Status: Duplicate
Closed: Jul 2014

WebKit JavaScriptCore integer truncation vulnerability
Reported by cevans@google.com, Jul 24 2014
This bug represents the externally visible report for a previously filed and fixed bug, https://code.google.com/p/google-security-research/issues/detail?id=6

We're filing a new bug because the exploit has been re-written to work against a specific, downloadable old nightly build of WebKit. The exploit uses an identical strategy, it just has updated offsets, ROP payload offsets, etc. We've done it this way because it's not clear how to download the old, vulnerable Safari. But an effectively equivalent WebKit nightly can be referenced trivially by URL.
 
Comment 1 by cevans@google.com, Jul 24 2014
Merged into: 6
Status: Duplicate
Setting status straight to Duplicate. The underlying bug was already fixed (tracked by issue 6, status Fixed, and advisory http://support.apple.com/kb/HT6181); and we only want one valid issue per underlying bug / report, to avoid messing up the accuracy of metadata.
Project Member Comment 2 by ianbeer@google.com, Jul 24 2014
Grab this old nightly build of webkit:
http://builds.nightly.webkit.org/files/trunk/mac/WebKit-SVN-r161944.dmg

Compile the payload:
 $ clang -o simple_speak_payload.dylib simple_speak_payload.c -framework ApplicationServices -F/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks -dynamiclib

Convert the payload to a javascript string:
 $ python file_to_jsstr.py simple_speak_payload.dylib simple_speak_payload.js

Serve the files:
 $ python -m SimpleHTTPServer 8080 .

Navigate to localhost:8080/webkit-nightly-r161944.html
Attachments:
 - webkit-nightly-r161944.html (9.1 KB)
 - file_to_jsstr.py (452 bytes)
 - simple_speak_payload.c (316 bytes)
Comment 3 by cevans@google.com, Jul 25 2014
Labels: -Restrict-View-Commit
Project Member Comment 4 by ianbeer@google.com, Jul 25 2014
Labels: Restrict-AddIssueComment-Commit