Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1) - 1376

Hossein Lotfi, posted 1 year ago
  • Browser exploitation is extremely complicated and difficult. Most of the bugs are memory corruption issues, and the heavy sandboxing means multiple layers of exploitation are required. In this two-part series, ZDI walks through a Firefox browser compromise whose entry point is prototype pollution rather than memory corruption from start to finish.
  • In SpiderMonkey, the Firefox JavaScript engine, large parts are implemented in built-in JavaScript. Interestingly, that code runs in the same context as the user's code. Prototype pollution is a vulnerability class in which an attacker modifies a JavaScript object's prototype so that code relying on the prototype chain performs unintended operations.
  • When handling the top-level await feature, the function GatherAsyncParentCompletions is called. Within it there is a call to array.push, which goes through the prototype hierarchy. By setting a getter/setter on the prototype, we can cause an external call to be made. Why does this matter? We get access to the module type in JavaScript!
  • The SpiderMonkey code has some privileged function calls. By getting a reference to the module object via the prototype pollution, we trivially get memory corruption with out-of-bounds array writes. Aptly, the function named UnsafeSetReservedSlot() performs no bounds check.
  • To exploit this, the author goes through a few steps:
    1. Create a new array object.
    2. Set some of the properties of the object to force the allocation of a slot_ array.
    3. Use our out of bounds write bug from above to corrupt the capacity of the array.
    4. Use the array to read and write into the heap to corrupt all the things.
  • To get code execution, they wrote their shellcode as floating-point numbers in WebAssembly that were JITed. Now they can jump to this location to start a chain. There are some funny restrictions, like the same series of 8 bytes can't be used in a row. So they call VirtualProtect from their shellcode in order to circumvent the JIT W^X protection.
  • This compromises the renderer, but there is still much more to hack! The next post goes into the sandbox escape.
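The mechanism behind the third and fourth bullets, as an added example that is not code from the ZDI post or from SpiderMonkey: a helper that fills an array with push() can be intercepted by an accessor planted on Array.prototype, while a variant that defines own properties directly cannot, and an own index accessor on the prototype is what a defender would look for. The names gatherWithPush, gatherWithDefine, findIndexAccessors and runScenario are hypothetical.

```javascript
// Hypothetical "trusted" helper in the style of the built-in code described
// above: fills a fresh array with push(). push() performs [[Set]] on each
// index, and [[Set]] walks the prototype chain looking for an inherited setter.
function gatherWithPush(items) {
  const out = [];
  for (const item of items) out.push(item);
  return out;
}

// Hardened variant: [[DefineOwnProperty]] creates a data property directly on
// `out` and never consults inherited accessors, so prototype changes made in
// the caller's context cannot observe or swallow the write.
function gatherWithDefine(items) {
  const out = [];
  let i = 0;
  for (const item of items) {
    Object.defineProperty(out, i++, {
      value: item, writable: true, enumerable: true, configurable: true,
    });
  }
  return out;
}

// Defender's sanity check: an own accessor on Array.prototype under an
// index-like key is the tell-tale of this kind of pollution.
function findIndexAccessors(proto = Array.prototype) {
  return Object.getOwnPropertyNames(proto).filter((k) => {
    const d = Object.getOwnPropertyDescriptor(proto, k);
    return /^\d+$/.test(k) && (d.get !== undefined || d.set !== undefined);
  });
}

// Plant a setter for index "0" on Array.prototype, run the helper, record what
// the setter saw, and restore the environment afterwards.
function runScenario(gather) {
  let intercepted = null;
  Object.defineProperty(Array.prototype, "0", {
    configurable: true,
    set(v) { intercepted = v; }, // observe the write and drop it
  });
  try {
    const polluted = findIndexAccessors();
    const result = gather(["secret", "b"]); // constructed sample input
    return { intercepted, polluted, length: result.length, first: result[0] };
  } finally {
    delete Array.prototype[0];
    Array.prototype.length = 0; // defining index 0 bumped it to 1
  }
}

console.log(runScenario(gatherWithPush));   // push: index 0 never lands
console.log(runScenario(gatherWithDefine)); // define: write lands as intended
```

With the push-based helper the first element is silently handed to the planted setter and the resulting array has a hole at index 0; the define-based helper stores it as an own property regardless of what sits on the prototype.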