来源

关联漏洞

描述

CVE-2021-30809 UAF use-after-free PoC

介绍

## CVE-2021-30809 — Apple WebKit Use-After-Free Vulnerability (Crash PoC)


https://github.com/user-attachments/assets/e81f8a01-d48d-44cc-a38f-ce59b01222d5


### Overview
This repository contains a minimal crash-inducing harness for CVE-2021-30809, a use-after-free (UAF) vulnerability in WebKit. The PoC exercises the vulnerable code path by processing crafted web content and aims to reliably trigger a browser crash (not a full exploit). It is intended strictly for research, debugging, and regression testing.

- Target engine: WebKit (e.g., WebKitGTK / WPE WebKit, legacy forks embedded in devices)
- Example device under test: PlayStation 4 Browser (WebKit 605.1.15)
- Purpose: deterministic crash trigger to validate exposure and verify fixes/mitigations

### Affected components and versions
- WebKitGTK and WPE WebKit before 2.32.4 are reported as vulnerable.
- Apple platforms (Safari 15, iOS/iPadOS/tvOS/watchOS 15, ps4 6.00 to 12.52) contain the upstream fix according to vendor advisories.

Always consult vendor/security advisories for the definitive scope.

### PoC design
- The HTML invokes a JavaScript routine (`triggerCrash`) that stresses WebKit’s internationalization/date-time formatting code paths using crafted options and aggressive iteration.
- The sequence is designed to amplify lifetime/GC pressure and expose a UAF crash when the engine is vulnerable.
- No memory corruption primitives are harvested. The PoC intentionally avoids ROP/spray or privilege-escalation steps.

### Repository layout
- `exploit.html`: Entry point that wires UI to the PoC routine.
- `poc.js`: JavaScript harness that triggers the crash condition.
- `server.py`: Lightweight HTTP server with explicit routing, CORS, and simple logging.
- `start_server.bat`: Convenience launcher for Windows.

### Requirements
- Python 3.x
- A desktop OS or a device under test on the same LAN as the server

### Running the server
- Windows (recommended quick start):
  1. Double-click `start_server.bat` or run it from a terminal.
  2. The script resolves a suitable RFC1918 LAN IP and prints the access URLs, e.g. `http://localhost:8080` and `http://<LAN_IP>:8080`.

- Cross‑platform:
  1. Open a terminal in the project directory.
  2. Run: `python server.py`
  3. Navigate to the printed URL, typically `http://localhost:8080`.

### PS4 testing (example target)
1. Ensure the PS4 is connected to the same LAN as the server.
2. Open the PS4 Browser.
3. Browse to `http://<server-lan-ip>:8080`.
4. Click “Run Crash Test”.

### Server details
- Bind: `0.0.0.0:8080`
- Endpoints:
  - `/` or `/index.html` → serves `exploit.html`
  - `/poc.js` → serves the PoC harness
  - `/server-info.js` → exposes `{ ip, port, url, ips }` derived from local enumerations
  - `/ip` → returns the selected server IP as plain text
  - `/favicon.ico` → 204
- Features:
  - RFC1918 IP selection with preference order: `192.168.0.0/16`, then `10.0.0.0/8`, then `172.16.0.0/12`
  - CORS headers enabled for GET/POST/OPTIONS
  - Simple logging with User-Agent hints (flags PS4 Browser)

### Notes and safety
- This PoC is crash‑oriented; it does not attempt code execution.
- Use only in controlled environments and on devices you own and are authorized to test.
- Expect instability and browser crashes on vulnerable builds.

### References
- WebKitGTK and WPE WebKit Security Advisory WSA-2021-0007: https://webkitgtk.org/security/WSA-2021-0007.html
- NVD entry for CVE-2021-30809: https://nvd.nist.gov/vuln/detail/CVE-2021-30809
- Amazon Linux Security Center: https://alas.aws.amazon.com/cve/html/CVE-2021-30809.html
- Ubuntu CVE notice: https://ubuntu.com/security/CVE-2021-30809
- SUSE CVE notice: https://www.suse.com/security/cve/CVE-2021-30809.html

文件快照

 [4.0K]  /data/pocs/d090b18d256d9a0a39ca59cf12ededf0900e430a
├── [ 368]  exploit.html
├── [1.1K]  poc.js
├── [3.7K]  README.md
├── [9.5K]  server.py
└── [2.5K]  start_server.bat

0 directories, 5 files

备注