Naenara Browser 3.5 exploit (JACKRABBIT)

Naenara is a North Korean intranet web browser software developed by the Korean Computer Center for use of the national Kwangmyong intranet. It is developed from a version of Mozilla Firefox that is distributed with the Linux-based operating system Red Star OS which North Korea developed due to licensing and security issues with Microsoft Windows. The team at Hacker House have previously identified a number of vulnerabilities within both the OS and it’s browser which can be leveraged for Computer Network Attacks (CNA), today we will look at a more interesting exploitation example. A uninitialized memory use vulnerability in Naenara Browser which leverages modern browser exploitation techniques to achieve a high reliability rating and bypass NX & ASLR. As the Naenara browser makes use of FireFox code as a base it is also affected by the same vulnerabilities that impact on FireFox 3.5. We decided to exploit CVE-2009-2477 which makes use of uninitialized memory through the JIT engine via escape(). Public exploits for this flaw exist which target Windows environments, as RedStar OS is Linux based we had to write our own exploit for this bug. This makes RedStar OS a great hands-on practical OS for security analysts looking to cut their teeth in the world of exploit development. First let’s review what happens when we crash the firefox (Naenara) process using a simple PoC trigger.

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
0x00533965 in ?? ( from /usr/lib/xulrunner-1.9.1/libmozjs.so
(gdb) i r $eax
eax 0x4000002d
(gdb) x/i $eip
=> 0x533965: mov 0x4(%eax),%eax

The application is making use of uninitialized memory which is held in the EAX register. When the process tries to read from the pointer stored at this location, the application crashes as 0x4000002d is not mapped. By making use of heap-spraying techniques we can force this page to be mapped and pass the out-of-bounds read/write error resulting in the following crash.

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
0x0053397b in ?? () from /usr/lib/xulrunner-1.9.1/libmozjs.so
(gdb) x/i $eip
=> 0x53397b: call *0x24(%eax)
(gdb) x/x 0x4000002d
0x4000002d: 0x40100000

The application is crashing as it is now trying to make use of our mapped memory in a call instruction from our user supplied pointer 0x401000000. We now need to manipulate the heap to store objects which hold our pointers in a structured way so as to leverage the “call *0x24(%eax)” where we have control over EAX. As the heap is not executable, we cannot return directly into the heap. ASLR is enabled and all libraries and shared objects within the process address space are randomized, except for one.

08048000-0805e000 r-xp 00000000 08:01 9148471 /Applications/Naenara.app/Contents/lib/firefox

Using the “firefox” binary from Naenara we can build a ROP gadget and control the execution flow by building gadgets from the binary We will construct a stack frame on the heap and use a stack-pivot technique to perform ret-into-libc style attack once the initial gadgets are executed. We will use a “xchg %eax,%esp” (0x08055a91) gadget, then pad the heap with “ret” (0x08056885) instruction gadgets to act like a NOP sled. The heap spray blocks will need to be constructed in a probabilistic way so as to ensure that our block for the pivot lands at 0x40100000 which is the address we supply from our heap spray for our call instruction. The block will look similar to the following once our mappings are performed.

(gdb) x/12x 0x40100000
0x40100000: 0x08056885 0x41414141 0x41414141 0x41414141
0x40100010: 0x41414141 0x41414141 0x41414141 0x41414141
0x40100020: 0x41414141 0x08055a91 0x41414141 0x10000040

We then use the procedure linkage table (PLT) to find a return address for our ROP gadget that we can use to perform mmap(). There are only a small number of imported libc functions within the “firefox” binary – both mmap and memcpy are present. We can see an example for PLT of mmap in the image below, this allows us to use a ret-into-libc style attack from our stack pivot by chaining the PLT entries!


By building our stack frame to call mmap(), we create a new memory page with PROT_READ / PROT_WRITE and PROT_EXEC permissions at 0x00020000, we can then call memcpy() to copy a NOP sled and Linux x86 payload into that address and execute it. Our stack frame on the heap looks like the following.

080490dc : mmap();
0804bda4 : pop pop pop pop pop pop ret
00020000 : address to mmap()
000f0000 : size
00000007 : rwx protections
00000022 : map to memory region
00000000 : null arg
00000000 : null arg
080491ec : memcpy
00020000 : return to mmap() area
00020000 : dest
4010e3c1 : src (our heap buffer)
00001000 : size
00020000 : one more ret for good luck
90909090 : nop zone for regular code

Using these techniques we now have a practical exploit for Naenara Browser 3.5 that can be used to load arbitrary Linux x86 payloads. We had to pack our payload bytes in a peculiar way as the mapping and pivot caused some misalignment to occur. We included a python script to assist in packaging your own payload. Our example exploit makes use of a connect() shellcode for a basic C2 example. The desktop contains strict firewall rules enforced by default, C2 needs to make use of port 80 without any DNS to be successful on a generic install. This exploit could then facilitate the installation of an implant using previously disclosed privilege escalation attacks. The video below shows our exploit in use to achieve code execution and is around 90% reliable in its execution.

Naenara Browser 3.5 exploit (JACKRABBIT) from Hacker Fantastic

You can download JACKRABBIT from here. We hope you enjoyed this blog post and as a reward for reading all the way to the end we throw in a few more fun disclosures! RSSMON & BEAM are webmin based management services used for configuration of Red Star OS 3.0 server editions. These services are run on high TCP ports from (10000 to 65535) and in a default state are not accessible through the Red Star server firewall. In the event an Administrator misconfigures or disables the firewall these services maybe network accessible, they are always accessible from the localhost once configured. Both services are the officially supported ways of performing system administration tasks and monitoring for Red Star server platforms. These services run as “root” once configured and configuration is detailed in the Red Star server guides included on the installation ISO. The shipped bash package in Red Star server is vulnerable to shellshock and can be exploited through these services in a reliable manner. SELinux policy enforcements prevents RSSMON from making use of network resources once compromised so BEAM is the better target candidate. You can download a remote root exploit that leverages these attacks from here. Merry Haxmas everyone!

Comments are closed.