2. INFO @THE MEDIA
▶ http://threatpost.com/en_us/blogs/iphone-blackberry-fall-second-day-pwn2own-031011
▶ http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401
21. ► Webkit Integer Overflow near 2011
SEARCHING FOR THE VULNERABILITIES
There is a buffer overflow vulnerability that was released in November 2010 but is
still present on the BlackBerry. (…). To exploit the vulnerability I have to set up the
heap in a specific way so I can overflow a specific structure on the heap. This
structure is the internal representation for a piece of text on a website. The
vulnerability is in the handling of the text nodes, so this is a good target to
overflow. (…)
Once I have a stable way to organize the heap and reliably overflow the pointer to
the functions, we can start testing. The first test attempts to redirect execution to
code that already exists on the BlackBerry. Instead of the JavaScript nodeType call
returning the value 3, I redirect it to existing code elsewhere that returns 0. Now I
can control the execution flow in the browser.
Willem Pinckaers -
29-32. EXPLOITATION RECIPE
▶ 1. HTML5-Spray the process’s heap with a repeated pattern
▶ 2. Leak a heap pointer using CVE-2011-0195
▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature
▶ 4. HTML5-Spray-Modify to fake a vtable
▶ 5. Point the code execution exploit to your block
▶ 6. Achieve code execution!
[Figure: heap layout diagram built up across slides 29-32: the leaked pointer to a valid heap address; the HTML5-Spray block filled with the repeated "signature" pattern; the pointer to the HTML5-Sprayed block; and the faked vtable entries (sigptr+x, sigptr+y) pointing into the shellcode within the sprayed block]