/51 - SyzyASan

SyzyASAN error: heap-buffer-overflow on address 0x0379D1A7 (stack_id=0x44CB69D7)
READ of size 8 at 0x0379D000
    #0 0x000068ef23be in (unknown)
    #1 0x000068f387f4 in (unknown)
    #2 0x000068eeb486 in (unknown)
    #3 0x000068e8add7 in (unknown)
    ...

Slide 28/51

Bad access information:
    +0x000 alloc_stack      : [62] 0x0f999970 Void
    +0x0f8 alloc_stack_size : 0x3c '

Slide 29/51 - SyzyASan

Crash stack:
    chrome_dll!SkOpSegment::addTCoincident+0x18e
    chrome_dll!SkOpContour::calcCoincidentWinding+0x9f
    chrome_dll!CoincidenceCheck+0x3c
    chrome_dll!Op+0x26a
    ...

Allocation stack:
    asan_rtl!asan_HeapAlloc+0x48
    chrome_dll!malloc+0x17
    chrome_dll!realloc+0x15
    chrome_dll!SkOpSegment::addT+0x9b
    chrome_dll!AddIntersectTs+0xceb
    chrome_dll!Op+0x244

Slide 30/51 - Page-Heap

Heap allocation monitoring for Windows

No feedback - Only crash :(

Works on Chrome/Chromium

env: CHROME_ALLOCATOR="winheap"

Enable Chrome error reporting -> minidumps

Firewall Chrome ( No free 0-days for Google ;) )

Debugging tools x86

Slide 31/51 - Dump-analysis

ExceptionAddress: 564a0cd7 (chrome_..!WebCore::WaveShaperDSPKernel::lazyInitializeOversampling+0x0...06)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 27261fe4
Attempt to read from address 27261fe4
...

STACK_TEXT:
chrome_...!WebCore::WaveShaperDSPKernel::lazyInitializeOversampling+0x6 [...\webkit\source\modules\webaudio\waveshaperdspkernel.cpp @ 53]
chrome_...!WebCore::WaveShaperProcessor::setOversample+0x29
...

APPLICATION_FAULT_INVALID_POINTER_READ_chrome!WebCore::WaveShaperDSPKernel::lazyInitializeOversampling+6

Slide 32/51 - Fuzzers

Dumb fuzzing: yes, still works

Yes, you can still find bugs with bit-flipping of image-files

Smart fuzzing: finds bugs fast but runs out of bugs faster. :(

Slide 33/51 - Fuzzers

Dumb fuzzing

Radamsa || Surku \o/ https://code.google.com/p/ouspg/

Mutate old repros

( find ./src/ -type d -name '*crashtest*' | xargs ls; )

Collect winnings
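The two slides above make the case for dumb fuzzing: bit flips and chunk shuffles on old repros still pay. To make the loop concrete, here is an added example (my code, not Radamsa, Surku or anything from the slides) of a minimal mutation fuzzer in Node.js: a seeded PRNG so every test case can be regenerated, four Radamsa-style mutators, a constructed toy parser with a deliberate trust-the-length bug standing in for a native file parser, and a harness that separates clean rejections from crashes and keeps one repro per distinct crash signature. The record-file format and the seed input are constructed for this example.

```javascript
// Added example: a tiny dumb mutation fuzzer with replayable test cases.
// Target format, seed input and the target's bug are all constructed here.

// xorshift32: deterministic, so any crash can be replayed from the seed.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => { s ^= s << 13; s ^= s >>> 17; s ^= s << 5; s >>>= 0; return s; };
}

const INTERESTING = [0x00, 0x01, 0x7f, 0x80, 0xff];   // boundary bytes

// Every mutator takes a Uint8Array and returns a (possibly new) Uint8Array.
const MUTATORS = [
  function flipBit(b, rng) { b[rng() % b.length] ^= 1 << (rng() % 8); return b; },
  function setInteresting(b, rng) { b[rng() % b.length] = INTERESTING[rng() % INTERESTING.length]; return b; },
  function repeatChunk(b, rng) {          // duplicate a run of bytes in place
    const start = rng() % b.length, len = 1 + rng() % Math.min(8, b.length - start);
    const end = start + len;
    return new Uint8Array([...b.subarray(0, end), ...b.subarray(start, end), ...b.subarray(end)]);
  },
  function deleteChunk(b, rng) {          // drop a run of bytes
    const start = rng() % b.length, len = 1 + rng() % Math.min(4, b.length - start);
    return new Uint8Array([...b.subarray(0, start), ...b.subarray(start + len)]);
  },
];

// Apply `rounds` randomly chosen mutators to a copy of the input.
function mutate(input, rng, rounds) {
  let b = Uint8Array.from(input);
  for (let i = 0; i < rounds && b.length > 0; i++) b = MUTATORS[rng() % MUTATORS.length](b, rng);
  return b;
}

// Toy target (constructed): "RF" magic, then records of <len><payload...>.
// DataView throws RangeError on out-of-bounds reads, which stands in for
// the memory-safety crash a native parser would give under ASan.
function parseRecordFile(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes.byteLength < 2 || view.getUint8(0) !== 0x52 || view.getUint8(1) !== 0x46) {
    throw new SyntaxError('bad magic');               // clean rejection, not a bug
  }
  let offset = 2, checksum = 0;
  while (offset < bytes.byteLength) {
    const len = view.getUint8(offset++);
    // Deliberate bug: len is trusted, no check that offset + len <= byteLength.
    for (let i = 0; i < len; i++) checksum = (checksum + view.getUint8(offset + i)) & 0xff;
    offset += len;
  }
  return checksum;
}

// Run `iterations` mutated cases against `target`. SyntaxError means the
// parser rejected the input cleanly; anything else is a crash, bucketed by
// exception type and message, with the first repro kept per bucket.
function fuzzCampaign(seedInput, target, iterations, seed) {
  const rng = makeRng(seed);
  const findings = new Map();
  let ok = 0, rejected = 0;
  for (let i = 0; i < iterations; i++) {
    const testCase = mutate(seedInput, rng, 1 + rng() % 4);
    try { target(testCase); ok++; }
    catch (e) {
      if (e instanceof SyntaxError) { rejected++; continue; }
      const signature = `${e.constructor.name}: ${e.message}`;
      if (!findings.has(signature)) findings.set(signature, Array.from(testCase));
    }
  }
  return { ok, rejected, findings };
}

// Constructed seed input: magic + records "abc" and "xy" (checksum 23).
const SEED_INPUT = Uint8Array.from([0x52, 0x46, 0x03, 0x61, 0x62, 0x63, 0x02, 0x78, 0x79]);

const result = fuzzCampaign(SEED_INPUT, parseRecordFile, 500, 1234);
console.log(`ok=${result.ok} rejected=${result.rejected} crash buckets=${result.findings.size}`);
for (const [sig, repro] of result.findings) {
  console.log(sig, '<-', repro.map(x => x.toString(16).padStart(2, '0')).join(' '));
}
```

The oracle is the part worth copying: a fuzzer that counts every exception as a finding drowns in "bad magic" rejections, while one that keys buckets on exception type plus message collapses thousands of hits on the same length-trust bug into a single repro, which is what ClusterFuzz's minimization and dedup stages do at scale.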
Slide 34/51 - Fuzzers

Smart fuzzing

W3C/MDN(/MSDN)

Again stay green

Most of the JavaScript APIs in browsers are really similar

Some of the public tools have the logic in them already

W3C spec + grep + sed = $$$

Slide 35/51 - Fuzzers

Smart fuzzing

WebAudio API - PannerNode - Specification

interface PannerNode : AudioNode {
    void setPosition(double x, double y, double z);
    void setOrientation(double x, double y, double z);
    void setVelocity(double x, double y, double z);
    attribute double refDistance;
    attribute double maxDistance;
    attribute double rolloffFactor;
};

Slide 36/51 - Fuzzers

Smart fuzzing

2D Canvas API - Specification

// rects
void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);
void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);

// shadows
attribute unrestricted double shadowOffsetX; // (default 0)
attribute unrestricted double shadowOffsetY; // (default 0)
attribute unrestricted double shadowBlur; // (default 0)
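"W3C spec + grep + sed" is the whole smart-fuzzing idea on these three slides: the IDL already lists every method, argument type and attribute, so a generator can be driven from it. As an added example (my code, not NodeFuzz or any OUSPG tool), the Node.js script below parses WebIDL interface blocks like the PannerNode one, chooses values per IDL type, giving NaN and infinities only where the spec says `unrestricted`, and emits a try/catch-wrapped script in the style of the repros on the later CVE slides. The `webkitAudioContext`/`createPanner()` setup lines are an assumption about how the interface is instantiated, and the `CanvasRenderingContext2D` interface is constructed around the members from the canvas slide.

```javascript
// Added example: WebIDL-driven test case generator.
// The PannerNode IDL is from the slide; the canvas interface is constructed
// from the slide's member list; the setup statements are assumptions.

// Parse every `interface Name [: Parent] { members };` block in the text.
function parseWebIDL(idl) {
  const text = idl.replace(/\/\/.*$/gm, '');                 // strip // comments
  const interfaces = [];
  const re = /interface\s+(\w+)\s*(?::\s*(\w+))?\s*\{([\s\S]*?)\};/g;
  for (const m of text.matchAll(re)) {
    const iface = { name: m[1], parent: m[2] || null, methods: [], attributes: [] };
    for (const raw of m[3].split(';')) {
      const member = raw.trim().replace(/\s+/g, ' ');
      if (!member) continue;
      let mm = /^(readonly )?attribute (.+?) (\w+)$/.exec(member);
      if (mm) { iface.attributes.push({ type: mm[2], name: mm[3], readonly: !!mm[1] }); continue; }
      mm = /^(\S+) (\w+)\s*\((.*)\)$/.exec(member);
      if (mm) {
        const args = mm[3].trim() ? mm[3].split(',').map(a => {
          const am = /^(.+?) (\w+)$/.exec(a.trim());       // "unrestricted double x" -> type, name
          return { type: am[1], name: am[2] };
        }) : [];
        iface.methods.push({ returnType: mm[1], name: mm[2], args });
      }
    }
    interfaces.push(iface);
  }
  return interfaces;
}

// Value pools per IDL type. `unrestricted double` admits NaN/Infinity; plain
// `double` must reject them, so the two pools differ on purpose.
function valuesFor(type) {
  const doubles = [0, 1, -1, 0.5, 1e-7, 1e308, -1e308, 4294967296, 5e-324];
  if (type === 'unrestricted double') return doubles.concat([NaN, Infinity, -Infinity]);
  if (type === 'double') return doubles;
  if (/^(unsigned )?(long|short|octet)/.test(type)) return [0, 1, -1, 255, 65535, 2147483647, 4294967295];
  if (type === 'boolean') return [true, false];
  if (type === 'DOMString') return ['""', '"A"', '"\\u0000"', '"x".repeat(65536)'];
  return ['null', 'undefined', '{}'];                       // unknown types: something odd
}

// Emit `calls` try/catch-wrapped statements against `target`, choosing a
// random method or writable attribute each time (tiny seeded LCG).
function generateTestCase(iface, { setup, target, seed = 1, calls = 20 }) {
  let s = seed >>> 0;
  const rng = () => (s = (Math.imul(s, 1103515245) + 12345) >>> 0) >>> 16;
  const pick = arr => arr[rng() % arr.length];
  const literal = v => (typeof v === 'string' ? v : String(v));   // NaN, 1e+308 etc. are valid JS
  const members = [
    ...iface.methods.map(m => ({ kind: 'method', m })),
    ...iface.attributes.filter(a => !a.readonly).map(a => ({ kind: 'attr', a })),
  ];
  const lines = setup.map(stmt => `try { ${stmt} } catch (e) {}`);
  for (let i = 0; i < calls; i++) {
    const member = pick(members);
    if (member.kind === 'method') {
      const args = member.m.args.map(arg => literal(pick(valuesFor(arg.type)))).join(', ');
      lines.push(`try { ${target}.${member.m.name}(${args}) } catch (e) {}`);
    } else {
      lines.push(`try { ${target}.${member.a.name} = ${literal(pick(valuesFor(member.a.type)))} } catch (e) {}`);
    }
  }
  return lines.join('\n');
}

const SAMPLE_IDL = `
interface PannerNode : AudioNode {
    void setPosition(double x, double y, double z);
    void setOrientation(double x, double y, double z);
    void setVelocity(double x, double y, double z);
    attribute double refDistance;
    attribute double maxDistance;
    attribute double rolloffFactor;
};
interface CanvasRenderingContext2D {
    // rects
    void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);
    void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h);
    // shadows
    attribute unrestricted double shadowOffsetX; // (default 0)
    attribute unrestricted double shadowOffsetY; // (default 0)
    attribute unrestricted double shadowBlur;    // (default 0)
};
`;

const [panner] = parseWebIDL(SAMPLE_IDL);
console.log(generateTestCase(panner, {
  setup: ['var ctx = new webkitAudioContext()', 'var node = ctx.createPanner()'],  // assumed instantiation
  target: 'node', seed: 44, calls: 8,
}));
```

Every statement is wrapped in its own try/catch exactly as the CVE repros on the later slides are, so one rejected argument does not stop the rest of the case from running, and the seed in the generator is what makes a crashing case reproducible once the harness reports it.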

Slide 37/51 - Hardware/Infrastructure

Individuals:

Physical machines -> sysadmining

New HW -> Bug -> Bounty...

Slide 38/51 - OUSPG - 2011

8x Dual Core CPU, 2GB ram, USB-stick, aka. Badgers

Slide 39/51 - OUSPG - 2013

University HW:

Badgers

6x Quad core AMD A10, 16GB ram, SSD

6x Dual Dual Core AMD antique, 8GB, 10k rpm

BYOD:

4x Quad core i7-3770K, 16GB ram, SSD

And additional 30+ cores misc hardware with 133.7+ GB of ram and a bunch of SSDs

Slide 40/51 - OUSPG - 2013

Slide 41/51 (no text on this slide)

Slide 42/51 - Hardware/Infrastructure

ClusterFuzz aka. CF

Google fuzzing cluster

2012 - 6000 Chrome instances

50m+ test cases per day

Plans for quadrupling at that time

ASAN, multiple fuzzers, minimization, regression ranges, verify fixes, dupes & dupes & dupes...

Slide 43/51 - ClusterFuzz

cluster-fuzz is a soulless bug hunting machine. It has no want or need for your gratitude. It lives only to feed on bugs.

Slide 44/51 - My stuff

12 machines running 24/7

~50 cores, ~133.7GB of RAM

approx. 20m test cases per day

19 file-formats

git, scp, auto-update, auto-minimize

Radamsa and ...

Slide 45/51 - NodeFuzz

Browser fuzzer harness

Written in JavaScript ( Node.js )

Linux, Windows, OS X

Test case generators and instrumentations loaded as modules

Uses WebSockets for test case injection to browser

Stable - https://code.google.com/p/ouspg/downloads/list

Trunkish - https://github.com/attekett/NodeFuzz
Slide 46/51 - NodeFuzz - Setup - Ubuntu

Requirements: Google Chrome installed

$ sudo apt-get install nodejs
$ git clone https://github.com/attekett/NodeFuzz.git
$ cd NodeFuzz
$ npm install
$ vim config.js # Optional
$ node nodefuzz.js

Slide 47/51 - NodeFuzz - module - WebAudio

Fairly new JS API (Chrome 2011, FF 2013)

"The API has been designed to allow modular routing. (UAF) Basic audio operations are performed by audio nodes that are linked together to form an audio routing graphs. (UAF/BOF) Inside a same context, several sources are supported, with different kind of channel layout. (UAF/BOF) This modular design allows for great flexibility and for the creation of complex audio functions and of dynamic effects. (BOF)" - MDN

Slide 48/51 - NodeFuzz - module - WebAudio

Bugs found:

Chrome - 4 UAF, 3 BOF

Firefox - 1 UAF, 8 BOF

Slide 49/51 - NodeFuzz - module - WebAudio

CVE-2013-0879 - Chrome - BOF

    try { var context = new webkitAudioContext() } catch (e) {}
    try { var oscillator = context.createOscillator() } catch (e) {}
    try { oscillator.start(0.701, 0.7, 0.7) } catch (e) {}
    setInterval(function () {
        try { oscillator.connect(context.destination); } catch (e) {}
    }, 4)
    try { oscillator.stop(0.70) } catch (e) {}

Slide 50/51 - NodeFuzz - module - WebAudio

CVE-2013-2845 - Chrome - UAF

    var Context0 = new webkitAudioContext()
    var Analyser0 = Context0.createAnalyser();
    var WaveShaper0 = Context0.createWaveShaper();
    var Convolver3 = Context0.createConvolver();
    Analyser0.connect(WaveShaper0);
    WaveShaper0.connect(Context0.destination);
    Convolver3.connect(Analyser0);
    setInterval(function () { Analyser0.disconnect(); }, 4)

Slide 51/51

DEMO!!!

&& Q&A