CVE-2018-0838 is one of the 'type confusion' bugs in the Chakra engine of Microsoft Edge that Microsoft fixed three months ago. The bug causes memory corruption and could potentially be exploited to execute arbitrary code when a vulnerable system browses a malicious web page with Microsoft Edge.
During our analysis we used the following PoC, which is based on information published by the Google Security Research Team.
All of the assembly code below was taken from chakra.dll version 11.00.14393.447. My added comments are highlighted.
Part of the opt() function code generated by the JIT compiler:
The object arr is located at memory address 0xfd50280. The memory changes can be observed below.
After the NewScObjectNoCtor function has been invoked, Chakra returns to the opt() function code:
Next, let's check the memory changes in the object arr at address 0xfd50280:
Accessing arr later then triggers the memory corruption: