Presented at
Objective by the Sea version 6.0 (2023),
Oct. 13, 2023, 11:50 a.m.
(40 minutes).
Browsers provide attackers with an excellent foothold into a victim's computer. And Safari is no exception on Apple devices. Updates are made to Webkit, the open-source upstream repository of Safari, every day. The increasingly featureful JavaScript engine in Webkit, called JavaScriptCore, sees significant code churn.\n\n Our talk focuses on a massive commit added to JavaScriptCore that revamped the for-in enumerator implementation. We found several bugs in that one commit, some of which we use in our JavaScriptCore exploit. \n\n We talk about our fuzzing approach and how fuzzing and code auditing complement each other in the discovery of impactful bugs. The first bug is a register spill leading to a type confusion; the second is an issue with representation of floats and NaNs leading to an arbitrary object dereference; the third and final bug led us to misuse a feature of the JIT engine and leverage it to bypass ASLR. We show how all this is used in tandem to achieve arbitrary read/write in the renderer process of Safari. \n\n Finally, we discuss the role of modern Apple-specific exploit mitigations such as PAC and APRR and wrap up with takeaways on how the issues found could have been avoided.
Presenters:
-
Javier Jimenez
- Vulnerability Researcher at Exodus Intelligence
Javier Jimenez is a vulnerability researcher at Exodus Intelligence. Currently focusing on browser exploitation with a big focus on bug hunting via fuzzing. Javier has given trainings at conferences such as BSides London and BlackHat USA, and has many other public blog posts on exploit development research. These also include the discovery of vulnerabilities in Apache httpd and Chrome's V8.
-
Vignesh Rao
- Vulnerability Researcher at Exodus Intelligence
Vignesh Rao is a vulnerability researcher at Exodus Intelligence. He is currently focusing on bug hunting and exploitation of Apple's Safari browser. He loves anything MacOS/iOS system security related and has researched multiple userland and kernel applications before. \n\n Vignesh also used to be an avid CTF player and regularly participated in CTF's as a part of the bi0s team in the past.
Links:
Similar Presentations: