Vulners
Lucene search
Microsoft Chakra JIT Server Out-Of-Bounds Write Exploit
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | Microsoft Edge Information Disclosure Vulnerability (CNVD-2017-23791) | 9 Aug 201700:00 | – | cnvd |
 | CVE-2017-8659 | 8 Aug 201721:00 | – | cve |
 | CVE-2017-8659 | 8 Aug 201721:00 | – | cvelist |
 | ChakraCore information disclosure vulnerability | 17 May 202202:13 | – | github |
 | August 8, 2017—KB4034674 (OS Build 15063.540) | 8 Aug 201707:00 | – | mskb |
 | KLA11084 Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer | 8 Aug 201700:00 | – | kaspersky |
 | Scripting Engine Information Disclosure Vulnerability | 8 Aug 201707:00 | – | mscve |
 | CVE-2017-8659 | 8 Aug 201721:29 | – | nvd |
 | Microsoft Windows Multiple Vulnerabilities (KB4034674) | 9 Aug 201700:00 | – | openvas |
 | GHSA-H6M7-JPHX-F9P5 ChakraCore information disclosure vulnerability | 17 May 202202:13 | – | osv |
10
Microsoft Chakra JIT server out-of-bounds write when processing Js::OpCode::ProfiledLoopStart opcode
CVE-2017-8659
There is an issue in Chakra JIT server that can be potentially exploited to compromise the JIT process from a compromised browser content process. Bugs like this could potentially be used to bypass ACG (Arbitrary Code Guard) in Microsoft Edge.
The issue has been confirmed on a ChakraCore build from source.
Chakra JIT server takes bytecode as an input from the calling process. When processing the Js::OpCode::ProfiledLoopStart opcode in IRBuilder::BuildUnsigned1() function in IRBuilder.cpp there is this line
this->m_saveLoopImplicitCallFlags[num] = saveOpnd;
where num is client-controlled (it's an usigned char following the Js::OpCode::ProfiledLoopStart opcode).
m_saveLoopImplicitCallFlags is allocated in IRBuilder.h as
m_saveLoopImplicitCallFlags = (IR::Opnd**)func->m_alloc->Alloc(sizeof(IR::Opnd*) * loopCount);
where loopCount is also client-controlled (workItemData->jitData->bodyData->loopCount).
Thus if a client sets num larger than loopCount, an out-of-bounds write will occur. There appear to be no bounds checks related to this array, there are some asserts that happen *after* the overrwrite already occurred and they will not be present in the Release builds.
Note that there is also an integer overflow when m_saveLoopImplicitCallFlags is being allocated:
sizeof(IR::Opnd*) * loopCount
that's going to affect 32-bit processes.
Speaking of integer overflows that will affect 32-bit processes, there are also several other similar instances such as
this->tempMap = (SymID*)m_tempAlloc->AllocZero(sizeof(SymID) * tempCount);
in IRBuilder.cpp (as far as I can tell tempCount is going to be controllable by the user) an probably other places.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: ifratric
# 0day.today [2018-04-03] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2017 00:00Current
6.1Medium risk
Vulners AI Score6.1
EPSS0.14559