Coordinated Disclosure Timeline
- 2024-03-27: Issue reported to Chromium security team as 331383939
- 2024-04-16: Issue fixed in version 124.0.6367.60/.61 as CVE-2024-3833
Summary
Opening a malicious website in affected versions of Chrome can lead to object corruption that can be exploited to gain code execution in Chrome's renderer.
Project
Chromium
Tested Version
Chromium version 123.0.6312.58
Details
JS object corruption in WasmJs::InstallTypeReflection (GHSL-2024-070)
In InstallConditionalFeatures, a check ensures that the WebAssembly object does not already contain the Function property, so that duplicate properties are not added to the object:
void WasmJs::InstallConditionalFeatures(Isolate* isolate,
                                        Handle<NativeContext> context) {
  ...
    // Install Wasm type reflection features (if not already done).
    Handle<String> function_string = v8_str(isolate, "Function");
    if (!JSObject::HasRealNamedProperty(isolate, webassembly, function_string)
             .FromMaybe(true)) {
      InstallTypeReflection(isolate, context);
    }
  }
}
However, InstallTypeReflection also adds properties to various other objects, and those are not checked:
void WasmJs::InstallTypeReflection(Isolate* isolate,
                                   Handle<NativeContext> context) {
  Handle<JSObject> webassembly(context->wasm_webassembly_object(), isolate);
#define INSTANCE_PROTO_HANDLE(Name) \
  handle(JSObject::cast(context->Name()->instance_prototype()), isolate)
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_table_constructor), "type",
              WebAssemblyTableType, 0, false, NONE,
              SideEffectType::kHasNoSideEffect);
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_memory_constructor), "type",
              WebAssemblyMemoryType, 0, false, NONE,
              SideEffectType::kHasNoSideEffect);
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_global_constructor), "type",
              WebAssemblyGlobalType, 0, false, NONE,
              SideEffectType::kHasNoSideEffect);
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_tag_constructor), "type",
              WebAssemblyTagType, 0);
#undef INSTANCE_PROTO_HANDLE
  ...
In the above, the type property is added to the prototype of wasm_table_constructor etc., without checking whether those properties already exist. This leads to issues like 40056206, where duplicate properties are installed on objects.
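The mismatch described above, modelled in JavaScript as an added example (not code from the advisory or from V8): the guard consults only the WebAssembly namespace object, while the installer also writes "type" onto the Table, Memory, Global and Tag prototypes, so an idempotency check has to cover every object the installer mutates. All functions, the target list and the mock namespace are stand-ins constructed here.

```javascript
// Every property the type-reflection feature installs: [holder path, name].
const TYPE_REFLECTION_TARGETS = [
  [[], 'Function'],
  [['Table', 'prototype'], 'type'],
  [['Memory', 'prototype'], 'type'],
  [['Global', 'prototype'], 'type'],
  [['Tag', 'prototype'], 'type'],
];
const hasOwn = (obj, name) => Object.prototype.hasOwnProperty.call(obj, name);
// Walk from the namespace object down a holder path (e.g. ns.Table.prototype).
const holderOf = (ns, path) => path.reduce((obj, key) => obj[key], ns);

// Targets that already carry their property: a second installation would
// define each of these twice. Usable as a consistency audit in tests.
function auditTypeReflection(ns) {
  return TYPE_REFLECTION_TARGETS
    .filter(([path, name]) => hasOwn(holderOf(ns, path), name))
    .map(([path, name]) => [...path, name].join('.'));
}

// Guard as in the advisory: consults only WebAssembly.Function.
const guardNamespaceOnly = (ns) => !hasOwn(ns, 'Function');
// Hardened guard: install only if no target object holds its property yet.
const guardEveryTarget = (ns) => auditTypeReflection(ns).length === 0;

// Simulated installer: defines every target and reports which ones were
// already present, i.e. where a duplicate property was installed.
function installTypeReflection(ns) {
  const duplicates = [];
  for (const [path, name] of TYPE_REFLECTION_TARGETS) {
    const holder = holderOf(ns, path);
    if (hasOwn(holder, name)) duplicates.push([...path, name].join('.'));
    Object.defineProperty(holder, name, { value: () => name, configurable: true });
  }
  return duplicates;
}
function installConditionally(ns, guard) {
  return guard(ns) ? installTypeReflection(ns) : [];
}

// Constructed mock namespace in a partially installed state: "type" already
// sits on Table.prototype while WebAssembly.Function is absent.
function makePartialNamespace() {
  const ns = { Table: { prototype: {} }, Memory: { prototype: {} },
               Global: { prototype: {} }, Tag: { prototype: {} } };
  Object.defineProperty(ns.Table.prototype, 'type',
                        { value: () => 'type', configurable: true });
  return ns;
}
```

Under the namespace-only guard the partial state is re-installed and Table.prototype.type is defined a second time; under the every-target guard the install is skipped.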
Impact
This issue can be exploited to gain RCE in the Chrome renderer.
CVE
- CVE-2024-3833
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Originally published by Man Yue Mo: GHSL-2024-070: Remote Code Execution (RCE) in Chromium – CVE-2024-3833