Баги и эксплойты в браузерах / Browsers bugs and exploits

[SynQ]

Тема для линков и обсуждения write-up'ов по публичным багам в основных браузерах (IE/Firefox/Chrome/Safari).


Интересный, ранее не до конца закрытый баг в Safari (WebKit), вновь проявившийся на x64 системах:
pwn4fun Spring 2014 Safari
Integer truncation и затем heap overflow при вызове array.join()

[SynQ]

Не обойтись без линка на блог VUPEN:
http://www.vupen.com/blog/

Цитата:

Advanced Exploitation of Mozilla Firefox "BumpChunk" Use-After-Free (Pwn2Own 2014)
Published on 2014-05-20

Advanced Exploitation of Internet Explorer 10 on Windows 8 / Pwn2Own 2013 Exploit
Published on 2013-05-22

Advanced Exploitation of Internet Explorer MSXML Uninitialized Memory (MS12-043)
Published on 2012-07-17

Advanced Exploitation of Internet Explorer 9 Heap Overflow / Pwn2Own 2012 Exploit
Published on 2012-07-10

Advanced Exploitation of Mozilla Firefox Use-after-free Vulnerabilities (MFSA 2012-22)
Published on 2012-06-25

Advanced Exploitation of Internet Explorer Heap Overflows (MS12-004 / CVE-2012-0003)
Published on 2012-01-16

Advanced Exploitation of Adobe Flash Zero-Day with ASLR/DEP Bypass (CVE-2011-0609)
Published on 2011-03-26

Advanced Exploitation of Adobe Reader Zero-Day with ASLR/DEP Bypass (CVE-2010-2883)
Published on 2010-09-09

[SynQ]

Большая подборка:
http://uknowy.wordpress.com/2014/08/...hunting-links/

Код:

[exploit technique]

http://www.garage4hackers.com/content.php?r=143-Beginners-Guide-to-Use-after-free-Exploits-IE-6-0-day-Exploit-Development

https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf

https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

http://fuzzysecurity.com/tutorials/expDev/11.html

http://packetstormsecurity.com/files/116320/Internet-Explorer-Script-Interjection-Code-Execution.html

http://ifsec.blogspot.kr/2013/11/exploiting-internet-explorer-11-64-bit.html

https://code.google.com/p/chromium/issues/detail?id=352369&can=1&q=vupen&colspec=ID%20Pri%20M%20Iteration%20ReleaseBlock%20Cr%20Status%20Owner%20Summary%20OS%20Modified

http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf

https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf

http://blog.fortinet.com/Advanced-Exploit-Techniques-Attacking-the-IE-Script-Engine/

https://www.blackhat.com/us-14/archives.html#svg-exploiting-browsers-without-image-parsing-bugs

http://www.secniu.com/the-art-of-leaks-the-return-of-heap-feng-shuidemo-code/

http://blog.exodusintel.com/2013/11/26/browser-weakest-byte/

https://github.com/rapid7/metasploit-framework/blob/master/test/modules/exploits/test/explib2_ie11_exec_test_case.rb

https://community.rapid7.com/community/metasploit/blog/2014/04/07/hack-away-at-the-unessential-with-explib2-in-metasploit

http://www.secniu.com/how-to-use-vbscript-to-turn-on-the-god-mode/

http://hi.baidu.com/yuange1975/item/863a25e4501f542c5a7cfb7b

https://github.com/demi6od/Smashing_The_Browser

 

[CVE Analysis]

http://www.exploit-db.com/wp-content/themes/exploit/docs/20084.pdf

http://www.exploit-db.com/wp-content/themes/exploit/docs/21832.pdf

http://pgnsc.tistory.com/348

http://training.nshc.net/KOR/Document/vuln/20130405_Microsoft_Internet_Explorer_CButton%20Object_Use_After_Free_Vulnerability.pdf

http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

http://hacksum.net/?p=2030

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Microsoft-IE-zero-day-and-recent-exploitation-trends-CVE-2014/ba-p/6461820

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/The-mechanism-behind-Internet-Explorer-CVE-2014-1776-exploits/ba-p/6476220

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Double-Dip-Using-the-latest-IE-0-day-to-get-RCE-and-an-ASLR/ba-p/6466280

http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

http://hdwsec.fr/blog/CVE-2014-0322.html

 

[Mitigation]

http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf

http://neilscomputerblog.blogspot.kr/2014/04/vtguard.html

http://blog.trendmicro.com/trendlabs-security-intelligence/isolated-heap-for-internet-explorer-helps-mitigate-uaf-exploits/

https://labs.mwrinfosecurity.com/blog/2014/06/20/isolated-heap-friends—object-allocation-hardening-in-web-browsers/

http://researchcenter.paloaltonetworks.com/2014/07/beginning-end-use-free-exploitation/#more-6158

http://www.contextis.com/blog/windows-mitigaton-bypass/

http://hitcon.org/2014/downloads/P2_01_Keen%20Team%20-%20New%20Exploit%20Mitigation%20In%20Internet%20Explorer.pdf

 

[Bypass Sandbox]

http://monsterz.kr/wp-content/uploads/2014/08/Newbies-Travels-To-Sandbox.pdf

https://github.com/tyranid/IE11SandboxEscapes

http://www.contextis.com/documents/79/IE_Sandbox_Escapes_Presentation.pdf

http://conference.hitb.org/hitbsecconf2013kul/materials/D2T1%20-%20Mark%20Vincent%20Yason%20-%20Diving%20Into%20IE10’s%20Enhanced%20Protected%20Mode%20Sandbox.pdf

 

[fuzzer]

https://sites.google.com/site/tentacoloviola/fuzzing-with-dom-level-2-and-3

https://ouspg.googlecode.com/files/44CON-slides.pdf

https://github.com/stephenfewer/grinder

https://code.google.com/p/ouspg/wiki/NodeFuzz

http://lcamtuf.coredump.cx/cross_fuzz/

https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument

https://code.google.com/p/chromium/issues/list?q=label:ClusterFuzz

http://blog.chromium.org/2012/04/fuzzing-for-security.html

http://www.secbiz.org/blog/browser-fuzzing-with-bamboo-js

http://dinaburg.org/binfuzzjs.html

https://blog.mozilla.org/security/2012/06/20/7-tips-for-fuzzing-firefox-more-effectively/

http://www.csnc.ch/misc/files/publications/2006_IE_Fuzzing.pdf

http://sebug.net/paper/Meeting-Documents/hitbsecconf2012ams/D1T1%20-%20Roberto%20Suggi%20and%20Scott%20Bell%20-%20Browser%20Bug%20Hunting%20in%202012.pdf

 

[Labs]

http://www.vupen.com/blog/

http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/index.xhtml

http://researchcenter.paloaltonetworks.com/tag/vulnerability-exploit/

http://www.security-assessment.com/page/archive.htm

http://lcamtuf.coredump.cx/

http://www.agarri.fr/blog/

http://www.harmonysecurity.com/

http://www.zer0mem.sk/?p=5

 

[misc]

https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhTmphLUE&usp=drive_web#gid=0

http://conference.hitb.org/hitbsecconf2013ams/materials/D2T2%20-%20Rosario%20Valotta%20-%20Abusing%20Browser%20User%20Interfaces%20for%20Fun%20and%20Profit.pdf

https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS09_sood_browser_design_flaws.pdf

http://sindro.me/assets/sindro.me/2011/7/2/Advances_in_Win32_ASLR_Evasion.pdf

http://media.blackhat.com/bh-us-10/presentations/Shah/BlackHat-USA-2010-Shah-DOM-Hacks-Shreeraj-slides.pdf

http://codeengn.com/file/conference/09/2013_CodeEngn_Conference_09_hooking_and_visualization_%5BBlueH4G%5D.pdf

https://media.blackhat.com/eu-13/briefings/Liu/bh-eu-13-liu-advanced-heap-slides.pdf

http://www.kahusecurity.com/2014/wild-wild-west-072014/

http://lucid7.egloos.com/2737749

 

[Paper]

https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf

http://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf

http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf

http://www.iitg.ernet.in/stud/drbj153/WebBrowser%20Vulnerability.pdf

[SynQ]

https://rh0dev.github.io/blog/2015/fun-with-info-leaks/

Цитата:

This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit.

[Matthew]

Analysis on Internet Explorer's UXSS

http://innerht.ml/blog/ie-uxss.html

Original report:
http://seclists.org/fulldisclosure/2015/Feb/0