CVE-2017-2491
published 2017-06-27


Priority: P2 (58), high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 8.04% (94.1st percentile)
Use after free vulnerability in the String.replace method JavaScriptCore in Apple Safari in iOS before 10.3 allows remote attackers to execute arbitrary code via a crafted web page, or a crafted file.

Affected (4 ranges)

Vendor   Product      Version range   Fixed in
apple    ios          -               -
apple    iphone_os    <= 10.2.1       -
apple    safari       -               -
apple    tvos         -               -

Detection & IOCs (extracted from sources)

url: https://www.exploit-db.com/exploits/41964
command: var regex = new RegExp("(ab)".repeat(n), "g"); var part = "ab".repeat(n); var s = (part + "|").repeat(m); s.replace(regex, function() {...})
  • The exploit triggers the UAF via String.replace() with a large compiled RegExp (n=0x40000 repetitions of '(ab)') and a replacement callback function — monitor for JS executing RegExp with extremely high repetition counts combined with String.replace and a callback.
  • Exploit sprays ~14 GiB of ArrayBuffers with a repeating byte pattern to achieve heap layout control — large ArrayBuffer spray activity in JavaScriptCore is a strong indicator of heap-grooming for this exploit.
  • Exploit constructs a fake JSCell/JSObject header inline (indexing type 8, structure ID 0) inside a container object to achieve type confusion after UAF — look for crafted Float64Array/Uint8Array usage to forge JSCell headers.
  • Exploit follows pointer chains to locate a RWX memory region containing JIT-compiled code and overwrites it with shellcode — detection opportunity: memory writes to RWX pages from JavaScript heap in Safari/WebContent process.
  • The exploit HTML lure uses a benign-looking anchor tag to deliver the malicious page — the delivery vector is a crafted web page.
  • Vulnerable component is JSC::CachedCall within JavaScriptCore's String.replace implementation — patch/version check: Safari < 10.1, iOS < 10.3, tvOS < 10.2.
  • The exploit requires the target function to be compiled only by the low-level interpreter (not the optimizing JITs) — calling the target function exactly once before use is a deliberate precondition of the exploit.

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, vector AV:N/AC:M/Au:N/C:P/I:P/A:P