header-logo
Suggest Exploit
vendor:
Chromium
by:
Project Zero
7,8
CVSS
HIGH
Use-After-Free
416
CWE
Product Name: Chromium
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Windows
2020

JsRuntimeState UAF

In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState object(rcx+158h in 64-bit). But the garbage collector doesn't mark this saved value. So it results in a UAF. Unlike in our test environment(Linux), it doesn't make reliable crashes on Windows. So another bug(#1258) was used to confirm the bug. If the UAF bug doesn't exist, the "crash" function will not be called(See poc.js).

Mitigation:

The garbage collector should be updated to mark the saved value.
Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259

In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState object(rcx+158h in 64-bit). But the garbage collector doesn't mark this saved value. So it results in a UAF.

Unlike in our test environment(Linux), it doesn't make reliable crashes on Windows. So I used another bug(#1258) to confirm the bug. If the UAF bug doesn't exist, the "crash" function will not be called(See poc.js).

The password of the zip file is "calleruaf"


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42092.zip

Navigation

Suggest Exploit

Services By CQR