Vulnerability in Chrome: RCE Exploitation Through Duplicate Object Properties

In March 2024, a researcher reported two critical vulnerabilities in Chrome’s JavaScript engine, V8, classified as CVE-2024-3833 and CVE-2024-3832. Both vulnerabilities, which allowed remote code execution (RCE) when visiting a malicious site, were fixed with the update to version 124.0.6367.60/.61 of the browser.

Specifically, vulnerability CVE-2024-3833 stemmed from an object corruption flaw that allowed the creation of duplicate properties in V8 objects. This technique allowed remote code execution inside Chrome’s renderer sandbox through a single visit to a malicious site.

The researcher described how new features in Chrome are sometimes implemented as origin trial features before being made available to the general public. Web developers can sign up to test these features on their sites and provide feedback to Chrome. However, this process carries inherent security risks. A previous example of a similar vulnerability involved the handling of WebAssembly exceptions, reported as CVE-2021-30561. In that case, a type confusion could occur when creating duplicate exception properties in WebAssembly, also allowing for arbitrary code execution.

The new flaw, CVE-2024-3833, involved the integration of JavaScript promises into WebAssembly as an origin trial feature. The researcher outlined a method for generating duplicate properties in WebAssembly objects using this promises integration, similar to the mechanism exploited in CVE-2021-30561. By changing the global WebAssembly variable to a different object and then activating the origin trial, an object with duplicate properties could be created.

The researcher also explained how a previous hardening patch had prevented the direct creation of fast objects with duplicate properties. However, they detailed how they could leverage the flaw to create dictionary objects with duplicate properties and then turn them into fast objects.

Exploiting the vulnerability could result in an out-of-bounds (OOB) write to the PropertyArray of a specific V8 object. This type of OOB write allows the reconfiguration of objects in V8’s memory, potentially leading to type confusion and providing out-of-bounds access.

Finally, the researcher noted that although V8 now has a memory sandbox that isolates the V8 heap from the rest of the process memory, they were able to bypass this security measure. They manipulated the table of imported functions in WebAssembly instances to redirect execution to controlled memory locations, thus achieving arbitrary code execution.

This set of vulnerabilities highlights the risks and complexities involved in the implementation and testing of new browser features, underscoring the importance of security during software development.

Referrer: MiMub in Spanish
