Rapid7 Vulnerability & Exploit Database

Safari in Operator Side Effect Exploit

Disclosed: 03/18/2020
Created: 10/01/2020

Description

This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.

Author(s)

  • Yonghwi Jin <jinmoteam@gmail.com>
  • Jungwon Lim <setuid0@protonmail.com>
  • Insu Yun <insu@gatech.edu>
  • Taesoo Kim <taesoo@gatech.edu>
  • timwr

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/osx/browser/safari_in_operator_side_effect
msf exploit(safari_in_operator_side_effect) > show targets
    ...targets...
msf exploit(safari_in_operator_side_effect) > set TARGET < target-id >
msf exploit(safari_in_operator_side_effect) > show options
    ...show and set options...
msf exploit(safari_in_operator_side_effect) > exploit
