
A Deep Dive into V8 Sandbox Escape Technique Used in In-The-Wild Exploit

Submitted by
Style Pass
2024-11-13 00:30:07

We were analyzing an in-the-wild V8 vulnerability, CVE-2023-2033. Once we had exploited the bug, it was not difficult to obtain the typical exploit primitives such as addrof and read/write within the V8 heap. The problem is that these primitives are confined to the V8 sandbox, so we still needed to escape the sandbox in order to get code execution.

One day we happened to read a tweet from @zh1x1an1221. He had managed to pop a calculator by exploiting CVE-2023-3079, another in-the-wild vulnerability, which means that he had bypassed the sandbox. In the tweet, he mentioned a sandbox-related patch commit that he used to escape the sandbox. It appeared that the commit sandboxified a raw pointer in a WebAssembly object which had been abused to bypass the V8 sandbox. The commit was worth a closer look, since raw pointers in the V8 heap have always been a source of V8 sandbox escapes.

In this blog post, we will share the details of how we achieved arbitrary write and code execution primitives using a raw pointer in the WasmIndirectFunctionTable object. We will not cover CVE-2023-2033 itself, as there are already many detailed writeups about it. What follows is a brief analysis of the patches related to the sandbox bypass.
