Coordinated Disclosure Timeline
- 2024-03-27: Issue reported to Chromium security team as 331383939
- 2024-04-16: Issue fixed in version 124.0.6367.60/.61 as CVE-2024-3833
Summary
Opening a malicious website in affected versions of Chrome can lead to object corruption that can be exploited to gain code execution in Chrome’s renderer.
Project
Chromium
Tested Version
Chromium version 123.0.6312.58
Details
JS object corruption in WasmJs::InstallTypeReflection (GHSL-2024-070)
In InstallConditionalFeatures, a check ensures that the WebAssembly object does not already contain the Function property, so that the properties are not installed twice on that object:
void WasmJs::InstallConditionalFeatures(Isolate* isolate,
                                        Handle<NativeContext> context) {
  ...
  // Install Wasm type reflection features (if not already done).
  Handle<String> function_string = v8_str(isolate, "Function");
  if (!JSObject::HasRealNamedProperty(isolate, webassembly, function_string)
           .FromMaybe(true)) {
    InstallTypeReflection(isolate, context);
  }
  }
}
However, InstallTypeReflection also adds properties on various other objects, and those are not checked:
void WasmJs::InstallTypeReflection(Isolate* isolate,
                                   Handle<NativeContext> context) {
  Handle<JSObject> webassembly(context->wasm_webassembly_object(), isolate);
#define INSTANCE_PROTO_HANDLE(Name) \
  handle(JSObject::cast(context->Name()->instance_prototype()), isolate)
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_table_constructor), "type",
              WebAssemblyTableType, 0, false, NONE,
              SideEffectType::kHasNoSideEffect);
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_memory_constructor), "type",
              WebAssemblyMemoryType, 0, false, NONE,
              SideEffectType::kHasNoSideEffect);
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_global_constructor), "type",
              WebAssemblyGlobalType, 0, false, NONE,
              SideEffectType::kHasNoSideEffect);
  InstallFunc(isolate, INSTANCE_PROTO_HANDLE(wasm_tag_constructor), "type",
              WebAssemblyTagType, 0);
#undef INSTANCE_PROTO_HANDLE
  ...
In the above, the type property is added to the prototype of wasm_table_constructor and the other constructors without checking whether the property already exists on each of them. The only guard is the Function check on the WebAssembly object itself, so if that single property is absent while the prototypes already carry type, the install runs again and duplicate properties are added. This leads to issues like 40056206, where duplicate properties are installed on objects.
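The guard defect, modelled as an added example that is neither V8 source nor part of this advisory: objects are reduced to descriptor lists, the Context members (table_proto and so on) are assumed stand-ins for the native context's prototypes, and the scenario assumes the WebAssembly.Function sentinel is absent on a second install while the prototypes already carry type. The hardened variant checks every target it writes to instead of one sentinel.

```cpp
// Constructed model of the guard defect described above; not V8 source.
#include <string>
#include <utility>
#include <vector>
// A JS object modelled as an ordered descriptor list; the engine's invariant
// is that each name appears at most once, which a blind append can break.
using JSObject = std::vector<std::pair<std::string, std::string>>;

static bool HasRealNamedProperty(const JSObject& o, const std::string& name) {
    for (const auto& p : o) if (p.first == name) return true;
    return false;
}
// Appends unconditionally, like InstallFunc in the advisory.
static void InstallFunc(JSObject& t, const std::string& n, const std::string& f) {
    t.push_back({n, f});
}
struct Context {  // assumed stand-ins for the native context's objects
    JSObject webassembly, table_proto, memory_proto, global_proto, tag_proto;
};

// Installs "Function" on WebAssembly and "type" on each instance prototype.
// per_target_guard selects the hardened variant that checks every target.
static void InstallTypeReflection(Context& c, bool per_target_guard) {
    auto install = [&](JSObject& t, const std::string& n, const std::string& f) {
        if (!per_target_guard || !HasRealNamedProperty(t, n)) InstallFunc(t, n, f);
    };
    install(c.webassembly, "Function", "WebAssemblyFunction");
    install(c.table_proto, "type", "WebAssemblyTableType");
    install(c.memory_proto, "type", "WebAssemblyMemoryType");
    install(c.global_proto, "type", "WebAssemblyGlobalType");
    install(c.tag_proto, "type", "WebAssemblyTagType");
}
// The caller's guard from the advisory: only WebAssembly.Function is checked.
static void InstallConditionalFeatures(Context& c, bool per_target_guard) {
    if (!HasRealNamedProperty(c.webassembly, "Function"))
        InstallTypeReflection(c, per_target_guard);
}

// Scenario: install once, then the sentinel alone is absent while the other
// prototypes still carry "type", and the caller runs again. Returns how many
// "type" descriptors Table.prototype holds afterwards (1 is correct).
static int TypeCountAfterReinstall(bool per_target_guard) {
    Context c;
    InstallConditionalFeatures(c, per_target_guard);
    c.webassembly.clear();  // constructed: sentinel gone, prototypes untouched
    InstallConditionalFeatures(c, per_target_guard);
    int n = 0;
    for (const auto& p : c.table_proto) if (p.first == "type") ++n;
    return n;
}
```

With the sentinel-only guard the model ends up with two type descriptors on Table.prototype; with the per-target guard it keeps exactly one.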
Impact
This issue can be exploited to gain RCE in Chrome's renderer process.
CVE
- CVE-2024-3833
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-070 in any communication regarding this issue.