CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary code by exploiting improper side-effect modeling in TurboFan’s JSCreateObject operation.

This analysis highlights the tools and methodologies used to exploit this vulnerability.

1. Environment Setup And Debugging Tools

  • V8’s d8 Shell: The exploit relied on Chrome’s d8 debug shell to test JavaScript snippets, inspect object memory layouts, and trigger JIT optimizations.
    • Flags like --allow-natives-syntax enabled runtime functions (e.g., %DebugPrint) to analyze object maps and properties.
  • Turbolizer: This visualization tool mapped TurboFan’s intermediate representation (IR) during optimization phases. It helped identify redundant CheckMap node elimination, which led to type confusion.

2. Memory Analysis And Primitive Development

  • WinDbg: Critical for low-level debugging, WinDbg inspected heap objects (e.g., FixedArray vs. NameDictionary) to validate memory corruption.
    • Breakpoints on V8 runtime functions (e.g., Runtime_DebugPrint) tracked object transitions during Object.create operations.
  • addrOf and fakeObj Primitives:
    • addrOf: Leaked object addresses by confusing a property’s double value with an object pointer.
    • fakeObj: Wrote controlled data to memory by exploiting overlapping properties in optimized code.
      These primitives used Float64Array and BigUint64Array to convert between doubles and 64-bit integers.

3. Gaining Arbitrary Read/Write

  • ArrayBuffer Corruption: By corrupting an ArrayBuffer’s backing_store pointer, attackers redirected memory accesses. A second ArrayBuffer allowed arbitrary read/write via TypedArray views, enabling manipulation of V8 heap structures.

4. Bypassing NX With WebAssembly

  • WebAssembly (Wasm): A Wasm instance’s RWX (read-write-execute) memory region was leveraged to execute shellcode. The exploit:
    1. Leaked the Wasm instance’s jump table address via memory.read64.
    2. Wrote shellcode (e.g., a calc.exe payload) into the RWX region using memory.write.
    3. Invoked the Wasm function to trigger execution.

5. Patch-Gapping And Mitigation Evasion

The exploit demonstrated patch-gapping—using public vulnerability details to target unpatched systems. Tools like git analyzed V8’s source history to reverse-engineer fixes and identify trigger conditions.

Exploiting CVE-2018-17463 required a blend of compiler analysis (Turbolizer), memory forensics (WinDbg), and precise control over V8’s heap (via addrOf/fakeObj).

WebAssembly’s RWX regions provided the final code execution vector. This case underscores the importance of side-effect modeling in JIT compilers and the role of memory-safe languages in mitigating such issues.

For defenders, tools like V8’s sandbox and pointer compression (later mitigations) highlight ongoing efforts to harden browser engines against similar exploits.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here