Threat Research

An Analysis of Microsoft Edge Chakra JavascriptArray TypeId Handling Memory Corruption (CVE-2018-8467)

By Dehui Yin | October 19, 2018

The Javascript Type Confusion bug is a critical vulnerability that exists in many popular browsers. It causes memory corruption and can possibly be exploited to execute arbitrary code when a vulnerable system browses a malicious web page. A growing number of these type of confusion bugs in the Microsoft Chakra Engine have been disclosed and fixed by over the past recent months.

CVE-2018-8467 is one of the classic ‘Type Confusion’ bugs in the Microsoft Edge Chakra Engine that was fixed by Microsoft several weeks ago. In this post, the team at FortiGuard Labs looks deeply into the Microsoft Edge Chakra Engine assembly codes to expose the root cause of this vulnerability and figures out the common exploits used by this kind of ‘Type Confusion’.

This type confusion bug triggers the calling of JavascriptNativeFloatArray::ConvertToVarArray(). This function converts the JavascriptNativeFloatArray to JavascriptArray by setting a JavascriptNativeFloatArray member as a Dynamic object and then overwriting the TypeId field of the converted JavascriptArray. It does this using codes generated by the Chakra Just-In-Time(JIT) java compiler, which results in memory corruption when the TypeId field is accessed later.

We used the following PoC during our analysis. 

PoC:

All of the following assembly codes were taken from chakra.dll version 11.00.14393.447. My added comments have been highlighted.

A part of the opt() function codes generated by the JIT compiler: 

The function OP_SetElementI_JIT calls JavascriptNativeFloatArray::SetItem() to set the ‘method’ property as a Dynamic Object.

The memory address of object arr is 0xf010280. You can observe the memory changes below.

Before:

After:

When the function OP_SetElementI_JIT finishes, it returns to the JIT code:

Next, let's check the memory changes in object arr at address 0xf010280:

Before:

After:

Accessing the object arr later causes memory corruption to occur:

Solution:

Fortinet has released IPS signature MS.Edge.Chakra.JavascriptArray.TypeId.Memory.Corruption to address this vulnerability.

Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.