Headline
CVE-2023-43338: Function Pointer Hijack mjs/mjs.c in mjs_execute · Issue #250 · cesanta/mjs
Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input.
Function Pointer Hijack mjs/mjs.c in mjs_execute

Affected Projects
mjs 2.20.0 (https://github.com/cesanta/mjs)
Problem Type
CWE-822 (Untrusted Pointer Dereference)
Description
I discovered a vulnerability that could potentially lead to function pointer hijacking. I believe this is a logical vulnerability since it does not trigger any out-of-bounds (OOB) or use-after-free (UAF) assertions when compiled with AddressSanitizer. An attacker can exploit this vulnerability by providing a specially crafted input to the affected program, leading to the execution of arbitrary code.
The function pointer hijack happens in mjs.c at line 8824, where the pointer extracted from the value by mjs_get_ptr() is cast to a C function pointer and called without being validated:

```c
call_stack_push_frame(mjs, bp.start_idx + i, retval_stack_idx);
/* Perform the cfunction call */
((void (*) (struct mjs *)) mjs_get_ptr(mjs, *func))(mjs);
call_stack_restore_frame(mjs);
```
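The defensive check a practitioner would want at that call site, shown as an added example against a hypothetical stand-in for the interpreter (this is not mjs code, and `struct vm`, `cfunc_t`, `vm_register`, `call_unchecked`, `call_checked` and `demo_vm` are all assumed names): the unchecked dispatch that calls whatever the value decodes to, beside a hardened dispatch that only calls pointers the embedder registered.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in (not mjs code) for an interpreter whose values can
 * carry a raw pointer, as mjs_get_ptr() yields for a cfunction value. */
typedef void (*cfunc_t)(void *vm);

struct vm {
    cfunc_t registered[8];  /* allow-list of host functions exposed to scripts */
    size_t nregistered;
    int last_called;        /* observable side effect for the example */
};

/* A host function the embedder deliberately exposes to scripts. */
static void host_exit(void *vm) { ((struct vm *)vm)->last_called = 2; }
/* A function a script must never reach through a forged pointer value. */
static void not_exported(void *vm) { ((struct vm *)vm)->last_called = 99; }

static int vm_register(struct vm *vm, cfunc_t f) {
    if (vm->nregistered >= sizeof vm->registered / sizeof vm->registered[0]) return -1;
    vm->registered[vm->nregistered++] = f;
    return 0;
}

/* Unchecked dispatch, the pattern in the report: call whatever the value decodes to. */
static int call_unchecked(struct vm *vm, uintptr_t raw) {
    ((cfunc_t)raw)(vm);  /* untrusted pointer dereference (CWE-822) */
    return 0;
}

/* Hardened dispatch: only call through an entry of the embedder's own table. */
static int call_checked(struct vm *vm, uintptr_t raw) {
    for (size_t i = 0; i < vm->nregistered; i++) {
        if (vm->registered[i] == (cfunc_t)raw) {
            vm->registered[i](vm);  /* call via the trusted table entry */
            return 0;
        }
    }
    return -1;  /* reject: not a registered host function */
}

/* Fresh VM with only host_exit registered (constructed for the example). */
static struct vm *demo_vm(void) {
    static struct vm vm;
    vm.nregistered = 0;
    vm.last_called = 0;
    vm_register(&vm, host_exit);
    return &vm;
}
```

With the checked path a forged pointer is rejected instead of executed; the unchecked path reaches `not_exported` exactly as the report describes for mjs_execute.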
PoC:

Log:

```console
$ clang -g -O2 -o mjs mjs.c -DMJS_MAIN
$ ./mjs poc.js
Illegal instruction
```