113 matches found
Chakra JIT server Privilege Escalation
A vulnerability exists in Microsoft Chakra JIT server, aka 'Scripting Engine Elevation of Privileges Vulnerability'...
CVE-2019-0649
CVE-2019-0649 describes a vulnerability in Microsoft Chakra JIT server (Scripting Engine) that could enable elevation of privileges. The Microsoft security guidance notes that the flaw is addressed by altering how Chakra handles constructorCaches, with updates provided by multiple KB/MSRC advisor...
CVE-2019-0649
A vulnerability exists in Microsoft Chakra JIT server, aka 'Scripting Engine Elevation of Privileged Vulnerability'...
CVE-2019-0649
A vulnerability exists in Microsoft Chakra JIT server, aka 'Scripting Engine Elevation of Privileged Vulnerability'...
CVE-2019-0649
A vulnerability exists in Microsoft Chakra JIT server, aka 'Scripting Engine Elevation of Privileged Vulnerability'...
KB4487044: Windows 10 Version 1809 and Windows Server 2019 February 2019 Security Update
The remote Windows host is missing security update 4487044. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in .NET Framework and Visual Studio software when the software fails to check the source markup of a file. An attacker who successful...
KB4487020: Windows 10 Version 1703 February 2019 Security Update
The remote Windows host is missing security update 4487020. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in .NET Framework and Visual Studio software when the software fails to check the source markup of a file. An attacker who successful...
Microsoft Edge Chakra JIT NewScObjectNoCtor / InitProto Type Confusion
Microsoft Edge: Chakra: JIT: Type confusion via NewScObjectNoCtor or InitProto CVE-2019-0567 NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This ca...
Microsoft Edge Chakra JIT - BailOutOnInvalidatedArrayHeadSegment Check Bypass Exploit
Exploit for windows platform in category dos / poc / The BailOutOnInvalidatedArrayHeadSegment check uses the JavascriptArray::GetArrayForArrayOrObjectWithArray method to check whether the given object is an array. If it's not an array, it will decide to skip the check which means that no bailout...
Microsoft Edge Chakra JIT - Type Confusion Exploit
Exploit for windows platform in category dos / poc / The switch statement only handles Js::TypeIdsArray but not Js::TypeIdsNativeIntArray and Js::TypeIdsNativeFloatArray. So for example, a native float array can be considered as of type ObjectType::Object under certain circumstances where...
Microsoft Edge Chakra JIT - Type Confusion
Microsoft Edge Chakra JIT - Type Confusion / The switch statement only handles Js::TypeIdsArray but not Js::TypeIdsNativeIntArray and Js::TypeIdsNativeFloatArray. So for example, a native float array can be considered as of type ObjectType::Object under certain circumstances where...
Microsoft Edge Chakra JIT - BailOutOnInvalidatedArrayHeadSegment Check Bypass
Microsoft Edge Chakra JIT - BailOutOnInvalidatedArrayHeadSegment Check Bypass / The BailOutOnInvalidatedArrayHeadSegment check uses the JavascriptArray::GetArrayForArrayOrObjectWithArray method to check whether the given object is an array. If it's not an array, it will decide to skip the check...
Microsoft Edge Chakra JIT - localeCompare Type Confusion
Microsoft Edge Chakra JIT - localeCompare Type Confusion / A call to the String.prototype.localeCompare method can be inlineed when it only takes one argument. There are two versions of String.prototype.localeCompare, one 1 is written in JavaScript and the other 2 is written in C++ which just cal...
Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion
/ Here's the method. template template void DictionaryPropertyDescriptor::CopyFromDictionaryPropertyDescriptor& descriptor this-Attributes = descriptor.Attributes; this-Data = descriptor.Data == DictionaryPropertyDescriptor::NoSlots ? NoSlots : descriptor.Data; this-Getter = descriptor.Getter ==...
Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl
Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl / If the Intl object hasn't been initialized, access to any property of it will trigger the initialization process which will run Intl.js. The problem is that it runs Intl.js without caring about the ImplicitCallFlags flag. In t...
Microsoft Edge Chakra JIT - DictionaryPropertyDescriptor::CopyFrom Type Confusion Exploit
Exploit for windows platform in category dos / poc / Here's the method. template template void DictionaryPropertyDescriptor::CopyFromDictionaryPropertyDescriptor& descriptor this-Attributes = descriptor.Attributes; this-Data = descriptor.Data == DictionaryPropertyDescriptor::NoSlots ? NoSlots :...
Microsoft Edge Chakra JIT - InlineArrayPush Type Confusion Exploit
Exploit for windows platform in category dos / poc / This is similar to issue 1531 . The patch seems to prevent type confusion triggered from StElemIA instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. We can achieve type...
Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion
/ The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for...
Microsoft Edge Chakra JIT - DictionaryPropertyDescriptor::CopyFrom Type Confusion
Microsoft Edge Chakra JIT - DictionaryPropertyDescriptor::CopyFrom Type Confusion / Here's the method. template template void DictionaryPropertyDescriptor::CopyFromDictionaryPropertyDescriptor& descriptor this-Attributes = descriptor.Attributes; this-Data = descriptor.Data ==...
Microsoft Edge Chakra JIT InlineArrayPush Type Confusion
Microsoft Edge: Chakra: JIT: Type confusion with InlineArrayPush This is similar to issue 1531 . The patch seems to prevent type confusion triggered from StElemIA instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. We can achieve...