Date: Wed, 16 Aug 2017 10:34:02 +0300
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Chrome Turbofan Remote Code Execution

SSD Advisory – Chrome Turbofan Remote Code Execution

Full report: https://blogs.securiteam.com/index.php/archives/3379
Twitter account: @SecuriTeam_SSD <https://twitter.com/SecuriTeam_SSD>

Vulnerability Summary

The following advisory describes a type confusion vulnerability, found in
Chrome browser version 59, that leads to remote code execution.

Chrome browser is affected by a type confusion vulnerability. The
vulnerability results from incorrect optimization by the turbofan compiler,
which causes confusion between access to an object array and access to a
value array. This allows objects to be read as if they were values (thus
revealing their in-memory addresses) or, vice versa, values to be written
into an object array, making it possible to fake objects completely.

Credit

An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

Google was informed of the vulnerability, and a ticket has been opened:
https://bugs.chromium.org/p/chromium/issues/detail?id=746946
Because the vulnerability stopped working in Chrome 60, Google has no plan
to address it as a security advisory/patch.
--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Download attachment "SSD Advisory – Chrome Turbofan Remote Code Execution – SecuriTeam Blogs.pdf" of type "application/pdf" (273076 bytes)

