This whitepaper goes into detail on how to leverage a Chrome Browser use-after-free vulnerability in FileReader with Metasploit.
426daf836d595f934234e05cd94b8dc830e5e8415fdebf4f297113f87753387cThis exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from Javascript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.
60039dc761905e4a2ed93286404ec19777dfd73ef434ef8a80431ab28e2ebbc1Gentoo Linux Security Advisory 201903-23 - Multiple vulnerabilities have been found in Chromium, the worst of which could result in the remote execution of code. Versions less than 73.0.3683.75 are affected.
0d758e392119bc08e7cd6fc9d8eb0febf9dc6149e7e5fd26f8a4b2a5e96d918fDebian Linux Security Advisory 4404-1 - Clement Lecigne discovered a use-after-free issue in chromium's file reader implementation. A maliciously crafted file could be used to remotely execute arbitrary code because of this problem.
8f90590a0d9134bb918684d8b431f13960f3247bb429356abdc11b14c5ef01a5Red Hat Security Advisory 2019-0481-01 - Chromium is an open-source web browser, powered by WebKit. This update upgrades Chromium to version 72.0.3626.121. Issues addressed include a use-after-free vulnerability.
3945ba5b4ef3b8be100a9c3e58657eb27ff509e67c2daf8e5c77aa7cae009bcb
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed