New Series: Getting Into Browser Exploitation
TLDR
Introduction to the new series on Browser Exploitation!
Series
- 0x00: New Series: Getting Into Browser Exploitation
- 0x01: Setup and Debug JavaScriptCore / WebKit
- 0x02: The Butterfly of JSObject
- 0x03: Just-in-time Compiler in JavaScriptCore
- 0x04: WebKit RegExp Exploit addrof() walk-through
- 0x05: The fakeobj() Primitive: Turning an Address Leak into a Memory Corruption
- 0x06: Revisiting JavaScriptCore Internals: boxed vs. unboxed
- 0x07: Preparing for Stage 2 of a WebKit Exploit
- 0x08: Arbitrary Read and Write in WebKit Exploit
Introduction
For several years, I've been whining about the fact that I don't understand Browser Exploitation. I'm sure I've annoyed some people, and I apologize. I think I can theoretically understand this subject, but I kinda gave up and never really spent time trying it out practically. During the 33c3 CTF, there was a Firefox exploitation challenge, and I thought it would be the perfect time for me to get started in the field of Browser Exploitation. But back then, I already failed to compile a debug version of Firefox, and I gave up. Browser Exploitation has always been a scary topic for me; I had no clue where to start, and it soon became a frustration (I'm sure many can relate to that).
The strange thing is, in some way, I knew how to get into this field: I should watch one of my own videos, like "The Secret step-by-step Guide to learn Hacking". It just takes time to get good at something or even to learn new stuff, but it overwhelmed me. I already have a good understanding of the fundamentals of exploitation, and I also have somewhat of an intuition on how Browser Exploitation might work - but only on an abstract level. I just couldn't get into it on a technical level.
It's not that people keep the knowledge secret or something. There are not tons of resources on this subject, but there are more than we might think, and they are just enough for us to get started. For example, Saelo's Phrack paper on Attacking Javascript Engines, argp's article on Exploiting Firefox, CTurt's PlayStation 4 WebKit exploit writeup that includes a commented exploit, writeups from Project Zero, and many others. Additionally, honorable mentions should also go to RET2Systems. They have a multi-part writeup about the WebKit exploit that they used in Pwn2Own. Unfortunately I stumbled over this fairly late in my adventure of creating the series, but that would have been a great way to start too. Beyond all those resources, thanks to playing CTFs and engaging with the community, I know several people who could answer my questions. But instead of following my own advice on How (not) to ask a technical question, I bothered people by asking questions like "I don't know how to get started", "Please help meeee", "I don't understand this", and I got sick of this myself. Now it's about time I finally take responsibility and properly approach this.
No magic
I just need to sit down and invest the time necessary to learn. I know the process is slow and it will take time, but if we put the time and effort into it, we can learn anything. I've been whining for about four years or so, and I just feel that I was scared of this topic and let it overwhelm me. But then I remembered that this was the same feeling I had when I got started in Security/Wargames/CTFs a couple of years ago, and in the end, I was able to get into that as well. So why not apply the same principles of learning to Browser Exploitation? There's no magic; it just takes time and persistence to get good at something.
Rough plan
At 35c3, I saw Jonathan Jacobi's talk From Zero to Zero Day, where he talks about his path of learning and finding an exploit in ChakraCore. In the beginning of the talk he references one of my tweets as one piece of advice.
Ned Williamson's talk on Attacking Chrome IPC also reminded me that it takes a lot of practice, and he shares how he approaches these challenges. These two talks played a huge role in why I decided to tackle browser exploitation again, so I recommend you watch both of them - they're great!
Here's a rough plan of what you can expect from the series. Browser exploitation is a huge field with different browser engines and operating systems. Browsers are, next to operating systems, probably the most complex software there is, touching many disciplines of computer science. So what do we look at? The DOM, network layers, Javascript engines? If we were to pick one, let's say Javascript engines, there are many: v8, Chakra, SpiderMonkey or JavaScriptCore. All of these seem complicated, and it's easy to get overwhelmed, but since this is a long path with no proper route, we just have to start somewhere, and I chose JavaScriptCore.
JavaScriptCore
Here are my reasons why I chose this engine.
- My CTF teammate has published an exploit for JavaScriptCore, and it has a proof of concept for Safari; when I started with this, my Safari was still vulnerable to this exploit.
- The above bug is similar to saelo's exploit for CVE-2018-4233, and also Niklas B has written a different implementation for the same bug. Both of the exploits are available on GitHub for us to look at.
- Recently, Zero Day Initiative has written a blog post about the same bug but from a different researcher's perspective.
- Additionally, I found a two-hour-long video walkthrough by saelo on the case study of an older exploit in JavaScriptCore, which is related to his Phrack paper on Attacking Javascript Engines. That was a goldmine; unfortunately it is in German.
The fact that we have the same bug exploited in different ways allows us to compare the approaches and see the bug from slightly different angles.
Summary
So this series is going to be about WebKit, which uses JavaScriptCore as its Javascript engine. I'm going to be doing this on macOS, but it should be doable on Linux as well. If you don't have experience with exploitation fundamentals, it would be a good time for you to get started with my Binary Exploitation Series before jumping into the ocean of complexity. Additionally, I'd recommend you play some Wargames and CTFs like OverTheWire, PicoCTF and Exploit Education to get the practical intuition necessary for this series. I would also like to mention that this series is not a replacement for "professional training" on the topic. Like I already mentioned, I just got started with this topic, and this series is going to document my journey of learning browser exploitation - in a video format. This means I might say some wrong stuff due to the fact that I lack the experience. So from episode to episode you can see my process of learning, and hopefully it motivates people like you as well.
Anyway, we will start off the series by setting up WebKit and JavaScriptCore, and then learn a bit about the internals and how to debug stuff. Slowly we'll make our way to Linus's and Niklas's exploits. So I hope you are as excited as I am. And if you'd like to support the free videos I make, you can support me through Patreon or Youtube Membership.
Thanks ❤