Google Chrome WebRTC addIceCandidate use after free vulnerability
We discussed this vulnerability during Episode 102 on 23 November 2021
A use-after-free in AddIceCandidate(), the WebRTC function that adds Interactive Connectivity Establishment (ICE) candidates while a session is being set up. The problem is that it is possible to set up a Promise whose callback calls setLocalDescription(), which marks part of the local description's memory for collection by the garbage collector. That memory is still used by AddIceCandidate(). So if garbage collection can be triggered after the Promise callback runs but before AddIceCandidate() executes, AddIceCandidate() operates on freed memory, a use-after-free that can be taken to code execution.
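The ordering that makes this a use-after-free, as an added model written for this summary (it is not Chromium or WebRTC code and makes no claim about the real patch). Freed memory is modelled as a description object with a `freed` flag, and the Promise callback that runs before the candidate is applied is modelled as an explicit task queue drained at the point where the real implementation yields. The "safe" variant, which re-reads the current description after the yield, is one illustrative hardening and is an assumption, not the fix Chromium shipped.

```javascript
// Constructed model of the race behind the addIceCandidate() use-after-free.
// Not Chromium code: class and method names are placeholders chosen here.

class Description {
  constructor(sdp) {
    this.sdp = sdp;
    this.candidates = [];
    this.freed = false; // models memory reclaimed by the garbage collector
  }
  addCandidate(candidate) {
    if (this.freed) {
      // In native code this is the use of freed memory; here it just throws.
      throw new Error(`use-after-free: candidate applied to freed ${this.sdp}`);
    }
    this.candidates.push(candidate);
  }
}

class ModelPeerConnection {
  constructor() {
    this.localDescription = new Description("offer-v1");
    this.pending = []; // callbacks queued to run at the next yield point
  }
  // Models a Promise callback set up to run before the candidate is applied.
  queueTask(fn) {
    this.pending.push(fn);
  }
  // Models the yield: queued Promise callbacks run, then GC reclaims garbage.
  runPendingTasks() {
    while (this.pending.length) this.pending.shift()();
  }
  setLocalDescription(sdp) {
    const old = this.localDescription;
    this.localDescription = new Description(sdp);
    old.freed = true; // old description is now garbage and gets collected
  }
  // Vulnerable shape: capture the description, yield, then use it.
  addIceCandidateUnsafe(candidate) {
    const desc = this.localDescription; // reference captured up front
    this.runPendingTasks();             // setLocalDescription() + GC run here
    desc.addCandidate(candidate);       // stale if the description was replaced
    return desc;
  }
  // Illustrative hardening (assumption, not the real patch): resolve the
  // description only after the yield, so the stale reference is never used.
  addIceCandidateSafe(candidate) {
    this.runPendingTasks();
    const desc = this.localDescription;
    desc.addCandidate(candidate);
    return desc;
  }
}

// Runs the race once: a queued callback swaps the local description while
// addIceCandidate() is in flight. Returns whether the model hit freed memory.
function triggerRace(useSafeVariant) {
  const pc = new ModelPeerConnection();
  pc.queueTask(() => pc.setLocalDescription("offer-v2"));
  try {
    const desc = useSafeVariant
      ? pc.addIceCandidateSafe("candidate:1 1 udp 2122260223 192.0.2.10 51000 typ host")
      : pc.addIceCandidateUnsafe("candidate:1 1 udp 2122260223 192.0.2.10 51000 typ host");
    return { uaf: false, appliedTo: desc.sdp, count: desc.candidates.length };
  } catch (e) {
    return { uaf: true, error: e.message };
  }
}
```

Calling `triggerRace(false)` reports the use-after-free, while `triggerRace(true)` applies the candidate to the new "offer-v2" description. The candidate string is a constructed sample; the point of the model is only where the reference is taken relative to the yield.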