[CVE-2019-16078] Brave Browser AdBlock: Out-of-Bounds Read off by One Byte (Filter::matches)

Description

Brave Browser implements a built-in AdBlock component that can parse Adblock Plus filters (e.g. EasyList). The parser is implemented by Brave in native C++ code and was found to be vulnerable to an out-of-bounds (OOB) write of arbitrary size in memory.
Exploiting this vulnerability might allow an adversary to write to an arbitrary memory address in Chrome's privileged process, since the AdBlock initialization is executed in the main process before work is delegated to sandboxed workers. This means an adversary could use this vulnerability to execute malicious code in Chrome's privileged process.

CVSS 3.0 Base Score

6.5 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Researcher

xen1thlabs software labs

POC

Not releasing for now

Disclosure Timeline

  • 19-Jun-2019 Notified vendor
  • 15-Aug-2019 Brave Browser for Android v1.2.0 released, which resolves this issue