Classic Vulnerabilities (ACCU Keynote 2022)
0 likes•755 views
The document discusses various vulnerabilities related to heap exploitation, including historical insights and specific cases like CVE-2019-2215, along with techniques for exploiting these vulnerabilities. It also features a detailed code analysis on memory allocation and deallocation practices that could lead to vulnerabilities in C++ programs. The final sections address traditional mitigations and tools for detecting these types of memory issues.
![TurtleSec
@pati_gallardo 19
Metadata stored in the heap
Mem
block
Mem
block
allocated_blocks[tag]
Next
Previous](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-19-320.jpg)
![TurtleSec
@pati_gallardo 21
@pati_gallardo
1. static void Z_RemoveBlock(memblock_t * block) {
2. // Unlink from list
3.
4. if (block->prev == nullptr) {
5. // Start of list
6.
7. allocated_blocks[block->tag] = block->next;
8. } else {
9. block->prev->next = block->next;
10. }
11.
12. if (block->next != nullptr) {
13. block->next->prev = block->prev;
14. }
15. }
16.
Classic unlinking from a
doubly linked list
src/z_native.cpp](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-21-320.jpg)
![TurtleSec
@pati_gallardo 22
22
@pati_gallardo
src/z_native.cpp
1. static void Z_RemoveBlock(memblock_t * block) {
2. if (block->prev == nullptr) {
3. allocated_blocks[block->tag] = block->next;
4. } else {
5. block->prev->next = block->next;
6. }
7. if (block->next != nullptr) {
8. block->next->prev = block->prev;
9. }
10. }
block block->next
block->prev](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-22-320.jpg)
![TurtleSec
@pati_gallardo 24
24
@pati_gallardo
1. static void Z_RemoveBlock(memblock_t * block) {
2. if (block->prev == nullptr) {
3. allocated_blocks[block->tag] = block->next;
4. } else {
5. block->prev->next = block->next;
6. }
7. if (block->next != nullptr) {
8. block->next->prev = block->prev;
9. }
10. }
where
where what
If we control block->prev
we control the where this write will happen
(adjusted for the offset of next)
If we control block->next
we control what to write there
src/z_native.cpp
Write-What-Where](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-24-320.jpg)
![TurtleSec
@pati_gallardo 27
27
@pati_gallardo
1. static void Z_RemoveBlock(memblock_t * block) {
2. if (block->prev == nullptr) {
3. allocated_blocks[block->tag] = block->next;
4. } else {
5. block->prev->next = block->next;
6. }
7. if (block->next != nullptr) {
8. block->next->prev = block->prev;
9. }
10. }
block block->next
block->prev
src/z_native.cpp
next offset &where:NULL &what: 0x42424242
block->prev->next =
block->prev + next offset](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-27-320.jpg)
![TurtleSec
@pati_gallardo 59
CVE-2017-15416
@pati_gallardo 59
"Heap buffer overflow in
Blob API in Google Chrome
[...] allowed a remote
attacker to potentially
exploit heap corruption"](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-59-320.jpg)
![TurtleSec
@pati_gallardo 64
CVE-2021-30860
@pati_gallardo 64
"An integer overflow was
addressed [...] Processing a
maliciously crafted PDF may
lead to arbitrary code
execution."](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-64-320.jpg)
![TurtleSec
@pati_gallardo 65
@pati_gallardo
Guint numSyms;
numSyms = 0;
for (i = 0; i < nRefSegs; ++i) {
if ((seg = findSegment(refSegs[i]))) {
if (seg->getType() == jbig2SegSymbolDict) {
numSyms += ((JBIG2SymbolDict *)seg)->getSize();
} else if (seg->getType() == jbig2SegCodeTable) {
codeTables->append(seg);
}
} else {
error(errSyntaxError, getPos(),
"Invalid segment reference in JBIG2 text region");
delete codeTables;
return;
}
}
// ...
// get the symbol bitmaps
syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));
kk = 0;
for (i = 0; i < nRefSegs; ++i) {
if ((seg = findSegment(refSegs[i]))) {
if (seg->getType() == jbig2SegSymbolDict) {
symbolDict = (JBIG2SymbolDict *)seg;
for (k = 0; k < symbolDict->getSize(); ++k) {
syms[kk++] = symbolDict->getBitmap(k);
}
}
}
}
32 bit uint
Increment with
attacker controlled
data
Allocate a buffer
too small based
on wrapped uint
Overflow too small
buffer](https://image.slidesharecdn.com/classicvulnerabilitiesaccukeynote20221-220408111204/85/Classic-Vulnerabilities-ACCU-Keynote-2022-65-320.jpg)
Classic Vulnerabilities (ACCU Keynote 2022)
- 2. TurtleSec @pati_gallardo 2 @pati_gallardo 2 TurtleSec Living in the future
- 3. TurtleSec @pati_gallardo 3 TurtleSec @pati_gallardo 3 2000 2022 Zoomers: Taylor Swift was 11 Boomers: Y2K Systems Programming Binary Exploitation
- 4. TurtleSec @pati_gallardo 4 Classic Vulnerabilities ACCU 2022 Patricia Aas Turtle Sec
- 5. TurtleSec @pati_gallardo 5 Patricia Aas - Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
- 6. TurtleSec @pati_gallardo 6 @pati_gallardo 6 Mod(C++) TurtleSec Intermediate Fundamentals Wha do I kno ?
- 7. TurtleSec @pati_gallardo 7 (In)Secure C++ @pati_gallardo 7 TurtleSec Wha do I kno ?
- 9. TurtleSec @pati_gallardo 9 @pati_gallardo 9 2000 Do Com I finished my bachelor TurtleSec I started my bachelor
- 10. TurtleSec @pati_gallardo 10 2000 : 22 years ago Say My Name - Destiny's Child Bye Bye Bye - *NSYNC
- 11. TurtleSec @pati_gallardo 11 In July 2000 Solar Designer (Alexander Peslyak) introduced the first Generic Heap Exploitation Technique
- 12. TurtleSec @pati_gallardo 12 @pati_gallardo 12 TurtleSec Doug Lea's malloc The idea was to create a portable exploit that worked against many applications
- 13. TurtleSec @pati_gallardo 13 ● JPEG COM Marker Processing Vulnerability (CVE-2000-0655), Solar Designer, https://www.openwall.com/articles/JPEG-COM-Marker-Vulnerability ● Vudo malloc tricks, MaXX, 2001-08-11 Phrack Magazine, http://phrack.org/issues/57/8.html ● Once upon a free()..., anonymous, 2001-08-11 Phrack Magazine, http://phrack.org/issues/57/9.html ● The Heap: Once upon a free() - bin 0x17, LiveOverflow, https://youtu.be/gL45bjQvZSU ● The Heap: dlmalloc unlink() exploit - bin 0x18, LiveOverflow, https://youtu.be/HWhzH--89UQ ● Alexander Peslyak (Solar Designer), https://en.wikipedia.org/wiki/Solar_Designer Unlink Vulnerability Resources
- 15. TurtleSec @pati_gallardo 15 @pati_gallardo 15 TurtleSec Chocolate-Doom Source port of the original Doom game from the early 90s
- 16. TurtleSec @pati_gallardo 16 @pati_gallardo 16 TurtleSec Z_Malloc Allocator for Doom has a metadata section used to manage the memory
- 17. TurtleSec @pati_gallardo 17 @pati_gallardo 17 memblock_t* sizeof(memblock_t) sizeof(floormove_t) Z_Malloc : Doom allocations void* 1. floormove_t * floor = 2. (floormove_t *) Z_Malloc(sizeof(floormove_t), PU_LEVSPEC, NULL); tag user
- 18. TurtleSec @pati_gallardo 18 18 @pati_gallardo memblock_t 1. struct memblock_t { 2. int id; // = ZONEID 3. int tag; 4. int size; 5. void ** user; 6. memblock_t * prev; 7. memblock_t * next; 8. }; tag user Doubly linked list src/z_native.cpp z_native is an implementation of Z_Malloc memblock_t Memory allocated
- 19. TurtleSec @pati_gallardo 19 Metadata stored in the heap Mem block Mem block allocated_blocks[tag] Next Previous
- 20. TurtleSec @pati_gallardo 20 @pati_gallardo 1. void Z_Free(void * ptr) { 2. auto * byte_ptr = static_cast<uint8_t *>(ptr); 3. auto * block = reinterpret_cast<memblock_t *>(byte_ptr - sizeof(memblock_t)); 4. 5. if (block->id != ZONEID) { 6. I_Error("Z_Free: freed a pointer without ZONEID"); 7. } 8. 9. if (block->tag != PU_FREE && block->user != nullptr) { 10. // clear the user's mark 11. 12. *block->user = nullptr; 13. } 14. 15. Z_RemoveBlock(block); 16. 17. // Free back to system 18. 19. free(block); 20. } Metadata on allocation stored adjacent to the allocated heap memory Before freeing the memory, remove the block from internal data structures src/z_native.cpp
- 21. TurtleSec @pati_gallardo 21 @pati_gallardo 1. static void Z_RemoveBlock(memblock_t * block) { 2. // Unlink from list 3. 4. if (block->prev == nullptr) { 5. // Start of list 6. 7. allocated_blocks[block->tag] = block->next; 8. } else { 9. block->prev->next = block->next; 10. } 11. 12. if (block->next != nullptr) { 13. block->next->prev = block->prev; 14. } 15. } 16. Classic unlinking from a doubly linked list src/z_native.cpp
- 22. TurtleSec @pati_gallardo 22 22 @pati_gallardo src/z_native.cpp 1. static void Z_RemoveBlock(memblock_t * block) { 2. if (block->prev == nullptr) { 3. allocated_blocks[block->tag] = block->next; 4. } else { 5. block->prev->next = block->next; 6. } 7. if (block->next != nullptr) { 8. block->next->prev = block->prev; 9. } 10. } block block->next block->prev
- 23. TurtleSec @pati_gallardo 23 @pati_gallardo 23 TurtleSec Insight If we can control both sides of an allocation we can create a Write-What-Where primitive
- 24. TurtleSec @pati_gallardo 24 24 @pati_gallardo 1. static void Z_RemoveBlock(memblock_t * block) { 2. if (block->prev == nullptr) { 3. allocated_blocks[block->tag] = block->next; 4. } else { 5. block->prev->next = block->next; 6. } 7. if (block->next != nullptr) { 8. block->next->prev = block->prev; 9. } 10. } where where what If we control block->prev we control the where this write will happen (adjusted for the offset of next) If we control block->next we control what to write there src/z_native.cpp Write-What-Where
- 25. TurtleSec @pati_gallardo 25 @pati_gallardo 25 TurtleSec Proof of Concept Corrupt the memblock_t metadata before freeing the memory
- 26. TurtleSec @pati_gallardo 26 @pati_gallardo 1. void * guard = Z_Malloc(10, PU_LEVEL, nullptr); 2. void * ptr = Z_Malloc(10, PU_LEVEL, nullptr); 3. void * guard2 = Z_Malloc(10, PU_LEVEL, nullptr); 4. 5. auto * byte_ptr = ( uint8_t *) ptr; 6. auto * header = ( memblock_t *) (byte_ptr - sizeof(memblock_t)); 7. 8. long * where = nullptr; 9. long ** where_ptr = &where; 10. long what = 0x42424242; 11. long * what_ptr = &what; 12. 13. auto distance = (uint8_t*)(&(header->next)) - (uint8_t*) header; 14. uint8_t * byte_where_ptr = ( uint8_t*) where_ptr; 15. uint8_t * adjusted_byte_where_ptr = byte_where_ptr - distance; 16. 17. header->prev = (memblock_t *) adjusted_byte_where_ptr; 18. header->next = (memblock_t *) what_ptr; 19. 20. assert(where == nullptr); 21. Z_Free(ptr); 22. assert(where != nullptr); 23. assert(*where == 0x42424242); Free memory - unlink happens Adjust what for distance to next Allocate memory Get memblock* Prepare where Prepare what where has been set to what
- 27. TurtleSec @pati_gallardo 27 27 @pati_gallardo 1. static void Z_RemoveBlock(memblock_t * block) { 2. if (block->prev == nullptr) { 3. allocated_blocks[block->tag] = block->next; 4. } else { 5. block->prev->next = block->next; 6. } 7. if (block->next != nullptr) { 8. block->next->prev = block->prev; 9. } 10. } block block->next block->prev src/z_native.cpp next offset &where:NULL &what: 0x42424242 block->prev->next = block->prev + next offset
- 28. TurtleSec @pati_gallardo 28 @pati_gallardo 28 TurtleSec Traditional mitigation Check the pointers before unlinking
- 29. TurtleSec @pati_gallardo 29 29 @pati_gallardo block block->next block->prev src/z_native.cpp 1. // ... 2. if (block->prev->next != block) 3. exit(1); 4. block->prev->next = block->next; 5. // ... 6. if (block->next->prev != block) 7. exit(1); 8. block->next->prev = block->prev; 9. // ...
- 30. TurtleSec @pati_gallardo 30 @pati_gallardo 30 TurtleSec How to exploit Using a heap buffer overflow
- 31. TurtleSec @pati_gallardo 31 31 @pati_gallardo Heap Grooming to overwrite adjacent memory 1. struct memblock_t { 2. int id; 3. int tag; 4. int size; 5. void ** user; 6. memblock_t * prev; 7. memblock_t * next; 8. }; memblock_t *next void ** user Overflow block To be freed memblock_t *prev Overflow block Overflow block To be freed padding int tag int id int size
- 32. TurtleSec @pati_gallardo 32 32 @pati_gallardo Heap Grooming to overwrite adjacent memory 1. struct memblock_t { 2. int id; 3. int tag; 4. int size; 5. void ** user; 6. memblock_t * prev; 7. memblock_t * next; 8. }; &what void ** user Overflow block To be freed &where - distance Overflow block Overflow block To be freed padding int tag int id int size
- 33. TurtleSec @pati_gallardo 33 @pati_gallardo 33 TurtleSec How to find them Hard to find without in-code checks This is valid memory that is being corrupted.
- 34. TurtleSec @pati_gallardo 34 @pati_gallardo 34 Test case fails in ASan Global-buffer-overflow on address 0x0001083a58b8 at pc 0x000107d40d1b bp 0x7ffee84542b0 sp 0x7ffee84542a8 WRITE of size 8 at 0x0001083a58b8 thread T0 0x107d40d1a Z_RemoveBlock z_native.cpp:109 0x107d4054c Z_Free z_native.cpp:138 0x1078b6e85 ____C_A_T_C_H____T_E_S_T____12 test_z_native.cpp:97 0x1079614a2 Catch::TestInvokerAsFunction::invoke const catch.hpp:14321 0x10793442d Catch::TestCase::invoke const catch.hpp:14160 0x10793408a Catch::RunContext::invokeActiveTestCase catch.hpp:13020 0x107925d11 Catch::RunContext::runCurrentTest catch.hpp:12985 0x107921d40 Catch::RunContext::runTest catch.hpp:12754 0x10794637c Catch::TestGroup::execute catch.hpp:13347 0x10794335d Catch::Session::runInternal catch.hpp:13553 0x1079421c2 Catch::Session::run catch.hpp:13509 0x1079d01fd Catch::Session::run<…> catch.hpp:13231 0x1079cfd93 main catch.hpp:17526 0x7fff2055ef3c start
- 35. TurtleSec @pati_gallardo 35 ● PR: https://github.com/chocolate-doom/chocolate-doom/pull/1454 ● PoC https://gist.github.com/patricia-gallardo/e8aef21a397b8c928a3aae9e4ae8445f ● Issue: https://github.com/chocolate-doom/chocolate-doom/issues/1453 Doom Vulnerability Resources
- 37. TurtleSec @pati_gallardo 37 @pati_gallardo 37 TurtleSec Bad Binder: Android In-The-Wild Exploit CVE-2019-2215
- 38. TurtleSec @pati_gallardo 38 @pati_gallardo 38 CVE-2019-2215 "A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel."
- 39. TurtleSec @pati_gallardo 39 Kernel space User space Caller Callee Binder Driver: /dev/binder Binder: Androids IPC mechanism
- 40. TurtleSec @pati_gallardo 40 TurtleSec @pati_gallardo 40 NSO Group is an Israeli technology firm. They have a product called Pegasus that enables remote surveillance of smartphones. The Bad Binder Android exploit was attributed to NSO Group. When it was reported it was being used in the wild. Threat Actor: NSO Group
- 41. TurtleSec @pati_gallardo 41 @pati_gallardo 41 TurtleSec Information available Arbitrary kernel read/write primitive CONFIG_DEBUG_LIST breaks the primitive
- 42. TurtleSec @pati_gallardo 42 @pati_gallardo 1. void __list_del_entry(struct list_head *entry) { 2. struct list_head *prev, *next; 3. prev = entry->prev; 4. next = entry->next; 5. 6. if (WARN(next == LIST_POISON1, 7. "list_del corruption, %p->next is LIST_POISON1 (%p)n", 8. entry, LIST_POISON1) || 9. WARN(prev == LIST_POISON2, 10. "list_del corruption, %p->prev is LIST_POISON2 (%p)n", 11. entry, LIST_POISON2) || 12. WARN(prev->next != entry, 13. "list_del corruption. prev->next should be %p, " 14. "but was %pn", entry, prev->next) || 15. WARN(next->prev != entry, 16. "list_del corruption. next->prev should be %p, " 17. "but was %pn", entry, next->prev)) { 18. BUG_ON(PANIC_CORRUPTION); 19. return; 20. } 21. __list_del(prev, next); 22. } lib/list_debug.c CONFIG_DEBUG_LIST breaks the primitive by enabling this check This might look familiar This is the standard unlink vuln mitigation
- 43. TurtleSec @pati_gallardo 43 @pati_gallardo 43 TurtleSec How to exploit Use After Free
- 44. TurtleSec @pati_gallardo 44 Allocation Exploitation Deallocation Heap: Use After Free P N P N Where What Memory is reallocated: used for attacker controlled data When unlinking is performed after free, this becomes a read/write primitive
- 45. TurtleSec @pati_gallardo 45 The unlinking is done in privileged code therefore this becomes: Use-after-free leading to arbitrary kernel read/write primitive
- 46. TurtleSec @pati_gallardo 46 @pati_gallardo 46 TurtleSec How to find them Address Sanitizer Static Analysis usually doesn't work very well for Use After Free
- 47. TurtleSec @pati_gallardo 47 Tools: Use After Free 1. void TXT_OpenURL(cstring_view url) { 2. size_t cmd_len = url.size() + 30; 3. char * cmd = static_cast<char *>(malloc(cmd_len)); 4. 5. // ... 6. 7. int retval = system(cmd); 8. free(cmd); 9. if (retval != 0) { 10. fmt::fprintf(stderr, 11. "error executing '%s'; return code %dn", 12. cmd, retval); 13. } 14. } textscreen/txt_window.cpp "Local variable 'cmd' may point to deallocated memory" Clang-Tidy: "Use of memory after it is freed"
- 48. TurtleSec @pati_gallardo 48 ● Bad Binder: Finding an Android In The Wild (video), Maddie Stone, https://youtu.be/TAwQ4ezgEIo ● Bad Binder: Finding an Android In The Wild (blog post), Maddie Stone, https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wil d-exploit.html ● CVE-2019-2215, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2215 ● Issue 1942: Android: Use-After-Free in Binder driver, https://bugs.chromium.org/p/project-zero/issues/detail?id=1942 CVE-2019-2215 Resources
- 51. TurtleSec @pati_gallardo 51 Ho In Herre Dilemma f . Kelly Rowland 2002 : 20 years ago
- 52. TurtleSec @pati_gallardo 52 ● Basic Integer Overflows, blexim, 2002-12-28 Phrack Magazine, http://phrack.org/issues/60/10.html Integer Overflows Resources
- 53. TurtleSec @pati_gallardo 53 @pati_gallardo 53 TurtleSec Signed Integer Overflow Unsigned Int Wraparound
- 54. TurtleSec @pati_gallardo 54 Copying buffers first second buf first second first_len second_len buf_len Is it safe to copy first and second into buf? 1. if(first_len + second_len < buf_len) 2. copy(first, second, buf);
- 55. TurtleSec @pati_gallardo 55 second_len MAX_INT Exploitation: Buffer Overflow first second buf first second first_len buf_len 1. if(first_len + second_len < buf_len) 2. copy(first, second, buf); Signed Integer Overflow Result is negative Buffer Overflow
- 56. TurtleSec @pati_gallardo 56 buf_len (small) second_len MAX_UINT Exploitation: Buffer Overflow first second buf first second first_len 1. buf_len = first_len + second_len; 2. buf = allocate(buf_len); 3. copy(first, second, buf); Unsigned Integer Wraparound Result is small Buffer Overflow
- 59. TurtleSec @pati_gallardo 59 CVE-2017-15416 @pati_gallardo 59 "Heap buffer overflow in Blob API in Google Chrome [...] allowed a remote attacker to potentially exploit heap corruption"
- 60. TurtleSec @pati_gallardo 60 Example: CVE-2017-15416 Heap buffer overflow in Blob API in Google Chrome 1. // Validate our reference has good offset & length. 2. - if (input_element.offset() + length > ref_entry->total_size()) { 3. + uint64_t end_byte; 4. + if (!base::CheckAdd(input_element.offset(), length) 5. + .AssignIfValid(&end_byte) || 6. + end_byte > ref_entry->total_size()) { 7. status = BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS; 8. return; 9. } chromium/storage/browser/blob/blob_storage_context.cc Check against ref_entry total_size Assign to end_byte If add is safe
- 61. TurtleSec @pati_gallardo 61 ● CVE-2017-15416, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15416 ● CVE-2017-15416 (fix), https://chromium.googlesource.com/chromium/src.git/+/11bd4bc92f3fe704 631e3e6ad1dd1a4351641f7c%5E%21/ ● Popping Calc with Hardware Vulnerabilities CVE-2017-15416 (exploitation), Stephen Roettger, https://youtu.be/ugZzQvXUTIk CVE-2017-15416 Resources
- 63. TurtleSec @pati_gallardo 63 @pati_gallardo 63 TurtleSec Apple iOS, iPadOS and macOS CVE-2021-30860
- 64. TurtleSec @pati_gallardo 64 CVE-2021-30860 @pati_gallardo 64 "An integer overflow was addressed [...] Processing a maliciously crafted PDF may lead to arbitrary code execution."
- 65. TurtleSec @pati_gallardo 65 @pati_gallardo Guint numSyms; numSyms = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { numSyms += ((JBIG2SymbolDict *)seg)->getSize(); } else if (seg->getType() == jbig2SegCodeTable) { codeTables->append(seg); } } else { error(errSyntaxError, getPos(), "Invalid segment reference in JBIG2 text region"); delete codeTables; return; } } // ... // get the symbol bitmaps syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *)); kk = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { symbolDict = (JBIG2SymbolDict *)seg; for (k = 0; k < symbolDict->getSize(); ++k) { syms[kk++] = symbolDict->getBitmap(k); } } } } 32 bit uint Increment with attacker controlled data Allocate a buffer too small based on wrapped uint Overflow too small buffer
- 66. TurtleSec @pati_gallardo 66 ● A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution, Project Zero team at Google, https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zer o-click.html ● FORCEDENTRY, https://en.wikipedia.org/wiki/FORCEDENTRY ● CVE-2021-30860, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860 ● FORCEDENTRY: Sandbox Escape, Ian Beer & Samuel Groß, https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-esc ape.html CVE-2021-30860 Resources
- 67. TurtleSec @pati_gallardo 67 @pati_gallardo 67 TurtleSec How to find them UB Sanitizer Integer Sanitizer
- 68. TurtleSec @pati_gallardo 68 @pati_gallardo 68 C++20 Safe Integer Comparisons 1. #include <utility> 2. 3. int main() 4. { 5. static_assert( sizeof(int) == 4 ); 6. 7. static_assert( -1 > 1U ); 8. static_assert( 0xFFFFFFFFU > 1U ); 9. static_assert( 0xFFFFFFFFU == static_cast<unsigned>(-1) ); 10. 11. static_assert( std::cmp_less( -1, 1U ) ); 12. static_assert( std::cmp_less_equal( -1, 1U ) ); 13. static_assert( ! std::cmp_greater( -1, 1U ) ); 14. static_assert( ! std::cmp_greater_equal( -1, 1U ) ); 15. 16. static_assert( -1 == 0xFFFFFFFFU ); 17. static_assert( std::cmp_not_equal( -1, 0xFFFFFFFFU ) ); 18. } Example Code from cppreference.com C++20
- 70. TurtleSec @pati_gallardo 70 Rihanna - Rude Boy Lady Gaga - Bad Romance 2010 : 12 years ago
- 72. TurtleSec @pati_gallardo 72 ● A Eulogy for Format Strings, Captain Planet, 2010-11-17 Phrack Magazine, http://phrack.org/issues/67/9.html ● Advances in format string exploitation, riq & gera, 2002-07-28 Phrack Magazine, http://phrack.org/issues/59/7.html Format String Vulnerability Resources
- 74. TurtleSec @pati_gallardo 74 Format String Features A couple of Lesser Known @pati_gallardo 74 TurtleSec
- 75. TurtleSec @pati_gallardo 75 @pati_gallardo TurtleSec field_width.c 1. int main(void) { 2. printf("% 17dn", 10); 3. printf("% *dn", 18, 10); 4. printf("%2$ *1$dn", 19, 10); // Direct Access 5. } $ clang -o field_width field_width.c $ ./field_width 10 10 10 Field width 17 18 19
- 76. TurtleSec @pati_gallardo 76 @pati_gallardo TurtleSec chars_written_1.c 1. int main(void) { 2. int num = 0; 3. printf("abcdef%nn", &num); 4. printf("%dn", num); 5. } $ clang -o chars_written chars_written_1.c $ ./chars_written abcdef 6 Chars written
- 77. TurtleSec @pati_gallardo 77 @pati_gallardo TurtleSec chars_written_2.c 1. int main(void) { 2. int num = 0; 3. printf("%42d%nn", 1, &num); // Field width 4. printf("%dn", num); 5. } $ clang -o chars_written chars_written_2.c $ ./chars_written 1 42 Chars written 42
- 79. TurtleSec @pati_gallardo 79 @pati_gallardo 79 TurtleSec Apple iOS CVE-2021-30800
- 80. TurtleSec @pati_gallardo 80 CVE-2021-30800 @pati_gallardo 80 "Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution."
- 82. TurtleSec @pati_gallardo 82 @pati_gallardo 82 TurtleSec How to find them Address Sanitizer GCC & Clang: -Wformat=2
- 84. TurtleSec @pati_gallardo 84 @pati_gallardo 84 TurtleSec Living in the future
- 85. TurtleSec @pati_gallardo 85 Cross community learning @pati_gallardo 85 TurtleSec
- 86. TurtleSec @pati_gallardo 86 Questions? Photos from pixabay.com and Wikipedia Patricia Aas, TurtleSec Turtle Sec