
Research/Browser

Issue 1473631 (Type Confusion in Harmony Set Methods) Introduction Issue 1473631 is a bug in the Set methods of JavaScript ES6 Harmony; it is a vulnerability that allows arbitrary code execution by exploiting a type confusion. Environment Setting # install depot_tools cd ~ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git export PATH=$HOME/depot_tools:$PATH echo -e '\nexport PATH=$HOME/depot_tools:$PATH' >> ~/.zshrc # get V8 cd ~ mkdir V8 cd V8 fetch v8 cd v8 g..
CVE-2024-0517 (Out of Bounds Write in V8) Introduction CVE-2024-0517 is a bug that occurs when Maglev handles allocation folding while compiling a derived constructor; it is a vulnerability that allows arbitrary code execution by exploiting an out-of-bounds write. Environment Setting # install depot_tools cd ~ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git export PATH=$HOME/depot_tools:$PATH echo 'export PATH=$HOME/depot_tools:$PATH' >> ~/.zshrc # get V8 cd ~ mkd..
CVE-2021-30551 (Type confusion in V8 in Google Chrome) Introduction CVE-2021-30551 is a bug caused by the property interceptor not taking JavaScript's asynchronous tasks into account; it is a vulnerability that allows arbitrary code execution by exploiting a type confusion. Environment Setting Install Depot_tools Install depot_tools in order to build Chromium. cd ~ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git export PATH=$PWD/depot_tools:$PATH Download Chromium source code Download the Chromium source code..
Issue-1472121 : Exploit out-of-bound CloneObjectIC type confusion Environment Setting Install depot_tools cd ~ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git export PATH=~/depot_tools:$PATH Get V8 source code mkdir v8 cd v8 fetch v8 cd v8 git checkout 25b1011e80f gclient sync -D Install build dependencies ./build/install-build-deps.sh Build V8 gn gen out/debug --args="v8_no_inline=true v8_optimized_debug=false is_component_build=fal..
CVE-2023-4427 PoC : Out of bounds memory access in V8. Introduction This is an analysis of the OOB vulnerability, reported by Sergei Glazunov of Google Project Zero, that occurs in the For-in optimization process. update The Stable and Extended stable channels have been updated to 116.0.5845.110 for Mac and Linux and 116.0.5845.110/.111 for Windows, which will roll out over the coming days/weeks. A full list of changes in this build is available in the log. Environment Setting Install depot_tools cd ~..
CVE-2023-4069 (Type confusion in VisitFindNonDefaultConstructorOrConstruct of Maglev) Environment Setting Install depot_tools cd ~ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git export PATH=~/depot_tools:$PATH Get V8 source code mkdir v8 cd v8 fetch v8 cd v8 git checkout 7f22404388ef0eb9383f189c1b0a85b5ea93b079 gclient sync -D Install build dependencies ./build/install-build-deps.sh Build V8 gn gen out/debug --args="v8_no_inline=true v8_optimized_debug..
Chrome V8 Hole Exploit Prerequisite Knowledge Hole Object In V8, the hole is an object that represents an empty slot; it is an oddball type that a user cannot control directly. /* v8/src/compiler/js-call-reducer.cc */ // The contract is that we don't leak "the hole" into "user JavaScript", // so we must rename the {element} here to explicitly exclude "the hole" // from the type of {element}. If a hole object is accessed, the user can only observe data that has been converted to undefined. d8> %DebugPrint(%Th..
CVE-2023-3079 (Bug in the handling of the arguments object) Environment Setting Install depot_tools cd ~ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git export PATH=~/depot_tools:$PATH Get V8 source code mkdir v8 cd v8 fetch v8 cd v8 git checkout 4217c51611830d98d7fd7b8c922571942a87ad2e gclient sync -D Install build dependencies ./build/install-build-deps.sh Build V8 gn gen out/debug --args="v8_no_inline=true v8_optimized_debug..