Issue metadata
Sign in to add a comment
|
Security: v8 Use-after-free claimed on StackOverflow (missing repro) |
||||||||||||||||||||||
Issue descriptionThis was originally published at http://stackoverflow.com/questions/41246721/javascript-warning-i-created-dangerous-troyan-keylogger-in-javascript-vulnerab . It was removed, but I pulled this from the Google search cache. Posted by "lucyheartfilia" ----------------------------------------- I downloaded v8 source code and I studied it a lot. After more than two months of trying, I finally found a hole in it. I succeeded to execute assembly code directly in Chrome's memory using pure JavaScript. I could use it to hack someone, but no, I decided to tell everyone, so it Google can fix it as soon as possible. Ok, this is how my code works. Based on concepts on how v8 works, I came with the following idea, which actually turned to be true and it works pretty well. My script is based on the following steps: 1. Create a new function using Function constructor and put assembly code in a string somewhere in function's body. 2. Use some clever reference manipulation to dereference a function from its variable. 3. Create a closure, but force dereferenced function to stay pointing to deleted object. 4. Exploit v8 engine's garbage collection. Use clever mechanisms to keep a callable reference of non-existing function. 5. Replace function with a buffer and call it (it will be threated like a function). Lets explain it briefly. Firstly, we create a simple function with eval in it, and we must return a function from it (create a closure) like this: const main = (a => { return b => a(b); })(eval); So, now we can manipulate this closure anyway we want, because we can execute whatever we want in it. We also need a buffer (in browser you can use UInt8Array or ArrayBuffer or whatever you want, but you should be able to put arbitrary order of consecutive bytes in it). Lets create an empty buffer: const buff = fs.readFileSync('test.o'); Here test.o is just compiled assembly code (i.e. using nasm). In browser, you can obtain file content in many ways, for example using XMLHttpRequest. Now we need to execute Clever Dereference script [[[ This is a link to https://wsdwa1022.github.io/clever-dereference.min.js which is now dead. -- Avi]]] I made based on disadvantages of v8 which actually allow us to free memory region of any function or object, but KEEPING its reference (we can still call a function or access object's properties). The problem is because if we execute anything after it, theoretically something may be written to that memory location, because it is now FREE. So, we MUST execute function immediatelly after it. But firstly, we need to change it's content. This is how you call it: const func = Function('return "' + '\x90'.repeat(0x400) + '"'); CleverDereference.remove(main, func, 8, 0x400); CleverDereference.assign(buff, 0, 0x400); Ok, let me explain what we did here. Firstly, we create a new function using Function constructor which returns string containing only bytes of char code 0x90 (this is 8086 nop code which does nothing). So, somewhere in memory we have 1KB space for our assembly program. Now call my function which forces v8 to free this memory region. Here 8 is offset (because of return ") and 0x400 is the actual length. After that using my another function we switch references. Now, we made buff (which is a Buffer instance) callable. Now, we can call it like this buff(). The thread will immediatelly jump to its memory location and start executin our code. What a huge vulnerability issue. Now, let me show you how it actually works. I've created a simple hello world assembly program in nasm and compiled it to an object file. ; Push these two, because Chrome uses it for data tracing push eax push ebx ; Call some procedures to prevent Chrome from killing this thread xor edx, eax add edx, ebx xor ebx, ecx call dword [edx] mov edx, ebx inc edx call dword [edx] ; Import message box function from `user32.dll` (or reuse imported) xor eax, eax push eax push ecx call dword [edx] push ebx call dword [edx] ; Pop important values back, so Chrome will know we are done pop ebx pop eax Now lets test it. I did it in browser just to mention how vulnerable it is, but it can be also done in Node.js. This is how it looks when executed: you can see HERE. [[[ https://i.imgur.com/S14kUMS.png ; I am attaching in case it comes down. -- Avi]]] You can see random characters, but it is because I tried to show here minimal assembly code. We could pass some arguments when calling MessageBoxA, but we just called it with whatever was on stack at that time, that is why scrambled text. Imagine what attackers can do with this. Anyone can clickbait you to website where this script will be executed. They can create new thread in your Chrome which will trace all data and all sites you visit and sent to attackers. This should be fixed asap.
,
Dec 20 2016
,
Dec 20 2016
Hi Michael, Any help labeling and tasking this security bug in V8 would be appreciated!
,
Dec 20 2016
,
Dec 21 2016
,
Dec 21 2016
,
Dec 21 2016
Adding jochen@ (security) and hpayer@ (V8 GC). Does the repro description sound reasonable and valid?
,
Dec 21 2016
without some additional details on this clever script, there's not enough information in this report :-/
,
Dec 21 2016
,
Dec 21 2016
The user "lucyheartfilia" on StackOverflow is gone. The link pointed to user "WsDwA1022" on GitHub. I can't figure out how to send a message on GitHub, and I'm not sure that's possible. In the WsDwA1022's repo, there were a few commits with the email "software.engineer171@gmail.com" as the committer. I know that it's not reliable, but it was the only thing I had, so I emailed to that address asking them if they were the exploit writer lucyheartfilia and encouraging them to follow the instructions to properly file. No reply, but it didn't bounce. If anything moves on this front I'll follow up here.
,
Dec 22 2016
I wrote: > lucyheartfilia— > > Are you the user who posted on Stack Overflow about a vulnerability you found in the Chrome > V8 JavaScript engine? > > If so, you said at the end of the post that "This should be fixed asap." If you can follow > the instructions at https://www.chromium.org/Home/chromium-security/reporting-security-bugs > to file a security bug, the Chrome security team would work with you to make sure that it > gets fixed. > > If you have any questions, feel free to ask, and I'd be happy to help. > > Happy holidays, and thank you in advance for helping make the web a safe place. > > Avi Drissman > Chrome Security and just got an answer: > Delivered-To: avi@google.com > From: Thomas Thomas <software.engineer171@gmail.com> > Date: Thu, 22 Dec 2016 16:48:53 +0100 > Subject: Re: Your post about a Chrome JavaScript vulnerability > To: Avi Drissman <avi@google.com> > > Content-Type: text/plain; charset=UTF-8 > > Oh, I didn't expected my joke will go this far. I'm so sorry if you or > anyone from your team thought it was real. > > I've just wrote totally random stuff which is supposed to look like a real > bug (if you look carefully, the assembly code I've posted wont even compile > correctly). With a little knowledge about assembly, c++ and JavaScript ES7, > I just tried to draw attention on a "bug" I've found. You can see (if you > still can reach that question) that my task bar is blured. I've just > created hello world msg box program in c++ and minimized console, so it > looks like it is alerted from Chrome. > > Moreover, v8 engine's code is so good that I cannot understand why do you > think someone can found such a huge vulnerable issue. You can be totally > calm, Chrome is stable and user privacy is not endangered at all. > > Sorry again for this inappropriate joke. Happy hollidays. Regards. So I'm going to close this, and write back with encouragement. This is quite plausible, so I'm hoping that encouraging will be a good path to take.
,
Mar 31 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by a...@chromium.org
, Dec 20 2016