An UAF bug exists in muon

[l0kihardt]

• Operating system:
  brave-v8.1.8-linux-x64.zip
  Linux ubuntu 4.15.0-36-generic Added npm task for copying on Windows; updated docs #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  ubuntu 18.04

• Steps to reproduce
  r /path/to/demo.html

if you want to get to the function before 0x3799940, you can use the gdb script I uploaded.

• Basic info

[----------------------------------registers-----------------------------------]
RAX: 0x53582a30d8 --> 0x662f6567616d6912 
RBX: 0x7fffffffd058 --> 0x0 
RCX: 0x29 (')')
RDX: 0x140 
RSI: 0x0 
RDI: 0x7fffffffd058 --> 0x0 
RBP: 0x7fffffffd040 --> 0x7fffffffd070 --> 0x7fffffffd090 --> 0x7fffffffd0d0 --> 0x7fffffffd130 --> 0x7fffffffd1c0 (--> ...)
RSP: 0x7fffffffd030 --> 0x3799940 (push   rbp)
RIP: 0x2d41301 (mov    rdx,QWORD PTR [rsi])
R8 : 0x0 
R9 : 0x535730d570 --> 0x10000001e 
R10: 0x53572a6cc0 --> 0x535730d570 --> 0x10000001e 
R11: 0x0 
R12: 0x6fc0430 --> 0x0 
R13: 0x53570f3d30 --> 0x0 
R14: 0x5357778960 --> 0x0 
R15: 0x7fffffffd0e8 --> 0x4847dc ("PluginsLoaded")
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x2d412f8:   add    rax,0x38
   0x2d412fc:   test   cl,0x1
   0x2d412ff:   je     0x2d41309
=> 0x2d41301:   mov    rdx,QWORD PTR [rsi]
   0x2d41304:   mov    rcx,QWORD PTR [rdx+rcx*1-0x1]
   0x2d41309:   mov    rdi,rbx
   0x2d4130c:   mov    rdx,rax
   0x2d4130f:   call   rcx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd030 --> 0x3799940 (push   rbp)
0008| 0x7fffffffd038 --> 0x7fffffffd080 --> 0x0 
0016| 0x7fffffffd040 --> 0x7fffffffd070 --> 0x7fffffffd090 --> 0x7fffffffd0d0 --> 0x7fffffffd130 --> 0x7fffffffd1c0 (--> ...)
0024| 0x7fffffffd048 --> 0x3799963 (lea    rdi,[rbp-0x20])
0032| 0x7fffffffd050 --> 0x53582a30a0 --> 0xffffffff00000001 
0040| 0x7fffffffd058 --> 0x0 
0048| 0x7fffffffd060 --> 0x7fffffffd080 --> 0x0 
0056| 0x7fffffffd068 --> 0x3ba29a0 (push   rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000002d41301 in ?? ()

So the bug actually happens at the base::internal::Invoker<base::internal::BindState<void (*)>
when it tries to bind a callback function, which is the 0x2D412E0

_int64 __fastcall vuln(__int64 a1, struct_a2 *a2)
{
  char *v3; // rcx
  _QWORD *v4; // rsi
  struct_a2 *v5; // rax

  v3 = a2->pchar20;
  v4 = (_QWORD *)(a2->qword28 + a2->qword30);
  v5 = a2 + 1;
  if ( (unsigned __int8)v3 & 1 )
    v3 = *(char **)&v3[*v4 - 1];
  ((void (__fastcall *)(__int64, _QWORD *, struct_a2 *))v3)(a1, v4, v5);
  return a1;
}

the obj it passed to this function has been freed before Invoker has been called, so that a2->qword28 + a2->qword30 is NULL. which caused a NULL pointer dereference eventually.

[l0kihardt]

fuzz-1.zip
attached the poc html for the convenience of you

[diracdeltas]

Thanks for reporting this. This repo was unofficially deprecated on Oct 5 when we started switching to https://github.com/brave/brave-browser/ and we are now actively migrating users off of it