Xion
@0x10n
CMU CSD PhD student / 2024 Top#0 Chrome VRP Researcher / Winner of Pwn2Own Vancouver '24, TyphoonPWN '24/'25, DEFCON 31 CTF, ... / PPP, KAIST GoN '18, @zer0pts
🤔 [$55000](CVE-2024-12692)[382291459][wasm]Type Confusion in V8(comparison of canonical struct types) "Compare fields, including a check that the size is the same and compare mutabilities, skipping the check for the size" chromereleases.googleblog.com/2024/12/stable… chromium-review.googlesource.com/c/v8/v8/+/6074… @0x10n
[379612177][wasm]Remove relative type indexes from canonical types chromium-review.googlesource.com/c/v8/v8/+/6035…
(CVE-2024-9122)[365802567][$55000][wasm]WASM type confusion due to imported tag signature subtyping is now open with PoC and exploit(pops calc from a '--no-sandbox' renderer): issues.chromium.org/issues/3658025… @0x10n
(CVE-2024-9122)[365802567][wasm]Type Confusion in V8 @0x10n
Congrats to everyone! Honored to take the first place :)
📯 Announcing the top 20 Chrome VRP researchers for 2024: crbug.com/386306231 📯 Congratulations to everyone on the list! Many thanks and much gratitude to our entire Chrome VRP researcher community and helping us make Chrome Browser & Chromium more secure for all users! 🎊
📯 Announcing the top 20 Chrome VRP researchers for 2024: crbug.com/386306231 📯 Congratulations to everyone on the list! Many thanks and much gratitude to our entire Chrome VRP researcher community and helping us make Chrome Browser & Chromium more secure for all users! 🎊
Uploaded my slides from POC2024. I'll soon be giving a slightly shorter version of the same talk on CODE BLUE 2024 too. github.com/leesh3288/talk…
I'm giving a talk on POC2024 (Nov. 7, Korea) and CODE BLUE 2024 (Nov. 14, Japan) on my VR adventures on Wasm engines in browsers (mostly Chrome). Unfortunately I can't talk about ~10 recent bugs, but there still will be several others and a whopping 10 v8sbx bypasses to share :)
The Chrome RCE has been verified! The disclosure process with the vendor is now in progress. Kudos on a sharp discovery #TyphoonCon25
I guess v8sbx bypass reports does not require reproducers for VRP? Which I thought wouldn't even be a valid report as in g.co/chrome/vrp/#v8… 🤔 e.g. crbug.com/390568183 vs crbug.com/390816209 which I had it early in my stash, only to dup with a report w/o a repro 🤦
Sure, renderer exploits are fun, but have you tried adding hash collision constraints to it? crbug.com/381696874 crbug.com/382291459
I’m very excited to announce that we at V8 Security have finally published our first version of Fuzzilli that understands Wasm! Go check it out at github.com/googleprojectz…. While we still have a way to go in improving it, we think it shows a promising approach!
Type confusion due to improper WASM module size check in `AsyncStreamingDecoder` (reward: $55000) crbug.com/368241697
(CVE-2024-6779)[351327767][wasm][multi-memory]Wasm OOB memory access due to cached memory index confusion with multi-memory is now open with PoCs and exploit issues.chromium.org/issues/3513277… @0x10n P.S. I thank Seunghyun Lee for the analysis and recommend reading his great writeup.
(CVE-2024-6779)[351327767][wasm][multi-memory]wrong cast of memory index(static_cast<uint8_t>(cached_memory_index_)) -> OOB memory access chromium-review.googlesource.com/c/v8/v8/+/5695… Multi-memory proposal: github.com/WebAssembly/mu… x.com/0x10n/status/1… @0x10n
