Skypher » Chrome

Apple QuickTime memory corruption when loading BMP file

SkyLined — Mon, 12 Apr 2010 11:53:01 +0000

From http://support.apple.com/kb/HT4104:
CVE-ID: CVE-2010-0536

Impact: Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in the handling of BMP images. Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of BMP images.

More details here:
http://code.google.com/p/skylined/issues/detail?id=11

Advances in heap spraying #1: when size matters.

SkyLined — Mon, 18 Jan 2010 15:08:02 +0000

http://skypher.com/SkyLined/heap_spray/small_heap_spray_generator.html

I’ve created a heap-spray generator. It generates a small piece of JavaScript that sprays the heap using the following customizable settings:

Shellcode, easy to enter using hexadecimal byte values (see also BETA3).

Target address and block size.

heap header size based on target browsers or manual value.

The resulting code is smaller than any heap-spray I’ve seen in the wild:

The heap-spray code itself is just over 70 bytes.

The shellcode can be encoded using a custom-build 7-bit encoding.

Most exploits contain shellcode encoded as “\uXXXX” or even “%uXXXX”. The resulting encoded shellcode data contains 3 bytes for every byte in the original shellcode. Because this is very wasteful, it is quite easy to improve on this by creating a custom en-/decoder. The “7-bit” encoding I created converts the 16-bit characters in the unicode string that contains the shellcode to a series of 7-bit values, which are encoded into latin-1 characters. The resulting encoded shellcode data contains only 1.125 bytes for every byte in the shellcode, a saving of almost 63% compared to conventional encodings.
The heap-spray will of course need some additional code to decode the shellcode, so the combined code+data will only be smaller for large enough shellcodes. Because my decoder is also rather small (just under 130 bytes), the break-even point is just under 70 bytes of shellcode. For a a 100 byte shellcode, you save about 50 bytes and for a 200 bytes shellcode, you save about 200 bytes!

You can try out the heap-spray generator here.

Cross browser parallel asynchronous XMLHttpRequests with timeout.

SkyLined — Tue, 29 Sep 2009 20:50:33 +0000

AsyncXMLHttpRequest is an extension of XMLHttpRequest with the following improvements:

Uniform behavior on multiple different browsers (Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera).

Event handlers are called with the AsyncXMLHttpRequest object to which they apply as the first argument. This makes it easy to have multiple parallel requests because there is no need to find out for which object an event has fired.

A timeout attribute can be set to a number of milliseconds , the request is aborted if it didn’t complete within the given number of milliseconds after calling send().

A timedout attribute has been added that is false as long as the request has not been aborted because of a time out and true when it has.

Arguments passed to the open() and send() methods are saved in attributes of the object for later reference. These attributes are: method, url, user and password for open() and body for send().

Three additional events have been added: onload, onerror and ontimeout. These are called when the readyState has changed to 4 and the request has, respectively, succeeded (no timeout, status == 2xx), failed (no timeout, status != 2xx) or has timed out.

Cross Browser Uniform Behavior
To make AsyncXMLHttpRequest work uniformly across different browsers, it catches and handles some exceptions that are throw in some browsers, but not in others. Specifically, Firefox, MSIE and Opera throw exceptions when calling the open() and send() methods for certain invalid or cross-origin urls. If any of these exceptions are caught and handled, the request will fail similar to other browser by having status == 0 after the readyState has changed to 4.

Parallel Requests
To allow any number of parallel requests to take place and still keep track of which request is in what state, all event handlers are passed the AsyncXMLHttpRequest object to which they apply. In other words, when a certain AsyncXMLHttpRequest object is done (readyState == 4), the onreadystatechange event handler is called with the AsyncXMLHttpRequest object to which it applies as the first argument of the call.

Source
Available through Google code.

Example
This example shows that you can create any number of parallel requests (the browser or OS may have a built in limit) without having to keep track of which object an event is firing for because it is passes as an argument to the event handler:

Security contacts

SkyLined — Wed, 10 Dec 2008 17:52:49 +0000

I’ve created a table with contact information for security teams for mayor software vendors. I’m hoping you’ll find the information useful when you’re trying to report a vulnerability. If you have any more contact information or find an error in the list, let me know.

The list is here:
http://skypher.com/wiki/index.php?title=List_of_security_teams_contact_information

Google Chrome released

SkyLined — Thu, 04 Sep 2008 11:42:22 +0000

Finally I can talk about what I’ve been doing since I left Microsoft: I’ve been working on security for Google Chrome; trying to find as many vulnerabilities before we shipped the beta. In the process I’ve found plenty of bugs in other browsers as well . I’m looking forward to the first real externally found security vulnerability; there have been some reports about crashes but nothing that allows an attacker to completely compromise the machine… we’ll see what happens!