Description
slides
whitepaper
blackhat.com/us-24/briefings/schedule/#super-hat-trick-exploit-chrome-and-firefox-four-times-40037

With updates to the JS standard and requirements for higher runtime efficiency, Google's JS engine V8 has implemented newer features such as built-in functions like JSSet.Union and the Turboshaft mid-tier compiler. Firefox's JS engine SpiderMonkey has also implemented the WebAssembly Garbage Collection specification and the corresponding JIT optimization code.
Our research focuses on the runtime and JIT parts of the V8 engine. Through in-depth exploration of the new JSSet built-in function implementation and of Turboshaft, we disclosed two stable and reliable RCE vulnerabilities. In our investigation of SpiderMonkey's wasm GC implementation, we discovered another two RCE vulnerabilities, four in total.
In this talk, we will summarize our methodology and illustrate it with the four RCE vulnerabilities we discovered. We will introduce the mechanisms behind each new attack surface and describe the root cause of each vulnerability. From this analysis, we aim to outline four classic vulnerability patterns that exist in JS engines, helping the open-source community identify such issues earlier.
Finally, we will review the exploitation techniques for these vulnerabilities and the strategies that make exploitation stable, with the aim of strengthening the defense in depth of both Google's and Mozilla's engines. The talk will conclude with a demonstration of the RCE vulnerabilities.