Issue metadata
Security: Chrome Type Confusion leads to Code Execution
Reported by no...@beyondsecurity.com, Jul 20 2017
Issue description

VULNERABILITY DETAILS
The following report shows an RCE in Chrome that can be triggered through a type confusion. This is an RCE exploit without sandbox bypass. There is a JIT problem in the V8 TurboFan compiler. In the exploit, there is a type confusion problem, because in the function 1 JIT code it doesn't check the type of the array when it uses the array to perform a read or write. In function 2, it will change the array type. With these two functions, we can lead to a type confusion of Array.

VERSION
Chrome stable channel (59.0.3071.109). Apparently this vulnerability was closed due to an optimizer fix, not a security fix; Chrome bug ID: 723455.

REPRODUCTION CASE
== Exploit ==
1. Open the latest version of Chrome stable channel (59.0.3071.109) without sandbox (--no-sandbox);
2. Open the complete.html.txt
3. Calc.exe will pop out.

== PoC ==
See poc.html.txt
Jul 20 2017

Jul 20 2017
Yes, it was fixed, but not because the vulnerability was discovered; rather because it appears it had a performance issue. I think it's a good thing to mark this code as vulnerable in regression testing, otherwise it might get unpatched in the future.
Jul 20 2017
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 20 2017
OK, I will let the V8 team decide how to handle this.
Jul 21 2017
I suppose we can simply set it to fixed. No merge needed from our side, although maybe node might want to backport it.
Jul 21 2017

Jul 21 2017

Jul 21 2017
Would you let us know when we can disclose the findings?
Jul 21 2017
awhalley@, can you help with the timing of when this fix will be shipped?
Jul 24 2017
Hi, can I get a response relating to the fix being shipped?
Jul 24 2017
Re #11: I suppose disclosure is handled by the Chrome security team/awhalley@. Let's wait for his answer.
Jul 24 2017
Marking as fixed according to #1.
Jul 24 2017

Jul 24 2017
The change referenced in #1 is indeed in Chrome 60, which will be released on the Stable channel this week.
Aug 17 2017
It sounds like POC code for this vulnerability has been published: https://www.bleepingcomputer.com/news/security/rce-vulnerability-affecting-older-versions-of-chrome-will-remain-unpatched/
Oct 3 2017
bmeurer@: Can this bug affect older versions of V8, e.g. V8 5.1 that is part of Node 6.x?
Oct 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 14 2017

Dec 1 2017
Comment 1 by elawrence@chromium.org, Jul 20 2017