
王楠与肖正航与郭学浩与戴秦润_超级帽子戏法四次利用Chrome和Firefox.pdf (Nan Wang, Zhenghang Xiao, Xuehao Guo and Qinrun Dai: Super Hat Trick: Exploit Chrome and Firefox Four Times)

Uploaded by: 张** | Document no.: 175479 | 2024-09-13 | 64 pages | 5.19 MB

#BHUSA BlackHatEvents

Super Hat Trick: Exploit Chrome and Firefox Four Times
Nan Wang, Zhenghang Xiao

About us

Nan Wang (eternalsakura13)
- Security researcher at 360 Vulnerability Research Institute
- Focusing on hunting Chrome vulnerabilities
- Chrome VRP top 10 researcher in 2021/2022/2023
- Facebook Top 2 whitehat hacker in 2023
- Speaker at BlackHat USA 2023 / BlackHat Asia 2023

Zhenghang Xiao (Kipreyyy)
- Individual security researcher
- First-year Master's candidate at NISL Lab, Tsinghua University
- Focusing on browser security and fuzzing
- Chrome VRP top researcher (#3) in 2023
- Credited by Facebook, Google, etc.
- Speaker at BlackHat USA 2023

About us: 360 Vulnerability Research Institute
- Accumulated more than 3,000 CVEs
- Won the highest bug bounty in history from Microsoft, Google and Apple
- Successful pwner of several Pwn2Own and Tianfu Cup events
- https:/

Agenda
1. Callback issue in runtime support
2. Incorrect Assumption on JS Map
3. Initialization Flaw in WebAssembly Instances
4. Integer Overflow in WebAssembly JIT

Callback issue in runtime support
https:/

Background
The JavaScript Set was introduced to the language in the ES2015 spec.
Incomplete functionality (add/clear/delete/has).
How to operate on or compare more than one set before? Write your own functions.

Background
How to operate on or compare more than one set now?
Write your own functions: obsoleted.
New Proposal! Stag

This document presents four exploitation techniques for Chrome and Firefox, proposed by researchers Nan Wang and Zhenghang Xiao of the 360 Vulnerability Research Institute. 1. Callback issue in runtime support: by manipulating the callback functions of a JavaScript Set, a memory leak can be triggered, leading to arbitrary code execution. 2. Incorrect Assumption on JS Map: by abusing the V8 engine's stable-map dependency, a type confusion can be achieved, leading to arbitrary code execution. 3. Initialization Flaw in WebAssembly Instances: because type definitions are not correctly initialized during WebAssembly instantiation, arbitrary read/write can be achieved. 4. Integer Overflow in WebAssembly JIT: by exploiting a flaw in the integer overflow checks of WebAssembly JIT optimization, arbitrary code execution can be achieved. These techniques highlight important problems in browser security and come with corresponding remediation recommendations.
Questions addressed: How is the callback issue exploited to attack Chrome and Firefox four times? How do stable-map dependencies work during optimization/deoptimization? How does the flaw in WebAssembly instance initialization yield arbitrary read/write?