Study notes: Smashing The Browser: From Vulnerability Discovery To Exploit
Browser fuzzing techniques
Vulnerability discovery
- White-box discovery
  - Code audit
  - Automated code analysis
- Black-box discovery
  - Fuzzing
Two kinds of fuzzing
- Static fuzzing
  - Mutation-based
    - Files, documents
    - Multimedia
    - bf3
  - Generation-based
    - Browsers
  - The emphasis is on test case generation
- Dynamic fuzzing
  - Fuzzing frameworks
    - Grinder
  - Fuzzing tools
    - CrossFuzz
    - ndujaFuzz
    - NodeFuzz
    - X-Fuzzer
    - jsFunFuzz
  - The emphasis is on test case reconstruction and capturing crash samples
How to write your own fuzzing tool
- 1. Collect POCs
- 2. Specification documents
  - W3C
  - MDN
  - MSDN
- 3. Targets
  - JavaScript
  - HTML
  - CSS
Strategy
- Data vs. relationships
- Data-type oriented vs. logic oriented
- Code path coverage -> browser state coverage
  - DOM tree state
  - Render forest state
  - Layout state
  - Event handler state
  - Multi-page state
- Specifications and standards
  - W3C
  - MDN
  - MSDN
- Final guides
  - HTML
  - CSS
- Logical elements -> the dictionaries (see below) -> specifications, standards and guides
  - Base dictionary
  - Property dictionary
  - Function dictionary
  - Style dictionary
Target
- UAF vulnerabilities
  - Construct -> Fuzz -> Free -> Use
  - Freed node -> no remaining reference
- Traverse Node (node traversal??)
  - 1. Keep a reference (id[index])
  - 2. DOM implementation (document.all[index])
- Node references
  - 1. Caching
  - 2. Clearing tree nodes
  - 3. Recursively clearing the subtree
- Get Property
  - 1. Dynamic retrieval
    - Properties
    - Functions
    - Events
  - 2. Caching
  - 3. for...in
  - 4. typeof
- Fuzz Property
  - 1. Smart values -> from the specification
  - 2. Random values -> no dictionary
- Fuzz Function
  - Functional programming + eval()
DOM tree construction
- Base DOM tree
  - Random nodes
  - Random tree generation algorithm
    - for loop
    - document.createElement
    - node.appendChild
- Smarter structure
  - Form
  - Table
  - Map
  - List
  - Audio
  - Video
  - Svg
- Network
  - XMLHttpRequest
  - WebSocket
Prelude
- TextNode
- Special nodes
  - Window
  - Document
  - Attribute
  - NamedNodeMap
- Group
  - Range
  - Selection
  - NodeIterator
  - TreeWalker
- Multiple pages
  - Iframe
  - Window.open
  - Recursively nested iframes
  - Renderer process <=> instance
- Web Worker & SharedWorker
  - Multiple threads
- Event handler
  - "ATM"
- CSS
  - Pseudo-classes & pseudo-elements
- Render forest
  - Initial properties
  - Start states
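As an added example (not code from the notes or from the talk), the random tree generation algorithm above (for loop + createElement + appendChild with a cached reference array) combined with the for...in/typeof property discovery from the Get Property section; the tree is built from a seeded generator so a crashing test case can be rebuilt from its seed, which is the "test case reconstruction" the notes emphasise. In a browser pass the real `document`; the stub document, the `TAGS` list and the LCG constants are assumptions constructed for running offline.

```javascript
// Deterministic LCG: the same seed always yields the same tree, which is what
// makes a crashing test case reproducible from its seed alone.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(1664525, s) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Constructed stand-in for `document` when no browser DOM is available
// (assumption: nodes here are plain objects, not real elements).
function makeStubDocument() {
  const mk = (tag) => ({
    tagName: tag.toUpperCase(),
    children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  return { body: mk('body'), createElement: mk };
}
// Tag list is a constructed sample; a real dictionary comes from the spec.
const TAGS = ['div', 'span', 'table', 'form', 'input', 'iframe', 'svg', 'video'];

// Random tree generation: a for loop of createElement + appendChild, attaching
// each new node under a randomly chosen existing one. The returned array is the
// reference cache: a node cleared from the tree later is still reachable here.
function buildRandomTree(doc, count, seed) {
  const rnd = makeRng(seed);
  const nodes = [doc.body];
  for (let i = 0; i < count; i++) {
    const parent = nodes[Math.floor(rnd() * nodes.length)];
    const el = doc.createElement(TAGS[Math.floor(rnd() * TAGS.length)]);
    parent.appendChild(el);
    nodes.push(el);
  }
  return nodes;
}

// Dynamic property discovery: walk the object with for...in and classify each
// name with typeof into properties, functions and event handlers (on*).
function classifyProperties(obj) {
  const out = { properties: [], functions: [], events: [] };
  for (const name in obj) {
    if (name.startsWith('on')) out.events.push(name);
    else if (typeof obj[name] === 'function') out.functions.push(name);
    else out.properties.push(name);
  }
  return out;
}
```

In a browser, `classifyProperties(document.createElement('div'))` walks the prototype chain too, which is why for...in rather than Object.keys is used for building the property, function and event lists.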
Fuzzing
- DOM node
  - Properties
  - Functions
  - Styles
  - Return value -> fuzzing list
- Fuzzing values
  - Normal
  - Dirty
  - Random
  - Return
- Force layout
  - Node.offsetParent
- Clear DOM subtree
  - innerHTML
  - outerHTML
  - innerText
  - outerText
- Clear whole DOM tree
  - write
  - writeln
  - open
  - documentElement.innerHTML
- DOM tree modification
  - appendChild
  - insertBefore
  - insertAdjacentElement
  - insertAdjacentHTML
  - insertAdjacentText
  - removeChild
  - replaceChild
  - cloneNode
- Special node manipulation
- Group manipulation
  - execCommand
- Multiple pages
  - Mutual manipulation
  - Mutual clearing
- setTimeout
  - Disrupt the time sequence
- Garbage collection
  - Force IE Memory Protector to reclaim
Finale
- GC
- Reuse all elements
  - Properties
  - Functions
  - Styles
- Reuse groups
- Reuse special nodes
- Reuse function return values
Dictionary
A dictionary is judged by its accuracy and completeness.
- Dictionary -> specification
  - Specification
  - Scripts (or grep + sed)
  - Manual
- Extensibility
  - New things
    - Geolocation
    - Client-side databases
    - Canvas
    - Blobs
    - Speech synthesis
- Specification + smart values = dictionary
A fuzzing method is judged by its results.
- Vulnerabilities
  - UAF
  - Double free
  - OOB
- Bugs
  - Null pointer dereference
  - Stack overflow
Event handler
- Idea
  - Fuzzing: rendering engine -> some state
  - Set event handler: fuzzing and clear
  - Fuzzing: fire event
  - Kind of race condition
- StateFuzzer
  - CFlatMarkupPointer UAF
  - CInput UAF
  - CFrameSetSite CTreeNode UAF (CVE-2014-1769)
  - CCaret Tracker UAF
  - CClipStack OOB Access (CVE-2014-1773)