Experts Reveal Details and PoC on Chrome CVE-2024-0517 RCE Flaw
Technical details and proof-of-concept (PoC) have emerged about a now-patched security flaw, CVE-2024-0517, in Google Chrome that could be exploited by threat actors to achieve remote code execution.
CVE-2024-0517 has been found by security researcher Toan (suto) Pham of Qrious Secure as an out-of-bounds write in V8 that Google patched this month. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system.
At the heart of this security flaw is an out-of-bounds write in V8, Chrome’s powerful JavaScript engine, which, if exploited, could allow threat actors to execute arbitrary code on the victim’s system. This particular vulnerability arises from a nuanced bug within V8’s Maglev compiler, specifically in its handling of class compilation that includes parent classes.
The vulnerability’s genesis is traced to the `VisitFindNonDefaultConstructorOrConstructMaglev` function, designed to optimize class creation when a parent class is involved. The flaw is triggered when compiling a class with a `new.target` reference, a meta-property in JavaScript that’s pivotal for constructors. The misuse of `Reflect.construct` to target `ClassBug` with `ClassParent` as `new.target` sets the stage for this vulnerability, culminating in a dangerous out-of-bounds write scenario.
The exploitation of CVE-2024-0517 is a masterclass in precision and understanding of Chrome’s inner workings. It begins with triggering the vulnerability to direct an allocation to be a FoldedAllocation, followed by a meticulously timed garbage collection cycle. This preparation phase is crucial for positioning objects within the V8 heap in such a manner that allows for the overwriting of adjacent array maps.
From there, the exploit journey involves the identification of the corrupted array object, setting the stage for the creation of read and write primitives. The introduction of two WebAssembly (wasm) instances, one harboring shellcode for arbitrary writes and the other poised to execute the final payload, showcases the exploit’s sophistication.
The gravity of CVE-2024-0517 was further underscored by a video demonstration published by researchers Javier Jimenez and Vignesh Rao from Exodus Intelligence, showing the exploit’s successful execution on Chrome version 120.0.6099.71 on Linux. The PoC for CVE-2024-0517 highlighted the vulnerability’s real-world implications.
In response to this discovery, Google has swiftly acted to patch this vulnerability, urging users to upgrade their Chrome browsers to the specified versions for Windows (version 120.0.6099.224/225), macOS (version 120.0.6099.234 ), and Linux (version 120.0.6099.224).
