Spidermonkey IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption.
21e617fce84dfd81b604a208a22a2b6eddb28a37714ca8e794f2f450afc722a0JavaScript V8 Turbofan may read a Map pointer out-of-bounds when optimizing Reflect.construct.
d311bfc7e073e0c75b323b15851c846fd853b8cc1624285339ab7bbf990ab06eSpidermonkey IonMonkey suffers from an issue where an unexpected ObjectGroup in the ObjectGroupDispatch operation might lead to potentially unsafe code being executed.
76e43c0e0e984a9dd1a8f86e7060af365211daca525ccf24f7d75bf8f970279cJSC DFG's doesGC() is incorrect about the HasIndexedProperty operation's behavior on StringObjects.
14a279bae66e49056c0e4b2a9091c3240e0fe8851027046cca926102cea4471bJavaScriptCore loop-invariant code motion (LICM) in DFG JIT leaves a stack variable uninitialized.
27425be0903bc29c98b9ac1f8d97a7534299a0640fd9a7853018e50fa5fb5df7JavaScriptCore AIR optimization incorrectly removes assignment to register.
a8dd00ac9f2bcbdc2b915ee79af5769a43a82c3045a988444400a182ce34eb0cChrome V8 has an issue where JSCallReducer::ReduceArrayIndexOfIncludes in turbofan fails to insert Map checks.
f2e3a6c1975312311ca52450b341527d0b9e158c27138efc307a365bd9595b74JavaScriptCore suffer from an out-of-bounds access vulnerability in FTL JIT due to LICM moving array access before the bounds check.
9a02a54289b2b9f809f566be2d17028c79e568ca28237359ba4a8b4c918b6c32JavaScriptCore suffers from CodeBlock use-after-free vulnerabilities due to dangling Watchpoints.
30aab9e3b032f95ac520c57e1d074e71d3dfc7391284ee4107e7ab009d5eb514XNU has an issue where pidversion increment during execve is unsafe.
2828bbb358863a44474238816c7e9b7bd8be56c3e4abd3cbe5d4946a7923e3d0JavaScriptCore has an issue where createRegExpMatchesArray does not respect inferred types.
e3e805d860fc95f3375effbe7e1765bebfec64afa85c31a72c61f81229111064A bug in IonMonkey leaves type inference information inconsistent, which in turn allows the compilation of JITed functions that cause type confusions between arbitrary objects.
0d0ded10759c5c95d391d24ddcc96e23e393aa708a7bf5a1a78768bd095306eeA bug in IonMonkeys type inference system when JIT compiling and entering a constructor function via on-stack replacement (OSR) allows the compilation of JITed functions that cause type confusions between arbitrary objects.
69137aa1448d0433945fde8e7e4340601a30cc89d0f1611dc9c4960de77a3759This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion.
02d9b935a7a5cdf82db861dce43947e948ad10d79814fe11cb814deae28bd90eThis Metasploit module exploits a vulnerability in libxpc on macOS versions 10.13.3 and below. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child processes, we can now gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which is used by sudo to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.
d81c090e142679481756278a6bfdf34affd2552062d989fcb8bd5743ab2960b1Foxit PDF Reader version 9.0.1.1049 has a use-after-free vulnerability in the Text Annotations component and the TypedArray's use uninitialized pointers. The vulnerabilities can be combined to leak a vtable memory address, which can be adjusted to point to the base address of the executable. A ROP chain can be constructed that will execute when Foxit Reader performs the UAF.
328a4999829d5eb3b12ffaeb666a27977fb72410e1a96f44c840761020615f82Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622.
a2a651765bcc685814d2b564c3c669f0395802f26c4a1113472d38c2118c52fdApple Safari version 10.1 suffers from a spread operator integer overflow vulnerability.
2c0f5292b08697d84ad06fa095308fd81efb603b3e447a509d09fc788e834534Linux 3.4+ arbitrary write exploit for CONFIG_X86_X32 that spawns a root shell.
4fc904f1502158ecb8a6b7cfef323a01f7b9fb01f6ee00d06660c72f407ddd61This Metasploit module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.
5caa8725f0b0e52002e2804749d851584f474a1d0b411c2a827865afd2da031c
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed