Microsoft fixed a use-after-free bug in the Edge Chakra engine in its May 2018 patch release. This bug (CVE-2018-0946) causes the Chakra engine to call into a freed function address, which can potentially be exploited to execute arbitrary code when a vulnerable system browses a malicious web page with Microsoft Edge.
This use-after-free bug occurs when the Chakra engine tries to execute the optimized function code generated by the just-in-time (JIT) compiler after that code has already been freed by closing the related script context. In this post, the team at FortiGuard Labs looks closely at the Microsoft Edge Chakra engine assembly code to expose the root cause of this vulnerability.
During our analysis we used the following PoC, which is based on information published by the Google Security Research Team.
Since this is a classic use-after-free vulnerability, we use the related functions to demonstrate the whole process of “Use,” “Free,” and “Use-After-Free.” All of the following assembly code was taken from chakra.dll version 11.00.14393.447. My added comments have been highlighted.
Let’s check the memory at address “0x0f2b5620”:
Let’s check the optimized function code at address “0x10e20000” in memory:
Secondly, “Free.” The Chakra engine closes the context of the iframe “f” when “f.src = 'about:blank';” is executed. The memory at “0x10e20000”, which holds the optimized function code, is freed when chakra!Memory::CustomHeap::Heap::DecommitAll is called.
“ntdll!NtFreeVirtualMemory” is called later to perform the actual free. Next, let’s check the stack and the call stack:
Now let’s check the memory changes:
chakra!Js::InterpreterStackFrame::OP_CallCommon is the function used by the Chakra engine to execute the optimized function code.
chakra!Js::InterpreterStackFrame::OP_CallCommon extracts the address of the optimized function code from the FunctionBody object and then executes the optimized function code:
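The following is an added, hypothetical C model of the two steps above (not Chakra code): a FunctionBody caches the entry point of JIT code that lives in a heap owned by the iframe's script context, DecommitAll frees that heap on context close, and OP_CallCommon later dispatches through the cached pointer. The model returns -1 where the real engine would jump into decommitted memory, and shows the invariant a fix must restore: cached entry points are invalidated when their heap is decommitted, so the call falls back to the interpreter.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of the CVE-2018-0946 pattern; names mirror the post but
   nothing here is Chakra's own code. */
typedef int (*entry_t)(int);

typedef struct {
    int ctx;            /* owning script context (the iframe's context) */
    entry_t jit_entry;  /* cached optimized entry point, NULL if none */
} function_body_t;

#define MAX_CTX 4
#define MAX_FN  8
static bool heap_committed[MAX_CTX];            /* JIT heap state per context */
static function_body_t *registry[MAX_CTX][MAX_FN]; /* bodies with code in each heap */
static size_t registry_len[MAX_CTX];

static int interpreter(int x) { return x * 2; }  /* fallback, never in the JIT heap */
static int jitted(int x)      { return x * 2; }  /* stands in for JIT heap code */

void context_open(int ctx) { heap_committed[ctx] = true; registry_len[ctx] = 0; }

/* The "Use" step: the JIT installs an optimized entry point in the FunctionBody. */
void function_jit(function_body_t *fb, int ctx) {
    fb->ctx = ctx;
    fb->jit_entry = jitted;
    registry[ctx][registry_len[ctx]++] = fb;
}

/* The "Free" step, modelling Heap::DecommitAll on context close. With
   invalidate=false the cached entry points outlive the heap (the bug). */
void context_close(int ctx, bool invalidate) {
    heap_committed[ctx] = false;
    if (invalidate)
        for (size_t i = 0; i < registry_len[ctx]; i++)
            registry[ctx][i]->jit_entry = NULL;
}

/* Models OP_CallCommon. Returns -1 instead of calling decommitted memory. */
int op_call_common(const function_body_t *fb, int arg) {
    if (fb->jit_entry != NULL) {
        if (!heap_committed[fb->ctx]) return -1;  /* would be use-after-free */
        return fb->jit_entry(arg);
    }
    return interpreter(arg);
}

/* Runs JIT, context close, then a call; returns the call result. */
int scenario(bool invalidate) {
    function_body_t fb;
    context_open(1);
    function_jit(&fb, 1);
    context_close(1, invalidate);
    return op_call_common(&fb, 21);
}
```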
Fortinet released IPS signature MS.Edge.Chakra.DataView.Object.Cross.Context.UAF to address this vulnerability.