0-day vulnerability in Chrome revealed through analysis of changes in the V8 engine

Researchers from Exodus Intelligence have demonstrated a weak point in the process of fixing vulnerabilities in the Chrome/Chromium codebase. The problem is that Google discloses that a change is security-related only after the release ships, but commits the code fixing a vulnerability in the V8 engine to the repository before the release is published. The fixes are tested for some time, which opens a window during which the vulnerability is already fixed in the code base and available for analysis, while it remains unfixed on user systems.

While studying the changes made to the repository, the researchers noticed a fix added on February 19 and within three days prepared an exploit affecting current Chrome releases (the published exploit did not include a component for bypassing sandbox isolation). Google promptly released the Chrome 80.0.3987.122 update, fixing the vulnerability (CVE-2020-6418) targeted by the exploit. The vulnerability was originally identified by Google engineers and is caused by a type-handling problem in the JSCreate operation, which can be triggered through the Array.pop or Array.prototype.pop method. Notably, a similar problem was fixed in Firefox last summer.

The researchers also noted that the pointer compression mechanism introduced in Chrome 80 makes exploits easier to create (instead of storing the full 64-bit value, only the unique lower bits of the pointer are stored, which significantly reduces heap memory consumption). For example, some heap data structures, such as the built-in function table, native context objects and garbage collector root objects, are now allocated at predictable and writable compressed addresses.

Interestingly, almost a year ago Exodus Intelligence gave a similar demonstration of creating an exploit by studying the public log of fixes in V8, but apparently the appropriate conclusions were not drawn. In place of the Exodus Intelligence researchers there could be attackers or intelligence agencies who, having created an exploit, would have the opportunity to covertly exploit the vulnerability for days or even weeks before the next Chrome release is built.

Source: opennet.ru