Видео [VXCON 2024] Exploiting Browser JavaScript Engines: Zero to Hero (with Google v8)

[weaver]

Воркшоп с VXCON 2024

In this workshop, we will explore the v8 CVE-2022-4262 vulnerability as a case study to guide participants through a comprehensive workflow of attacking a JavaScript engine. We’ll cover everything from setting up the research platform and analyzing the security patch to conducting a root cause analysis of the bug and developing an exploit. The complexity of this vulnerability and its exploitation technique ensures a rich learning experience, moving beyond superficial understanding associated with more common bugs.

While this workshop will be challenging, participants with prior experience in exploit development and/or JavaScript engines will find it particularly rewarding. Due to time constraints, our focus will be on analytical examinations and guided walkthroughs rather than hands-on coding, making it accessible for beginners willing to embrace some intellectual rigor. Join us for a deep dive into the intricacies of JavaScript engine exploitation!

Слайды:
https://zerodayengineering.com/research/slides/VXCON2024_Workshop.pdf

Видео

 

[DPRKCERT]

Esage is awesome. She is on the US Sanctions List. FREE ALISA!

 

[weaver]

Esage is awesome. She is on the US Sanctions List. FREE ALISA!

But in fact, it's a very weak workshop, a primitive level, rewind the video and you'll understand what I'm talking about. There are things that aren't covered in it.

 

[varwar]

She is on the US Sanctions List.

Should be considered as an achievement.

 

[Okila]

But in fact, it's a very weak workshop, a primitive level, rewind the video and you'll understand what I'm talking about. There are things that aren't covered in it.

а какой посоветовать можешь материал для изучения не "примитивного" уровня?

 

[weaver]

а какой посоветовать можешь материал для изучения не "примитивного" уровня?

Не примитивный уровень это платный тренинг например этот https://www.hexacon.fr/trainer/jimenez/. На самом то деле полезно опираться не только на один источник, а всегда пользоваться большим количеством ресурсов. Просто надо понимать, что один автор может рассказать, то что другие не рассказывают и наоборот. В воркшопе от Алисы мне не понравилось, то что слабо объяснён процесс эксплуатации. Его как такового тут нет. Либо он вырезан и это не полная запись.

Для начала я бы посоветовал вспомнить JavaScript. Так как в основе эксплойтов под брауезеры лежит манипулирование объектами в JavaScript и то как эти объекты лежат в памяти. Затем научиться собирать V8, дальше начать изучать архитектуру V8 и его компоненты, затем смотрим CVE и пишем сплойты. Далеко ходить не надо, если посмотреть на современный CTF, то там эксплуатируют браузеры. Читаешь втрайтап пытаешься повторить за автором. Собираешь нужную версию v8 и пишешь эксплойт.

http://xssforum7mmh3n56inuf2h73hvhnzobi7h2ytb3gvklrfqm7ut3xdnyd.onion/threads/41261/ тут много полезного материала для изучения.

Кстати xvonfers публиковал в твиттере как то roadmap (хотя зайди в описание любого тренинга и будет тебе roadmap)

1/ Experience writing in JavaScript and some understanding of what's under the hood(learn JavaScript fundamentals, closures, prototypes and inheritance, etc)

2.1/ Study V8 Architecture
- V8 architecture and components(core components and how they interact)
- Parser and AST
- Interpreter(Ignition)
- Optimizing Compiler(TF)
- Execution Stages
- Optimization Pipeline
- Memory management(GC, memory allocation,...)

2.2/
- Hidden Classes
- Inline Caches
- Code Optimization/Deoptimization
- Typed Arrays and ArrayBuffer
- Closures and Scopes
- Data Structures
- Function Optimization
....


3/ Read and analyze CVEs
- Study past V8 vulnerabilities and their exploits(reproduce known exploits).


4/ Deep Dive into Exploitation:
- Type Confusion
- JIT Spraying
- UAFs
- OOB
- Heap Corruption
- BoFs
- Integer Overflows/Underflows
- Logic errors


5/ View and analyze ALL recent commits

Commits · v8/v8

The official mirror of the V8 Git repository. Contribute to v8/v8 development by creating an account on GitHub.

github.com

6/ Fuzzing V8:
- Start from Fuzzilli
- Write fuzzers for specific V8 components
- Integrate sanitizers
- Triage crashes
- Minimize test cases
- Increase coverage...

I completely forgot to mention that with the release of Chrome M123(stricter handling, integrity checks, etc), many V8 SBX techniques that relied on manipulating raw pointers inside the V8 sandbox were effectively neutralized.



______________________



1/ First, I advise you to read the following things:
V8 Sandbox Glossary

V8 Sandbox - Glossary

V8 Sandbox - Glossary Author: saelo@ First Published: December 2023 Last Updated: December 2023 Status: Living Doc Visibility: PUBLIC This document is part of the V8 Sandbox Project and explains the technical terms used in the context of the sandbox. A version of this document can also be found...

docs.google.com

Sandbox design(high-level) https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit?usp=sharing
Technical blog post

The V8 Sandbox · V8

V8 features a lightweight, in-process sandbox to limit the impact of memory corruption bugs

v8.dev

Slides @5aelo
from the speech from the last @offensive_con

https://saelo.github.io/presentations/

2/ Understand the V8 Sandbox Architecture:
- Heap memory management
- Isolation Mechanism
- Data type conversions/Sandbox-compatible data types
- .....



3/ Review and analyze last changes in V8 Sandbox:

https://chromium-review.googlesource.com/q/hashtag:%22s

4/ Investigate previous vulnerabilities and their exploits to understand common patterns and techniques used in attacking the V8 engine. This can be done by reproducing known exploits and analyzing their impact on the V8 Sandbox

5/ Deep dive into vulnerabilities(bugs):
- UAFs
- OOB accesses
- Logic issues
- Type Confusion

6.1/ Fuzzing Tools:
- Fuzzilli

GitHub - googleprojectzero/fuzzilli: A JavaScript Engine Fuzzer

A JavaScript Engine Fuzzer. Contribute to googleprojectzero/fuzzilli development by creating an account on GitHub.

github.com

- Autozilli

team.git.corp.google.com - Google Single Sign On: Sign into corp

team.git.corp.google.com

6.2/ Write specific fuzzers for different V8 components within the sandbox, focusing on areas prone to memory corruption(identify critical components of the V8 engine that interact with the V8 sandbox).


6.3/ Advanced input craftings:
- Input generation
- Mutational fuzzing
- Coverage-guided fuzzing


7/ Integrate and use sanitizers:
- Integrate sanitizers such as ASan and UBSan to detect memory errors like UAFs, OOB accesses, and other undefined behaviors.
- Analyze crashes to determine their root causes and reproduce them reliably.


8/ Minimize & analyze test cases
- Reduce test cases to the smallest input that still triggers the issue, making it easier to analyze and fix
- Ensure that the fuzzing process covers as many execution paths as possible to uncover hidden vulns - > increase coverage (gcov, lcov...)