tags: v8, type_confusion, chrome, sbx
original link: From object transition to RCE in the Chrome renderer
newsletter link: exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More
Exploits Club Summary:
Be honest with us… is the last @mmolgtm write-up still in your backlog? Before you could even find the time to read about his last v8 bug and exploit, he's already found and exploited another one. Makes you question your career path, doesn't it? Anyyyyways, you can wipe away those tears with this sweet type-confusion blog post. As usual with his posts, we start with an overview of object maps and map transitions in v8, so no major browser pre-reqs are required. After that, the post goes over the vulnerability, which results in a confusion between a fast map and a dictionary map, and discusses how that can be leveraged into arbitrary read/write within the v8 heap. Finally, the post rounds off with a V8 sandbox escape, courtesy of a type confusion in a Blink object reached via the arbitrary heap write. Don't worry, by the time you read this one he will have probably dropped a new GPU bug.