Cyber security

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on a suite of specialized tools to analyze and weaponize the flaw.

This vulnerability stemmed from improper side-effect modeling in TurboFan’s JSCreateObject operation, allowing attackers to corrupt memory via redundancy elimination during JIT compilation. Below are key tools and techniques used in its exploitation:

1. d8 (V8 Debug Shell)

The d8 shell is essential for testing JavaScript execution in V8. It enables direct interaction with V8’s internals, such as triggering JIT optimizations and inspecting objects via commands like %DebugPrint and %OptimizeFunctionOnNextCall.

Researchers used d8 to validate the bug, generate proof-of-concept (PoC) scripts, and observe memory layout changes after triggering the type confusion.

2. Turbolizer

Turbolizer, a visualization tool for V8’s TurboFan compiler, was critical for analyzing intermediate representation (IR) graphs.

By running V8 with the --trace-turbo flag, researchers exported optimization phases to identify where CheckMap nodes were erroneously eliminated, confirming the root cause of the vulnerability.

3. WinDbg

For low-level memory inspection and debugging on Windows, WinDbg was used to:

  • Examine heap structures (e.g., FixedArray vs. NameDictionary).
  • Validate object addresses and pointer tagging.
  • Trace WebAssembly (Wasm) RWX memory regions for shellcode injection.

4. Patch Gapping via Git

Reverse-engineering the fix commit (52a9e67) in V8’s Git history revealed the flawed kNoWrite flag.

Researchers checked out the vulnerable commit (568979f) and rebuilt V8 using Visual Studio 2019 with legacy SDKs to replicate the 2018 environment.

5. Exploit Primitives: addrOf And fakeObj

These primitives were crafted using type confusion:

  • addrOf leaks object addresses by forcing V8 to misinterpret a pointer as a double.
  • fakeObj writes controlled data to specific memory locations by corrupting property arrays.

6. WebAssembly (Wasm)

To bypass NX protections, researchers compiled a Wasm module to generate RWX memory. By leaking the Wasm instance’s jump_table_start address and overwriting it with shellcode (via ArrayBuffer corruption), arbitrary code execution was achieved.

7. Build Tools

  • GN/Ninja: Configured V8 builds.
  • Visual Studio: Compiled patched V8 versions with debug symbols.

The exploitation of CVE-2018-17463 highlights the interplay of compiler analysis, memory manipulation, and environment replication.

Tools like d8, Turbolizer, and WinDbg provided visibility into V8’s internals, while patch gapping and Wasm abuse demonstrated advanced browser exploitation techniques.

Mastery of these tools is crucial for both offensive research and defensive hardening of JavaScript engines.1

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

49 minutes ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

3 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

4 hours ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

4 hours ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

4 hours ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

1 day ago