2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities on win7jre7 in one minute

Exploit Your Java Native
Vulnerabilities on Win7/JRE7 in One
Minute
Or how to exploit a single java vulnerability
in three different ways

Today we are not talking about how to
find 0day java native vulnerabilities, but
how to “cook” them

About me
• Architect, Trend Micro China
Development Center
• Interested in vulnerabilities,
sandbox technique, anti-APT
solution
• Hardcore ACG otaku

Agenda
• Background
• The vulnerability
• Exploit method 1
• Conclusion

What is java native vulnerability?
• Vulnerability which exists in JRE native code
(C/C++ code)
– Stack overflow
– Heap overflow
– Buffer overflow/underflow
– …
• Aka, java memory corruption vulnerability

Trends of Java native vulnerability

Exploit Java native vulnerability
• JRE 6
– No DEP, ASLR
– Find a schoolchild and teach him Heap Spray
• JRE 7
– Opt-in DEP, ASLR, windows 7, windows 8 …
– Hmmm, seems much harder ?
– Actually not so hard, we will show you how to in
this presentation

CVE-2013-1491
• Found by Joshua J. Drake (jduck)
• Used on Pwn2013, defeated JRE 7 +
Windows8 (Accuvant Lab's White Paper)
• We also discovered the same issue in Feb
2013, via our java font fuzzer, and finished the
exploits in April 2013

CFF Font Instructions
• Compact Font Format, or Type2 font
• You can write instructions (byte codes) to help
building a character at runtime
private static native long
0A: call sub routine
0B: return from sub routine
0C 0A: add
0C 0B: sub
0C 0C: div
0C 0D: load
stack

Related Data Structures
• TopDictInfo
– buildCharArray – dynamic allocated array
– reg_WeightVector – static array in the structure

The two vulnerable instructions
• store [0, j, index, count]
• load [0, index, count]
No array boundary checks on store/load !

What can we do with it
• Read/Write arbitrary 16-bit range in the
buildCharArray and regWeightVector
• By over writing the buildCharArray pointer,
we can achieve arbitrary address read/write

Example
Initial State
T->topDictData
…
buildCharArray
…
reg_WeightVector
0x2000000
0x200087c
0x20007b4
0x2100000

Step1
put(0, 0x0c0c0c0c)
T->topDictData
…
buildCharArray
…
reg_WeightVector
0x2000000
0x200087c
0x20007b4
0x2100000
0c0c0c0c
buildCharArray[0] = 0x0c0c0c0c;

Step2
store(0, -18, 0, 1)
T->topDictData
…
buildCharArray
…
reg_WeightVector
0x2000000
0x200087c
0x20007b4 0x2100000
0c0c0c0c
reg_WeightVector[-18] = buildCharArray[0];

Step3
put(0, 0x41414141)
T->topDictData
…
buildCharArray
…
reg_WeightVector
0x2000000
0x200087c
0x20007b4
0x0c0c0c0c
41414141
buildCharArray[0] = 0x41414141;

Information Leak
• Read a function pointer from the structure
• Sub a pre-computed offset from the function
pointer address, to get base address of t2k.dll
• Get other dll base (e.g. msvcrt) from IAT of
t2k.dll

ROP
1. Write ROP gadgets into buildCharArray
2. Set jmp_buf->eip to the first ROP instruction
3. Set jmp_buf->esp to buildCharArray
4. Trig an internal error to call longjmp
struct TopDictInfo {
tsiMemObject *mem;
…
}
struct
tsiMemObject {
…
jmp_buf env;
…
}
…
esp
…
…
eip

Overwrite Array Length +
Statement

Java Array in memory
Object
Head length a[0] a[1] … a[n]
8 bytes 4 bytes
If we can overwrite the length field, then we can read/write
out of the bound of this java array

Overwrite Array length
• Set buildCharArray to 0x23ad27d8 (this address may
vary in different OS)
• Write “0x7fffffff” to 0x23ad27d8, which will be the
new array length

Overwrite ACC in Statement Object
• Statement: call method on a target object
• AccessControlContext: check permission on
privileged operations

Overwrite ACC in Statement Object
• When a new statement is created, the acc is set to
the “snapshot” of current calling context
• If you created the statement in low privileged code,
the acc will be a low privileged ACC
• We can replace the acc with a powerful ACC in
memory
Object
Head acc target … ……
Statement Object memory layout
Powerful
ACC

Method 2 – Exploit Procedure
length
data
1. Allocate arrays
acc
statement2. Allocate statement
object right after the array
Memory Space
3. Overwrite array length
new length
4. Overwrite acc in statement
powerful acc

Demo
• Exploit CVE-2013-1491 using Array length
overwriting + Statement

Method2 - Limitation
• You need to be able to overwrite memory of
Java Object Heap
JVM
java object heapjava native heap
Java
object
Java
Array
Default heap
of JRE native
code

History of JIT Spray
• Dion Blazakis - interpreter exploitation:
pointer inference and spraying
• Alexey Sintsov- Writing JIT shellcode for fun
and profit
• TT Tsai - The Flash JIT Spraying is Back

History of JIT Spray
• Mostly focus on flash
• No practical POC & Guide on Java

Java JIT Compiler
Java compiler,
into byte code in class file
JIT compiler, into native code

Java JIT Compiler (.cont)
• View JIT generated code
– -XX:+UnlockDiagnosticVMOptions -
XX:+PrintAssembly
• CompileThreshold
– Only when a function is called > CompileThreshold
times, it will be JITed
– Default value: 1500 for client JVM

XOR in java JIT compiler
public int spray(int a) {
int b = a;
b ^= 0x90909090;
b ^= 0x90909090;
b ^= 0x90909090;
return b;
}
0x01c21507: cmp 0x4(%ecx),%eax
0x01c2150a: jne 0x01bbd100 ;
0x01c21510: mov %eax,0xffffc000(%esp)
0x01c21517: push %ebp
0x01c21518: sub $0x18,%esp
0x01c2151b: xor $0x90909090,%edx
0x01c21521: xor $0x90909090,%edx
0x01c21527: xor $0x90909090,%edx
…
0x01c21539: ret

XOR in java JIT compiler (.cont)
• The XOR statement is compiled to an instruction of
six bytes
– 81 F2 90 90 90 3C xor edx, 0x3C909090
• We can replace the 3 NOP bytes with our shellcode

Set EIP in the middle
$0: 81 F2 90 90 90 3C : xor edx, 0x3C909090
$6: 81 F2 90 90 90 3C : xor edx, 0x3C909090
$12: 81 F2 90 90 90 3C : xor edx, 0x3C909090
$0: 81 F2
$2: 90 nop
$3: 90 nop
$4: 90 nop
$5: 3C 81 cmp al, 81
$7: F2 repne
$8: 90 nop
$9: 90 nop
$10: 90 nop
$11: 3C 81 cmp al, 81
EIP
EIP

Find a reliable EIP to jump to
• 0x02cd70b7
– Fairly reliable on the tested systems:
– windows xp sp3, windows 7 home edition,
windows 7 enterprise edition, windows 8 home
edition

Spray multiple functions at runtime
• ClassLoader.loadClass
JIT00002.classJIT00001.class …
Exploit.class

Performance
• First version: 20 ~ 40s to spray 2400 functions
– Because we have to call a function 1500 times
before it can be JITed
• Use pre warm up: 7 ~ 9s

Shellcode
• Two-Staged
– Stage0: Sprayed by JIT functions, will search for
Stage1 shellcode and execute it (egg-hunt)
– Stage1: Defined in java string, do the real work

Demo
• Exploit CVE-2013-1491 using JIT Spray

Add JIT Spray to your POC in one
minute
• Demo
– Add JIT Spray to CVE-2013-0809 POC
– We will public all related code after the
presentation

Optional Demo
• JRE 7 native 0day + Win8 + Java JIT Spray

Java JIT Spray - Limitation
• Currently only works on 32bits platform
• You need to be able to control EIP precisely

Conclusion
• We introduced 3 different methods to exploit
a java native vulnerability and bypass
DEP/ASLR
• You need to choose the one that fit your
vulnerability

Conclusion
• Choose JIT Spray if 32bits & you can control
the EIP
• Choose Array + Statement if you can overwrite
a java array on java object heap
• Choose Information Leak + ROP if you are
Vupen

"Heapsprays are for the 99%"
“And so are JIT sprays."

2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities on win7jre7 in one minute

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a 2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities on win7jre7 in one minute

Semelhante a 2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities on win7jre7 in one minute (20)

Último

Último (20)

2013 syscan360 yuki_chen_syscan360_exploit your java native vulnerabilities on win7jre7 in one minute