Content Deep Dive

Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties

Blog post from GitHub

Post Details
Company: GitHub
Author: Man Yue Mo
Word Count: 5,543
Language: English
Summary

In this blog post, the author analyses and exploits CVE-2024-3833, an object corruption bug in v8, Chrome's JavaScript engine. This bug, together with a similar one, CVE-2024-3832, allows remote code execution (RCE) inside Chrome's renderer sandbox from a single visit to a malicious site. The exploit creates duplicate properties in v8 objects, much like the earlier CVE-2021-30561, but needs a new approach because of hardening added since then. The author converts the duplicate properties into an inconsistency between an object's PropertyArray and its map, which yields an out-of-bounds (OOB) write; that write is then used to create a type confusion between a JavaScript Object and an Array. The type confusion allows an array's length to be manipulated, giving a standard OOB access on a JavaScript array and, from there, arbitrary read and write within the v8 heap. Despite the obstacles introduced by the recently added v8 heap sandbox, the author achieves code execution by overwriting the jump targets of WebAssembly imported functions stored in the v8 heap, redirecting them to shellcode locations.