Conference: DEF CON 31
Authors: Bohan Liu (Senior Security Researcher, Tencent); GuanCheng Li (Senior Security Researcher, Tencent Security Xuanwu Lab); Zheng Wang (Senior Security Researcher, Tencent Security Xuanwu Lab)
2023-08-01

Chromium is not only the most popular browser in the world but also one of the most widely integrated supply chain components. Nowadays a great deal of popular software is built on Chromium-based frameworks such as CEF and Electron, which means that vulnerabilities in Chromium directly affect that software. In addition, under Google's vulnerability disclosure policy, the details of most Chromium vulnerabilities are publicly disclosed 14 weeks after they are fixed, and many of these vulnerabilities are high-impact and may lead to RCE. Unfortunately, we have found that much downstream software is unable to fix Chromium vulnerabilities in a timely manner. This creates a window of opportunity for attackers to carry out RCE attacks on popular software. The cost for attackers to exploit these vulnerabilities during this window is relatively low, as it falls between the disclosure of the Chromium vulnerability and the completion of fixes in the popular software. We refer to this window as the "RCE window period". In this talk, we will first evaluate the "RCE window period" of more than 20 popular software products. We will then show how to turn Chromium n-day vulnerabilities into 0-day vulnerabilities in popular software at low cost within the "RCE window period", using more than 10 RCE 0-days that we have discovered in popular software as examples. Some software attempts to enable a sandbox to mitigate this problem, so we will also show how to bypass the sandbox by exploiting vulnerabilities in the software itself rather than a Chromium sandbox bug. Finally, we will discuss the reasons the RCE window period exists and the lessons learned from it, in the hope of helping software developers improve the security of their products.
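As an added illustration of the "RCE window period" described above (example code written for this page, not the speakers' tooling): given the Chromium version that first carries a fix, its patch and public-disclosure dates, and the release history of each downstream product, the script computes how long each product stayed exploitable after disclosure. The fix record, product names and version strings are constructed sample data, not real advisories; the 14-week gap between `patched` and `disclosed` mirrors the policy the abstract cites.

```javascript
// Added example, not from the talk. Computes per-product "RCE window period"
// from a Chromium fix record and constructed downstream release histories.

// Chromium versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
function parseChromiumVersion(v) {
  const parts = String(v).split('.').map(Number);
  if (parts.length !== 4 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a Chromium version: ${v}`);
  }
  return parts;
}

// Numeric comparison per component (string comparison would put 127 before 60).
function compareChromiumVersion(a, b) {
  const pa = parseChromiumVersion(a), pb = parseChromiumVersion(b);
  for (let i = 0; i < 4; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A bundled build is exposed if its Chromium predates the first fixed version.
function isExposed(bundledVersion, fixedInVersion) {
  return compareChromiumVersion(bundledVersion, fixedInVersion) < 0;
}

function daysBetween(fromIso, toIso) {
  return Math.round((Date.parse(toIso) - Date.parse(fromIso)) / 86400000);
}

// For each product, find the earliest release whose bundled Chromium is at or
// past fixedIn. The window runs from public disclosure of the Chromium bug to
// that release; a product fixed before disclosure has a zero-length window,
// and a product with no fixed release is still exposed (windowDays: null).
function rceWindows(fix, releases) {
  const out = {};
  for (const [product, list] of Object.entries(releases)) {
    const sorted = [...list].sort((x, y) => Date.parse(x.date) - Date.parse(y.date));
    const fixedRel = sorted.find(r => !isExposed(r.chromium, fix.fixedIn));
    out[product] = fixedRel
      ? { fixedOn: fixedRel.date, windowDays: Math.max(0, daysBetween(fix.disclosed, fixedRel.date)) }
      : { fixedOn: null, windowDays: null };
  }
  return out;
}

// Constructed sample data (hypothetical fix and products, not real advisories).
// 'disclosed' is 14 weeks after 'patched', matching the policy in the abstract.
const SAMPLE_FIX = { fixedIn: '100.0.4896.60', patched: '2022-03-29', disclosed: '2022-07-05' };
const SAMPLE_RELEASES = {
  appA: [{ date: '2022-03-15', chromium: '99.0.4844.51' },
         { date: '2022-08-20', chromium: '102.0.5005.148' }],
  appB: [{ date: '2022-05-01', chromium: '100.0.4896.75' }],
  appC: [{ date: '2022-06-01', chromium: '98.0.4758.102' }],
};

console.log(JSON.stringify(rceWindows(SAMPLE_FIX, SAMPLE_RELEASES), null, 2));
```

In practice the bundled version comes from the product itself (`process.versions.chrome` inside an Electron renderer, or the CEF DLL's file version), and the `fixedIn` value from the Chromium release notes for the bug in question.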
Conference: Black Hat Asia 2023
Authors: Ziling Chen, Nan Wang, Hongli Han
2023-05-12

Nowadays, multiple mitigation mechanisms have gradually been added to Google Chrome to reduce the traditional RCE attack surfaces (e.g., V8 and Blink), which greatly increases the difficulty of attack. Besides these well-known attack surfaces, we found that SQLite can be accessed directly by remote attackers via the Chrome WebSQL API. In this talk, we will present a mutation-based fuzzer targeting WebSQL. By leveraging additional syntax-tree and context analysis, the fuzzer substantially improves the syntactic and semantic correctness of the generated SQL samples, and it has uncovered new vulnerabilities in WebSQL. Most of the acknowledged CVEs related to WebSQL since the SQL statement whitelist restriction in Chrome WebSQL was strengthened in 2020 were discovered by our fuzzer. Furthermore, the identified vulnerabilities were all rated as high severity. We will also share the details and exploits of these vulnerabilities.
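The abstract's central technique, generating SQL by mutating a syntax tree under a schema context rather than mutating text, can be sketched in a few dozen lines. The following is an added example written for this page, not the speakers' fuzzer: it keeps a constructed table schema (`users`, `logs`), builds a small SELECT AST, mutates only at the tree level, and checks every literal against its column's type so the emitted statement is both parseable and semantically valid. The seeded PRNG (mulberry32) is there so a crashing input can be replayed from its seed; a real harness would hand `toSql()` output to `executeSql()` inside a WebSQL transaction in Chrome.

```javascript
// Added example, not the speakers' code: a minimal schema-aware, AST-level
// mutation generator for SELECT statements in the spirit of the WebSQL fuzzer.

// Deterministic PRNG (mulberry32) so any fuzz run can be replayed from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed schema context: column types decide which literals and operators
// are legal, which is the "context analysis" part of the technique.
const SCHEMA = {
  users: { id: 'INTEGER', name: 'TEXT', score: 'REAL' },
  logs:  { id: 'INTEGER', user_id: 'INTEGER', msg: 'TEXT' },
};

function pick(rng, arr) { return arr[Math.floor(rng() * arr.length)]; }

// Expression nodes: {type:'cmp', col, op, val} or {type:'and', l, r}.
function genExpr(rng, table, depth = 0) {
  if (depth < 2 && rng() < 0.3) {
    return { type: 'and', l: genExpr(rng, table, depth + 1), r: genExpr(rng, table, depth + 1) };
  }
  const col = pick(rng, Object.keys(SCHEMA[table]));
  const ty = SCHEMA[table][col];
  // Only compare a column against a literal of its own type, with an operator
  // that makes sense for that type (LIKE only on TEXT).
  const val = ty === 'TEXT' ? `'${pick(rng, ['a', 'bob', ''])}'`
            : ty === 'REAL' ? (rng() * 100).toFixed(2)
            : String(Math.floor(rng() * 1000));
  const op = ty === 'TEXT' ? pick(rng, ['=', '!=', 'LIKE']) : pick(rng, ['=', '<', '>', '<=']);
  return { type: 'cmp', col, op, val };
}

// Statement node: {type:'select', table, cols:[...], where: expr|null}.
function genSelect(rng) {
  const table = pick(rng, Object.keys(SCHEMA));
  const cols = Object.keys(SCHEMA[table]).filter(() => rng() < 0.6);
  if (cols.length === 0) cols.push('*');
  return { type: 'select', table, cols, where: rng() < 0.8 ? genExpr(rng, table) : null };
}

// Mutations operate on the tree, never on the text, so the result stays parseable
// and every column still resolves against the statement's own table.
function mutate(rng, ast) {
  const m = { ...ast };
  const choice = Math.floor(rng() * 3);
  if (choice === 0 || !m.where) {
    m.where = genExpr(rng, m.table);                            // replace WHERE
  } else if (choice === 1) {
    m.where = { type: 'and', l: m.where, r: genExpr(rng, m.table) }; // extend WHERE
  } else {
    m.cols = [pick(rng, Object.keys(SCHEMA[m.table]))];          // change projection
  }
  return m;
}

function exprToSql(e) {
  if (e.type === 'and') return `(${exprToSql(e.l)} AND ${exprToSql(e.r)})`;
  return `${e.col} ${e.op} ${e.val}`;
}

function toSql(ast) {
  let s = `SELECT ${ast.cols.join(', ')} FROM ${ast.table}`;
  if (ast.where) s += ` WHERE ${exprToSql(ast.where)}`;
  return s + ';';
}

// Semantic check: every referenced column exists in the table and every literal
// matches its column's type (quoted iff the column is TEXT).
function isSchemaConsistent(ast) {
  const cols = SCHEMA[ast.table];
  if (!cols) return false;
  if (!ast.cols.every(c => c === '*' || c in cols)) return false;
  const ok = e => e.type === 'and' ? ok(e.l) && ok(e.r)
    : (e.col in cols) && ((cols[e.col] === 'TEXT') === e.val.startsWith("'"));
  return ast.where === null || ok(ast.where);
}

// Produce n successive mutants from a single seed.
function fuzzCorpus(seed, n) {
  const rng = mulberry32(seed);
  const out = [];
  let ast = genSelect(rng);
  for (let i = 0; i < n; i++) { ast = mutate(rng, ast); out.push(ast); }
  return out;
}

for (const ast of fuzzCorpus(42, 5)) console.log(toSql(ast));
```

Mutating the tree rather than the string is what keeps the corpus useful: a byte-level mutator spends most of its budget on statements the SQL parser rejects before any interesting code runs, while a typed AST with a schema context keeps every sample past the parser and into query planning and execution, where the bugs the abstract refers to live.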
Conference: Black Hat Asia 2023
Authors: Xu Yuanzhen, Peter Mularien
2023-05-12

It is well known that the Java language has an integrated ecosystem. With the development of cloud computing, more and more cloud-native systems consist of Java applications, and in the meantime a potential new attack surface for Java applications has quietly emerged. Some cloud data platforms supply users with customized database management services so that users can use those services flexibly. Java Database Connectivity (JDBC) is a fundamental component of the Java environment and is used to implement database connection and manipulation. I paid close attention to this scenario and then discovered the new attack surface. We spent a long time researching the mainstream vendors and their JDBC drivers, such as Google, IBM, etc. In this research, we will elaborate on both static and dynamic source code analysis, including useful techniques such as accurately locating sinks, and we will then demonstrate new gadgets for SSRF and RCE vulnerabilities. We will also present real-world attack scenarios and detection evasion.