Blog CVE-2024-4947: v8 incorrect AccessInfo for module namespace object causes Maglev type confusion, we have a oob read/write inside of sandbox.
By
@mistymntncop
and me
PoC and writeup about CVE-2024-5830: incorrect handing of deprecated map in [[CreateDataProperty]] from Man Yue Mo.
This vuln is not that complicated and i guess it's all about exploit techniques.
By me and jj
@mistymntncop
CVE-2024-4761: ITW v8 type confusion of WasmObjects causes oob read/writes inside of sandbox PoC, from
@mistymntncop
It's a shock for me that we could oob just through writing zeros...🤪
My writeup about CVE-2024-2625, non-allowed main thread handle deref during off-thread parsing in v8
"Since the bug reporter shared this bug into Google just before Pwn2Own2024, I think this bug is not exploitable." 🤣
CVE-2024-4761: ITW v8 type confusion of WasmObjects causes oob read/writes inside of sandbox PoC, from
@mistymntncop
It's a shock for me that we could oob just through writing zeros...🤪
PoC of v8 CVE-2024-3159: enumcache oob v2.0
It's related to CVE-2023-4427.
As a security researcher who has long been aware of the potential bugs in MapUpdater and enumcache, I should reflect on my careless code review and outdated workflow.
In this post I'll use CVE-2023-4069, a type confusion bug in the Maglev JIT compiler of Chrome that I reported in July, to gain RCE in the Chrome renderer sandbox:
Blog about issue-339736513: [v8ctf M125] v8 missing check of WasmObject type causing IC type confusion and OOB access
Shout out to
@mistymntncop
, i can't believe the poly IC technique from CVE-2023-3079 is still alive😅
🤔
[334120897][wasm][sandbox]In-sandbox corruption could cause i64 values to be passed to functions expecting an i32 -> SBX:
Regress test:
./d8 --wasm-staging --sandbox-testing regress-334120897.js
In a new guest blog,
#Pwn2Own
winner
@_manfp
details CVE-2024-2887 - a bug he used to exploit both
#Chrome
and
#Edge
during the contest on his way to winning Master of Pwn. He breaks down the root cause and shows how he exploited it. Read the details at
Here are the slides for our talk, 'Find and exploit race condition bugs in modern JS engines' at
#Zer0Con2023
. Thanks
@POC_Crew
for a great conference!
My writeup about CVE-2023-6702: v8 type confusion when capturing async stack traces in promise contexts
My previous writeup about another Promise-related vuln CVE-2023-4355
@alisaesage
, thank you so much for the talk at
#hitbxphdays
.
In fact,
@buptsb
,
@mistymntncop
,
@wwkenwong
, and I are excited to watching on your talk together. The deep dive part is the greatest part which also links up ECMA specification to check out internal JSE function.
We are happy to share our slides for TyphoonCon 2024 and the exploit code for v8ctf. We hope this will be helpful for those who study browser exploits :)
Thanks to events like Pwn2Own or our V8CTF (~= exploit bounty program), we now have more data about the types of bugs exploited in V8. Based on that, we've gathered some basic statistics:
Here are the slides for our talk, 'Find and exploit race condition bugs in modern JS engines' at
#Zer0Con2023
. Thanks
@POC_Crew
for a great conference!
WasmObject is a devil released by the v8 type system, if i had realized this a month ago then this tweet would have been sent from my Lamborghini's dashboard🤣😇
Weird situation in CVE-2024-0517, Maglev has an more aggressive memory optimization than Turbofan, TF calls into `FastNewObject` builtin but ML uses `AllocateRaw` and do allocation folding.
v8 has a 4-tiers stack just like JSC:
Ignition(interpreter)
Sparkplug(single-pass non-optimizing baseline compiler)
TurboProp(a subset of TurboFan, deprecated for now)
Maglev(a mid-tier minimal SSA-based optimising compiler)
TurboFan(heavyweight, top-notch optimizing compiler)
I have been breadth-first search through v8 codebase towarding CVE-2024-0519 for more than 72h (including sleep), the problem for me as an inexperienced researcher is how depth should i go before switching into next branch, and when to give up the whole process
This quick doc only demonstrates the d8 crash without the real oob write, i just publish it without noticing that this is an v8 ITW vuln. Apologize for my carelessness 🥹
To those who report fuzzer crashes immediately without even looking at a single line of source code, just take a glance and your bounty will get doubled...
you guys don't read zh-cn can't understand many interesting points inside the leakage chat history... and i can't write a post about it even though there is almost nothing sensitive inside 🤫
(CVE-2024-2884)SEGV in turboshaft-loop-peeling
This will allow attackers to forge malformed objects on the v8 heap and then leak it to user space through another fakeobj vulnerability -> AAR primitive, thereby achieving a complete exploit.
@Kipreyyy
This looks like a candidate for Chrome v8 0day bug used by
@_manfp
in his Pwn2Own 2024 exploit (CVE-2024-2887, just patched in Chrome stable 123.0.6312.86/.87)
wasm module decoder had a missing check of type section size in a branch of DecodeTypeSection, easy to spot manually:
Previously property `stack` is a `native accessor`(AccessInfo), whose getter would be called during Object.defineProperty(makes `Error.prepareStackTrace()` a toValue/toString alike side-effects function call), now its a `JavaScript accessor`(AccessPair).
Correction to my last post. The author of the hole exploitation writeup was
@h0meb0dysj
. You can find another version of the writeup on his personal blog (Korean). Good stuff!
@ajxchapman
@buptdsb
@_tsuro
oh man, if this person's entry is either CVE-2024-4947 or CVE-2024-4761 i'll be seriously impressed. Both very weak primitives, not particularly easy to work with. I guess CVE-2024-4947 is showing more promise for the moment...
Tried to inspect why the symbol is not hightlighted, to understand the obfuscated js code is just like v8 source code which demands a lot of imagination...
The cross ref system of Chromium has been broken for about dozon of months, I think they don't actually use it internally so nobody has even noticed that for so long...
The cross ref system of Chromium has been broken for about dozon of months, I think they don't actually use it internally so nobody has even noticed that for so long...
Its quite challenging for me to digest all these backend vulns in ML/TF, and I doubt if anyone could find these vulns through methods other than fuzzing?
Patch candidate for Chrome v8 Use-after-free to RCE bug (CVE-2024-3914) exploited by
@0x10n
at Pwn2Own 2024 Vancouver against both Chrome and Microsoft Edge. Patched in Chrome 124.0.6367.60/.61
This is not "quite" v8 - it's kinda blink reachable from v8. Classic array neutering
Fast deletion migrate recv to its parent map, the recv may have just extended the property array size but the `unused property fields` in parent map is 0. But it seems like harmless.
8 minutes to index latest v8 with `clangd -j=16`, i dont know if it support `iceccd` since i use that to build v8 through a little build farm of 3 machines.
This issue is due to a incomplete fix to CloneObjectIC that I mentioned in my reading notes: , which is used by the first v8ctf commit.
The condition function is still dog shit for now, but it works...
To those who report fuzzer crashes immediately without even looking at a single line of source code, just take a glance and your bounty will get doubled...