CVE-2019-6215

HIGH

Safari < 12.0.3 - Remote Code Execution via Type Confusion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-6215. PoCs published by Google Security Research.

AI-analyzed exploit summary This PoC exploits a type confusion vulnerability in WebKit's JavaScriptCore (CVE-2019-6215) by manipulating property attributes to achieve an out-of-bounds read via a CustomGetterSetter object linked to RegExp. The exploit leverages JIT compiler behavior to expose internal objects to JavaScript.

Description

A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 12.1.3, tvOS 12.1.2, Safari 12.0.3, iTunes 12.9.3 for Windows, iCloud for Windows 7.10. Processing maliciously crafted web content may lead to arbitrary code execution.

Exploits (1)

exploitdb WORKING POC

by Google Security Research · javascriptdosmultiple

https://www.exploit-db.com/exploits/46448

View Code ZIP pw:eip

This PoC exploits a type confusion vulnerability in WebKit's JavaScriptCore (CVE-2019-6215) by manipulating property attributes to achieve an out-of-bounds read via a CustomGetterSetter object linked to RegExp. The exploit leverages JIT compiler behavior to expose internal objects to JavaScript.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: WebKit JavaScriptCore (Safari, other WebKit-based browsers)

No auth needed

Prerequisites: Target must be using a vulnerable version of WebKit

MITRE ATT&CK