An Analysis of the Use-After-Free Bug in the Microsoft Edge Chakra Engine (CVE-2018-0946)

Microsoft fixed an use-after-free bug in the Edge Chakra Engine in the May 2018 Patch. This bug (CVE-2018-0946) causes the Chakra Engine to access a freed function address that can possibly be exploited to execute arbitrary code when a vulnerable system browses a malicious web page via Microsoft Edge.

This use-after-free bug occurs when the Chakra Engine tries to execute the optimized function code generated by the just-in-time (JIT) compiler, which has already been freed when closing the related context. In this post, the team at FortiGuard Labs looks deeply into the Microsoft Edge Chakra Engine assembly codes to expose the root cause of this vulnerability.

The access to the Javascript objects across different contexts is always controlled by the CrossSite class; however, it lacks checking when the object of a DataView class accesses the optimized function code generated by the Chakra just-in-time (JIT) compiler in another context. If the object accesses freed function code after the related context is closed, an access violation occurs and arbitrary codes may be executed if the freed function address has been overwritten by the other function code generated by the JIT compiler.

We used the following PoC, which is based on information published by the Google Security Research Team during our analysis. 

Since this is a classic user-after-free vulnerability, we used the related functions to demonstrate the whole process of “Use,” ”Free,” and “Use-After-Free.” All the following assembly codes were taken from chakra.dll version 11.00.14393.447. My added comments have been highlighted.

Firstly, “Use.” The Chakra engine stores the address of the optimized function code into the global property “opt” when executing the script “let opt = buffer.opt;”. The Javascript object is referred as a property of the global object by the Chakra engine. “PropertyId,” an int32 type value, is used to retrieve the property.

Let’s check the memory at address “0x0f2b5620”:

“0x0f2b5620” is a ScriptFunction object, which is used by Chakra to store the information about the Javascript function “opt(). We can easily find out that it includes a FunctionBody object(“0xfb70360”) from the above code. The first field of the FunctionBody object is the address of the optimized function code: 

Let’s check the optimized function code at address “0x10e20000” in memory:

Secondly, ”Free.” The Chakra engine closes the context of the iframe “f” when “f.src = ‘about:blank’;” is executed. The memory at “0x10e20000”, which is the optimized function code, is freed when chakra!Memory::CustomHeap::Heap::DecommitAll is called.

“ntdll!NtFreeVirtualMemory” is called later to perform the actual free. Next, let’s check the stack and the call stack:

Now let’s check the memory changes:



Finally, “Use-After-Free.” The address of the optimized function code is retrieved from the global property “opt” and the code is executed when “let obj = opt();” is executed. chakra!Js::JavascriptOperators::PatchGetMethodFromObject is used to extract the address of the optimized function code from the global property “opt”.

chakra!Js::RootObjectBase::GetRootProperty is called by  chakra!Js::JavascriptOperators::GetPropertyReference_Internal later in order to grab the global property from the global object by using the PropertyId.

After getting the ScriptFunction object from the global property “opt”, the Chakra engine goes back to chakra!Js::JavascriptOperators::PatchGetMethodFromObject:

chakra!Js::InterpreterStackFrame::OP_CallCommon is the function used by the Chakra engine to execute the optimized function code. 

chakra!Js::InterpreterStackFrame::OP_CallCommon extracts the address of the optimized function code from the FunctionBody object and then executes the optimized function code:

Fortinet released IPS signature MS.Edge.Chakra.DataView.Object.Cross.Context.UAF to address this vulnerability.


Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.

*** This is a Security Bloggers Network syndicated blog from Fortinet All Blogs authored by Fortinet All Blogs. Read the original post at: