CVE-2016-7201

Related Files

Microsoft Edge chakra.dll Information Leak / Type Confusion

Posted Jan 6, 2017

Authored by Brian Pak

Proof of concept exploit for Microsoft Edge bugs that allow for remote code execution.

tags | exploit, remote, code execution, proof of concept

advisories | CVE-2016-7200, CVE-2016-7201

SHA-256 | f2d4f1a9012f8e20eb5fd805d9286e3ffc7dd340986f32bc6918556e5807cb8e

Download | Favorite | View

Microsoft Edge FillFromPrototypes Type Confusion

Posted Nov 18, 2016

Authored by Google Security Research, natashenka

JavascriptArray::FillFromPrototypes is a method that is used by several Javascript functions available in the browser to set the native elements of an array to the values provide by its prototype. This function calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if the prototype of the object is an array, it assumes that it is a Var array. While arrays are generally converted to var arrays if they are set as an object's prototype, if an object's prototype is a Proxy object, it can return a parent prototype that is a native int array. This can lead to type confusing, allowing an integer to be treated as an absolute pointer, when JavascriptArray::FillFromPrototypes is called.

tags | exploit, javascript

advisories | CVE-2016-7201

SHA-256 | 101dc4b8ff4f7d1e144aeed9b089ca5fedd08e6c84b3be506d775adb205e3772

Download | Favorite | View