The latest efforts to harden software against exploitable memory corruption vulnerabilities come in the form of hardware-assisted control flow integrity and pointer authentication. Most notably, these ISA extensions are commonly referred to as Pointer Authentication (PAC) on ARM and Control-flow Enforcement Technology (CET) on Intel.

With a growing number of consumer devices embracing this generation of security mitigations, it is naturally a point of interest for security enthusiasts to become familiar with how to bypass these hardening technologies. In this post, we will cover the basics of exploiting a simple ‘Hello World!’ buffer overflow against an interactive PAC protected ARM64 binary hosted on our browser-based educational platform.

PAC thwarting a classic stack buffer overflow

In this post we will examine a vulnerability in the WebAssembly subsystem of JavaScriptCore, the JavaScript engine used in WebKit and Apple Safari. The issue was patched in Safari 14.1.1. This vulnerability was discovered through source review and weaponized to achieve remote code execution in our Pwn2Own 2021 submission. A future post will detail the kernel mode sandbox escape.

Debugging is traditionally a tedious, monotonous endeavor. While some people love the archaeological process of using a debugger to uncover software defects or perform tasks in software reverse engineering, virtually everyone agrees that the tools have started to show their age against modern software.

Our methods of runtime introspection are still hyper-focused on individual states of execution. This is a problem because software has grown dramatically more complex, requiring more context and ‘situational awareness’ to properly interpret. The emergence of timeless debugging has alleviated some of these growing pains, but these solutions are still built around conventional methods of inspecting individual states rather than how they relate to one another.

I am open sourcing Tenet, an IDA Pro plugin for exploring execution traces. The goal of this plugin is to provide more natural, human controls for navigating execution traces against a given binary. The basis of this work stems from the desire to research new or innovative methods to examine and distill complex execution patterns in software.

Tenet is an experimental plugin for exploring software execution traces in IDA Pro

Recently, we blogged about the Hex-Rays microcode that powers the IDA Pro decompiler. We showed how a few days spent hacking on the microcode API could dramatically reduce the cost of certain reverse engineering tasks. But developing for the microcode API can be challenging due to the limited examples to crib from, and the general complexity of working with decompiler internals.

Today, we are publishing a developer-oriented plugin for IDA Pro called Lucid. Lucid is an interactive Hex-Rays microcode explorer that makes it effortless to study the optimizations of the decompilation pipeline. We use it as an aid for developing and debugging microcode-based augmentations.

Lucid is a Hex-Rays microcode explorer for microcode plugin developers

Recently I came across a special binary that was compiled to run on a fixed, well-defined set of modern computer hardware. This rather large binary performs many physics simulations via floating-point computations, emitted strictly as instructions from Intel’s Advanced Vector Extensions (AVX).

While IDA Pro has excellent support decompiling ‘legacy’ SSE (floating-point) instructions, it makes no effort to generate higher level pseudocode for AVX instructions. In this post, we will demonstrate how the Hex-Rays decompiler can be extended to support new or otherwise unsupported instructions using the microcode API.

The practical application of this research has been packaged and released as a plugin called MicroAVX.

Decompiling AVX instructions by extending the Hex-Rays decompiler

Lighthouse is a powerful code coverage plugin for IDA Pro and Binary Ninja. As an extension of the leading disassemblers, Lighthouse enables one to interactively explore code coverage data in new and innovative ways when symbols or source may not be available for a given binary.

This post documents the long overdue release of Lighthouse v0.9 – the largest update in the project’s history. The major additions include full Python 2/3 compatibility, support for loading simpler coverage file formats, the ability to cross-reference coverage, custom user-defined themes, and a huge refactor to properly support Binary Ninja 2.0.

Binary Ninja & IDA Pro using different Lighthouse themes

Beneath the surface, the modern web is made possible only through a growing labryinth of technology standards. Standards are designed to govern the interoperability of technology and data. Web standards are both among the most broadly adopted and rapidly evolving, with changes often leading to heated debate amongst browser vendors, web developers, and consumers alike.

In this blogpost, we will detail how a well-defined and universally adopted web standard can be considered harmful when followed blindly. Abusing this issue, we demonstrate practical remote exploitability in a (now fixed) “steal all the money” attack against a popular cryptocurrency service.

Over the past several years, we have watched the Capture The Flag circuit mature in both complexity and creativity. The best CTF’s strive to push the envelope, but the skill cap of the active community has risen with it. As the lines begin to blur between a game and actuality, CTF challenges are more frequently having an impact on the real-world [1, 2, 3].

Last month while playing in the qualification round of DEFCON CTF 2019, we identified asymmetric behavior within Intel’s Transactional Synchronization Extensions (TSX). In this blogpost we will discuss how we were able to leverage this subtle issue to perform a simple, yet novel, CPU-level attack.

Modeling an attack against the CPU to escape a TSX-based machine-code jail

Lighthouse is an open source code coverage explorer designed for security professionals. This post documents the landmark release of Lighthouse v0.8, most notably introducing support for Binary Ninja, a more consistent cross-platform user experience, and countless other features, tweaks, and bugfixes.

To give some perspective, over 35 files (of ~40) that make up the core plugin were modified. The journey from Lighthouse v0.7 to v0.8.1 consists of a long and twisted ~96 commits, making up a third of the entire project’s commit history. Under the hood, multiple components of the project underwent substantial changes.

A gource visualization of the code contributions behind Lighthouse v0.8

The shortage of proficient cyber operators in a world now dependent on connectivity and information has left nations scrambling to build capabilities in a volatile and high stakes race for digital arms. Despite the availability of near infinite capital, the industry finds itself bottlenecked by a scarcity of experts. This deficit has been further aggravated by the increasing complexity of the field, and lack of upstream educational investments.

As strong advocates of security education, we’ve dedicated time towards developing a number of unique technologies to help address this widening deficit. We demonstrate how these tools can be used to educate larger, less specialized demographics, improve student-autonomy, and scale the security workforce to meet market demands.

The browser-based lab workspace for the RET2 Wargames Platform

As the sixth and final post of our Pwn2Own 2018 series, we document the long and twisted road of weaponizing CVE-2018-4193 to exploit the macOS WindowServer. Serving as a memory-corruption based privilege escalation to root, this was used as a zero-day to escape the Safari sandbox on macOS 10.13.3.

First, we will describe the constraints of our discovered vulnerability. We then cover the tools and techniques used to discover interesting corruption targets compatible with our vulnerability, followed by a detailed walkthrough of the exploit as developed for Pwn2Own 2018. Finally, we publish the source to our complete exploit at the end of the post, offering a challenge and reward for the community to build a better exploit.

Demonstrating the standalone macOS 10.13.3 WindowServer privilege escalation to root (~90s)

When exploiting real world software or devices, achieving arbitrary code execution on a system may only be the first step towards total compromise. For high value or security conscious targets, remote code execution is often succeeded by a sandbox escape (or a privilege escalation) and persistence. Each of these stages usually require their own entirely unique exploits, making some weaponized zero-days a ‘chain’ of exploits.

Considered high risk consumer software, modern web browsers use software sandboxes to contain damage in the event of remote compromise. Having exploited Apple Safari in the previous post, we turn our focus towards escaping the Safari sandbox on macOS in an effort to achieve total system compromise.

Using Frida to fuzz the macOS WindowServer from the lockscreen

Software bugs come in many shapes and sizes. Sometimes, these code defects (or ‘asymmetries’) can be used to compromise the runtime integrity of software. This distinction is what helps researchers separate simple reliability issues from security vulnerabilities. At the extreme, certain vulnerabilities can be weaponized by meticulously exacerbating such asymmetries to reach a state of catastrophic software failure: arbitrary code execution.

In this post, we shed some light on the process of weaponizing a vulnerability (CVE-2018-4192) in the Safari Web Browser to achieve arbitrary code execution from a single click of an unsuspecting victim. This is the most frequently discussed topic of the exploit development lifecycle, and the fourth post in our Pwn2Own 2018 series.

A weaponized version of CVE-2018-4192, executing arbitrary code against JavaScriptCore in early 2018

In software security, root cause analysis (RCA) is the process used to “remove the mystery” from irregular software execution and measure the security impact of such asymmetries. This process will often involve some form of user controlled input (a Proof-of-Concept) that causes a target application to crash or misbehave otherwise.

This post documents the process of performing root cause analysis against a non-deterministic bug we discovered while fuzzing JavaScriptCore for Pwn2Own 2018. Utilizing advanced record-replay debugging technology from Mozilla, we will identify the underlying bug and use our understanding of the issue to speculate on its exploitability.

Using Mozilla's rr, one can place a memory breakpoint, and run an execution trace backwards

Vulnerability discovery is the first stage of the exploit development lifecycle. The duration of this phase is open-ended because the search space, code quality, and evaluation process for a given target can vary wildly. Deciding between manual and automated vulnerability discovery is often a question of priorities and can be difficult to balance effectively.

As part two of our Pwn2Own 2018 blogpost series, we will discuss our methodology of researching a complex software target (the Safari Web Browser), narrowing our scope of evaluation, selecting a vulnerability discovery strategy, and developing a browser fuzzer unique to this engagement.

A snippet of a JavaScript testcase generated by our grammar based JS fuzzer

For a top-level discussion of this blog series and our entire Pwn2Own 2018 exploit-chain, check out part one.

Pwn2Own is an industry-level security competition organized annually by Trend Micro’s Zero Day Initiative. Pwn2Own invites top security researchers to showcase zero-day exploits against high-value software targets such as premiere web browsers, operating systems, and virtualization solutions.

We were interested in participating for the first time this year, choosing to target Apple Safari on macOS because the software & platform was one that we had not worked with before.

For the purpose of this competition, we discovered and exploited two previously unknown vulnerabilities in Apple software to achieve remote code execution as root through a single click in the Safari Web Browser.

Joshua Smith from ZDI evaluating our submitted zero-day at Pwn2Own 2018

At RET2, we take pride in the breadth and depth of the security research that we perform. Our passion and pursuit of niche subjects has taken us through all walks of the industry. In each new space we touch on, we hope to leave it having made some measurable innovation. But as interest fades, we oftentimes archive this work and move on.

This past weekend, we encountered a candid opportunity to publicly exercise some of our previously unpublished research and technology. Specifically, this blogpost will detail the practical application of an interactive decompiler we wrote for the Ethereum bytecode.

We demonstrate how this technology trivialized the reverse engineering of a closed source smart contract for the qualification round of DEFCON CTF 2018, continuing our narrative on the importance of interactive security tooling.

Decompiling the EVM bytecode from within Binary Ninja

It has been about two months since I pushed out the previous update to Lighthouse, a code coverage plugin for IDA Pro. Overdue for an update, I spent the past several days adding new features to the plugin, addressing feedback, and fixing up bugs that have accumulated since the v0.6 release.

This post marks the release of Lighthouse v0.7 - Big ticket changes include Frida support, a right click context menu, improved usability for large IDB’s, C++ name demangling and a multitude of other tweaks + bugfixes.

Lighthouse v0.7 comes with a right click context menu and function prefixing capabilities

Traditional (assembly level) reverse engineering of software is a tedious process that has been made far more accessible by modern day decompilers. Operating only on compiled machine code, a decompiler attempts to recover an approximate source level representation.

'... and I resisted the temptation, for years. But, I knew that, if I just pressed that button ...' --Dr. Mann (Interstellar, 2014)

There’s no denying it: the science and convenience behind a decompiler-backed disassembler is awesome. At the press of a button, a complete novice can translate obscure ‘machine code’ into human readable source and engage in the reverse engineering process.

The reality is that researchers are growing dependent on these technologies too, leaving us quite exposed to their imperfections. In this post we’ll explore a few anti-decompilation techniques to disrupt or purposefully mislead decompiler-dependent reverse engineers.

ripr is a plugin for Binary Ninja that automatically extracts and packages snippets of machine code into a functionally identical python class backed by Unicorn-Engine. This allows one to quickly and easily reuse logic embedded in binaries, from python.

In the past two weeks, I’ve found time to revisit the project, add several new features, and fix a number of bugs. This blogpost will touch on some of the major updates to ripr.

Generating a python class with ripr

New features include: Automatic Function Argument Mapping, a “Basic Block” mode, and an uninitialized variable detection analysis. Additionally, ripr’s dependency on PyQt5 has been removed.

October 13th marked the conclusion of FireEye’s fourth annual Flare-On Challenge. Every year the Flare-On challenge attracts thousands of hackers, security researchers, and enthusiasts alike in a race to solve a diverse suite of increasingly difficult reverse engineering challenges.

The eleventh challenge (second to last) presented itself as a single PE32 with a subleq based virtualized obfuscator, an architecture consisting of only a single instruction.

Dumping the subleq assembly for the challenge

Some of you will find this eerily reminiscent of movfuscator, a toy compiler by domas which implements a subset of the x86 instruction set using only the mov instruction.

In this post I’ll detail a practical approach towards untangling this challenge. We will implement a custom architecture plugin for Binary Ninja, and then proceed to augment it with some basic reasoning to de-obfuscate the challenge.

Lighthouse is a code coverage plugin for IDA Pro. Last week I promoted the github development branch to master and tagged the release as Lighthouse v0.6. This post details some of its noteworthy changes.

Highlights for this release include a Lighthouse compatible Intel pintool, cyclomatic complexity metrics, batch loading, and a number of important bugfixes.

Lighthouse is a plugin to explore and visualize externally collected code coverage in IDA Pro

/SUBSYSTEM:POSIX

You’ve seen it before, haven’t you? It’s strange. It’s like a face you passed on the street but can’t quite place. Was it déjà vu? A doppelganger? Maybe the first time you saw it it was in a sea of linker flags on MSDN, or perhaps when fumbling around with the project settings in Visual Studio some years ago.

You lingered for an extra second thinking “What on earth…?” while your eyes glazed over in reverie.

POSIX Subsystem Linker Flag in Visual Studio 2015

An artifact of evolution and monument to supporting legacy software. It was built by the ancients, forgotten, and left for new generations to rediscover.

No, this isn’t the new Windows Subsystem for Linux. Beneath this flag lay the classic POSIX Subsystem on Windows.