Pwn2Own 2013 - Java 7 SE Memory Corruption.pdf

《Pwn2Own 2013 - Java 7 SE Memory Corruption.pdf》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、Pwn2Own2013:Java7SEMemoryCorruptionMay21,2013Revision:1.0IntroductionInMarch2013,duringtheannualPwn2OwncompetitionatCanSecWest,AccuvantLABS’JoshuaJ.DrakedemonstratedasuccessfulattackagainstOracle’sJavaRuntimeEnvironment(JRE).Thedemonstrationprovedexploitingmemoryc

2、orruptionvulnerabilitiesinOracle’sJRE7isstillpossibledespitemodernexploitmitigations.Thispostaimstodocumenthisparticipationintheeventaswellasthegrittytechnicaldetailsoftheexploitusedintheattack.Webeginbydiscussingsomebackgroundoftheeventandthechosentarget.Next,wed

3、etailthespecificimplementationissuesthatallowedasuccessfulcompromise.Afterthat,wediscusstheexploitationprimitivesprovidedbytheseissues.Finally,wetakeatechnicaldeepdiveintothespecifictechniquesusedtoachievearbitrarycodeexecution.th1NOTE:TheseissueswereaddressedinJa

4、va7Update21whichwasreleasedonApril16,2013.Ifyouhavenotupdated(oreliminated)yourJavainstallations,pleasetakethetimetodosobeforereadingon.Pwn2Own2013BackgroundEachyear,theZeroDayInitiative(ZDI)folkshostacompetitionattheCanSecWestconference.Inthisevent,competitorshav

5、ethechancetowinbigprizesinexchangefordemonstratingworkingexploitsagainststateoftheartconsumercomputersystems.Therulesandprizeamountschangeeachyear.Thisyearincludedanimpressivelistoftargetswithacorrespondinglyattractivetarget-specificprize2packageforeach.Earlyinthe

6、contest,theZDIteamdrewthenamesoftheregisteredparticipantstodeterminetheorderinwhichtheywillbegivenachancetowin.Manyresearchersdislikethisaspectofthegamesincepeoplegenerallydonotregisterunlesstheirexploitiscertaintosucceed.Hencethefirstpersontogotypicallywins.Manyr

7、esearcherseventwentsofarastocallthis“Rand2Pwn”,orsimilar.However,thisyeartheZDIteamdecidedtoawardallregisteredparticipantsthatwereabletodemonstrateaworkingexploit.Combinedwithincreasedprizeamounts,thesechangeswilllikelyincreaseparticipationandmakeforamoreexcitinga

8、ndrewardingeventgoingforward.Target:OracleJRE3HavingdonesignificantpriorresearchintomemorycorruptionvulnerabilitiesinOracle’sJavaRuntime,itwasnosurprise