Demo Exploit Code Published for Remote Code Execution via Microsoft Edge

Exploit code demonstrating a memory corruption bug in Microsoft’s Edge web browser has been published today by the researcher that discovered and reported the vulnerability in the first place. The code can lead to remote code execution on unpatched machines.

The security bug affects Chakra, the JavaScript engine powering Edge, in a way that could allow an attacker to run on the machine arbitrary code with the same privileges as the logged user.

Reported by Bruno Keith of the phoenhex team of vulnerability researchers, the flaw has been marked as having a critical impact by Microsoft on most operating systems it affects. The only systems where it has ‘moderate’ severity are Windows server editions 2019 and 2016.

The proof-of-concept code has 71 lines and results in an out-of-bounds (OOB) memory read leak; the effect may not appear that damaging but an attacker can modify the demo exploit to achieve a more harmful outcome.

I published the PoC for CVE-2018-8629: a JIT bug in Chakra fixed in the latest security updates. It resulted in an (almost) unbounded relative R/W
— Bruno @ C3 (@bkth_) December 27, 2018

“Chakra failed to insert value compensation which causes the headSegmentsym to be reloaded but not the headSegmentLength sym, we, therefore, accessed the new buffer with the wrong length checked,” explains a comment in the demo code.
Unpatched systems at risk

There are multiple scenarios where an adversary could see the exploit code pay off, as it would give them complete control over installing programs, viewing, changing, or deleting data, or to create new user accounts with administrative rights.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website,” Microsoft notes in its advisory this month.

Adversaries could also use a different approach to infect user computers: placing the exploit code in a location the user is likely to access, such as a website or advertisements, can do the trick just as good, the company added.

MIcrosoft addressed the issue in the December security updates for Windows. This does not mean that users are all protected, though. Some may not have the update mechanism turned on or postpone installing the updates to a convenient time, while others may depend on a system administrator to install them on their system.