Microsoft Edge Chakra StackScriptFunction::BoxState::Box Uninitialized Pointers

2017.10.15
Credit: lokihardt
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microsoft Edge: Chakra: Accesses to uninitialized pointers in StackScriptFunction::BoxState::Box CVE-2017-11809 Here's a snippet of the method that interprets a javascript function's bytecode. Js::Var Js::InterpreterStackFrame::INTERPRETERLOOPNAME() { PROBE_STACK(scriptContext, Js::Constants::MinStackInterpreter); <<----- (a) if (!this->closureInitDone) { Assert(this->m_reader.GetCurrentOffset() == 0); this->InitializeClosures(); <<------- (b) } ... ... interprets the bytecode ... At (b), it initializes the local variables of the javascript function. In the PoC, the variables a, b and c are initialized. But at (a), if it fails to allocate Js::Constants::MinStackInterpreter bytes to the stack, it throws an exception which leads to the following code. void StackScriptFunction::BoxState::Box() { ... if (callerFunctionBody->DoStackScopeSlots()) { Var* stackScopeSlots = (Var*)interpreterFrame->GetLocalClosure(); if (stackScopeSlots) { Var* boxedScopeSlots = this->BoxScopeSlots(stackScopeSlots, ScopeSlots(stackScopeSlots).GetCount()); interpreterFrame->SetLocalClosure((Var)boxedScopeSlots); } ... ... "stackScopeSlots" contains the local variables that were supposed to be initialized at (b). So it results in accessing the uninitialized pointers. It's a little difficult to trigger this in Edge. So I recommend to use the command: ./Debug/ch -NoNative ~/test.js. PoC: function trigger() { let a, b, c; function g() { trigger(); a, b, c; } g(); } trigger(); This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: lokihardt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top