
New Video from @BlackHatOfficialYT Highlights Browser Vulnerabilities
In this video, Jan, a master's student at the University of Chinei, and his partner McK Saka, a security researcher at the 360 Research Institute, present a series of vulnerabilities they discovered in the Chrome and Firefox browsers. Their work centers on hunting for browser vulnerabilities, particularly in Chrome, and they are active contributors to the Chrome and Facebook vulnerability reward programs.

The first part of the presentation covers a hidden vulnerability in the logic backing a new JavaScript proposal, identified just before the feature shipped in the release version of Chrome. The bug, which earned a $116,000 reward, allows remote code execution through type confusion. Jan and McK Saka explain that it stems from a TC39 proposal adding useful methods such as union and intersection for Set objects; the implementation of this feature in Chrome's V8 engine introduces a type confusion vulnerability. They demonstrate how it can be exploited by creating fake objects to read from and write to arbitrary addresses in the V8 heap, which in turn enables remote code execution.

The second part addresses a vulnerability caused by a type assumption in code optimization. They explain the concept of a "stable map dependency", a type check performed before a function is optimized. This check can be bypassed by changing the types of primitives without triggering an optimization bailout, leading to type confusion. They show how the bug can be exploited to read arbitrary addresses in the V8 heap, leaking sensitive information.

The third part focuses on a Firefox vulnerability in the implementation of WebAssembly garbage collection. It allows controllable out-of-bounds reads and writes, which can be exploited to achieve remote code execution. They explain how improper initialization of array types in WebAssembly allows arrays with controllable sizes to be created, which are then used for the out-of-bounds reads and writes.

Finally, they demonstrate two remote code execution exploits, one in Chrome and one in Firefox, by running proof-of-concepts that launch calculators, proving that the discovered vulnerabilities are exploitable. This video provides a fascinating insight into modern browser vulnerabilities and the advanced techniques used to exploit them, and the information presented can be applied in real-world security scenarios to identify and fix vulnerabilities before malicious actors exploit them.