Vulnerabilities > CVE-2018-4218 - Use After Free vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apple
canonical
CWE-416
nessus
exploit available

Summary

An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site that triggers an @generatorState use-after-free.

Vulnerable Configurations

Part Description Count
OS
Apple
265
OS
Microsoft
1
OS
Canonical
3
Application
Apple
403

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionWebKit - Use-After-Free when Resuming Generator. CVE-2018-4218. Dos exploit for Multiple platform. Tags: Use After Free (UAF)
fileexploits/multiple/dos/44861.html
idEDB-ID:44861
last seen2018-06-08
modified2018-06-08
platformmultiple
port
published2018-06-08
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/44861/
titleWebKit - Use-After-Free when Resuming Generator
typedos

Nessus

  • NASL familyWindows
    NASL idITUNES_12_7_5.NASL
    descriptionThe version of Apple iTunes installed on the remote Windows host is prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities as referenced in the HT208852 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id110384
    published2018-06-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110384
    titleApple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110384);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/04");
    
      script_cve_id(
        "CVE-2018-4188",
        "CVE-2018-4190",
        "CVE-2018-4192",
        "CVE-2018-4199",
        "CVE-2018-4200",
        "CVE-2018-4201",
        "CVE-2018-4204",
        "CVE-2018-4214",
        "CVE-2018-4218",
        "CVE-2018-4222",
        "CVE-2018-4224",
        "CVE-2018-4225",
        "CVE-2018-4226",
        "CVE-2018-4232",
        "CVE-2018-4233",
        "CVE-2018-4246"
      );
      script_bugtraq_id(103961, 104378);
      script_xref(name:"APPLE-SA", value:"APPLE-SA-2018-06-01-7");
    
      script_name(english:"Apple iTunes < 12.7.5 Multiple Vulnerabilities (credentialed check)");
      script_summary(english:"Checks the version of iTunes on Windows.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apple iTunes installed on the remote Windows host is
    prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities
    as referenced in the HT208852 advisory.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT208852");
      # https://lists.apple.com/archives/security-announce/2018/Jun/msg00006.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?375c8685");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apple iTunes version 12.7.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4246");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Safari Proxy Object Type Confusion');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/06");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:itunes");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("itunes_detect.nasl");
      script_require_keys("installed_sw/iTunes Version", "SMB/Registry/Enumerated");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    # Ensure this is Windows
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    
    app_info = vcf::get_app_info(app:"iTunes Version", win_local:TRUE);
    
    constraints = [{"fixed_version" : "12.7.5"}];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201808-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201808-04 (WebkitGTK+: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details. Impact : A remote attacker could execute arbitrary commands or cause a denial of service condition via a maliciously crafted web content. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id112078
    published2018-08-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112078
    titleGLSA-201808-04 : WebkitGTK+: Multiple vulnerabilities
  • NASL familyPeer-To-Peer File Sharing
    NASL idITUNES_12_7_5_BANNER.NASL
    descriptionThe version of Apple iTunes installed on the remote Windows host is prior to 12.7.5. It is, therefore, affected by multiple vulnerabilities in WebKit as referenced in the HT208852 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id110383
    published2018-06-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110383
    titleApple iTunes < 12.7.5 Multiple Vulnerabilities (uncredentialed check)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SAFARI11_1_1.NASL
    descriptionThe version of Apple Safari installed on the remote macOS or Mac OS X host is prior to 11.1.1 It is, therefore, affected by multiple vulnerabilities. - A remote code execution vulnerability exists in WebKit due to improper memory handling. An unauthenticated, remote attacker can exploit this, via a specifically crafted web page to to execute arbitrary code or cause a denial of service (CVE-2018-4199, CVE-2018-4201, CVE-2018-4218, CVE-2018-4233). - An information disclosure vulnerability exists in WebKit. An unauthenticated, remote attacker can exploit this, via a specifically crafted web page, to disclose potentially sensitive information (CVE-2018-4190). - An out-of-bounds read error exists in WebKit due to improper input validation. An unauthenticated, remote attacker can exploit this, via a specifically crafted web page that leverages a getWasmBufferFromValue during WebAssembly compilation to execute arbitrary code (CVE-2018-4222).
    last seen2020-06-01
    modified2020-06-02
    plugin id126381
    published2019-07-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126381
    titlemacOS : Apple Safari < 11.1.1 Multiple Vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-AAC3CA8936.NASL
    descriptionThis update addresses the following vulnerabilities : - [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4190), [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4199), [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4218), [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4222), [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4232), [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4233), [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4246), [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c gi?name=CVE-2018-11646). Additional fixes : - Fix installation directory of API documentation. - Disable Gigacage if mmap fails to allocate in Linux. - Add user agent quirk for paypal website. - Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations. - Fix a network process crash when trying to get cookies of about:blank page. - Fix UI process crash when closing the window under Wayland. - Fix several crashes and rendering issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-07-02
    plugin id110823
    published2018-07-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110823
    titleFedora 27 : webkitgtk4 (2018-aac3ca8936)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-566.NASL
    descriptionThis update for webkit2gtk3 to version 2.20.3 fixes the following issues : These security issues were fixed : - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693). - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693) - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693) - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693) - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693) - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611). These non-security issues were fixed : - Disable Gigacage if mmap fails to allocate in Linux. - Add user agent quirk for paypal website. - Fix a network process crash when trying to get cookies of about:blank page. - Fix UI process crash when closing the window under Wayland. - Fix several crashes and rendering issues. This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123245
    published2019-03-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123245
    titleopenSUSE Security Update : webkit2gtk3 (openSUSE-2019-566)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-118B9ABF99.NASL
    descriptionThis update addresses the following vulnerabilities : - [CVE-2018-4190](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4190), [CVE-2018-4199](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4199), [CVE-2018-4218](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4218), [CVE-2018-4222](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4222), [CVE-2018-4232](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4232), [CVE-2018-4233](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4233), [CVE-2018-4246](https://cve.mitre.org/cgi-bin/cvename.cg i?name=CVE-2018-4246), [CVE-2018-11646](https://cve.mitre.org/cgi-bin/cvename.c gi?name=CVE-2018-11646). Additional fixes : - Fix installation directory of API documentation. - Disable Gigacage if mmap fails to allocate in Linux. - Add user agent quirk for paypal website. - Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations. - Fix a network process crash when trying to get cookies of about:blank page. - Fix UI process crash when closing the window under Wayland. - Fix several crashes and rendering issues. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120240
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120240
    titleFedora 28 : webkit2gtk3 (2018-118b9abf99)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3687-1.NASL
    descriptionA large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110611
    published2018-06-19
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110611
    titleUbuntu 16.04 LTS / 17.10 / 18.04 LTS : webkit2gtk vulnerabilities (USN-3687-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3387-1.NASL
    descriptionThis update for webkit2gtk3 to version 2.20.3 fixes the issues : The following security vulnerabilities were addressed : CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs (boo#1101999) CVE-2017-13884: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2017-13885: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2017-7153: An unspecified issue allowed remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted website that sends a 401 Unauthorized redirect (bsc#1077535). CVE-2017-7160: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2017-7161: An unspecified issue allowed remote attackers to execute arbitrary code via special characters that trigger command injection (bsc#1075775, bsc#1077535). CVE-2017-7165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2018-4088: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2018-4096: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). CVE-2018-4200: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers a WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280). CVE-2018-4204: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092279). CVE-2018-4101: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182). CVE-2018-4113: An issue in the JavaScriptCore function in the
    last seen2020-06-01
    modified2020-06-02
    plugin id118389
    published2018-10-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118389
    titleSUSE SLED12 / SLES12 Security Update : webkit2gtk3 (SUSE-SU-2018:3387-1)
  • NASL familyMisc.
    NASL idAPPLETV_11_4.NASL
    descriptionAccording to its banner, the version of Apple TV on the remote device is prior to 11.4. It is, therefore, affected by multiple vulnerabilities as described in the HT208850 security advisory. Note that only 4th and 5th generation models are affected by these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id110325
    published2018-06-05
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110325
    titleApple TV < 11.4 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2075-1.NASL
    descriptionThis update for webkit2gtk3 to version 2.20.3 fixes the following issues: These security issues were fixed : - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693). - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693) - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693) - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693) - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693) - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id120064
    published2019-01-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120064
    titleSUSE SLED15 / SLES15 Security Update : webkit2gtk3 (SUSE-SU-2018:2075-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1288.NASL
    descriptionThis update for webkit2gtk3 to version 2.20.3 fixes the issues : The following security vulnerabilities were addressed : - CVE-2018-12911: Fixed an off-by-one error in xdg_mime_get_simple_globs (boo#1101999) - CVE-2017-13884: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2017-13885: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2017-7153: An unspecified issue allowed remote attackers to spoof user-interface information (about whether the entire content is derived from a valid TLS session) via a crafted website that sends a 401 Unauthorized redirect (bsc#1077535). - CVE-2017-7160: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2017-7161: An unspecified issue allowed remote attackers to execute arbitrary code via special characters that trigger command injection (bsc#1075775, bsc#1077535). - CVE-2017-7165: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2018-4088: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2018-4096: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1075775). - CVE-2018-4200: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers a WebCore::jsElementScrollHeightGetter use-after-free (bsc#1092280). - CVE-2018-4204: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1092279). - CVE-2018-4101: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1088182). - CVE-2018-4113: An issue in the JavaScriptCore function in the
    last seen2020-06-05
    modified2018-10-26
    plugin id118453
    published2018-10-26
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118453
    titleopenSUSE Security Update : webkit2gtk3 (openSUSE-2018-1288)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-845.NASL
    descriptionThis update for webkit2gtk3 to version 2.20.3 fixes the following issues : These security issues were fixed : - CVE-2018-4190: An unspecified issue allowed remote attackers to obtain sensitive credential information that is transmitted during a CSS mask-image fetch (bsc#1097693). - CVE-2018-4199: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted website (bsc#1097693) - CVE-2018-4218: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website that triggers an @generatorState use-after-free (bsc#1097693) - CVE-2018-4222: An unspecified issue allowed remote attackers to execute arbitrary code via a crafted website that leverages a getWasmBufferFromValue out-of-bounds read during WebAssembly compilation (bsc#1097693) - CVE-2018-4232: An unspecified issue allowed remote attackers to overwrite cookies via a crafted website (bsc#1097693) - CVE-2018-4233: An unspecified issue allowed remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted website (bsc#1097693) - CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL mishandle an unset pageURL, leading to an application crash (bsc#1095611). These non-security issues were fixed : - Disable Gigacage if mmap fails to allocate in Linux. - Add user agent quirk for paypal website. - Fix a network process crash when trying to get cookies of about:blank page. - Fix UI process crash when closing the window under Wayland. - Fix several crashes and rendering issues. This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-05
    modified2018-08-10
    plugin id111626
    published2018-08-10
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111626
    titleopenSUSE Security Update : webkit2gtk3 (openSUSE-2018-845)

Seebug

bulletinFamilyexploit
descriptionIn WebKit, resuming a generator is implemented in JavaScript. An internal object property, @generatorState is used to prevent recursion within generators. In GeneratorPrototype.js, the state is checked by calling: ``` var state = this.@generatorState; ``` and set by calling: ``` generator.@generatorState = @GeneratorStateExecuting; ``` Checking that the @generator property is set is also used in place of type checking the generator. Therefore, if Generator.next is called on an object with a prototype that is a Generator, it will pass the type check, and the internal properties of the Generator prototype will be used to resume the generator. However, when @generatorState, it will be set as an own property on the object, not the prototype. This allows the creation of non-Generator objects with the @generatorState set to completed. It is then possible to bypass the recursion check by setting the prototype of one of these objects to a Generator, as the check will then get the object's @generatorState own property, meanwhile the other internal properties will come from the prototype. Generators are not intended to allow recursion, so a reference to the scope is not maintained, leading to a use-after free. A minimal sample of the script causing this problem is below, and a full PoC is attached. ``` var iterator; var a = []; function* foo(index) { while (1) { var q = a.pop(); if(q){ q.__proto__ = iterator; q.next(); } yield index++; } } function* foo2(){ yield; } var temp = foo2(0); for(var i = 0; i < 10; i++){ // make a few objects with @generatorState set var q = {}; q.__proto__ = temp; q.next(); q.__proto__ = {}; a.push(q); } iterator = foo(0); var q = {}; q.__proto__ = iterator; print(q.next().value); ```
idSSV:97334
last seen2018-06-08
modified2018-06-08
published2018-06-08
reporterKnownsec
sourcehttps://www.seebug.org/vuldb/ssvid-97334
titleWebKit: Use-after-free when resuming generator(CVE-2018-4218)