Status: Fixed
Closed: May 18
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Security
Type Confusion In Chrome Lead to RCE
Reported by soulchen...@gmail.com, May 16
UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce the problem:
1. open the hello_chrome.html with the latest version of chrome
2. We can control the RIP and go to the shellcode which is 0xcc(int 3)

What is the expected behavior?
nothing to happen

What went wrong?
We can control the RIP and go to the shellcode which is 0xcc(int 3)
The zip's password: 72427200dabao

Did this work before? N/A 

Chrome version: 58.0.3029.110  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

This problem belongs to Crankshaft. In the latest V8 version (16th May 2017) (using Crankshaft to JIT), I can reproduce this issue. And this is a FULL EXP which works on the latest Chrome stable version (58.0.3029.110). At this version, Chrome uses Crankshaft to JIT.
 
Attachment: hello_chrome.zip (2.0 KB)
Project Member Comment 1 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5115844635131904
Status: Untriaged
This doesn't seem to crash in Canary, which fires the following script error: 
Uncaught TypeError: First argument to DataView constructor must be an ArrayBuffer
    at new DataView (<anonymous>)
    at hello_chrome.html:263

It does crash in M58; crash/bc9f55e170000000

Cc: haraken@chromium.org jochen@chromium.org hablich@chromium.org
Components: Blink>JavaScript
Labels: -Pri-2 Security_Severity-High Security_Impact-Stable Pri-1
Project Member Comment 4 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5537737125134336
Project Member Comment 5 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5976780828835840
Project Member Comment 6 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4676478607556608
I just get "TypeError: First argument to DataView constructor must be an ArrayBuffer" every time, I've tried with d8 5.8.283.38 built with asan with --crankshaft flag. I also can't get a crash on clusterfuzz...
On Windows Stable, I see the alert message and then the tab crashes. Might it not crash on Clusterfuzz due to the alert() dialog?

Google Chrome	58.0.3029.110 (Official Build) (64-bit)
Revision	691bdb490962d4e6ae7f25c6ab1fdd0faaf19cd0-refs/branch-heads/3029@{#830}
OS	Windows
JavaScript	V8 5.8.283.38
Flash	25.0.0.171 C:\Users\elawrence\AppData\Local\Google\Chrome\User Data\PepperFlash\25.0.0.171\pepflashplayer.dll
User Agent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Command Line	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --flag-switches-begin --mark-non-secure-as=non-secure --enable-features=password-import-export --flag-switches-end -- "C:\Users\elawrence\Desktop\hello_chrome.html"
Variations
Compiler	MSVC 2015 (PGO)
Project Member Comment 9 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4670544841801728
Project Member Comment 10 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5537984622624768
Comment 11 Deleted
Project Member Comment 12 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4771582068391936
thanks, I can now repro on 5.8.283.38 but not 6.0.0 (candidate) r45347. Will see if I can persuade CF to repro...
Project Member Comment 14 by clusterf...@chromium.org, May 16
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5744343037247488
Project Member Comment 15 by clusterf...@chromium.org, May 16
ClusterFuzz has detected this issue as fixed in range 43658:43659.

Detailed report: https://clusterfuzz.com/testcase?key=5744343037247488

Job Type: linux_asan_d8
Crash Type: UNKNOWN READ
Crash Address: 0x0024e2458007
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::HeapObject::HeapObjectShortPrint
  v8::internal::operator<<
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: V8: 43658:43659

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5744343037247488


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 16 by clusterf...@chromium.org, May 16
Detailed report: https://clusterfuzz.com/testcase?key=5744343037247488

Job Type: linux_asan_d8
Crash Type: UNKNOWN READ
Crash Address: 0x0024e2458007
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::HeapObject::HeapObjectShortPrint
  v8::internal::operator<<
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: V8: 36651:36652
Fixed: V8: 43658:43659

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5744343037247488


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.

CF analysis seems wrong - I can still repro on rev 43659 - v8 commit 76224f7e4994af40e896069a1372373e25699a7c
I manually bisected; the first commit where this bug is fixed is 0f716acadaed1d9e194593543dbe1340d600d6fc "Turn on Ignition + TurboFan."
Project Member Comment 19 by clusterf...@chromium.org, May 17
Labels: ClusterFuzz-Verified
Status: Verified
ClusterFuzz testcase 5744343037247488 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 20 Deleted
Labels: -ClusterFuzz-Verified ClusterFuzz-Wrong
Status: Assigned
Comment 22 Deleted
Cc: mvstan...@chromium.org danno@chromium.org
Owner: jkummerow@chromium.org
Please note that ClusterFuzz is a bot which automatically recommends certain actions. Your report looks very interesting. Let me CC some more folks to look into fixing this.
#22: This is definitely a high-severity security issue. Please keep the reports coming! (Especially for Turbofan; but as long as Crankshaft is shipping on the stable channel, we definitely care about that too.)

Fix is up for review: https://chromium-review.googlesource.com/c/507209/
Thanks for the great fix, Jakob!
Project Member Comment 26 by sheriffbot@chromium.org, May 17
Labels: M-58
Project Member Comment 27 by bugdroid1@chromium.org, May 17
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e33fd30777f99a0d6e16b16d096a2663b1031457

commit e33fd30777f99a0d6e16b16d096a2663b1031457
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Wed May 17 13:11:02 2017

[crankshaft] Fix HAliasAnalyzer for constants

BUG= chromium:722756 

Change-Id: I04fc7fa0b8ef1e56d25f829fc5c8f53ae439aa52
Reviewed-on: https://chromium-review.googlesource.com/507209
Reviewed-by: Daniel Clifford <danno@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45375}
[modify] https://crrev.com/e33fd30777f99a0d6e16b16d096a2663b1031457/src/crankshaft/hydrogen-alias-analysis.h
[add] https://crrev.com/e33fd30777f99a0d6e16b16d096a2663b1031457/test/mjsunit/regress/regress-crbug-722756.js

#24: Thank you for your information.

I will do some testing on your patch.

And in #1, there is a FULL EXPLOIT for this issue. If there is any confusion, you are welcome to contact me any time.
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: Merge-Request-58 Merge-Request-59 OS-Android OS-Chrome OS-Linux OS-Mac
Status: Fixed
Fixed by #27.

We don't have Canary coverage yet, but Canary coverage is also not going to be particularly useful in this case, because the bug is in Crankshaft, which is not used on Canary any more. Requesting merges now.

M59: Currently the Crankshaft pipeline is still being finched to a small fraction of users. As long as that is the case, we should fix this bug there.

M58: This is a high-severity security issue on the stable channel. I think that's a good reason to backmerge the fix? (Even if we don't immediately roll a new release for this.)

Note to security team / reward panel: The buggy code was >3 years old (I haven't verified if all releases in this time were vulnerable, but I assume so). I've verified that the exploit indeed allows execution of arbitrary attacker-provided machine code on M58.
Project Member Comment 30 by sheriffbot@chromium.org, May 18
Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 31 by bugdroid1@chromium.org, May 18
Labels: merge-merged-5.9
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7af4a42fc2a4e78e1acc0270531b2e2282ae828a

commit 7af4a42fc2a4e78e1acc0270531b2e2282ae828a
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Thu May 18 13:46:35 2017

Merged: [crankshaft] Fix HAliasAnalyzer for constants

Revision: e33fd30777f99a0d6e16b16d096a2663b1031457

BUG= chromium:722756 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=cbruni@chromium.org

Change-Id: I948e25bcaa536475e04702ea8124f22d9492c184
Reviewed-on: https://chromium-review.googlesource.com/508352
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#57}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}
[modify] https://crrev.com/7af4a42fc2a4e78e1acc0270531b2e2282ae828a/src/crankshaft/hydrogen-alias-analysis.h
[add] https://crrev.com/7af4a42fc2a4e78e1acc0270531b2e2282ae828a/test/mjsunit/regress/regress-crbug-722756.js

Labels: -Merge-Approved-59
Cc: awhalley@chromium.org amineer@chromium.org
+ awhalley@ for M58 merge review. Please note we're not planning further M58 releases. 
Labels: -Merge-Request-58 Merge-Rejected-58
Not sec sev critical, there's no need to merge this late post branch.
Project Member Comment 35 by sheriffbot@chromium.org, May 19
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Could you please assign a CVE to this issue?
Thanks
Labels: -Hotlist-Merge-Approved -M-58 M-59
soulchen8650@ - we assign CVEs when the fix goes out in a stable release.  That should be in a couple of weeks for M59.
Labels: reward-topanel
Comment 39 Deleted
Comment 40 Deleted
Thanks for your information. Here is my acknowledgment information:
Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team
Maybe something is wrong, my comment has been deleted automatically...
Labels: Release-0-M59
Labels: -reward-topanel reward-unpaid reward-750
Labels: -reward-750 reward-7500
Congratulations! The VRP panel decided to award $7,500 for this report!  A member of our finance team will be in touch shortly.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an established charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
Labels: -reward-unpaid reward-inprocess
Labels: CVE-2017-5070
Hello,

Would you mind telling me how long it will take to get the reward?

Hello - should be about two weeks at this point.
Project Member Comment 49 by sheriffbot@chromium.org, Aug 25
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Hello,

Where can I get hello_chrome.html from? I would like to understand the issue better, and see if my product that is based on Chromium 53 is affected.



#51: I don't know where you can get hello_chrome.html, but I can tell you with certainty that M53 is affected (see #29).

(It's probably affected by a bunch of other security issues too -- you really should update, and keep it up to date!)