Understanding the Type Confusion Vulnerability

In early June 2023, a zero-day, exploited in the wild, emerged regarding Google Chrome, Microsoft Edge, and many more Chromium-based browsers, exposing countless users to potential risks. The root of the problem was a Type Confusion bug in the V8 JavaScript engine, which forms a crucial component of both browsers. Attackers could exploit heap corruption through this bug by specifically crafting an HTML page to cause the bug. Clement Lecigne, a member of Google’s Threat Analysis Group (TAG), brought attention to this severe flaw on June 1, 2023, highlighting its significant dangers to users’ data and overall system integrity.

According to the National Institute of Standards and Technology (NIST), the bug, identified as CVE-2023-3079, could be leveraged by an attacker to exploit heap corruption in versions preceding Google Chrome 114.0.5735.110. Although some time has passed since the discovery, we assume our readers have diligently applied the necessary patches. Nonetheless, let us now delve into the specifics of Type Confusion and its implications.

Type Confusion Explained

Type Confusion occurs when accessing a resource with an incompatible type, leading to logical errors and type-related issues. This vulnerability is particularly prevalent in languages like C and C++ that lack memory safety mechanisms, as the accessed resource may not possess the expected properties. The lack of clearly defined expected types can result in unexpected behavior and security risks.

Beyond C and C++

While Type Confusion is commonly associated with unions in C, it is important to note that this vulnerability can manifest in any application that interprets the same variable or memory location differently. Other languages, such as PHP and Perl, may also experience errors and vulnerabilities due to type confusion. For example, PHP applications may encounter issues when providing array parameters instead of expected scalar values, while Perl’s automatic variable conversions can introduce unexpected behavior.

Understanding Type Confusion with a Code Example

#include 
using namespace std;


class Base {}; // Parent Class

class Execute: public Base {   // Child of Base Class
public:
    virtual void exec(const char *program) 
    {
        system(program);
    }
};

class Greeter: public Base {   // Child of Base Class
public:
    virtual void sayHi(const char *str) 
    {
        cout << str << endl;
    }

};


int main() {

    Base *b1 = new Greeter();
    Base *b2 = new Execute();
    Greeter *g;

    g = static_cast(b1); // Safe Casting to the same type "Greeter"
    g->sayHi("Greeter says hi!"); // String passed to sayHi() function

    g = static_cast(b2); // Unsafe Casting to sibling class "Execute"
    g->sayHi("/usr/bin/xcalc"); // String passed to exec() function 
                                    // which will turn into a command to execute calculator

    delete b1;
    delete b2;
    return 0;
}

Source: https://stackoverflow.com/questions/66523086/type-confusion-in-c

We have two classes, Base, Execute, and Greeter, where both Execute and Greeter inherit from Base.

In the main() function, we create two objects using the base class pointer Base*. b1 points to a Greeter object, and b2 points to an Execute object.
We then declare a Greeter* pointer g to be used for type casting.
The first casting operation is g = static_cast(b1);, which casts b1 (a Base* pointing to a Greeter object) to a Greeter*. This is a safe cast because the object being pointed to by b1 is indeed a Greeter object. Therefore, g is now a valid pointer to a Greeter object.
Next, we call g->sayHi(“Greeter says hi!”);, which correctly invokes the sayHi() function of the Greeter class. This prints the message “Greeter says hi!” to the console.
The potential type confusion arises in the second casting operation, g = static_cast(b2);. Here, we are attempting to cast b2 (a Base* pointing to an Execute object) to a Greeter*. This is an unsafe cast because b2 is not pointing to a Greeter object.
The consequences of this unsafe cast can result in undefined behavior. One possible outcome is that the virtual function table (vtable) of Execute and Greeter may have the same index for their respective virtual functions (exec() and sayHi()). As a result, the code g->sayHi(“/usr/bin/xcalc”); may actually call Execute::exec(), treating the Execute object as if it were a Greeter object. This can lead to unexpected behavior or even a crash.

It’s important to note that the behavior in this type confusion scenario is undefined, meaning it can vary depending on the compiler, optimization settings, and other factors. The code may produce different results or exhibit different behaviors on different systems or compiler versions.

Exploitation and Mitigation

Although it is not publicly known how it is exactly exploited, since Google has acknowledged the active exploitation of CVE-2023-3079 in the wild, elevating the danger of the vulnerability. However, it should also be added that this vulnerability was not the first bug in V8 Engine; it was also used as an attack vector for a zero-day vulnerability affecting Chrome in 2022, so it can be said that inherent problems should be resolved, mainly repeating vulnerabilities like the mentioned bug.

To mitigate Type Confusion vulnerabilities, software developers must carefully validate and sanitize user inputs, perform proper type checks, and ensure memory access is controlled and secure. For users, keeping software and browsers up to date with the latest security patches is crucial to prevent known vulnerabilities from being exploited.

Leveraging SOCRadar for Vulnerability Intelligence

Type Confusion zero-day exploits affecting many browsers have once again brought the importance of vulnerability intelligence and patch management to the forefront. Regularly updating browsers and promptly applying security patches are essential practices to mitigate the risks associated with such exploits.

SOCRadar’s Vulnerability Intelligence service offers comprehensive and detailed information about vulnerabilities, empowering you to stay well-informed about the latest trends in exploitation. With this valuable insight, you gain visibility into vulnerabilities that may impact your organization’s security. By leveraging SOCRadar’s Vulnerability Intelligence, you can prioritize your patching efforts effectively. This means you can focus on addressing vulnerabilities that pose the highest risk to your systems and assets, ensuring that your resources are allocated efficiently.

*Vulnerability Intelligence module on SOCRadar platform*

Moreover, having access to up-to-date information about vulnerabilities enhances the overall security posture of your organization. It enables you to proactively identify and remediate weaknesses before they can be exploited by malicious actors, reducing the potential impact of cyber threats.