Changes

8 bytes added, 00:05, 29 November 2015 (minor edit)
Edit summary: Fix lines/spacing
===RenderArena use-after-free===

'''Application''': [[Internet Browser]]

'''Supported versions''': 2.0.0-5.1.0

'''Public in libwiiu''': Yes

An iframe is removed from its parent in a beforeload event and freed, but accessed for a vtable call later. Using JavaScript, a vtable pointer is sprayed, occupying the frame's previous memory. A forged vtable referred to by the pointer is also sprayed. When WebKit attempts the virtual call, it goes to the forged vtable, which starts a ROP chain. More information [https://code.google.com/p/chromium/issues/detail?id=226696 here].
===JSStringJoiner heap overflow===

'''Application''': [[Internet Browser]]

'''Supported versions''': 5.3.2 (works but unimplemented for 5.1.1-5.3.1)

'''Public in libwiiu''': Yes

When joining an array of strings, the lengths of the strings are summed to calculate the needed storage space. This summation is vulnerable to an integer overflow, which enables a heap overflow. As a result, a sprayed value from JavaScript ends up as a vtable pointer, which can be used with a forged vtable to start a ROP chain. More information [http://googleprojectzero.blogspot.com/2014/07/pwn4fun-spring-2014-safari-part-i_24.html here].
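The length-summation bug class above, shown as an added example that is not WebKit's JSStringJoiner code: a constructed join routine whose running total is a 32-bit unsigned (mirroring the 32-bit string lengths on the Wii U) wraps silently, so the buffer allocated is smaller than the bytes later copied into it. The checked version beside it refuses the join instead of wrapping. The `Piece` type, the function names and the sample inputs are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not WebKit code: each piece to be joined carries a
   32-bit length, as string lengths do on the 32-bit Wii U. */
typedef struct {
    const char *chars;   /* may be NULL when only the length matters */
    uint32_t length;
} Piece;

/* Vulnerable pattern: the running total is a 32-bit unsigned and silently
   wraps, so the computed buffer size can be far smaller than the bytes the
   join later writes past the end of the allocation. */
uint32_t naive_total_length(const Piece *pieces, size_t count, uint32_t separator_len)
{
    uint32_t total = 0;
    for (size_t i = 0; i < count; i++) {
        total += pieces[i].length;
        if (i + 1 < count)
            total += separator_len;
    }
    return total;
}

/* Hardened pattern: every addition is tested against UINT32_MAX before it
   happens; on overflow the function reports failure instead of wrapping. */
bool checked_total_length(const Piece *pieces, size_t count, uint32_t separator_len, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < count; i++) {
        if (pieces[i].length > UINT32_MAX - total)
            return false;
        total += pieces[i].length;
        if (i + 1 < count) {
            if (separator_len > UINT32_MAX - total)
                return false;
            total += separator_len;
        }
    }
    *out = total;
    return true;
}

/* Join using the checked size. Returns a NUL-terminated heap string, or NULL
   when the total would overflow (the case the naive version gets wrong). */
char *join_pieces(const Piece *pieces, size_t count, const char *separator, uint32_t separator_len)
{
    uint32_t total;
    if (!checked_total_length(pieces, count, separator_len, &total))
        return NULL;
    if (total == UINT32_MAX)   /* no room left for the terminator */
        return NULL;
    char *buf = malloc((size_t)total + 1);
    if (!buf)
        return NULL;
    size_t pos = 0;
    for (size_t i = 0; i < count; i++) {
        memcpy(buf + pos, pieces[i].chars, pieces[i].length);
        pos += pieces[i].length;
        if (i + 1 < count) {
            memcpy(buf + pos, separator, separator_len);
            pos += separator_len;
        }
    }
    buf[pos] = '\0';
    return buf;
}
```

With two pieces of length 0xFFFFFFF0 and 0x20, the naive sum comes out as 0x10, a sixteen-byte allocation for a copy of more than four gigabytes; the checked sum returns false and no allocation is made. The same pre-addition test (`a > MAX - b`) is the portable form of what `__builtin_add_overflow` does on GCC and Clang.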
===OSDriver race attack===

'''Supported versions''': 2.0.0-5.4.0

'''Public in libwiiu''': Yes

The Cafe OS kernel implements a structure called an OSDriver, which can hold a 0x1000-byte cross-process data area. Accessing this data area is done through the CopyToSaveArea() and CopyFromSaveArea() [[Cafe OS Syscalls|syscalls]]. However, no lock on the OSDriver is held during the copy, allowing the save area to be freed and reallocated while the copy is taking place. With all 3 PPC cores, it is possible to copy over an OSDriver structure, and create a save area that points at the syscall table, giving PPC user mode code access to it. More information [http://gbatemp.net/threads/osdriver-kernel-exploit-a-technical-description.395444/ here].
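The missing-lock problem described above, as an added example that is not Cafe OS code: a constructed model of a driver record owning a 0x1000-byte save area, where the copy syscalls pin the area under the driver's lock for the whole copy and a release that arrives while a copy is in flight is deferred until the last copy finishes. The `OSDriverModel` type, the pin/unpin helpers and the function names are constructed for this example; only the 0x1000 size and the two syscall names come from the page.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SAVE_AREA_SIZE 0x1000   /* size of the cross-process area named on the page */

/* Constructed model, not Cafe OS code. The area is pinned under the driver's
   lock for the duration of a copy; a release while pinned is deferred, so the
   buffer can never be freed and recycled in the middle of a copy. */
typedef struct {
    pthread_mutex_t lock;
    uint8_t *save_area;     /* NULL once actually freed */
    unsigned pins;          /* copies currently in flight */
    bool release_pending;   /* release requested while pinned */
} OSDriverModel;

void driver_init(OSDriverModel *d)
{
    pthread_mutex_init(&d->lock, NULL);
    d->save_area = calloc(1, SAVE_AREA_SIZE);
    d->pins = 0;
    d->release_pending = false;
}

/* Pin the area for a copy. NULL if it is gone or being torn down. */
uint8_t *pin_area(OSDriverModel *d)
{
    pthread_mutex_lock(&d->lock);
    uint8_t *area = NULL;
    if (d->save_area && !d->release_pending) {
        d->pins++;
        area = d->save_area;
    }
    pthread_mutex_unlock(&d->lock);
    return area;
}

/* Drop a pin; carries out a deferred release once the last copy is done. */
void unpin_area(OSDriverModel *d)
{
    pthread_mutex_lock(&d->lock);
    if (d->pins > 0 && --d->pins == 0 && d->release_pending) {
        free(d->save_area);
        d->save_area = NULL;
        d->release_pending = false;
    }
    pthread_mutex_unlock(&d->lock);
}

/* Release the area: true if freed now, false if deferred or already gone. */
bool release_save_area(OSDriverModel *d)
{
    pthread_mutex_lock(&d->lock);
    bool freed_now = false;
    if (d->save_area) {
        if (d->pins == 0) {
            free(d->save_area);
            d->save_area = NULL;
            freed_now = true;
        } else {
            d->release_pending = true;
        }
    }
    pthread_mutex_unlock(&d->lock);
    return freed_now;
}

/* Bounds-checked copy into the area; the area stays pinned across memcpy. */
bool copy_to_save_area(OSDriverModel *d, size_t offset, const void *src, size_t len)
{
    if (offset > SAVE_AREA_SIZE || len > SAVE_AREA_SIZE - offset)
        return false;
    uint8_t *area = pin_area(d);
    if (!area)
        return false;
    memcpy(area + offset, src, len);
    unpin_area(d);
    return true;
}

/* Symmetric bounds-checked copy out of the area. */
bool copy_from_save_area(OSDriverModel *d, size_t offset, void *dst, size_t len)
{
    if (offset > SAVE_AREA_SIZE || len > SAVE_AREA_SIZE - offset)
        return false;
    uint8_t *area = pin_area(d);
    if (!area)
        return false;
    memcpy(dst, area + offset, len);
    unpin_area(d);
    return true;
}
```

The pin count is what the page says the real kernel lacks: because a release taken while `pins > 0` only sets `release_pending`, another core cannot free and reallocate the buffer underneath a copy, and no new copies start once teardown has been requested.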