Twenty Year Anniversary

Chrome Blink SpeechRecognitionController Use-After-Free

Chrome Blink SpeechRecognitionController Use-After-Free
Posted Nov 23, 2016
Authored by SkyLined

A specially crafted web-page can cause the blink rendering engine used by Google Chrome and Chromium to continue to use a speech recognition API object after the memory block that contained the object has been freed. An attacker can force the code to read a pointer from the freed memory and use this to call a function, allowing arbitrary code execution. Google Chrome version 39.0 is affected.

tags | exploit, web, arbitrary, code execution
advisories | CVE-2015-1251
MD5 | 58cecd42033cec65bf344dd36af29db5

Chrome Blink SpeechRecognitionController Use-After-Free

Change Mirror Download
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
seventeenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161123001.html. There you can find a repro
that triggered this issue, snippets from the vulnerable source and more
details in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Chrome blink SpeechRecognitionController use-after-free
=======================================================
(Chromium 455857, CVE-2015-1251)

Synopsis
--------
A specially crafted web-page can cause the blink rendering engine used
by Google Chrome and Chromium to continue to use a speech recognition
API object after the memory block that contained the object has been
freed. An attacker can force the code to read a pointer from the freed
memory and use this to call a function, allowing arbitrary code execution.

Known affected software and attack vectors
------------------------------------------
+ Google Chrome 39.0

An attacker would need to get a target user to open a specially
crafted webpage. Disabling Javascript should prevent an attacker from
triggering the vulnerable code path.

Description
-----------
Creating a `webkitSpeechRecognition` Javascript object in a popup window
before closing the popup frees a C++ object used internally by the
speech recognition API code but leaves a dangling pointer to the freed
memory in another C++ object. When the `start()` Javascript method is
called, this dangling pointer is used to try to read a function pointer
from a virtual function table and call that function. An attacker has
ample time to groom the heap between the free and re-use in order to
control the function pointer used by the code, allowing arbitrary code
execution.

Exploit
-------
An attacker looking to exploit this issue is going to want to try and
control the contents of the freed memory, before getting the code to use
the dangling pointer to call a virtual function. Doing so would allow an
attacker to execute arbitrary code. This is made possible because steps
5 and 6 can both be triggered at a time of the attackers choosing,
giving the attacker the ability to free the memory in step 5 whenever
this is convenient and attempt to reallocate and fill it with any data
before executing step 6. This should allow an attacker to create a fake
`vftable` pointer and gain arbitrary code execution. In order to develop
a working exploit, existing mitigations will need to be bypassed, most
significantly ASLR and DEP. As this vulnerability by itself does not
appear to allow bypassing these mitigations, I did not develop a working
exploit for it.

Time-line
---------
* November 2014: This vulnerability was found through fuzzing.
* December 2014: This vulnerability was submitted to ZDI and iDefense.
* January 2015: This vulnerability was acquired by ZDI.
* February 2015: This vulnerability was fixed in revision 190993.
* May 2015: This vulnerability was addressed by Google in
Chrome 43.0.2357.65.
* November 2016: Details of this issue are released.

Cheers,

SkyLined


Repro.html

<html>
<head>
<script>
oAWindow = window.open();
oAWebkitASpeechARecognition = new oAWindow.webkitASpeechARecognition();
oAWindow.close();
setAInterval(function(){
if (oAWindow.closed) {
oAWebkitASpeechARecognition.start();
}
}, 10);
</script>
</head>
</html>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    14 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close