Overview
A use-after-free vulnerability in Google Chrome's FileReader gives a script access to memory it should no longer be able to reach, which can be leveraged into arbitrary code execution in the browser's renderer process. The risk is highest on 32-bit Windows 7 systems, which lack the exploit mitigations added in later versions of Windows.
Details
Web applications can read raw data through a blob object that describes the bytes to be read. The blob can be a file the user selects in an upload dialog or one the script generates itself. The script reads it by creating an object with the FileReader() constructor and attaching two event handlers:
- FileReader.onloadend fires once, when the read operation has finished, whether it succeeded or failed.
- FileReader.onprogress fires while the blob's content is still being read.
Because the read is asynchronous, onprogress can fire several times before onloadend, and each progress handler gets a look at the partial result. The vulnerability is that FileReader hands the script several references to the same underlying ArrayBuffer. That buffer can be freed while the script still holds a reference; if the freed memory is then reclaimed by sprayed objects, the stale reference makes that memory accessible to malicious JavaScript. Reading the partial result from onprogress works even when the read ultimately ends in a failure reported to onloadend, so a failed read is no protection. With that memory access, the attacker can run shellcode on vulnerable Windows x86 systems.
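The event pattern described above, as an added example that is not code from the advisory or from Chromium. Because the point is what a script keeps from `result` across progress events, the example uses a small reader of its own in place of FileReader (the class name ChunkedBlobReader, the "alias" and "copy" policies, the 4-byte chunk size and the 16-byte script-generated blob are all constructed here) so that it runs offline in Node.js 18 or later as well as in a browser. Under the "alias" policy the loader hands out its own working buffer on every progress event, so every reference the script keeps points at storage the loader later releases; that release is modelled by detaching the ArrayBuffer, since JavaScript itself cannot exhibit the native use-after-free. Under the "copy" policy each handler gets a snapshot, which stays readable even when the read ends in an abort, which is the "contents readable despite a failed onloadend" observation from the text.

```javascript
// Added example (not code from the advisory or from Chromium): a small reader
// standing in for FileReader, so the pattern described above can be run
// offline in Node.js 18+ (Blob, structuredClone) or in a browser.
// The loader releasing its working buffer is modelled by detaching the
// ArrayBuffer with a structuredClone transfer, the closest JavaScript gets
// to a freed allocation: byteLength drops to 0 and no view can be built on it.

class ChunkedBlobReader {
  // policy "alias": `result` during a progress event is the loader's own
  //   working ArrayBuffer, so every progress handler sees the same object
  //   (the situation the advisory describes).
  // policy "copy":  `result` is a snapshot of the bytes loaded so far, so a
  //   caller never holds the loader's internal storage.
  constructor(policy, chunkSize) {
    this.policy = policy;
    this.chunkSize = chunkSize;
    this.state = "empty";   // empty -> loading -> done, like FileReader.readyState
    this.aborted = false;
    this.loaded = 0;
    this.internal = null;   // working buffer owned by the loader
    this.final = null;      // completed result; stays null when the read fails
    this.onprogress = null;
    this.onloadend = null;
  }

  get result() {
    if (this.state !== "loading") return this.final;
    return this.policy === "alias" ? this.internal : this.internal.slice(0, this.loaded);
  }

  abort() { this.aborted = true; }

  async readAsArrayBuffer(blob) {
    this.state = "loading";
    this.internal = new ArrayBuffer(blob.size);
    const dst = new Uint8Array(this.internal);
    while (this.loaded < blob.size && !this.aborted) {
      // Chunks arrive asynchronously, so the script gets a progress event,
      // and a look at `result`, before the read is complete.
      const chunk = await blob.slice(this.loaded, this.loaded + this.chunkSize).arrayBuffer();
      dst.set(new Uint8Array(chunk), this.loaded);
      this.loaded += chunk.byteLength;
      if (this.onprogress) this.onprogress({ loaded: this.loaded, total: blob.size });
    }
    // Completion or abort: the bytes move into `final` and the working buffer
    // is detached. In the native code this is the point where it is freed.
    const finished = structuredClone(this.internal, { transfer: [this.internal] });
    this.final = this.aborted ? null : finished;
    this.state = "done";
    if (this.onloadend) this.onloadend({ error: this.aborted ? "AbortError" : null });
  }
}

// Drive one read with the given policy: keep `result` from every progress
// event, optionally abort after `abortAfter` events, and report what those
// kept references look like once onloadend has fired. The input is a
// constructed 16-byte blob generated by script, holding the bytes 1..16.
async function runRead(policy, abortAfter = Infinity) {
  const blob = new Blob([Uint8Array.from({ length: 16 }, (_, i) => i + 1)]);
  const reader = new ChunkedBlobReader(policy, 4);
  const captured = [];
  let loadendError;
  reader.onprogress = () => {
    captured.push(reader.result);
    if (captured.length >= abortAfter) reader.abort();
  };
  reader.onloadend = (e) => { loadendError = e.error; };
  await reader.readAsArrayBuffer(blob);
  const last = captured[captured.length - 1];
  return {
    progressEvents: captured.length,
    sameObject: captured.every((b) => b === captured[0]),
    // byteLength of each kept reference, read after the loader let go of its buffer
    capturedBytes: captured.map((b) => b.byteLength),
    // what the script can still read through the last reference (a detached
    // buffer cannot back a view, so it yields nothing)
    lastContents: last.byteLength === 0 ? [] : Array.from(new Uint8Array(last)),
    resultBytes: reader.result === null ? null : reader.result.byteLength,
    loadendFailed: loadendError !== null,
  };
}

// When run directly with `node`, print the four combinations.
if (typeof require !== "undefined" && require.main === module) {
  (async () => {
    for (const [policy, abortAfter] of [["alias", Infinity], ["copy", Infinity], ["alias", 2], ["copy", 2]]) {
      const mode = abortAfter === Infinity ? "complete" : `abort after ${abortAfter}`;
      console.log(policy, mode, await runRead(policy, abortAfter));
    }
  })();
}
```

In a browser console, `runRead("copy", 2).then(console.log)` shows the case from the text: onloadend reports a failure and `result` is null, yet the two snapshots kept from onprogress still hold bytes 1 to 8. The same call with "alias" shows every kept reference pointing at a buffer the loader has already let go of; in the real FileReader that reference is a live JavaScript object over freed native memory rather than a detached buffer, which is what the spray then exploits.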
Affected Environments
Windows 7 x86 systems running Google Chrome prior to version 72.0.3626.121
Remediation
Upgrade to Google Chrome version 72.0.3626.121 or later
Prevention
- Upgrade to Google Chrome version 72.0.3626.121 or later
- Until the upgrade is applied, disable JavaScript in the Google Chrome browser (note that this breaks most web applications, so it is a stopgap, not a substitute for patching)