
Issue metadata

Status: Fixed
Closed: Jul 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security


Issue 746946: Security: Chrome Type Confusion leads to Code Execution

Reported by, Jul 20 2017

Issue description

The following report shows an RCE in Chrome that can be triggered through a type confusion.

This is an RCE exploit without a sandbox bypass.

There is a JIT problem in the V8 TurboFan compiler. In the exploit, there is a type confusion problem.

In the JIT code for function 1, the type of the array is not checked when the array is used to perform a read or write.

Function 2 changes the array type. With these two functions, we can cause a type confusion on the array.

Chrome stable channel(59.0.3071.109)

Apparently this vulnerability was closed due to an optimizer fix, not a security fix (Chrome bug ID: 723455).

== Exploit ==
1. Open the latest version of the Chrome stable channel (59.0.3071.109) without the sandbox (--no-sandbox);
2. Open complete.html.txt;
3. Calc.exe will pop up.

== PoC ==
See the attached poc.html.txt (5.0 KB).
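The pattern the report describes (a hot function whose optimized code reads an array without re-checking its type, and a second function that changes the array's elements kind between those reads) can be written down as a regression-style check. The following is an added illustration, not the reporter's PoC and not V8 project code; the function names, the sample array and the double-to-object transition used to change the elements kind are my own assumptions. On a patched engine the optimized read must deoptimize or re-check the array's map after the transition and return the boxed values; a type confusion would instead reinterpret the new backing store with the old (unboxed double) layout.

```javascript
// Added example: the two-function shape of a JIT elements-kind type confusion.
// Not the original PoC; names and sample data are constructed for illustration.

// Function 1: a hot array read that TurboFan will optimize. In the reported bug,
// the optimized code did not check the array's type before the read/write.
function readAt(arr, i) {
  return arr[i];
}

// Function 2: changes the array's elements kind. The array starts as
// PACKED_DOUBLE_ELEMENTS (raw 64-bit doubles); storing an object into it forces a
// transition to PACKED_ELEMENTS (tagged pointers), so the backing store layout changes.
function transition(arr) {
  arr[0] = { marker: 'object' }; // double -> tagged transition
}

// Warm up readAt on the double array so the JIT specializes it, then transition the
// array and read again. Returns what a regression test would assert on.
function runScenario() {
  const arr = [1.1, 2.2, 3.3, 4.4]; // constructed sample: packed double array
  let warmup = 0;
  for (let i = 0; i < 200000; i++) {
    warmup += readAt(arr, i & 3);
  }

  transition(arr);

  // Read every slot through the (possibly optimized) function 1 after the transition.
  const slot0 = readAt(arr, 0);
  const slot1 = readAt(arr, 1);
  const slot3 = readAt(arr, 3);

  // A correct engine sees the boxed object in slot 0 and the re-boxed doubles elsewhere.
  // A confused read would yield garbage numbers (pointer bits read as a double) or crash.
  const consistent =
    typeof slot0 === 'object' && slot0 !== null && slot0.marker === 'object' &&
    slot1 === 2.2 && slot3 === 4.4;

  return { warmup, slot0, slot1, slot3, consistent };
}

// Helper: repeat the scenario so a flaky deopt path is exercised more than once.
function runRepeated(times) {
  let allConsistent = true;
  for (let n = 0; n < times; n++) {
    if (!runScenario().consistent) allConsistent = false;
  }
  return allConsistent;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenario());
}
```

Running this under a plain `node` invocation relies on the warm-up loop to trigger optimization. For a deterministic regression test in a V8 checkout, run with `--allow-natives-syntax` and call `%PrepareFunctionForOptimization(readAt)` followed by `%OptimizeFunctionOnNextCall(readAt)` before the post-transition read, which is how V8's own mjsunit tests pin the optimized path.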

Comment 1 by, Jul 20 2017

Components: Blink>JavaScript
I /think/ you're saying that this was fixed in V8 on May 17th by and thus it's expected that it doesn't repro in Chrome stable 60 or Canary, correct?

Comment 2 by, Jul 20 2017

Labels: Needs-Feedback

Comment 3 by, Jul 20 2017

Yes, it was fixed.

But not because the vulnerability was discovered.

Rather, because it appears it had a performance issue.

I think it's a good thing to mark this code as vulnerable in regression testing; otherwise it might get unpatched in the future.

Comment 4 by, Jul 20 2017

Project Member
Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "" to the cc list and removing "Needs-Feedback" label.

For more details visit - Your friendly Sheriffbot

Comment 5 by, Jul 20 2017

Ok I will let the V8 team decide how to handle this.

Comment 6 by, Jul 21 2017

Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: NodeJS-Backport-Review
Status: Assigned (was: Unconfirmed)
I suppose we can simply set it to fixed. No merge needed from our side, although maybe node might want to backport it.

Comment 7 by, Jul 21 2017

Labels: M-59

Comment 8 by, Jul 21 2017


Comment 9 by, Jul 21 2017

Would you let us know when we can disclose the findings?

Comment 10 by, Jul 21 2017

awhalley@, can you help with the timing of when this fix will be shipped?

Comment 11 by, Jul 24 2017


Can I get a response relating to the fix being shipped?

Comment 12 by, Jul 24 2017

Labels: Pri-1
Re #11: I suppose disclosure is handled by the Chrome security team/awhalley@. Let's wait for his answer.

Comment 13 by, Jul 24 2017

Status: Fixed (was: Assigned)
Marking as fixed according to #1.

Comment 14 by, Jul 24 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by, Jul 24 2017

The change referenced in #1 is indeed in Chrome 60, which will be released on the Stable channel this week.

Comment 17 by, Oct 3 2017

bmeurer@: Can this bug affect older versions of V8, e.g. V8 5.1 that is part of Node 6.x?

Comment 18 by, Oct 30 2017

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 19 by, Nov 14 2017

Labels: reward-topanel

Comment 20 by, Dec 1 2017

Labels: -reward-topanel reward-0
