CVE-2017-2491
Published 2017-06-27

Priority: P258 · high · CVSS 3.0 base score 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit referenced (see the exploit-db link in the references)
EPSS: 8.04% (percentile 94.1)
Use after free vulnerability in the String.replace method JavaScriptCore in Apple Safari in iOS before 10.3 allows remote attackers to execute arbitrary code via a crafted web page, or a crafted file.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | <= 10.2.1 | — |
| apple | safari | — | — |
| apple | tvos | — | — |
Detection & IOCs (extracted from sources)

Trigger pattern quoted from the referenced exploit (the elided callback body and the values of `n` and `m` are as given by the source):

```javascript
var regex = new RegExp("(ab)".repeat(n), "g");
var part = "ab".repeat(n);
var s = (part + "|").repeat(m);
s.replace(regex, function() {...});
```

- The exploit triggers the UAF via String.replace() with a large compiled RegExp (n=0x40000 repetitions of '(ab)') and a replacement callback function; monitor for JS executing a RegExp with an extremely high repetition count combined with String.replace and a callback.
- The exploit sprays roughly 14 GiB of ArrayBuffers with a repeating byte pattern to gain heap layout control; large ArrayBuffer spray activity in JavaScriptCore is a strong indicator of heap grooming for this exploit.
- The exploit constructs a fake JSCell/JSObject header inline (indexing type 8, structure ID 0) inside a container object to achieve type confusion after the UAF; look for crafted Float64Array/Uint8Array usage that forges JSCell headers.
- The exploit follows pointer chains to locate an RWX memory region containing JIT-compiled code and overwrites it with shellcode; detection opportunity: memory writes to RWX pages from the JavaScript heap in the Safari/WebContent process.
- The exploit HTML lure uses a benign-looking anchor tag to deliver the malicious page; the delivery vector is a crafted web page.
- The vulnerable component is JSC::CachedCall within JavaScriptCore's String.replace implementation; patch/version check: Safari < 10.1, iOS < 10.3, tvOS < 10.2.
- The exploit requires the target function to be compiled only by the low-level interpreter (not the optimizing JITs); calling the target function exactly once before use is a deliberate precondition of the exploit.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
GHSA

GHSA-v5gq-732w-q78g (ghsa_unreviewed, 2022-05-13, severity HIGH, CWE-416): Use after free vulnerability in the String.replace method JavaScriptCore in Apple Safari in iOS before 10.3 allows remote attackers to execute arbitrary code via a crafted web page, or a crafted file.
Apple

Three vendor advisories (vendor_apple, 2017-03-27, CVSS 8.8, severity HIGH), each listing CVE-2017-2491 with the same details:

- Safari 10.1: Apple Security Update, "About the security content of Safari 10.1"
- iOS 10.3: Apple Security Update, "About the security content of iOS 10.3"
- tvOS 10.2: Apple Security Update, "About the security content of tvOS 10.2"

Component: JavaScriptCore
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed through improved memory management.
No detection rules found.
No writeups or analysis indexed.
References

- http://www.securityfocus.com/bid/98316
- http://www.zerodayinitiative.com/advisories/ZDI-17-321
- https://support.apple.com/en-us/HT207617
- https://www.exploit-db.com/exploits/41964/