CVE-2016-9651
Published 2019-01-09
Priority: P2 · 62 · high · CVSS 3.0: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available · EPSS: 11.18% (95.4th percentile)
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| google | chrome | < 55.0.2883.75 | 55.0.2883.75 |
| google | chrome | < 55.0.2883.75 (lower bound unspecified) | 55.0.2883.75 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
bytes: 0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46
- Exploit uses a Web Worker spawned from a Blob URL (URL.createObjectURL with an application/javascript Blob) to run the exploit payload in a worker thread, repeatedly retrying on failure. Detect creation of Blob-based Worker URLs containing exploit code patterns.
- Exploit abuses V8 private property access to achieve out-of-bounds read/write via a crafted HTML page. Look for JavaScript that manipulates TypedArray (Uint32Array, Float64Array) buffers with very large lengths (e.g., 0xfffffffc) to achieve memory corruption.
- Exploit targets Google Chrome on Android (chrome.apk) and attempts to install a malicious APK via an Android intent URI. Monitor for Android intent:// scheme navigations from browser contexts.
- Exploit attributed to 360 Alpha Team, originally demonstrated at Pwnfest 2016. Source code hosted at https://github.com/secmob/pwnfest2016/
- Vulnerability affects Google Chrome versions prior to 55.0.2883.75 only. Systems running Chrome 55.0.2883.75 or later are not affected.
- The exploit achieves code execution inside the Chrome sandbox only; a separate sandbox escape would be required for full system compromise.
- The exploit uses a brute-force heap feng-shui loop with retry logic (up to 150 iterations) and may hang; a watchdog timer terminates and restarts the worker thread every 10 seconds if no progress is detected.
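The IOC bullets above describe two things a responder can act on: a version boundary (fixed in 55.0.2883.75) and a set of static patterns in the dropper (a Worker spawned from an application/javascript Blob URL, TypedArray allocations with implausibly large lengths, and an intent:// navigation). The block below is an added example, not code from this page, from 360 Alpha Team's exploit, or from Chromium; it implements a dotted-version comparison against the fixed build and a regex-based indicator scan over constructed sample script text. The indicator names, the 0x80000000 length threshold, and both sample scripts are assumptions made for illustration.

```javascript
// Added example (not from the page or from any referenced project): two checks
// derived from the IOC bullets for CVE-2016-9651.
//  1. a dotted-version comparison against the fixed build 55.0.2883.75
//  2. a static scan of a script body for the dropper's indicator patterns
// Indicator names, the length threshold and the sample scripts are constructed.

const FIXED_VERSION = '55.0.2883.75';

// Compare dotted version strings numerically, component by component.
// Returns -1, 0 or 1 like a comparator; missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given Chrome build predates the fix for CVE-2016-9651.
function isAffectedChromeVersion(version) {
  if (!/^\d+(\.\d+)*$/.test(version)) throw new Error(`bad version: ${version}`);
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Extract the Chrome version from a User-Agent header, or null if absent.
function chromeVersionFromUA(ua) {
  const m = /\bChrome\/(\d+(?:\.\d+)*)/.exec(ua);
  return m ? m[1] : null;
}

// One indicator per IOC bullet. Each test runs over the raw script text; the
// TypedArray check parses the numeric literal so small allocations don't fire.
const INDICATORS = [
  {
    name: 'blob-url-worker',
    test: (src) =>
      /new\s+Blob\s*\(/.test(src) &&
      /application\/javascript/.test(src) &&
      /URL\.createObjectURL\s*\(/.test(src) &&
      /new\s+Worker\s*\(/.test(src),
  },
  {
    name: 'oversized-typedarray',
    test: (src) => {
      // e.g. new Uint32Array(0xfffffffc) or new Float64Array(4294967292)
      const re = /new\s+(?:Uint32Array|Float64Array|Uint8Array|Float32Array)\s*\(\s*(0x[0-9a-fA-F]+|\d+)\s*\)/g;
      let m;
      while ((m = re.exec(src)) !== null) {
        if (Number(m[1]) >= 0x80000000) return true; // assumed threshold: 2^31 elements
      }
      return false;
    },
  },
  {
    name: 'android-intent-uri',
    test: (src) => /intent:\/\/[^\s'"]+#Intent;/.test(src),
  },
];

// Returns the names of the indicators present in a script body.
function scanScriptForIndicators(src) {
  return INDICATORS.filter((ind) => ind.test(src)).map((ind) => ind.name);
}

// Constructed sample with the shape of a dropper matching all three
// indicators. It is not the exploit and performs no memory corruption.
const SAMPLE_SUSPICIOUS = `
  var code = "self.onmessage = function(e){ var a = new Uint32Array(0xfffffffc); }";
  var blob = new Blob([code], { type: 'application/javascript' });
  var w = new Worker(URL.createObjectURL(blob));
  location.href = 'intent://example#Intent;scheme=https;package=com.example;end';
`;

// Constructed benign sample: a Worker from a normal URL and a small TypedArray.
const SAMPLE_BENIGN = `
  var w = new Worker('/static/worker.js');
  var buf = new Uint32Array(1024);
`;

function demo() {
  const ua = 'Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.85 Mobile Safari/537.36';
  return {
    suspicious: scanScriptForIndicators(SAMPLE_SUSPICIOUS),
    benign: scanScriptForIndicators(SAMPLE_BENIGN),
    uaAffected: isAffectedChromeVersion(chromeVersionFromUA(ua)),
  };
}

console.log(demo());
```

The scanner is a triage aid, not a signature: the Blob-Worker pattern alone is common in legitimate bundlers, so alert only when it co-occurs with the oversized allocation or the intent:// navigation, and confirm the browser build against the version check before treating a hit as a CVE-2016-9651 attempt.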
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
Ubuntu
Oxide vulnerabilities (CVE-2016-5204 [MEDIUM])
vendor_ubuntu · 2016-12-09 · CVSS 6.1
Summary: Several security issues were fixed in Oxide.
Multiple vulnerabilities were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
read uninitialized memory, obtain sensitive information, spoof the
webview URL, bypass same origin restrictions, cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-5204,
CVE-2016-5205, CVE-2016-5207, CVE-2016-5208, CVE-2016-5209, CVE-2016-5212,
CVE-2016-5215, CVE-2016-5222, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226,
CVE-2016-9650, CVE-2016-9652)
Multiple vulnerabilities were discovered in V8. If a user were tricked into
opening a specially crafted website, an a
Red Hat
chromium-browser: private property access in v8 (CVE-2016-9651 [HIGH])
vendor_redhat · 2016-12-01 · CVSS 8.8
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
GHSA
GHSA-wp7w-fjvj-wrv2 (CVE-2016-9651 [HIGH], CWE-94)
ghsa_unreviewed · 2022-05-14
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
OSV
oxide-qt vulnerabilities (CVE-2016-5204 [MEDIUM])
osv · 2016-12-09 · CVSS 6.1
Multiple vulnerabilities were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
read uninitialized memory, obtain sensitive information, spoof the
webview URL, bypass same origin restrictions, cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-5204,
CVE-2016-5205, CVE-2016-5207, CVE-2016-5208, CVE-2016-5209, CVE-2016-5212,
CVE-2016-5215, CVE-2016-5222, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226,
CVE-2016-9650, CVE-2016-9652)
Multiple vulnerabilities were discovered in V8. If a user were tricked into
opening a specially crafted website, an attacker could potentially
exploit these to obtain sensitive
OSV
CVE-2016-9651 [HIGH]
osv · 2016-12-06 · CVSS 8.8
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
No detection rules found.
Bugzilla
chromium: various flaws [fedora-all] ([HIGH])
bugzilla · 2016-12-02 · CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has b
Bugzilla
CVE-2016-9651 chromium-browser: private property access in v8 ([HIGH])
bugzilla · 2016-12-02 · CVSS 8.8
A private property access flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=664411
External References:
https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: fedora-all [bug 1400883]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2016:2919 https://rhn.redhat.com/errata/RHSA-2016-2919.html
References
- http://rhn.redhat.com/errata/RHSA-2016-2919.html
- http://www.securityfocus.com/bid/94633
- https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop.html
- https://crbug.com/664411
- https://security.gentoo.org/glsa/201612-11
- https://www.exploit-db.com/exploits/42175/