1377 High-yield Nukes
@buptsb
Followers
1,461
Following
1,169
Media
110
Statuses
3,993
Frontend / Chromium / V8 / Devtools(TTD) / Networking(TCP/QUIC) / ? he/him, DMs open
Hong Kong
Joined March 2010
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
ORM BE RIGHT BACK
• 477031 Tweets
jeonghan
• 183052 Tweets
MILE WITH BVLGARI TRUNKSHOW
• 113444 Tweets
CALLING ALL PRETTY GIRLS
• 102867 Tweets
#PeacefulPropertySeriesEP5
• 86536 Tweets
DAOU x OFFROAD
• 85789 Tweets
Varane
• 82921 Tweets
WANWAND SING ALONG
• 57882 Tweets
#櫻坂46_IWTC
• 55539 Tweets
UNSTOPPABLE KAIRAIN
• 44720 Tweets
#佐久間19歳
• 40032 Tweets
GULF X NINEENT BIRTHDAY
• 34662 Tweets
BINI SURFRESANG BANGO EP1
• 33256 Tweets
#推しの子
• 30344 Tweets
羽賀研二
• 28807 Tweets
シーザー
• 27932 Tweets
#Aぇヤンタン
• 18831 Tweets
The Next Prince Q7
• 18406 Tweets
BEAUTIFUL SKIN WITH LK
• 18006 Tweets
レイジョ
• 16093 Tweets
Sluka
• 15464 Tweets
ジャクソン
• 13770 Tweets
ウィリアムバローズ
• 13020 Tweets
Rapha
• 12357 Tweets
미수반2
• 11966 Tweets
UNLV
• 11877 Tweets
Bárbara Rey
• 11699 Tweets
Blog CVE-2024-4947: v8 incorrect AccessInfo for module namespace object causes Maglev type confusion, we have a oob read/write inside of sandbox.
By
@mistymntncop
and me
5
38
143
PoC and writeup about CVE-2024-5830: incorrect handing of deprecated map in [[CreateDataProperty]] from Man Yue Mo.
This vuln is not that complicated and i guess it's all about exploit techniques.
By me and jj
@mistymntncop
2
27
125
CVE-2024-4761: ITW v8 type confusion of WasmObjects causes oob read/writes inside of sandbox PoC, from
@mistymntncop
It's a shock for me that we could oob just through writing zeros...🤪
2
41
121
CVE-2023-4762 yet another v8 HOLE leak during element access reducing, poc:
2
18
107
My writeup about CVE-2024-2625, non-allowed main thread handle deref during off-thread parsing in v8
"Since the bug reporter shared this bug into Google just before Pwn2Own2024, I think this bug is not exploitable." 🤣
1
33
105
CVE-2024-2887 WebAssembly type confusion PoC
Missed out on the v8ctf bounty again because I have absolutely no idea how to achieve v8 sbx escape...🥹
3
20
107
My detailed writeup about it:
CVE-2024-4761: ITW v8 type confusion of WasmObjects causes oob read/writes inside of sandbox PoC, from
@mistymntncop
It's a shock for me that we could oob just through writing zeros...🤪
2
41
121
3
33
93
PoC of v8 CVE-2024-3159: enumcache oob v2.0
It's related to CVE-2023-4427.
As a security researcher who has long been aware of the potential bugs in MapUpdater and enumcache, I should reflect on my careless code review and outdated workflow.
6
22
93
Single line of code worth $10000, yet another v8 WasmObject type cast cve?
2
8
90
A quick note about CVE-2024-3832: Object corruption on wasm functions installation.
Status: no PoC, hole heak / object corruption
3
12
71
My reading notes to CVE-2023-4069, about how v8 Construct works and JSFunction's initial_map.
In this post I'll use CVE-2023-4069, a type confusion bug in the Maglev JIT compiler of Chrome that I reported in July, to gain RCE in the Chrome renderer sandbox:
5
103
316
3
11
67
Some quick notes about the CVE-2023-3079(V8 type confusion), no PoC yet.
2
15
66
Blog about issue-339736513: [v8ctf M125] v8 missing check of WasmObject type causing IC type confusion and OOB access
Shout out to
@mistymntncop
, i can't believe the poly IC technique from CVE-2023-3079 is still alive😅
3
15
68
Yet another v8 sandbox escape case, should i call the fix timeline "defensive fixing?"🤓
🤔
[334120897][wasm][sandbox]In-sandbox corruption could cause i64 values to be passed to functions expecting an i32 -> SBX:
Regress test:
./d8 --wasm-staging --sandbox-testing regress-334120897.js
0
2
24
1
8
56
v8 sandbox escape with GSAB lengh-tracking integer underflow🧎
1
6
55
My readings notes about v8 CVE-2021-37991: Potential race condition during concurrent JIT compilation
Here are the slides for our talk, 'Find and exploit race condition bugs in modern JS engines' at
#Zer0Con2023
. Thanks
@POC_Crew
for a great conference!
2
88
209
2
9
53
My reading notes about v8 CVE-2023-4355: Dangling FixedArray pointers in Torque lead to memory corruption
0
12
48
My writeup about CVE-2023-6702: v8 type confusion when capturing async stack traces in promise contexts
My previous writeup about another Promise-related vuln CVE-2023-4355
1
9
49
I watched
@alisaesage
's great video on
#PhDays2023
last year and began my journey on to v8 sec, it's great to be a tiny part of the talk 🫡
@alisaesage
, thank you so much for the talk at
#hitbxphdays
.
In fact,
@buptsb
,
@mistymntncop
,
@wwkenwong
, and I are excited to watching on your talk together. The deep dive part is the greatest part which also links up ECMA specification to check out internal JSE function.
3
8
46
0
6
49
CVE-2024-3832 must be a new way to corrupt jsobject in the runtime🧐
0
9
49
My reading notes about v8 issue:1423610: Maglev missing writer barrier due to Phi node untagging.
2
5
44
[$25000][342456991] High CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-05-24
[342456991][map] Don't update maps in PrepareForDataProperty because we might update to a dictionary map.
0
0
4
1
6
45
Reading some greate articles about TurboFan, seems like most writeups are written before 2022...
0
9
41
its sad these great presentations hosted in Blackhat or Github are not indexed and can't be searched from anywhere
2
6
40
My reading notes about this bug (CVE? chrome:1472121), CloneObjectIC type confusion
1
5
40
Some notes about CVE-2024-3156: invalid address in CodePointerTableEntry after GC
0
8
38
My reading notes about CVE-2023-4427 🫡
Oh Cool. Glazunov released a writeup on CVE-2023-4427 on packetstorm.
3
13
78
2
10
36
2024-0519(?)
2023-6702()
1509576(has regress )
2024-0517()
2024-3159(✅)
2024-2887(✅)
2024-3914(?)
2024-1939(?)
2024-4761(✅)
2024-4947(✅)
2024-5274(?)
339736513(✅)
Thanks to events like Pwn2Own or our V8CTF (~= exploit bounty program), we now have more data about the types of bugs exploited in V8. Based on that, we've gathered some basic statistics:
4
61
223
1
5
35
CVE-2022-3652(issue:1369871)
Here are the slides for our talk, 'Find and exploit race condition bugs in modern JS engines' at
#Zer0Con2023
. Thanks
@POC_Crew
for a great conference!
2
88
209
1
5
31
WasmObject is a devil released by the v8 type system, if i had realized this a month ago then this tweet would have been sent from my Lamborghini's dashboard🤣😇
2
0
29
Weird situation in CVE-2024-0517, Maglev has an more aggressive memory optimization than Turbofan, TF calls into `FastNewObject` builtin but ML uses `AllocateRaw` and do allocation folding.
1
0
29
v8 has a 4-tiers stack just like JSC:
Ignition(interpreter)
Sparkplug(single-pass non-optimizing baseline compiler)
TurboProp(a subset of TurboFan, deprecated for now)
Maglev(a mid-tier minimal SSA-based optimising compiler)
TurboFan(heavyweight, top-notch optimizing compiler)
1
1
25
To understand v8 map updater/transitions, the 3000 loc test file `cctest/test-field-type-tracking.cc` is a must read
1
2
25
I have been breadth-first search through v8 codebase towarding CVE-2024-0519 for more than 72h (including sleep), the problem for me as an inexperienced researcher is how depth should i go before switching into next branch, and when to give up the whole process
3
3
22
This quick doc only demonstrates the d8 crash without the real oob write, i just publish it without noticing that this is an v8 ITW vuln. Apologize for my carelessness 🥹
1
3
20
To those who report fuzzer crashes immediately without even looking at a single line of source code, just take a glance and your bounty will get doubled...
3
3
19
Samuel's pre is wonderful, I'm shocked that the color palette in the pics are (kind of) consistent
0
3
17
you guys don't read zh-cn can't understand many interesting points inside the leakage chat history... and i can't write a post about it even though there is almost nothing sensitive inside 🤫
1
0
13
Interesting discussion on the security severity of a v8 arbitrary read🧐
0
4
16
So these guys all know how to bypass the latest v8 sbx?
2
0
14
The /src/wasm folder's code style seems quite different compared to v8
This looks like a candidate for Chrome v8 0day bug used by
@_manfp
in his Pwn2Own 2024 exploit (CVE-2024-2887, just patched in Chrome stable 123.0.6312.86/.87)
wasm module decoder had a missing check of type section size in a branch of DecodeTypeSection, easy to spot manually:
1
18
115
0
0
13
Lots of "1st order logic"(traditional memory corruption) bugs got reported, maybe the ClusterFuzz would randomly modify js objects fields?
1
1
13
THE Hole-new-world writeup
1
2
10
Reviewed dozen of v8 sbx issues since 2024, but no usable exp/poc/writup found🧐
3
0
12
Previously property `stack` is a `native accessor`(AccessInfo), whose getter would be called during Object.defineProperty(makes `Error.prepareStackTrace()` a toValue/toString alike side-effects function call), now its a `JavaScript accessor`(AccessPair).
Correction to my last post. The author of the hole exploitation writeup was
@h0meb0dysj
. You can find another version of the writeup on his personal blog (Korean). Good stuff!
1
21
92
4
2
12
diving into these two cves for last 48 hours, dead inside🤡
@ajxchapman
@buptdsb
@_tsuro
oh man, if this person's entry is either CVE-2024-4947 or CVE-2024-4761 i'll be seriously impressed. Both very weak primitives, not particularly easy to work with. I guess CVE-2024-4947 is showing more promise for the moment...
2
0
5
2
0
12
Tried to inspect why the symbol is not hightlighted, to understand the obfuscated js code is just like v8 source code which demands a lot of imagination...
The cross ref system of Chromium has been broken for about dozon of months, I think they don't actually use it internally so nobody has even noticed that for so long...
5
0
10
1
1
11
The cross ref system of Chromium has been broken for about dozon of months, I think they don't actually use it internally so nobody has even noticed that for so long...
5
0
10
I think I have checked this line before during code review, since the comments seems like bad shit could happen
1
0
9
Its quite challenging for me to digest all these backend vulns in ML/TF, and I doubt if anyone could find these vulns through methods other than fuzzing?
0
1
9
Some docs:
Mid-Tier Compiler Investigation
TurboProp Mid-Tier Compiler
Sparkplug
Maglev
1
0
8
I can't find a combination in turbofan but it seems promsing
1
0
7
Built-in proxy server named "ip protection" landed in Chrome Canary
1
0
6
What a silly bug...
Patch candidate for Chrome v8 Use-after-free to RCE bug (CVE-2024-3914) exploited by
@0x10n
at Pwn2Own 2024 Vancouver against both Chrome and Microsoft Edge. Patched in Chrome 124.0.6367.60/.61
This is not "quite" v8 - it's kinda blink reachable from v8. Classic array neutering
1
25
107
1
0
6
Start looking into CVE-2024-2887, seems like a wasm type confusion?
1
0
6
No users take `map->UnusedPropertyFields()` as iteration boundary, its okay for the PropertyArray to be a little bit larger.
Fast deletion migrate recv to its parent map, the recv may have just extended the property array size but the `unused property fields` in parent map is 0. But it seems like harmless.
0
0
3
2
1
5
Depending on `ArrayIteratorProtector` in `FindNonDefaultConstructor`, weird looking
0
0
4
Maybe there could exists some inconsistencies between jsobject and its map after fast-deletion
0
0
5
8 minutes to index latest v8 with `clangd -j=16`, i dont know if it support `iceccd` since i use that to build v8 through a little build farm of 3 machines.
1
0
4
But i'm not clear how these mem corruption could be utilized and write to the v8 sbx space
0
0
4
@sampriti0
Yeah, i found the LLM based chatbots are only useful if you know the correct answer, and that's a little bit ironic.
0
0
4
80 days since CVE-2024-0519 got patched, still no clues?
1
0
4
This issue is due to a incomplete fix to CloneObjectIC that I mentioned in my reading notes: , which is used by the first v8ctf commit.
The condition function is still dog shit for now, but it works...
To those who report fuzzer crashes immediately without even looking at a single line of source code, just take a glance and your bounty will get doubled...
3
3
19
1
0
4