■ ■ ■ ■ ■ ■
0day-RCAs/2022/CVE-2022-1096.md
| | 1 | + | # CVE-2022-1096: Chrome Type Confusion in Property Access Interceptor |
| | 2 | + | |
| | 3 | + | ## The Basics |
| | 4 | + | |
| | 5 | + | **Disclosure or Patch Date:** 25 March 2022 |
| | 6 | + | |
| | 7 | + | **Product:** Google Chromium |
| | 8 | + | |
| | 9 | + | **Advisory:** https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html |
| | 10 | + | |
| | 11 | + | **Affected Versions:** pre 99.0.4844.84 |
| | 12 | + | |
| | 13 | + | **First Patched Version:** 99.0.4844.84 |
| | 14 | + | |
| | 15 | + | **Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1309225 |
| | 16 | + | |
| | 17 | + | **Patch CL:** https://chromium.googlesource.com/v8/v8/+/0981e91a4f8692af337e2588562ad1504f4bffdc |
| | 18 | + | |
| | 19 | + | **Bug-Introducing CL:** N/A |
| | 20 | + | |
| | 21 | + | **Reporter(s):** Anonymous |
| | 22 | + | |
| | 23 | + | ## The Code |
| | 24 | + | |
| | 25 | + | **Proof-of-concept:** |
| | 26 | + | |
| | 27 | + | ``` |
| | 28 | + | style = document.createElement('p').style; |
| | 29 | + | style.prop = { toString: () => { |
| | 30 | + | style.prop = 1; |
| | 31 | + | }}; |
| | 32 | + | ``` |
| | 33 | + | |
| | 34 | + | **Exploit sample:** N/A |
| | 35 | + | |
| | 36 | + | **Access to the exploit sample?** No |
| | 37 | + | |
| | 38 | + | |
| | 39 | + | ## The Vulnerability |
| | 40 | + | |
| | 41 | + | **Bug class:** Logic/design issue |
| | 42 | + | |
| | 43 | + | **Vulnerability details:** |
| | 44 | + | |
| | 45 | + | This vulnerability can be triggered through property access interceptor for `CSSStyleDeclaration` objects. The property access interceptor is a method that runs anytime that a property of the object is accessed. The interceptor can lead to user JavaScript execution *during* the property assignment process. For CVE-2022-1096 specifically, if the object doesn't have a property with the specified name, it can be added during the user JavaScript execution in the interceptor. The vulnerability itself is in the property access interceptor support in V8. The issue is that the interceptor doesn't re-check the status of the property after the user's JavaScript runs; the execution continues as if the property still doesn't exist. The property is then added to the object a second time leading to a corrupted object, which was then used to gain remote code execution. |
| | 46 | + | |
| | 47 | + | The vulnerability is the same as 2021 in-the-wild 0-day, [CVE-2021-30551](../2021/CVE-2021-30551.md), just accessed differently. The code path patched for CVE-2021-30551 was only if the property was in the object's prototype chain. This time the vulnerability was exploited using a property that is directly owned by the object rather than in its prototype chain. |
| | 48 | + | |
| | 49 | + | |
| | 50 | + | **Patch analysis:** |
| | 51 | + | |
| | 52 | + | To fix [CVE-2021-30551](../2021/CVE-2021-30551.md) in 2021, the `SetSuperProperty` call was added after the interceptor (and user JavaScript) would run in `SetPropertyInternal`. `SetSuperProperty` can correctly handle if the object and property state has changed due to user JavaScript running. To patch, CVE-2022-1096, the `SetSuperProperty` call was moved in order to be called in both cases in `SetPropertyInternal`: when the property is directly owned by the object and when the property is in the object's prototype chain, rather than just when the object is in the object's prototype chain. |
| | 53 | + | |
| | 54 | + | This fix was insufficient though. `SetPropertyInternal` is only used when something is being directly assigned to a property like in the syntax: `obj.prop = x`. A different function, `DefineOwnPropertyIgnoreAttributes` is called when a property is assigned to a value using `Object.defineProperty` instead. This was fixed as [CVE-2022-1232](https://bugs.chromium.org/p/project-zero/issues/detail?id=2280). |
| | 55 | + | |
| | 56 | + | |
| | 57 | + | **Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:** |
| | 58 | + | |
| | 59 | + | Since the same root cause bug was discovered as exploited in-the-wild in 2021, it seems likely that this vulnerability was found via variant analysis. When looking at the patch for [CVE-2021-30551](../2021/CVE-2021-30551.md) it's clear that the fix only covered one of the "if/else" branches in `SetPropertyInternal`. So it seems reasonable to search to see if the same vulnerability could be exploited via the other "if/else" branch, which is what happened here. |
| | 60 | + | |
| | 61 | + | **(Historical/present/future) context of bug:** |
| | 62 | + | |
| | 63 | + | * [CVE-2016-5128]() - Security researcher reported bug in the property access interceptor for `HTMLEmbedElement` |
| | 64 | + | * [CVE-2021-30551](../2021/CVE-2021-30551.md) - 2021 in-the-wild 0-day in property access interceptor for `HTMLEmbedElement` |
| | 65 | + | * CVE-2022-1096 (this bug) - 2022 in-the-wild 0-day in property access interceptor for `CSSStyleDeclaration`. Exploiting same root cause bug as CVE-2021-30551 |
| | 66 | + | * [CVE-2022-1232](https://bugs.chromium.org/p/project-zero/issues/detail?id=2280) - CVE-2022-1096 was incompletely fixed. This patched a variant. |
| | 67 | + | ## The Exploit |
| | 68 | + | |
| | 69 | + | (The terms *exploit primitive*, *exploit strategy*, *exploit technique*, and *exploit flow* are [defined here](https://googleprojectzero.blogspot.com/2020/06/a-survey-of-recent-ios-kernel-exploits.html).) |
| | 70 | + | |
| | 71 | + | **Exploit strategy (or strategies):** Unknown because I didn't have access to the exploit, but likely the same as [CVE-2021-30551](../2021/CVE-2021-30551.md). |
| | 72 | + | |
| | 73 | + | **Exploit flow:** |
| | 74 | + | |
| | 75 | + | **Known cases of the same exploit flow:** |
| | 76 | + | |
| | 77 | + | **Part of an exploit chain?** |
| | 78 | + | |
| | 79 | + | ## The Next Steps |
| | 80 | + | |
| | 81 | + | ### Variant analysis |
| | 82 | + | |
| | 83 | + | **Areas/approach for variant analysis (and why):** |
| | 84 | + | |
| | 85 | + | * Checking other object types to see if they follow different property access interceptor paths |
| | 86 | + | * Check other browsers for similar issues |
| | 87 | + | |
| | 88 | + | **Found variants:** N/A |
| | 89 | + | |
| | 90 | + | ### Structural improvements |
| | 91 | + | |
| | 92 | + | What are structural improvements such as ways to kill the bug class, prevent the introduction of this vulnerability, mitigate the exploit flow, make this type of vulnerability harder to exploit, etc.? |
| | 93 | + | |
| | 94 | + | **Ideas to kill the bug class:** |
| | 95 | + | |
| | 96 | + | The ability to run user scripts that may synchronously modify the process state at an unexpected time is a fundamental problem in any software with scripting capabilities, especially web browsers. Chrome mitigates this bug class by putting DisallowJavascriptExecution scope objects in critical parts of the browser to block user JavaScript execution. The main challenge with this approach is to proactively identify all those critical parts. |
| | 97 | + | |
| | 98 | + | **Ideas to mitigate the exploit flow:** N/A |
| | 99 | + | |
| | 100 | + | **Other potential improvements:** |
| | 101 | + | |
| | 102 | + | ### 0-day detection methods |
| | 103 | + | |
| | 104 | + | What are potential detection methods for similar 0-days? Meaning are there any ideas of how this exploit or similar exploits could be detected **as a 0-day**? |
| | 105 | + | |
| | 106 | + | ## Other References |
| | 107 | + | |
| | 108 | + | * [2022 0-day In-the-Wild Exploitation...so far](https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html) - Project Zero blog and FIRSTCon presentation that use this vulnerability as a case study |
| | 109 | + | |
Maddie Stone
committed
2 years ago
1 parent e9d68dac