SpiderMonkey IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption.
21e617fce84dfd81b604a208a22a2b6eddb28a37714ca8e794f2f450afc722a0
V8's TurboFan JIT may read a Map pointer out-of-bounds when optimizing Reflect.construct.
d311bfc7e073e0c75b323b15851c846fd853b8cc1624285339ab7bbf990ab06e
SpiderMonkey IonMonkey suffers from an issue where an unexpected ObjectGroup in the ObjectGroupDispatch operation might lead to potentially unsafe code being executed.
76e43c0e0e984a9dd1a8f86e7060af365211daca525ccf24f7d75bf8f970279c
JSC DFG's doesGC() is incorrect about the HasIndexedProperty operation's behavior on StringObjects.
14a279bae66e49056c0e4b2a9091c3240e0fe8851027046cca926102cea4471b
JavaScriptCore loop-invariant code motion (LICM) in DFG JIT leaves a stack variable uninitialized.
27425be0903bc29c98b9ac1f8d97a7534299a0640fd9a7853018e50fa5fb5df7
JavaScriptCore AIR optimization incorrectly removes assignment to register.
a8dd00ac9f2bcbdc2b915ee79af5769a43a82c3045a988444400a182ce34eb0c
Chrome V8 has an issue where JSCallReducer::ReduceArrayIndexOfIncludes in TurboFan fails to insert Map checks.
f2e3a6c1975312311ca52450b341527d0b9e158c27138efc307a365bd9595b74
JavaScriptCore suffers from an out-of-bounds access vulnerability in the FTL JIT due to LICM moving an array access before its bounds check.
9a02a54289b2b9f809f566be2d17028c79e568ca28237359ba4a8b4c918b6c32
JavaScriptCore suffers from CodeBlock use-after-free vulnerabilities due to dangling Watchpoints.
30aab9e3b032f95ac520c57e1d074e71d3dfc7391284ee4107e7ab009d5eb514
XNU has an issue where pidversion increment during execve is unsafe.
2828bbb358863a44474238816c7e9b7bd8be56c3e4abd3cbe5d4946a7923e3d0
JavaScriptCore has an issue where createRegExpMatchesArray does not respect inferred types.
e3e805d860fc95f3375effbe7e1765bebfec64afa85c31a72c61f81229111064
A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.
0d0ded10759c5c95d391d24ddcc96e23e393aa708a7bf5a1a78768bd095306ee
A bug in IonMonkey's type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects.
69137aa1448d0433945fde8e7e4340601a30cc89d0f1611dc9c4960de77a3759
This Metasploit module exploits a type confusion bug in the JavaScript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of, e.g., an argument without causing a bailout, leading to a type confusion.
02d9b935a7a5cdf82db861dce43947e948ad10d79814fe11cb814deae28bd90e
This Metasploit module exploits a vulnerability in libxpc on macOS versions 10.13.3 and below. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child process, we can gain a MitM position between our child and launchd. To gain root, we target the sudo binary and intercept its communication with opendirectoryd, which sudo uses to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.
d81c090e142679481756278a6bfdf34affd2552062d989fcb8bd5743ab2960b1
Foxit PDF Reader version 9.0.1.1049 has a use-after-free vulnerability in the Text Annotations component, and its TypedArrays use uninitialized pointers. The two vulnerabilities can be combined to leak a vtable memory address, which can be adjusted to point to the base address of the executable. A ROP chain can be constructed that will execute when Foxit Reader performs the UAF.
328a4999829d5eb3b12ffaeb666a27977fb72410e1a96f44c840761020615f82
Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622.
a2a651765bcc685814d2b564c3c669f0395802f26c4a1113472d38c2118c52fd
Apple Safari version 10.1 suffers from a spread operator integer overflow vulnerability.
2c0f5292b08697d84ad06fa095308fd81efb603b3e447a509d09fc788e834534
Linux 3.4+ arbitrary write exploit for CONFIG_X86_X32 that spawns a root shell.
4fc904f1502158ecb8a6b7cfef323a01f7b9fb01f6ee00d06660c72f407ddd61
This Metasploit module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in ngx_http_parse_chunked() by supplying an overly long hex value as the chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, which makes the overflow possible.
5caa8725f0b0e52002e2804749d851584f474a1d0b411c2a827865afd2da031c