BLACKBERRY PWNAGE THE BLUEJAY STRIKES
Federico Muttis Core Security Technologies
Session ID: HTA-T19
Session Classification: Advanced

INFO @ THE MEDIA
▶ http://www.zdnet.com/blog/security/pwn2own-2011-blackberry-falls-to-webkit-browser-attack/8401
▶ http://threatpost.com/en_us/blogs/iphone-blackberry-fall-second-day-pwn2own-031011

BLACKBERRY DEVICES WITH KNOWN WORKING EXPLOIT
► Vulnerable devices (shortened list)
▶ Pearl family
▶ Curve family (< 9350)
▶ Storm family
▶ Style 9670
▶ Tour 9630
▶ Torch 9800
▶ Bold 9650/9700/9780

CVE-2010-4577 ARBITRARY READ

CVE-2010-4577 – PROOF OF CONCEPT
► CSS Font Face Parsing Type Confusion Vulnerability
▶ http://code.google.com/p/chromium/issues/detail?id=63866

IEEE 754 DOUBLE PRECISION FLOATING-POINT

CVE-2010-4577 – CRASH ANALYSIS
► CSS Font Face Parsing Type Confusion Vulnerability
002ed594 80000000 01718618 chrome_68390000!WTF::StringImpl::create(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x2cb)+0x24 [c:\b\slave\chrome-official\build\src\third_party\webkit\javascriptcore\wtf\text\stringimpl.cpp @ 99]
80000000 41400000 00000454 chrome_68390000!WTF::String::String(wchar_t * characters = 0x80000000 "--- memory read error at address 0x80000000 ---", unsigned int length = 0x41400000)+0x21
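Crash triage for the frame above, as an added example that is not part of the talk: the two argument words that WinDbg printed (characters = 0x80000000, length = 0x41400000) are reinterpreted as the single IEEE 754 double they came from, which is how a type confusion between a double and a (pointer, length) pair shows up in a stack trace. The script assumes the 32-bit little-endian layout of the x86 Chrome build in the trace, so the first argument holds the low word and the second the high word.

```python
import struct

# Words copied from the WTF::String::String frame in the crash dump above.
# On 32-bit x86 the first stack argument is the low half of an 8-byte value.
CHARACTERS_ARG = 0x80000000  # printed as the `characters` pointer
LENGTH_ARG = 0x41400000      # printed as the `length`


def words_to_double(low: int, high: int) -> float:
    """Reinterpret two 32-bit words (low, high) as one little-endian double."""
    return struct.unpack("<d", struct.pack("<II", low, high))[0]


def decode_double(value: float) -> dict:
    """Split a double into its IEEE 754 fields (unbiased exponent)."""
    bits = struct.unpack("<Q", struct.pack("<d", value))[0]
    return {
        "bits": bits,
        "sign": bits >> 63,
        "exponent": ((bits >> 52) & 0x7FF) - 1023,
        "mantissa": bits & ((1 << 52) - 1),
    }


def triage_frame(low: int, high: int) -> dict:
    """Describe a (pointer, length) argument pair that is really a double.

    A 'pointer' of 0x80000000 is not a plausible user-mode heap address on
    this build, and a 'length' of 0x41400000 is not a plausible string
    length; together they are the bit pattern of an ordinary double.
    """
    value = words_to_double(low, high)
    fields = decode_double(value)
    return {
        "double_value": value,            # 2097153.0 for the frame above
        "raw_bits": f"0x{fields['bits']:016x}",
        "exponent": fields["exponent"],
        "plausible_pointer": 0x00010000 <= low < 0x7FFF0000,
        "plausible_length": high < 0x10000000,
    }


if __name__ == "__main__":
    for key, val in triage_frame(CHARACTERS_ARG, LENGTH_ARG).items():
        print(f"{key}: {val}")
```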
CVE-2010-4577 – EXPLOITATION
► CSS Font Face Parsing Type Confusion Vulnerability
[Figure: heap layout, labelled Address / Size]

A BLUEJAY APPEARS!

DUMPING THE VIRTUAL ADDRESS SPACE
► BlueJay’s early problems
▶ Poor man’s solution

BLUEJAY AGENT DIAGRAM
[Diagram: BlueJay Agent: HTTP Push Server & Console; Exploit; Memory manager dispatcher; HTML5 Spray; HTML5 Edit; Memory read; Pointer leak; Execute code]

DUMPING THE VIRTUAL ADDRESS SPACE
► BlueJay’s helper – Java BlackBerry App.
[Flowchart: Browser running? No: Restart browser. Yes: Reset backlight timer]

DUMPING DEMO

DISASSEMBLING AND SEARCHING FOR OLYMPIA
► BlackBerry’s WebKit Browser main() routine

DISASSEMBLING AND LOCATING CVE-2010-4577
► CVE-2010-4577 – Arbitrary memory read disassembly

BLACKBERRY PROCESS INTERNALS
▶ Some syscalls (work in progress...)
▶ 0x4 write
▶ 0x16 allocexecmem
▶ 0x28 shmget
▶ 0x2b alloc
▶ 0x27 loadlibrary
▶ 0x29 shmat
▶ 0x2c sem_create
▶ 0x2d sem_unlink || sem_close
▶ 0x41 sendto?
▶ 0x46 mkfifo?
▶ 0x4a unlink
▶ 0x4c mkdir
▶ 0x5f open
▶ 0x61 lock related (flock/lockf?)
▶ 0x67 threads related

CVE-2011-1290 CODE EXECUTION

SEARCHING FOR THE VULNERABILITIES
► WebKit Integer Overflow near 2011
There is a buffer overflow vulnerability that was released in November 2010 but is still present on the BlackBerry. (…). To exploit the vulnerability I have to set up the heap in a specific way so I can overflow a specific structure on the heap. This structure is the internal representation for a piece of text on a website. The vulnerability is in the handling of the text nodes, so this is a good target to overflow. (…)
Once I have a stable way to organize the heap and reliably overflow the pointer to the functions, we can start testing. The first test attempts to redirect execution to code that already exists on the BlackBerry. Instead of the JavaScript nodeType call returning the value 3, I redirect it to existing code elsewhere that returns 0. Now I can control the execution flow in the browser.
Willem Pinckaers

EXPLOITING CVE-2011-1290
► CVE-2011-1290 – Integer Overflow => Heap Overflow
[Figure: Integer Overflow / Heap Overflow]

DISASSEMBLING AND LOCATING CVE-2011-1290
► CVE-2011-1290 – Integer Overflow
► CVE-2011-1290 – Integer Overflow => Heap Overflow

CHAINING THE EXPLOITS

EXPLOITATION RECIPE
▶ 1. HTML5-Spray the process’s heap with a repeated pattern
▶ 2. Leak a heap pointer using CVE-2011-0195
▶ 3. Walk between [ptr-128k, ptr+128k] looking for the signature
▶ 4. HTML5-Spray-Modify to fake a vtable
▶ 5. Point the code execution exploit to your block
▶ 6. Achieve code execution!
[Figure: leaked pointer to a valid heap address; pointer to the HTML5-Sprayed block; the block is filled with the repeated signature, then modified to signature, sigptr+x, signature, sigptr+y, signature, ..., shellcode]

BLUEJAY VS REAL DEVICE
[Figure: HTML5-Spray block: sigptr, sigptr, shellcode]

BLUEJAY VS SIMULATOR

DEMO

SIMULATOR VS DEVICE
▶ WebKit’s StyleElement::process()
▶ http://immunityinc.com/infiltrate/archives/webkit_heap.pdf

Q & A
▶ E-mail: [email protected] / [email protected]
▶ Twitter: @acid_