89 lines
No EOL
3.6 KiB
Text
89 lines
No EOL
3.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA1
|
|
|
|
+------------------------------------------------------------------------------+
|
|
| Packet Storm Advisory 2013-0903-1 |
|
|
| http://packetstormsecurity.com/ |
|
|
+------------------------------------------------------------------------------+
|
|
| Title: Apple Safari Heap Buffer Overflow |
|
|
+--------------------+---------------------------------------------------------+
|
|
| Release Date | 2013/09/03 |
|
|
| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) |
|
|
| Researcher | Vitaliy Toropov |
|
|
+--------------------+---------------------------------------------------------+
|
|
| System Affected | Apple Safari |
|
|
| Versions Affected | 6.0.1 for iOS 6.0 and OS X 10.7/8, possibly earlier |
|
|
| Related Advisory | APPLE-SA-2012-11-01-2 |
|
|
| Related CVE Number | CVE-2012-3748 |
|
|
| Vendor Patched | 2012/11/01 |
|
|
| Classification | 1-day |
|
|
+--------------------+---------------------------------------------------------+
|
|
|
|
+----------+
|
|
| OVERVIEW |
|
|
+----------+
|
|
|
|
The release of this advisory provides exploitation details in relation to a
|
|
known patched vulnerability in Apple Safari. These details were obtained
|
|
through the Packet Storm Bug Bounty program and are being released to the
|
|
community.
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
+---------+
|
|
| DETAILS |
|
|
+---------+
|
|
|
|
The heap memory buffer overflow vulnerability exists within the WebKit's
|
|
JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined
|
|
JavaScript function and calls it from the native code to compare array items.
|
|
If this compare function reduces array length, then the trailing array items
|
|
will be written outside the "m_storage->m_vector[]" buffer, which leads to the
|
|
heap memory corruption.
|
|
|
|
The exploit for this vulnerability is a JavaScript code which shows how to
|
|
use it for memory corruption of internal JS objects (Unit32Array and etc.)
|
|
and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted
|
|
into the JS code).
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
+------------------+
|
|
| PROOF OF CONCEPT |
|
|
+------------------+
|
|
|
|
The full exploit code is available here:
|
|
http://packetstormsecurity.com/files/123088/
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/28081.tgz
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
+---------------+
|
|
| RELATED LINKS |
|
|
+---------------+
|
|
|
|
http://lists.apple.com/archives/security-announce/2012/Nov/msg00001.html
|
|
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3748
|
|
|
|
+------------------------------------------------------------------------------+
|
|
|
|
|
|
+----------------+
|
|
| SHAMELESS PLUG |
|
|
+----------------+
|
|
|
|
The Packet Storm Bug Bounty program gives researchers the ability to profit
|
|
from their discoveries. You can get paid thousands of dollars for one day
|
|
and zero day exploits. Get involved by contacting us at
|
|
getpaid@packetstormsecurity.com or visit the bug bounty page at:
|
|
|
|
http://packetstormsecurity.com/bugbounty/
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.4.14 (GNU/Linux)
|
|
|
|
iEYEARECAAYFAlImrisACgkQrM7A8W0gTbHnIwCfR6vCe/+YjbxYoeHaErbHYDsN
|
|
bC0An34R0Am9RemKiIDnoa+hD3pT+M0y
|
|
=VXyD
|
|
-----END PGP SIGNATURE----- |