Hacking Browsers - Setup and Debug JavaScriptCore / WebKit
Key Takeaways
This video shows how to set up and debug JavaScriptCore and WebKit as a starting point for browser exploitation research.
Full Transcript
My CTF teammate Linus had a WebKit 0day which unfortunately was patched at some point, and then he published it on GitHub. So I want to use this exploit to start learning about browser exploitation, and my goal is to be able to fully understand how it works. That will take a bit, but why don't we start by testing out the exploit to see where we want to get to. This series on browser exploitation is supported by SSD Secure Disclosure; check out the description for more information.

At the time of preparing this video, this is currently only patched in the WebKit master branch, not in any version shipped in macOS or iOS, and it works with the latest version of Safari on macOS and iOS. The bug is described as follows: this is an optimisation error in the way RegExp matching is handled. By setting lastIndex on a RegExp object to a JavaScript object which has the function toString defined, you can run code although the JIT, the just-in-time compiler, thinks that RegExp matching is side-effect free. Exploitation is pretty similar to saelo's exploit for CVE-2018-4233. What this all means we will learn in the future, but let's first run the exploit.

Here I have Safari version 12.0.1, which should still be vulnerable. To execute the exploit we simply start a simple web server to serve the HTML and JavaScript files on localhost port 1337, and then we visit this page and can click on this to execute the exploit. "Initialization failed", but in the README we learned that you need to have a WebSocket server running at port 5000 or you get "initialization failed". So here is a small script that simply dumps everything that is sent to this WebSocket port. This WebSocket is only used to receive output, for example if you would test this on an iOS device, and you receive the log output here. Anyway, now we can visit the index page again, we click on this to start the exploit, and we see the different stages of the exploit executing pretty much instantly. You also see this output is sent to the WebSocket. So it sets up some fake object, cleans something up, gets a memory read/write primitive, downloads the second stage, somehow gets access to read and write executable memory, copies shellcode there and executes the shellcode. The shellcode then prints "hello world from assembly". Awesome.

As you probably know, Safari is based on the WebKit browser engine. The WebKit browser engine is used by several products like Safari on Mac and iOS, and also on the Nintendo Switch or PlayStation. WebKit contains mainly two big libraries, WebCore and JavaScriptCore. WebCore is basically the HTML rendering stuff, and JavaScriptCore is, like the name says, the JavaScript part. So this exploit is actually a vulnerability in WebKit's JavaScript engine, JavaScriptCore.

But let's get started. First we want to get a proper debugging environment. To do that we should start by getting WebKit's source code, and that is pretty simple: WebKit has this "Getting the Code" site. But Linus mentioned that the vulnerability is fixed in the current code version, so how do we get the slightly older version that is still used in Safari to analyze the bug? My first thought was to look at the user agent Safari sends in HTTP requests. Safari says it uses WebKit version 605.1.15, so I went to the code repository and looked at the source code tags, and here I find the tag matching this particular version, which also tells us the revision. This means we can then use SVN to check out that specific revision of the WebKit source repository. This takes ages to download because it's a couple of gigabytes. Once it's downloaded I try to use the script build-webkit to build JavaScriptCore with debugging, but unfortunately that build failed with a weird error. Also I was a bit confused, because that WebKit version is super old and that doesn't seem right. With a bit of research I actually found out that at some point WebKit decided to freeze the reported version number in the user agent, for a few reasons: user agent sniffing is a terrible way to determine whether a browser supports certain features, and overly specific version information provides useful fingerprinting data while providing almost no user benefit. Anyway, so that explains it.

I then asked Linus about this, and he said I should clone the GitHub repository, which again takes ages, and then check out this specific commit. He said this is the commit just before the vulnerability was fixed. So let's do that. With this git log --reverse command, using the last commit that was vulnerable, we can also find the next commit that fixed the issue. Here's the description: "Regular expression operations should not take fast paths if lastIndex is not numeric". Note the typo here. Here is some additional info: this is because if lastIndex is an object with a valueOf method, it can execute arbitrary code which may have side effects, and side effects are not permitted by the regular expression fast paths. Arbitrary code here refers not to a real remote code execution; it simply means you can execute arbitrary JavaScript code that can have side effects, even though those side effects should not happen for this regular expression fast path. Again, what exactly that means we will see later.

So let's try again to build this version of WebKit. But to do that you have to make sure that you have Xcode installed, and possibly you should also make sure that the Xcode path is properly set. Then you can simply execute the script build-webkit again to build JavaScriptCore with debug symbols. That also takes quite a while to build, but eventually it's done and you can find the jsc binary in WebKitBuild/Debug/bin. Let's execute it. This gives you a simple JavaScript interpreter prompt like you may know it from Node.js. So 1 + 1 is 2, or we can also print a string, "hello from JavaScriptCore". We can also create a regular empty object, assign a property with a list and so forth. It's like your browser's JavaScript console.

Here's a first cool tip I learned about from Linus. There is a function available in this JavaScriptCore build which is called describe. It can be used to describe an object. So for example describe(1) tells us this is a 32-bit integer with the value 1, or we can also describe a float, 13.37, and this is a double. You may wonder what that huge value here is, but that's actually the raw number representation, how you would find it in memory, that represents the 13.37. In a video from saelo giving an introduction to JavaScriptCore he also showed how you can look at this with Python. The struct module in Python can be used to convert between raw byte representations and types. So for example we can now pack that huge number again as a 64-bit integer, that's the Q, and so those are now raw bytes for that number. Then we can unpack this raw byte string again as a double, and we can see that 13.37 comes out again. So this is just the standard way how doubles are stored in memory as a raw number.

Anyway, we can also describe a string, and we start to see a bit more complex info. So apparently the string also has something called a StructureID, and we will learn more about this later. Let's describe a list. This is getting even more crazy: a list is an object at this address in memory and has a so-called butterfly at this address. The underlying array structure in this case is CopyOnWrite|ArrayWithInt32. Kind of makes sense, right? This array only had integers. If we for example add a floating point value, then suddenly we have an ArrayWithDouble instead, and if we add even more other types it becomes a more generic ArrayWithContiguous. As far as I know, this is basically the most generic version of an array; it can hold any object or type. Playing around with it even more by adding another list into the list, we can also create an ArrayWithContiguous that is not copy-on-write. No clue what that exactly means, but you can see we can already learn quite a lot about JavaScript objects just by playing around with this. But we can do even more.

Let's check out lldb. lldb is a debugger like gdb, just a different one. So we can just open jsc with lldb. In case you get a Python error, you can add /usr/bin to the path, for example with this alias, so lldb uses the correct Python installation. Now that jsc is properly loaded in lldb we can hit run to execute jsc, and now we have the familiar JavaScript prompt. So let's play a bit. Let's create a simple list with one, two, three, four elements and then describe it again. This gives us some addresses: this array object is apparently at address 0x1080b4340 and has a so-called butterfly at 0x8000e4008. So now we can hit Ctrl-C to break into the debugger and look at that memory. The syntax of lldb is sometimes different from gdb, but in the case of examining memory it's pretty similar. So we can examine eight 64-bit hex values at this address, and the second value here looks like the butterfly address. So let's examine that, and here we find values that look like our array 1, 2, 3, 4, but with some weird high bytes set to ffff. What that all means, what a butterfly is and why there are those two ff bytes, we will learn more about later.

For now I want to show you one other thing we can do, and that is setting a breakpoint for useful built-in functions. With b we can set a breakpoint, and thanks to debug symbols we can start typing JSC::mathP and then use tab completion. This is then listing all the available Math functions like Math.abs or Math.max. If you are looking for specific functions you can simply search for known terms in the code. This is how I figured out that JavaScript Math functions have names with the prefix mathProtoFunc inside of the JSC namespace. Anyway, let's set a breakpoint on the max function. Breakpoint set, and then we can continue to get back to the JavaScript shell and execute Math.max with two values, 13 and 37. Boom, breakpoint hit, and we can even see the source code of the function. So we can now step through the code with for example n (next), and if we are interested in certain variables we can even print them with p, or print, the current value of the result variable. Later in the execution it will then become 37. Awesome, right? This is always how I wanted to debug and learn about browser exploits, and now we can really do it. Thanks again to SSD Secure Disclosure for supporting this series. Check out their website and learn more about the SSD vulnerability disclosure program at ssd-disclosure.com.
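The transcript does two things with raw memory: it round-trips 13.37 through Python's struct module to show that describe() prints the plain IEEE-754 bits of a double, and it dumps the butterfly of [1, 2, 3, 4] in lldb and sees the elements as 0xffff000000000001 through 0xffff000000000004. The script below is an added example (not code from the video, from Linus's repository, or from WebKit) that reproduces the struct round-trip and then goes one step further than the video: it decodes those tagged 64-bit words using JavaScriptCore's 64-bit JSValue encoding as I know it (top 16 bits 0xffff marks an int32, doubles are stored as their IEEE bits plus 2^49 so that their top 16 bits are non-zero but not 0xffff, pointers to heap cells have the top 16 bits zero, and a handful of small constants encode undefined, null, true and false). The butterfly bytes fed to it are constructed to match what the lldb session showed; the constants and helper names are this example's own.

```python
import struct

# JavaScriptCore JSVALUE64 encoding constants (as used on 64-bit builds of jsc).
TAG_TYPE_NUMBER = 0xffff_0000_0000_0000   # top 16 bits all set => boxed int32
DOUBLE_ENCODE_OFFSET = 1 << 49            # added to the IEEE-754 bits of a double
SPECIALS = {0x0: "empty", 0x2: "null", 0x6: "false", 0x7: "true", 0xa: "undefined"}


def double_to_raw(x: float) -> int:
    """IEEE-754 bits of a double; this is the 'huge value' describe() prints."""
    return struct.unpack("<Q", struct.pack("<d", x))[0]


def raw_to_double(bits: int) -> float:
    """Inverse of double_to_raw: pack as Q, unpack as d (what the video does in Python)."""
    return struct.unpack("<d", struct.pack("<Q", bits))[0]


def decode_jsvalue(v: int):
    """Classify one 64-bit word read from a JSC object or butterfly.

    Returns a (kind, value) pair. Note the parentheses around the mask: in
    Python '==' binds tighter than '&', a classic bug in decoders like this.
    """
    v &= (1 << 64) - 1
    if (v & TAG_TYPE_NUMBER) == TAG_TYPE_NUMBER:
        n = v & 0xffff_ffff
        return ("int32", n - (1 << 32) if n & 0x8000_0000 else n)
    if v & TAG_TYPE_NUMBER:
        # Any other non-zero high 16 bits: an encoded double. Undo the offset.
        return ("double", raw_to_double(v - DOUBLE_ENCODE_OFFSET))
    if v in SPECIALS:
        return ("special", SPECIALS[v])
    # High 16 bits zero and not a special constant: a pointer to a JSCell
    # (string, array, object...), e.g. the array at 0x1080b4340 in the video.
    return ("cell", v)


def decode_butterfly(raw: bytes, count: int):
    """Decode `count` consecutive JSValues from a memory dump of a butterfly."""
    words = struct.unpack(f"<{count}Q", raw[:8 * count])
    return [decode_jsvalue(w) for w in words]


def encode_double(x: float) -> int:
    """How jsc would store a double inside an ArrayWithContiguous or a property slot."""
    return double_to_raw(x) + DOUBLE_ENCODE_OFFSET


# Constructed sample: the four words lldb showed for the butterfly of [1, 2, 3, 4].
BUTTERFLY_SAMPLE = struct.pack(
    "<4Q",
    0xffff000000000001, 0xffff000000000002,
    0xffff000000000003, 0xffff000000000004,
)

if __name__ == "__main__":
    print(hex(double_to_raw(13.37)), raw_to_double(double_to_raw(13.37)))
    for kind, value in decode_butterfly(BUTTERFLY_SAMPLE, 4):
        print(kind, value)
    print(decode_jsvalue(encode_double(13.37)))
    print(decode_jsvalue(0x1080b4340))
```

With this decoder at hand, the "weird ffff high bytes" in the lldb dump stop being weird: they are the int32 tag, and the same function tells apart an encoded double from a pointer to a JSCell, which is exactly the distinction a type-confusion bug in the JIT's array fast paths plays with.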
Original Description
Part 1: We are going to try out Linus's exploit and set up a vulnerable WebKit version including debug symbols.
The Linus: https://twitter.com/linushenze
The Exploit: https://github.com/LinusHenze/WebKit-RegEx-Exploit
The Vulnerable Commit: 3af5ce129e6636350a887d01237a65c2fce77823
The Fix: https://bugs.webkit.org/show_bug.cgi?id=191731
saelo's german presentation: https://www.youtube.com/watch?v=1RLt7yscBZc
-=[ 🕴️ Advertisement ]=-
This video is supported by SSD Secure Disclosure: https://ssd-disclosure.com/
Offensive Security Conference TyphoonCon (10th - 14th June 2019): https://typhooncon.com/