Google Chrome WebRTC Security Vulnerability

Vulnerability source: …xxk/ldxqById.tag?CNNVD=CNNVD-202007-1004
Google Chrome is a web browser developed by Google, a US company. WebRTC is a component of Chrome that supports real-time voice and video conversations in the browser.
WebRTC in Google Chrome versions before 84.0.4147.89 contains a security vulnerability. An attacker can exploit it to bypass security restrictions.
WebRTC: usrsctp is called with pointer as network address
When usrsctp is used with a custom transport, an address must be provided to usrsctp_conninput to be used as the source and destination address of the incoming packet. WebRTC uses the address of the SctpTransport instance for this value. Unfortunately, this value is often transmitted to the peer, for example to validate signing of the cookie. This could allow an attacker access to the location in memory of the SctpTransport of a peer, bypassing ASLR.
To reproduce, place the following code on line 9529 of sctp_output.c. This will output the peer's address to the log:
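/* Debug-only snippet; `cookie` is the variable at that location in sctp_output.c. */
struct sctp_state_cookie cookie2;
struct sctp_state_cookie* cookie3;
cookie3 = (struct sctp_state_cookie*)sctp_get_next_param(cookie, 4, (struct sctp_paramhdr*)&cookie2, sizeof(struct sctp_state_cookie));
/* Log the first 8 bytes of the cookie's address and laddress fields. */
LOGE("COOKIE INITACK ADDRESS %llx laddress %llx", *((long long*)cookie3->address), *((long long*)cookie3->laddress));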
Or, view the SCTP packets sent by WebRTC before they are sent to the encryption layer. They are full of pointers.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse,
the bug report will become visible to the public. The scheduled disclosure
date is 2020-Jul-28. Disclosure at an earlier date is possible if
agreed upon by all parties.
Related CVE Numbers: CVE-2020-6514.
Found by:
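
One way to avoid the leak described in the report, as an added example (not code from the report, WebRTC or usrsctp): hand the SCTP stack a small opaque id in place of the object's pointer and resolve it through a table when the stack calls back. The names `transport`, `handle_register`, `handle_lookup`, `handle_release`, `put_address` and `buffer_leaks_pointer` are hypothetical, and `put_address` only models the copy of the address value into a packet field such as the cookie's address.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_TRANSPORTS 16

struct transport { int state; };            /* hypothetical stand-in for SctpTransport */
struct slot { uintptr_t id; struct transport *t; };
static struct slot slots[MAX_TRANSPORTS];
static uintptr_t next_id = 1;               /* 0 is reserved for "no handle" */

/* Register a transport; the returned id, not the pointer, is given to the stack. */
uintptr_t handle_register(struct transport *t) {
    for (size_t i = 0; i < MAX_TRANSPORTS; i++) {
        if (slots[i].t == NULL) {
            slots[i].id = next_id++;
            slots[i].t = t;
            return slots[i].id;
        }
    }
    return 0;                               /* table full */
}

/* Resolve an id from the stack; unknown or released ids yield NULL. */
struct transport *handle_lookup(uintptr_t id) {
    for (size_t i = 0; id != 0 && i < MAX_TRANSPORTS; i++)
        if (slots[i].t != NULL && slots[i].id == id)
            return slots[i].t;
    return NULL;
}

void handle_release(uintptr_t id) {
    for (size_t i = 0; id != 0 && i < MAX_TRANSPORTS; i++)
        if (slots[i].id == id)
            slots[i].t = NULL;
}

/* Model of the leak: the address value is copied byte for byte into the packet. */
void put_address(uint8_t *field, void *addr) {
    memcpy(field, &addr, sizeof addr);
}

/* Regression check: returns 1 if the raw bytes of pointer p occur in buf. */
int buffer_leaks_pointer(const uint8_t *buf, size_t len, const void *p) {
    for (size_t i = 0; i + sizeof p <= len; i++)
        if (memcmp(buf + i, &p, sizeof p) == 0)
            return 1;
    return 0;
}
```

A check like `buffer_leaks_pointer` can run in a test build over every outgoing packet before encryption to confirm that no live object address is serialized.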

Source: chromerelease

Link: …for-desktop.html

Vulnerability ID: 2089294
Vulnerability type: Other
Published: 2020-08-01
Updated: 2020-08-01
CVE ID: CVE-2020-6514
CNNVD-ID: CNNVD-202007-1004
Affected platform: N/A
CVSS score: N/A