This story starts a couple of months ago. I don’t remember exactly why I started messing around with CEF applications, but I imagine it was sparked by a proof-of-concept for a V8 bug that I wanted to apply. CEF is the Chromium Embedded Framework, a toolkit that lets you include Chromium views inside your own C++ applications. This is different from Electron: these are applications that merely include the framework and are not wholly based on it.
CEF by default doesn’t enable Chromium’s sandbox. This is highly dangerous, as any bug that compromises a render process can then execute arbitrary code on that computer.
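Because a CEF host that runs without the sandbox is only visible from the outside by the switches on its helper processes, the quickest check on a machine is to look at the command lines of those helpers. The script below is an added example and is not code from the post or from any CEF project: it assumes that Chromium-family hosts tag helper processes with a --type=<kind> switch and that a disabled sandbox shows up as the --no-sandbox switch on those helpers' command lines; the process records it scans are constructed, and the optional live snapshot relies on the third-party psutil package.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Chromium-family hosts (CEF included) launch helper processes with a
# --type=<kind> switch; when the sandbox is disabled the --no-sandbox switch
# is carried on those helpers' command lines as well (assumption stated in the lead-in).
TYPE_SWITCH = re.compile(r"(?:^|\s)--type=([A-Za-z-]+)")
NO_SANDBOX_SWITCH = re.compile(r"(?:^|\s)--no-sandbox(?:\s|$)")
# Helper kinds that Chromium normally runs inside the sandbox.
SANDBOXED_KINDS = ("renderer", "utility")


@dataclass(frozen=True)
class ProcRecord:
    pid: int
    ppid: int
    image: str
    cmdline: str


def child_kind(cmdline: str) -> Optional[str]:
    """Return the helper kind named by --type=<kind>, or None for a browser/host process."""
    m = TYPE_SWITCH.search(cmdline)
    return m.group(1) if m else None


def find_unsandboxed_helpers(records: List[ProcRecord]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (pid, image, parent image) for helpers that should be sandboxed but carry --no-sandbox."""
    by_pid = {r.pid: r for r in records}
    findings = []
    for r in records:
        kind = child_kind(r.cmdline)
        if kind in SANDBOXED_KINDS and NO_SANDBOX_SWITCH.search(r.cmdline):
            parent = by_pid.get(r.ppid)
            findings.append((r.pid, r.image, parent.image if parent else None))
    return findings


def snapshot_live_processes() -> List[ProcRecord]:
    """Collect records from the running system (needs the third-party psutil package)."""
    import psutil  # optional dependency, only needed for a live scan
    out = []
    for p in psutil.process_iter(["pid", "ppid", "name", "cmdline"]):
        info = p.info
        out.append(ProcRecord(info["pid"], info["ppid"] or 0, info["name"] or "",
                              " ".join(info["cmdline"] or [])))
    return out


# Constructed sample snapshot (not real captured data): a hypothetical CEF host
# "cefhost.exe" whose helpers run with --no-sandbox, next to a sandboxed Chrome renderer.
SAMPLE = [
    ProcRecord(1200, 1, "cefhost.exe", r"C:\Apps\cefhost.exe"),
    ProcRecord(1210, 1200, "cefhost.exe", r"C:\Apps\cefhost.exe --type=renderer --no-sandbox --lang=en-US"),
    ProcRecord(1211, 1200, "cefhost.exe", r"C:\Apps\cefhost.exe --type=utility --no-sandbox"),
    ProcRecord(2300, 1, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcRecord(2310, 2300, "chrome.exe",
               r"C:\Program Files\Google\Chrome\Application\chrome.exe --type=renderer --lang=en-US"),
]

if __name__ == "__main__":
    for pid, image, parent in find_unsandboxed_helpers(SAMPLE):
        print(f"pid {pid} ({image}) launched by {parent} runs without the Chromium sandbox")
```

Run it against SAMPLE to see the two cefhost.exe helpers flagged while the Chrome renderer passes; swap SAMPLE for snapshot_live_processes() to audit the applications actually running on a workstation.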
This brings us to a couple of days ago, when I saw this tweet flash through my Twitter timeline.
exploitation
This renewed my interest in CEF, and this is when I came back to try and exploit wallpaper_engine. The first thing I tried was loading the public exploit as a web wallpaper, and of course it failed on the first try. This was nothing new for me, as I have always had difficulty getting V8 exploits working on Windows, so I went ahead to Spotify’s CEF CDN, downloaded the version being used by wallpaper_engine, i.e. 83.0.4103.97, and tried to get it to work. After a lot of trial and error with x64dbg and other tools I finally discovered why it wasn’t working: Spotify’s builds had the sandbox enabled…
After finally getting past that embarrassing moment I attempted to debug wallpaper_engine with x64dbg, but when I went to attach to a process it didn’t show up in the list. I was stupefied and the x64dbg wiki wasn’t helpful, but when looking at my task manager I saw the following process: webwallpaper32.exe, and then it hit me: I was trying to debug a 32-bit app with a 64-bit debugger…
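The bitness mismatch above is cheap to rule out before attaching a debugger: the PE header of the executable says whether it is a 32-bit or 64-bit image. The parser below is an added example, not code from the post; it reads the DOS header's e_lfanew field, checks the PE signature, and returns the COFF Machine value and the optional-header Magic (0x10b for PE32, 0x20b for PE32+). The header bytes it is run against are constructed in the script, so it works offline; point describe_file at a real executable to check the file itself.

```python
import struct
from typing import Dict

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
PE32_MAGIC = 0x010B      # optional header magic of a 32-bit image
PE32PLUS_MAGIC = 0x020B  # optional header magic of a 64-bit image

MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86",
    IMAGE_FILE_MACHINE_AMD64: "x64",
    IMAGE_FILE_MACHINE_ARM64: "arm64",
}


def parse_pe_header(data: bytes) -> Dict[str, int]:
    """Return the COFF Machine field and optional-header Magic of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature, the 20-byte COFF header and the 2-byte Magic.
    if len(data) < e_lfanew + 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]   # first COFF field
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]    # first optional-header field
    return {"machine": machine, "magic": magic}


def pe_bitness(data: bytes) -> int:
    """Return 32 or 64 according to the optional-header Magic."""
    hdr = parse_pe_header(data)
    if hdr["magic"] == PE32PLUS_MAGIC:
        return 64
    if hdr["magic"] == PE32_MAGIC:
        return 32
    raise ValueError(f"unknown optional header magic 0x{hdr['magic']:x}")


def is_pe(data: bytes) -> bool:
    """True when the bytes carry a parseable PE header."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False


def debugger_matches(data: bytes, debugger_bits: int) -> bool:
    """True when a debugger of the given bitness can attach to this image's processes."""
    return pe_bitness(data) == debugger_bits


def describe_file(path: str) -> str:
    """Summarise an on-disk executable; the headers sit well inside the first 4 KiB."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    hdr = parse_pe_header(head)
    arch = MACHINE_NAMES.get(hdr["machine"], f"machine 0x{hdr['machine']:x}")
    return f"{path}: {arch}, {pe_bitness(head)}-bit image"


def make_fake_pe_header(machine: int, magic: int) -> bytes:
    """Constructed minimal header (not a real file) used to exercise the parser."""
    e_lfanew = 0x40
    buf = bytearray(e_lfanew + 26)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    struct.pack_into("<H", buf, e_lfanew + 24, magic)
    return bytes(buf)


if __name__ == "__main__":
    sample32 = make_fake_pe_header(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)
    sample64 = make_fake_pe_header(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)
    print("32-bit sample seen by a 64-bit debugger:", debugger_matches(sample32, 64))
    print("64-bit sample seen by a 64-bit debugger:", debugger_matches(sample64, 64))
```

The Magic field is used for the verdict rather than the Machine field because it is what decides the image format; Machine is reported alongside it so that an unfamiliar architecture is still visible.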
Well, now I knew why the exploit wasn’t working: you can’t just expect a 64-bit V8 exploit to work on a 32-bit build. I needed to port it to 32-bit, and this is when I switched to Linux to start my porting job, as I am far better with that environment. I went ahead and checked out the V8 source code at the specific commit I was targeting, compiled a release version, and was off to the races.
There wasn’t much info on 32-bit V8 exploits that I could find; it was pretty much all trial and error, with the great info from faraz.faith and the experience from LiveOverflow’s browser exploitation series.
conclusion
This bug is probably wormable: by changing the infected user’s own workshop wallpapers, and since the workshop auto-updates, if your active wallpaper’s author gets infected it would basically auto-download and auto-run on your computer.
This is why you should be extra careful when implementing CEF in your application, and if you ever see any indication of CEF being used by an application you use daily, there might be some bugs hidden in it.
timeline
23/04/2021 Bug was reported
25/04/2021 Was fixed in the beta branch of Wallpaper Engine
12/06/2021 Fixed in Wallpaper Engine 1.6