BugTraq
CVE-2015-1251: Chrome blink Speech­Recognition­Controller use-after-free details Nov 23 2016 09:21AM
Berend-Jan Wever (berendj nwever nl)
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
seventeenth entry in that series. Unfortunately I won't be able to
publish everything within one month at the current rate, so I may
continue to publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161123001.html. There you can find a repro
that triggered this issue, snippets from the vulnerable source and more
details in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Chrome blink SpeechRecognitionController use-after-free
=======================================================
(Chromium 455857, CVE-2015-1251)

Synopsis
--------
A specially crafted web-page can cause the blink rendering engine used
by Google Chrome and Chromium to continue to use a speech recognition
API object after the memory block that contained the object has been
freed. An attacker can force the code to read a pointer from the freed
memory and use this to call a function, allowing arbitrary code execution.

Known affected software and attack vectors
------------------------------------------
+ Google Chrome 39.0

An attacker would need to get a target user to open a specially
crafted webpage. Disabling Javascript should prevent an attacker from
triggering the vulnerable code path.

Description
-----------
Creating a `webkitSpeechRecognition` Javascript object in a popup window
before closing the popup frees a C++ object used internally by the
speech recognition API code but leaves a dangling pointer to the freed
memory in another C++ object. When the `start()` Javascript method is
called, this dangling pointer is used to try to read a function pointer
from a virtual function table and call that function. An attacker has
ample time to groom the heap between the free and re-use in order to
control the function pointer used by the code, allowing arbitrary code
execution.

Exploit
-------
An attacker looking to exploit this issue is going to want to try and
control the contents of the freed memory, before getting the code to use
the dangling pointer to call a virtual function. Doing so would allow an
attacker to execute arbitrary code. This is made possible because steps
5 and 6 can both be triggered at a time of the attackers choosing,
giving the attacker the ability to free the memory in step 5 whenever
this is convenient and attempt to reallocate and fill it with any data
before executing step 6. This should allow an attacker to create a fake
`vftable` pointer and gain arbitrary code execution. In order to develop
a working exploit, existing mitigations will need to be bypassed, most
significantly ASLR and DEP. As this vulnerability by itself does not
appear to allow bypassing these mitigations, I did not develop a working
exploit for it.

Time-line
---------
* November 2014: This vulnerability was found through fuzzing.
* December 2014: This vulnerability was submitted to ZDI and iDefense.
* January 2015: This vulnerability was acquired by ZDI.
* February 2015: This vulnerability was fixed in revision 190993.
* May 2015: This vulnerability was addressed by Google in
Chrome 43.0.2357.65.
* November 2016: Details of this issue are released.

Cheers,

SkyLined
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQINBFeg3+kBEACfJ83XEx+3CXfc2pyDlZ5+DFSvhdvbSvemqEckOtrQxTYOmH/8
6WrX2B7K6eyolLCIQMi0FjXK5hjJJFYTMrhoa7pP9V9PD2f4TI+tZv+g0D8wDVam
wYsZrFB6NwzyUaBykjj4chYxxzUxTwagwCxvrGNY871tiVWV5eR3TrKRcsFwzN53
G3lhAT974YRCIBMuA6y+3Jrd8hgfODWUtYsH4WPhaLJRr9qaatN+Fnpk+rb9X62C
EqcVXhgNeIz1j/K3I3XoHqMThNu5zbv7uQrp2j+/0fZjKXxZ7HZhTKzIFTrJkrTA
jQ34iq0qgXmLltpKtOLJKhPQPb8J/N0MxOOTa34BDeSiqwlcRzkl7lYTIl7hvvCn
lSRbu+PoAW0GrD17RAA9FQoqdDDiNLHlXnjx7Jg/Tchq1EF70hKzMojcwyjPilty
HJRtPq/sZEdjwEuA5fM+3cmkmRWZYXmn93rB2KTNlGXo+7II6eXx1E6iw7MBzhV5
+mB9A/6FLPhb6TY7TrWOKC65uEtYjHArcb2WeB7/6g9r0nPcBzFiXt35U+YdbmiH
Qt4L5aivYI3WNwQh391Q8QH8i1C0DTI0TCoinzBHzySJfiQ5IP8BUmPIKJWxSeiF
Od5Fv3bz7S7DihtP+i7XyChoHVAleu9tk4/kIQlJ/PPbBpRAYFhQKwSX3QARAQAB
tCRCZXJlbmQtSmFuIFdldmVyIDxiZXJlbmRqQG53ZXZlci5ubD6JAj8EEwEIACkF
Aleg3+kCGw8FCQIDCbcHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRCdHa2I
JVfFqn6TD/0aQmgvFcwoAOn52NujoEgl5LxdvcrPgDaZK10kuolsA2u/IaB4J3yY
c2Z8kTfGOg5ObCBHlq6B9qYn3ptr+C0ICuYENIVoHdcBgdK9JXscRWrOU8JI69mj
gmsKNLei+AuBGGC7LJOV6JNqYkVieukkFQkv17pvFl63GqNcVkwEXIzzeGOHYHqA
dvPR7xTZu+dA2olB2BVC9XsWJpsxJqzuX8L3wOEn1EFAhlbeSlBo2kXB04DnjUXU
qHa9M2PZ4q0xWmD+iAThTdyoB+FvSvn6+ThFhig99dOsx8ZLS/QRwMoq1qgN1Nst
YFZgCUuGqwR7d0Dr8/Vb1qzQmIPtn/JCjbFNuIssGRA3tDVwTvEmgfAhpVApuS8f
bNWGV2fQmEfLShqXOI/GfEYt8ltoozKKTYRiXt7oqsrLGWjXJ6SZAYcFHOCc9CbC
TukyDyndVIWAwJRSr9SHKyokElnJBeiGW9rMwITW4BRf7YfXNwHHOFW95esbNIEF
sL37BfzBoTNDUShajB8kVKJv0LE5OZArsQfz2yBXoU2AyvGEvbYdt0q53+FwGzX/
EtqkcFYqwKkxurjn8Nkk4x4hjoiUmXHj45G/MgwLxY8Skf6RvBr0eu4Mh7FxoTRP
LX5hIpGbCO3umoGbHNGkJcEw5S9oIQdb3ysf5HVLi7Pw6AIfJZWSfIkBHAQQAQgA
BgUCV6S2FwAKCRBf2KWWmuk+Yng/B/0f/nSDAnmXAiZ2HPi/ujfAEzFPWmahZJVv
Ih9DjuRUV6vk1B9Sh+yiPPZ3FfqOzVE0n6Eh1Kggs6MwQCWv+NfC0KE6rQwxjMce
+eOAf9dbVQ8h6H4yGyIyb4f0tJFRyGpOK8zlKwjvPj2gvTZFjcc1PaZ7cIeuwheB
Ijtw9DQWIoQoFFHZkLHxmNo8IT+r7lB19rVWoh1pu/zfuC+xjQLCpzexafFGY3TT
Fz7YdO14F61sJjrf++9twRi7RoHWGnAcFCZynG6x4jyog1u9iKMK2T2nV5yyQg21
yhw4zEV1pKDwUdHK+TwmtyD5c6oL3IjNDWaHn0aejKgfEiiLUBLe
=anIL
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYNV+bAAoJEJ0drYglV8WqmCAP/3kOpm5ufutKU8EqupZKip+J
LsOyG9qdE0Js5Y6VPXRAPsafxIaQ2/M4DYvSM94Luv98Rgom+wlrnrrmWQTTnOMT
X/+yRUHTlzPUDGgnpENelPXkE/JJDxQy/7cnnGgNcp8JjU5fKuJQtY4KQRUTQiKk
pnH0JGJ9e1rVWIjWgSX183mC+luPOmRQjbaol+9cb9si9Jef7uBvuvVwiZggco4x
Cz3w5YvI4mDt2EMVjEj5KENKYtmfaRtFg5qqhg2wls5l3w2rVLsdLtFzNbDsn8cJ
4oNa/HEoOh7ipKo8aOtX4meX0RqpeyXnrmImEbybpkf0SrhJ7K/gk3Mw6OhtCVZ5
thz01gaNmlSs8fheMgs+xj5VTOzsDsoCEY2dwZ4Aq0BF19LzCfEcHQuySOOUslwv
THacC4DlupmJRV+tig/vREYzfwaz66mWa+X6e8gXyMC/RRo2APu71JSqQYHqZXjf
35WQbQL9N3hrul+T/mwbE8mGWVU8xxNTi8YrMB1n2RgSv52+rnTU2vIEWqCRt5Ki
KaFeucd1t1Qc3cLpTgZS+z47QYhdl61Vloe4DcIig8ei5ueIUEiP84dj47a9PNr7
4Y0muUagB/X7AHULvMuFBMHIYtn7LtRQ9r4Mtwjt+8p22Qaf4zMk4kAlSC6tLyGk
CN8fGyo22V0+Eek989H4
=CoA0
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus