Google Chrome V8 vulnerability technical analysis and protection solution - vulnerability alert - MyHack58 (黑吧安全网)

ID MYHACK58:62201678415
Type myhack58
Reporter 苏少博
Modified 2016-08-26T00:00:00


Google Chrome V8 engine versions 3.20 through 4.2 contain a remote code execution vulnerability. It is caused by a typo in the source code: the exception type "observe_accept_invalid" is used where the defined type is actually "observe_invalid_accept". An attacker can exploit the vulnerability to disclose the kMessages key object and achieve arbitrary code execution. Mobile apps developed with the WebView control on Android 4.4.4 through 5.1 can also be affected by this vulnerability.

The vulnerability information is listed as follows:

| CNNVD ID | Level | Description |
|---|---|---|
| CNNVD-201608-414 | Serious | The exception type "observe_accept_invalid" is mis-typed in the source code, leading to remote code execution |

For more details, see the following address:


What is the Google Chrome V8 engine?

Google V8 is an open-source JavaScript engine developed by Google for the Chrome browser. Before running JavaScript, V8 compiles it into machine code rather than bytecode or interpreting it, in order to improve performance. It further uses techniques such as inline caching to improve performance. With these features, JavaScript programs running on the V8 engine reach speeds comparable to compiled binaries.

Affected versions

  • Google Chrome JavaScript V8 engine 3.20 to 4.2.
  • Apps developed with the WebView control on Android 4.4.4 to 5.1.

Non-affected versions

  • Google Chrome JavaScript V8 engine later than 4.2.

Vulnerability analysis

V8 is an open-source, high-performance JavaScript engine developed by Google. V8 exposes its built-in underlying native objects and code to the upper-layer JavaScript code for access and calls, which is what makes it efficient. This BadKernel vulnerability lies in the ConvertAcceptListToTypeMap function. The function's code can be seen at the following address: <>.

[Figure V8-1]

In the call to MakeTypeError, the author incorrectly used "observe_accept_invalid". At http://androidxref.com/5.0.0_r2/xref/external/chromium_org/v8/src/messages.js#75 it can be seen that there is no definition of "observe_accept_invalid"; only "observe_invalid_accept" is defined.

[Figure V8-2]

Therefore, with careful memory control, an attacker can trigger this vulnerability by calling the object's observe method to achieve information disclosure, and from there arbitrary code execution.
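As an added example (not from the advisory or from V8's own code base), the following JavaScript lint models the build-time check that would have caught this typo: it collects the keys defined in a kMessages table and flags every key passed to a Make*Error call that has no definition. The kMessages and ConvertAcceptListToTypeMap sources below are constructed, simplified stand-ins, not the real messages.js and object-observe.js.

```javascript
"use strict";

// Constructed, simplified stand-in for the kMessages table in messages.js
// (assumed shape: an object literal whose keys are the error type names).
const MESSAGES_JS = `
var kMessages = {
  observe_invalid_accept: ["Object.observe accept must be an array of strings."],
  observe_non_object: ["Object.", "%0", " cannot ", "%0", " non-object"],
  invalid_argument: ["invalid argument"]
};
`;

// Constructed stand-in for the caller carrying the mis-typed key.
const OBJECT_OBSERVE_JS = `
function ConvertAcceptListToTypeMap(arg) {
  if (IS_UNDEFINED(arg)) return arg;
  if (!IS_SPEC_OBJECT(arg)) throw MakeTypeError("observe_accept_invalid");
  return arg;
}
`;

// Keys defined in the kMessages object literal (one "name:" per line).
function definedMessageKeys(src) {
  const table = src.match(/kMessages\s*=\s*\{([\s\S]*?)\n\};/);
  const keys = new Set();
  if (!table) return keys;
  const re = /^\s*([A-Za-z_]\w*)\s*:/gm;
  let m;
  while ((m = re.exec(table[1])) !== null) keys.add(m[1]);
  return keys;
}

// Every string literal passed as the first argument of a Make*Error call.
function referencedMessageKeys(src) {
  const re = /Make(?:Type|Range|Syntax|Reference|Eval|URI)?Error\(\s*["']([A-Za-z_]\w*)["']/g;
  const refs = [];
  let m;
  while ((m = re.exec(src)) !== null) refs.push(m[1]);
  return refs;
}

// Referenced keys with no definition: each one is a message-table lookup
// that would miss, which is the defect behind BadKernel.
function findUndefinedMessageKeys(messagesSrc, callerSrc) {
  const defined = definedMessageKeys(messagesSrc);
  return referencedMessageKeys(callerSrc).filter(k => !defined.has(k));
}

console.log(findUndefinedMessageKeys(MESSAGES_JS, OBJECT_OBSERVE_JS));
```

Running it reports `observe_accept_invalid` as undefined while the correctly spelled `observe_invalid_accept` passes; the same check can be run over the real messages.js and its callers.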

The call path of this vulnerability:

  1. The JavaScript code calls the object's observe method, Object.observe()

  2. http://androidxref.com/5.0.0_r2/xref/external/chromium_org/v8/src/bootstrapper.cc#1633

[Figure V8-3]

  3. http://androidxref.com/5.0.0_r2/xref/external/chromium_org/v8/src/object-observe.js#375

[Figure V8-4]

  4. http://androidxref.com/5.0.0_r2/xref/external/chromium_org/v8/src/object-observe.js#ConvertAcceptListToTypeMap

[Figure V8-5]

  5. http://androidxref.com/5.0.0_r2/xref/external/chromium_org/v8/src/messages.js#323

  6. http://androidxref.com/5.0.0_r2/xref/external/chromium_org/v8/src/messages.js#MakeGenericError

  7. http://androidxref.com/5.0.0_r2/xref/external/chromium_org/v8/src/messages.js#FormatMessage

[Figure V8-6]
