117 matches found

CVE | added 2018/09/29 5:00 p.m. | 45 views

CVE-2018-17781

Foxit PhantomPDF and Foxit Reader are affected: versions before 9.3 are vulnerable to an Uninitialized Object Information Disclosure caused by mishandling ArrayBuffer and DataView object creation. This allows remote attackers to obtain information without user interaction. No remediation details ...

CVSS 7.5 | AI score 7.8 | EPSS 0.0008
Exploits 1 | References 2 | Affected Software 2

Cvelist | added 2018/09/29 5:00 p.m. | 13 views

CVE-2018-17781

Foxit PhantomPDF and Reader before 9.3 allow remote attackers to trigger Uninitialized Object Information Disclosure because creation of ArrayBuffer and DataView objects is mishandled...

AI score 7.9 | EPSS 0.0008
Exploits 1 | References 2

GoogleProjectZero | added 2018/08/16 12:00 a.m. | 37 views

The Problems and Promise of WebAssembly

Posted by Natalie Silvanovich, Project Zero WebAssembly is a format that allows code written in assembly-like instructions to be run from JavaScript. It has recently been implemented in all four major browsers. We reviewed each browser’s WebAssembly implementation and found three vulnerabilities...

CVSS 8.8 | AI score 8.9 | EPSS 0.55986
Exploits 10

exploitpack | added 2018/06/25 12:00 a.m. | 40 views

Foxit Reader 9.0.1.1049 - Remote Code Execution

Foxit Reader 9.0.1.1049 - Remote Code Execution %PDF 1 0 obj 2 0 obj /S /JavaScript /JS / Foxit Reader Remote Code Execution Exploit ========================================== Written by: Steven Seeley mrme of Source Incite Date: 22/06/2018 Technical details:...

CVSS 6.8 | AI score 7.8 | EPSS 0.87256
Exploits 13

Exploit DB | added 2018/06/08 12:00 a.m. | 31 views

WebKit - WebAssembly Compilation Info Leak

arrayBufferView-vector : staticcastarrayBuffer-impl-data; If the source buffer is a view DataView or TypedArray, arrayBufferView-vector is returned. The vector method returns the start of the data in the buffer, including any offset. However, the function createSourceBufferFromValue copies the...

AI score 7.4
Exploits 0

seebug.org | added 2018/06/08 12:00 a.m. | 121 views

Microsoft Edge: Chakra: Cross context bug(CVE-2018-0946)

Background The CrossSite class is used for passing JavaScript variables across different contexts. Chakra is basically trying to wrap every variable being passed from a context to another context. The way it wraps an object is, first overwrite the virtual function table pointer of the given objec...

CVSS 7.6 | AI score 7.9 | EPSS 0.63585
Exploits 4

Exploit DB | added 2018/05/25 12:00 a.m. | 35 views

Microsoft Edge Chakra - Cross Context Use-After-Free

f.onload = null; // Garbage collection for let i = 0; i 10; i++ new ArrayBuffer1024 1024 40; let obj = opt; // "opt" returns the freed string constant. ; // Closing the different context f.src = 'about:blank'; But in fact, if you run the code, you will see an exception...

AI score 7.4
Exploits 0

Zero Day Initiative | added 2017/12/06 12:00 a.m. | 26 views

Microsoft Chakra asm.js ArrayBuffer Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Chakra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...

CVSS 7.5 | AI score 2.7 | EPSS 0.42327
Exploits 14 | References 1

Zero Day Initiative | added 2017/10/11 12:00 a.m. | 33 views

Microsoft Chakra asm.js ArrayBuffer Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Chakra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...

CVSS 7.5 | AI score 2.7 | EPSS 0.42327
Exploits 14 | References 1

Zero Day Initiative | added 2017/07/10 12:00 a.m. | 54 views

(Pwn2Own) Microsoft Chakra ArrayBuffer Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Chakra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...

CVSS 6.8 | AI score 2.4 | EPSS 0.55566
Exploits 2 | References 1

Packet Storm | added 2017/06/15 12:00 a.m. | 68 views

WebKit JSC arrayProtoFuncSplice Initialization Fail

WebKit: JSC: arrayProtoFuncSplice doesn't initialize all indices. CVE-2017-6980 Here's a snippet of arrayProtoFuncSplice. EncodedJSValue JSCHOSTCALL arrayProtoFuncSpliceExecState exec ... result = JSArray::tryCreateForInitializationPrivatevm,...

CVSS 6.8 | AI score 0.5 | EPSS 0.06301
Exploits 2

seebug.org | added 2017/06/06 12:00 a.m. | 34 views

WebKit Unspecified Memory Corruption Vulnerability(CVE-2017-2521)

WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed. Here's a snippet of JSObject::ensureLength. bool WARNUNUSEDRETURN ensureLengthVM& vm, unsigned length ASSERTlength vectorLength publicLength setPublicLengthlength; return result; |setPublicLength| is called whether...

CVSS 6.8 | AI score 8.1 | EPSS 0.05746
Exploits 4

Exploit DB | added 2017/06/01 12:00 a.m. | 52 views

WebKit JSC - 'JSObject::ensureLength' ensureLengthSlow Check Failure

/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1165 Here's a snippet of JSObject::ensureLength. bool WARNUNUSEDRETURN ensureLengthVM& vm, unsigned length ASSERTlength vectorLength publicLength setPublicLengthlength; return result; |setPublicLength| is called whether...

AI score 7.4
Exploits 0

Packet Storm | added 2017/06/01 12:00 a.m. | 80 views

WebKit JSC JSObject::ensureLength Failure Check

WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed. CVE-2017-2521 Here's a snippet of JSObject::ensureLength. bool WARNUNUSEDRETURN ensureLengthVM& vm, unsigned length ASSERTlength vectorLength publicLength setPublicLengthlength; return result; |setPublicLength| is calle...

AI score 0.3 | EPSS 0.05746
Exploits 4

Exploit DB | added 2017/05/26 12:00 a.m. | 59 views

Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write

// Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/ // // v8 exploit for https://crbug.com/716044 var oobrw = null; var leak = null; var arbrw = null; var code = function return 1; code; class BuggyArray extends Array constructorlen super1; oobrw = new Array1.1, 1.1; leak = new...

AI score 7.4
Exploits 0

exploitpack | added 2017/05/26 12:00 a.m. | 15 views

Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write

Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write // Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/ // // v8 exploit for https://crbug.com/716044 var oobrw = null; var leak = null; var arbrw = null; var code = function return 1; code; class BuggyArray extend...

AI score 0.2
Exploits 0

Zero Day Initiative | added 2017/05/10 12:00 a.m. | 53 views

(Pwn2Own) Microsoft Edge ArrayBuffer Use-After-Free Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...

CVSS 6.8 | AI score 2.9 | EPSS 0.55566
Exploits 2 | References 1

myhack58 | added 2017/05/08 12:00 a.m. | 64 views

MS16-145: Edge browser TypedArray.sort UAF vulnerability analysis - vulnerability warning - the black bar safety net

In this article we give the reader a detailed analysis of how a UAF vulnerability in the MS Edge browser leads to remote code execution. It provides an in-depth analysis of the root cause of the MS Edge CVE-2016-7288 UAF vulnerability and of how to reliably trigger...

CVSS 7.6 | EPSS 0.79309
Exploits 2

0day.today | added 2017/05/05 12:00 a.m. | 54 views

Apple Safari 10.0.3 - JSC::CachedCall Use-After-Free Exploit

Exploit for macOS platform in category remote exploits function makecompiledfunction function targetx return x5 + x - xx; // Call only once so that function gets compiled with low level interpreter // but none of the optimizing JITs target0; return target; function pwn var haxs = new Array0x100;...

CVSS 6.8 | AI score 8.2 | EPSS 0.21689
Exploits 4

seebug.org | added 2017/03/20 12:00 a.m. | 70 views

Firefox Integer overflow leading to a buffer overflow in nsScriptLoadHandler (CVE-2016-9066)

This post will explore how CVE-2016-9066, a simple Firefox vulnerability that is nonetheless quite interesting from an exploitation perspective, can be exploited to gain code execution. tl;dr: an integer overflow in the code responsible for loading script tags leads to an out-of-bounds write past the end of an...

AI score 9.6 | EPSS 0.20609
Exploits 3