Menu

Improved exploit search engine. Try it out

"Google Chrome < M72 - FileWriterImpl Use-After-Free"

Author

"Google Security Research"

Platform

multiple

Release date

2019-03-01

Release Date Title Type Platform Author
2019-04-22 "ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-04-22 "Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)" dos multiple "Bogdan Kurinnoy"
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
2019-04-18 "Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)" dos multiple "Fakhri Zulkifli"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-09 "Apache Axis 1.4 - Remote Code Execution" remote multiple "David Yesland"
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "WebKitGTK+ - 'ThreadedCompositor' Race Condition" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check" dos multiple "Google Security Research"
2019-04-03 "iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)" dos multiple "Google Security Research"
2019-03-28 "Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)" remote multiple Metasploit
2019-03-26 "Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR" dos multiple "Google Security Research"
2019-03-26 "Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow" dos multiple xuechiyaobai
2019-03-25 "Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting" webapps multiple "Ozer Goker"
2019-03-21 "Rails 5.2.1 - Arbitrary File Content Disclosure" webapps multiple NotoriousRebel
2019-03-19 "Google Chrome < M73 - FileSystemOperationRunner Use-After-Free" dos multiple "Google Security Research"
2019-03-19 "Google Chrome < M73 - MidiManagerWin Use-After-Free" dos multiple "Google Security Research"
2019-03-19 "Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter" dos multiple "Google Security Research"
2019-03-19 "Google Chrome < M73 - Double-Destruction Race in StoragePartitionService" dos multiple "Google Security Research"
2019-03-18 "BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)" remote multiple Metasploit
2019-03-15 "NetData 1.13.0 - HTML Injection" webapps multiple s4vitar
2019-03-14 "Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution" remote multiple sud0woodo
Release Date Title Type Platform Author
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV LuafvCopyShortName Arbitrary Short Name Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cross Process Handle Duplication Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation" local windows "Google Security Research"
2019-04-16 "Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation" local windows "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "WebKitGTK+ - 'ThreadedCompositor' Race Condition" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check" dos multiple "Google Security Research"
2019-04-03 "iOS < 12.2 / macOS < 10.14.4 XNU - pidversion Increment During execve is Unsafe" dos multiple "Google Security Research"
2019-04-03 "WebKit JavaScriptCore - 'createRegExpMatchesArray' Type Confusion" dos multiple "Google Security Research"
2019-04-03 "SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)" dos multiple "Google Security Research"
2019-03-28 "gnutls 3.6.6 - 'verify_crt()' Use-After-Free" dos linux "Google Security Research"
2019-03-26 "Spidermonkey - IonMonkey Type Inference is Incorrect for Constructors Entered via OSR" dos multiple "Google Security Research"
2019-03-25 "VMware Workstation 14.1.5 / VMware Player 15 - Host VMX Process COM Class Hijack Privilege Escalation" local windows "Google Security Research"
2019-03-25 "VMware Workstation 14.1.5 / VMware Player 15.0.2 - Host VMX Process Impersonation Hijack Privilege Escalation" local windows "Google Security Research"
2019-03-22 "snap - seccomp BBlacklist for TIOCSTI can be Circumvented" dos linux "Google Security Research"
2019-03-19 "Google Chrome < M73 - FileSystemOperationRunner Use-After-Free" dos multiple "Google Security Research"
2019-03-19 "Google Chrome < M73 - MidiManagerWin Use-After-Free" dos multiple "Google Security Research"
2019-03-19 "Microsoft Edge - Flash click2play Bypass with CObjectElement::FinalCreateObject" dos windows "Google Security Research"
2019-03-19 "Microsoft VBScript - VbsErase Memory Corruption" dos windows "Google Security Research"
2019-03-19 "Microsoft Internet Explorer 11 - VBScript Execution Policy Bypass in MSHTML" dos windows "Google Security Research"
2019-03-19 "Google Chrome < M73 - Data Race in ExtensionsGuestViewMessageFilter" dos multiple "Google Security Research"
2019-03-19 "Google Chrome < M73 - Double-Destruction Race in StoragePartitionService" dos multiple "Google Security Research"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46475/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46475/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46475/40930/google-chrome-m72-filewriterimpl-use-after-free/download/", "exploit_id": "46475", "exploit_description": "\"Google Chrome < M72 - FileWriterImpl Use-After-Free\"", "exploit_date": "2019-03-01", "exploit_author": "\"Google Security Research\"", "exploit_type": "dos", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
There's a use-after-free in the implementation of the FileWriter component of the mojo bindings for the filesystem API.

The browser-process side of this API is defined in https://cs.chromium.org/chromium/src/third_party/blink/public/mojom/filesystem/file_writer.mojom?type=cs&sq=package:chromium&g=0

The method we are interested in is the Write method - this takes a parameter of type blink.mojom.Blob. The implementation of this method is as follows:

void FileWriterImpl::Write(uint64_t position,
                           blink::mojom::BlobPtr blob,
                           WriteCallback callback) {
  blob_context_->GetBlobDataFromBlobPtr(
      std::move(blob),
      base::BindOnce(&FileWriterImpl::DoWrite, base::Unretained(this),
                     std::move(callback), position));
}

Note that the last argument to GetBlobDataFromBlobPtr is a callback object bound to base::Unretained(this).

And the implementation of GetBlobDataFromBlobPtr:

void BlobStorageContext::GetBlobDataFromBlobPtr(
    blink::mojom::BlobPtr blob,
    base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback) {
  DCHECK(blob);
  blink::mojom::Blob* raw_blob = blob.get();
  raw_blob->GetInternalUUID(mojo::WrapCallbackWithDefaultInvokeIfNotRun(
      base::BindOnce(
          [](blink::mojom::BlobPtr, base::WeakPtr<BlobStorageContext> context,
             base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback,
             const std::string& uuid) {
            if (!context || uuid.empty()) {
              std::move(callback).Run(nullptr);
              return;
            }
            std::move(callback).Run(context->GetBlobDataFromUUID(uuid));
          },
          std::move(blob), AsWeakPtr(), std::move(callback)),
      ""));
}

However, the call to GetInternalUUID is a mojo interface method; and if the renderer instead of providing a handle to a browser-process-hosted Blob object instead provides a handle to a renderer-hosted Blob implementation, then during this call into the renderer we can destroy the renderer handle to the FileWriter, triggering the immediate destruction of the FileWriterImpl. When the callback is then subsequently called after GetInternalUUID returns, the base::Unretained reference to the stale object will be used.


To reproduce you need a local build of chrome; run the attached script 

$ python ./copy_mojo_js_bindings.py /path/to/chrome/.../out/Asan/gen
$ python -m SimpleHTTPServer&
$ out/Asan/chrome --enable-blink-features=MojoJS --user-data-dir=/tmp/nonexist 'http://localhost:8000/file_writer.html' 

Note that this is *not* a renderer bug; it's a browser process bug that's reachable from the renderer. The attached poc is using the MojoJS bindings to trigger the issue, but a compromised renderer could perform the same actions without any special settings.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46475.zip