Microsoft Edge Chakra OP_NewScObjArray Type Confusion Remote Code Execution Vulnerability: Analysis and Exploitation

1. Vulnerability description

CVE ID: none
Affected versions: Chakra <= 1.10.0

Root cause: the interpreter mishandles the OP_NewScObjArray opcode. Inside OP_NewScObjArray_Impl a forced cast between two structures (one opcode layout reinterpreted as another) produces a type confusion. Successful exploitation can lead to remote code execution.
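The struct-cast type confusion described above, as an added example that is not code from this page or from Chakra: a constructed C model in which a 6-byte unprofiled call layout is reinterpreted as the 8-byte profiled layout, so the profileId field is actually read from the next instruction's bytes and then used as an index into a per-function call-site table. The two layout structs, the field names (profileId, callSiteInfo), CALL_SITE_COUNT, the NSA_* result codes and the sample bytecode are all assumptions made for illustration. The buggy variant models the out-of-bounds table read by returning NSA_OOB instead of performing it; the hardened variant only reinterprets the bytes when the instruction was really emitted with profiling data, and still range-checks the index.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of two interpreter opcode layouts for one "new array"
 * call instruction. Field names and sizes are illustrative assumptions,
 * not Chakra's real OpLayout structs. */
typedef struct {
    uint8_t  opcode;        /* the call-style opcode itself */
    uint8_t  argCount;
    uint16_t returnReg;
    uint16_t functionReg;
} LayoutCallI;              /* 6 bytes: layout emitted without profiling */

typedef struct {
    LayoutCallI base;
    uint16_t    profileId;  /* index into the function's call-site table */
} LayoutProfiledCallI;      /* 8 bytes: layout emitted with profiling */

#define CALL_SITE_COUNT 4u

typedef struct {
    uint16_t callSiteInfo[CALL_SITE_COUNT];
} ProfileInfo;

enum { NSA_UNPROFILED = -2, NSA_OOB = -1 };

/* Buggy handler: mirrors an implementation compiled for the unprofiled case
 * (profiled == 0) that nevertheless reinterprets the bytes at pc as the
 * longer profiled layout. The two bytes past the 6-byte layout are the
 * start of the NEXT instruction, so profileId becomes whatever the
 * bytecode emitter put there. Returns the index that would be used, or
 * NSA_OOB where real code would read past the end of callSiteInfo. */
int buggy_new_scobj_array(const uint8_t *pc, const ProfileInfo *info,
                          int profiled, uint16_t *out_value)
{
    (void)profiled;                       /* the flag is never consulted */
    LayoutProfiledCallI layout;
    memcpy(&layout, pc, sizeof layout);   /* struct-to-struct reinterpretation */
    if (layout.profileId >= CALL_SITE_COUNT)
        return NSA_OOB;                   /* modelled instead of performed */
    *out_value = info->callSiteInfo[layout.profileId];
    return (int)layout.profileId;
}

/* Hardened handler: only the profiled instantiation may read profileId,
 * and even then the index is range-checked before the table lookup. */
int fixed_new_scobj_array(const uint8_t *pc, const ProfileInfo *info,
                          int profiled, uint16_t *out_value)
{
    if (!profiled) {
        LayoutCallI layout;               /* exactly what the emitter wrote */
        memcpy(&layout, pc, sizeof layout);
        (void)layout;                     /* nothing to record */
        return NSA_UNPROFILED;
    }
    LayoutProfiledCallI layout;
    memcpy(&layout, pc, sizeof layout);
    if (layout.profileId >= CALL_SITE_COUNT)
        return NSA_OOB;                   /* reject instead of trusting it */
    *out_value = info->callSiteInfo[layout.profileId];
    return (int)layout.profileId;
}

/* Constructed bytecode: an unprofiled 6-byte call layout followed by the
 * first bytes of the next instruction (0x12 0x34). Reinterpreted as the
 * profiled layout, those bytes read as profileId 0x3412 on little-endian. */
static const uint8_t UNPROFILED_BYTECODE[8] =
    { 0x7b, 0x02, 0x05, 0x00, 0x03, 0x00, 0x12, 0x34 };

/* The same call emitted WITH profiling: profileId 2 really is present. */
static const uint8_t PROFILED_BYTECODE[8] =
    { 0x7b, 0x02, 0x05, 0x00, 0x03, 0x00, 0x02, 0x00 };

/* Constructed call-site table for the sample function. */
static const ProfileInfo SAMPLE_PROFILE = { { 100, 200, 300, 400 } };

int main(void)
{
    uint16_t v = 0;
    printf("buggy/unprofiled : %d\n",
           buggy_new_scobj_array(UNPROFILED_BYTECODE, &SAMPLE_PROFILE, 0, &v));
    printf("fixed/unprofiled : %d\n",
           fixed_new_scobj_array(UNPROFILED_BYTECODE, &SAMPLE_PROFILE, 0, &v));
    printf("fixed/profiled   : %d (value %u)\n",
           fixed_new_scobj_array(PROFILED_BYTECODE, &SAMPLE_PROFILE, 1, &v), v);
    return 0;
}
```

The point of the model is the mismatch between the compile-time variant (the `profiled` flag, standing in for a template parameter) and the run-time reinterpretation: once the shorter layout is cast to the longer one, the "profileId" is not a value the engine ever assigned, and any later table lookup keyed on it is an out-of-bounds read on attacker-influenced bytecode.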

2. Test environment

Windows 10 x64 + Microsoft Edge 42.17074.1002.0

3. Vulnerability analysis

3.1 Basic crash information
With page heap enabled for the content process (gflags.exe -I MicrosoftEdgeCP.exe +hpa +ust), loading poc.html in Microsoft Edge produces the following exception:

  0:017> r
  rax=00000033438faf18 rbx=00000000000fefa0 rcx=000001aee1be3020
  rdx=00007ff88f40c698 rsi=000001a6c2bcd960 rdi=000001aee1be3020
  rip=00007ff88ee5d224 rsp=00000033438faea0 rbp=000000000000fefa
   r8=000001aee1ce2050  r9=00007ff88f40c698 r10=000001a6c2b38568
  r11=000001aee33001b0 r12=000001aee1be3020 r13=000001aec87103c0
  r14=000001aee1be3b29 r15=00000000000009e9
  iopl=0         nv up ei pl nz na po nc
  cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
  chakra!Js::DynamicProfileInfo::RecordCallSiteInfo+0x54:
  00007ff88ee5d224 450fb74802      movzx   r9d,word ptr [r8+2] ds:000001aee1ce2052=????
  0:017> kb
  RetAddr           : Args to Child                                                           : Call Site
  00 00007ff88ed5ca46 : 000001aee1be3020 000001aee33001b0 000001a6c2b3fefa 00007ff88f40c698 : chakra!Js::DynamicProfileInfo::RecordCallSiteInfo+0x54
  01 00007ff88ed5b061 : 000001aec8708580 00000033438faff0 000001aec87103c0 000001a6c2b3fefa : chakra!Js::ProfilingHelpers::ProfiledNewScObjArray+0xa6
  02 00007ff88efe8518 : 00000033438fb280 000001aee3af7c85 00000033438fb0b0 000001aee3af7c84 : chakra!Js::InterpreterStackFrame::OP_NewScObjArray_Impl<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<1> >,0>+0x81
  03 00007ff88ee25e1b : 00000033438fb280 000001aee3af7c84 00000033438fb0b0 0000000000000000 : chakra!Windows::Data::Text::IUnicodeCharactersStatics::vcall'{144}'+0x1f618
  04 00007ff88ee25c55 : 00000033438fb280 0000000000000000 0000000000000001 00007ff88ed5c496 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x9b
  05 00007ff88ee24704 : 00000033438fb280 00000033438fb280 00000033438fb280 0000000000000001 : chakra!Js::InterpreterStackFrame::Process+0x175
  06 00007ff88ee26cdb : 00000033438fb280 000001aee3af7c68 000001aee3af7c68 0000000000000000 : chakra!Js::InterpreterStackFrame::OP_TryCatch+0x64
  07 00007ff88ee25c55 : 00000033438fb280 0000000000000000 0000000000000000 0000000000000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0xf5b
  08 00007ff88ee1913d : 00000033438fb280 00000033438fb280 00000033438fbc80 000001a6c2b28760 : chakra!Js::InterpreterStackFrame::Process+0x175
  09 00007ff88ee189de : 000001aec87103c0 00000033438fbe60 000001aee1c70fba 00000033438fbe78 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x49d
  0a 000001aee1c70fba : 00000033438fbeb0 0000000000000001 00000033438fbea0 00000033438fc288 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x4e

The stack shows that the access violation occurs inside RecordCallSiteInfo, and the frames leading there are worth reading against the description in section 1. The interpreter is running its unprofiled loop (frame 04, ProcessUnprofiled), and the OP_NewScObjArray_Impl instantiation in frame 02 has template argument 0, i.e. the non-profiling variant, yet it calls straight into ProfilingHelpers::ProfiledNewScObjArray (frame 01), which in turn calls DynamicProfileInfo::RecordCallSiteInfo. The faulting instruction, movzx r9d,word ptr [r8+2], is a 2-byte read through r8 = 000001aee1ce2050; the ???? in the debugger output means that address is not mapped, which with page heap enabled is consistent with the read landing in the inaccessible page that page heap places after a heap allocation, i.e. past the end of a heap buffer. In other words, the non-profiling path is consuming profile data it was never meant to see, and the index it uses to do so is garbage: that is the type confusion caused by the struct cast in OP_NewScObjArray_Impl.
