It seems that the syntax highlighting filter reads the `data-sourcepos` attribute rather permissively, including newlines and angle brackets. That value is reflected back into the page, where the browser ends up interpreting as HTML some of the text that the backend thought was still inside the attribute.
**tl;dr** Two CVEs, one an integer overflow due to incorrectly assuming the compiler would optimize an `enum` into a single byte, and the other some uninitialized kernel stack variables that could be exposed to userspace.
Follow-up to the December post, which covered an int overflow in the CoreGraphics PDF parser for the JBIG2 image format that was used to implement a weird machine / mini architecture to execute code. This post covers the sandbox escape that was chained with it, which, unlike the first bug, is a logic issue rather than a memory corruption.
**Escaping to the Node Virtual Machine**
Two issues: first an XSS requiring two injection points to bypass the web-application firewall, and second a cache poisoning attack that makes it possible for the XSS to be stored.
We've got two XSS "puzzles" in unnamed bounty programs, each with somewhat interesting exploit strategies. The original post is worth a read for more insight into the thought process leading to the discovery of each step.
It is possible for a malicious website to associate a visitor with a known Slack account. The attack relies on a difference in behavior when accessing a file with and without permission, and on the ability to share a file with specific users...
The cool part of this paper is the speculative type confusion attack, where the browser's optimizer is trained to expect that a memory access will be on a uint8 array, and the CPU's branch predictor is trained to expect that execution will always go down that path. The attack then changes both conditions, leading the CPU to speculatively execute the uint8 access on data from another object, aligned in memory such that two 32-bit values in JavaScript become one 64-bit value.
The idea here is that by overflowing the value containing the size of a header name you can cause the header to be misinterpreted.
A great exploit chain that starts with a newline injection, leads to the ability to write "2" to any file, and culminates in a login and root code execution, all doable with remotely hosted JavaScript.