Menu

Improved exploit search engine. Try it out

"Google Chrome < M72 - FileWriterImpl Use-After-Free"

Author

"Google Security Research"

Platform

multiple

Release date

2019-03-01

Release Date Title Type Platform Author
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-10 "Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access" dos multiple "Google Security Research"
2019-07-09 "Firefox 67.0.4 - Denial of Service" dos multiple "Tejas Ajay Naik"
2019-07-03 "Symantec DLP 15.5 MP1 - Cross-Site Scripting" webapps multiple "Chapman Schleiss"
2019-07-01 "CyberPanel 1.8.4 - Cross-Site Request Forgery" webapps multiple "Bilgi Birikim Sistemleri"
2019-07-01 "Sahi pro 8.x - Directory Traversal" webapps multiple "Alexander Bluestein"
2019-07-01 "SAP Crystal Reports - Information Disclosure" webapps multiple "Mohamed M.Fouad"
2019-07-01 "Varient 1.6.1 - SQL Injection" webapps multiple "Mehmet EMIROGLU"
2019-06-26 "Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion" dos multiple "Google Security Research"
2019-06-24 "GrandNode 4.40 - Path Traversal / Arbitrary File Download" webapps multiple "Corey Robinson"
2019-06-25 "SuperDoctor5 - 'NRPE' Remote Code Execution" remote multiple "Simon Gurney"
2019-06-18 "Sahi pro 8.x - Cross-Site Scripting" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 8.x - SQL Injection" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 7.x/8.x - Directory Traversal" webapps multiple "Goutham Madhwaraj"
2019-06-17 "RedwoodHQ 2.5.5 - Authentication Bypass" webapps multiple EthicalHCOP
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - Type Confusion" dos multiple "X41 D-Sec GmbH"
2019-06-05 "Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free" dos multiple "Google Security Research"
2019-05-28 "Phraseanet < 4.0.7 - Cross-Site Scripting" webapps multiple "Krzysztof Szulski"
2019-05-27 "Deltek Maconomy 2.2.5 - Local File Inclusion" webapps multiple JameelNabbo
2019-05-29 "Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation" dos multiple "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script" dos multiple "Google Security Research"
2019-05-22 "Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting" webapps multiple Vingroup
2019-05-22 "Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions" webapps multiple Vingroup
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-07-17 "Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME" local linux "Google Security Research"
2019-07-12 "Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation" local windows "Google Security Research"
2019-07-12 "Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Multiple Bugs in OpenType Font Handling Related to the _post_ Table" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Out-of-Bounds Read in OpenType Font Handling Due to Undefined FontName Index" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling While Processing CFF Blend DICT Operator" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readStrings" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Unbounded iFD" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow Due to Integer Overflow in readTTCDirectory" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readCharset" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readFDSelect" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readEncoding" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Incorrect Handling of blendArray" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Interpreter Stack Underflow in OpenType Font Handling Due to Missing CHKUFLOW" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Use of Uninitialized Memory While Freeing Resources in var_loadavar" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack-Based Buffer Overflow in do_set_weight_vector_cube for Large nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative nAxes" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth" dos windows "Google Security Research"
2019-07-10 "Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling due to Out-of-Bounds cubeStackDepth" dos windows "Google Security Research"
2019-07-10 "Mozilla Spidermonkey - Unboxed Objects Uninitialized Memory Access" dos multiple "Google Security Research"
2019-07-10 "Microsoft Windows - Font Subsetting DLL Heap-Based Out-of-Bounds Read in MergeFonts" dos windows "Google Security Research"
2019-06-26 "Mozilla Spidermonkey - IonMonkey 'Array.prototype.pop' Type Confusion" dos multiple "Google Security Research"
2019-06-24 "Microsoft Windows Font Cache Service - Insecure Sections Privilege Escalation" dos windows "Google Security Research"
2019-06-24 "Microsoft Windows - 'CmpAddRemoveContainerToCLFSLog' Arbitrary File/Directory Creation" dos windows "Google Security Research"
2019-06-20 "Linux - Use-After-Free via race Between modify_ldt() and #BR Exception" dos linux "Google Security Research"
2019-06-05 "Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free" dos multiple "Google Security Research"
2019-05-29 "Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL" dos android "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46475/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46475/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46475/40930/google-chrome-m72-filewriterimpl-use-after-free/download/", "exploit_id": "46475", "exploit_description": "\"Google Chrome < M72 - FileWriterImpl Use-After-Free\"", "exploit_date": "2019-03-01", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

blog comments powered by Disqus

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
There's a use-after-free in the implementation of the FileWriter component of the mojo bindings for the filesystem API.

The browser-process side of this API is defined in https://cs.chromium.org/chromium/src/third_party/blink/public/mojom/filesystem/file_writer.mojom?type=cs&sq=package:chromium&g=0

The method we are interested in is the Write method - this takes a parameter of type blink.mojom.Blob. The implementation of this method is as follows:

void FileWriterImpl::Write(uint64_t position,
                           blink::mojom::BlobPtr blob,
                           WriteCallback callback) {
  blob_context_->GetBlobDataFromBlobPtr(
      std::move(blob),
      base::BindOnce(&FileWriterImpl::DoWrite, base::Unretained(this),
                     std::move(callback), position));
}

Note that the last argument to GetBlobDataFromBlobPtr is a callback object bound to base::Unretained(this).

And the implementation of GetBlobDataFromBlobPtr:

void BlobStorageContext::GetBlobDataFromBlobPtr(
    blink::mojom::BlobPtr blob,
    base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback) {
  DCHECK(blob);
  blink::mojom::Blob* raw_blob = blob.get();
  raw_blob->GetInternalUUID(mojo::WrapCallbackWithDefaultInvokeIfNotRun(
      base::BindOnce(
          [](blink::mojom::BlobPtr, base::WeakPtr<BlobStorageContext> context,
             base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback,
             const std::string& uuid) {
            if (!context || uuid.empty()) {
              std::move(callback).Run(nullptr);
              return;
            }
            std::move(callback).Run(context->GetBlobDataFromUUID(uuid));
          },
          std::move(blob), AsWeakPtr(), std::move(callback)),
      ""));
}

However, the call to GetInternalUUID is a mojo interface method; and if the renderer instead of providing a handle to a browser-process-hosted Blob object instead provides a handle to a renderer-hosted Blob implementation, then during this call into the renderer we can destroy the renderer handle to the FileWriter, triggering the immediate destruction of the FileWriterImpl. When the callback is then subsequently called after GetInternalUUID returns, the base::Unretained reference to the stale object will be used.


To reproduce you need a local build of chrome; run the attached script 

$ python ./copy_mojo_js_bindings.py /path/to/chrome/.../out/Asan/gen
$ python -m SimpleHTTPServer&
$ out/Asan/chrome --enable-blink-features=MojoJS --user-data-dir=/tmp/nonexist 'http://localhost:8000/file_writer.html' 

Note that this is *not* a renderer bug; it's a browser process bug that's reachable from the renderer. The attached poc is using the MojoJS bindings to trigger the issue, but a compromised renderer could perform the same actions without any special settings.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46475.zip