module
Google Chrome 67, 68 and 69 Object.create exploit
| Disclosed |
|---|
| Sep 25, 2018 |
Disclosed
Sep 25, 2018
Description
This modules exploits a type confusion in Google Chromes JIT compiler.
The Object.create operation can be used to cause a type confusion between a
PropertyArray and a NameDictionary.
The payload is executed within the rwx region of the sandboxed renderer
process.
This module can target the renderer process (target 0), but Google
Chrome must be launched with the --no-sandbox flag for the payload to
execute successfully.
Alternatively, this module can use CVE-2019-1458 to escape the renderer
sandbox (target 1). This will only work on vulnerable versions of
Windows (e.g Windows 7) and the exploit can only be triggered once.
Additionally the exploit can cause the target machine to restart
when the session is terminated. A BSOD is also likely to occur when
the system is shut down or rebooted.
The Object.create operation can be used to cause a type confusion between a
PropertyArray and a NameDictionary.
The payload is executed within the rwx region of the sandboxed renderer
process.
This module can target the renderer process (target 0), but Google
Chrome must be launched with the --no-sandbox flag for the payload to
execute successfully.
Alternatively, this module can use CVE-2019-1458 to escape the renderer
sandbox (target 1). This will only work on vulnerable versions of
Windows (e.g Windows 7) and the exploit can only be triggered once.
Additionally the exploit can cause the target machine to restart
when the session is terminated. A BSOD is also likely to occur when
the system is shut down or rebooted.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.