ICU (International Components for Unicode) is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. ICU is widely portable and gives applications the same results on all platforms and between C/C++ and Java software. ICU vulnerability is usually not considered severe, since they are unlikely to be exploitable. In browsers such as Chrome, Safari and Firefox, the parameters of the ICU API is always strictly filtered by the frontend. As a result, ICU vulnerability usually cannot be triggered from JavaScript.
We tried to fuzz ICU, with hundreds of crashes produced in one hour. However, most of the crashes are useless because the parameters that produced the crashes can never bypass the filters in browser. After months of study, we found a more efficient way to fuzz ICU. We treat the input data provided by libFuzzer as serialized recipe objects which contain information regarding whether or not to call some ICU API, and how to pass the parameters to the API. After the data was deserialized into recipe objects, the fuzzer will do the specific actions that the recipe objects dictate. For each parameter, the fuzzer can check if it can bypass the filters of a browser. Finally, we hunted 2 memory corruption ICU bugs worked in Chrome, and 1 Out-of-Bound ICU bug worked both in Chrome, Safari, and Firefox. The OOB bug exists in ICU for over 5 years from version 50rc published on 2012 Oct. 22.
For over 70 companies and organizations, hundreds of software use ICU - including very popular software such as Chrome, Android, macOS, iOS, Windows 10, Edge, Firefox. Even cars such as Audi, BMW and more are using ICU. It is estimated that billions of devices maybe be affected for over 5 years. In this presentation, we will talk about our serialized fuzzing approach to hunt for ICU vulnerabilities that can be reached from JavaScript. And finally, we will show the 3 vulnerabilities we found and how to exploit.