New issue
Advanced search Search tips

Issue 746946 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security: Chrome Type Confusion leads to Code Execution

Reported by no...@beyondsecurity.com, Jul 20 2017

Issue description

VULNERABILITY DETAILS
The following report, shows a RCE in Chrome that can be triggered through a Type confusion.

This is a RCE Exploit without sandbox bypass.

There is a JIT problem in V8 turbofan compiler. In the exploit, there is a TYPE Confusion problem.

Because in the function 1 JIT code, it doesn't check the type of array when it uses the array to preform a read or write.

In function 2, it will change the array type. With these two functions, we can lead to a TYPE Confusion of Array.

VERSION
Chrome stable channel(59.0.3071.109)

Apparently this vulnerability was closed due to an optimizer fix - not a security fix, Chrome bug ID: 723455.

REPRODUCTION CASE
== Exploit ==
1. Open the latest version of Chrome stable channel(59.0.3071.109) without sandbox(--no-sandbox);
2. Open the complete.html.txt
3. Calc.exe will pop out.

== PoC ==
See poc.html.txt
 
complete.html.txt
5.0 KB View Download
Components: Blink>JavaScript
I /think/ you're saying that this was fixed in V8 on May 17th by https://chromium.googlesource.com/v8/v8/+/ea55b873f2ed8336604540a532cbd460eeb66430 and thus it's expected that it doesn't repro in Chrome stable 60 or Canary, correct?
Labels: Needs-Feedback
Yes it was fixed

But not because the vulnerability was discovered

Rather because it appears it had performance issue

I think it's a good thing to mark this code as vulnerable in regression testing, otherwise it might get unpatched in the future
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 20 2017

Cc: kerrnel@chromium.org
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Ok I will let the V8 team decide how to handle this.
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: NodeJS-Backport-Review
Owner: bmeu...@chromium.org
Status: Assigned (was: Unconfirmed)
I suppose we can simply set it to fixed. No merge needed from our side, although maybe node might want to backport it.
Labels: M-59
Owner: ishell@chromium.org
Would you let us know when we can disclose the findings?
Cc: awhalley@chromium.org
awhalley@, can you help with the timing of when this fix will be shipped?
Hi

Can I get a response relating to the fix being shipped?

Labels: Pri-1
Re #11: I suppose disclosure is handled by the Chrome security team/awhalley@. Let's wait for his answer.
Status: Fixed (was: Assigned)
Marking as fixed according to #1.
Project Member

Comment 14 by sheriffbot@chromium.org, Jul 24 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
The change referenced in #1 is indeed in Chrome 60, which will be release on the Stable channel this week. 
bmeurer@: Can this bug affect older versions of V8, e.g. V8 5.1 that is part of Node 6.x?
Project Member

Comment 18 by sheriffbot@chromium.org, Oct 30 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: reward-topanel
Labels: -reward-topanel reward-0

Sign in to add a comment