Apple Safari - Wasm Section Exploit

By Fabian Beterke on 16 April, 2018

As part of our preparation for Pwn2Own 2018 we started investigating WebAssembly (Wasm), since it is a relatively new component of Safari and was therefore likely to have undergone less assurance than the more mature parts of the WebKit code base. Unfortunately, during the exploit development phase of this research the bug was patched by Apple in the WebKit master branch, forcing us to focus on other exploitable issues. This paper walks through the vulnerability (CVE-2018-4121) and the exploitation techniques used on macOS 10.13.3 (17D47). The issue was addressed publicly in macOS 10.13.4 and was found independently by Natalie Silvanovich of Google Project Zero.