HITB 2017 Writeup : SGX_Browser

peternguyen, published in tradahacking
4 min read · Sep 15, 2017

It's nearly half a month after HITB 2017 and the contest, and I have free time to play some pwnable challenges I didn't solve during CTF time. In this post I write about SGX_Browser, which is an interesting challenge: we have to exploit a browser in an Ubuntu 16.04 environment.

So let's analyse the binary. Luckily for me, this binary is compiled with debug symbols, so we don't have to spend much time reversing everything. The browser provides a JavaScript interface called SGX_Code:

  • SGX_Implement: creates the Enclave database.
  • Enclave: creates SGX_Code objects, which store an array of numbers, and provides methods to refer and derefer an SGX_Code.
  • SGXCode: an object that stores long long int numbers. It comes in two types: a normal SGXCode (represented as 0) and a refer SGXCode (represented as 1).
All SGX Browser methods

After a while I figured out the vulnerability in this browser: it lies in referring and dereferring an SGX_Code. I show it in several pictures below.

Let's look at the refer method of the Enclave object. Enclave::refer takes 3 parameters: the name of a normal SGXCode, the name of a refer SGXCode, and the index at which the normal SGXCode is stored in the refer SGXCode's database.

Enclave::refer

It assigns the third parameter to data_refer_index of the normal SGXCode, then gets the id of the normal SGXCode and uses the two values, index and id, to store into the refer SGXCode (refer_code_data).

SGXCode::AddDataRefer
SGXCode::AddCodeRefer

In SGXCode::AddCodeRefer we can see that vref_stack_idx is verified again. This looks like sound secure coding.

Let's analyse the Enclave::derefer method. We can see that it fetches the Code Refer index from the normal SGXCode and uses this idx to remove the value from the array.

Enclave::derefer
SGXCode::DelCodeRefer

In the SGXCode::DelCodeRefer method shown in the image above, ref_stack_idx is a signed integer and is never validated, so this function looks vulnerable to an out-of-bounds read/write bug.

Going back to Enclave::refer: if we pass a negative index such as -1, Enclave::refer fails, but data_refer_idx is still set to that value. When we then call Enclave::derefer, the method happily reuses this negative number to remove a value from the array, so we get an out-of-bounds read/write bug.
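The flawed ordering and its checked counterpart side by side, as an added illustration of the bug class (this is not the challenge's own code; the struct and function bodies are assumptions modelled on the description above):

```cpp
#include <cstddef>
#include <vector>
// Added model of the refer/derefer pair described above; it is not the
// challenge binary's code (names follow the writeup, bodies are assumptions).
struct SGXCode {
    std::vector<long long> refer_code_data;  // the "refer" database
    int data_refer_idx = -1;                 // signed, as noted in the writeup
};

static bool in_bounds(const SGXCode &c, int idx) {
    return idx >= 0 && static_cast<std::size_t>(idx) < c.refer_code_data.size();
}

// Vulnerable ordering: the index is stored before it is validated, so a
// rejected value such as -1 is left behind for derefer to reuse.
bool refer_vulnerable(SGXCode &c, int idx) {
    c.data_refer_idx = idx;
    return in_bounds(c, idx);
}

// Hardened ordering: validate first, assign only on success.
bool refer_hardened(SGXCode &c, int idx) {
    if (!in_bounds(c, idx)) return false;
    c.data_refer_idx = idx;
    return true;
}

// Hardened derefer: re-check the stored signed index before using it as an
// array position, so a stale -1 is refused instead of indexing backwards.
bool derefer_hardened(SGXCode &c, long long &removed) {
    int idx = c.data_refer_idx;
    if (!in_bounds(c, idx)) return false;
    removed = c.refer_code_data[static_cast<std::size_t>(idx)];
    c.refer_code_data.erase(c.refer_code_data.begin() + idx);
    return true;
}

// Same failed refer(-1) call under both orderings; returns the index left behind.
int index_after_failed_refer(bool hardened) {
    SGXCode c; c.refer_code_data = {10, 20, 30}; c.data_refer_idx = 0;
    if (hardened) refer_hardened(c, -1); else refer_vulnerable(c, -1);
    return c.data_refer_idx;   // vulnerable: -1, hardened: 0
}
// After the vulnerable refer leaves -1 behind, a checked derefer must refuse it.
bool stale_index_rejected() {
    SGXCode c; c.refer_code_data = {10, 20, 30};
    refer_vulnerable(c, -1);
    long long removed = 0;
    return !derefer_hardened(c, removed);
}
```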

Let's analyse further to leak an address and build an exploit that pops up gnome-calculator.

Look at the QArrayData struct; this struct stores our number values in the SGXCode object. The offset field is the offset from the beginning of this struct to its first value. Using the vulnerability above, we can set this offset to zero by setting data_refer_idx to -1, which means the content of the QArrayData now points to the beginning of the struct itself, so we can simply set the size of the QArrayData larger than it really is to read the information we need from the heap segment.

In my exploit I create a lot of SGXCode objects (of both types) with magic values that help me locate exactly where they are in memory.

In modern web browsers the JavaScript engine uses JIT compilation to improve speed. By checking the mapped memory pages we can see that the JavaScript engine maps some pages read/write/execute, so we can use them to place our shellcode, then overwrite the SGXCode vtable pointer to point at our fake vtable, which links to our shellcode.

You can see my payload and try it yourself to understand more:

Video clip demo:

https://youtu.be/cGlsoDSnoNA
