WebOS is the operating system used by LG TVs, so finding vulnerabilities in it may allow a TV to be compromised. The LG TV includes a built-in developer mode that lets users sideload applications from an SSH shell inside a chroot jail. These applications can contain either native code or HTML/JS.
V8 is the JavaScript and WebAssembly engine used by Chrome and other modern browsers. Since WebOS is heavily based on Chrome, attacking V8 is a good vector. Long before this article was written, the author noticed the heavy use of snapshot blobs. Snapshot blobs allow a previously created V8 context to be loaded dynamically to save startup time. So, what if we modified one at application load?
It turns out that V8 assumes snapshots are benign! Whatever the snapshot says about the V8 heap, such as the length of some buffer, is taken at face value. Using this primitive, we can trivially compromise the WebOS renderer and escalate our privileges out of the chroot jail.
The author also discusses V8 exploitation from a CTF challenge that had the same exact vulnerability, covering the overall exploit strategy and obtaining RWX memory in a JITed function. In general though, the author corrupts the snapshot to create easy addrof() and fakeobj primitives, then uses those to execute their own shellcode. To me, the interesting part was finding the bug in the first place.
With code execution in the context of WebOS's browser engine, we are looking good. However, this user does not run as root, so it is time for another LPE. In WebOS, /dev/mem is world writable! This gives direct access to the physical address space, which is the keys to the castle.
To actually exploit this, the author did a linear search of RAM for the struct cred belonging to their process. Once they found it, they elevated its credentials to root by writing to /dev/mem directly. Another trick they needed was to locate the physical addresses of interest by reading the contents of iomem_resource. Using this, they could find the proper task information and eventually modify the task associated with their process.
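Two defensive checks follow from the two findings above, the snapshot that V8 trusts blindly and the world-writable /dev/mem. This is an added example, not code from the write-up or from WebOS: it pins a snapshot blob to a SHA-256 digest before anything is allowed to deserialize it, and audits raw-memory device nodes for write access by "other". The blob bytes, the digest, the offset-10 "length" field and the path list are all constructed for the example; the real V8 snapshot layout is not modelled.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed stand-in for a V8 snapshot blob: a tag, a little-endian
# "length" field at offset 10, and padding. Not the real format.
SAMPLE_BLOB = b"V8SNAPSHOT" + (1234).to_bytes(4, "little") + b"\x00" * 32
# Digest a build pipeline would ship next to the app; computed from the
# sample here so the example runs offline.
PINNED_SHA256 = hashlib.sha256(SAMPLE_BLOB).hexdigest()


def snapshot_is_trusted(blob: bytes, pinned_hex: str) -> bool:
    """Gate deserialization on a pinned SHA-256. V8 takes heap metadata in
    a snapshot (e.g. buffer lengths) at face value, so integrity has to be
    established before the engine ever parses the bytes."""
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, pinned_hex)


def tamper_length_field(blob: bytes) -> bytes:
    """Model the corruption the write-up describes: inflate the "length"
    field at offset 10 to 0xFFFFFFFF and leave everything else intact."""
    out = bytearray(blob)
    out[10:14] = (0xFFFFFFFF).to_bytes(4, "little")
    return bytes(out)


def world_writable_nodes(paths=("/dev/mem", "/dev/kmem", "/dev/port")) -> list:
    """Return the device nodes whose mode grants write access to 'other'.
    A world-writable /dev/mem hands any local user the physical address
    space, which is the LPE step in the write-up."""
    offending = []
    for p in paths:
        try:
            mode = os.stat(p).st_mode
        except FileNotFoundError:
            continue  # node absent on this build: nothing to flag
        if mode & stat.S_IWOTH:
            offending.append(p)
    return offending


def audit_self_check() -> bool:
    """Exercise world_writable_nodes() on constructed temp files (modes
    0666 and 0600) so the check is validated without real device nodes."""
    with tempfile.TemporaryDirectory() as d:
        bad, good = os.path.join(d, "mem"), os.path.join(d, "port")
        for path, mode in ((bad, 0o666), (good, 0o600)):
            open(path, "wb").close()
            os.chmod(path, mode)
        return world_writable_nodes((bad, good, os.path.join(d, "nope"))) == [bad]
```

On a real device, `world_writable_nodes()` with its default paths is the one-line audit; `snapshot_is_trusted()` belongs in whatever loader hands the blob to V8.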
Overall, this is an interesting article that took a small oversight in the usage of snapshots and turned it into a privilege escalation. Good work!