13 matches found
Google Chrome versions before 87.0.4280.88 integer overflow during SimplifiedLowering phase
This module exploits an issue in Google Chrome versions before 87.0.4280.88 64 bit. The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is...
Google Chrome SimplifiedLowering Integer Overflow Exploit
This Metasploit module exploits an issue in Google Chrome versions before 87.0.4280.88 64 bit. The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1...
WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write
/ bool JSArray::shiftCountWithArrayStorageVM& vm, unsigned startIndex, unsigned count, ArrayStorage storage unsigned oldLength = storage-length; RELEASEASSERTcount hasHoles && this-structurevm-holesMustForwardToPrototypevm, this || hasSparseMap || shouldUseSlowPutindexingType return false; if...
WebKit JSC JSArray::shiftCountWithArrayStorage Out-Of-Band Read / Write Exploit
WebKit: JSC: A bug in JSArray::shiftCountWithArrayStorage CVE-2018-4441 bool JSArray::shiftCountWithArrayStorageVM& vm, unsigned startIndex, unsigned count, ArrayStorage storage unsigned oldLength = storage-length; RELEASEASSERTcount hasHoles && this-structurevm-holesMustForwardToPrototypevm, thi...
WebKit JSC JSArray::shiftCountWithArrayStorage Out-Of-Band Read / Write
WebKit: JSC: A bug in JSArray::shiftCountWithArrayStorage CVE-2018-4441 bool JSArray::shiftCountWithArrayStorageVM& vm, unsigned startIndex, unsigned count, ArrayStorage storage unsigned oldLength = storage-length; RELEASEASSERTcount hasHoles && this-structurevm-holesMustForwardToPrototypevm, thi...
WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy(CVE-2017-7064)
WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy Here's a snippet of JSArray::appendMemcpy. bool JSArray::appendMemcpyExecState exec, VM& vm, unsigned startIndex, JSC::JSArray otherArray auto scope = DECLARETHROWSCOPEvm; if !canFastCopyvm, otherArray return false; IndexingType type =...
WebKit JSC JSArray::appendMemcpy Uninitialized Memory Copy Vulnerability
WebKit suffers from a JSC JSArray::appendMemcpy uninitialized memory copy vulnerability. WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy CVE-2017-7064 WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy Here's a snippet of JSArray::appendMemcpy. bool...
WebKit JSC JSArray::appendMemcpy Uninitialized Memory Copy
WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy CVE-2017-7064 WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy Here's a snippet of JSArray::appendMemcpy. bool JSArray::appendMemcpyExecState exec, VM& vm, unsigned startIndex, JSC::JSArray otherArray auto scope =...
WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices
WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices lexicalGlobalObject-arrayStructureForIndexingTypeDuringAllocationArrayWithUndecided, actualDeleteCount; if !result return JSValue::encodethrowOutOfMemoryErrorexec, scope; for unsigned k = 0; k initializeIndexvm, k, v;...
WebKit JSC arrayProtoFuncSplice Initialization Fail
WebKit: JSC: arrayProtoFuncSplice doesn't initialize all indices. CVE-2017-6980 Here's a snippet of arrayProtoFuncSplice. EncodedJSValue JSCHOSTCALL arrayProtoFuncSpliceExecState exec ... result = JSArray::tryCreateForInitializationPrivatevm,...
Apple iTunes Multiple Vulnerabilities - June13 (Mac OS X)
This host is installed with Apple iTunes and is prone to multiple vulnerabilities. OpenVAS Vulnerability Test $Id: gbappleitunesmultvulnjun13macosx.nasl 6104 2017-05-11 09:03:48Z teissa $ Apple iTunes Multiple Vulnerabilities - June13 Mac OS X Authors: Thanga Prakash S Copyright: Copyright c 2013...
Apple iTunes Multiple Vulnerabilities (Jun 2013) - Windows
Apple iTunes is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2013 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apple:itunes"; ifdescription...
Apple Safari Array Indexing Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of JSArray...