GHSL-2024-070: Remote Code Execution (RCE) in Chromium – CVE-2024-3833

Coordinated Disclosure Timeline

  • 2024-03-27: Issue reported to Chromium security team as 331383939
    2024 年 3 月 27 日:向 Chromium 安全团队报告的问题为 331383939
  • 2024-04-16: Issue fixed in version 124.0.6367.60/.61 as CVE-2024-3833
    2024 年 4 月 16 日:在版本 124.0.6367.60/.61 中作为 CVE-2024-3833 修复的问题

Summary 总结

Opening a malicious website in affected versions of Chrome can lead to object corruption that can be exploited to gain code execution in Chrome’s renderer.
在受影响的 Chrome 版本中打开恶意网站可能会导致对象损坏,可利用这些损坏在 Chrome 渲染器中执行代码。

Project 项目


Tested Version 测试版本

Chromium version 123.0.6312.58
Chromium 版本 123.0.6312.58


JS object corruption in WasmJs::InstallTypeReflection (GHSL-2024-070)
WasmJs::InstallTypeReflection 中的 JS 对象损坏 ( GHSL-2024-070 )

In InstallConditionalFeatures, a check is in place to check that the WebAssembly object does not contain the Function property to avoid adding duplicate properties in the object:
在 InstallConditionalFeatures 中,检查 WebAssembly 对象是否不包含该 Function 属性,以避免在对象中添加重复的属性:

void WasmJs::InstallConditionalFeatures(Isolate* isolate,
                                        Handle<NativeContext> context) {
    // Install Wasm type reflection features (if not already done).
    Handle<String> function_string = v8_str(isolate, "Function");
    if (!JSObject::HasRealNamedProperty(isolate, webassembly, function_string)
             .FromMaybe(true)) {
      InstallTypeReflection(isolate, context);

However, InstallTypeReflection also adds properties in various other objects, and those are not checked:
但是, InstallTypeReflection 还会在各种其他对象中添加属性,并且这些属性不会被选中:

void WasmJs::InstallTypeReflection(Isolate* isolate,
                                   Handle<NativeContext> context) {
  Handle<JSObject> webassembly(context->wasm_webassembly_object(), isolate);

  handle(JSObject::cast(context->Name()->instance_prototype()), isolate)
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_table_constructor), "type",
              WebAssemblyTableType, 0, false, NONE,
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_memory_constructor), "type",
              WebAssemblyMemoryType, 0, false, NONE,
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_global_constructor), "type",
              WebAssemblyGlobalType, 0, false, NONE,
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_tag_constructor), "type",
              WebAssemblyTagType, 0);

In the above, the type property is added to the prototype of wasm_table_constructor etc., without checking that the properties already exists. This leads to issues like 40056206 where duplicate properties are installed on objects.
在上面, type 该属性被添加到 prototype of wasm_table_constructor 等中,而不检查这些属性是否已存在。这会导致在对象上安装重复属性的40056206等问题。

Impact 冲击

This issue can be exploited to gain RCE in Chrome renderer.
可利用此问题在 Chrome 渲染器中获取 RCE。


  • CVE-2024-3833

Credit 信用

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
此问题由 GHSL 团队成员 @m-y-mo (Man Yue Mo) 发现并报告。

原文始发于Man Yue MoGHSL-2024-070: Remote Code Execution (RCE) in Chromium – CVE-2024-3833

版权声明:admin 发表于 2024年7月8日 下午10:53。
转载请注明:GHSL-2024-070: Remote Code Execution (RCE) in Chromium – CVE-2024-3833 | CTF导航