Microsoft Edge Scripting Engine Memory Corruption Vulnerability

By

Microsoft Edge in Microsoft Windows 10 and Windows Server 2016 is prone to an arbitrary code execution vulnerability CVE-2017-8671. Due to an interger underflow bug in the process of JavaScript engines handling objects in the memory, an attacker could gain read/write access to the out-of-bound heap memory regions. When combined with advanced exploitation techniques, this vulnerability can allows arbitrary code execution with the privilege of the current user.

There are 2 special JavaScript objects involved in this vulnerability: the “Proxy” and “arguments”:

Proxy object is used to define custom behavior for fundamental operations (e.g. property lookup, assignment, enumeration, function invocation, etc).

For example, in the following code, the number 37 is returned as the default value when a non-exist property name is referenced:

 var handler = {     get: function(target, name) {         return name in target ?             target[name] :             37;     } };   var p = new Proxy({}, handler); p.a = 1;  console.log(p.a); // 1 console.log('b' in p, p.b); // false, 37  

The arguments object allows a function to access its parameters by sequence instead of names:

 function normal(a, b) {  //arguments[0] == a  //arguments[1] == b) } 

This vulnerability can be triggered by the following steps:

Initiate a new Proxy object, set Function.prototype.call as its target object:

 let call = new Proxy(Function.prototype.call, {});  // proxy calls set the flag  

Assign the call method of the Proxy object to a function, which read/write the arguments object. Such operations will cause a memory read/write error:

 function f() {     arguments[0] = "AAAA";	//write to out-of-bound memory address }   call.call(f); 

The root cause of this vulnerability is, during the initialization of the call() method, the JavaScript engine wrongly decresed the args.Info.Count property (which counts the number of arguments) one more time. When the number is decreased from 0 to -1, an interger underflow would happen, allowing the arguments[] array points outside the designated heap region and write attacker-controllable contents.

SonicWall IPS team has developed the following signature to identify and stop the attacks:

  • IPS 12985: Scripting Engine Memory Corruption Vulnerability (AUG 17) 3
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.