|
2 | 2 |
|
3 | 3 | The analysis of this bug can be found [here](https://securitylab.github.com/research/in_the_wild_chrome_cve_2021_37975). This is a Chrome bug that is reported by an anonymous researcher and was believed to be exploited in the wild. |
4 | 4 |
|
5 | | -The exploit here is tested on `v8` version 9.4.146.16 (commit `452f57b`), which is the version shipped with Chrome 94.0.4606.71, the one before the bug is fixed, on Ubuntu 20.04. Tested on two different desktop devices with different specs. |
| 5 | +The exploit `poc.js` is tested on `v8` version 9.4.146.16 (commit `452f57b`), which is the version shipped with Chrome 94.0.4606.61, the one before the bug was fixed, on Ubuntu 20.04. It is tested on two different desktop devices with different specs. |
6 | 6 |
|
7 | 7 | To test, check out `v8` at commit `452f57b` and compile with the default settings using `tools/dev/gm.py x64.release`. Then open the file `poc.js` with `d8`: |
8 | 8 |
|
@@ -42,6 +42,57 @@ shellArray addr: 0x8048d75 |
42 | 42 | $ |
43 | 43 | ``` |
44 | 44 |
|
45 | | -Shell code may need changing on other platforms. |
| 45 | +Shell code and some offsets may need changing on other platforms. |
46 | 46 |
|
47 | | -The exploit is not reliable, (probably about 50 percent success rate). The variable `gcSize` may need changing depending on the device, and the variable `mapAddr` also depends on the version of v8 (it is an offset). Changing the variable `sprayParam` may also improve the reliability. The current parameter seems to give reasonable reliability across the two devices tested. |
| 47 | +The exploit is fairly reliable, (> 80% success rate on the two tested devices). The variable `gcSize` may need changing depending on the device, and the variable `mapAddr` also depends on the version of v8 (it is an offset). Changing the variable `sprayParam` may also improve the reliability. The current parameter seems to give reasonable reliability across the two devices tested. The `gcSize` parameter should be ok for desktop devices, but may need changing for devices with low memory (e.g. mobile) |
| 48 | + |
| 49 | +The Chrome poc are the files `chrome_poc_parent.html` and `chrome_poc_child.html`. It is tested with Linux build 94.0.4606.61 (commit `c3f0a75`) on Ubuntu 20.04, with the following parameters: |
| 50 | + |
| 51 | +``` |
| 52 | +is_debug = false |
| 53 | +symbol_level = 2 |
| 54 | +blink_symbol_level = 2 |
| 55 | +dcheck_always_on = false |
| 56 | +is_official_build = true |
| 57 | +chrome_pgo_phase = 0 |
| 58 | +``` |
| 59 | + |
| 60 | +To build this, I have to comment out part of a script `chrome/browser/resources/tools/optimize_webui.py` to fix the build: |
| 61 | + |
| 62 | +``` |
| 63 | +@@ -178,16 +178,16 @@ def _bundle_v3(tmp_out_dir, in_path, out_path, manifest_out_path, args, |
| 64 | + manifest_out_path) |
| 65 | + assert len(generated_paths) == len(bundled_paths), \ |
| 66 | + 'unexpected number of bundles - %s - generated by rollup' % \ |
| 67 | + (len(generated_paths)) |
| 68 | + |
| 69 | +- for bundled_file in bundled_paths: |
| 70 | +- with open(bundled_file, 'r') as f: |
| 71 | +- output = f.read() |
| 72 | +- assert "<if expr" not in output, \ |
| 73 | +- 'Unexpected <if expr> found in bundled output. Check that all ' + \ |
| 74 | +- 'input files using such expressions are preprocessed.' |
| 75 | ++# for bundled_file in bundled_paths: |
| 76 | ++# with open(bundled_file, 'r') as f: |
| 77 | ++# output = f.read() |
| 78 | ++# assert "<if expr" not in output, \ |
| 79 | ++# 'Unexpected <if expr> found in bundled output. Check that all ' + \ |
| 80 | ++# 'input files using such expressions are preprocessed.' |
| 81 | + |
| 82 | + return bundled_paths |
| 83 | + |
| 84 | + def _optimize(in_folder, args): |
| 85 | + in_path = os.path.normpath(os.path.join(_CWD, in_folder)).replace('\\', '/') |
| 86 | +``` |
| 87 | + |
| 88 | +This part seems to be doing some sanity checks of some generated config files related to webui, so I don't expect it to affect the exploit. |
| 89 | + |
| 90 | +The Chrome exploit should be 100% reliable by using different origin `iframe` to avoid crashing the parent frame. (Idea similar to the one in "Making a Stealth Exploit by abusing Chrome's Site Isolation" in [this article](https://blog.exodusintel.com/2019/01/22/exploiting-the-magellan-bug-on-64-bit-chrome-desktop/?fbclid=IwAR0WiWjsUnun8AuipENIUCMwTvWl35I7rAgsTflQTecmazElNoCAYvm0BsA) of Ki Chan Ahn, but on a smaller scale) The parent frame will reset the child frame every 5 seconds and change its origin to make sure it starts fresh, during which it'll print out `resetChild` on the page. It should not take too many attempts to succeed and will pop `xcalc` on Ubuntu. To test it, host these pages at `127.0.0.1`, `127.0.0.2` and `127.0.0.3`: |
| 91 | + |
| 92 | +``` |
| 93 | +python3 -m http.server --bind 127.0.0.1 |
| 94 | +python3 -m http.server --bind 127.0.0.2 |
| 95 | +python3 -m http.server --bind 127.0.0.3 |
| 96 | +``` |
| 97 | + |
| 98 | +Then open `localhost:8000/chrome_poc_parent.html` on Chrome built with the above instructions and wait. It should pop `xcalc` within a few trials. |
0 commit comments