
I tested 5 vulnerabilities in the Chrome/Chromium JavaScript engine (V8) on three platforms (the list of vulnerabilities is as follows).

Without exception, the Android system failed to reach the stage of displaying the correct address (I used gdbserver + pwndbg to check if the data pointed to by the memory address was correct).

On the other hand, the addresses leaked by the "Windows" and "Debian" systems were all correct.

CVE:

  • CVE-2016-5198
  • CVE-2018-17463
  • CVE-2019-5782
  • CVE-2020-16040
  • CVE-2021-21220

One of the tests is as follows:

CVE-2016-5198

Android

environment:

  • VMware Workstation Pro 17.6.3
  • android-x86_64-7.1-r5.iso from fosshub
  • chrome Version: 54.0.2840.68 from link

Output:

  • ab_addr: 0x477081b31123000
  • func_addr: 0x477081b31123000
  • 0x0
  • After multiple repeated runs, ab_addr is always equal to func_addr, and the first 4 bytes of ab_addr remain unchanged without reinstalling chrome, while only the last 4 bytes change.
  • The memory data at the position 0x477081b31123000 - 1 is not the data of an ArrayBuffer.
  • The final output shellcode_addr is always 0x0.

The attached compressed file contains some detailed information from my test (including the specific versions of Chrome/Chromium used, download links, OS versions, etc.)

https://drive.google.com/file/d/1NuNADuXq0Pckfi15tYNEQByjszZrVi-T/view

I tried searching Google with the following queries:

  • "v8" "Android" "exploit" OR "reproduce"
  • "v8" "Android" "exp" OR "rep"
  • Android v8 漏洞 复现
  • "Android" "v8" "address leak" mitigation OR protection

I found the following link. Its title is "Android Platform V8 Engine 'Issue 1793' Arbitrary Code Execution".

https://zhuanlan.zhihu.com/p/683584022

I tested this vulnerability. There were no surprises. The result was the same as the previous five vulnerabilities. Android failed to even correctly disclose the address. Windows and Debian, however, were able to do so.

However, neither the Google search results nor the text itself mentioned any protective measures related to the Android-specific "address leakage".

Is it true that Android does not have any protection code against Chrome/Chromium v8 address leakage?

So, what exactly is preventing the correct disclosure of the address information?

  • 1
    This is most likely due to the fact that exploits are very (very) context sensitive. Exploits are hard to reproduce on a different OS using a different architecture. For example, the JIT surely produces different instruction sequences, the heap layout is definitely different, Android uses bionic instead of glibc or the MS CRT, and chrome may have been compiled differently. You need to understand the exploit fully and single step the exploitation, seeing why and where an assumption is violated. Commented Aug 7 at 13:06
  • Does your device support memory tagging? Commented Aug 7 at 14:54
  • @SirMuffington The Android 7 version I used for the test does not support memory tagging. Commented Aug 8 at 2:44
  • Sorry, I forgot to provide the link to the compressed file that includes the process and results of the test. It has now been revised. Commented Aug 8 at 2:44
  • @MargaretBloom My tests are mostly conducted on x86_64. And as far as I know, the exploitation of these address leaks is cross-platform. Regarding examples of exploiting the v8 vulnerability on Android, I only found one result on Google search. After my examination, I did not find any information indicating that Android's address leakage vulnerability is different from that of other platforms. Commented Aug 8 at 2:57
