当前位置:首页 > 报告详情

王楠与肖正航与郭学浩与戴秦润_超级帽子戏法四次利用Chrome和Firefox_WP.pdf

上传人: 张** 编号:175544 2024-09-13 30页 915.34KB

1、White Paper(Super Hat Trick:Exploit Chrome and Firefox Four Times)1White Paper(Super Hat Trick:Exploit Chrome and Firefox Four Times)BackgroundWith the widespread use of the JavaScript language,JavaScript engines are becoming increasingly feature-rich.There are various JavaScript engines,such as V8

2、used by Google Chrome and SpiderMonkey used by Firefox.From runtime support to compilation optimization,they add a lot of new code,but with it comes a bunch of hidden security issues.We have once again identified four high-risk vulnerabilities in these new implementations:one is related to a classic

3、 callback issue within the new runtime support implementations,another is related to type confusion caused by missing type checking in the compilation optimization,and BackgroundCallback issue in runtime supportBackgroundRoot cause analysisHow to exploitIncorrect Assumption on JS MapBackgroundRoot c

4、ause analysisHow to exploitInitialization Flaw in WebAssembly InstancesBackgroundRoot cause analysisHow to exploitInteger Overflow in WebAssembly JITBackgroundRoot cause analysisHow to exploitConclusionsWhite Paper(Super Hat Trick:Exploit Chrome and Firefox Four Times)2the remaining two are related

5、to wasm gc issuesimproper initialization order and integer overflow,resulting in controllable out-of-bounds read/write.Callback issue in runtime supportBackgroundThe first part is a callback issue,which is hidden in the runtime support code logic,and is related to a new Javascript proposal.Before di

6、ve deeper into the root causes of vulnerability,lets first have a brief understanding of the background knowledge.In 2015,a new data structure Set,was introduced into the Javascript,to make the developer more easier to code.However,as you can see,the functions available in this Set structure are ver

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
本文主要介绍了在Chrome和Firefox中发现的四个高风险漏洞。 1. 第一个漏洞是关于在运行时支持代码逻辑中的回调问题,与新的JavaScript提案有关。当V8尝试获取Set对象中“size”属性的值时,会触发用户定义的回调函数,但V8没有考虑到GetSetRecord函数的副作用,可能导致之前获取的指针变得过时。 2. 第二个漏洞是关于在代码优化中由于错误的假设而缺少类型检查导致的类型混淆。由于无法检测到类型转换,V8无法及时发现函数被传递了未预期的类型,从而导致类型混淆。 3. 第三个漏洞是关于WebAssembly实例初始化中的初始化缺陷。在初始化数组时,由于类型尚未初始化,所有typeDefData成员都是0,导致elementTypeSize也为0,从而导致数组总大小计算为0,允许进行越界读写。 4. 第四个漏洞是关于WebAssembly JIT中的整数溢出问题。在创建数组时,由于使用了有符号乘法溢出检查,某些特殊值可以绕过这个检查,导致数组分配时发生整数溢出。 这些漏洞的发现和利用展示了在JavaScript引擎中寻找和利用漏洞的方法,以及如何通过深入分析代码的根因来发现和利用这些漏洞。
"如何利用回调漏洞实现远程代码执行?" "如何通过类型混淆漏洞泄露V8堆地址?" "如何将数组越界读写转换为任意读写?"
客服
商务合作
小程序
服务号
折叠