32 bits, 32 gigs, 1 click... | RET2 Systems Blog

Submitted by Style Pass, 2021-06-21 08:00:07

In this post we will examine a vulnerability in the WebAssembly subsystem of JavaScriptCore, the JavaScript engine used in WebKit and Apple Safari. The issue was patched in Safari 14.1.1. This vulnerability was discovered through source review and weaponized to achieve remote code execution in our Pwn2Own 2021 submission. A future post will detail the kernel mode sandbox escape.

WebAssembly, often dubbed wasm, is an assembly-like language with a binary representation primarily intended for use on the web. Compared to the highly dynamic and complex paradigm of JavaScript, WebAssembly is very simple (for now…). There are four primitive value types (32- and 64-bit integers and floats) coupled with a relatively small instruction set operating on a stack machine.

Like many assembly languages, wasm can be written by hand in a human-readable text format. Real world wasm applications, however, are typically built with a compiler. An increasing number of high-level languages are supporting compilation down to wasm, with projects like Emscripten opening up support to any language that uses LLVM.
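To make the two paragraphs above concrete, here is an added example (not code from the RET2 post or from WebKit) of what the engine actually consumes: a minimal hand-rolled wasm assembler that emits the binary format byte by byte, exercises the four value types on the stack machine, and shows the engine's validator rejecting an ill-typed body before any code runs. The helper names (`uleb128`, `buildModule`, `demo`) are my own; the type and opcode encodings are the ones from the WebAssembly specification. It runs in Node.js or any browser that exposes the `WebAssembly` API.

```javascript
// Added example (not the post's or WebKit's code): build a wasm module from raw
// bytes and run it through the JavaScript WebAssembly API.

// Unsigned LEB128, the variable-length integer used for every size and count.
function uleb128(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

// A vector is a count followed by its items; a section is an id, a byte size, then the payload.
const vec = (items) => [...uleb128(items.length), ...items.flat()];
const section = (id, payload) => [id, ...uleb128(payload.length), ...payload];
const str = (s) => vec([...s].map((c) => c.charCodeAt(0)));

// The four primitive value types and a handful of opcodes, encoded as in the spec.
const T = { i32: 0x7f, i64: 0x7e, f32: 0x7d, f64: 0x7c };
const OP = { local_get: 0x20, i32_add: 0x6a, f32_add: 0x92, f64_mul: 0xa2, end: 0x0b };

// Build a module that exports one function per entry in `funcs`:
// { name, params: [types], results: [types], body: [opcodes] }.
function buildModule(funcs) {
  const types = funcs.map((f) => [0x60, ...vec(f.params), ...vec(f.results)]);
  const funcIdx = funcs.map((_, i) => uleb128(i));         // each function uses type i
  const exports_ = funcs.map((f, i) => [...str(f.name), 0x00, ...uleb128(i)]); // 0x00 = func
  const bodies = funcs.map((f) => {
    const body = [...uleb128(0), ...f.body];               // zero local declarations, then code
    return [...uleb128(body.length), ...body];
  });
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // "\0asm" magic + version 1
    ...section(1, vec(types)),                             // type section
    ...section(3, vec(funcIdx)),                           // function section
    ...section(7, vec(exports_)),                          // export section
    ...section(10, vec(bodies)),                           // code section
  ]);
}

// The stack machine in action: each local.get pushes an operand, the arithmetic
// opcode pops two and pushes the result, and `end` returns whatever is left.
const MODULE_BYTES = buildModule([
  { name: "add32",  params: [T.i32, T.i32], results: [T.i32],
    body: [OP.local_get, 0, OP.local_get, 1, OP.i32_add, OP.end] },
  { name: "add32f", params: [T.f32, T.f32], results: [T.f32],
    body: [OP.local_get, 0, OP.local_get, 1, OP.f32_add, OP.end] },
  { name: "mul64f", params: [T.f64, T.f64], results: [T.f64],
    body: [OP.local_get, 0, OP.local_get, 1, OP.f64_mul, OP.end] },
]);

// Constructed ill-typed module: f64 operands fed to i32.add. Validation must
// refuse it before compilation, which is the engine's first line of defence.
const BAD_BYTES = buildModule([
  { name: "bad", params: [T.f64, T.f64], results: [T.i32],
    body: [OP.local_get, 0, OP.local_get, 1, OP.i32_add, OP.end] },
]);

// WebAssembly.Module validates synchronously and throws CompileError on a bad module.
function instantiate(bytes) {
  return new WebAssembly.Instance(new WebAssembly.Module(bytes)).exports;
}

function demo() {
  const w = instantiate(MODULE_BYTES);
  return {
    add: w.add32(2, 3),                              // plain i32 arithmetic
    wrap: w.add32(0x7fffffff, 1),                    // i32 wraps to INT32_MIN, no exception
    f32: w.add32f(0.1, 0.2),                         // operands and result rounded to single precision
    f64: w.mul64f(1.5, 4),
    badModuleValid: WebAssembly.validate(BAD_BYTES), // false: the type checker rejects it
  };
}

console.log(demo());
```

Two things worth noticing from a security standpoint: integer arithmetic silently wraps (the `wrap` field), so any host-side code that trusts a wasm-computed length or index must re-check it, and the only thing standing between an attacker-supplied module and the JIT is the validator, which is why bugs in that layer (or in the compiler tiers behind it) are so valuable.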
