Summary: While fuzzing webkit the UIProcess subsystem in WebKit, as used in WebKitGTK through 2.23.90 and WebKitGTK+ through 2.22.6 and other products, does not prevent the script dialog size from exceeding the web view size, which allows remote attackers to cause a denial of service (Buffer Overflow) or possibly have unspecified other impact, related to files such as UIProcess/API/gtk/WebKitScriptDialogImpl.cpp and UIProcess/API/gtk/WebKitWebViewGtk.cpp.
System Specifications: My setup was done using Ubuntu 16.04 LTS (my base OS). You can use macOS as well as it has Xcode and Safari by default. If you are using Ubuntu in VM please allocate as much memory and CPUs as possible.
Source Code: You can download webkit source code from here or simply git:
cmd: git clone git://git.webkit.org/WebKit.git webkit
Before you build webkit make sure to install necessary dependencies, it will require a lot of trial and error while installing the dependencies but perseverance always wins.
cmd: ./Tools/gtk/install-dependencies
Build: To build webkit in macOS use,
cmd: ./Tools/Scripts/build-webkit
cmd: mkdir build
cd build
CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 ../
ninja
For ASAN:
Enabling ASAN or MSAN flags to see runtime bugs while building the packages.
cmd: -DCMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=leak -g"
The compilation of webkit is a time and memory consuming task, make sure you don't run out of patience. Once successfully build you can test by running safari or providing the path of any webkit application.
cmd: ./Tools/Scripts/run-safari
cmd: ./Tools/Scripts/run-webkit-app
Start fuzzing: From the /build directory you can run fuzzer[1]
cmd: ./fuzz/cert -max_len=1000 -jobs=32 -workers=32 ../fuzz/cert_corpus/
This is one of the methods to fuzz webkit, while running the libFuzzer continuously for multiple days, I did not observe any crashes or hangs. The reason being there are many researchers out there who have fuzzed webkit and reported several bugs in past. (and I've just started..)
Now what?
I started researching more about webkit and found out that "epiphany-browser" utilizes the webkit browser engine, I thought that this browser might have been untouched in terms of fuzzing by a lot of the researchers, hence this time I used AFL to fuzz epiphany. For test-cases, I used domato from google project zero (A DOM fuzzer) to provide input to AFL
Source code: Epiphany Browser
With AFL:
cmd: mkdir build && cd build
CC=afl-gcc meson --default-library=static ../
AFL_HARDEN=1 ninja
Once done you can start fuzzing epiphany with AFL.
cmd: afl-fuzz -i in/ -o out/ binary @@
I let AFL running for 4 days and observed 16 crashes, among those 7 were unique crashes and 4 were hangs (Happy face). I started analyzing the observed hangs. One of the PoC from AFL freezes the epiphany browser by causing the UI process to terminate and below debug traces were left.
Rather than using AFL PoC every time, I generated my own test-case as I just needed to pass some random characters in native UI windows to produce this hang.
Metasploit module: It is a denial of service vulnerability and you can simply use RemoteHTTPServer to write a quick MSF module for this.
In the past, I have created BFuzz (DOM Fuzzer) which automates the task of generating multiple test-cases using domato, which can be further used to fuzz browsers of your choice.
However, there are still 7 unique crashes and 3 hangs which I haven't analyzed yet, that may be covered in one of my upcoming blog posts.
System Specifications: My setup was done using Ubuntu 16.04 LTS (my base OS). You can use macOS as well as it has Xcode and Safari by default. If you are using Ubuntu in VM please allocate as much memory and CPUs as possible.
Source Code: You can download webkit source code from here or simply git:
cmd: git clone git://git.webkit.org/WebKit.git webkit
Before you build webkit make sure to install necessary dependencies, it will require a lot of trial and error while installing the dependencies but perseverance always wins.
cmd: ./Tools/gtk/install-dependencies
Build: To build webkit in macOS use,
cmd: ./Tools/Scripts/build-webkit
cmd: mkdir build
cd build
CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 ../
ninja
For ASAN:
Enabling ASAN or MSAN flags to see runtime bugs while building the packages.
cmd: -DCMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=leak -g"
The compilation of webkit is a time and memory consuming task, make sure you don't run out of patience. Once successfully build you can test by running safari or providing the path of any webkit application.
cmd: ./Tools/Scripts/run-safari
cmd: ./Tools/Scripts/run-webkit-app
Start fuzzing: From the /build directory you can run fuzzer[1]
cmd: ./fuzz/cert -max_len=1000 -jobs=32 -workers=32 ../fuzz/cert_corpus/
This is one of the methods to fuzz webkit, while running the libFuzzer continuously for multiple days, I did not observe any crashes or hangs. The reason being there are many researchers out there who have fuzzed webkit and reported several bugs in past. (and I've just started..)
Now what?
I started researching more about webkit and found out that "epiphany-browser" utilizes the webkit browser engine, I thought that this browser might have been untouched in terms of fuzzing by a lot of the researchers, hence this time I used AFL to fuzz epiphany. For test-cases, I used domato from google project zero (A DOM fuzzer) to provide input to AFL
Source code: Epiphany Browser
With AFL:
cmd: mkdir build && cd build
CC=afl-gcc meson --default-library=static ../
AFL_HARDEN=1 ninja
Once done you can start fuzzing epiphany with AFL.
cmd: afl-fuzz -i in/ -o out/ binary @@
I let AFL running for 4 days and observed 16 crashes, among those 7 were unique crashes and 4 were hangs (Happy face). I started analyzing the observed hangs. One of the PoC from AFL freezes the epiphany browser by causing the UI process to terminate and below debug traces were left.
(epiphany:4423): Gdk-WARNING **: Native Windows wider or taller than 32767 pixels are not supported Gdk-Message: Error 71 (Protocol error) dispatching to Wayland displayLooking at the above traces I came to the conclusion that the native UI window cannot open dialog boxes more than 32767 pixels.
Rather than using AFL PoC every time, I generated my own test-case as I just needed to pass some random characters in native UI windows to produce this hang.
<script>
var a = '';
for (var i = 1; i <= 5000; i++)
{
a += 'A';
}
alert(a);
</script>
You can run the above JS on a vulnerable version of epiphany browser to test this issue. I went ahead and found that WebKitScriptDialogGtk.cpp along with WebKitScriptDialogImpl.cpp & WebKitWebViewGtk.cpp from webkit source code are responsible for this issue and figured out the below snippet of code from WebKitScriptDialogGtk.cpp was the source of the vulnerability.static GtkWidget* webkitWebViewCreateJavaScriptDialog(WebKitWebView* webView, GtkMessageType type, GtkButtonsType buttons, int defaultResponse, const char* primaryText, const char* secondaryText = nullptr)
{
GtkWidget* parent = gtk_widget_get_toplevel(GTK_WIDGET(webView));
GtkWidget* dialog = gtk_message_dialog_new(WebCore::widgetIsOnscreenToplevelWindow(parent) ? GTK_WINDOW(parent) : nullptr,
GTK_DIALOG_DESTROY_WITH_PARENT, type, buttons, "%s", primaryText);
if (secondaryText)
gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(dialog), "%s", secondaryText);
GUniquePtr<char> title(g_strdup_printf("JavaScript - %s", webkitWebViewGetPage(webView).pageLoadState().url().utf8().data()));
gtk_window_set_title(GTK_WINDOW(dialog), title.get());
if (buttons != GTK_BUTTONS_NONE)
gtk_dialog_set_default_response(GTK_DIALOG(dialog), defaultResponse);
return dialog;
}
After that I submitted this bug in webkit, the issue was patched and CVE-2019-8375 was assigned which states "This allows remote attackers to cause a denial of service (Buffer Overflow) or possibly have unspecified other impact."Metasploit module: It is a denial of service vulnerability and you can simply use RemoteHTTPServer to write a quick MSF module for this.
In the past, I have created BFuzz (DOM Fuzzer) which automates the task of generating multiple test-cases using domato, which can be further used to fuzz browsers of your choice.
However, there are still 7 unique crashes and 3 hangs which I haven't analyzed yet, that may be covered in one of my upcoming blog posts.