lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAnZqX_3UdpDwpxpMhRjS7JRs3AzwtnEOrhmqo4mHr_eCkCz3w@mail.gmail.com>
Date: Wed, 16 Aug 2017 10:34:02 +0300
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Chrome Turbofan Remote Code Execution
SSD Advisory – Chrome Turbofan Remote Code Execution
Full report: https://blogs.securiteam.com/index.php/archives/3379
Twitter account: @SecuriTeam_SSD <https://twitter.com/SecuriTeam_SSD>
Vulnerability Summary
The following advisory describes a type confusion vulnerability that leads
to remote code execution found in Chrome browser version 59.
Chrome browser is affected by a type confusion vulnerability. The
vulnerability results from incorrect optimization by the turbofan compiler,
which causes confusion between access to an object array and a value array,
and therefore allows to access objects as if they were values by reading
them as if they were values (thus receiving their in memory address) or
vice-versa to write values into an object array and thus being able to fake
objects completely.
Credit
An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
Google was informed of the vulnerability, and a ticket has been opened:
https://bugs.chromium.org/p/chromium/issues/detail?id=746946, because the
vulnerability stopped working in Chrome 60 – Google has no plan to address
it as a security advisory/patch.
--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514
Download attachment "SSD Advisory – Chrome Turbofan Remote Code Execution – SecuriTeam Blogs.pdf" of type "application/pdf" (273076 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists