1. Session ID:
Session Classification: Advanced
HTA-T19
Core Security Technologies
Federico Muttis
BLACKBERRY PWNAGE
THE BLUEJAY STRIKES

2. INFO @THE MEDIA
▶ http://threatpost.com/en_us/blogs/iphone-blackberry-fall-second-day-pwn2own-031011
▶ http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401

3. INFO @THE MEDIA

4. INFO @THE MEDIA

5. BLACKBERRY DEVICESWITH KNOWNWORKING EXPLOIT
► Vulnerable devices (shortened list)
▶ Pearl family ▶ Curve family (< 9350) ▶ Storm family
▶ Tour 9630▶ Style 9670
▶ Bold 9650/9700/9780 ▶ Torch 9800

6. CVE-2010-4577
ARBITRARY READ

7. ► CSS Font Face Parsing Type Confusion Vulnerability
CVE-2010-4577 – PROOF OF CONCEPT
http://code.google.com/p/chromium/issues/detail?id=63866

8. IEEE 754 DOUBLE PRECISION FLOATING-POINT

9. ► CSS Font Face Parsing Type Confusion Vulnerability
CVE-2010-4577 – CRASH ANALYSIS
002ed594 80000000 01718618 chrome_68390000!WTF::StringImpl::create(wchar_t * characters = 0x80000000 "---
memory read error at address 0x80000000 ---", unsigned int length = 0x2cb)+0x24
[c:bslavechrome-officialbuildsrcthird_partywebkitjavascriptcorewtftextstringimpl.cpp @ 99]
80000000 41400000 00000454 chrome_68390000!WTF::String::String(wchar_t * characters = 0x80000000 "---
memory read error at address 0x80000000 ---", unsigned int length = 0x41400000)+0x21

10. ► CSS Font Face Parsing Type Confusion Vulnerability
CVE-2010-4577 – EXPLOITATION
Address Size

11. ► CSS Font Face Parsing Type Confusion Vulnerability
CVE-2010-4577 – EXPLOITATION
Address Size

12. A BLUEJAY APPEARS!

13. ► BlueJay’s early problems
DUMPINGTHEVIRTUAL ADDRESS SPACE
▶ Poor man’s solution

14. BLUEJAY AGENT DIAGRAM
Exploit
dispatcher
Memory read Pointer Leak Execute code
BlueJay
Server &
Console
Memory manager
HTML5
Spray
HTML5
Edit
HTTP PushBlueJay Agent

15. ► BlueJay’s helper – Java BlackBerry App.
DUMPINGTHEVIRTUAL ADDRESS SPACE
Browser running?
Yes
Reset backlight
timer
Restart browser
No

16. DUMPING DEMO

17. ► BlackBerry’s WebKit Browser main() routine
DISASSEMBLING AND SEARCHING FOR OLYMPIA

18. ► CVE-2010-4577 – Arbitrary memory read disassembly
DISASSEMBLING AND LOCATING CVE-2010-4577

19. BLACKBERRY PROCESS INTERNALS
▶ 0x4 write
▶ 0x16 allocexecmem
▶ 0x28 shmget
▶ 0x2b alloc
▶ 0x27 loadlibrary
▶ 0x29 shmat
▶ 0x2c sem_create
▶ 0x2d sem_unlink || sem_close
▶ 0x41 sendto?
▶ 0x46 mkfifo?
▶ 0x4a unlink
▶ 0x4c mkdir
▶ 0x5f open
▶ 0x61 lock related (flock/lockf?)
▶ 0x67 threads related
▶ Some syscalls (work in progress...)

20. CVE-2011-1290
CODE EXECUTION

21. ► Webkit Integer Overflow near 2011
SEARCHING FORTHEVULNERABILITIES
There is a buffer overflow vulnerability that was released in November 2010 but is
still present on the BlackBerry. (…). To exploit the vulnerability I have to set up the
heap in a specifc way so I can overflow a specific structure on the heap. This
structure is the internal representation for a piece of text on a website. The
vulnerability is in the handling of the text nodes, so this is a good target to
overflow. (…)
Once I have a stable way to organize the heap and reliably overflow the pointer to
the functions, we can start testing. The first test attempts to redirect execution to
code that already exists on the BlackBerry. Instead of the JavaScript nodeType call
returning the value 3, I redirect it to existing code elsewhere that returns 0. Now I
can control the execution flow in the browser.
Willem Pinckaers -

22. ► CVE-2011-1290 – Integer Overflow => Heap Overflow
EXPLOITING CVE-2011-1290
Heap
Overflow
Integer
Overflow

23. ► CVE-2011-1290 – Integer Overflow
DISASSEMBLING AND LOCATING CVE-2011-1290

24. ► CVE-2011-1290 – Integer Overflow
DISASSEMBLING AND LOCATING CVE-2011-1290

25. ► CVE-2011-1290 – Integer Overflow => Heap Overflow
DISASSEMBLING AND LOCATING CVE-2011-1290

26. ► CVE-2011-1290 – Integer Overflow => Heap Overflow
DISASSEMBLING AND LOCATING CVE-2011-1290

27. CHAININGTHE EXPLOITS

28. EXPLOITATION RECIPE
▶ 1. HTML5-Spray the process’s heap with a repeated pattern

29. EXPLOITATION RECIPE
▶ 1. HTML5-Spray the process’s heap with a repeated pattern
▶ 2. Leak a heap pointer using CVE-2011-0195
Pointer to a valid heap address

30. EXPLOITATION RECIPE
▶ 1. HTML5-Spray the process’s heap with a repeated pattern
▶ 2. Leak a heap pointer using CVE-2011-0195
▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature
Pointer to HTML5-Sprayed block
Pointer to a valid heap address
ignature signature signature signature signature signature signat
HTML5-Spray block

31. EXPLOITATION RECIPE
▶ 1. HTML5-Spray the process’s heap with a repeated pattern
▶ 2. Leak a heap pointer using CVE-2011-0195
▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature
sigptr+x sigptr+y shellcode
HTML5-Spray block
▶ 4. HTML5-Spray-Modify to fake a vtable
ignature signature signature signature signature signature signat
Pointer to HTML5-Sprayed block

32. EXPLOITATION RECIPE
▶ 1. HTML5-Spray the process’s heap with a repeated pattern
▶ 2. Leak a heap pointer using CVE-2011-0195
▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature
sigptr+x sigptr+y shellcode
HTML5-Spray block
▶ 4. HTML5-Spray-Modify to fake a vtable
▶ 5. Point the code execution exploit to your block
▶ 6. Achieve code execution!

33. BLUEJAYVS REAL DEVICE
sigptr sigptr shellcode
HTML5-Spray block

34. BLUEJAYVS SIMULATOR DEMO

35. SIMULATORVS DEVICE
▶ WebKit’s StyleElement::process()
▶ http://immunityinc.com/infiltrate/archives/webkit_heap.pdf

36. Q & A
▶ E-mail: fmuttis@gmail.com / acid@coresecurity.com
▶ Twitter: @acid_