CVE-2019-1217

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka 'Chakra Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1138, CVE-2019-1237, CVE-2019-1298, CVE-2019-1300...

Microsoft Edge Chakra 1.11.4 Type Confusion

/ Exploit Title: getting Read permission through Type Confusion Date: date Exploit Author: Fahad Aid Alharbi Vendor Homepage: https://www.microsoft.com/en-us/ Version: Chakra 1114 REQUIRED Tested on: Windows 10 CVE : cve-2019-0539 / / author @0x4142 = Fahad Aid Alharbi cve-2019-0539 Getting Read ...

Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion

Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion / Exploit Title: getting Read permission through Type Confusion Date: date Exploit Author: Fahad Aid Alharbi Vendor Homepage: https://www.microsoft.com/en-us/ Version: Chakra 1114 REQUIRED Tested on: Windows 10 CVE : cve-2019-0539 ...

Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion

NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code. In the PoC, it overwrites the pointer to property...

Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion

/ In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer to the object array which stores numeric properties. For...

Microsoft Edge Chakra - NewScObjectNoCtor or InitProto Type Confusion

Microsoft Edge Chakra - NewScObjectNoCtor or InitProto Type Confusion NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusio...

Microsoft Edge Chakra - OP_Memset Type Confusion Exploit

Exploit for windows platform in category dos / poc Microsoft Edge Chakra - OPMemset Type Confusion / Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it...

Remote code execution

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge, aka "Chakra Scripting Engine Memory Corruption Vulnerability." This affects Microsoft Edge, ChakraCore. This CVE ID is unique from CVE-2018-8541, CVE-2018-8542,...

Microsoft Edge Chakra - PathTypeHandlerBase::SetAttributesHelper Type Confusion

Microsoft Edge Chakra - PathTypeHandlerBase::SetAttributesHelper Type Confusion / Here's a snippet of PathTypeHandlerBase::SetAttributesHelper. PathTypeHandlerBase predTypeHandler = this; DynamicType currentType = instance-GetDynamicType; while predTypeHandler-GetPathLength propertyIndex...

Microsoft Edge Chakra PathTypeHandlerBase::SetAttributesHelper Type Confusion

Microsoft Edge: Chakra: Type confusion with PathTypeHandlerBase::SetAttributesHelper CVE-2018-8384 Here's a snippet of PathTypeHandlerBase::SetAttributesHelper. PathTypeHandlerBase predTypeHandler = this; DynamicType currentType = instance-GetDynamicType; while predTypeHandler-GetPathLength...

Microsoft Edge Chakra JIT - DictionaryPropertyDescriptor::CopyFrom Type Confusion

Microsoft Edge Chakra JIT - DictionaryPropertyDescriptor::CopyFrom Type Confusion / Here's the method. template template void DictionaryPropertyDescriptor::CopyFromDictionaryPropertyDescriptor& descriptor this-Attributes = descriptor.Attributes; this-Data = descriptor.Data ==...

Microsoft Edge Chakra JIT - Scope Parsing Type Confusion Exploit

Exploit for windows platform in category dos / poc // PoC: async function triggera = class b await 1 let spray = ; for let i = 0; i 0016 SetHomeObj R13 R14 001b NewScObjectSimple R9 001d ProfiledStFld R9.value = R2 1 0021 ProfiledStFld R9.done = R4 2 0025 Yield R9 R9...

Microsoft Edge Chakra JIT BoundFunction::NewInstance Bug

Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance CVE-2018-8139 BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function...

Microsoft Edge Chakra - Cross Context Use-After-Free

Microsoft Edge Chakra - Cross Context Use-After-Free f.onload = null; // Garbage collection for let i = 0; i 10; i++ new ArrayBuffer1024 1024 40; let obj = opt; // "opt" returns the freed string constant. ; // Closing the diffrent context f.src = 'about:blank'; But in fact, if you run the code, y...

Microsoft Edge Chakra JIT - Magic Value Type Confusion

Microsoft Edge Chakra JIT - Magic Value Type Confusion / BOOL JavascriptNativeFloatArray::SetItemuint32 index, double dValue if uint64&dValue == uint64&JavascriptNativeFloatArray::MissingItem JavascriptArray varArr = JavascriptNativeFloatArray::ToVarArraythis; varArr-DirectSetItemAtindex,...

Microsoft Edge Chakra JIT - Bound Check Elimination Bug

/ Chakra uses the InvariantBlockBackwardIterator class to backpropagate the information about the hoisted bound checks. But the class follows the linked list instaed of the control flow. This may lead to incorrectly remove the bound checks. In the following code, currentBlock's block number is 4...

Microsoft Edge Chakra JIT CallRegExSymbolFunction Return Check Fail Exploit

Exploit for windows platform in category dos / poc Microsoft Edge: Chakra: JIT: CallRegExSymbolFunction doesn't check the return type The "CallRegExSymbolFunction" method is used to call symbol functions in regexp objects. But it doesn't check the return value's type. Since the user can define th...

Microsoft Edge Chakra JIT - Array.prototype.reverse Array Type Confusion Exploit

Exploit for windows platform in category dos / poc / This is simillar to the previous issue 1457. But this time, we use Array.prototype.reverse. Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of "this" to a Var array. Call flow:...

Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass

Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass / Here's a snippet of ExecuteImplicitCall which is responsible for updating the ImplicitCallFlags flag. template inline Js::Var ExecuteImplicitCallJs::RecyclableObject function, Js::ImplicitCallFlags flags, Fn implicitCall...

Microsoft Edge Chakra JIT - GlobOpt::OptTagChecks Must Consider IsLoopPrePass Properly (2)

Microsoft Edge Chakra JIT - GlobOpt::OptTagChecks Must Consider IsLoopPrePass Properly 2 It seems this is the patch for the bug. https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a The following two cases will bypass the fix. 1: function opt let obj ...