Issue metadata

Status: Fixed
Closed: Sep 27
OS: Windows
Pri: 1
Type: Bug-Security

Issue 888923: Security: Chrome RCE

Reported by no...@beyondsecurity.com, Sep 25

Issue description

VULNERABILITY DETAILS
A vulnerability in Chrome allows remote attackers to cause Chrome to execute arbitrary code. The vulnerability lies in the V8 optimizer, which leads to a read/write primitive. Shellcode executes in the renderer.

VERSION
Chrome Version: Chrome 67, 68 and 69
Operating System: Windows 10, RS5

REPRODUCTION CASE
Open the provided HTML file and see the magic happen :)

File has been encrypted with security@google.com.

Attachment: Chrome RCE.zip.gpg (36.9 KB)

Comment 1 by dominickn@chromium.org, Sep 25

Cc: mslekova@chromium.org hablich@chromium.org
Components: Blink>JavaScript
Labels: OS-Windows
+ current V8 sheriffs to take a look. Assigning Windows for now but since it's in V8 it may be a vulnerability across all platforms.

Comment 2 by wfh@chromium.org, Sep 25

Cc: amuse@google.com

Comment 3 by wfh@chromium.org, Sep 25

Hi, thanks for your report. Unfortunately we cannot decrypt the GPG attachment because it seems to be encrypted to the wrong key.

gpg: encrypted with RSA key, ID 31D00026684184C6
gpg: encrypted with RSA key, ID 0FC941D950CB43FB

The security@google.com gpg key is:
C789A16F 6F4D6519 (OLD)
B8E4105C C9DEDC77 (NEW)

Please feel free to re-encrypt with the security@google.com or security@chromium.org key (we can handle either/both).

https://pgp.mit.edu/pks/lookup?op=get&search=0xB8E4105CC9DEDC77 (security@google.com)

https://pgp.mit.edu/pks/lookup?op=get&search=0xA73851D532C206B6 (security@chromium.org)

Comment 4 by mmoroz@chromium.org, Sep 25

Labels: Security_Severity-High Security_Impact-Stable M-69 Pri-1

Comment 5 by no...@beyondsecurity.com, Sep 26

Attaching it in unencrypted form.

Attachment: Chrome RCE.zip (35.8 KB)

Comment 6 by mslekova@chromium.org, Sep 26

Cc: jarin@chromium.org
Pinging other TF team members.

Comment 7 by bugdroid1@chromium.org, Sep 26

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/52a9e67a477bdb67ca893c25c145ef5191976220

commit 52a9e67a477bdb67ca893c25c145ef5191976220
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Wed Sep 26 12:02:11 2018

[turbofan] Fix ObjectCreate's side effect annotation.

Bug:  chromium:888923 
Change-Id: Ifb22cd9b34f53de3cf6e47cd92f3c0abeb10ac79
Reviewed-on: https://chromium-review.googlesource.com/1245763
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56236}
[modify] https://crrev.com/52a9e67a477bdb67ca893c25c145ef5191976220/src/compiler/js-operator.cc
[add] https://crrev.com/52a9e67a477bdb67ca893c25c145ef5191976220/test/mjsunit/compiler/regress-888923.js

Comment 8 by hablich@chromium.org, Sep 26

Owner: jarin@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 9 by hablich@chromium.org, Sep 26

Components: -Blink>JavaScript Blink>JavaScript>Compiler

Comment 10 by hablich@chromium.org, Sep 27

Cc: awhalley@chromium.org
Status: Fixed (was: Assigned)
This essentially takes over the whole renderer. Should we do a 69 respin for this?

Please note that this is not a regression.

Comment 11 by hablich@chromium.org, Sep 27

Labels: ReleaseBlock-Stable

Comment 12 by hablich@chromium.org, Sep 27

Labels: M-70

Comment 13 by sheriffbot@chromium.org, Sep 27

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 14 by awhalley@chromium.org, Oct 1

Labels: reward-topanel

Comment 15 by awhalley@google.com, Oct 2

Labels: Merge-Request-69 Merge-Request-70
We should definitely get it into 70, and a merge to 69 won't hurt in case there does turn out to be another respin.

Comment 16 by sheriffbot@chromium.org, Oct 2

Labels: -Merge-Request-70 Merge-Review-70 Hotlist-Merge-Review
This bug requires manual review: We are only 13 days from stable.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 17 by abdulsyed@chromium.org, Oct 2

Cc: gov...@chromium.org
Labels: -Merge-Review-70 Merge-Approved-70
Approving merge for M70. Branch:3538

+govind@ for M69 review. However note that we are about 2 weeks away from M70 stable.

Comment 18 by gov...@chromium.org, Oct 2

We're NOT planning any further M69 respin for Desktop. 
awhalley@, does it still make sense to approve the merge to M69 based on comment #15?

Comment 19 by awhalley@google.com, Oct 2

Either way, my thinking was that if we do a 69 respin it would be urgent at short notice, so getting changes in just in case would be good, but we can also re-assess if that happens.

Comment 20 by gov...@chromium.org, Oct 2

Labels: -Merge-Request-69 Merge-Approved-69
Got it, approving merge to M69 branch 3497 based on comment #19. We will pick up this change for any future M69 respin (if any).

Comment 21 by bugdroid1@chromium.org, Oct 2

Labels: merge-merged-7.0
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9e12622c9158384a4f73e73b9b966662b7b5ac73

commit 9e12622c9158384a4f73e73b9b966662b7b5ac73
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Tue Oct 02 21:13:44 2018

Merged: [turbofan] Fix ObjectCreate's side effect annotation.

Revision: 52a9e67a477bdb67ca893c25c145ef5191976220

BUG= chromium:888923 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=gsathya@chromium.org

Change-Id: I712017c082a3520f2ab9971924e564982f8a9741
Reviewed-on: https://chromium-review.googlesource.com/c/1257809
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.0@{#51}
Cr-Branched-From: 6e2adae6f7f8e891cfd01f3280482b20590427a6-refs/heads/7.0.276@{#1}
Cr-Branched-From: bc08a8624cbbea7a2d30071472bc73ad9544eadf-refs/heads/master@{#55424}
[modify] https://crrev.com/9e12622c9158384a4f73e73b9b966662b7b5ac73/src/compiler/js-operator.cc
[add] https://crrev.com/9e12622c9158384a4f73e73b9b966662b7b5ac73/test/mjsunit/compiler/regress-888923.js

Comment 22 by bugdroid1@chromium.org, Oct 2

Labels: merge-merged-6.9
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e044c13118780334d87f46032b521e8f5af1fa78

commit e044c13118780334d87f46032b521e8f5af1fa78
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Tue Oct 02 21:31:42 2018

Merged: [turbofan] Fix ObjectCreate's side effect annotation.

Revision: 52a9e67a477bdb67ca893c25c145ef5191976220

BUG= chromium:888923 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org

Change-Id: I39583b87019249c981254cb7f6407e508b674d38
Reviewed-on: https://chromium-review.googlesource.com/c/1257817
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.9@{#62}
Cr-Branched-From: d7b61abe7b48928aed739f02bf7695732d359e7e-refs/heads/6.9.427@{#1}
Cr-Branched-From: b7e108d6016bf6b7de3a34e6d61cb522f5193460-refs/heads/master@{#54504}
[modify] https://crrev.com/e044c13118780334d87f46032b521e8f5af1fa78/src/compiler/js-operator.cc
[add] https://crrev.com/e044c13118780334d87f46032b521e8f5af1fa78/test/mjsunit/compiler/regress-888923.js

Comment 23 by jkummerow@chromium.org, Oct 2

Labels: -Merge-Approved-69 -Merge-Approved-70

Comment 24 by awhalley@google.com, Oct 3

Labels: -ReleaseBlock-Stable

Comment 25 by awhalley@google.com, Oct 4

Labels: -reward-topanel reward-0

Comment 26 by awhalley@google.com, Oct 15

Labels: Release-0-M70

Comment 27 by awhalley@chromium.org, Oct 16

Labels: CVE-2018-17463 CVE_description-missing

Comment 28 by awhalley@chromium.org, Nov 12

Labels: -CVE_description-missing CVE_description-submitted

Comment 29 by hablich@chromium.org, Nov 21

Cc: shuntley@google.com nmehta@google.com

Comment 30 by ofrobots@google.com, Dec 14

Labels: NodeJS-Backport-Done
This was needed on Node.js 10. Backport: https://github.com/nodejs/node/pull/25027

Comment 31 by sheriffbot@chromium.org, Jan 3

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
