Full Disclosure mailing list archives

SSD Advisory – Chrome Turbofan Remote Code Execution
From: Maor Shwartz <maors () beyondsecurity com>
Date: Wed, 16 Aug 2017 10:34:02 +0300

SSD Advisory – Chrome Turbofan Remote Code Execution

Full report: https://blogs.securiteam.com/index.php/archives/3379
Twitter account: @SecuriTeam_SSD <https://twitter.com/SecuriTeam_SSD>

Vulnerability Summary

The following advisory describes a type confusion vulnerability in Chrome browser version 59 that leads to remote code execution.

Chrome browser is affected by a type confusion vulnerability. The vulnerability results from an incorrect optimization by the TurboFan compiler, which confuses access to an object array with access to a value array. As a result, objects can be read as if they were values (thereby disclosing their in-memory addresses) or, conversely, values can be written into an object array, making it possible to fake objects completely.

Credit

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

Google was informed of the vulnerability, and a ticket has been opened:
https://bugs.chromium.org/p/chromium/issues/detail?id=746946. Because the vulnerability stopped working in Chrome 60, Google has no plan to address it with a security advisory or patch.
--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Attachment: SSD Advisory – Chrome Turbofan Remote Code Execution – SecuriTeam Blogs.pdf