A critical security vulnerability identified as CVE-2024-5830 has been discovered in Chrome’s V8 JavaScript engine. The flaw, initially reported in May 2024 as bug 342456991.
The vulnerability is a type confusion bug that allows an attacker to execute arbitrary code within the Chrome renderer sandbox by simply getting a victim to visit a malicious website.
A type confusion bug within the V8 engine’s handling of object maps and transitions. Maps, or hidden classes, define the memory layout of objects and optimize property access.
A flaw in the map transition process can lead to incorrect handling of object properties, resulting in a deprecated map being unexpectedly updated to a dictionary map. This discrepancy can cause out-of-bounds (OOB) access, leading to potential exploitation.
Today, Man Yue Mo, a security researcher from the GitHub Security Lab, published a technical write-up; the vulnerability is triggered when V8 attempts to update the map (hidden class) of an object that has become deprecated due to type changes in the object’s properties.
In certain scenarios, this map update unexpectedly results in the object becoming a “dictionary” type rather than a “fast” type.This causes type confusion, as code that subsequently uses the updated map assumes it is dealing with a fast object, while in reality it is operating on a dictionary object.
An attacker can exploit this confusion to corrupt the internal fields of the dictionary object by carefully manipulating the object properties and layout in JavaScript.
Gaining Arbitrary Read/Write in V8 Heap
The researcher was able to leverage this corruption to construct a fake object within the V8 heap by then triggering a function that attempts to migrate the corrupted dictionary object back to a fast type, the fake object can be referenced, leading to out-of-bounds access to the fake object’s elements.
Using techniques to groom the heap memory layout and predict object addresses, this out-of-bounds access could be turned into an arbitrary read-and-write primitive within the V8 heap.
This is a powerful capability that allows the attacker to corrupt and manipulate objects and data structures inside the JavaScript engine.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
Escaping the V8 Heap Sandbox
Modern versions of V8 employ a “heap sandbox” that isolates the JavaScript heap from other memory regions in the browser process, such as executable code pages.
This makes achieving code execution more challenging, even with an arbitrary read/write bug in the V8 heap.
However, the researcher found a way to bypass the heap sandbox by exploiting the interaction between V8 and Blink, the rendering engine of Chrome.
By corrupting “API objects” that serve as wrappers in V8 for DOM objects allocated by Blink, the researcher was able to cause type confusion in the Blink objects themselves.
In particular, by treating a DOMRect object as a DOMTypedArray, the researcher overwrote the typed array’s backing store pointer.
This provided an arbitrary read/write primitive to the entire Chrome renderer process memory, outside the V8 sandbox.
From there, well-known techniques could be used to locate and corrupt function pointers or JIT-compiled code to gain execution of arbitrary native code.
CVE-2024-5830 – Patch
Google has patched this vulnerability in V8 and released fixed versions of Chrome in late July 2024. The researcher praised Google for their quick response and professional issue handling.
This vulnerability is notable for its severity and the novel techniques demonstrated to escape Chrome’s heap isolation mechanisms.
It underscores the ongoing security challenges in complex codebases like web browsers and the importance of continuing research into hardening and mitigation techniques.
Easily analyze emerging malware with ANY.RUN interactive online sandbox - Try 14 Days Free Trial