Shulou (Shulou.com), SLTechnology News&Howtos, Network Security. 05/31 report; updated 2025-02-25.
Many readers who are new to this area do not know how to analyze the principle behind CVE-2019-5786 or how it is exploited. This article therefore summarizes the cause of the vulnerability and the approach to exploiting it, and I hope it helps you work through the problem.
Discover the essence of the vulnerability from the patch
First, gather information about CVE-2019-5786 from the Google blog. The entry "High CVE-2019-5786: Use-after-free in FileReader" tells us that it is a use-after-free (UAF) vulnerability in FileReader.
Then look at the patch at https://github.com/chromium/chromium/commit/ba9748e78ec7e9c0d594e7edf7b2c07ea2a90449?diff=split
Comparing the code before and after the patch, you can see that the statement DOMArrayBuffer* result = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer()) was moved after the finished_loading check, and that the value returned changes from result to array_buffer_result_ (the cached copy of result). This suggests that the returned value is the source of the problem.
Code analysis
raw_data_->ToArrayBuffer() may return either a copy of the internal buffer or a pointer to the internal buffer itself.
According to the MDN description of FileReader.readAsArrayBuffer():
The readAsArrayBuffer() method of the FileReader interface starts reading the contents of the specified Blob or File. When the read operation completes, readyState becomes DONE, the loadend event fires, and the result property contains an ArrayBuffer representing the file's data.
The FileReader.onprogress event fires as the read progresses; for large data, onprogress fires multiple times.
So reading the FileReader.result property returns a pointer to a WTF::ArrayBuffer object created through WTF::ArrayBufferBuilder: while the Blob has not yet been fully read it points to a copy of the WTF::ArrayBuffer, and once the read has finished it returns the WTF::ArrayBuffer built by WTF::ArrayBufferBuilder itself.
The data may therefore already be fully loaded by the time the finished_loading flag is set to true, so the result returned in the onprogress event and in the onload event can be the same object. By having a worker release one of the result pointers, the other is left dangling, which gives the UAF.
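To make the logic behind the patch concrete, here is an added C++ model (my own simplified code, not Chromium's) of the pre-patch and post-patch result paths described above. It assumes a toy ArrayBuffer and a toy builder whose ToArrayBuffer() returns its own buffer only when the buffer is full; the names ResultVulnerable, ResultFixed and ResultsAlias are mine, and the point shown is that only the pre-patch path hands the progress and load events the same object.

```cpp
#include <cstddef>
#include <memory>
#include <vector>
// Toy WTF::ArrayBuffer/ArrayBufferBuilder: a full builder hands out its buffer itself, not a copy.
using ArrayBuffer = std::vector<unsigned char>;
struct ArrayBufferBuilder {
  std::shared_ptr<ArrayBuffer> buffer;
  size_t bytes_used = 0;
  explicit ArrayBufferBuilder(size_t cap) : buffer(std::make_shared<ArrayBuffer>(cap)) {}
  void Append(size_t n) { bytes_used += n; }  // chunk contents do not matter here
  std::shared_ptr<ArrayBuffer> ToArrayBuffer() {
    if (bytes_used == buffer->size()) return buffer;  // full: shared, no copy
    return std::make_shared<ArrayBuffer>(buffer->begin(), buffer->begin() + bytes_used);
  }
};
struct FileReaderLoader {
  ArrayBufferBuilder raw_data_;
  bool finished_loading_ = false;
  std::shared_ptr<ArrayBuffer> array_buffer_result_;
  explicit FileReaderLoader(size_t total) : raw_data_(total) {}
  // Pre-patch shape: the result is built before finished_loading_ is checked,
  // and that fresh result is returned even on the call that caches it.
  std::shared_ptr<ArrayBuffer> ResultVulnerable() {
    if (array_buffer_result_) return array_buffer_result_;
    std::shared_ptr<ArrayBuffer> result = raw_data_.ToArrayBuffer();
    if (finished_loading_) array_buffer_result_ = result;
    return result;
  }
  // Post-patch shape: a copy while still loading; the builder's buffer is
  // wrapped once, after finished_loading_ is set, and only that is returned.
  std::shared_ptr<ArrayBuffer> ResultFixed() {
    if (array_buffer_result_) return array_buffer_result_;
    if (!finished_loading_) return std::make_shared<ArrayBuffer>(*raw_data_.ToArrayBuffer());
    array_buffer_result_ = raw_data_.ToArrayBuffer();
    return array_buffer_result_;
  }
};
// Replays the timing described above: the final progress event fires once the last
// chunk has landed (finished_loading_ still false), then the load event fires.
bool ResultsAlias(std::shared_ptr<ArrayBuffer> (FileReaderLoader::*get)()) {
  FileReaderLoader loader(8);
  loader.raw_data_.Append(8);  // final chunk: the builder is now full
  std::shared_ptr<ArrayBuffer> progress = (loader.*get)();
  loader.finished_loading_ = true;
  std::shared_ptr<ArrayBuffer> load = (loader.*get)();
  return progress.get() == load.get();  // true means both events share one buffer
}
bool VulnerableAliases() { return ResultsAlias(&FileReaderLoader::ResultVulnerable); }
bool FixedAliases() { return ResultsAlias(&FileReaderLoader::ResultFixed); }
```

With shared_ptr the model cannot free memory out from under a holder, so the defect is shown as aliasing between two results the DOM treats as independently owned rather than as an actual crash.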
Exploitation approach
In the environment I chose, Chrome 72.0.3626.81 on 32-bit Windows 7, requesting a 1GB ArrayBuffer makes Chrome release 512MB of reserved memory; allocations are then placed in that 512MB region, with exception handling so that an OOM does not crash the process.
Calling FileReader.readAsArrayBuffer fires multiple onprogress events, and if the timing is right, the last two events return the same ArrayBuffer. Freeing the ArrayBuffer's memory through one of the pointers leaves the other as a dangling pointer that can still be dereferenced later. The freed region is then filled by spraying marked JavaScript objects (interspersed with TypedArrays) into the heap.
The marker is located through the dangling pointer. The address of any object can then be leaked by storing that object in a property of the found object and reading the property back through the dangling pointer. Corrupting the backing store of a sprayed TypedArray then gives arbitrary read and write access to the address space.
A WebAssembly module can then be loaded to map a 64KiB read/write/execute region into the address space, which avoids having to bypass DEP or build a ROP chain to run shellcode.
Using the arbitrary read/write primitive, walk the JSFunction object hierarchy of the functions exported by the WebAssembly module to find the address of the read/write/execute region. Replace the WebAssembly function's code with shellcode and execute it by calling the function.
Visiting the web page in the browser then results in arbitrary code execution.
Tips
I ran into many problems the first time I debugged the browser; the following notes may save others some detours.
Because Chrome runs in multi-process mode, there are several chrome processes while debugging. If you are new to browser vulnerabilities, it is easy to be confused about which process to debug and how. Chrome's built-in task manager helps identify the ID of the process to be debugged.
Here the process ID of the new tab is the PID we will attach to later.
Chrome needs symbols when debugging, which come from the symbol server provided by Google (loading symbols may require a proxy). In WinDbg, you can add it to the symbol search path with the following command, where c:\Symbols is the local cache directory:
.sympath+ SRV*c:\Symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Because of Chrome's sandbox, you need to disable the sandbox while debugging before arbitrary code can execute. The sandbox can be disabled by adding --no-sandbox to the shortcut's command line.
Because of the nature of this vulnerability, it may not succeed every time, but loading the script several times gives reliable exploitation.
The Chromium source code is on GitHub. When analyzing it, the Sourcegraph browser plug-in is recommended; it shows the definitions and references of variables.
When you need a specific version of Chrome, you can build it from source or find one of the sites on the Internet that archive successive Chrome releases.
When reading exploits or writing your own, pay attention to pointer handling in the V8 engine: V8 uses pointer compression, so a pointer seen in memory may differ from the actual address of the data.
After reading the above, have you grasped how to analyze the principle of CVE-2019-5786 and how it is exploited? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!