Using Hermes’s Quicksort to run Doom: A tale of JavaScript exploitation

At Meta, our Bug Bounty program is an important element of our “defense-in-depth” approach to security. Our internal product security teams investigate every bug submission to assess its maximum po…

Luigi Coniglio
14 min readadvanced
--
View Original

Overview

This article discusses a security vulnerability found in the Hermes JavaScript engine, specifically within its Quicksort implementation, which allowed for out-of-bounds memory reads. The investigation led to the discovery of how this bug could be exploited to execute arbitrary code, demonstrated by running the classic game Doom directly from Hermes.

What You'll Learn

1

How to identify and exploit vulnerabilities in JavaScript engines

2

Why understanding sorting algorithms is crucial for security

3

How to manipulate memory allocation to achieve arbitrary code execution

Prerequisites & Requirements

  • Understanding of JavaScript and memory management concepts
  • Experience with security vulnerabilities and exploitation techniques

Key Questions Answered

What vulnerability was found in the Hermes JavaScript engine?
A bug in Hermes's Quicksort implementation allowed for blind out-of-bounds memory reads, which could be exploited for arbitrary code execution. This was discovered through a bug report received in August 2020, leading to a $12,000 bounty payout for the researcher.
How did the Quicksort bug lead to arbitrary code execution?
The Quicksort bug allowed manipulation of the sorting algorithm to access memory beyond the original array size. By carefully crafting the sorting logic, the exploit could swap indices and ultimately lead to arbitrary code execution, demonstrated by running Doom.
What steps were taken to exploit the Quicksort vulnerability?
The exploitation involved creating an extended array, manipulating the sorting callback to trigger out-of-bounds reads, and controlling memory layout through strategic memory allocation. This led to the ability to overwrite pointers in memory, enabling arbitrary read/write access.
What was the outcome of the investigation into the Hermes bug?
The investigation revealed significant security implications, leading to the implementation of fixes and improvements in internal fuzzing efforts. The researcher who reported the bug was awarded a $12,000 bounty for their findings.

Key Statistics & Figures

Bounty payout for the discovered bug
$12,000
This amount was awarded to the researcher who reported the vulnerability after further investigation revealed its potential for arbitrary code execution.
Typical bounty range for similar findings
$500 to $3,000
Most bug reports similar to the Hermes vulnerability typically receive bounties within this range, depending on the severity and impact.

Technologies & Tools

Some links below are affiliate links. We may earn a commission if you make a purchase.

Javascript Engine
Hermes
Hermes is an open-source JavaScript engine optimized for mobile applications, particularly used in React Native.
Programming Language
Javascript
JavaScript is the language in which the vulnerabilities were found and exploited within the Hermes engine.

Key Actionable Insights

1
Security researchers should focus on understanding the underlying algorithms of programming languages to identify potential vulnerabilities.
By gaining insights into how algorithms like Quicksort function, researchers can better predict where bugs may arise, leading to more effective vulnerability discovery.
2
Implementing robust memory management practices can help mitigate risks associated with out-of-bounds errors.
By ensuring strict bounds checking and using safer memory allocation techniques, developers can reduce the likelihood of similar vulnerabilities in their applications.
3
Engaging with bug bounty programs can provide valuable insights into real-world vulnerabilities and their implications.
Participating in or following bug bounty programs allows developers to learn from actual cases, improving their understanding of security practices and vulnerabilities.

Common Pitfalls

1
Assuming that sorting algorithms are immune to vulnerabilities can lead to serious security issues.
Many developers overlook the potential for exploitation in seemingly benign operations like sorting. Understanding the underlying mechanics can help prevent such oversights.

Related Concepts

Javascript Security Vulnerabilities
Memory Management Techniques
Sorting Algorithms And Their Implications