948 - Microsoft Edge: Type Confusion in eval - project-zero

Starred by 3 users

Status:	Fixed
Owner:	natashenka@google.com
Closed:	Nov 2016
Cc:	project-...@google.com
Finder-natashenka Deadline-90 CCProjectZeroMembers Severity-High Vendor-Microsoft Product-Edge Reported-2016-Sep-19 CVE-2016-7240

Microsoft Edge: Type Confusion in eval

Project Member Reported by natashenka@google.com, Sep 19 2016

Back to list

In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion. A full PoC is as follows and attached:

var p = new Proxy(eval, {});
p("alert(\"e\")"); 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

functiontrap.html
93 bytes View Download

Project Member Comment 1 by natashenka@google.com, Nov 17 2016

Labels: -Restrict-View-Commit CVE-2016-7240
Status: Fixed

Fixed in November update

► Sign in to add a comment