Chrome 0 day漏洞分析：CVE-2019-5786技术文档<\/h1>

漏洞概述<\/h2>
CVE-2019-5786是Chrome浏览器中的一个高危0 day漏洞，存在于FileReader API中。该漏洞由谷歌漏洞分析组的Clement Lecigne发现并报告，已被发现在野外被利用攻击Windows 7 32位平台。漏洞可导致渲染器进程中的代码执行问题，并可能进一步破坏主机系统。<\/p>

漏洞技术分析<\/h2>

漏洞本质<\/h3>
该漏洞是一个引用计数问题，涉及对同一个底层ArrayBuffer的多次引用。具体表现为在FileReader API的实现中，对ArrayBuffer的不当处理可能导致use-after-free条件。<\/p>

受影响代码<\/h3>
漏洞主要存在于`FileReaderLoader<\/code>类的ArrayBufferResult<\/code>函数中，该函数负责在用户访问FileReader.result<\/code>成员时返回数据。<\/p>`

补丁对比<\/h3>
旧版本代码<\/strong>:<\/p>
DOMArrayBuffer*<\/span> ArrayBufferResult<\/span>() {
<\/span><\/span>  if<\/span> (array_buffer_result_)
<\/span><\/span>    return<\/span> array_buffer_result_;
<\/span><\/span>  
<\/span><\/span>  if<\/span> (finished_loading_) {
<\/span><\/span>    array_buffer_result_ =<\/span> DOMArrayBuffer::<\/span>Create(raw_data_-><\/span>ToArrayBuffer());
<\/span><\/span>    return<\/span> array_buffer_result_;
<\/span><\/span>  }
<\/span><\/span>  
<\/span><\/span>  return<\/span> DOMArrayBuffer::<\/span>Create(raw_data_-><\/span>ToArrayBuffer());
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>修补后版本<\/strong>:<\/p>
DOMArrayBuffer*<\/span> ArrayBufferResult<\/span>() {
<\/span><\/span>  if<\/span> (array_buffer_result_)
<\/span><\/span>    return<\/span> array_buffer_result_;
<\/span><\/span>  
<\/span><\/span>  if<\/span> (finished_loading_) {
<\/span><\/span>    array_buffer_result_ =<\/span> DOMArrayBuffer::<\/span>Create(raw_data_-><\/span>ToArrayBuffer());
<\/span><\/span>    return<\/span> array_buffer_result_;
<\/span><\/span>  }
<\/span><\/span>  
<\/span><\/span>  return<\/span> DOMArrayBuffer::<\/span>Create(
<\/span><\/span>      ArrayBuffer::<\/span>Create(raw_data_-><\/span>Data(), raw_data_-><\/span>ByteLength()));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键差异<\/h3>


在数据未完全加载时(finished_loading_<\/code>为false)，修补前版本直接使用raw_data_->ToArrayBuffer()<\/code>，而修补后版本使用ArrayBuffer::Create<\/code>创建新的缓冲区并复制数据。<\/p>
<\/li>

ArrayBufferBuilder::ToArrayBuffer()<\/code>会根据bytes_used_<\/code>的值返回包含数据副本的较小ArrayBuffer或直接返回缓冲区数据。<\/p>
<\/li>
<\/ol>
漏洞利用条件<\/h2>

需要在finished_loading<\/code>设置为true之前多次访问ArrayBufferBuilder::ToArrayBuffer()<\/code><\/li>
数据需要被完全读取<\/li>
多次调用ToArrayBuffer()<\/code>会增加引用计数，可能导致use-after-free问题<\/li>
<\/ol>
漏洞验证方法<\/h2>
测试代码示例<\/h3>
\/\/ 创建一个大Blob以强制触发多次progress事件
<\/span><\/span><\/span><\/span>const<\/span> blob<\/span> =<\/span> new<\/span> Blob<\/span>([new<\/span> Uint8Array<\/span>(1024<\/span> *<\/span> 1024<\/span> *<\/span> 10<\/span>)]); \/\/ 10MB数据
<\/span><\/span><\/span><\/span>const<\/span> reader<\/span> =<\/span> new<\/span> FileReader<\/span>();
<\/span><\/span>
<\/span><\/span>reader<\/span>.onprogress<\/span> =<\/span> function<\/span>(e<\/span>) {
<\/span><\/span>  \/\/ 多次访问result属性
<\/span><\/span><\/span><\/span>  const<\/span> buf1<\/span> =<\/span> reader<\/span>.result<\/span>;
<\/span><\/span>  const<\/span> buf2<\/span> =<\/span> reader<\/span>.result<\/span>;
<\/span><\/span>  
<\/span><\/span>  \/\/ 检查两个缓冲区是否相同
<\/span><\/span><\/span><\/span>  if<\/span> (buf1<\/span>.byteLength<\/span> ===<\/span> buf2<\/span>.byteLength<\/span>) {
<\/span><\/span>    \/\/ 创建视图修改底层数据
<\/span><\/span><\/span><\/span>    const<\/span> view1<\/span> =<\/span> new<\/span> Uint8Array<\/span>(buf1<\/span>);
<\/span><\/span>    const<\/span> view2<\/span> =<\/span> new<\/span> Uint8Array<\/span>(buf2<\/span>);
<\/span><\/span>    view1<\/span>[0<\/span>] =<\/span> 0x41<\/span>;
<\/span><\/span>    if<\/span> (view2<\/span>[0<\/span>] ===<\/span> 0x41<\/span>) {
<\/span><\/span>      console<\/span>.log<\/span>("Vulnerable!"<\/span>);
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>reader<\/span>.readAsArrayBuffer<\/span>(blob<\/span>);
<\/span><\/span><\/code><\/pre>调试方法<\/h3>

下载受影响版本的Chrome(如72.0.3626.119)<\/li>
附加调试器到渲染器进程(chrome_child.dll)<\/li>
在FileReaderLoader::ArrayBufferResult<\/code>函数设置断点<\/li>
观察ArrayBufferBuilder::ToArrayBuffer()<\/code>的调用情况<\/li>
<\/ol>
漏洞利用思路<\/h2>

引用计数溢出<\/strong>：通过多次调用ToArrayBuffer()<\/code>使引用计数接近最大值<\/li>
内存控制<\/strong>：利用释放的大缓冲区进行堆布局

在Windows 7 32位系统上更易实现，因为地址空间较小<\/li>
可能需要分配大量对象(约10k)来控制地址空间中的元数据<\/li>
<\/ul>
<\/li>
元数据破坏<\/strong>：通过控制释放的内存区域来破坏JavaScript对象元数据<\/li>
<\/ol>
后续攻击链<\/h2>
在实际攻击中，攻击者通常需要结合其他漏洞完成完整攻击链：<\/p>

首先利用此漏洞在渲染器进程中获取代码执行权限<\/li>
由于Chrome的沙箱限制，需要第二个漏洞逃离沙箱<\/li>
在网络发现的攻击中，攻击者使用了Windows内核漏洞(CVE-2019-0808)来逃离沙箱<\/li>
<\/ol>
防护措施<\/h2>

更新Chrome到最新版本(72.0.3626.121及以上已修复)<\/li>
启用Chrome的自动更新功能<\/li>
对于企业环境，可考虑部署应用防护解决方案<\/li>
<\/ol>
总结<\/h2>
CVE-2019-5786是一个典型的引用计数导致的use-after-free漏洞，展示了浏览器安全机制中的细微缺陷可能带来的严重后果。该漏洞的分析过程也体现了：<\/p>

通过补丁对比分析漏洞的技术价值<\/li>
现代浏览器复杂的安全机制和攻击面<\/li>
漏洞利用需要考虑操作系统特性和防御机制<\/li>
<\/ol>
参考资料<\/h2>

Chrome稳定版更新公告<\/a><\/li>
谷歌安全博客<\/a><\/li>
Chromium问题跟踪<\/a><\/li>
Chromium源代码<\/a><\/li>
相关内核漏洞分析<\/a><\/li>
<\/ol>

Chrome 0 day漏洞分析：CVE-2019-5786技术文档<\/h1>

漏洞技术分析<\/h2>

漏洞本质<\/h3> 该漏洞是一个引用计数问题，涉及对同一个底层ArrayBuffer的多次引用。具体表现为在FileReader API的实现中，对ArrayBuffer的不当处理可能导致use-after-free条件。<\/p>

受影响代码<\/h3> 漏洞主要存在于FileReaderLoader<\/code>类的ArrayBufferResult<\/code>函数中，该函数负责在用户访问FileReader.result<\/code>成员时返回数据。<\/p>

漏洞验证方法<\/h2>

参考资料<\/h2> Chrome稳定版更新公告<\/a><\/li> 谷歌安全博客<\/a><\/li> Chromium问题跟踪<\/a><\/li> Chromium源代码<\/a><\/li> 相关内核漏洞分析<\/a><\/li> <\/ol>

漏洞本质<\/h3>
该漏洞是一个引用计数问题，涉及对同一个底层ArrayBuffer的多次引用。具体表现为在FileReader API的实现中，对ArrayBuffer的不当处理可能导致use-after-free条件。<\/p>

受影响代码<\/h3>
漏洞主要存在于`FileReaderLoader<\/code>类的ArrayBufferResult<\/code>函数中，该函数负责在用户访问FileReader.result<\/code>成员时返回数据。<\/p>`

参考资料<\/h2>

Chrome稳定版更新公告<\/a><\/li>
谷歌安全博客<\/a><\/li>
Chromium问题跟踪<\/a><\/li>
Chromium源代码<\/a><\/li>
相关内核漏洞分析<\/a><\/li> <\/ol>