Starred by 3 users
Status: Fixed
Closed: Mar 2017
Microsoft Edge: Undefined behavior on some getters
Project Member Reported by lokihardt@google.com, Dec 16 2016
I noticed that some JavaScript getters behave strangely.

My test code:

var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];

var f = document.createElement("iframe");

f.onload = () => {
    f.onload = null;

    // Walk every enumerable property of the top-level window and invoke its
    // getter with the cross-origin iframe's window as the receiver.
    for (var x in window) {
        // Properties that are legitimately accessible cross-origin are skipped.
        if (whitelist.indexOf(x) != -1)
            continue;

        try {
            // __lookupGetter__ returns undefined for data properties, so the
            // .call on it throws and is swallowed below, as is the TypeError a
            // correctly receiver-checked getter must raise.
            window.__lookupGetter__(x).call(f.contentWindow);
            console.log(x); // reached only if the getter did not throw
        } catch (e) {

        }
    }

};

f.src = "https://abc.xyz/";
document.body.appendChild(f);

And after some playing around, I finally reached a UAF condition. The PoC is attached. RIP will jump into the freed JIT code.

Tested on Microsoft Edge 38.14393.0.0.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachment: poc.html (1.6 KB)
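As an added illustration (not part of the report and not Edge's code), the following plain-JavaScript model shows the receiver ("brand") check a WebIDL-style getter is expected to enforce, and reuses the report's call-every-getter loop as an audit that flags getters which accept a foreign receiver instead of throwing a TypeError. FakeWindow, brandCheckedGetter, uncheckedGetter and auditGetters are hypothetical names.

```javascript
// Added illustration: a getter's per-object state lives in a WeakMap keyed by
// the genuine receiver, standing in for an engine's internal slots.
const slots = new WeakMap();

class FakeWindow {
  constructor(name) { slots.set(this, { name, closed: false }); }
}

// A correctly implemented getter: refuse any receiver that lacks our brand,
// so it can never read state belonging to some other object.
function brandCheckedGetter(field) {
  return function () {
    const s = slots.get(this);
    if (s === undefined) throw new TypeError("Illegal invocation");
    return s[field];
  };
}

// A getter with the check missing: it trusts whatever receiver it is handed.
// In plain JS this only yields a placeholder value; in a native engine the
// same mistake operates on memory of the wrong object.
function uncheckedGetter(field) {
  return function () { return (slots.get(this) || { [field]: "garbage" })[field]; };
}

Object.defineProperty(FakeWindow.prototype, "name",   { get: brandCheckedGetter("name"),   enumerable: true });
Object.defineProperty(FakeWindow.prototype, "closed", { get: brandCheckedGetter("closed"), enumerable: true });
Object.defineProperty(FakeWindow.prototype, "leaky",  { get: uncheckedGetter("name"),      enumerable: true });

// Mirror of the report's loop: invoke every accessor on `proto` with `foreign`
// as the receiver. Any getter that does not throw a TypeError is reported as
// missing its receiver check.
function auditGetters(proto, foreign) {
  const missing = [];
  for (const key of Object.getOwnPropertyNames(proto)) {
    const desc = Object.getOwnPropertyDescriptor(proto, key);
    if (!desc || typeof desc.get !== "function") continue; // data property, skip
    try {
      desc.get.call(foreign);
      missing.push(key);                       // returned instead of throwing
    } catch (e) {
      if (!(e instanceof TypeError)) missing.push(key); // wrong failure mode
    }
  }
  return missing;
}
```

Run with a plain object as the foreign receiver; only the getter without the brand check is reported.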
Project Member Comment 1 by lokihardt@google.com, Mar 14 2017
Labels: CVE-2017-0070
Project Member Comment 2 by lokihardt@google.com, Mar 15 2017
Labels: -Restrict-View-Commit
Project Member Comment 3 by lokihardt@google.com, Mar 15 2017
Status: Fixed
Is it possible to exploit the vulnerability by a crafted web page remotely?