The Hat Trick: Exploit Chrome Twice from Runtime to JIT

Exploit Chrome twice from runtime to JIT: a complex vulnerability in V8 JavaScript engine, involving promise.any and Maglev graph, allowing remote code execution.

Key takeaways
  • V8 JavaScript engine has a complex architecture and is prone to exploitation due to its flexibility.
  • A vulnerability in the V8 runtime environment was discovered, allowing for remote code execution.
  • The vulnerability is related to the incorrect implementation of the new JavaScript engine in the V8 runtime environment.
  • The Maglev graph is a compilation mechanism in V8 that generates optimized code.
  • The promise.any function is used to handle a collection of promises, and it has a vulnerability that allows for out-of-bound operations.
  • The promise.any function does not use undefined as a placeholder when iterating over new inputs, which can lead to performance overhead.
  • The vulnerability is exploited by manipulating the heap layout and using garbage collection to manipulate the heap space efficiently.
  • The vulnerability is related to the float_box node, which can lead to performance overhead.
  • The exploit uses a combination of promise.any and Maglev to achieve remote code execution.
  • The vulnerability is difficult to detect because it relies on a specific scenario and requires special attention.
  • The vulnerability was demonstrated in a proof-of-concept code.
  • The vulnerability is related to the errors array, which is used to store values that are not null or undefined.
  • The error handling in promise.any is not properly implemented, which allows for exploitation.
  • The vulnerability is related to the way promise.any handles rejected promises, which allows for out-of-bound operations.
  • The vulnerability can be exploited by using a combination of promise.any and Maglev to achieve remote code execution.
  • The vulnerability is difficult to detect because it relies on a specific scenario and requires special attention.
  • The vulnerability was demonstrated in a proof-of-concept code, which shows how to exploit the vulnerability.
  • The vulnerability is related to the garbage collector, which can lead to memory corruption.
  • The exploit uses a combination of promise.any and Maglev to achieve remote code execution.

More talks

How hacking works - Web edition - Espen Sande-Larsen - NDC London 2024

SAINTCON 2024 - Day 3 - Livestream

SAINTCON 2023 - Morgan Thomas - Becoming A Space Pirate

A Glimpse Into The Protocol: Fuzz Windows RDP Client For Fun And Profit

Over the Air, Under the Radar: Attacking and Securing the Pixel Modem

Listening as Leadership: Inclusive and Equitable Practices that Strengthen Diverse Teams

The Hole in Sandbox: Escape Modern Web-Based App Sandbox From Site-Isolation Perspective

Chris Laffra - PyScript - Python in the browser