vendor: Microsoft Edge
by: Unknown
CVSS: 7.5 (HIGH)
CWE: 843 (Type Confusion)
Product Name: Microsoft Edge
Affected Version From: Microsoft Edge 42.17672.1000.0
Affected Version To: Microsoft EdgeHTML 17.17672
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2019
Type Confusion in Intl.js Initializers
The InitializeNumberFormat and InitializeDateTimeFormat functions in Intl.js initialize an Intl.NumberFormat object and an Intl.DateTimeFormat object respectively. There are two versions of each initializer, one for WinGlob and the other for ICU. The problem is that the ICU versions don't check whether the given object has already been initialized, which allows the same object to be initialized multiple times and can lead to type confusion. This vulnerability was tested on Microsoft Edge 42.17672.1000.0 and Microsoft EdgeHTML 17.17672.
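The missing check described above, modelled in plain JavaScript as an added example (not code from Intl.js or from the original report): two initializers write differently shaped state onto the same object, and a guarded variant rejects the second initialization. The `slots` map and all function names are hypothetical stand-ins for the engine's internal state.

```javascript
// Added illustration: a simplified model, not Chakra's Intl.js source. All names are hypothetical.
const slots = new WeakMap(); // stands in for an object's engine-internal state

// Flawed pattern: initializers with no "already initialized" test.
function initNumberFormatUnchecked(obj, opts) {
  slots.set(obj, { kind: "NumberFormat", minimumFractionDigits: opts.minimumFractionDigits ?? 0 });
  return obj;
}
function initDateTimeFormatUnchecked(obj, opts) {
  slots.set(obj, { kind: "DateTimeFormat", timeZone: opts.timeZone ?? "UTC" });
  return obj;
}

// Hardened pattern: refuse to initialize an object that already carries state.
function guarded(kind, build) {
  return function (obj, opts) {
    if (slots.has(obj)) throw new TypeError(kind + ": object already initialized");
    slots.set(obj, { kind, ...build(opts) });
    return obj;
  };
}
const initNumberFormat = guarded("NumberFormat",
  (o) => ({ minimumFractionDigits: o.minimumFractionDigits ?? 0 }));
const initDateTimeFormat = guarded("DateTimeFormat",
  (o) => ({ timeZone: o.timeZone ?? "UTC" }));

// Consumer written on the assumption that obj holds NumberFormat state.
function fractionDigits(obj) {
  return slots.get(obj).minimumFractionDigits;
}

function demo() {
  const a = initNumberFormatUnchecked({}, { minimumFractionDigits: 2 });
  const before = fractionDigits(a);   // state has the expected shape
  initDateTimeFormatUnchecked(a, {}); // second initialization silently replaces it
  const after = fractionDigits(a);    // consumer now reads state of the wrong shape

  const b = initNumberFormat({}, { minimumFractionDigits: 2 });
  let rejected = false;
  try {
    initDateTimeFormat(b, {});
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { before, after, rejected, intact: fractionDigits(b) };
}
```

In this model the mismatch only produces a missing property; the point is the invariant the guard restores, namely that an object's internal state is set exactly once.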
Mitigation:
The user should update to the latest version of Microsoft Edge to patch this vulnerability.