Microsoft Edge - eval Type Confusion Vulnerability

ID 1337DAY-ID-26350
Type zdt
Reporter Google Security Research
Modified 2016-11-18T00:00:00


Exploit for windows platform in category dos / poc

In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion. A full PoC is as follows and attached:
var p = new Proxy(eval, {});
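The defensive lesson in the description above is that a call flag only tells the callee that an extra argument is present; it says nothing about the argument's type, so the callee has to check a type tag before casting. The following C program is an added illustration of that pattern and is not code from the advisory or from Chakra: every name in it (ArgKind, FrameDisplayModel, OtherObjectModel, ExtraArgModel, eval_scope_depth_*, the constructed call sites) is hypothetical, and only the idea of a CallFlags_ExtraArg-style flag with a callee that trusts the extra argument's type is taken from the text. It places the unchecked version beside the checked one so the difference in behaviour on a mismatched argument is visible.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model; all type and function names are hypothetical and are
 * not Chakra's own. Only the flag-plus-trusted-argument pattern comes from
 * the advisory text. */

#define CALLFLAGS_EXTRAARG 0x1u

typedef enum {
    KIND_FRAME_DISPLAY = 1,   /* the type eval expects: a scope chain */
    KIND_OTHER_OBJECT  = 2    /* anything else a different call path might pass */
} ArgKind;

typedef struct { int depth; }     FrameDisplayModel; /* stands in for a scope chain */
typedef struct { int unrelated; } OtherObjectModel;  /* some unrelated engine object */

/* Every internal object carries a kind tag so callees can check before casting. */
typedef struct {
    ArgKind kind;
    union {
        FrameDisplayModel fd;
        OtherObjectModel  other;
    } u;
} ExtraArgModel;

/* Unchecked callee: if the flag says an extra argument exists, it is read as
 * a FrameDisplayModel without looking at the tag. With a different object
 * behind the pointer this is a type confusion: whatever sits in that slot is
 * treated as a scope depth. */
int eval_scope_depth_unchecked(unsigned flags, const ExtraArgModel *extra) {
    if (!(flags & CALLFLAGS_EXTRAARG) || extra == NULL)
        return 0;                 /* no extra argument: global scope */
    return extra->u.fd.depth;     /* blind reinterpretation of the argument */
}

/* Checked callee: the flag only says an argument is present; its kind tag
 * says what it is. A mismatch is rejected instead of reinterpreted. */
int eval_scope_depth_checked(unsigned flags, const ExtraArgModel *extra) {
    if (!(flags & CALLFLAGS_EXTRAARG) || extra == NULL)
        return 0;
    if (extra->kind != KIND_FRAME_DISPLAY)
        return -1;                /* wrong type: refuse, do not cast */
    return extra->u.fd.depth;
}

/* Two constructed call sites: a direct call that supplies the expected scope
 * chain, and a call arriving through another path that supplies a different
 * object under the same flag (the situation the advisory describes). */
int direct_call(int (*callee)(unsigned, const ExtraArgModel *)) {
    ExtraArgModel scope = { .kind = KIND_FRAME_DISPLAY, .u.fd = { .depth = 3 } };
    return callee(CALLFLAGS_EXTRAARG, &scope);
}

int mismatched_call(int (*callee)(unsigned, const ExtraArgModel *)) {
    ExtraArgModel obj = { .kind = KIND_OTHER_OBJECT, .u.other = { .unrelated = 7 } };
    return callee(CALLFLAGS_EXTRAARG, &obj);
}

int main(void) {
    printf("direct, unchecked:   %d\n", direct_call(eval_scope_depth_unchecked));
    printf("direct, checked:     %d\n", direct_call(eval_scope_depth_checked));
    printf("mismatch, unchecked: %d (unrelated field accepted as a depth)\n",
           mismatched_call(eval_scope_depth_unchecked));
    printf("mismatch, checked:   %d (rejected)\n",
           mismatched_call(eval_scope_depth_checked));
    return 0;
}
```

In the toy model the confusion is harmless because both union members are a single int; in a real engine the reinterpreted object is a pointer-bearing structure, which is why the advisory classifies the unchecked cast as a memory-safety bug rather than a logic error. The fix pattern is the same either way: validate the tag at the boundary where the argument enters the callee.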

# [2018-02-16]  #