Threat Research

An Analysis of Microsoft Edge Chakra NewScObjectNoCtor Array Type Confusion (CVE-2018-0838)

By Dehui Yin | May 18, 2018

CVE-2018-0838 is one of the ‘type confusion’ bugs in the Microsoft Edge Chakra Engine that was fixed by Microsoft three months ago. This bug causes memory corruption and can possibly be exploited to execute arbitrary code when a vulnerable system browses a malicious web page via Microsoft Edge.

This type confusion bug occurs when the codes generated by the Chakra just-in-time (JIT) java compiler change the property value of a newly converted JavascriptArray object without validation. In this post, the team at FortiGuard Labs looks deeply into the Microsoft Edge Chakra Engine assembly codes to expose the root cause of this vulnerability.

The Chakra just-in-time (JIT) java compiler generates the machine codes for the Javascript functions that are invoked multiple times for better performance. Under normal conditions, Chakra checks the value type before setting the property of a object in order to avoid a type confusion error; however, the machine codes generated by the Chakra just-in-time (JIT) java compiler don't perform the check and set the property value directly, which results in memory corruption when the property is accessed later. 

We used the following PoC, which is based on information published by the Google Security Research Team during our analysis.

PoC:

All the following assembly codes were taken from chakra.dll version 11.00.14393.447. My added comments have been highlighted.

A part of opt() function codes generated by JIT compiler: 

Looking into NewScObjectNoCtor, we can easily find that JavascriptNativeFloatArray::ConvertToVarArray is invoked to convert the JavascriptNativeFloatArray object(arr) to a JavascriptArray object. 

The memory address of object arr is 0xfd50280. You can observe the memory changes below.

Before:

After:

Let's check the JavascriptNumber object 0x111a7ff0 in the memory:

After invoking the NewScObjectNoCtor function, Chakra returns to the opt() function codes:

Next, let's check the memory changes in object arr at address 0xfd50280:

Accessing the arr[0] latter causes memory corruption to occur:

Fortinet released IPS signature MS.Edge.Chakra.NewScObjectNoCtor.Array.Type.Confusion to address this vulnerability.

 

Learn more and download the full Quarterly Threat Landscape report.

Also, sign up for the weekly FortiGuard Threat Intelligence Briefs or the FortiGuard Threat Intelligence Service