Microsoft Edge Scripting Engine Memory Corruption Vulnerability

October 6, 2017

Microsoft Edge in Microsoft Windows 10 and Windows Server 2016 is prone to an arbitrary code execution vulnerability CVE-2017-8671. Due to an interger underflow bug in the process of JavaScript engines handling objects in the memory, an attacker could gain read/write access to the out-of-bound heap memory regions. When combined with advanced exploitation techniques, this vulnerability can allows arbitrary code execution with the privilege of the current user.

There are 2 special JavaScript objects involved in this vulnerability: the “Proxy” and “arguments”:

Proxy object is used to define custom behavior for fundamental operations (e.g. property lookup, assignment, enumeration, function invocation, etc).

For example, in the following code, the number 37 is returned as the default value when a non-exist property name is referenced:

 var handler = {     get: function(target, name) {         return name in target ?             target[name] :             37;     } };   var p = new Proxy({}, handler); p.a = 1;  console.log(p.a); // 1 console.log('b' in p, p.b); // false, 37  

The arguments object allows a function to access its parameters by sequence instead of names:

 function normal(a, b) {  //arguments[0] == a  //arguments[1] == b) } 

This vulnerability can be triggered by the following steps:

Initiate a new Proxy object, set Function.prototype.call as its target object:

 let call = new Proxy(Function.prototype.call, {});  // proxy calls set the flag  

Assign the call method of the Proxy object to a function, which read/write the arguments object. Such operations will cause a memory read/write error:

 function f() {     arguments[0] = "AAAA";	//write to out-of-bound memory address }   call.call(f); 

The root cause of this vulnerability is, during the initialization of the call() method, the JavaScript engine wrongly decresed the args.Info.Count property (which counts the number of arguments) one more time. When the number is decreased from 0 to -1, an interger underflow would happen, allowing the arguments[] array points outside the designated heap region and write attacker-controllable contents.

SonicWall IPS team has developed the following signature to identify and stop the attacks:

  • IPS 12985: Scripting Engine Memory Corruption Vulnerability (AUG 17) 3