Microsoft Edge Chakra JIT Use-After-Free / Flag Issue

Posted by deepcore on January 18, 2019 – 9:36 am

In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method executes JsBuiltIn.js, which initializes some of the engine's built-in objects. Because that initialization is itself written in JavaScript, the method clears the disable-implicit-call flag before running it; otherwise the script might not execute correctly. The problem is that it does not restore the previous state of the flag after the call. That flag is what keeps JIT-compiled code from running implicit calls (user-controlled callbacks such as valueOf, toString or getters) while objects it has allocated on the stack are live, because such a callback could capture a reference to one of those objects and keep it past the frame's lifetime. Leaving the flag cleared allows exactly that kind of leak, so this missing restore can lead to a stack-based use-after-free.

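The following is an added example, not code from the post or from Chakra: a small JavaScript model of the flag lifecycle described above. It shows an implicit call (a user valueOf) being blocked with a bailout while the disable-implicit-call flag is set, a library-injection helper that clears the flag and forgets to restore it (the bug pattern), and the save-and-restore variant. The names `engine`, `jitAdd`, `runJitFrame`, `injectLibraryCodeBuggy` and `injectLibraryCodeFixed` are this example's own; the "leak" is modelled as a captured boolean, not as real memory corruption.

```javascript
// Added example: a JavaScript model of a disable-implicit-call flag and of
// the flag-restore bug the post describes. None of these names are Chakra
// APIs; they exist only to make the control flow visible.

// Engine state: while `disableImplicitCalls` is set, JIT'd code must not run
// user callbacks (valueOf/toString/getters). Instead it records the attempt
// so the JIT'd frame can bail out to the interpreter.
const engine = {
  disableImplicitCalls: false,
  implicitCallAttempted: false,
};

// A user-controlled operand whose valueOf is an implicit call. If it runs
// while the flag should have been set, it can capture something the JIT'd
// frame assumed was private (modelled here by setting `sink.captured`).
function makeLeakyOperand(sink) {
  return {
    valueOf() {
      sink.captured = true;
      return 1;
    },
  };
}

// Models a JIT'd `x + 1` emitted under the assumption that no implicit call
// will execute. With the flag set, the engine refuses to run valueOf and
// reports a bailout; with the flag clear, `+` invokes valueOf.
function jitAdd(x) {
  if (engine.disableImplicitCalls && typeof x === "object") {
    engine.implicitCallAttempted = true;
    return { bailout: true, value: undefined };
  }
  return { bailout: false, value: x + 1 };
}

// Library initialisation written in JavaScript must clear the flag so its own
// code can run. The buggy variant forgets to put the flag back ...
function injectLibraryCodeBuggy(init) {
  engine.disableImplicitCalls = false;
  init();
}

// ... while the fixed variant saves the previous state and restores it, even
// if the initialisation code throws.
function injectLibraryCodeFixed(init) {
  const saved = engine.disableImplicitCalls;
  engine.disableImplicitCalls = false;
  try {
    init();
  } finally {
    engine.disableImplicitCalls = saved;
  }
}

// Models a JIT'd frame that owns a stack-allocated object: implicit calls are
// disabled for the frame's duration, library code gets injected lazily in the
// middle of the frame, then a guarded operation runs on attacker input.
function runJitFrame(inject) {
  engine.disableImplicitCalls = true;
  engine.implicitCallAttempted = false;
  const sink = { captured: false };

  inject(() => {
    // Builtin initialisation runs here as ordinary JavaScript.
  });

  const result = jitAdd(makeLeakyOperand(sink));
  engine.disableImplicitCalls = false; // frame exits
  return { bailedOut: result.bailout, leaked: sink.captured };
}

// runJitFrame(injectLibraryCodeBuggy) -> { bailedOut: false, leaked: true }
// runJitFrame(injectLibraryCodeFixed) -> { bailedOut: true,  leaked: false }
```

With the buggy helper the flag stays clear after injection, so the guarded addition calls valueOf inside the frame and the reference escapes; with the fixed helper the flag is restored, the engine records the attempted implicit call and bails out before any user code runs.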
