Indian security researcher Rajvardhan Agarwal has released proof-of-concept (PoC) exploit code for a vulnerability that mainly affects web browsers.
It is a remote code execution flaw in the V8 JavaScript engine and affects all Chromium-based browsers apart from Google Chrome, such as Microsoft Edge, Brave, and Opera.
This flaw was demonstrated at the Pwn2Own 2021 hacking contest and was initially discovered by Bruno Keith and Niklas Baumstark from Dataflow Security. The duo was awarded $100,000 for exploiting this flaw to run malicious code on Chrome and Edge.
About the Proof of Concept
Agarwal has shared a screenshot of the PoC HTML file and claims that it is associated with the JavaScript file. The researcher revealed that the file could be loaded in a Chrome-based browser for exploiting the security flaw, but the exploit works only when it is chained with another flaw to escape the browser’s sandbox protections.
Agarwal was able to launch the Windows calculator app through the exploit. He was able to build the PoC by reverse-engineering the Chromium team's patch after the flaw had been shared with the company.
Screenshot shared by Agarwal on his Twitter account:
Google Has Fixed the Issue
It is worth noting that Google has fixed the issue in the latest V8 version, but the fix hasn't yet reached the stable channel. Therefore, many browsers are currently vulnerable to exploitation. Google may ship Chrome 90 at any time now, and we aren't sure whether it will include a patch for the V8 flaw.