One Click on a Malicious Site Could Exploit Chrome V8 Engine RCE Vulnerability
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical security vulnerability identified as CVE-2024-5830 has been discovered in Chrome’s V8 JavaScript engine. The flaw, initially reported in May 2024 as bug 342456991.
The vulnerability is a type confusion bug that allows an attacker to execute arbitrary code within the Chrome renderer sandbox by simply getting a victim to visit a malicious website.
A type confusion bug within the V8 engine’s handling of object maps and transitions. Maps, or hidden classes, define the memory layout of objects and optimize property access.
A flaw in the map transition process can lead to incorrect handling of object properties, resulting in a deprecated map being unexpectedly updated to a dictionary map. This discrepancy can cause out-of-bounds (OOB) access, leading to potential exploitation.
Today, Man Yue Mo, a security researcher from the GitHub Security Lab, published a technical write-up ;the vulnerability is triggered when V8 attempts to update the map (hidden class) of an object that has become deprecated due to type changes in the object’s properties.
In certain scenarios, this map update unexpectedly results in the object becoming a “dictionary” type rather than a “fast” type.This causes type confusion, as code that subsequently uses the updated map assumes it is dealing with a fast object, while in reality it is operating on a dictionary object.
An attacker can exploit this confusion to corrupt the internal fields of the dictionary object by carefully manipulating the object properties and layout in JavaScript.
Gaining Arbitrary Read/Write in V8 Heap
The researcher was able to leverage this corruption to construct a fake object within the V8 heap by then triggering a function that attempts to migrate the corrupted dictionary object back to a fast type, the fake object can be referenced, leading to out-of-bounds access to the fake object’s elements.
Using techniquesto groom the heapmemory layoutand predict object addresses, this out-of-bounds access could be turned into anarbitrary read-and-write primitivewithin the V8 heap.
This is a powerful capability that allows the attacker to corrupt and manipulate objects and data structures inside the JavaScript engine.
Escaping the V8 Heap Sandbox
Modern versionsof V8 employ a “heap sandbox” thatisolates the JavaScript heapfrom other memoryregions in the browserprocess, suchas executablecode pages.
This makes achieving code execution more challenging, even with an arbitrary read/write bug in the V8 heap.
However, the researcher found a way to bypass the heap sandbox by exploiting the interaction between V8 and Blink, the rendering engine of Chrome.
In particular, by treating a DOMRect object as a DOMTypedArray, the researcher overwrote the typed array’s backing store pointer.
This provided an arbitrary read/write primitive to the entire Chrome renderer process memory, outside the V8 sandbox.
From there, well-known techniques could be used to locate and corrupt function pointers or JIT-compiled code to gain execution of arbitrary native code.
CVE-2024-5830 – Patch
Google has patched this vulnerability in V8 and released fixed versions of Chrome in late July 2024. The researcher praised Google for their quick response and professional issue handling.
This vulnerability is notable for its severity and the novel techniques demonstrated to escape Chrome’s heap isolation mechanisms.
It underscores the ongoing security challenges in complex codebases like web browsers and the importance of continuing research into hardening and mitigation techniques.
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
One Click on a Malicious Site Could Exploit Chrome V8 Engine RCE Vulnerability
Author: Balaji NA critical security vulnerability identified as CVE-2024-5830 has been discovered in Chrome’s V8 JavaScript engine. The flaw, initially reported in May 2024 as bug 342456991.
The vulnerability is a type confusion bug that allows an attacker to execute arbitrary code within the Chrome renderer sandbox by simply getting a victim to visit a malicious website.
A type confusion bug within the V8 engine’s handling of object maps and transitions. Maps, or hidden classes, define the memory layout of objects and optimize property access.
A flaw in the map transition process can lead to incorrect handling of object properties, resulting in a deprecated map being unexpectedly updated to a dictionary map. This discrepancy can cause out-of-bounds (OOB) access, leading to potential exploitation.
Today, Man Yue Mo, a security researcher from the GitHub Security Lab, published a technical write-up ;the vulnerability is triggered when V8 attempts to update the map (hidden class) of an object that has become deprecated due to type changes in the object’s properties.
In certain scenarios, this map update unexpectedly results in the object becoming a “dictionary” type rather than a “fast” type.This causes type confusion, as code that subsequently uses the updated map assumes it is dealing with a fast object, while in reality it is operating on a dictionary object.
An attacker can exploit this confusion to corrupt the internal fields of the dictionary object by carefully manipulating the object properties and layout in JavaScript.
Gaining Arbitrary Read/Write in V8 Heap
The researcher was able to leverage this corruption to construct a fake object within the V8 heap by then triggering a function that attempts to migrate the corrupted dictionary object back to a fast type, the fake object can be referenced, leading to out-of-bounds access to the fake object’s elements.
Using techniquesto groom the heapmemory layoutand predict object addresses, this out-of-bounds access could be turned into anarbitrary read-and-write primitivewithin the V8 heap.
This is a powerful capability that allows the attacker to corrupt and manipulate objects and data structures inside the JavaScript engine.
Escaping the V8 Heap Sandbox
Modern versionsof V8 employ a “heap sandbox” thatisolates the JavaScript heapfrom other memoryregions in the browserprocess, suchas executablecode pages.
This makes achieving code execution more challenging, even with an arbitrary read/write bug in the V8 heap.
However, the researcher found a way to bypass the heap sandbox by exploiting the interaction between V8 and Blink, the rendering engine of Chrome.
In particular, by treating a DOMRect object as a DOMTypedArray, the researcher overwrote the typed array’s backing store pointer.
This provided an arbitrary read/write primitive to the entire Chrome renderer process memory, outside the V8 sandbox.
From there, well-known techniques could be used to locate and corrupt function pointers or JIT-compiled code to gain execution of arbitrary native code.
CVE-2024-5830 – Patch
Google has patched this vulnerability in V8 and released fixed versions of Chrome in late July 2024. The researcher praised Google for their quick response and professional issue handling.
This vulnerability is notable for its severity and the novel techniques demonstrated to escape Chrome’s heap isolation mechanisms.
It underscores the ongoing security challenges in complex codebases like web browsers and the importance of continuing research into hardening and mitigation techniques.
#Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
