module
Safari in Operator Side Effect Exploit
| Disclosed | Created |
|---|---|
| 2020-03-18 | 2020-10-01 |
Disclosed
2020-03-18
Created
2020-10-01
Description
This module exploits an incorrect side-effect modeling of the 'in' operator.
The DFG compiler assumes that the 'in' operator is side-effect free, however
the element with the PDF plugin provides a callback that can trigger
side-effects leading to type confusion (CVE-2020-9850).
The type confusion can be used as addrof and fakeobj primitives that then
lead to arbitrary read/write of memory. These primitives allow us to write
shellcode into a JIT region (RWX memory) containing the next stage of the
exploit.
The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server,
and extracts a macOS application containing our payload into /var/db/CVMS.
The payload can then be opened with CVE-2020-9801, executing the payload
as a user but without sandbox restrictions.
The DFG compiler assumes that the 'in' operator is side-effect free, however
the element with the PDF plugin provides a callback that can trigger
side-effects leading to type confusion (CVE-2020-9850).
The type confusion can be used as addrof and fakeobj primitives that then
lead to arbitrary read/write of memory. These primitives allow us to write
shellcode into a JIT region (RWX memory) containing the next stage of the
exploit.
The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server,
and extracts a macOS application containing our payload into /var/db/CVMS.
The payload can then be opened with CVE-2020-9801, executing the payload
as a user but without sandbox restrictions.
Authors
Yonghwi Jin jinmoteam@gmail.com
Jungwon Lim setuid0@protonmail.com
Insu Yun insu@gatech.edu
Taesoo Kim taesoo@gatech.edu
timwr
Jungwon Lim setuid0@protonmail.com
Insu Yun insu@gatech.edu
Taesoo Kim taesoo@gatech.edu
timwr
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.