Speaker(s): Kai Song and Ce Qin, Tencent Security Xuanwu Lab
With the growth of the Internet, and especially the mobile Internet, browsers and their security issues have received widespread attention. Many security features have been added to modern browsers to defend against browser-based vulnerabilities. Despite the best efforts of all browser vendors, vulnerabilities still exist and can potentially be exploited. In this talk we introduce a new way to turn a memory safety vulnerability into a method of running arbitrary native code on a target device. The presentation is organized in two parts.
First, we will detail a vulnerability in Chakra and show how it leads to an arbitrary address read/write primitive. In some attack scenarios, arbitrary read/write is equivalent to a full RCE exploit. For Chakra in Edge, however, the situation is different.
In the second part we will focus on exploitation techniques. Windows has introduced many exploit mitigations, such as ASLR, DEP, CFG, CIG and ACG, which make running arbitrary code on a target device costly. However, no set of mitigations can stop every exploit. We will detail these mitigations and introduce a new way to bypass all of them. With this method, arbitrary code can be executed inside the browser, which can then be combined with a separate privilege escalation to obtain a full exploit on the target device.