[guardian-dev] Replicating TorBB/Firefox exploit in Orweb/Webkit?

Tom Ritter tom at ritter.vg
Mon Aug 5 12:55:36 EDT 2013


Well, I think you have the right thoughts, but your focus on this
particular bug won't lead you anywhere.  The underlying bug is
https://www.mozilla.org/security/announce/2013/mfsa2013-53.html - and
it's going to be very specific to the underlying engine that's used
(which should be Gecko).  Trying to replicate it in WebKit is
extremely unlikely to turn anything up.

But all that said, WebKit has lots of bugs, and yes, they have been
exploited on Android.  Crowdstrike loaned Charlie Miller an Android
exploit he used onstage at Black Hat '12: open a web browser, and it
owns your phone.  Pwn2Own used to have Android as a target.  A WebKit
bug, combined with one of many kernel bugs gives root on an Android.
A WebKit bug alone would probably be enough to get a phone to call out
to a server, which combined with a subpoena to a carrier would
de-anonymize a user.

You should look into the difficulty of exploiting apps on Android[0]
if you are interested in this line of defense.  That said, I don't
think you can opt-in to any extra protections - the particular version
of Android either has DEP/ASLR or it doesn't.  ProGuard[1] may make it
marginally harder for someone to engineer an exploit, but that's not
really its purpose.

-tom

[0] Good place to start is
http://2012.ruxconbreakpoint.com/assets/Uploads/bpx/Tackling%20the%20Android%20Challenge.pptx
and anything by Josh Drake aka jduck
[1] http://developer.android.com/tools/help/proguard.html
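[Editor's added example, not part of Tom's message or any code from the Guardian Project.] The point above that an app cannot opt in to DEP/ASLR cuts both ways: the OS side (kernel NX support, address-space randomization in the loader) is fixed by the Android version, but a native binary also has to be built with the right prerequisites before those mitigations do anything for it. The script below checks those build-time prerequisites in an ELF file: whether it is position-independent (e_type == ET_DYN, which the loader needs in order to randomize the image base of an executable) and whether it carries a PT_GNU_STACK header without the execute bit (a non-executable stack). It parses the ELF header and program headers directly with the standard library, so it runs offline; the make_elf() helper builds constructed, non-loadable ELF32/ELF64 images purely to exercise the parser. Function names and the report format are this example's own.

```python
"""Check an ELF binary for the build-time prerequisites of ASLR and DEP.

Added example for the guardian-dev thread, not project code. It reports:
  pie      - True if e_type == ET_DYN (image base can be randomized)
  nx_stack - True if a PT_GNU_STACK program header lacks PF_X,
             False if it has PF_X, None if the header is absent
             (the kernel's architecture default then applies)
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551       # GNU/Android stack-permission marker
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_elf(data: bytes) -> dict:
    """Return {'pie': bool, 'nx_stack': bool|None} for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]     # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
        # e_ehsize e_phentsize e_phnum (fields after the 16-byte e_ident)
        hdr_fmt, ph_fmt = "HHIQQQIHHH", "IIQQQQQQ"   # Elf64_Ehdr, Elf64_Phdr
        flags_idx = 1                                 # p_flags follows p_type
    elif ei_class == 1:
        hdr_fmt, ph_fmt = "HHIIIIIHHH", "IIIIIIII"   # Elf32_Ehdr, Elf32_Phdr
        flags_idx = 6                                 # p_flags is 7th field
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)

    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from(end + hdr_fmt, data, 16)

    nx_stack = None
    for i in range(e_phnum):
        fields = struct.unpack_from(end + ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            nx_stack = not (fields[flags_idx] & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def make_elf(ei_class: int, e_type: int, stack_flags=None) -> bytes:
    """Constructed test input: a minimal little-endian ELF with at most one
    program header (PT_GNU_STACK). Not loadable; it only feeds parse_elf."""
    phnum = 0 if stack_flags is None else 1
    img = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8
    if ei_class == 2:
        ehsize, phentsize, machine = 64, 56, 0xB7            # AArch64
        img += struct.pack("<HHIQQQIHHHHHH", e_type, machine, 1, 0, ehsize,
                           0, 0, ehsize, phentsize, phnum, 64, 0, 0)
        if phnum:
            img += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags,
                               0, 0, 0, 0, 0, 16)
    else:
        ehsize, phentsize, machine = 52, 32, 0x28            # ARM (32-bit)
        img += struct.pack("<HHIIIIIHHHHHH", e_type, machine, 1, 0, ehsize,
                           0, 0, ehsize, phentsize, phnum, 40, 0, 0)
        if phnum:
            img += struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0,
                               stack_flags, 4)
    return img


def check_file(path: str) -> dict:
    """Parse a real binary from disk, e.g. one pulled with `adb pull`."""
    with open(path, "rb") as f:
        return parse_elf(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        # Demonstration on constructed images: a hardened PIE with RW stack,
        # a legacy non-PIE ARM executable with an RWX stack, and one with no
        # PT_GNU_STACK at all.
        print(parse_elf(make_elf(2, ET_DYN, PF_R | PF_W)))
        print(parse_elf(make_elf(1, ET_EXEC, PF_R | PF_W | PF_X)))
        print(parse_elf(make_elf(1, ET_DYN)))
```

Two caveats when using this on a device: shared objects are always ET_DYN, so the "pie" result only says something about the main executable (the browser process itself), and a positive result here is necessary but not sufficient, since the kernel and linker of the Android release in question still decide whether the randomization and NX enforcement actually happen, which is exactly the "either has it or it doesn't" situation described above.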

