Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on a suite of specialized tools to analyze and weaponize the flaw.

This vulnerability stemmed from improper side-effect modeling in TurboFan’s JSCreateObject operation, allowing attackers to corrupt memory via redundancy elimination during JIT compilation. Below are key tools and techniques used in its exploitation:

1. d8 (V8 Debug Shell)

The d8 shell is essential for testing JavaScript execution in V8. It enables direct interaction with V8’s internals, such as triggering JIT optimizations and inspecting objects via commands like %DebugPrint and %OptimizeFunctionOnNextCall (both require d8 to be started with --allow-natives-syntax).

Researchers used d8 to validate the bug, generate proof-of-concept (PoC) scripts, and observe memory layout changes after triggering the type confusion.

2. Turbolizer

Turbolizer, a visualization tool for V8’s TurboFan compiler, was critical for analyzing intermediate representation (IR) graphs.

By running V8 with the --trace-turbo flag, researchers exported optimization phases to identify where CheckMap nodes were erroneously eliminated, confirming the root cause of the vulnerability.

3. WinDbg

For low-level memory inspection and debugging on Windows, WinDbg was used to:

  • Examine heap structures (e.g., FixedArray vs. NameDictionary).
  • Validate object addresses and pointer tagging.
  • Trace WebAssembly (Wasm) RWX memory regions for shellcode injection.

4. Patch Gapping via Git

Reverse-engineering the fix commit (52a9e67) in V8’s Git history revealed the flawed kNoWrite flag.
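The two passages above (the erroneously eliminated CheckMap nodes seen in Turbolizer, and the kNoWrite flag found in the fix commit) describe one mechanism: a redundancy-elimination pass trusts an operator's declared side effects, so an operator wrongly marked as non-writing lets an earlier map check be reused after the object's map has actually changed. The following is an added illustration written for this page, not V8 or TurboFan code: a toy linear-sequence model of that pass. The node shapes, the flag value, the operator table and the map names are assumptions made for the example; real TurboFan works on a sea-of-nodes graph with effect chains rather than a flat list.

```javascript
// Added toy model of redundancy elimination over a linear sequence of IR nodes.
// Assumed node shapes (not V8's real node format):
//   { op: "CheckMap",       obj: "o", map: "FastPropertiesMap" }
//   { op: "JSCreateObject", obj: "o" }            // may change o's map
//   { op: "LoadField",      obj: "o", field: "x" }
// Each operator carries property flags. kNoWrite (assumed value) declares that
// the operator cannot change observable object state, so map facts learned
// before it stay valid after it.
const kNoWrite = 1 << 0;

function eliminateRedundantChecks(nodes, opFlags) {
  // knownMaps: obj -> map proven by an earlier CheckMap that is still valid
  let knownMaps = new Map();
  const out = [];
  for (const n of nodes) {
    if (n.op === "CheckMap") {
      if (knownMaps.get(n.obj) === n.map) {
        continue; // redundant: this object was already checked against this map
      }
      knownMaps.set(n.obj, n.map);
      out.push(n);
      continue;
    }
    out.push(n);
    const flags = opFlags[n.op] ?? 0;
    if ((flags & kNoWrite) === 0) {
      // operator may write: every map fact learned so far is now untrusted
      knownMaps = new Map();
    }
  }
  return out;
}

// Constructed input: a map check, a load, an object creation that (in the
// model) can transition o's map, then a second check and load on o.
const program = [
  { op: "CheckMap",       obj: "o", map: "FastPropertiesMap" },
  { op: "LoadField",      obj: "o", field: "x" },
  { op: "JSCreateObject", obj: "o" },
  { op: "CheckMap",       obj: "o", map: "FastPropertiesMap" },
  { op: "LoadField",      obj: "o", field: "y" },
];

// Flawed table: JSCreateObject claims it never writes (the bug the page describes).
const buggyFlags = { CheckMap: kNoWrite, LoadField: kNoWrite, JSCreateObject: kNoWrite };
// Corrected table: JSCreateObject is treated as a possible write, so it acts
// as a barrier and the second CheckMap survives.
const fixedFlags = { CheckMap: kNoWrite, LoadField: kNoWrite, JSCreateObject: 0 };

function countCheckMaps(nodes) {
  return nodes.filter((n) => n.op === "CheckMap").length;
}

console.log("CheckMaps kept with flawed flags:   ",
  countCheckMaps(eliminateRedundantChecks(program, buggyFlags)));   // 1
console.log("CheckMaps kept with corrected flags:",
  countCheckMaps(eliminateRedundantChecks(program, fixedFlags)));   // 2
```

The model shows the defender-relevant point: the second LoadField is only safe if the CheckMap guarding it survives, and whether it survives depends entirely on the side-effect declaration of the intervening operator. Reviewing such flag tables (and diffing them against the fix commit) is the same check a reviewer of the real compiler would apply.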

Researchers checked out the vulnerable commit (568979f) and rebuilt V8 using Visual Studio 2019 with legacy SDKs to replicate the 2018 environment.

5. Exploit Primitives: addrOf and fakeObj

These primitives were crafted using type confusion:

  • addrOf leaks object addresses by forcing V8 to misinterpret a pointer as a double.
  • fakeObj writes controlled data to specific memory locations by corrupting property arrays.

6. WebAssembly (Wasm)

To bypass NX protections, researchers compiled a Wasm module to generate RWX memory. By leaking the Wasm instance’s jump_table_start address and overwriting it with shellcode (via ArrayBuffer corruption), arbitrary code execution was achieved.

7. Build Tools

  • GN/Ninja: Configured V8 builds.
  • Visual Studio: Compiled patched V8 versions with debug symbols.

The exploitation of CVE-2018-17463 highlights the interplay of compiler analysis, memory manipulation, and environment replication.

Tools like d8, Turbolizer, and WinDbg provided visibility into V8’s internals, while patch gapping and Wasm abuse demonstrated advanced browser exploitation techniques.

Mastery of these tools is crucial for both offensive research and defensive hardening of JavaScript engines.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
