Turbofan fails to deoptimize code after map deprecation, leading to a type confusion vulnerability.
4675105280cdacd6d7b10a3432235de93f0ad03438e55b1af205dc5e314ff026PAC aims to prevent an attacker with the ability to read and write memory from executing arbitrary code. It does that by cryptographically signing and validating code pointers (as well as some data pointers) at runtime. However, it seems that imports of function pointers from shared libraries in userspace are not properly protected by PAC, allowing an attacker to sign arbitrary pointers and thus bypass PAC.
5678bd6488f4650c38c54830ecab44a07b651b61fd1c0a35953bf286d640cfe7A PAC and JIT hardening bypass exists in WebKit on iOS.
7e43df27a79d01df906491c3fa75f5b9b076ed4934270a40b2e9bf12e7d1271cThe DFG and FTL JIT compilers incorrectly replace Checked with Unchecked ArithNegate operations (and vice versa) during Common Subexpression Elimination. This can then be exploited to cause out-of-bounds accesses and potentially other memory safety violations.
c63474f7958ed7b94d4d7df571792f778fb9ea8a94dac6a55e849f3c5a09d7e2This Metasploit modules exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.
5a38c9abffbaf08c049cb1b58519cd4edf1737251883302e32656d4b4f6eadc6macOS and iOS have a vulnerability with ImageIO where memory safety issues occur when processing OpenEXR images.
23ef758e43b0bb631041d08cd27de77d60045e1369c4166c69601d12ea248b03An issue in JSC leaves the data flow graph inconsistent. While fuzzing JavaScriptCore with fuzzilli, the researcher found a crash condition in JSC.
f2e43004dcfceafecefbc6c781e8b7b7c0553fe8bd4f4bb81b7c35e3f2629141OpenEXR suffers from multiple memory safety issues including out-of-bounds access.
d7f7bcfc376186e510d108af1edd8e502ddcaa95444256cedbc8fa3a1e31276emacOS and iOS suffer from an ImageIO out-of-bounds read when processing PVR images.
f6b6615ff3c10615db4544403efd534d79c5bca32c67cc20611c861580487992macOS and iOS have an ImageIO heap corruption issue when processing malformed PVR images.
546388d4bf46530e3c77204e301afd8ecd6eddfbb73e6073087f364fa8d6d25bImageIO on macOS suffers from an issue where a heap out-of-bounds write occurs when processing JPEG images.
0fded68d208fd526884efcafbf5ad255a269c1c26776d09f5cb316dd3ee8dc96macOS and iOS suffer from an out-of-bounds read when processing DDS images with ImageIO.
2a3ee9088ec7bc67462b2f166cd760628181995daea86c0601cdd51c7b7d773fmacOS and iOS suffers from an ImageIO heap corruption vulnerability when processing malformed TIFF images.
13426064f89c728f71398758157ce3dd58664468ab3aed036f25619661b4c556iMessage suffers from an issue where decoding NSSharedKeyDictionary can lead to out-of-bounds reads.
a772ba6d56eb9f4385d289203202f34b3b8949163d27b60eb66aefa0e64c8f4diMessage suffers from an issue where decoding NSSharedKeyDictionary can read an ObjC object at attacker controlled address.
b18e9e6778ffc1757603d2aa43c54b09f80d4266e6e7a9dbcec8b1612156526aJSC suffers from a type confusion vulnerability during bailout when reconstructing arguments objects.
762e61444c8ff7e2cb5b183d57fbdd52d862a600247e6dd7cb87b54328d97054JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.
f8e60930397de757314b85c289c63228a5b19761b6793d77e58b54ffc9aab262V8 map migration does not respect element kind, leading to a type confusion vulnerability.
66abbd66703464406f6bb552f67f0494667856838fdad4d68539221d8a3797c1This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.
fa8f560293640c4759f220069490d2498cf18f75ce1183b3ab8f77dd819585e5NSKeyedUnarchiver suffers from a use-after-free vulnerability with ObjC objects when unarchiving OITSUIntDictionary instances even if secureCoding is required.
63703796ab8c03a5e2f4d71cdf0827418691b14bf48da00e28c71cabc8224370JavaScriptCore suffers from an issue where there's a JSValue use-after-free vulnerability in ValueProfiles.
a9501df8f786600223589a22ac96f06da65cf505b543b54f2ef6219f16639ac6JavaScriptCore DFG loop-invariant code motion (LICM) has an issue where it leaves object property access unguarded.
8fd7bdc27408729bccdf334f804fe0fb27728920396e0444c1671aec6b62ab56In Spidermonkey, definite properties are incorrectly computed in some cases, leading to uninitialized memory access when unboxed objects are enabled.
d5e57b45335987c57a60c695f2a40c77e9067f21be0de63eebb043e2659b8b6cSpidermonkey IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusion vulnerabilities.
9e304ae2a07d3108f6f5ef85d1c28d031eea4e4fd06da0f3643edab9e09c52eeThis Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
ac8550e0b0dd814a249c313353fcb65341e18bb2e59885151b0cffac8172e060
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed