Wednesday, 18 March 2020

InfoSect Coronavirus (COVID-19) Announcement

InfoSect prides itself in providing high-quality, in person training with low student numbers per class and specialised instruction from our trainers. However, with the current Coronavirus pandemic sweeping the world, we understand this is not feasible for the near to medium term.

During this time InfoSect is planning to run live, interactive training courses.

What does this mean for students?

  1. Students will be provided a link the day before training starts to log into a virtual classroom.
  2. The virtual classroom will include a live stream of Silvio teaching the course.
  3. Students will be able to ask questions and engage live with Silvio during the course.
  4. Lab guides will be provided in soft copy instead of hard copy.
  5. Hands-on labs will be facilitated remotely, with the same hands-on, interactive challenges.
  6. InfoSect swag will be posted following the course.
Requirements to attend:
  1. A place to study.
  2. An Internet connection.
  3. A laptop with a browser and capable of SSH.
  4. A microphone or headset to talk, though a chat client will also be accessible.
We hope everyone stays safe during this time and we are available to answer any extra questions you may have at info@infosectcbr.com.au

Please see our course offerings at https://infosect.eventbrite.com.au or email us on the above email to directly to book training.


Tuesday, 10 March 2020

Heap Exploitation in Chrome's PartitionAlloc - part 1

Dr Silvio Cesare
@silviocesare


Summary

PartitionAlloc is the hardened heap allocator used in Google's Chrome web browser. It is susceptible to a number of attacks. This blog post describes the first attack in a series of posts. I will talk about freelist poisoning and how to make an allocation request return an arbitrary pointer. This can be used with application-logic to develop an arbitrary write primitive.

Introduction

In heap allocators, freelists maintain a group of free memory chunks that are available to be recycled by an allocation request. Freelist poisoning corrupts this list and injects a "fake chunk" pointer. A later allocation will return this fake chunk pointer. So it is possible to make an allocation request return an arbitrary pointer.

I have blogged about freelist poisoning extensively. It is a common attack that many allocators are vulnerable to.

https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html
https://blog.infosectcbr.com.au/2019/12/freelist-heap-exploitation-on-docker.html

https://blog.infosectcbr.com.au/2019/12/attacks-on-tcmalloc-heap-allocator.html
https://blog.infosectcbr.com.au/2019/11/avr-libc-freelist-poisoning.html
https://blog.infosectcbr.com.au/2019/11/diet-libc-freelist-poisoning.html
https://blog.infosectcbr.com.au/2019/07/linux-heap-tcache-poisoning.html 

ParitionAlloc Freelist Poisoning

PartitionAlloc, like many allocators, maintains freelists. It keeps the pointers used in these freelist in the payload area of a free chunk of memory. The main difference between this approach and the typical freelist implementation, is that PartitionAlloc stores the pointer in big endian format on x86 or other little endian architectures, and as a bitwise complement on big endian architectures. Here is the code:

ALWAYS_INLINE PartitionFreelistEntry* partitionFreelistMask(PartitionFreelistEntry* ptr)
{
    // We use bswap on little endian as a fast mask for two reasons:
    // 1) If an object is freed and its vtable used where the attacker doesn't
    // get the chance to run allocations between the free and use, the vtable
    // dereference is likely to fault.
    // 2) If the attacker has a linear buffer overflow and elects to try and
    // corrupt a freelist pointer, partial pointer overwrite attacks are
    // thwarted.
    // For big endian, similar guarantees are arrived at with a negation.
#if CPU(BIG_ENDIAN)
    uintptr_t masked = ~reinterpret_cast<uintptr_t>(ptr);
#else
    uintptr_t masked = bswapuintptrt(reinterpret_cast<uintptr_t>(ptr));
#endif
    return reinterpret_cast<PartitionFreelistEntry*>(masked);
}


The inline comment describes this "mitigation". It can prevent trivial off-by-1's and the like. However, if an attacker is able to overwrite the entire freelist pointer, then they can simply apply the correct transformation of the pointer.

I have moved ParitionAlloc out of Chrome and made it a standalone library for ease of testing. Here is an example of the freelist poisoning attack using this library.


And when we run that, we are able to gain an arbitrary write to foo and change it to 0x41414141424242. The attack works.

Conclusion

In this blog post, I demonstrated the classic freelist poisoning attack against PartitionAlloc. This allocator has a number of mitigations and hardening strategies. However, attacks still exist. In future blog posts I will talk about other attacks against this allocator.

Exploiting the Lorex 2K Indoor Wifi at Pwn2Own Ireland

Introduction In October InfoSect participated in Pwn2Own Ireland 2024 and successfully exploited the Sonos Era 300 smart speaker and Lor...