Exploitation Tools

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary code by exploiting improper side-effect modeling in TurboFan’s JSCreateObject operation.

This analysis highlights the tools and methodologies used to exploit this vulnerability.

1. Environment Setup And Debugging Tools

  • V8’s d8 Shell: The exploit relied on Chrome’s d8 debug shell to test JavaScript snippets, inspect object memory layouts, and trigger JIT optimizations.
    • Flags like --allow-natives-syntax enabled runtime functions (e.g., %DebugPrint) to analyze object maps and properties.
  • Turbolizer: This visualization tool mapped TurboFan’s intermediate representation (IR) during optimization phases. It helped identify redundant CheckMap node elimination, which led to type confusion.

2. Memory Analysis And Primitive Development

  • WinDbg: Critical for low-level debugging, WinDbg inspected heap objects (e.g., FixedArray vs. NameDictionary) to validate memory corruption.
    • Breakpoints on V8 runtime functions (e.g., Runtime_DebugPrint) tracked object transitions during Object.create operations.
  • addrOf and fakeObj Primitives:
    • addrOf: Leaked object addresses by confusing a property’s double value with an object pointer.
    • fakeObj: Wrote controlled data to memory by exploiting overlapping properties in optimized code.
      These primitives used Float64Array and BigUint64Array to convert between doubles and 64-bit integers.

3. Gaining Arbitrary Read/Write

  • ArrayBuffer Corruption: By corrupting an ArrayBuffer’s backing_store pointer, attackers redirected memory accesses. A second ArrayBuffer allowed arbitrary read/write via TypedArray views, enabling manipulation of V8 heap structures.

4. Bypassing NX With WebAssembly

  • WebAssembly (Wasm): A Wasm instance’s RWX (read-write-execute) memory region was leveraged to execute shellcode. The exploit:
    1. Leaked the Wasm instance’s jump table address via memory.read64.
    2. Wrote shellcode (e.g., a calc.exe payload) into the RWX region using memory.write.
    3. Invoked the Wasm function to trigger execution.

5. Patch-Gapping And Mitigation Evasion

The exploit demonstrated patch-gapping—using public vulnerability details to target unpatched systems. Tools like git analyzed V8’s source history to reverse-engineer fixes and identify trigger conditions.

Exploiting CVE-2018-17463 required a blend of compiler analysis (Turbolizer), memory forensics (WinDbg), and precise control over V8’s heap (via addrOf/fakeObj).

WebAssembly’s RWX regions provided the final code execution vector. This case underscores the importance of side-effect modeling in JIT compilers and the role of memory-safe languages in mitigating such issues.

For defenders, tools like V8’s sandbox and pointer compression (later mitigations) highlight ongoing efforts to harden browser engines against similar exploits.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

4 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

6 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

8 hours ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

8 hours ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

8 hours ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

1 day ago