First of all, let me preface this by saying the security of Emscripten running in a modern browser is excellent: stack smashing and ROP are totally mitigated by the fact that Emscripten runs on top of the JavaScript VM. Emscripten, even with inline JavaScript, is compatible with CSP, which can further clamp down on attack surfaces.

That being said, code written for Emscripten can harbor potential security issues. The source code for the toy is here: https://gist.github.com/hackcasual/413277eb8f2c19c5b3e6bac0303b083c

The ordinary flow of the program is that a user's name and password are loaded into a buffer, then handed off to one of a few possible login methods. There is a function of interest, "send_ajax_request", but it is not a candidate for a login handler.

Here is a fiddle showing the vulnerability being exploited: https://jsfiddle.net/qx2mmdyz

By overflowing the buffer, the exploit changes the function pointer to "send_ajax_request", as well as pulling in the secret token. The effectiveness of this type of attack is limited in Emscripten by needing to replace a function pointer with one of the exact same signature.

Hopefully this is an interesting PoC. I'd be interested to hear about other potential interesting vulnerable coding patterns.
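The coding pattern the post describes, a fixed-size credential buffer sitting next to a function pointer in linear memory, is shown below as an added example written for this thread; it is not the toy's code from the gist, and the struct layout, handler names and the `fill_request_*` / `dispatch` helpers are all constructed stand-ins. It shows the unbounded copy that makes the pointer reachable, the bounds-checked copy that rejects oversized input instead of overflowing, and an allow-list dispatch that refuses to call any pointer that is not one of the intended login handlers, which is the check that closes the same-signature substitution the post relies on.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16
#define PASS_LEN 16

typedef int (*login_fn)(const char *user, const char *pass);

/* Constructed stand-in for one of the toy's legitimate login methods. */
static int login_local(const char *user, const char *pass) {
    return strcmp(user, "alice") == 0 && strcmp(pass, "hunter2") == 0;
}

/* Constructed stand-in for a function that shares the signature but must
 * never be reached through the login dispatch (the post's "send_ajax_request"
 * plays this role in the real toy). */
static int not_a_login_handler(const char *user, const char *pass) {
    (void)user; (void)pass;
    return 0;
}

/* The layout that makes the bug exploitable: the buffers and the handler live
 * in the same struct, so writing past `password` lands on `handler`. In an
 * Emscripten build that pointer is an index into the function table, which is
 * why the overwrite must name a function of the same signature. */
struct login_request {
    char username[NAME_LEN];
    char password[PASS_LEN];
    login_fn handler;
};

/* Vulnerable pattern: no length check, strcpy writes until the NUL. */
static void fill_request_unsafe(struct login_request *r,
                                const char *u, const char *p) {
    strcpy(r->username, u);
    strcpy(r->password, p);
}

/* Hardened pattern: reject anything that does not fit, including the NUL,
 * rather than truncating silently or overflowing. Returns 0 on success. */
static int fill_request_safe(struct login_request *r,
                             const char *u, const char *p) {
    size_t ul = strlen(u), pl = strlen(p);
    if (ul >= NAME_LEN || pl >= PASS_LEN)
        return -1;
    memcpy(r->username, u, ul + 1);
    memcpy(r->password, p, pl + 1);
    return 0;
}

/* Second line of defence: only ever call a pointer that is on the allow-list
 * of real login handlers. Even if memory is corrupted, a pointer to any other
 * same-signature function is refused (returns -2). */
static int dispatch(const struct login_request *r) {
    static const login_fn allowed[] = { login_local };
    size_t i;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (r->handler == allowed[i])
            return r->handler(r->username, r->password);
    }
    return -2;
}

int main(void) {
    struct login_request r;
    memset(&r, 0, sizeof r);

    /* In-bounds input works identically with both copy routines. */
    fill_request_unsafe(&r, "alice", "hunter2");
    r.handler = login_local;
    printf("unsafe copy, valid creds: %d\n", dispatch(&r));

    /* Oversized input is rejected before it can touch `handler`. */
    printf("safe copy, oversized password rejected: %d\n",
           fill_request_safe(&r, "alice",
                             "this-password-is-far-too-long-for-the-buffer"));

    /* A handler that is not on the allow-list is never called. */
    r.handler = not_a_login_handler;
    printf("dispatch refuses unknown handler: %d\n", dispatch(&r));
    return 0;
}
```

The length check is the real fix; the allow-list is belt-and-braces for exactly the case the post describes, where an attacker cannot reach arbitrary code but can swap in any function whose signature matches the slot.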
