CVE-2021-33972
Description
Buffer overflow vulnerability in Qihoo 360 Safe Browser v13.0.2170.0 allows an attacker to escalate privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in Qihoo 360 Safe Browser v13.0.2170.0 allows an attacker to escalate privileges or achieve remote code execution with sandbox escape.
Vulnerability
A buffer overflow vulnerability exists in Qihoo 360 Safe Browser version 13.0.2170.0. The bug resides in an unspecified component of the browser, reachable without special configuration. The vulnerability allows an attacker to corrupt memory beyond the bounds of a buffer, leading to code execution. The affected version is 13.0.2170.0, though similar issues may exist in earlier versions such as 12.3.1611.0 as indicated by the exploit author [1].
Exploitation
An attacker does not require authentication or special network access; exploitation can be triggered by a victim visiting a malicious webpage or opening a crafted file. The exploit author demonstrates a working proof of concept for remote code execution with sandbox escape, implying that the attacker can achieve arbitrary code execution within the browser's sandbox and then break out to the underlying operating system. The exact sequence of steps is not publicly disclosed due to vendor confidentiality [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the browser, potentially leading to full system compromise. The sandbox escape aspect means the attacker can bypass security boundaries intended to isolate the browser process, resulting in a high-impact breach of confidentiality, integrity, and availability [1].
Mitigation
Qihoo 360 has not publicly released a patch for CVE-2021-33972 as of the publication date. The vendor was notified and details withheld; therefore no fixed version is available. Users should consider alternatives or apply least-privilege principles to limit the impact of exploitation. No known workaround has been published. The vulnerability is not listed on the CISA KEV catalog as of April 2023 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Qihoo 360/Safe Browser
- Range: = 13.0.2170.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.