Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.6
CVSSv2

CVE-2020-9856

Published: 09/06/2020 Updated: 31/03/2022
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 5.3 | Impact Score: 3.4 | Exploitability Score: 1.8
VMScore: 500
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Mac Os X

Vulnerability Summary

This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15.5. An application may be able to gain elevated privileges.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apple mac os x

apple mac os x 10.13.6

apple mac os x 10.14.6

Exploits

Exploit DB: Safari Type Confusion / Sandbox Escape
This Metasploit module exploits an incorrect side-effect modeling of the 'in' operator The DFG compiler assumes that the 'in' operator is side-effect free, however the embed element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850) The type confusion can be used as addrof and fakeobj p ...
Exploit DB: Safari in Operator Side Effect Exploit
This module exploits an incorrect side-effect modeling of the 'in' operator The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850) The type confusion can be used ...

Mailing Lists

Full Disclosure: APPLE-SA-2020-05-26-3 macOS Catalina 10.15.5, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra
<!--X-Body-Begin--> <!--X-User-Header--> Full Disclosure mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> APPLE-SA-2020-05-26-3 macOS Catalina 10155, Security Update 2020-003 Mojave, Security Update 2020-003 High Sierra <! ...

Metasploit Modules

Safari in Operator Side Effect Exploit

This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.

msf > use exploit/osx/browser/safari_in_operator_side_effect
msf exploit(safari_in_operator_side_effect) > show targets
    ...targets...
msf exploit(safari_in_operator_side_effect) > set TARGET < target-id >
msf exploit(safari_in_operator_side_effect) > show options
    ...show and set options...
msf exploit(safari_in_operator_side_effect) > exploit

References

NVD-CWE-noinfohttps://support.apple.com/HT211170https://nvd.nist.govhttps://packetstormsecurity.com/files/159447/Safari-Type-Confusion-Sandbox-Escape.htmlhttps://www.rapid7.com/db/modules/exploit/osx/browser/safari_in_operator_side_effect/
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
hard-codedCVE-2024-27202NULL pointer dereferenceCVE-2024-28075CVE-2024-33608CVE-2024-28889CVE-2024-34572template injectionCVE-2024-34351
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook