CVE-2018-17463
Attack vector | NETWORK
Attack complexity | LOW
Privileges required | NONE
Confidentiality impact | HIGH
Integrity impact | HIGH
Availability impact | HIGH
Summary
Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Exploit-Db
id | EDB-ID:48184
last seen | 2020-03-09
modified | 2020-03-09
published | 2020-03-09
reporter | Exploit-DB
source | https://www.exploit-db.com/download/48184
title | Google Chrome 67, 68 and 69 - Object.create Type Confusion (Metasploit)
Metasploit
description | This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.
id | MSF:EXPLOIT/MULTI/BROWSER/CHROME_OBJECT_CREATE
last seen | 2020-06-12
modified | 2020-02-14
published | 2019-09-30
reporter | Rapid7
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/browser/chrome_object_create.rb
title | Google Chrome 67, 68 and 69 Object.create exploit
Nessus
NASL family | SuSE Local Security Checks
NASL id | OPENSUSE-2018-1253.NASL
description | This update for Chromium to version 70.0.3538.67 fixes multiple issues. Security issues fixed (bsc#1112111):
- CVE-2018-17462: Sandbox escape in AppCache
- CVE-2018-17463: Remote code execution in V8
- Heap buffer overflow in Little CMS in PDFium
- CVE-2018-17464: URL spoof in Omnibox
- CVE-2018-17465: Use after free in V8
- CVE-2018-17466: Memory corruption in Angle
- CVE-2018-17467: URL spoof in Omnibox
- CVE-2018-17468: Cross-origin URL disclosure in Blink
- CVE-2018-17469: Heap buffer overflow in PDFium
- CVE-2018-17470: Memory corruption in GPU Internals
- CVE-2018-17471: Security UI occlusion in full screen mode
- CVE-2018-17473: URL spoof in Omnibox
- CVE-2018-17474: Use after free in Blink
- CVE-2018-17475: URL spoof in Omnibox
- CVE-2018-17476: Security UI occlusion in full screen mode
- CVE-2018-5179: Lack of limits on update() in ServiceWorker
- CVE-2018-17477: UI spoof in Extensions
VAAPI hardware accelerated rendering is now enabled by default. This update contains the following packaging changes:
- Use the system libusb-1.0 library
- Use bundled harfbuzz library
- Disable gnome-keyring to avoid crashes
last seen | 2020-06-05
modified | 2018-10-25
plugin id | 118386
published | 2018-10-25
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/118386
title | openSUSE Security Update : Chromium (openSUSE-2018-1253)

NASL family | MacOS X Local Security Checks
NASL id | MACOSX_GOOGLE_CHROME_70_0_3538_67.NASL
description | The version of Google Chrome installed on the remote macOS host is prior to 70.0.3538.67. It is, therefore, affected by multiple vulnerabilities as noted in Google Chrome stable channel update release notes for 2018/10/16. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 118152
published | 2018-10-16
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/118152
title | Google Chrome < 70.0.3538.67 Multiple Vulnerabilities

NASL family | Debian Local Security Checks
NASL id | DEBIAN_DSA-4330.NASL
description | Several vulnerabilities have been discovered in the chromium web browser.
- CVE-2018-5179: Yannic Boneberger discovered an error in the ServiceWorker implementation.
- CVE-2018-17462: Ned Williamson and Niklas Baumstark discovered a way to escape the sandbox.
- CVE-2018-17463: Ned Williamson and Niklas Baumstark discovered a remote code execution issue in the v8 JavaScript library.
- CVE-2018-17464: xisigr discovered a URL spoofing issue.
- CVE-2018-17465: Lin Zuojian discovered a use-after-free issue in the v8 JavaScript library.
- CVE-2018-17466: Omair discovered a memory corruption issue in the angle library.
- CVE-2018-17467: Khalil Zhani discovered a URL spoofing issue.
- CVE-2018-17468: Jams Lee discovered an information disclosure issue.
- CVE-2018-17469: Zhen Zhou discovered a buffer overflow issue in the pdfium library.
- CVE-2018-17470: Zhe Jin discovered a memory corruption issue in the GPU backend implementation.
- CVE-2018-17471: Lnyas Zhang discovered an issue with the full screen user interface.
- CVE-2018-17473: Khalil Zhani discovered a URL spoofing issue.
- CVE-2018-17474: Zhe Jin discovered a use-after-free issue.
- CVE-2018-17475: Vladimir Metnew discovered a URL spoofing issue.
- CVE-2018-17476: Khalil Zhani discovered an issue with the full screen user interface.
- CVE-2018-17477: Aaron Muir Hamilton discovered a user interface spoofing issue in the extensions pane.
This update also fixes a buffer overflow in the embedded lcms library included with chromium.
last seen | 2020-03-17
modified | 2018-11-05
plugin id | 118719
published | 2018-11-05
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/118719
title | Debian DSA-4330-1 : chromium-browser - security update

NASL family | Gentoo Local Security Checks
NASL id | GENTOO_GLSA-201811-10.NASL
description | The remote host is affected by the vulnerability described in GLSA-201811-10 (Chromium: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the referenced CVE identifiers and Google Chrome Releases for details. Impact: A remote attacker could execute arbitrary code, escalate privileges, cause a heap buffer overflow, obtain sensitive information, or spoof a URL. Workaround: There is no known workaround at this time.
last seen | 2020-03-18
modified | 2018-11-26
plugin id | 119130
published | 2018-11-26
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/119130
title | GLSA-201811-10 : Chromium: Multiple vulnerabilities

NASL family | Red Hat Local Security Checks
NASL id | REDHAT-RHSA-2018-3004.NASL
description | An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Chromium is an open source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 70.0.3538.67. Security Fix(es):
* chromium-browser: Sandbox escape in AppCache (CVE-2018-17462)
* chromium-browser: Remote code execution in V8 (CVE-2018-17463)
* chromium-browser: URL spoof in Omnibox (CVE-2018-17464)
* chromium-browser: Use after free in V8 (CVE-2018-17465)
* chromium-browser: Memory corruption in Angle (CVE-2018-17466)
* lcms2: Integer overflow in AllocateDataSet() in cmscgats.c leading to heap-based buffer overflow (CVE-2018-16435)
* chromium-browser: URL spoof in Omnibox (CVE-2018-17467)
* chromium-browser: Cross-origin URL disclosure in Blink (CVE-2018-17468)
* chromium-browser: Heap buffer overflow in PDFium (CVE-2018-17469)
* chromium-browser: Memory corruption in GPU Internals (CVE-2018-17470)
* chromium-browser: Security UI occlusion in full screen mode (CVE-2018-17471)
* chromium-browser: URL spoof in Omnibox (CVE-2018-17473)
* chromium-browser: Use after free in Blink (CVE-2018-17474)
* chromium-browser: Lack of limits on update() in ServiceWorker (CVE-2018-5179)
* chromium-browser: URL spoof in Omnibox (CVE-2018-17475)
* chromium-browser: Security UI occlusion in full screen mode (CVE-2018-17476)
* chromium-browser: UI spoof in Extensions (CVE-2018-17477)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
last seen | 2020-05-31
modified | 2018-10-25
plugin id | 118373
published | 2018-10-25
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/118373
title | RHEL 6 : chromium-browser (RHSA-2018:3004)

NASL family | Windows
NASL id | GOOGLE_CHROME_70_0_3538_67.NASL
description | The version of Google Chrome installed on the remote Windows host is prior to 70.0.3538.67. It is, therefore, affected by multiple vulnerabilities as noted in Google Chrome stable channel update release notes for 2018/10/16. Please refer to the release notes for additional information. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 118153
published | 2018-10-16
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/118153
title | Google Chrome < 70.0.3538.67 Multiple Vulnerabilities

NASL family | Fedora Local Security Checks
NASL id | FEDORA_2018-FD194A1F14.NASL
description | Security fix for CVE-2018-17478 CVE-2018-17479. Update to 70.0.3538.110. ---- Update to chromium 70.0.3538.77. Fixes CVE-2018-16435 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473 CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-5179 CVE-2018-17477. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen | 2020-06-05
modified | 2019-01-03
plugin id | 120933
published | 2019-01-03
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/120933
title | Fedora 28 : chromium (2018-fd194a1f14)

NASL family | Fedora Local Security Checks
NASL id | FEDORA_2018-34F7F68029.NASL
description | Update to chromium 70.0.3538.77. Fixes CVE-2018-16435 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473 CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-5179 CVE-2018-17477. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen | 2020-06-05
modified | 2019-01-03
plugin id | 120342
published | 2019-01-03
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/120342
title | Fedora 29 : chromium (2018-34f7f68029)

NASL family | SuSE Local Security Checks
NASL id | OPENSUSE-2018-1208.NASL
description | This update for Chromium to version 70.0.3538.67 fixes multiple issues. Security issues fixed (bsc#1112111):
- CVE-2018-17462: Sandbox escape in AppCache
- CVE-2018-17463: Remote code execution in V8
- Heap buffer overflow in Little CMS in PDFium
- CVE-2018-17464: URL spoof in Omnibox
- CVE-2018-17465: Use after free in V8
- CVE-2018-17466: Memory corruption in Angle
- CVE-2018-17467: URL spoof in Omnibox
- CVE-2018-17468: Cross-origin URL disclosure in Blink
- CVE-2018-17469: Heap buffer overflow in PDFium
- CVE-2018-17470: Memory corruption in GPU Internals
- CVE-2018-17471: Security UI occlusion in full screen mode
- CVE-2018-17473: URL spoof in Omnibox
- CVE-2018-17474: Use after free in Blink
- CVE-2018-17475: URL spoof in Omnibox
- CVE-2018-17476: Security UI occlusion in full screen mode
- CVE-2018-5179: Lack of limits on update() in ServiceWorker
- CVE-2018-17477: UI spoof in Extensions
VAAPI hardware accelerated rendering is now enabled by default. This update contains the following packaging changes:
- Use the system libusb-1.0 library
- Use bundled harfbuzz library
- Disable gnome-keyring to avoid crashes
last seen | 2020-06-05
modified | 2018-10-23
plugin id | 118317
published | 2018-10-23
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/118317
title | openSUSE Security Update : Chromium (openSUSE-2018-1208)

NASL family | SuSE Local Security Checks
NASL id | OPENSUSE-2019-712.NASL
description | This update for Chromium to version 70.0.3538.67 fixes multiple issues. Security issues fixed (bsc#1112111):
- CVE-2018-17462: Sandbox escape in AppCache
- CVE-2018-17463: Remote code execution in V8
- Heap buffer overflow in Little CMS in PDFium
- CVE-2018-17464: URL spoof in Omnibox
- CVE-2018-17465: Use after free in V8
- CVE-2018-17466: Memory corruption in Angle
- CVE-2018-17467: URL spoof in Omnibox
- CVE-2018-17468: Cross-origin URL disclosure in Blink
- CVE-2018-17469: Heap buffer overflow in PDFium
- CVE-2018-17470: Memory corruption in GPU Internals
- CVE-2018-17471: Security UI occlusion in full screen mode
- CVE-2018-17473: URL spoof in Omnibox
- CVE-2018-17474: Use after free in Blink
- CVE-2018-17475: URL spoof in Omnibox
- CVE-2018-17476: Security UI occlusion in full screen mode
- CVE-2018-5179: Lack of limits on update() in ServiceWorker
- CVE-2018-17477: UI spoof in Extensions
VAAPI hardware accelerated rendering is now enabled by default. This update contains the following packaging changes:
- Use the system libusb-1.0 library
- Use bundled harfbuzz library
- Disable gnome-keyring to avoid crashes
last seen | 2020-05-31
modified | 2019-03-27
plugin id | 123310
published | 2019-03-27
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/123310
title | openSUSE Security Update : Chromium (openSUSE-2019-712)
Packetstorm
data source | https://packetstormsecurity.com/files/download/156640/chrome_object_create.rb.txt
id | PACKETSTORM:156640
last seen | 2020-03-06
published | 2020-03-05
reporter | saelo
source | https://packetstormsecurity.com/files/156640/Google-Chrome-67-68-69-Object.create-Type-Confusion.html
title | Google Chrome 67 / 68 / 69 Object.create Type Confusion
References
- https://crbug.com/888923
- https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
- https://www.debian.org/security/2018/dsa-4330
- https://access.redhat.com/errata/RHSA-2018:3004
- http://www.securityfocus.com/bid/105666
- https://security.gentoo.org/glsa/201811-10
- http://packetstormsecurity.com/files/156640/Google-Chrome-67-68-69-Object.create-Type-Confusion.html