An Analysis of Microsoft Edge Chakra NewScObjectNoCtor Array Type Confusion (CVE-2018-0838)

FortiGuard Labs Threat Research

An Analysis of Microsoft Edge Chakra NewScObjectNoCtor Array Type Confusion (CVE-2018-0838)

By Dehui Yin | May 18, 2018

CVE-2018-0838 is one of the ‘type confusion’ bugs in the Microsoft Edge Chakra Engine that was by Microsoft three months ago. This bug causes memory corruption and can possibly be exploited to execute arbitrary code when a vulnerable system browses a malicious web page via Microsoft Edge.

This type confusion bug occurs when the codes generated by the Chakra just-in-time (JIT) java compiler change the property value of a newly converted JavascriptArray object without validation. In this post, the team at FortiGuard Labs looks deeply into the Microsoft Edge Chakra Engine assembly codes to expose the root cause of this vulnerability.

The Chakra just-in-time (JIT) java compiler generates the machine codes for the Javascript functions that are invoked multiple times for better performance. Under normal conditions, Chakra checks the value type before setting the property of a object in order to avoid a type confusion error; however, the machine codes generated by the Chakra just-in-time (JIT) java compiler don't perform the check and set the property value directly, which results in memory corruption when the property is accessed later.��

We used the following PoC, which is based on information published by the during our analysis.

PoC:

All the following assembly codes were taken from chakra.dll version 11.00.14393.447. My added comments have been highlighted.

A part of opt() function codes generated by JIT compiler:��

Looking into NewScObjectNoCtor, we can easily find that JavascriptNativeFloatArray::ConvertToVarArray is invoked to convert the JavascriptNativeFloatArray object(arr) to a JavascriptArray object.��