CVE-2023-3598 - How a Single HTML Page Can Hack Chrome (ANGLE Out of Bounds Exploit Explained)

_Chrome is the world’s most popular web browser, but even top software has bugs. Today, let’s break down a serious vulnerability that slipped into Chrome’s core graphics engine: an out-of-bounds read and write (CVE-2023-3598) in Google Chrome’s ANGLE component. We’ll dig into what happened, how it could be used in the wild, see some code, and help you actually understand how attackers could use a web page alone to take over a victim’s machine — all in plain English._

What Is CVE-2023-3598? (In Simple Terms)

CVE-2023-3598 is a security flaw discovered in Google Chrome, before version 114..5735.90. The weakness was found inside ANGLE, the graphics layer Chrome uses to talk with graphics hardware through OpenGL ES calls.

- What broke: _Memory safety_. An attacker could trick Chrome into reading or writing to memory outside of where it’s supposed to (an “out-of-bounds” attack).

How: By crafting a specific HTML page that triggers the buggy code in ANGLE.

- Impact: If successfully exploited, this bug could lead to heap corruption — allowing malicious code execution with the privileges of the user.

> Severity: High (as rated by the Chromium Project)

1. What Is ANGLE?

ANGLE (Almost Native Graphics Layer Engine) is a graphics translation layer — it lets Chrome and other apps efficiently use OpenGL ES commands regardless of the actual GPU. Almost any “fancy” website you open is running stuff through ANGLE!

### 2. What’s An Out-of-Bounds Read/Write?

Programs allocate memory for stuff they need (images, text, numbers, etc.). If the program reads or writes beyond the allocated space (“out of bounds”), it risks exposing data it shouldn’t — or corrupting memory, which can be twisted by hackers to run their code.

The Technical Details

Let’s get hands-on. The vulnerable code was inside ANGLE, usually triggered via advanced WebGL features. Attackers found a way to create an HTML page that, when opened, forces Chrome’s ANGLE code to miscalculate buffer sizes, leading to out-of-bounds memory access.

Typical Exploit Steps

1. Crafted HTML/JavaScript: A web page with innocent looking code.
2. Trigger out-of-bounds write/read: Usually by carefully initializing an oversized or undersized buffer in WebGL.

Example Vulnerable Pattern

Here’s a simplified and hypothetical code snippet similar to what was vulnerable (not the real Chrome code, but showing the general problem):

// Pseudocode - not actual Chrome source

void processBuffer(int* buffer, int length) {
    int localCopy[10];
    // Bad: does not check if length exceeds localCopy size!
    for (int i = ; i < length; i++) {
        localCopy[i] = buffer[i];
    }
    // ... further code working on localCopy ...
}

If length is greater than 10, this code writes beyond the localCopy array, causing “out-of-bounds” access — which is a major security bug.

Building a Proof-of-Concept (PoC)

Disclaimer: _Never run malicious code outside of secure testing environments!_

A PoC for this vulnerability can look like this, targeting the vulnerable ANGLE code via WebGL buffers and attributes:

<!-- Exploit HTML example (illustrative only) -->
<script>
  let gl = document.createElement('canvas').getContext('webgl');
  // Prepare a buffer that's bigger or smaller than Chrome expects
  let buffer = gl.createBuffer();
  gl.bindBuffer(gl.ARRAY_BUFFER, buffer);
  
  // Send more data than the buffer really is supposed to handle
  let overflowData = new Float32Array(100000); // Large, purposeful
  gl.bufferData(gl.ARRAY_BUFFER, overflowData, gl.STATIC_DRAW);

  // Set up attribute pointers that can go out-of-bounds
  gl.vertexAttribPointer(, 8, gl.FLOAT, false, , );
  gl.enableVertexAttribArray();
  
  // Trigger the rendering which will confuse ANGLE's buffer math
  gl.drawArrays(gl.TRIANGLE_STRIP, , 100000);
</script>

If exploited, this could corrupt heap memory, giving a determined attacker control.

Exploit Possibilities

- Remote code execution (RCE): Run attacker’s code on your computer, steal data, install malware.

References & Further Reading

- Google Chrome Release Notes 114..5735.90
- NVD entry for CVE-2023-3598
- Chromium Security Severity Ratings
- ANGLE Project
- Mitre CVE Record: CVE-2023-3598

In Closing

CVE-2023-3598 shows how even complex, hidden layers of software like ANGLE can be a target for attackers. All it takes is the right web page to open the door. Stay secure: keep your browser updated and be careful what you click!

If you want more deep dives into browser bugs (written in simple English!), let us know in the comments!

Timeline

Published on: 07/28/2023 21:15:14 UTC
Last modified on: 08/10/2023 03:16:07 UTC