codenote / google-security-research

Automatically exported from code.google.com/p/google-security-research

WebKit JavaScriptCore integer truncation vulnerability #77

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This bug represents the externally visible report for a previously filed and 
fixed bug, https://code.google.com/p/google-security-research/issues/detail?id=6

We're filing a new bug because the exploit has been re-written to work against 
a specific, downloadable old nightly build of WebKit. The exploit uses an 
identical strategy, it just has updated offsets, ROP payload offsets, etc. 
We've done it this way because it's not clear how to download the old, 
vulnerable Safari. But an effectively equivalent WebKit nightly can be 
referenced trivially by URL.

Original issue reported on code.google.com by cev...@google.com on 24 Jul 2014 at 8:04

GoogleCodeExporter commented 9 years ago
Setting status straight to Duplicate. The underlying bug was already fixed 
(tracked by issue 6, status Fixed, and advisory 
http://support.apple.com/kb/HT6181); and we only want one valid issue per 
underlying bug / report, to avoid messing up the accuracy of metadata.

Original comment by cev...@google.com on 24 Jul 2014 at 8:06

GoogleCodeExporter commented 9 years ago
Grab this old nightly build of webkit:
http://builds.nightly.webkit.org/files/trunk/mac/WebKit-SVN-r161944.dmg

Compile the payload:
 $ clang -o simple_speak_payload.dylib simple_speak_payload.c -framework ApplicationServices -F/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks -dynamiclib

Convert the payload to a javascript string:
 $ python file_to_jsstr.py simple_speak_payload.dylib simple_speak_payload.js

Serve the files:
 $ python -m SimpleHTTPServer 8080 .

Navigate to localhost:8080/webkit-nightly-r161944.html

Original comment by ianb...@google.com on 24 Jul 2014 at 8:19

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 25 Jul 2014 at 12:50

GoogleCodeExporter commented 9 years ago

Original comment by ianb...@google.com on 25 Jul 2014 at 1:23