CVE-2019-5782
Published: 2019-02-19
Priority: P2 (77) · Severity: high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 12.88% (95.8th percentile)
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 72.0.3626.81-1 | 72.0.3626.81-1 |
| chromium | chromium | >= 0 < 72.0.3626.81-1 | 72.0.3626.81-1 |
| chromium | chromium | >= 0 < 72.0.3626.81-1 | 72.0.3626.81-1 |
| chromium | chromium | >= 0 < 72.0.3626.81-1 | 72.0.3626.81-1 |
| debian | chromium | < chromium 72.0.3626.81-1 (bookworm) | chromium 72.0.3626.81-1 (bookworm) |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| | chrome | < 72.0.3626.81 | 72.0.3626.81 |
| | chrome | >= unspecified < 72.0.3626.81 | 72.0.3626.81 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
bytes: SC (2-byte marker prefix on encrypted C2 payloads)
- dneSpy uses CreateMutex to check if agfSpy is already installed; presence of this mutex check can indicate active infection by either backdoor.
- dneSpy C2 registration requests include a victim ID parameter formatted as a 4-byte hex hash concatenated with the computer name (e.g., CC669737_WIN-RSG1AKRI2C4); hunt for HTTP requests with this 'id' parameter pattern.
- agfSpy C2 traffic can be identified by network payloads beginning with the 2-byte ASCII marker 'SC' followed by a 4-byte length field, XOR-encrypted with a multi-byte key.
- dneSpy C2 pivoting: the initial C2 server responds with a new domain/IP for next-stage C2; monitor for HTTP responses containing raw domain/IP strings used as redirect targets (not standard HTTP redirects).
- agfSpy sends a null-terminated 'END' message to the C2 server after completing command execution; this string in outbound TCP streams can serve as a network detection signature.
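One way to turn the id-parameter and framing indicators above into a detection check, as an added example that is not from this page or from Trend Micro's research. The byte order of the 4-byte length field after 'SC' is not stated on the page, so the little-endian reading is an assumption, and the request lines and payloads are constructed samples:

```python
import re

# dneSpy victim ID as the IOC list describes it: a 4-byte hex hash, an underscore,
# then the computer name (e.g. CC669737_WIN-RSG1AKRI2C4) carried in an 'id' parameter.
VICTIM_ID_RE = re.compile(r"(?:[?&]|\b)id=([0-9A-Fa-f]{8})_([A-Za-z0-9][A-Za-z0-9._-]*)")

# agfSpy framing markers from the IOC list.
SC_MARKER = b"SC"        # 2-byte ASCII prefix, followed by a 4-byte length field
END_MARKER = b"END\x00"  # null-terminated 'END' sent after command execution


def find_victim_ids(http_lines):
    """Return (hash, computer_name) for each request line carrying the id pattern."""
    hits = []
    for line in http_lines:
        m = VICTIM_ID_RE.search(line)
        if m:
            hits.append((m.group(1).upper(), m.group(2)))
    return hits


def classify_payload(payload):
    """Flag agfSpy framing in one TCP payload. The length-field byte order is not
    stated on the page; the little-endian value is an assumption, the raw field is kept."""
    result = {"sc_frame": False, "sc_len_raw": None, "sc_len_le": None, "end_marker": False}
    if payload.startswith(SC_MARKER) and len(payload) >= 6:
        raw = payload[2:6]
        result.update(sc_frame=True, sc_len_raw=raw.hex(), sc_len_le=int.from_bytes(raw, "little"))
    if payload.endswith(END_MARKER):
        result["end_marker"] = True
    return result


# Constructed sample data for the demo; not real captures.
SAMPLE_HTTP = [
    "GET /reg?id=CC669737_WIN-RSG1AKRI2C4 HTTP/1.1",
    "GET /index.html?id=42 HTTP/1.1",
    "GET /check?x=1&id=deadbeef_HOST-01 HTTP/1.1",
]
SAMPLE_PAYLOADS = [
    b"SC" + (10).to_bytes(4, "little") + b"\x13\x37" * 5,  # SC frame with 10-byte body
    b"cmd output END\x00",                                  # completion marker
    b"GET / HTTP/1.1\r\n",                                  # benign traffic
]

if __name__ == "__main__":
    print(find_victim_ids(SAMPLE_HTTP))
    for p in SAMPLE_PAYLOADS:
        print(classify_payload(p))
```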
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
GHSA
GHSA-5pv8-cgh5-22f2: Incorrect optimization assumptions in V8 in Google Chrome prior to 72
ghsa_unreviewed·2022-05-13
CVE-2019-5782 [HIGH] CWE-125 GHSA-5pv8-cgh5-22f2: Incorrect optimization assumptions in V8 in Google Chrome prior to 72
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Project0
In-the-Wild Series: Chrome Exploits - Project Zero
project_zero·2021-01-01·CVSS 8.8
CVE-2017-5070 [HIGH] In-the-Wild Series: Chrome Exploits - Project Zero
This is part 3 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the introduction post.
Posted by Sergei Glazunov, Project Zero
## Introduction
As we continue the series on the watering hole attack discovered in early 2020, in this post we’ll look at the rest of the exploits used by the actor against Chrome. A timeline chart depicting the extracted exploits and affected browser versions is provided below. Different color shades represent different exploit versions.
All vulnerabilities used by the attacker are in V8, Chrome’s JavaScript engine; and more specifically, they are JIT compiler bugs. While classic C++ memory safety issues are still exploited in real-world attacks against we
Project0
Virtually Unlimited Memory: Escaping the Chrome Sandbox - Project Zero
project_zero·2019-04-01·CVSS 8.8
CVE-2019-5782 [HIGH] Virtually Unlimited Memory: Escaping the Chrome Sandbox - Project Zero
Posted by Mark Brand, Exploit Technique Archaeologist.
## Introduction
After discovering a collection of possible sandbox escape vulnerabilities in Chrome, it seemed worthwhile to exploit one of these issues as a full-chain exploit together with a renderer vulnerability to get a better understanding of the mechanics required for a modern Chrome exploit. Considering the available bugs, the most likely appeared to be issue 1755, a use-after-free with parallels to classic Javascript engine callback bugs. This is a good candidate because of the high level of control the attacker has both over the lifetime of the free’d object, and over the timing of the later use of the object.
Apologies in advance for glossing over a lot of details about how the Mojo IPC mechanisms function - there’ll ho
OSV
CVE-2019-5782: Incorrect optimization assumptions in V8 in Google Chrome prior to 72
osv·2019-02-19·CVSS 8.8
CVE-2019-5782 [HIGH] CVE-2019-5782: Incorrect optimization assumptions in V8 in Google Chrome prior to 72
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
VulnCheck
Google Chrome Out-of-bounds Read
vulncheck·2019·CVSS 8.8
CVE-2019-5782 [HIGH] Google Chrome Out-of-bounds Read
Google Chrome Out-of-bounds Read
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Affected: Google Chrome
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://ti.qianxin.com/uploads/2024/02/02/dcc93e586f9028c68e7ab34c3326ff31.pdf
Red Hat
chromium-browser: Inappropriate implementation in V8
vendor_redhat·2019-01-29·CVSS 8.8
CVE-2019-5782 [HIGH] chromium-browser: Inappropriate implementation in V8
chromium-browser: Inappropriate implementation in V8
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Debian
CVE-2019-5782: chromium - Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 ...
vendor_debian·2019·CVSS 8.8
CVE-2019-5782 [HIGH] CVE-2019-5782: chromium - Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 ...
Incorrect optimization assumptions in V8 in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 72.0.3626.81-1)
bullseye: resolved (fixed in 72.0.3626.81-1)
forky: resolved (fixed in 72.0.3626.81-1)
sid: resolved (fixed in 72.0.3626.81-1)
trixie: resolved (fixed in 72.0.3626.81-1)
No detection rules found.
Trendmicro
Operation Earth Kitsune A Dance of Two New Backdoors
blogs_trendmicro·2020-10-28
Operation Earth Kitsune A Dance of Two New Backdoors
Cyber Threats
# Operation Earth Kitsune: A Dance of Two New Backdoors
We uncovered two new espionage backdoors associated with Operation Earth Kitsune: agfSpy and dneSpy. This post provides details about these malware types, including the relationship between them and their command and control (C&C) servers
By: William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromir Horejsi, Joseph C Chen, John Zhang
2020/10/28
We recently published a research paper on Operation Earth Kitsune, a watering hole campaign aiming to steal information by compromising websites. Besides its heavy use of SLUB malware, we also uncovered two new espionage backdoors associated with the campaign: agfSpy and dneSpy, dubbed as such following the
Bugzilla
CVE-2019-5782 chromium-browser: Inappropriate implementation in V8
bugzilla·2019-01-30·CVSS 8.8
CVE-2019-5782 [HIGH] CVE-2019-5782 chromium-browser: Inappropriate implementation in V8
CVE-2019-5782 chromium-browser: Inappropriate implementation in V8
An inappropriate implementation flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=906043
External References:
https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1670767]
Affects: fedora-all [bug 1670766]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2019:0309 https://access.redhat.com/errata/RHSA-2019:0309
References:
http://www.securityfocus.com/bid/106767
https://access.redhat.com/errata/RHSA-2019:0309
https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html
https://crbug.com/906043
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JVFHYCJGMZQUKYSIE2BXE4NLEGFGUXU5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQOP53LXXPRGD4N5OBKGQTSMFXT32LF6/
https://www.debian.org/security/2019/dsa-4395