Blog
Attacking the Browser
As a penetration tester, browser escape is one of the options to consider during an engagement. Browsers are already in the sights of attackers using XSSand malicious plugins, and a well-disguised phishing campaign can also produce clickbait hits, so the opportunity to escape the browser is real. Even if the pentest team doesn't have a fully automated and rich-featured JS exploit package ready to go, they can use BeEF Browser Exploitation Framework [BEEF] to manually exploit a browser page loaded during a phishing campaign.
Let’s take a look at recent Google Chrome zero-day vulnerabilities to understand firstly, why a vulnerability management program should be in place to manage and verify updates in a timely manner, and secondly what type of zero-day vulnerabilities could be present in even the most popular and thoroughly reviewed piece of commercial software.
Google Chrome Market Share
There aren’t many mainstream browsers in use these days. Especially when you consider that Microsoft Edge, Opera, and Brave use the open-source Chromium core as their base. ZDNet listed a total of 11 popular browsers that are based on Chrome and including the small fish, they counted a total of 24 projects that include Chromium [ZD-CHR]. This indicates that Chrome has about 70% of the browser market share. When it comes to the allocation of resources for exploit development, attackers are going to use a combination of probability and asset value to decide which attack surfaces to spend their time on. While browsers may not run on systems that represent the highest value in terms of direct data exfiltration, the probability of finding an unpatched version of Google Chrome is high and escaping the browser gives initial access [TA0001] which can lead to privilege escalation [TA0004], and pivoting [TA0008] deeper into network or cloud resources.
Who's Got A Chrome Zero-Day?
Washington D.C.-based IT security firm ZERODIUM advertises a payout of up to $2.5 M USD for a Google Chrome zero-day [Z]. So, if you happen to possess one, there is a serious opportunity to cash in on some big reward. According to reports, in 2020 Google themselves directly paid out $6.7 million to bug bounty hunters, with the Chrome VRP (Vulnerabilities Rewards Program), handing out more than $2.1 million for 300 different Chrome bugs. [ZD-G].
Gray security firm Zerodium may very well be collecting more Chrome zero-day exploits than Google itself, which leads to the question, what exactly do they do with them? According to the Zerodium FAQ, their customers are "government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities" [Z-FAQ]. This implies that exploits sold to Zerodium are used in offensive cyberwarfare. As for the amount of money that a Google Chrome zero-day can fetch on the dark web, it has been reported to be up to 8 digits [DS].
Technical Description Of A Recent Chrome Vulnerability
There have been 399 CVEs issued for Google Chrome since the start of 2021. The weighted average score for these vulnerabilities is 6.8, and the vast majority of these have been issued CVSS v3 scores between 6 and 7, making up 69% of the total, and 4 were issued scores of 9 or higher (critical) making up only 1%. The Google Chrome CVE landscape since 2008 looks a little more daunting, having 7.5% of all disclosures being rated as critical. Let's examine one example of how a Google Chrome vulnerability has been observed being leveraged in the wild.
V8 Vulnerabilities
V8 is Google's open-source high-performance JavaScript and WebAssembly engine. V8 is common amongst all browsers that use the Chromium core package. Since 2021, three CVEs have been issued for vulnerabilities in V8, all of them allowing remote code execution by running specially crafted JavaScript in the browser DOM [CVE-2021-30599] [CVE-2021-30598] [CVE-2021-21224]. Looking further back in time reveals that a constant stream of CVE's have been issued for V8, and the V8 submodule in question TurboFan.
The 2021 vulnerabilities are type-check confusion bugs. The exploit leverages Chrome V8's use of type speculation to reduce the overhead of comparison resolution. By including JavaScript that constructs mistyped values, and using a typer-hardening bypass [TYPER-1] [TYPER-2] arbitrary code execution was achieved [V8-1][V8-2].
The following example code can be executed in Google Chrome (versions prior to 92.0.4515.159) or V8. The expected behaviour is to print "0" twice; in reality "0" and "1" are printed.
To achieve code execution, typer-hardening bypass was exploited against V8 TuboFan's operator optimization [TF-OPT]. V8/TurboFan's MachineOperatorReducer (`src/compiler/machine-operator-reducer.cc` in v8) contains logic to detect bitfield-comparisons of the form `(x & A) == B` (and additionally `(x >> A) & 1`) and combine multiple of those checks into one. The simplest example (in the absence of other optimizations like constant folding) is `((x & 0) ==1) & ((x & 1) == 1)` - as the masks `0` and `1` don't share set bits, the `overlapping_bits`-check is passed, and the checks are combined to `(x & 1) == 1`; this is clearly not equivalent as `(x & 0) == 1` is obviously not satisfiable while `(x & 1) == 1` is. In more complex operator optimization phases the compiler will discover that, according to the available type information, a variable's length check is redundant and eliminate it completely [TYPER-1].
Using this optimization bug, JavaScript was cracked to exploit a lack of length check, returning an object with arbitrary read+write privileges. The attacker can then force TurboFan to store data for further exploitation in ordinarily out-of-bounds memory in the V8 heap.
From this point on, the attack is the same as other V8 exploits in the past: (1) locate the required pointers and object fields through pattern-matching, (2) construct an arbitrary memory access primitive using an extra JS array and ArrayBuffer, (3) follow the pointer chain from a WebAssembly module instance to locate a writable and executable memory page, (4) write a WebAssembly function inside the page with the attacker’s payload, and (6) execute it.
The severity of a V8 vulnerability such as this, which allows arbitrary read+write is that V8's web assembly engine can leverage rwx to execute C/C++ [WASB]. Several other PoC have been published that leverage V8's type check confusion and achieve arbitrary code execution [TYPER-1] [POC-1] [POC-2] [POC-3].
Web browsers are the most common application across the enterprise topography. In some cases, they may be present on legacy infrastructure and should be uninstalled or secured because they simply cannot be updated.
However even a fully up-to-date browser presents some degree of threat. Because browsers are on virtually every device and handle so much day-to-day communication, exploit code developed by APT / black hats could fetch huge sums on the dark web, and be leveraged against organizations to gain initial access.
It's unlikely that the potential threat of Chrome zero-day vulnerabilities is going to change. What’s the solution? For large enterprises, an EDR/XDR solution provides an added layer of assurance by monitoring systems for rogue processes and other IOCs. For penetration testers, it’s worthwhile paying attention to the stockpile of Chrome zero-days and maybe even collecting and developing custom exploits in case you come across unpatched browsers on engagements.
References
[Z] Zerodium - Zerodium Exploit Acquisition Programhttps://zerodium.com/program.html
[Z-FAQ] Zerodium - Frequently Asked Questions https://zerodium.com/faq.html
[ZD-G] ZDNet - Google paid $6.7 million to bug bounty hunters in 2020 https://www.zdnet.com/article/google-paid-6-7-million-to-bug-bounty-hunters-in-2020/
[ZD-CHR] ZDNet - All the Chromium-based browsers https://www.zdnet.com/pictures/all-the-chromium-based-browsers/12/
[BEEF] - The Browser Exploitation Framework https://beefproject.com/
[V8-1] chromium.org - Issue 1234770: v8/Turbofan: Wrong optimization of bitfield checks https://bugs.chromium.org/p/chromium/issues/detail?id=1234770
[V8-2] chromium.org - Issue 1234764: v8/Turbofan: Invalid rotate-right optimization + Typer hardening bypass https://bugs.chromium.org/p/chromium/issues/detail?id=1234764
[TA0001] MITRE ATT&CK - Initial Access https://attack.mitre.org/tactics/TA0001/
[TA0004] MITRE ATT&CK - Privilege Escalation https://attack.mitre.org/tactics/TA0004/
[TA0008] MITRE ATT&CK - Lateral Movement https://attack.mitre.org/tactics/TA0008/
[CVE-2021-30599] https://www.cvedetails.com/cve/CVE-2021-30599/
[CVE-2021-30598] https://www.cvedetails.com/cve/CVE-2021-30598/
[CVE-2021-21224] https://www.cvedetails.com/cve/CVE-2021-21224/
[TYPER-1] Project Zero - In-the-Wild Series: Chrome Infinity Bug https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html
[TYPER-2] Diary of a Reverse Engineer - Circumventing Chrome's hardening of typer bugs https://doar-e.github.io/blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/
[TF-OPT] Benedikt Meurer - V8: Behind the Scenes (February Edition feat. A tale of TurboFan) https://benediktmeurer.de/2017/03/01/v8-behind-the-scenes-february-edition
[WASM] I Am Root Blog - WEBASSEMBLY – EXECUTING MALICIOUS CODE USING SYSTEM() https://iamroot.blog/2020/06/29/webassembly-executing-malicious-code-using-system.html
[POC-1] Google CTF justintime exploit https://eternalsakura13.com/2018/11/19/justintime/
[POC-2] Exploiting the Math.expm1 typing bug in V8 https://abiondo.me/2019/01/02/exploiting-math-expm1-v8/#code-execution
[POC-3] Exploiting Chrome V8: Krautflare (35C3 CTF 2018) https://www.jaybosamiya.com/blog/2019/01/02/krautflare/
[DS] Digital Shadows - Vulnerability Intelligence: What’s the Word in Dark Web Forums? https://www.digitalshadows.com/blog-and-research/vulnerability-intelligence-whats-the-word-in-dark-web-forums/