Vulners
Lucene search
Microsoft Edge Chakra InitializeNumberFormat / InitializeDateTimeFormat Type Confusion
🗓️ 17 Aug 2018 00:00:00Reported by Google Security ResearchType 
packetstorm🔗 packetstormsecurity.com👁 58 Views
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion Explo | 17 Aug 201800:00 | – | zdt |
 | CVE-2018-8298 | 11 Jul 201800:00 | – | attackerkb |
| CVE-2018-8287 | 11 Jul 201800:00 | – | attackerkb |
 | CVE-2018-8298 | 17 Aug 201800:00 | – | circl |
 | ChakraCore Scripting Engine Type Confusion Vulnerability | 3 Mar 202200:00 | – | cisa_kev |
 | Microsoft ChakraCore Remote Code Execution Vulnerability (CNVD-2018-15861) | 12 Jul 201800:00 | – | cnvd |
 | Microsoft Chakra Scripting Engine Memory Corruption (CVE-2018-8298) | 10 Jul 201800:00 | – | checkpoint_advisories |
 | CVE-2018-8298 | 11 Jul 201800:00 | – | cve |
 | CVE-2018-8283 | 11 Jul 201800:00 | – | cvelist |
| CVE-2018-8298 | 11 Jul 201800:00 | – | cvelist |
10
`Microsoft Edge: Chakra: Bugs in InitializeNumberFormat and InitializeDateTimeFormat
CVE-2018-8298
The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows to initialize the same object multiple times which can lead to type confusion.
It seems the recent version of Edge in Windows Insider Preview has started to use ICU. Tested on Microsoft Edge 42.17672.1000.0 and Microsoft EdgeHTML 17.17672.
The initializer for ICU has no check:
<a href="https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L1151" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L1151</a>
The initializer for WinGlob has a check:
<a href="https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L3046" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L3046</a>
PoC:
let object = {};
Intl.NumberFormat.apply(object);
Intl.DateTimeFormat.apply(object);
Intl.DateTimeFormat.prototype.formatToParts.apply(object);
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: lokihardt
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2018 00:00Current
7.8High risk
Vulners AI Score7.8
EPSS0.8937