New Attack Surface in Safari: Using Just One Web Audio Vulnerability to Rule Safari

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 11:20 a.m. (40 minutes)

In the past, Safari vulnerability researchers often focused on the DOM or JS engine, but some system libraries used by Safari, such as audio, video, font, etc., haven't received enough attention. There are few successful cases using vulnerabilities found in these modules to break Safari. Due to the built-in heap isolation mechanism of Safari, the heap used by these system libraries is not the same as the heap where the DOM objects and JS objects are located. As a result, the out-of-bounds writing vulnerabilities in these modules make it extremely difficult to overwrite some key JS objects. These vulnerabilities are difficult to exploit alone without the coordination of an info leak. I have invested a lot of time on bug hunting in the Web Audio module, and have achieved amazing results. A total of 15+ out-of-bounds read bugs and 10+ out-of-bounds write bugs have been discovered so far. At present, 12 bugs have been credited by Apple. Since it is difficult for us to perform heap spraying on OSX Heap, most of the out-of-bounds writing is difficult to use in Safari alone, but I found that there is a bug that can overwrite JS objects in a clever way, bypassing Safari's heap isolation, ASLR and other defense mechanisms, and finally achieve arbitrary code execution. I demonstrated the attack at the Tianfu Cup International Cyber ​​Security Competition hosted by the Chengdu Municipal Government of China, and successfully pwned Safari with only one shot.


Presenters:

  • JunDong Xie - Senior Security Researcher, Ant Security Light-Year Lab
    <p>JunDong Xie, a senior security researcher of Ant Security Light-Year Lab, graduated from Zhejiang University and was a member of the AAA CTF team. His main research areas are binary fuzzing, browser security, and macOS security. He has participated in three Tianfu Cup International Cybersecurity Contests with the team from 2018 to 2020 and has broken the Safari browser, PDF reader and many mobile devices in the competition. Follow him on Twitter: <a href="https://protect-us.mimecast.com/s/Ua9JCOYEZruAK24rkhExiMI?domain=twitter.com" data-mce-href="https://protect-us.mimecast.com/s/Ua9JCOYEZruAK24rkhExiMI?domain=twitter.com">https://twitter.com/Jdddong</a></p>

Links:

Similar Presentations: