vendor:
ChakraCore
by:
Project Zero
4.7
CVSS
MEDIUM
Type Confusion
843
CWE
Product Name: ChakraCore
Affected Version From: ChakraCore 1.11
Affected Version To: ChakraCore 1.11.11
Patch Exists: Yes
Related CVE: CVE-2017-8627
CPE: a:microsoft:chakracore:1.11
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2017

Chakra Parser Type Confusion Vulnerability

When Chakra's parser encounters '{', it initially treats it as an object literal, without yet distinguishing whether it will turn out to be an object literal or an object pattern. After parsing it with 'Parser::ParseTerm', if it is an object pattern, Chakra converts it using the 'ConvertObjectToObjectPattern' method. The problem is that 'Parser::ParseTerm' also parses postfix operators such as '.' via 'ParsePostfixOperators' without proper checks. As a result, invalid syntax (e.g., {b = 0x1111...}.c) is accepted, and 'ConvertObjectToObjectPattern' fails to convert it to an object pattern. In the PoC below, 'ConvertObjectToObjectPattern' skips '{b = 0x1111...}.c', so the object literal is left with incorrect members (b = 0x1111, c = 0x2222). This leads to a type confusion: Chakra treats 'c' as a setter and tries to call it.

Mitigation:

Microsoft has released a patch to address this vulnerability.

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1308

When Chakra's parser meets "{", at first, Chakra treats it as an object literal without distinguishing whether it will be an object literal (e.g., {a: 0x1234}) or an object pattern (e.g., {a} = {a: 1234}). After parsing it using "Parser::ParseTerm", if it's an object pattern, Chakra converts it to an object pattern using the "ConvertObjectToObjectPattern" method.

The problem is that "Parser::ParseTerm" also parses ".", etc. using "ParsePostfixOperators" without proper checks. As a result, an invalid syntax (e.g., {b = 0x1111...}.c) can be parsed and "ConvertObjectToObjectPattern" will fail to convert it to an object pattern.

In the following PoC, "ConvertObjectToObjectPattern" skips "{b = 0x1111...}.c". So the object literal will have incorrect members (b = 0x1111, c = 0x2222), and this leads to type confusion (Chakra will think "c" is a setter and try to call it).

PoC:
-->

function f() {
    ({
        a: {
            b = 0x1111,
            c = 0x2222,
        }.c = 0x3333
    } = {});
}

f();
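The following is an added example, not code from this page, from Chakra or from Project Zero: a toy recursive-descent parser in JavaScript for a small expression subset (identifiers, numeric literals, object literals, member access and assignment) that models the cover-grammar problem the advisory describes. A '{' is parsed as an object literal first; a member written as "name = init" (a CoverInitializedName) is legal only if that literal is later reinterpreted as a destructuring pattern. Because "{...}.c" is a member expression, and a member expression is a valid assignment target on its own, the conversion to a pattern never descends into the literal, so a separate early-error pass has to reject any literal that still carries such initializers. That pass is the check the advisory says Chakra lacked. All names here (tokenize, Parser, toAssignmentTarget, checkNoStrayCoverInit, parse, isValid, POC) are this example's own, and the "earlyErrors" switch is an assumption used to show the unchecked result, not a Chakra option.

```javascript
// Added example (not Chakra's or Project Zero's code): a toy parser for a small
// JavaScript expression subset that models the cover-grammar problem described
// above. '{' is parsed as an object literal first; a `name = init` member (a
// CoverInitializedName) is legal only if that literal is later reinterpreted as a
// destructuring pattern. The final early-error pass is the check Chakra lacked;
// the `earlyErrors` switch is this example's device for showing the unchecked result.

function tokenize(src) {
  const re = /\s*(?:(0x[0-9a-fA-F]+|\d+)|([A-Za-z_$][\w$]*)|([{}:,=.();]))/y;
  const out = [];
  src = src.trim();
  for (let m; re.lastIndex < src.length && (m = re.exec(src)) !== null; ) {
    out.push(m[1] !== undefined ? { t: 'num', v: m[1] } : m[2] !== undefined ? { t: 'id', v: m[2] } : { t: m[3] });
  }
  if (re.lastIndex < src.length) throw new SyntaxError('unexpected character');
  return [...out, { t: 'eof' }];
}

class Parser {
  constructor(src) { this.toks = tokenize(src); this.i = 0; }
  peek() { return this.toks[this.i]; }
  next() { return this.toks[this.i++]; }
  expect(t) { const k = this.next(); if (k.t !== t) throw new SyntaxError(`expected '${t}', got '${k.t}'`); return k; }
  // AssignmentExpression := LeftHandSide ( '=' AssignmentExpression )?
  parseAssignment() {
    const lhs = this.parseLeftHandSide();
    if (this.peek().t !== '=') return lhs;
    this.next(); // only here may a literal be reinterpreted as a pattern
    return { type: 'Assign', target: toAssignmentTarget(lhs), value: this.parseAssignment() };
  }
  // LeftHandSide := Primary ( '.' Identifier )*   (the postfix operators)
  parseLeftHandSide() {
    let node = this.parsePrimary();
    while (this.peek().t === '.') { this.next(); node = { type: 'Member', object: node, property: this.expect('id').v }; }
    return node;
  }
  parsePrimary() {
    const tok = this.next();
    if (tok.t === 'num') return { type: 'Num', value: Number(tok.v) };
    if (tok.t === 'id') return { type: 'Id', name: tok.v };
    if (tok.t === '(') { const e = this.parseAssignment(); this.expect(')'); return e; }
    if (tok.t === '{') return this.parseObject();
    throw new SyntaxError(`unexpected '${tok.t}'`);
  }
  // Cover grammar: always parsed as a literal; `name = init` is recorded as coverInit.
  parseObject() {
    const props = [];
    while (this.peek().t !== '}') {
      const key = this.expect('id').v;
      let value = { type: 'Id', name: key }, coverInit = null;
      if (this.peek().t === ':') { this.next(); value = this.parseAssignment(); }
      else if (this.peek().t === '=') { this.next(); coverInit = this.parseAssignment(); }
      props.push({ key, value, coverInit });
      if (this.peek().t !== ',') break;
      this.next();
    }
    this.expect('}');
    return { type: 'ObjectLiteral', props };
  }
}

// Reinterpret a parsed expression as an assignment target. A member expression such
// as `{...}.c` is itself a valid simple target, so this does not descend into its
// object operand (the advisory says ConvertObjectToObjectPattern skips it too).
function toAssignmentTarget(node) {
  switch (node.type) {
    case 'Id': case 'Member': case 'ObjectPattern': return node;
    case 'ObjectLiteral':
      return { type: 'ObjectPattern', props: node.props.map((p) => (p.value.type === 'Assign'
        ? { key: p.key, target: toAssignmentTarget(p.value.target), default: p.value.value }
        : { key: p.key, target: toAssignmentTarget(p.value), default: p.coverInit })) };
    default: throw new SyntaxError('Invalid destructuring assignment target');
  }
}

// Early-error pass: an ObjectLiteral that still carries a coverInit was never
// converted to a pattern, so its `name = init` members are invalid. Without this
// walk the literal keeps those members, which is the state the advisory describes.
function checkNoStrayCoverInit(node) {
  if (node.type === 'ObjectLiteral' && node.props.some((p) => p.coverInit)) {
    throw new SyntaxError('Invalid shorthand property initializer');
  }
  const kids = node.type === 'ObjectLiteral' ? node.props.map((p) => p.value)
    : node.type === 'ObjectPattern' ? node.props.flatMap((p) => (p.default ? [p.target, p.default] : [p.target]))
    : node.type === 'Member' ? [node.object]
    : node.type === 'Assign' ? [node.target, node.value] : [];
  kids.forEach(checkNoStrayCoverInit);
}

function parse(src, { earlyErrors = true } = {}) {
  const p = new Parser(src);
  const ast = p.parseAssignment();
  if (p.peek().t === ';') p.next();
  p.expect('eof');
  if (earlyErrors) checkNoStrayCoverInit(ast);
  return ast;
}

function isValid(src) {
  try { parse(src); return true; } catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Constructed input: the PoC expression from above, on one line.
const POC = '({ a: { b = 0x1111, c = 0x2222, }.c = 0x3333 } = {});';
```

parse(POC, { earlyErrors: false }) succeeds and returns a tree in which the pattern's "a" target is the member expression "{...}.c" whose object is still an ObjectLiteral carrying the b = 0x1111 and c = 0x2222 initializers, i.e. the inconsistent state the advisory describes; parse(POC) rejects the same input with the early error for a CoverInitializedName that was never reinterpreted as a pattern, while well-formed destructuring such as ({a: {b = 1, c = 2}} = {}) still parses.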