CVE-2021-38003 is a vulnerability in the V8 JavaScript engine. It affects Google Chrome before stable version 95.0.4638.69 and was disclosed in October 2021 in Google's Chrome release blog; the bug report itself was made public in February 2022.
The vulnerability causes a special internal V8 value called TheHole to be leaked to script. This can lead to a renderer RCE in a Chromium-based browser, and the bug has been exploited in the wild.
In this post, I will discuss the root cause of the vulnerability and how I exploited the bug and achieved RCE on a vulnerable version of the Chromium browser.
The vulnerability happens when V8 handles an exception in JSON.stringify(). As mentioned in the bug report, when an exception is raised inside a built-in function, the pending_exception member of the current Isolate is set to the exception value. The calling code then jumps into V8's exception-handling machinery, which fetches pending_exception from the active isolate and invokes the currently active JavaScript exception handler with it. Note that when no exception is pending, pending_exception does not hold a real exception but the special sentinel value TheHole. If the exception path is taken while pending_exception is still empty, the machinery fetches TheHole and hands it to the script's exception handler, so TheHole is leaked to JavaScript. That is exactly what happens in this vulnerability.
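To make the mechanism concrete, the following is an added toy model of the pending-exception plumbing described above. It is not V8 source code: the Isolate, Value, BuggyStringify, FixedStringify and RunWithCatch names are simplified stand-ins for the real V8 classes and builtins. It models the one fact that matters here, namely that "no exception pending" is encoded by storing TheHole in pending_exception, and shows what a catch block receives when a builtin signals an exception without first populating that slot, beside the behaviour of a builtin that does populate it and a dispatcher that refuses to deliver the sentinel.

```cpp
// Added illustration, not V8 code: a toy model of Isolate::pending_exception,
// the TheHole sentinel, and a builtin that takes the exception path without
// setting a pending exception. All names are simplified stand-ins.
#include <iostream>
#include <string>
#include <utility>

struct Value {
    enum Kind { kHole, kNumber, kString, kBigInt } kind = kHole;
    double num = 0;
    std::string str;
    static Value Hole() { return Value{}; }
    static Value Number(double d) { Value v; v.kind = kNumber; v.num = d; return v; }
    static Value String(std::string s) { Value v; v.kind = kString; v.str = std::move(s); return v; }
    static Value BigInt(std::string digits) { Value v; v.kind = kBigInt; v.str = std::move(digits); return v; }
};

enum class Result { kSuccess, kException };

// As in V8, "no exception pending" is represented by TheHole in the slot itself,
// not by a separate flag.
struct Isolate {
    Value pending_exception = Value::Hole();
    bool has_pending_exception() const { return pending_exception.kind != Value::kHole; }
    void Throw(Value exception) { pending_exception = std::move(exception); }
    Value TakePendingException() {
        Value e = pending_exception;
        pending_exception = Value::Hole();
        return e;
    }
};

using Builtin = Result (*)(Isolate&, const Value&, std::string&);

// Buggy builtin: it refuses to serialise a BigInt (real JSON.stringify throws a
// TypeError for that) but signals EXCEPTION without ever calling Throw().
Result BuggyStringify(Isolate& iso, const Value& in, std::string& out) {
    (void)iso;  // never touched: pending_exception stays TheHole
    switch (in.kind) {
        case Value::kNumber: out = std::to_string(in.num); return Result::kSuccess;
        case Value::kString: out = "\"" + in.str + "\""; return Result::kSuccess;
        default: return Result::kException;  // bug: exception path, empty slot
    }
}

// Fixed builtin: every EXCEPTION return is preceded by populating the slot.
Result FixedStringify(Isolate& iso, const Value& in, std::string& out) {
    switch (in.kind) {
        case Value::kNumber: out = std::to_string(in.num); return Result::kSuccess;
        case Value::kString: out = "\"" + in.str + "\""; return Result::kSuccess;
        default:
            iso.Throw(Value::String("TypeError: Do not know how to serialize a BigInt"));
            return Result::kException;
    }
}

// Model of the exception-handling machinery: on EXCEPTION it fetches whatever
// sits in pending_exception and hands it to the script's catch handler.
// Returns the value `catch (e)` would observe.
Value RunWithCatch(Isolate& iso, Builtin builtin, const Value& in) {
    std::string out;
    if (builtin(iso, in, out) == Result::kSuccess) return Value::String(out);
    return iso.TakePendingException();
}

// Hardened dispatcher: refuse to deliver the sentinel. In V8 this would be a
// fatal CHECK(has_pending_exception()), i.e. a renderer crash rather than a leak;
// here it is modelled as a recoverable internal error so it can be observed.
Value RunWithCatchChecked(Isolate& iso, Builtin builtin, const Value& in, bool& hole_blocked) {
    std::string out;
    hole_blocked = false;
    if (builtin(iso, in, out) == Result::kSuccess) return Value::String(out);
    if (!iso.has_pending_exception()) {
        hole_blocked = true;
        return Value::String("InternalError: exception path taken with no pending exception");
    }
    return iso.TakePendingException();
}

// Self-checks: each runs one scenario in a fresh Isolate and reports the outcome.
bool BuggyBuiltinLeaksHole() {
    Isolate iso;
    return RunWithCatch(iso, BuggyStringify, Value::BigInt("1")).kind == Value::kHole;
}
bool FixedBuiltinDeliversTypeError() {
    Isolate iso;
    Value c = RunWithCatch(iso, FixedStringify, Value::BigInt("1"));
    return c.kind == Value::kString && c.str.rfind("TypeError", 0) == 0 && !iso.has_pending_exception();
}
bool CheckedDispatcherBlocksHole() {
    Isolate iso;
    bool blocked = false;
    Value c = RunWithCatchChecked(iso, BuggyStringify, Value::BigInt("1"), blocked);
    return blocked && c.kind != Value::kHole;
}
bool SuccessPathUnaffected() {
    Isolate iso;
    Value c = RunWithCatch(iso, BuggyStringify, Value::String("ok"));
    return c.kind == Value::kString && c.str == "\"ok\"";
}

int main() {
    std::cout << "buggy builtin leaks TheHole to catch: " << BuggyBuiltinLeaksHole() << "\n"
              << "fixed builtin delivers TypeError:    " << FixedBuiltinDeliversTypeError() << "\n"
              << "checked dispatcher blocks TheHole:   " << CheckedDispatcherBlocksHole() << "\n";
    return 0;
}
```

The point of the model is the shape of the bug rather than the exact V8 trigger, which the bug report describes: a failure result and a populated pending_exception are two separate pieces of state, and any path that produces the first without the second turns the "absent" sentinel into an ordinary JavaScript value in the script's catch block.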
Video PoC
Read the Full Blogpost here