8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.034 Low
EPSS
Percentile
90.4%
I will be in this article to tell you about the vulnerability, CVE-2017-2536/ZDI-17-358, which is a typical plastic overflow vulnerability, when the system is in the calculation of the allocated space size, the vulnerability will likely lead to a heap buffer overflow. We not only give you aβsnappyβvulnerability PoC, and we also design for Safari 10.1 full use of loopholes in the programme, so everything will be very interesting!
Note: This function was originally in order to allow JavaScriptCore to better deal with the ECMAScript 6 extended operation and design, but saelo in February of this year found in which the presence of security issues.
Vulnerability analysis
Below is the JavaScript in an array of extended operation when build a new array of the use to the code:
SLOW_PATH_DECL(slow_path_new_array_with_spread)
{
BEGIN();
int numItems = pc[3]. u. operand;
ASSERT(numItems >= 0);
const BitVector& bitVector = exec->codeBlock()->unlinkedCodeBlock()->bitVector(pc[4]. u. unsignedValue);
Whether the* values = bitwise_cast<Whether the*>(&OP(2));
// [[ 1 ]]
unsigned arraySize = 0;
for (int i = 0; i < numItems; i++) {
if (bitVector. get(i)) {
Whether the value = values [βi];
JSFixedArray* array = jsCast<JSFixedArray*>(value);
arraySize += array->size();
} else
arraySize += 1;
}
JSGlobalObject* globalObject = exec->lexicalGlobalObject();
Structure* structure = globalObject->arrayStructureForIndexingTypeDuringallocation(ArrayWithContiguous);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, structure, arraySize);
CHECK_EXCEPTION();
// [[ 2 ]]
unsigned index = 0;
for (int i = 0; i < numItems; i++) {
Whether the value = values [βi];
if (bitVector. get(i)) {
// We are spreading.
JSFixedArray* array = jsCast<JSFixedArray*>(value);
for (unsigned i = 0; i < array->size(); i++) {
RELEASE_ASSERT(array->get(i));
result->initializeIndex(vm, index, array->get(i));
++index;
}
} else {
// We are not spreading.
result->initializeIndex(vm, index, value);
++index;
}
}
RETURN(result);
}
Please see the above code labeled[[1]]part, the function first computes an output array of length size, the program will later in[[2]]for space allocation and initialization. However, in this case the calculated array length of space is likely to occur the overflow, and causing a similar array is allocated.
Because JSObject::initializeIndex does not perform any boundary detection, in order to confirm this, Please first have a look below this paragraph of code:
/* β¦ /
case ALL_CONTIGUOUS_INDEXING_TYPES: {
ASSERT(i < a butterfly->publicLength());
ASSERT(i < a butterfly->vectorLength());
butterfly->contiguous()[i]. set(vm, this, v);
break;
}
/ β¦ */
If the data occurs cross-border, so this time there will be a heap buffer overflow problem. This vulnerability can be through the following script code to trigger:
var a = new Array(0x7fffffff);
var x = [13, 37, β¦a, β¦a];
In this case, a length of 0 the JSArray object will be created, and then to the JSArray object in the copy of the 2^32 elements in, our browser donβt want to see such things happen.
Of course, you want to solve this problem also is not difficult. We only need to add one for the plastic overflow detection function of the time can fix this problem. γBug fix plan
Exploit
Although the above given PoC code will many times use an array, but the JavaScriptCore will still be in every time the array expansion operation is assigned a JSFixedArray objects, see the labels[[2]]The following code. As a result, the system will allocate about forty billion a JSValues object, these JSValues object will occupy approximately 32GiB of RAM space. But fortunately, due to the macOS kernel introduced page compression function, so this problem does not on macOS
Platform to generate a greater impact, but for other platforms, the attacker can in a minute or so to successfully trigger this vulnerability, and therefore its impact is still relatively serious.
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.034 Low
EPSS
Percentile
90.4%