Rapid7 VulnDB

Safari Proxy Object Type Confusion

Back to Search

Safari Proxy Object Type Confusion

Disclosed
03/15/2018
Created
03/19/2019

Description

This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. The second stage exploits a logic error in libxpc, which uses command execution via the launchd's "spawn_via_launchd" API (CVE-2018-4404).

Author(s)

  • saelo

Platform

OSX

Architectures

python, cmd

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/osx/browser/safari_proxy_object_type_confusion
msf exploit(safari_proxy_object_type_confusion) > show targets
    ...targets...
msf exploit(safari_proxy_object_type_confusion) > set TARGET < target-id >
msf exploit(safari_proxy_object_type_confusion) > show options
    ...show and set options...
msf exploit(safari_proxy_object_type_confusion) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;