Title: CVE-2024-4761 漏洞分析与过程记录 · Issue #2 · hatereloading/hatereloading.github.io · GitHub
Open Graph Title: CVE-2024-4761 漏洞分析与过程记录 · Issue #2 · hatereloading/hatereloading.github.io
X Title: CVE-2024-4761 漏洞分析与过程记录 · Issue #2 · hatereloading/hatereloading.github.io
Description: author: @relooadin / X 2024-06-03 17:09:52 Shout out to @buptsb and @mistymntncop for their brilliant work. 漏洞信息 Chrome Releases: Stable Channel Update for Desktop (googleblog.com) CVE-2024-4761是V8越界写入漏洞,攻击者可以通过构造恶意代码达成渲染进程RCE(沙箱内)。谷歌在发布...
Open Graph Description: author: @relooadin / X 2024-06-03 17:09:52 Shout out to @buptsb and @mistymntncop for their brilliant work. 漏洞信息 Chrome Releases: Stable Channel Update for Desktop (googleblog.com) CVE-2024-4761是V8...
X Description: author: @relooadin / X 2024-06-03 17:09:52 Shout out to @buptsb and @mistymntncop for their brilliant work. 漏洞信息 Chrome Releases: Stable Channel Update for Desktop (googleblog.com) CVE-2024-4761是V8...
Opengraph URL: https://github.com/hatereloading/hatereloading.github.io/issues/2
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"CVE-2024-4761 漏洞分析与过程记录","articleBody":"author: [@relooadin / X](https://x.com/relooadin)\r\n2024-06-03 17:09:52\r\n**Shout out to [@buptsb](https://x.com/buptsb) and [@mistymntncop](https://x.com/mistymntncop) for their brilliant work.**\r\n\r\n# 漏洞信息\r\n[Chrome Releases: Stable Channel Update for Desktop (googleblog.com)](https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html)\r\nCVE-2024-4761是V8越界写入漏洞,攻击者可以通过构造恶意代码达成渲染进程RCE(沙箱内)。谷歌在发布的Chrome版本 124.0.6367.207 中修复了该漏洞。\r\ncommit:`[wasm-gc] Only normalize JSObject targets in SetOrCopyDataProperties`\r\n[[wasm-gc] Only normalize JSObject targets in SetOrCopyDataProperties (5527397) · Gerrit Code Review (googlesource.com)](https://chromium-review.googlesource.com/c/v8/v8/+/5527397)\r\n\r\n根据补丁信息及X上已公开的POC (作者: @buptdsb)可知,该漏洞是由 `SetOrCopyDataProperties` 函数在转换属性存储模式过程中校验不充分造成的越界写。\r\n\r\n\r\n# 关于补丁\r\n[[wasm-gc] Only normalize JSObject targets in SetOrCopyDataProperties (5527397) · Gerrit Code Review (googlesource.com)](https://chromium-review.googlesource.com/c/v8/v8/+/5527397)\r\n* 在 `JSReceiver::SetOrCopyDataProperties` 函数中\r\n* 当descriptor长度大于1020时,将快属性转化为慢属性。\r\n* 该补丁使非`JSObject`的对象无法进入泛化逻辑\r\n* 从标题来看重点针对`wasm-gc`对象\r\n\r\n简单地说就是新引入的`WasmObject` 对象不该进入`JSReceiver::SetOrCopyDataProperties`的 Normalize 逻辑。\r\n\r\n# POC分析\r\n\r\n会在这里崩溃\r\n\r\n\r\ninobject 个数计算\r\n\r\n\r\n\r\n[src/objects/map.h - v8/v8 - Git at Google (googlesource.com)](https://chromium.googlesource.com/v8/v8/+/70bd7cf0ef618621c16ae3f5ba2db614ac8ef996/src/objects/map.h)\r\n\r\n# OOB\r\ninobject被计算为4,前4个32bit被抹零,所以会进入 `GetRootForNonJSReceiver`\r\n\r\n\r\n\r\n\r\n\r\n\r\n# 重入JS\r\n在这里切回js\r\n\r\n\r\n截图来自:[CVE-2024-4761.js (github.com)](https://gist.github.com/mistymntncop/2cb449eb6aa30d35d1afd78a8b06bac2)\r\n很多与对象属性访问相关的历史漏洞(如CVE-2021-30551)都使用过“重入JS用户代码”的模式\r\n\r\n# 利用\r\n@buptsb 与 @mistymntncop 已公开利用方法:\r\n[CVE-2024-4947: v8 incorrect AccessInfo for module namespace object causes Maglev type confusion (buptsb.github.io)](https://buptsb.github.io/blog/post/CVE-2024-4947-%20v8%20incorrect%20AccessInfo%20for%20module%20namespace%20object%20causes%20Maglev%20type%20confusion.html)\r\n[CVE-2024-4761: v8 missing check of WasmObject type cast causes type confusion and OOB access (buptsb.github.io)](https://buptsb.github.io/blog/post/CVE-2024-4761-%20v8%20missing%20check%20of%20WasmObject%20type%20cast%20causes%20type%20confusion%20and%20OOB%20access.html)\r\n\r\n被清空0~0x10的wasm_array会被识别成字符串\r\n\r\n\r\ngc会把 0xf2000 00000000 当做map\r\nAs the `instance_type` is 0 for now, it’s `INTERNALIZED_TWO_BYTE_STRING_TYPE`,\r\nso we will call `CALL_APPLY(SeqTwoByteString)` to gc this object.\r\n\r\n\r\n\r\n\r\n越界写,把o.property's map覆盖为0\r\n\r\n\r\n随后GC,使 `o' property` 与 `arr1` 重叠,通过访问o的属性更改 `arr1` 的 `length`。\r\n\r\n\r\n\r\n\r\n\r\n# SeqTwoByteString \r\n双字节字符\r\n V8 的源代码中,有一个[方便查阅的列表](https://link.juejin.cn/?target=https%3A%2F%2Fgithub.com%2Fv8%2Fv8%2Fblob%2F941b945b%2Fsrc%2Fobjects%2Fobjects.h%23L134-L151 \"https://github.com/v8/v8/blob/941b945b/src/objects/objects.h#L134-L151\"),列出了它使用的所有字符串实现:\r\n 从 string.tq 一直往在追,SeqTwoByteString 的内存表示为:\r\n`map: Map | raw_hash_field: NameHash | length: int32 | chars[length]: char16`\r\n的形式\r\n\r\n**map为0的对象会被识别成 SeqTwoByteString**, 由于instance_type为0,即`*(base+8) = 0 `\r\n\r\n\r\n原因如下:[CVE-2024-4947: v8 incorrect AccessInfo for module namespace object causes Maglev type confusion (buptsb.github.io)](https://buptsb.github.io/blog/post/CVE-2024-4947-%20v8%20incorrect%20AccessInfo%20for%20module%20namespace%20object%20causes%20Maglev%20type%20confusion.html)\r\n\r\n\r\n\r\n源码参考:[string.tq - Chromium Code Search](https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/string.tq)\r\n\r\n\r\n# 总结\r\n1. wasm-gc对象在`SetOrCopyDataProperties`函数中被`normalize`时发生oob(被当做JSObject)\r\n2. 越界写的内容和范围: map_base+5 ~ map_base+4 范围内置零,对于Wasm Array,该对象后紧接着的一个32位会被越界置零。\r\n3. 利用 property array reallocates 布局内存,使一个fast property(`properties[0]=0`)紧随 Wasm Array\r\n4. 触发漏洞,**fast property 的 map被置0,利用getter重回JS用户态(避免崩溃)**\r\n5. 触发 GC ,fast property 被混淆为 `SeqTwoByteString`,可通过访问 fast property 越界写入相邻对象的内部数据。\r\n\r\n## 涉及知识点:\r\n1. fast property\r\n2. Object.assign\r\n4. normalize\r\n5. map layout\r\n7. getter / runtime call\r\n8. GC\r\n9. SeqTwoByteString\r\n\r\n其他:\r\n1. map layout 查询\r\n2. 通过 x.tq 查询对象布局\r\n3. 使用 --soft-abort 关闭 DCHECK\r\n\r\n# 完整利用\r\n需要绕过 heap sandbox\r\n具体方法可参考补丁中的回归测试文件,不赘述\r\n1. [[wasm][sandbox] Fix sandbox escapes via i32 high word (5494364) · Gerrit Code Review (googlesource.com)](https://chromium-review.googlesource.com/c/v8/v8/+/5494364)\r\n2. [[wasm][sandbox] Add WasmTrustedInstanceData::native_module (5529236) · Gerrit Code Review (googlesource.com)](https://chromium-review.googlesource.com/c/v8/v8/+/5529236)","author":{"url":"https://github.com/hatereloading","@type":"Person","name":"hatereloading"},"datePublished":"2024-08-09T09:52:00.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/2/hatereloading.github.io/issues/2"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:ddb76c07-2a7e-dc19-c6ec-b0af8038f90f |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C116:788CA:3C1DE9:52A85E:6A57CE3B |
| html-safe-nonce | 4203ab999858b0c4f568fcfabfb4dd41744be6202943f28344362eb3413b1fda |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDMTE2Ojc4OENBOjNDMURFOTo1MkE4NUU6NkE1N0NFM0IiLCJ2aXNpdG9yX2lkIjoiODIyOTgwNTA5MDcwNzg1Mjg1OSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | efdb905a5c6eb6b7bb616fe1c152f31ad713a941295b565efc990f42c69de292 |
| hovercard-subject-tag | issue:2457549709 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/hatereloading/hatereloading.github.io/2/issue_layout |
| twitter:image | https://opengraph.githubassets.com/3dffa4948ec11741f58a113449132288526628a249f8d641f0784f7bc0c20d98/hatereloading/hatereloading.github.io/issues/2 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/3dffa4948ec11741f58a113449132288526628a249f8d641f0784f7bc0c20d98/hatereloading/hatereloading.github.io/issues/2 |
| og:image:alt | author: @relooadin / X 2024-06-03 17:09:52 Shout out to @buptsb and @mistymntncop for their brilliant work. 漏洞信息 Chrome Releases: Stable Channel Update for Desktop (googleblog.com) CVE-2024-4761是V8... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | hatereloading |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5bf9f84655de1d0e9aa064cd3b2bc9703556c68ae53b94e21b872b7e9f1f7cc1 |
| turbo-cache-control | no-preview |
| go-import | github.com/hatereloading/hatereloading.github.io git https://github.com/hatereloading/hatereloading.github.io.git |
| octolytics-dimension-user_id | 85744934 |
| octolytics-dimension-user_login | hatereloading |
| octolytics-dimension-repository_id | 840244455 |
| octolytics-dimension-repository_nwo | hatereloading/hatereloading.github.io |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 840244455 |
| octolytics-dimension-repository_network_root_nwo | hatereloading/hatereloading.github.io |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | f76ee5bea8be15c2aede06f855f5c4c808f6eaf5 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width