CVE-2018-4233

Published: 08/06/2018 Updated: 02/06/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 845
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists in certain Apple products. iOS prior to 11.4 is affected. Safari prior to 11.1.1 is affected. iCloud prior to 7.5 on Windows is affected. iTunes prior to 12.7.5 on Windows is affected. tvOS prior to 11.4 is affected. watchOS prior to 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote malicious users to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

Vulnerable Products

apple tvos

apple safari

apple iphone os

apple watchos

apple icloud

apple itunes

canonical ubuntu linux 16.04

canonical ubuntu linux 17.10

canonical ubuntu linux 18.04

Vendor Advisories

Several security issues were fixed in WebKitGTK+ ...

Exploits

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, ...
This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument withou ...

Metasploit Modules

Safari Webkit Proxy Object Type Confusion

This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object. This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript. The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution. The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The process's credential and sandbox structure in the kernel is overwritten and the meterpreter payload's code signature hash is added to the kernel's trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.

msf > use exploit/apple_ios/browser/webkit_createthis
msf exploit(webkit_createthis) > show targets
    ...targets...
msf exploit(webkit_createthis) > set TARGET < target-id >
msf exploit(webkit_createthis) > show options
    ...show and set options...
msf exploit(webkit_createthis) > exploit

Safari Proxy Object Type Confusion

This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233). The JIT region is then replaced with shellcode which loads the second stage. The second stage exploits a logic error in libxpc, which uses command execution via launchd's "spawn_via_launchd" API (CVE-2018-4404).

msf > use exploit/osx/browser/safari_proxy_object_type_confusion
msf exploit(safari_proxy_object_type_confusion) > show targets
    ...targets...
msf exploit(safari_proxy_object_type_confusion) > set TARGET < target-id >
msf exploit(safari_proxy_object_type_confusion) > show options
    ...show and set options...
msf exploit(safari_proxy_object_type_confusion) > exploit

Github Repositories

Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018

CVE-2018-4233. Exploit for CVE-2018-4233, a bug in the JIT compiler of WebKit. Tested on Safari 11.0.3 on macOS 10.13.3. For more details see saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf. The exploit gains arbitrary memory read/write by constructing the addrof and fakeobj primitives and subsequently faking a typed array as described

JailbreakMe. Huge Note: This is very unstable and only works on iPhone 8 (iOS 11.3.1). Notes: This exploit obtains tfp0 from the WebContent sandbox (i.e. from a website), via two known bugs: CVE-2018-4233 (discovered by saelo, reported via ZDI, exploit by niklasb) and CVE-2018-4243 (empty_list exploit by Ian Beer), both fixed in 11.4. See pwn_i8.js for details. I have no pl

Jailbreak For iOS 11.2-11.3 Safari

!!! NOT USEFUL FOR END USERS !!! THIS IS ONLY INTERESTING FOR DEVELOPERS, EXPECT NO SUPPORT IN ANY SHAPE OR FORM! This exploit obtains tfp0 from the WebContent sandbox (i.e. from a website), via two known bugs: CVE-2018-4233 (discovered by saelo, reported via ZDI, exploit by niklasb) and CVE-2018-4243 (empty_list exploit by Ian Beer), both fixed in 11.4. See pwn_i8.js for detai

Skills: Python, Go, JavaScript (Vue.js/TypeScript). Links: CTF writeup, Slide, Qiita. Works: Burp Extension (BurpExportObjects, BurpSnippets), poc_generator, Nday PoC (CVE-2018-4233, CVE-2018-4441)

WebKid-Pillow-Chaingineering. This is an exploit for those three 35C3CTF challenges. Huge thanks to Samuel Groß (@5aelo) for his challenge and his awesome Int64 library. Also thanks to Linus Henze (@LinusHenze). Also thanks to LiveOverflow for his awesome browser series. Most of the code was based on Linus's WebKit-RegEx-Exploit and Samuel's exploit for CVE-2018

This is a *mirror* of a POC Safari Exploit for iOS 11.3.1 that runs empty_list to achieve TFP0. This POC is by niklasb

PLEASE READ THIS FIRST. This is currently only patched in the WebKit sources and works with the latest version of Safari (macOS and iOS, although this needs to be updated in order to work with iOS). Please don't do evil stuff with this. And if you're a normal user, this will be useless for you. WebKit-RegEx-Exploit. This is an exploit for the latest version of Safari (a

PLEASE READ THIS FIRST. This is currently only patched in the WebKit master branch (not in any version shipped in macOS/iOS) and works with the latest version of Safari (macOS and iOS, although shellcode loading is not supported on iOS). YES, iOS 12.1.1 IS SUPPORTED! Please don't do evil stuff with this. And if you're a normal user, this will be useless for you. WebKit

A docker exploit dev environment for SpiderMonkey

A docker debug environment for SpiderMonkey. This repo builds a debug environment to develop and test exploits for SpiderMonkey. It defines a docker image based on Debian with all the dependencies needed to build and run a JavaScript shell. SpiderMonkey's source code should be dropped next to this repo's Docker file. Mozilla use Mercurial to do this but I prefer git: g

This repo provides some info on how to downgrade, jailbreak, and setup IOS 10.3.3 on an iPhone 5s.

This repo provides some info on how to downgrade, jailbreak, and set up iOS 10.3.3 on an iPhone 5s. The "install" script in this repo lists all post-jailbreak steps, so use that one in addition to this readme to guide you. This repo provides sources only. The full package can be downloaded from the releases section: github.com/WRFan/jailbreak1033/releases

!!! NOT USEFUL FOR END USERS !!! THIS IS ONLY INTERESTING FOR DEVELOPERS, EXPECT NO SUPPORT IN ANY SHAPE OR FORM! This exploit obtains tfp0 from the WebContent sandbox (i.e. from a website), via two known bugs, CVE-2018-4233 and CVE-2018-4243. See pwn_i8.js for details. I have no plans to work on this more. Stage 2 is closed source for now so people don't write malware, bu
