One day short of a full chain: Part 3 - Chrome renderer RCE
Man Yue Mo

This is the last post of a series in which I exploit three bugs that can be used to form an exploit chain from visiting a malicious website in the beta version of Chrome 86 to gaining arbitrary code execution in the Android kernel. The first part of the series, about the kernel exploit, can be found here, and the second part, about the Chrome sandbox escape, here.

In this post I’ll go through the exploitation of CVE-2020-15972, a use-after-free in the WebAudio component of Chrome. This is a bug collision that I reported in September 2020 as 1125635. I was told that it was a duplicate of 1115901, although no fix was in place when I reported the bug. More details about the bug can be found in GHSL-2020-167. This vulnerability affected much of the stable version 85 of Chrome, but for the purpose of this exploit I’ll use the .30 beta version of Chrome, because the sandbox escape bug only affected version 86 of Chrome in beta.

The exploit for this bug will allow me to gain remote code execution in the renderer process of Chrome, which is implemented as an isolated process in Android and has significantly less privilege than Chrome itself, which has the full privilege of an Android App. In order to escalate privilege to that of an Android App and to be able to launch the kernel exploit, this vulnerability needs to be used in tandem with the sandbox escape vulnerability 1125614 (GHSL-2020-165), which is detailed in another post.

As with my previous post on WebAudio exploitation, I’ll assume readers are familiar with some of the basics covered in my other post on Chrome UAF exploitation. As explained in that post, our exploit targets the 64 bit Chrome binary, but the same primitives are also available in 32 bit binaries, so it should be adaptable to the 32 bit binary with changes in object layout and heap spraying. Some of the basic concepts behind the WebAudio API can also be found here.

Let’s first review a few concepts that are crucial to understanding the vulnerability and the exploit. The WebAudio API is basically a graph that joins an audio source with a destination. Each node in the graph represents some processing that will be done to the result of the previous node.

`void AudioNode::Dispose()`

At this point, AudioHandler is already free’d. Depending on the outcome of InputsAreSilent, the virtual function PropagatesSilence or Process will be called. If the deleted AudioHandler in the previous point was replaced by another valid AudioHandler so that the virtual function calls did not crash, then ProcessIfNecessary will return to the calling AudioNodeOutput::Pull.
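The dangling-reference shape described above, as an added, hypothetical C model that is not Chromium's code: an output keeps a non-owning pointer to its handler, Dispose() releases the handler, and the next Pull() dispatches virtual calls through it. The `freed` flag, the `scenario` helper and the two `dispose_*` shapes are constructed for illustration; the fixed shape shows the defensive pattern of detaching every non-owning reference before the owner releases the object.

```c
// Hypothetical, simplified C model of the chain described above (not Chromium code):
// an AudioNodeOutput holds a non-owning pointer to the AudioHandler, Dispose() releases
// the handler, and the next Pull() dispatches virtual calls through it. The `freed`
// flag is a constructed stand-in for the heap-use-after-free a sanitizer would report.
#include <stdbool.h>
#include <stdlib.h>
enum { PULL_UAF = -1, PULL_SILENT = 0, PULL_PROCESSED = 1 };
typedef struct AudioHandler {
    bool freed;                                       // set by Dispose() instead of free()
    bool (*inputs_are_silent)(struct AudioHandler *); // "virtual" slots, as in a vtable
    int  (*process)(struct AudioHandler *);
    int  (*propagates_silence)(struct AudioHandler *);
} AudioHandler;
typedef struct { AudioHandler *handler; } AudioNodeOutput;                    // non-owning
typedef struct { AudioHandler *handler; AudioNodeOutput *output; } AudioNode; // owning
static bool inputs_not_silent(AudioHandler *h) { (void)h; return false; }
static int  do_process(AudioHandler *h) { (void)h; return PULL_PROCESSED; }
static int  do_propagate_silence(AudioHandler *h) { (void)h; return PULL_SILENT; }
static AudioHandler *make_handler(void) {
    AudioHandler *h = calloc(1, sizeof *h);
    h->inputs_are_silent = inputs_not_silent;
    h->process = do_process;
    h->propagates_silence = do_propagate_silence;
    return h;
}
// Models AudioNodeOutput::Pull -> ProcessIfNecessary -> InputsAreSilent -> virtual call.
int pull(AudioNodeOutput *out) {
    AudioHandler *h = out->handler;
    if (h == NULL) return PULL_SILENT;  // detached output: nothing to render
    if (h->freed) return PULL_UAF;      // on real memory this is the use-after-free
    return h->inputs_are_silent(h) ? h->propagates_silence(h) : h->process(h);
}
// Buggy shape: the handler is released while the output still points at it.
void dispose_buggy(AudioNode *n) { n->handler->freed = true; n->handler = NULL; }
// Fixed shape: detach the non-owning reference before releasing the handler.
void dispose_fixed(AudioNode *n) {
    n->output->handler = NULL;
    n->handler->freed = true;
    n->handler = NULL;
}
// Dispose one node with either shape, then pull its output; returns the pull outcome.
int scenario(bool fixed) {
    AudioHandler *h = make_handler();
    AudioNodeOutput out = { h };
    AudioNode node = { h, &out };
    if (fixed) dispose_fixed(&node); else dispose_buggy(&node);
    int r = pull(&out);
    free(h);  // the real release happens after the check so the model stays well-defined
    return r;
}
```

Under ASan the buggy shape on real memory reports heap-use-after-free at the first virtual-slot read in `pull`; the fixed shape never reaches it.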