ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
74 lines
No EOL
3.7 KiB
Text
74 lines
No EOL
3.7 KiB
Text
There's an integer overflow in computing the required allocation size when instantiating a new javascript object.
|
|
|
|
See the following code in objects.cc
|
|
|
|
// static
|
|
bool JSFunction::CalculateInstanceSizeForDerivedClass(
|
|
Handle<JSFunction> function, InstanceType instance_type,
|
|
int requested_embedder_fields, int* instance_size,
|
|
int* in_object_properties) {
|
|
Isolate* isolate = function->GetIsolate();
|
|
int expected_nof_properties = 0;
|
|
bool result = true;
|
|
for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
|
|
!iter.IsAtEnd(); iter.Advance()) {
|
|
Handle<JSReceiver> current =
|
|
PrototypeIterator::GetCurrent<JSReceiver>(iter);
|
|
if (!current->IsJSFunction()) break;
|
|
Handle<JSFunction> func(Handle<JSFunction>::cast(current));
|
|
// The super constructor should be compiled for the number of expected
|
|
// properties to be available.
|
|
Handle<SharedFunctionInfo> shared(func->shared());
|
|
if (shared->is_compiled() ||
|
|
Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
|
|
DCHECK(shared->is_compiled());
|
|
expected_nof_properties += shared->expected_nof_properties(); // <--- overflow here!
|
|
} else if (!shared->is_compiled()) {
|
|
// In case there was a compilation error for the constructor we will
|
|
// throw an error during instantiation. Hence we directly return 0;
|
|
result = false;
|
|
break;
|
|
}
|
|
if (!IsDerivedConstructor(shared->kind())) {
|
|
break;
|
|
}
|
|
}
|
|
CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
|
|
expected_nof_properties, instance_size,
|
|
in_object_properties);
|
|
return result;
|
|
}
|
|
|
|
By supplying a long prototype chain of objects with a large expected_nof_properties we can control the resulting value of instance_size by causing (requested_embedder_fields + requested_in_object_properties) << kPointerSizeLog2 to be overflown to a small negative value, resulting in an allocation smaller than header_size, which is the minimum required size for the base object class being allocated. This results in memory corruption when the object is initialised/used.
|
|
|
|
void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
|
|
bool has_prototype_slot,
|
|
int requested_embedder_fields,
|
|
int requested_in_object_properties,
|
|
int* instance_size,
|
|
int* in_object_properties) {
|
|
int header_size = JSObject::GetHeaderSize(instance_type, has_prototype_slot);
|
|
DCHECK_LE(requested_embedder_fields,
|
|
(JSObject::kMaxInstanceSize - header_size) >> kPointerSizeLog2);
|
|
*instance_size =
|
|
Min(header_size +
|
|
((requested_embedder_fields + requested_in_object_properties)
|
|
<< kPointerSizeLog2),
|
|
JSObject::kMaxInstanceSize);
|
|
*in_object_properties = ((*instance_size - header_size) >> kPointerSizeLog2) -
|
|
requested_embedder_fields;
|
|
}
|
|
|
|
The attached PoC crashes current stable on linux.
|
|
|
|
See crash report ID: 307546648ba8a84a
|
|
|
|
Chrome issue is https://bugs.chromium.org/p/chromium/issues/detail?id=808192
|
|
|
|
Attaching the working exploit for this issue.
|
|
|
|
Note that issue_808192.html is a template - it requires server.py to do a version check and patch a few version dependent constants in, since some object layouts have changed during the range of Chrome versions on which the exploit was tested.
|
|
|
|
|
|
Proof of Concept:
|
|
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44584.zip |