CVE-2018-17463
published 2018-11-14


Priority: P1 (90, high)
CVSS 3.1: 8.8 high (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Badges: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 83.90% (99.7th percentile)
Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Affected

6 ranges

Vendor   Product                       Version range                    Fixed in
debian   debian_linux                  (not specified)                  -
google   chrome                        < 70.0.3538.67                   70.0.3538.67
google   chrome                        >= unspecified, < 70.0.3538.64   70.0.3538.64
redhat   enterprise_linux_desktop      (not specified)                  -
redhat   enterprise_linux_server       (not specified)                  -
redhat   enterprise_linux_workstation  (not specified)                  -

Detection & IOCs (extracted from sources)

Source: https://bugs.chromium.org/p/chromium/issues/detail?id=888923
  • The exploit triggers a type confusion between a PropertyArray and a NameDictionary via Object.create in V8's optimizing JIT compiler. Object.create was annotated as having no side effects, but it can change the map of the object passed as the prototype (converting it to dictionary mode, so its properties now live in a NameDictionary); optimized code that still trusted the old map then accessed that NameDictionary as if it were a PropertyArray. Monitor for JavaScript that calls Object.create in a tight loop (the exploit's loop bound is MAX_ITERATIONS = 100000) combined with property access patterns indicative of JIT abuse. This is only observable where script content can be inspected; minified or obfuscated pages will not expose these identifiers.
  • The exploit payload executes within a read-write-execute (rwx) memory region of the sandboxed renderer process, whether or not a sandbox escape follows. rwx mappings in a Chrome renderer process are a strong host-side indicator and are cheap to check with an endpoint agent or memory scanner.
  • The Metasploit module serves the exploit as an HTML page with embedded JavaScript. The HTTP response carries 'Cache-Control: no-cache, no-store, must-revalidate', 'Pragma: no-cache' and 'Expires: 0'. These are standard no-caching headers that many legitimate sites also send, so they are a weak signal on their own; treat a text/html response carrying all three from a suspicious or unknown host as exploit delivery only in combination with other indicators.
  • The exploit uses a /print endpoint (HTTP POST with body content) for debug output during exploitation. POST requests from a browser process to a /print URI path may indicate active exploitation, but only when the operator left debug mode enabled; a run without debug output produces no such requests.
  • The exploit module targets Chrome 67, 68 and 69 (all prior to the fixed 70.0.3538.64); the CVE range itself covers every earlier version. User-Agent strings reporting these versions against suspicious URLs can be flagged, with the caveat that a User-Agent is trivially spoofed and shows exposure, not exploitation.
  • When combined with CVE-2019-1458 for sandbox escape (Metasploit target 1), the exploit can only be triggered once and may cause a BSOD or system restart on vulnerable Windows 7 systems. Unexpected restarts or BSODs on Windows 7 following browser activity may indicate exploitation.
  • Without the --no-sandbox flag (Metasploit target 0), the exploit payload executes only within the sandboxed renderer process and cannot affect the host system. Full code execution on the host requires either --no-sandbox or a separate sandbox escape (CVE-2019-1458).
  • The sandbox escape via CVE-2019-1458 (Metasploit target 1) only works on vulnerable versions of Windows (e.g. Windows 7), and the exploit can only be triggered once per session.
  • The exploit module targets only x86-64 on Windows and macOS.
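The indicators above are individually weak (no-cache headers and old User-Agents are common) and only become useful when correlated per client and destination. The following is an added example, not code from this page or from the Metasploit module: it scores constructed JSON proxy log records against the listed indicators (Chrome build older than 70.0.3538.64, the three no-cache headers on a text/html response, a POST to /print) and reports client/host pairs whose combined distinct indicators cross a threshold. The log format, the field names, the indicator weights and the threshold are assumptions for this example.

```python
import json
import re
from collections import defaultdict

# First fixed Chrome build from the advisory text (70.0.3538.64).
FIXED_VERSION = (70, 0, 3538, 64)

# Response headers the Metasploit module sets on the exploit page (from the IOC list).
MSF_NOCACHE_HEADERS = {
    "cache-control": "no-cache, no-store, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
}

# Indicator weights are an assumption for this example, not values from the advisory:
# version and header matches are weak alone; the /print debug POST is stronger.
WEIGHTS = {"chrome_pre_fix": 1, "msf_nocache_html": 1, "post_print_debug": 2}

_CHROME_UA = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chrome_version(user_agent):
    """Return the 4-tuple Chrome build reported by a User-Agent, or None if not Chrome."""
    m = _CHROME_UA.search(user_agent or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_chrome(user_agent):
    """True when the User-Agent reports a Chrome build older than the first fixed build."""
    v = chrome_version(user_agent)
    return v is not None and v < FIXED_VERSION


def indicators(rec):
    """Return the set of indicator names matched by one proxy log record (a dict)."""
    found = set()
    headers = {k.lower(): v.lower() for k, v in (rec.get("resp_headers") or {}).items()}
    if is_vulnerable_chrome(rec.get("user_agent")):
        found.add("chrome_pre_fix")
    if headers.get("content-type", "").startswith("text/html") and all(
        headers.get(k) == v for k, v in MSF_NOCACHE_HEADERS.items()
    ):
        found.add("msf_nocache_html")
    path = rec.get("uri", "").split("?", 1)[0]  # ignore any query string
    if rec.get("method", "").upper() == "POST" and path == "/print":
        found.add("post_print_debug")
    return found


def find_suspicious_hosts(lines, threshold=3):
    """Union indicators per (client, host) over JSON log lines; return pairs at or over threshold."""
    seen = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        seen[(rec.get("client"), rec.get("host"))] |= indicators(rec)
    results = {}
    for key, names in seen.items():
        score = sum(WEIGHTS[n] for n in names)
        if score >= threshold:
            results[key] = {"score": score, "indicators": sorted(names)}
    return results


# Constructed sample log (assumed JSON-lines proxy format); hosts are documentation addresses.
UA_OLD = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36")
UA_NEW = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36")
UA_FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
_NOCACHE_HTML = {"Content-Type": "text/html", "Cache-Control": "no-cache, no-store, must-revalidate",
                 "Pragma": "no-cache", "Expires": "0"}
SAMPLE_LOG = [json.dumps(r) for r in [
    {"client": "10.0.0.5", "host": "198.51.100.7", "method": "GET", "uri": "/",
     "user_agent": UA_OLD, "resp_headers": _NOCACHE_HTML},
    {"client": "10.0.0.5", "host": "198.51.100.7", "method": "POST", "uri": "/print",
     "user_agent": UA_OLD, "resp_headers": {"Content-Type": "text/html"}},
    {"client": "10.0.0.6", "host": "www.example.com", "method": "GET", "uri": "/login",
     "user_agent": UA_NEW, "resp_headers": _NOCACHE_HTML},  # patched browser, legit no-cache page
    {"client": "10.0.0.7", "host": "www.example.com", "method": "POST", "uri": "/print",
     "user_agent": UA_FF, "resp_headers": {"Content-Type": "application/json"}},  # unrelated /print
]]

if __name__ == "__main__":
    for (client, host), hit in find_suspicious_hosts(SAMPLE_LOG).items():
        print(f"{client} -> {host}: score {hit['score']} {hit['indicators']}")
```

Only the client that both loaded a no-cache HTML page with a pre-fix Chrome and then POSTed to /print on the same host crosses the threshold; the patched browser hitting a legitimate no-cache page and the Firefox POST to an unrelated /print do not. Note that the version check uses 70.0.3538.64 from the advisory text, while one of the affected ranges above lists 70.0.3538.67 as the fixed build; pick the bound that matches your patch baseline.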

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
osv            -        8.8    HIGH      -
vulncheck      -        8.8    HIGH      -
cisa           -        8.8    HIGH      -
vendor_redhat  -        8.8    HIGH      -