cbcvebase.
CVE-2017-2446
published 2017-04-02


Priority: P2 65 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 8.19% (94.2th percentile)
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.

Affected

7 ranges

Vendor | Product | Version range | Fixed in
apple | ios | |
apple | iphone_os | <= 10.2.1 |
apple | safari | <= 10.0.3 |
apple | safari | |
apple | tvos | <= 10.1.1 |
apple | tvos | |
debian | webkit2gtk | < webkit2gtk 2.14.6-1 (bookworm) | webkit2gtk 2.14.6-1 (bookworm)

Detection & IOCs (extracted from sources)

command: q.call(0x77777777);
command: q(0x7777, 0x7777, 0);
  • Exploit abuses Intl.DateTimeFormat.format() with a crafted object whose valueOf property is a function that leaks f.caller — look for JavaScript using 'new Intl.DateTimeFormat()' combined with a custom valueOf function passed to .format()
  • Exploit variant abuses Array.prototype property getter to leak g.caller in strict mode — look for Object.defineProperty on Array.prototype numeric indices combined with .concat() calls
  • Both PoC exploits call the leaked caller reference with a numeric magic value (0x77777777 or 0x7777) as the first argument — this pattern in JS heap/memory may indicate exploitation attempts
  • The vulnerability is triggered by processing maliciously crafted web content in WebKit — monitor for Safari/WebKit processes spawning unexpected child processes as a post-exploitation indicator
  • Root cause is a logic issue in the handling of strict mode functions (Function.caller access bypass) — detection should focus on JavaScript that accesses .caller or .arguments on strict-mode functions via builtins or prototype getters
  • Affected platforms are iOS before 10.3, Safari before 10.1, and tvOS before 10.2 — exploitation is only possible on unpatched versions of these Apple products
  • On Debian-based Linux systems (webkit2gtk), the vulnerability is resolved in version 2.14.6-1 across all tracked branches — ensure this version or later is deployed

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | | 8.8 | HIGH |
vendor_debian | | 8.8 | LOW |