fpvi_firefox_exploit
FPVI Exploit

Demo

youtube demo video

Requirements

To make sure that the exploit works:

How to run

The simplest way to run the exploit is to open the attacker.html page locally; this leaks the contents of your own page. To test the cross-origin leak, host the contents of this folder on two different domains and adjust the iframe location inside index.html accordingly.

The exploit page provides three functions:

  • Calibrate: this button starts the calibration process that finds the threshold used to distinguish between cache-hit and cache-miss times. On success, it plots two graphs showing the distribution of hit and miss times, with the threshold drawn as a green line.

  • Leak: this button leaks 256 bytes from the provided address. We suggest attaching gdb to the Firefox process to verify that the leaked content matches. Alternatively, use the Memory tool to take a snapshot of the process memory and then use the Dominators view to obtain a list of leakable addresses.

  • Auto-attack: this button starts an automatic attack that first breaks ASLR and then leaks the content of the Firefox process memory. It can be seen as a wrapper around Leak, preceded by an ASLR-break step.

Troubleshooting

  • Ensure that precise timers are enabled by setting both privacy.reduceTimerPrecision and privacy.reduceTimerPrecision.unconditional to false.

  • Ensure that you are not using a patched Firefox version (>= 87). Be aware that Firefox updates itself as soon as you restart it; use the About Firefox dialog to confirm that you are running an affected version.

  • If the calibration always fails, try tweaking the following parameters at the beginning of fpvi.js:

    • AMPLIFICATION: higher is better, but leaks become slower
    • STRIDE and STRIDE_LOG: 1024, 2048 and 4096 should always be fine
    • K: currently set to allocate 128MB of reload buffers; increasing it a little may help
    • ITER: higher is better, but leaks become slower