Exploring a Chrome Browser Vulnerability
In January 2021, a new version of the Chrome browser was released. It fixed 16 vulnerabilities, one of which we will analyze today in order to understand how such bugs arise and how an attacker could exploit them against a machine that has been left without updates.
The version of Chrome we are talking about is 87.0.4280.141, and the patched vulnerability we are interested in is CVE-2021-21112. It affects the Compression Streams component of the Blink browser engine and is a use-after-free bug. It was reported by researcher YoungJoo Lee (@ashuu_lee) of Raon Whitehat in November 2020 via bugs.chromium.org, report number 1151298.
What is Blink?
Blink is the browser engine that powers Chrome. It is responsible for rendering web pages and providing web developers with useful features. Compression streams are ordinary web streams whose data is compressed as it passes through, so that web developers do not have to do the compression themselves. To spare developers from pulling a dependency such as zlib into their projects, the creators of Chrome decided to build the gzip and deflate compression formats into the Blink engine.
In fact, this is a convenient wrapper: a transform stream that applies a standard data transformation (either gzip or deflate) to what flows through it. A transform stream is an object containing two streams, a readable one and a writable one, with a transformer between them that applies the given algorithm to the data passing from one to the other.
Setting Up the Test Bench
To reproduce the vulnerability, you will need a test bench consisting of a virtual machine and a vulnerable version of Chrome. The finished virtual machine can be downloaded from osboxes.org. The site provides virtual machine images for both VirtualBox and VMware.
I will be using the Xubuntu 20 image for VirtualBox, but the reader is free to choose any distribution. Once the machine has booted, let's update it:
sudo apt update && sudo apt upgrade -y
Now we need a vulnerable version of the browser.
A vulnerable version of Chrome compiled with ASan (AddressSanitizer) can be downloaded from googleapis.com. The vulnerability report indicates the name of the required build, namely the asan-linux-release-812852 build. Unpack the archive:
unzip asan-linux-release-812852.zip
A ready-made build will save a lot of time, since building the browser from source takes a long time, especially on a machine that is not very powerful.
AddressSanitizer is a memory error detector. It provides compile-time instrumentation and a runtime library. You can read more about it on the Clang website.
We now have a virtual machine ready and the necessary Chrome build downloaded. In addition, we will need Python 3 and LLVM. An ASan log is usually hard to read on its own, because it lists only addresses and module offsets. The llvm-symbolizer utility, which is installed as part of LLVM, helps make sense of it: it takes those addresses and prints the function names, source files and line numbers that led to the error.
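As an added illustration (not code from the original article), the Python 3 script below shows what llvm-symbolizer needs from an ASan log: it pulls the error kind and the raw `module+offset` frames out of the report and turns them into the `binary address` lines the tool reads on stdin. The log text embedded in it is constructed for the example and is not the real report for this bug; the module paths are made up.

```python
"""Turn an unsymbolized ASan stack trace into llvm-symbolizer input."""
import re
import subprocess

# Header line: "==PID==ERROR: AddressSanitizer: <kind> on address <addr> at pc ..."
ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)"
)
# Unsymbolized frame: "    #3 0x55d1c2f0a1b2  (/opt/chrome/chrome+0x1f0a1b2)"
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) (?P<pc>0x[0-9a-f]+)\s+\((?P<module>[^+)]+)\+(?P<off>0x[0-9a-f]+)\)"
)

# Constructed sample report; the addresses, offsets and paths are invented.
SAMPLE_LOG = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000a1b40 at pc 0x55d1c2f0a1b2 bp 0x7ffd1c3e5a40 sp 0x7ffd1c3e5a38
READ of size 8 at 0x6060000a1b40 thread T0
    #0 0x55d1c2f0a1b2  (/opt/chrome/chrome+0x1f0a1b2)
    #1 0x55d1c2e83f77  (/opt/chrome/chrome+0x1e83f77)
    #2 0x7f3c1a2b4d0a  (/lib/x86_64-linux-gnu/libc.so.6+0x27d0a)
"""


def parse_asan_report(text):
    """Return (error_kind, faulting_address, frames); frames is a list of
    (frame_no, module_path, module_offset) tuples in call-stack order."""
    kind = addr = None
    frames = []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            kind, addr = m.group("kind"), m.group("addr")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group("n")), m.group("module"), m.group("off")))
    return kind, addr, frames


def symbolizer_input(frames):
    """llvm-symbolizer reads one '<binary> <address>' pair per stdin line,
    where the address is the offset inside that binary (what ASan prints after '+')."""
    return "\n".join(f"{module} {off}" for _, module, off in frames) + "\n"


def symbolize(frames, tool="llvm-symbolizer"):
    """Run llvm-symbolizer over the frames and return its raw output.
    Needs LLVM installed and real binaries on disk, so use it on a real log."""
    proc = subprocess.run([tool], input=symbolizer_input(frames),
                          capture_output=True, text=True, check=True)
    return proc.stdout
```

Running `parse_asan_report` on a real report and piping `symbolizer_input(frames)` into `llvm-symbolizer` yields, for each frame, the function name followed by `file:line:column`.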