WebKitGTK 2.1.2 (Ubuntu 14.04) Heap based Buffer Overflow

2018.03.01
Credit: Ren Kimura
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# CVE-2014-1303 PoC for Linux CVE-2014-1303 (WebKit Heap based BOF) proof of concept for Linux. This repository demonstrates the WebKit heap based buffer overflow vulnerability (CVE-2014-1303) on **Linux**. **NOTE:** Original exploit is written for Mac OS X and PS4 (PlayStation4). I've ported and tested work on Ubuntu 14.04, [WebKitGTK 2.1.2](https://webkitgtk.org/releases/) ## Usage Firstly you need to run simple web server, ``` $ python server.py ``` then ``` $ cd /path/to/webkitgtk2.1.2/ $ ./Programs/GtkLauncher http://localhost ``` You can run several tests like, - Crash ROP (Jump to invalid address like 0xdeadbeefdeadbeef) - Get PID (Get current PID) - Code Execution (Load and execute payload from outer network) - File System Dump (Dump "/dev" entries) ## Description **exploit.html** ..... trigger vulnerability and jump to ROP chain **scripts/roputil.js** ..... utilities for ROP building **scripts/syscall.js** ..... syscall ROP chains **scripts/code.js** ..... hard coded remote loader **loader/** ..... simple remote loader (written in C) **loader/bin2js** ..... convert binary to js variables (for loader) ## Purpose I've created this WebKit PoC for education in my course. I couldn't, of course, use actual PS4 console in my lecture for legal reason :( ## Reference CVE 2014-1303 Proof Of Concept for PS4 (https://github.com/Fire30/PS4-2014-1303-POC) Liang Chen, WEBKIT EVERYWHERE: SECURE OR NOT? [BHEU14] (https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF)

References:

https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top