module
Google Chrome 67, 68 and 69 Object.create exploit
| Disclosed |
|---|
| Sep 25, 2018 |
Disclosed
Sep 25, 2018
Description
This modules exploits a type confusion in Google Chromes JIT compiler.
The Object.create operation can be used to cause a type confusion between a
PropertyArray and a NameDictionary.
The payload is executed within the rwx region of the sandboxed renderer
process.
This module can target the renderer process (target 0), but Google
Chrome must be launched with the --no-sandbox flag for the payload to
execute successfully.
Alternatively, this module can use CVE-2019-1458 to escape the renderer
sandbox (target 1). This will only work on vulnerable versions of
Windows (e.g Windows 7) and the exploit can only be triggered once.
Additionally the exploit can cause the target machine to restart
when the session is terminated. A BSOD is also likely to occur when
the system is shut down or rebooted.
The Object.create operation can be used to cause a type confusion between a
PropertyArray and a NameDictionary.
The payload is executed within the rwx region of the sandboxed renderer
process.
This module can target the renderer process (target 0), but Google
Chrome must be launched with the --no-sandbox flag for the payload to
execute successfully.
Alternatively, this module can use CVE-2019-1458 to escape the renderer
sandbox (target 1). This will only work on vulnerable versions of
Windows (e.g Windows 7) and the exploit can only be triggered once.
Additionally the exploit can cause the target machine to restart
when the session is terminated. A BSOD is also likely to occur when
the system is shut down or rebooted.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.