An UAF bug exists in muon
Opened this issue · 2 comments
-
Operating system:
brave-v8.1.8-linux-x64.zip
Linux ubuntu 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
ubuntu 18.04 -
Steps to reproduce
r /path/to/demo.html
if you want to get to the function before 0x3799940, you can use the gdb script I uploaded.
- Basic info
[----------------------------------registers-----------------------------------]
RAX: 0x53582a30d8 --> 0x662f6567616d6912
RBX: 0x7fffffffd058 --> 0x0
RCX: 0x29 (')')
RDX: 0x140
RSI: 0x0
RDI: 0x7fffffffd058 --> 0x0
RBP: 0x7fffffffd040 --> 0x7fffffffd070 --> 0x7fffffffd090 --> 0x7fffffffd0d0 --> 0x7fffffffd130 --> 0x7fffffffd1c0 (--> ...)
RSP: 0x7fffffffd030 --> 0x3799940 (push rbp)
RIP: 0x2d41301 (mov rdx,QWORD PTR [rsi])
R8 : 0x0
R9 : 0x535730d570 --> 0x10000001e
R10: 0x53572a6cc0 --> 0x535730d570 --> 0x10000001e
R11: 0x0
R12: 0x6fc0430 --> 0x0
R13: 0x53570f3d30 --> 0x0
R14: 0x5357778960 --> 0x0
R15: 0x7fffffffd0e8 --> 0x4847dc ("PluginsLoaded")
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x2d412f8: add rax,0x38
0x2d412fc: test cl,0x1
0x2d412ff: je 0x2d41309
=> 0x2d41301: mov rdx,QWORD PTR [rsi]
0x2d41304: mov rcx,QWORD PTR [rdx+rcx*1-0x1]
0x2d41309: mov rdi,rbx
0x2d4130c: mov rdx,rax
0x2d4130f: call rcx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd030 --> 0x3799940 (push rbp)
0008| 0x7fffffffd038 --> 0x7fffffffd080 --> 0x0
0016| 0x7fffffffd040 --> 0x7fffffffd070 --> 0x7fffffffd090 --> 0x7fffffffd0d0 --> 0x7fffffffd130 --> 0x7fffffffd1c0 (--> ...)
0024| 0x7fffffffd048 --> 0x3799963 (lea rdi,[rbp-0x20])
0032| 0x7fffffffd050 --> 0x53582a30a0 --> 0xffffffff00000001
0040| 0x7fffffffd058 --> 0x0
0048| 0x7fffffffd060 --> 0x7fffffffd080 --> 0x0
0056| 0x7fffffffd068 --> 0x3ba29a0 (push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000002d41301 in ?? ()
So the bug actually happens at the base::internal::Invoker<base::internal::BindState<void (*)>
when it tries to bind a callback function, which is the 0x2D412E0
_int64 __fastcall vuln(__int64 a1, struct_a2 *a2)
{
char *v3; // rcx
_QWORD *v4; // rsi
struct_a2 *v5; // rax
v3 = a2->pchar20;
v4 = (_QWORD *)(a2->qword28 + a2->qword30);
v5 = a2 + 1;
if ( (unsigned __int8)v3 & 1 )
v3 = *(char **)&v3[*v4 - 1];
((void (__fastcall *)(__int64, _QWORD *, struct_a2 *))v3)(a1, v4, v5);
return a1;
}
the obj it passed to this function has been freed before Invoker has been called, so that a2->qword28 + a2->qword30 is NULL. which caused a NULL pointer dereference eventually.
fuzz-1.zip
attached the poc html for the convenience of you
Thanks for reporting this. This repo was unofficially deprecated on Oct 5 when we started switching to https://github.com/brave/brave-browser/ and we are now actively migrating users off of it