CVE-2019-5825
Published 2019-11-25
Priority P180 · medium · 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-06-22
Exploited in the wild
EPSS: 55.93% (98.9th percentile)
Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| chromium | chromium | >= 0 < 75.0.3770.80-1 | 75.0.3770.80-1 |
| debian | chromium | < 75.0.3770.80-1 (bookworm) | 75.0.3770.80-1 (bookworm) |
| | chrome | < 73.0.3683.86 | 73.0.3683.86 |
| | chrome | >= unspecified < 73.0.3683.86 | 73.0.3683.86 |
Detection & IOCs (extracted from sources)
WebAssembly stub bytes (the bc[] array referenced below):
0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb
- The exploit targets Chrome 73.0.3683.86 (64-bit) specifically; alert on User-Agent strings advertising this exact version being served exploit content.
- Exploit delivery uses the HTTP response headers 'Cache-Control: no-cache, no-store, must-revalidate', 'Pragma: no-cache' and 'Expires: 0' with Content-Type text/html; look for this combination on pages serving JavaScript exploits.
- The exploit uses WebAssembly to allocate an RWX memory region and writes shellcode into it; detect WebAssembly instantiation (WebAssembly.Instance/WebAssembly.Module) combined with typed array (BigUint64Array) manipulation in the same script context.
- The exploit corrupts the length of a packed float array via an Array.map callback to achieve out-of-bounds read/write; look for Array.map callbacks that allocate new typed arrays (BigUint64Array) and float arrays on index 0.
- The exploit uses a known WebAssembly bytecode stub (magic bytes 0x00 0x61 0x73 0x6d) with a specific module structure; the exact byte sequence in bc[] can be used as a network or memory signature.
- The Metasploit module exposes a /print endpoint for debug output; a URI path matching /print$ on a browser exploit server may indicate active exploitation or testing.
- The exploit triggers a page reload on failure via location.reload(); repeated rapid page reloads from a Chrome 73 UA to the same exploit URI may indicate exploitation retries.
- The exploit reads the RWX page address at a fixed offset from the WasmInstance object (instance + 0xf8); this offset is version-fingerprinted to Chrome/73.0.3683.86 and can be used to distinguish targeted exploitation from generic WebAssembly use.
- The exploit only works when Chrome is launched with --no-sandbox; exploitation against default sandboxed Chrome installations will fail at the payload execution stage.
- The exploit is architecture-specific (x86_64 only) and platform-limited to Windows and macOS; Linux and 32-bit targets are not supported by this module.
- The RWX memory offset used to locate the WebAssembly code page is hardcoded for Chrome 73.0.3683.86; other Chrome versions require different offsets, and the exploit will not work against patched or other versions.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | | 6.5 | MEDIUM | |
| vulncheck | | 6.5 | MEDIUM | |
| cisa | | 6.5 | MEDIUM | |
| vendor_debian | | 6.5 | MEDIUM | |
| vendor_redhat | | 6.5 | MEDIUM | |
CISA
Google Chromium V8 Out-of-Bounds Write Vulnerability
cisa · 2022-06-08 · CVSS 6.5 (MEDIUM) · CWE-787
Affected: Google Chromium V8
Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-5825
Remediation Due Date: 2022-06-22
Red Hat
chromium-browser: Out-of-bounds write in V8
vendor_redhat · 2019-04-30 · CVSS 6.5 (MEDIUM)
Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Debian
CVE-2019-5825: chromium - Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed...
vendor_debian · 2019 · CVSS 6.5 (MEDIUM)
Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 75.0.3770.80-1)
bullseye: resolved (fixed in 75.0.3770.80-1)
forky: resolved (fixed in 75.0.3770.80-1)
sid: resolved (fixed in 75.0.3770.80-1)
trixie: resolved (fixed in 75.0.3770.80-1)
GHSA
GHSA-3xc7-8f3r-h948: Out of bounds write in JavaScript in Google Chrome prior to 73
ghsa_unreviewed · 2022-05-24 · MEDIUM · CWE-787
Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2019-5825: Out of bounds write in JavaScript in Google Chrome prior to 73
osv · 2019-11-25 · CVSS 6.5 (MEDIUM)
Out of bounds write in JavaScript in Google Chrome prior to 73.0.3683.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
VulnCheck
Google Chromium V8 Out-of-Bounds Write Vulnerability
vulncheck · 2019 · CVSS 6.5 (MEDIUM) · CWE-787
Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/0b54c4eee1ca
Remediation Due: 2022-06-22
No detection rules found.
Exploit-DB
Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)
exploitdb · 2020-03-09
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Google Chrome 72 and 73 Array.map exploit',
  'Description' => %q{
    This module exploits an issue in Chrome 73.0.3683.86 (64 bit).
    The exploit corrupts the length of a float in order to modify the backing store
    of a typed array. The typed array can then be used to read and write arbitrary
    memory. The exploit then uses WebAssembly in order to allocate a region of RWX
    memory, which is then replaced with the payload.
    The payload is executed within the sandboxed renderer process, so the browser
    must be run with the --no-sandbox option for the payload to work corr
```
Metasploit
Google Chrome 72 and 73 Array.map exploit
metasploit
This module exploits an issue in Chrome 73.0.3683.86 (64 bit). The exploit corrupts the length of a float in order to modify the backing store of a typed array. The typed array can then be used to read and write arbitrary memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload. The payload is executed within the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work correctly.
Bugzilla
CVE-2019-5825 chromium-browser: Out-of-bounds write in V8
bugzilla · 2019-05-07 · CVSS 6.5 (MEDIUM)
An out-of-bounds write flaw was found in the V8 component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=941743
External References:
https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1707252]
Affects: fedora-all [bug 1707251]
---
As per chromium advisory:
https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html
this issue was already addressed via "chromium 74.0.3729.108".
This issue was addressed in Red Hat Enterprise Linux 6 via: https://access.redhat.com/errata/RHSA-2019:1021
Bugzilla
CVE-2019-5825 CVE-2019-5826 chromium: various flaws [fedora-all]
bugzilla · 2019-05-07 · CVSS 6.5 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. W
Bugzilla
CVE-2019-5825 CVE-2019-5826 chromium: various flaws [epel-7]
bugzilla · 2019-05-07 · CVSS 6.5 (MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg update' reques
References:
- http://packetstormsecurity.com/files/156641/Google-Chrome-72-73-Array.map-Corruption.html
- https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html
- https://crbug.com/941743
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5825
Timeline:
- 2019-11-25: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild