This Metasploit modules exploits a type confusion in Google Chrome's JIT compiler. The Object.create operation can be used to cause a type confusion between a PropertyArray and a NameDictionary. The payload is executed within the rwx region of the sandboxed renderer process, so the browser must be run with the --no-sandbox option for the payload to work.
2040ec95b119e742369ae8f7039cd437macOS and iOS have a vulnerability with ImageIO where memory safety issues occur when processing OpenEXR images.
dfd701d5c1fe94bd260c7c44d2b790ffAn issue in JSC leaves the data flow graph inconsistent. While fuzzing JavaScriptCore with fuzzilli, the researcher found a crash condition in JSC.
8ff3ad6a06cbb649d99f59f076aa906eOpenEXR suffers from multiple memory safety issues including out-of-bounds access.
8d08baf0c93f03a247b45a66e29d52b0macOS and iOS suffer from an ImageIO out-of-bounds read when processing PVR images.
65a5c4717babccedb508eed5edd77a7dmacOS and iOS have an ImageIO heap corruption issue when processing malformed PVR images.
09ee6affef93456d05af1a19df94303bImageIO on macOS suffers from an issue where a heap out-of-bounds write occurs when processing JPEG images.
97e1f93434c4368069b75479c4a0d5c6macOS and iOS suffer from an out-of-bounds read when processing DDS images with ImageIO.
744a77b150f3b9b90f322d4ef38f096dmacOS and iOS suffers from an ImageIO heap corruption vulnerability when processing malformed TIFF images.
f09a3684b3b87ef878c518dc38922c1ciMessage suffers from an issue where decoding NSSharedKeyDictionary can lead to out-of-bounds reads.
a2b5e05c79091ab5459b0ba4514324d3iMessage suffers from an issue where decoding NSSharedKeyDictionary can read an ObjC object at attacker controlled address.
44b9493651f02f67170dee4980389e1aJSC suffers from a type confusion vulnerability during bailout when reconstructing arguments objects.
6a4caa0c9a9e7558705c23bf516ebff4JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.
63f1952a7a692ab451a162d31ee902edV8 map migration does not respect element kind, leading to a type confusion vulnerability.
f6ab8a5e41409debf546a94e0e445037This repository contains several tools Project Zero uses to test iPhone messaging. It includes SmsSimulator: an SMS simulator for iPhone, iMessage: tools for sending and dumping iMessage messages, and imapiness: a fuzzer for IMAP clients. See the directory for each tool for further instructions and contact information. This is not an officially supported Google product. These tools were released and presented at BlackHat USA 2019.
2e9ddb1606e5ec0f3068837fa5919c6cNSKeyedUnarchiver suffers from a use-after-free vulnerability with ObjC objects when unarchiving OITSUIntDictionary instances even if secureCoding is required.
70ef6bfcfed7ece0d7495dba139227e2JavaScriptCore suffers from an issue where there's a JSValue use-after-free vulnerability in ValueProfiles.
1ab75d03880956f7d5252f34b059120aJavaScriptCore DFG loop-invariant code motion (LICM) has an issue where it leaves object property access unguarded.
f7edad8829fb8a634c008e209dbf7127In Spidermonkey, definite properties are incorrectly computed in some cases, leading to uninitialized memory access when unboxed objects are enabled.
79fc5823bfa08cae2fcfd2ee4bbcd32cSpidermonkey IonMonkey incorrectly predicts return type of Array.prototype.pop, leading to type confusion vulnerabilities.
b9cfb835c09f9ff2359a0ac43fb9d908This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
394148cda471deeb3abbfdccf622fa46Spidermonkey IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption.
f548194e2e5ce1c18bacbf389f666b48JavaScript V8 Turbofan may read a Map pointer out-of-bounds when optimizing Reflect.construct.
36998fe03e21e2360e63455dcd1824edSpidermonkey IonMonkey suffers from an issue where an unexpected ObjectGroup in the ObjectGroupDispatch operation might lead to potentially unsafe code being executed.
9fd40f0341879df02a9860af01e711aaJSC DFG's doesGC() is incorrect about the HasIndexedProperty operation's behavior on StringObjects.
447815ba563e6a4e43af5179de5f3476
© 2020 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed