WHY2025

Escaping a misleading "sandbox": breaking the WebAssembly-JavaScript barrier
2025-08-11, Cassiopeia
Language: English

When embedded into JavaScript, WebAssembly modules can be "sandboxed" by defining a limited set of imports. It turns out that an obscure "feature" allows us to craft an exploit which bypasses this barrier, enabling us to run arbitrary JavaScript code from within a malicious WASM module. All within spec... by accident?


When talking about WebAssembly, the word "sandbox" comes up often: modules are isolated from each other, and from the host runtime.
Hence, it is perfectly safe to run untrusted WASM modules (e.g. plugins) in a web app: the module's interfaces can be limited, so that any malicious code has no way of escaping.

... is what I thought.

In this talk I will show how a sneaky specification detail allows us to program a JavaScript version of a weird machine, to eventually escape from WebAssembly into running arbitrary JavaScript code. This trick is fully in-spec and requires no actual browser exploitation (we don't break that sandbox). Hence, this talk should be accessible for anyone with a basic JavaScript understanding. No WebAssembly experience is required: I will cover everything required to understand the exploit.
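The host-side pattern the abstract calls "sandboxing", as an added example that is not code from the talk or from Codean Labs: the module is instantiated against an explicit allow-list of imports, and anything it asks for beyond that list is rejected before any of its code runs. The module bytes are a constructed minimal binary (one import, one export); the talk's thesis is that limiting imports this way is not, by itself, a sufficient barrier.

```javascript
// Added example: the "limited imports" pattern on the host side.
// MODULE_BYTES is a hand-assembled, constructed module: it imports env.log(i32)
// and exports run(), which calls log(42). It declares no memory, tables or globals.
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                   // magic + version
  0x01, 0x08, 0x02, 0x60, 0x01, 0x7f, 0x00, 0x60, 0x00, 0x00,       // types: (i32)->(), ()->()
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x03, 0x6c, 0x6f, 0x67,
  0x00, 0x00,                                                       // import "env"."log" : type 0
  0x03, 0x02, 0x01, 0x01,                                           // one function of type 1
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01,             // export "run" = func 1
  0x0a, 0x08, 0x01, 0x06, 0x00, 0x41, 0x2a, 0x10, 0x00, 0x0b,       // body: i32.const 42; call 0; end
]);

// Lists what a module asks the host for, before anything in it runs.
function requestedImports(bytes = MODULE_BYTES) {
  return WebAssembly.Module.imports(new WebAssembly.Module(bytes));
}

// Instantiates the module with only the imports on an explicit allow-list.
// Any import the module requests that the host did not offer is a hard failure,
// so the module cannot quietly obtain a capability the host never intended.
function instantiateSandboxed(bytes, allowed) {
  const mod = new WebAssembly.Module(bytes);
  const importObject = {};
  for (const { module, name, kind } of WebAssembly.Module.imports(mod)) {
    const value = allowed[module] && allowed[module][name];
    if (value === undefined) {
      throw new Error(`module requests ${kind} import ${module}.${name}, which is not allowed`);
    }
    if (!importObject[module]) importObject[module] = {};
    importObject[module][name] = value;
  }
  return new WebAssembly.Instance(mod, importObject);
}

// Host side: the only capability handed in is a logger that appends to an array.
function runDemo() {
  const seen = [];
  const instance = instantiateSandboxed(MODULE_BYTES, {
    env: { log: (n) => { seen.push(n); } },
  });
  instance.exports.run();
  return seen; // [42]
}
```

Calling `instantiateSandboxed(MODULE_BYTES, {})` throws, because the module asks for `env.log` and the empty allow-list does not offer it.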

Thomas is lead security analyst at Codean Labs, where he focuses on application security evaluations and research. There, the urge to dive way too deep into dependencies has lately resulted in CVEs such as CVE-2024-4367 (Arbitrary JavaScript execution in PDF.js) and CVE-2024-29510 (Ghostscript RCE using format strings).

Outside of work, he likes to tinker with software and hardware, resulting in less "useful" hacks. You may have seen "Tetris in a PDF" or "Doom on a payment terminal".