CVE-2018-8467 is one of the classic 'Type Confusion' bugs in the Microsoft Edge Chakra engine, and it was fixed by Microsoft several weeks ago. In this post, the team at FortiGuard Labs looks deeply into the Microsoft Edge Chakra engine assembly code to expose the root cause of this vulnerability and to explain the common exploitation pattern used by this kind of 'Type Confusion' bug.
We used the following PoC during our analysis.
All of the following assembly code was taken from chakra.dll version 11.00.14393.447. My added comments have been highlighted.
Part of the opt() function code generated by the JIT compiler:
The memory address of object arr is 0xf010280. You can observe the memory changes below.
When the function OP_SetElementI_JIT finishes, it returns to the JIT code:
Next, let's check the memory changes in object arr at address 0xf010280:
Accessing the object arr later causes memory corruption to occur: