CVE CyberSecurity Database News

CVE-2023-1529 - Out-of-Bounds Memory Access in WebHID (Google Chrome) – How Heap Corruption Was Exploited by Malicious Devices

Poster -

Published: June 2024  
Severity: High  
Affected Software: Google Chrome (before 111..5563.110)

Summary

CVE-2023-1529 is a critical security vulnerability that was found in the Chrome browser’s WebHID API implementation. This flaw allowed attackers to exploit an "out-of-bounds memory access" vulnerability, which could then be used to corrupt the heap memory of the browser. In simpler language, attackers could make Chrome act unpredictably or even execute malicious code, just by getting a user to connect a rogue Human Interface Device (HID).

Let’s break down exactly how this bug works, its probable attack scenarios (including code), and share references for those who want to dig deeper.

1. What is WebHID?

WebHID is a JavaScript API that allows web pages to communicate with external devices like gamepads, keyboards, and other HID devices. This makes using browsers much more flexible, but it also opens up new risks, especially if this communication isn’t handled securely in the browser’s code.

References

- Introduction to WebHID (Google Developers)
- Chrome WebHID API Docs

2. What Went Wrong? The Vulnerability

The bug in Chrome’s WebHID existed because it didn’t properly check the size or bounds of data provided by connected HID devices. If a malicious device sent specially crafted data, Chrome could read or write memory outside of intended limits – a classic out-of-bounds access. In the context of heap memory (where variables and data are stored while the browser runs), this can lead to:

Abstract user data theft or privilege escalation.

Google tagged this as a high-severity issue and fixed it in version 111..5563.110.

Attacker creates a malicious USB HID device.

This device sends intentionally malformed data via the HID protocol – for instance, by declaring invalid lengths or report descriptors.

User connects device to Chrome-enabled computer.

The user might visit a site that uses WebHID to interact with the device, or even just have Chrome running with WebHID permissions.

Chrome reads device data using WebHID.

Due to missing bounds checks, the browser code reads more bytes than it’s supposed to, causing a buffer over-read or over-write in heap memory.

Heap corrupts, attacker’s code runs (in a worst-case scenario).

The attacker can leverage this to run arbitrary code (remote code execution) or just crash Chrome, depending on the payload.

Simple Code Example

Here’s a JavaScript snippet showing how Chrome pages can access HID devices (not malicious, just illustrative). The attack happens on the device side, but this is the web-facing usage:

async function getHIDDevice() {
  const filters = [{ vendorId: x1234 }]; // Attacker sets malicious device VID
  const devices = await navigator.hid.requestDevice({ filters });
  if (devices.length > ) {
    await devices[].open();
    // Read report from the device
    const report = await devices[].receiveReport(, 64);
    console.log(new Uint8Array(report.data.buffer));
    // Malicious device returns too much or malformed data here
  }
}
getHIDDevice();

Key Point:
If the HID device returns more data than expected, and Chrome doesn’t check the bounds, that’s when the out-of-bounds access happens.

Class: Out-of-bounds memory access (heap)

- Vector: USB HID device with malicious descriptors/reports

Patched in: Chrome 111..5563.110

The crux of the vulnerability lay in how Chrome’s internal C++ code handled USB report data. A simplified C++ pseudo-code is:

void readHIDReport(char* buffer, size_t length) {
    char localBuffer[64];
    memcpy(localBuffer, buffer, length); // No size check =>
    // length could be > 64, causing overflow => heap corruption
}

In practice, Chrome’s actual code is more complex, but the principle is the same: if the device sends more data than the buffer expects, memory outside the allowed area is overwritten.

Update Chrome Immediately:

If you’re using Chrome version prior to 111..5563.110, update NOW. Chrome Stable Download

6. References

- Chromium Security Bug 1410122 (CVE-2023-1529)

_(Public details may be limited until more disclosure)_

- Google Chrome Releases (security advisories)
- NIST NVD Entry for CVE-2023-1529

7. Conclusion

CVE-2023-1529 is a reminder that modern browser APIs, while powerful, add new attack surfaces attackers can exploit. By simply plugging in a booby-trapped USB device, users could fall victim to severe attacks – without any software install or obvious download.

Limit permission grants for sensitive APIs (like WebHID).

If you’re a developer: Always assume data from external devices (even from USB) can be malicious. Enforce strict size checks and data validation in native code and APIs.

Timeline

Published on: 03/21/2023 21:15:00 UTC
Last modified on: 04/15/2023 04:16:00 UTC