Shulou(Shulou.com)06/01 Report--

This article shows you how to analyze Chrome V8 engine remote code execution vulnerabilities, the content is concise and easy to understand, can definitely make your eyes bright, through the detailed introduction of this article, I hope you can get something.

0x00 vulnerability background

2020-03-05, 360CERT monitoring found that details of a remote code execution vulnerability in Chrome have been made public on the Internet. The vulnerability number is CVE-2020-6418.

This vulnerability is a type obfuscation vulnerability in the Chrome V8 engine. A successful attack can lead to remote code execution.

0x01 risk rating

360CERT assesses the vulnerability

Assessment methods, threat levels, high risk areas are limited.

Google reports that the vulnerability has been used in the wild.

360CERT recommends that the majority of users update the Chrome software version in time. Do a good job of asset self-check / self-test / prevention to avoid attack.

0x02 vulnerability proof

This vulnerability also needs to cooperate with a Chrome sandbox escape vulnerability to fully control Chrome.

Only the effect of the vulnerability is demonstrated here

Chrome version 80.0.3987.116 running parameter-no-sandbox

0x03 affects version

Chrome < 80.0.3987.122

0x04 repair recommendation

Update Chrome to 80.0.3987.122 and make sure Chrome automatic update is on

Enter in the Chrome address bar

Software updates can be made by chrome://settings/help

0x05 product side solution 360Security Guard

In response to this vulnerability, windows users can automatically update and install the application through the 360 security guard, and users on other platforms can update vulnerable products according to the updated version of the product in the list of repair suggestions.

The above is how to analyze the remote code execution vulnerability of Chrome V8 engine. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.