CVE-2018-17463
Published: 2018-11-14
Priority: P1 (90) · Severity: high · CVSS 3.1: 8.8
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-06-22)
Exploited in the wild
EPSS: 83.90% (99.7th percentile)
Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| google | chrome | < 70.0.3538.67 | 70.0.3538.67 |
| google | chrome | >= unspecified, < 70.0.3538.64 | 70.0.3538.64 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
- The exploit triggers a type confusion between a PropertyArray and a NameDictionary via Object.create in Chrome's JIT compiler (V8). Monitor for JavaScript using Object.create in a tight loop (up to MAX_ITERATIONS = 100000) combined with property access patterns indicative of JIT abuse.
- The exploit payload is executed within the rwx (read-write-execute) memory region of the sandboxed renderer process. Detection of rwx memory regions in Chrome renderer processes may indicate exploitation.
- The Metasploit module serves the exploit as an HTML page with embedded JavaScript. The HTTP response includes specific cache-control headers: 'Cache-Control: no-cache, no-store, must-revalidate', 'Pragma: no-cache', 'Expires: 0'. These headers in combination with a Content-Type of text/html from a suspicious host may indicate exploit delivery.
- The exploit uses a /print endpoint (via HTTP POST with body content) for debug output during exploitation. Observing POST requests to a /print URI path from a browser process may indicate active exploitation with debug mode enabled.
- Affected Chrome versions are 67, 68, and 69 (prior to 70.0.3538.64). User-Agent strings containing these versions should be flagged when accessing suspicious URLs.
- When combined with CVE-2019-1458 for sandbox escape (target 1), the exploit can only be triggered once and may cause a BSOD or system restart on vulnerable Windows 7 systems. Unexpected system restarts or BSODs on Windows 7 following browser activity may indicate exploitation.
- Without the --no-sandbox flag (target 0), the exploit payload executes only within the sandboxed renderer process and cannot affect the host system. Full code execution on the host requires either --no-sandbox or a separate sandbox escape (CVE-2019-1458).
- The sandbox escape via CVE-2019-1458 (target 1) only works on vulnerable versions of Windows (e.g. Windows 7), and the exploit can only be triggered once per session.
- The exploit module targets only the x86-64 architecture on Windows and macOS platforms.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
GHSA
GHSA-jjm4-89hr-gf27: Incorrect side effect annotation in V8 in Google Chrome prior to 70
ghsa_unreviewed · 2022-05-13 · CVE-2018-17463 · HIGH
Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Project0
JSC Exploits - Project Zero
project_zero · 2019-08-01 · CVE-2017-2505
Posted by Samuel Groß, Project Zero
In this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS. Although Chrome on iOS would have also been vulnerable to these initial browser exploits, they were only used by the attacker to target Safari and iPhones.
After some general discussion, this post first provides a short walkthrough of each of the exploited WebKit bugs and how the attackers construct a memory read/write primitive from them, followed by an overview of the techniques used to gain shellcode execution and how they bypassed existing JIT code injection mitigations, namely the “bulletpr
OSV
CVE-2018-17463: Incorrect side effect annotation in V8 in Google Chrome prior to 70
osv · 2018-11-14 · CVE-2018-17463 · HIGH · CVSS 8.8
Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
VulnCheck
Google Chromium V8 Remote Code Execution Vulnerability
vulncheck · 2018 · CVE-2018-17463 · HIGH · CVSS 8.8
Google Chromium V8 Engine contains an unspecified vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://blog.securelayer7.net/polyfill-supply-chain-attack/
- https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
Exploit PoC: https
Project0
Project Zero RCA: CVE-2019-11707: IonMonkey Type Confusion in Array.Pop
project_zero · CVE-2019-11707 · HIGH · CVSS 8.8
# CVE-2019-11707: IonMonkey Type Confusion in Array.Pop
*Samuel Groß, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-07-27)*
## The Basics
**Disclosure or Patch Date:** 18 June 2019
**Product:** Mozilla Firefox
**Advisory:** https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/
**Affected Versions:** Firefox 67.0.2, likely earlier versions
**First Patched Version:** Firefox 67.0.3 and Firefox ESR 60.7.1
**Issue/Bug Report:**
* Project Zero issue: https://bugs.chromium.org/p/project-zero/issues/detail?id=1820
* Firefox issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
**Patch CL:** https://hg.mozilla.org/releases/mozilla-beta/rev/109cefe117fbdd1764097e06796960082f4fee4e
**Bug-Introducing CL:** Unkno
CISA
Google Chromium V8 Remote Code Execution Vulnerability
cisa · 2022-06-08 · CVE-2018-17463 · HIGH · CVSS 8.8
Affected: Google Chromium V8
Google Chromium V8 Engine contains an unspecified vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-17463
Remediation Due Date: 2022-06-22
Red Hat
chromium-browser: Remote code execution in V8
vendor_redhat · 2018-10-16 · CVE-2018-17463 · HIGH · CVSS 8.8
Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Detection rules
No detection rules found.
Exploit-DB
Google Chrome 67, 68 and 69 - Object.create Type Confusion (Metasploit)
exploitdb · 2020-03-09 · CVE-2018-17463
The module header as published (truncated in the source listing; the class declaration and initializer that the extraction dropped between `class MetasploitModule` and the module name are restored to the standard Metasploit form, the Rank and include lines are not recoverable):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # Rank and include lines not present in the source listing

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Google Chrome 67, 68 and 69 Object.create exploit',
      'Description' => %q{
        This module exploits a type confusion in Google Chrome's JIT compiler.
        The Object.create operation can be used to cause a type confusion between a
        PropertyArray and a NameDictionary.
        The payload is executed within the rwx region of the sandboxed renderer
        process, so the browser must be run with the --no-sandbox option for the
        payload to work.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'saelo', # discovery and exploit
        'timwr', # metasploit module
      ],
      'References' => [
        ['CVE', '2018-1
```
Metasploit
Google Chrome 67, 68 and 69 Object.create exploit
metasploit · HIGH · CVSS 7.8
This module exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process. This module can target the renderer process (target 0), but Google Chrome must be launched with the --no-sandbox flag for the payload to execute successfully. Alternatively, this module can use CVE-2019-1458 to escape the renderer sandbox (target 1). This will only work on vulnerable versions of Windows (e.g. Windows 7), and the exploit can only be triggered once. Additionally, the exploit can cause the target machine to restart when the session is terminated. A BSOD is also likely t
Bugzilla
CVE-2018-16435 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473 CVE-2018-17474 CVE-2018-17475 ... chromium: various flaws [epel-7]
bugzilla · 2018-10-17 · CVE-2018-16435 · MEDIUM · CVSS 5.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-l
Bugzilla
CVE-2018-16435 CVE-2018-17462 CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467 CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473 CVE-2018-17474 CVE-2018-17475 ... chromium: various flaws [fedora-all]
bugzilla · 2018-10-17 · CVE-2018-16435 · MEDIUM · CVSS 5.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the releva
Bugzilla
CVE-2018-17463 chromium-browser: Remote code execution in V8
bugzilla · 2018-10-17 · CVE-2018-17463 · HIGH · CVSS 8.8
A remote code execution flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=888923
External References:
https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1640122]
Affects: fedora-all [bug 1640121]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2018:3004 https://access.redhat.com/errata/RHSA-2018:3004
Trendmicro
MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks
blogs_trendmicro · 2024-12-05
Cyber Threats
## MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks
Trend Micro’s monitoring of the MOONSHINE exploit kit revealed how it’s used by the threat actor Earth Minotaur to exploit Android messaging app vulnerabilities and install the DarkNimbus backdoor for surveillance.
By: Joseph C Chen, Daniel Lunghi · Dec 05, 2024
## Summary
Trend Micro researchers investigated a group named Earth Minotaur that used the MOONSHINE exploit kit in the wild. MOONSHINE, which has over 55 servers identified as of 2024, has been updated with more exploits and functions compared to its previous version reported in 2019.
MOONSHINE exploit kit targets vulnerabilities in instant messaging apps on Android devices, primari
References
- http://packetstormsecurity.com/files/156640/Google-Chrome-67-68-69-Object.create-Type-Confusion.html
- http://www.securityfocus.com/bid/105666
- https://access.redhat.com/errata/RHSA-2018:3004
- https://chromereleases.googleblog.com/2018/10/stable-channel-update-for-desktop.html
- https://crbug.com/888923
- https://security.gentoo.org/glsa/201811-10
- https://www.debian.org/security/2018/dsa-4330
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-17463
Timeline
- 2018-11-14: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild