
Microsoft provides details of a code execution vulnerability in Chrome

Microsoft’s Offensive Security Research (OSR) team disclosed a remote code execution vulnerability in the Chrome web browser.

Microsoft’s Offensive Security Research (OSR) team has disclosed a remote code execution vulnerability in the Chrome web browser that was discovered by its experts.

The flaw, tracked as CVE-2017-5121, was addressed by Google last month with the release of Chrome 61, but the company has yet to disclose the details of the flaw.

Microsoft researchers found the flaw using ExprGen, a fuzzer they developed in-house for testing their own Chakra JavaScript engine.

The analysis of Chrome's open-source V8 JavaScript engine initially revealed an information leak, but further analysis confirmed that the bug allowed arbitrary code execution in the Chrome renderer process.

As you know, the Google Chrome browser uses a sandbox to restrict the execution environment of web applications; this means that in order to escape the sandbox and take over the machine, an attacker must chain the flaw with a second vulnerability.

Microsoft examined what could be achieved without such a second vulnerability and found that executing arbitrary code within a renderer process can allow an attacker to bypass the Same-Origin Policy (SOP), the mechanism that prevents a malicious script on one page from obtaining access to sensitive data on another web page.

“Each renderer is meant to be the brains behind one or more tabs—it takes care of parsing and interpreting HTML, JavaScript, and the like. The sandboxing model makes it so that these processes only have access to as little as they need to function. As such, a full persistent compromise of the victim’s system is not possible from the renderer without finding a secondary bug to escape that sandbox,” Microsoft wrote in a blog post.

“With that in mind, we thought it would be interesting to examine what might be possible for an attacker to achieve without a secondary bug.”

By bypassing the SOP, an attacker can steal the saved passwords for any website by hijacking the PasswordAutofillAgent interface, inject arbitrary JavaScript into web pages via universal cross-site scripting (UXSS), and silently navigate to any website, including those that embed cryptomining code or host exploit kits.

“A better implementation of this kind of attack would be to look into how the renderer and browser processes communicate with each other and to directly simulate the relevant messages, but this shows that this kind of attack can be implemented with limited effort,” continues the blog post. “While the democratization of two-factor authentication mitigates the dangers of password theft, the ability to stealthily navigate anywhere as that user is much more troubling because it can allow an attacker to spoof the user’s identity on websites they’re already logged into.”

Microsoft criticized the way Google releases patches for Chrome through the open-source browser project Chromium. The source code changes that address a flaw are often available on GitHub before the actual patch is released to customers, giving threat actors a window in which to develop their own exploits.


Pierluigi Paganini 

(Security Affairs – Chrome, RCE)

