<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
code
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">A WebKit exploit was reported where the WebKit implementation was vulnerable to ROP (return-oriented programming) attacks. Here are the details:
<a href="https://www.exploit-db.com/exploits/28081/"><span style="color:#033160;mso-style-textfill-fill-color:#033160;mso-style-textfill-fill-alpha:100.0%">https://www.exploit-db.com/exploits/28081/</span></a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">However, we are interested in knowing which revision of WebKit has the fix for resolving this vulnerability.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">Digging for more info, we found that the exploit was due to a heap buffer overflow issue in the JavaScriptCore JSArray::sort() method.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">Details:<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:11.55pt"><span style="font-size:10.5pt;font-family:Consolas;color:#666666"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal" style="line-height:11.55pt"><span style="font-size:10.0pt;font-family:Consolas;color:#666666;background:#FAF6E1">The heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces the array length, then the trailing array items will be written outside the &quot;m_storage-&gt;m_vector[]&quot; buffer, which leads to heap memory corruption.</span><span style="font-size:10.5pt;font-family:Consolas;color:#666666"><o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:11.55pt"><span style="font-size:10.5pt;font-family:Consolas;color:#666666">&nbsp;<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:11.55pt"><span style="font-size:10.0pt;font-family:Consolas;color:#666666;background:#FAF6E1">The exploit for this vulnerability is JavaScript code which shows how to use it for memory corruption of internal JS objects (Uint32Array, etc.) and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted into the JS code).</span><span style="font-size:10.5pt;font-family:Consolas;color:#666666"><o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:11.55pt"><span style="font-size:10.5pt;font-family:Consolas;color:#666666">&nbsp;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">So our question is, can you point us to the fix (i.e. the changelist/revision) which patched this vulnerability?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#203864;mso-style-textfill-fill-color:#203864;mso-style-textfill-fill-alpha:100.0%">Rupali<o:p></o:p></span></p>
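<p class="MsoNormal">Added example, not part of the mail above and not WebKit's own code: a small C++ model of the hazard the quoted description names, a native sort that calls back into user-controlled code and then writes results back using a length captured before the callbacks ran. <code>ToyArray</code>, <code>vulnerableSort</code>, <code>hardenedSort</code> and the shrinking comparator are hypothetical names invented for this model; the "vulnerable" path counts the writes that would land past the buffer instead of performing them, so the model itself stays memory-safe. The hardened form is one defensive shape (re-validate length and capacity after user code has run, then write back only within the current bounds); it is not a claim about what the actual WebKit fix looked like.</p>

```cpp
// Model of the JSArray::sort() hazard described above (added example; not WebKit code).
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <vector>

// Hypothetical stand-in for an array whose backing buffer (the role of m_vector)
// has its own size, separate from a logical length that script can shrink.
struct ToyArray {
    std::vector<int> storage;   // backing buffer
    size_t length = 0;          // logical length, mutable by the callback
    size_t oobWrites = 0;       // writes the vulnerable path would have made past the buffer
};

// Comparator receives the array so it can mutate it, like a JS compare function can.
using Comparator = std::function<bool(ToyArray&, int, int)>;

// Vulnerable shape: the length is captured once, user code runs, and the write-back
// trusts the stale length. If the callback shrank the array (and its buffer), the
// trailing writes would fall outside the buffer; here they are counted, not performed.
size_t vulnerableSort(ToyArray& a, const Comparator& cmp) {
    const size_t n = a.length;  // assumes length <= storage.size() on entry
    std::vector<int> tmp(a.storage.begin(), a.storage.begin() + n);
    std::sort(tmp.begin(), tmp.end(), [&](int x, int y) { return cmp(a, x, y); });
    for (size_t i = 0; i < n; ++i) {
        if (i < a.storage.size()) a.storage[i] = tmp[i];
        else ++a.oobWrites;     // real code would corrupt the heap here
    }
    return a.oobWrites;
}

// Hardened shape: sort a private copy, then re-check both the logical length and the
// buffer size after the callbacks, and write back only within the current bounds.
size_t hardenedSort(ToyArray& a, const Comparator& cmp) {
    const size_t n = std::min(a.length, a.storage.size());
    std::vector<int> tmp(a.storage.begin(), a.storage.begin() + n);
    std::sort(tmp.begin(), tmp.end(), [&](int x, int y) { return cmp(a, x, y); });
    const size_t limit = std::min({a.length, a.storage.size(), n});  // re-validated
    for (size_t i = 0; i < limit; ++i) a.storage[i] = tmp[i];
    return a.oobWrites;
}

// Constructed comparator modelling a compare function that shrinks the array
// (new length 2, buffer reallocated to match) on its first invocation.
Comparator shrinkingComparator() {
    return [](ToyArray& a, int x, int y) {
        if (a.length > 2) { a.length = 2; a.storage.resize(2); }
        return x < y;
    };
}

// Constructed sample input.
ToyArray makeSample() {
    ToyArray a;
    a.storage = {5, 3, 1, 4, 2};
    a.length = 5;
    return a;
}

size_t runVulnerable() { ToyArray a = makeSample(); return vulnerableSort(a, shrinkingComparator()); }
size_t runHardened()   { ToyArray a = makeSample(); return hardenedSort(a, shrinkingComparator()); }
std::vector<int> hardenedResult() {
    ToyArray a = makeSample();
    hardenedSort(a, shrinkingComparator());
    return a.storage;           // the two surviving elements, sorted
}

int main() {
    std::printf("vulnerable: %zu out-of-bounds writes\n", runVulnerable());
    std::printf("hardened:   %zu out-of-bounds writes\n", runHardened());
    return 0;
}
```

<p class="MsoNormal">With the sample above, the vulnerable path reports three writes past the two-element buffer left after the callback shrank it, while the hardened path reports none and leaves the buffer holding the two smallest values. The general lesson is the one the quoted description states: any native routine that invokes script must treat every cached length, pointer or capacity as stale once the callback returns.</p>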
</div>
</body>
</html>