{"uuid": "7562616a-ba41-45df-89b4-7ae0f8594851", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-3723", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/2501", "content": "\ud83d\udd25Chrome heap buffer overflow in validating command decoder (CVE-2022-4135)\nHeap BoF/OOB access in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform an SBX via a crafted HTML page.\n\n\ud83d\udee1Patch CL\n\nExploit strategy:\nThe vulnerability immediately provides an attacker with an extremely powerful exploitation primitive -- a non-linear BoF with a controlled offset.\n\nExploit flow:\nThe exploit abuses the command buffer and GLES2 APIs for memory manipulation. A corrupted memory bucket is used to first leak data from the GPU process and break ASLR, and then, when the ROP chain is ready, hijack the control flow.\n\nReproduce:\n\n    canvas = document.createElement(\"canvas\");\n    document.documentElement.appendChild(canvas);\n    context = canvas.getContext(\"webgl2\");\n    context.blendColor(0, 0, 0, 0);\n\n\n\u26a0\ufe0fPart of an exploit chain: CVE-2022-4135 + CVE-2022-3723", "creation_timestamp": "2023-02-02T23:49:12.000000Z"}