Introduction to the new series on Browser Exploitation!
- 0x00: New Series: Getting Into Browser Exploitation
- 0x02: The Butterfly of JSObject
- 0x04: WebKit RegExp Exploit addrof() walk-through
- 0x05: The fakeobj() Primitive: Turning an Address Leak into a Memory Corruption
- 0x07: Preparing for Stage 2 of a WebKit Exploit
- 0x08: Arbitrary Read and Write in WebKit Exploit
For several years, I've been whining about the fact that I don't understand Browser Exploitation. I'm sure I've annoyed some people, and I apologize. I think I can understand this subject in theory, but I kind of gave up and never really spent time trying it out in practice. During the 33c3 CTF there was a Firefox exploitation challenge, and I thought it would be the perfect time for me to get started in the field of Browser Exploitation. But back then I already failed at compiling a debug build of Firefox, and I gave up. Browser Exploitation has always been a scary topic for me, I had no clue where to start, and it soon became a source of frustration (I'm sure many can relate to that).
The strange thing is, in some way I knew how to get into this field: I should have watched one of my own videos, like "The Secret step-by-step Guide to learn Hacking". It just takes time to get good at something, or even to learn something new, but it overwhelmed me. I already have a good understanding of the fundamentals of exploitation, and I also have some intuition for how Browser Exploitation might work, but only on an abstract level. I just couldn't get into it on a technical level.
I just need to sit down and invest the time necessary to learn. I know the process is slow and it will take time, but if we put in the time and effort, we can learn anything. I've been whining for about four years or so, and I feel that I was simply scared of this topic and let it overwhelm me. But then I remembered that this was the same feeling I had when I got started with Security/Wargames/CTFs a couple of years ago, and in the end I was able to get into that as well. So why not apply the same principles of learning to Browser Exploitation? There's no magic; it just takes time and persistence to get good at something.
At 35c3, I saw Jonathan Jacobi's talk "From Zero to Zero Day", where he talks about his path of learning and finding an exploit in ChakraCore. At the beginning of the talk he references one of my tweets as a piece of advice.
Ned Williamson's talk on "Attacking Chrome IPC" also reminded me that it takes a lot of practice, and he shares how he approaches these challenges. These two talks played a huge role in why I've decided to tackle browser exploitation again, so I recommend you watch both of them - they're great!
Here are my reasons why I chose this engine.
- The above bug is similar to saelo's exploit for CVE-2018-4233, and Niklas B has written a different implementation for the same bug. Both exploits are available on GitHub for us to look at.
- Recently, the Zero Day Initiative published a blog post about the same bug from yet another researcher's perspective.
Having the same bug exploited in different ways lets us compare the approaches and see the problem from slightly different angles.