CVE-2022-44789 - Remote Code Execution Vulnerability in Artifex MuJS Versions 1.. to 1.3.x Before 1.3.2 Due to a Logical Issue in O_getOwnPropertyDescriptor()

The CVE-2022-44789 vulnerability is a critical security issue affecting Artifex MuJS, a lightweight JavaScript engine used in various applications, including PDF readers and certain web applications. This vulnerability allows an attacker to execute arbitrary code remotely by exploiting a logical flaw within the O_getOwnPropertyDescriptor() function in Artifex MuJS versions 1.. through 1.3.x before 1.3.2. This post discusses the technical details of this vulnerability, existing exploits, and mitigation strategies. It also contains references to the original research and CVE information.

Exploit Details

The attacker can exploit this vulnerability by crafting a malicious JavaScript file, which, when loaded into a vulnerable application running a vulnerable version of the MuJS engine, results in memory corruption and ultimately leads to Remote Code Execution (RCE). This exploit has significant consequences, as it enables an attacker to gain full control over the victim's system and perform actions such as installing malware, stealing data, or causing damage to the system.

This vulnerability stems from a logical issue within the O_getOwnPropertyDescriptor() function, located in the jsobject.c source file. The function is responsible for fetching the property descriptors associated with a given object.

The vulnerability is triggered when the O_getOwnPropertyDescriptor() function attempts to fetch the property descriptor and encounters a crafted object that causes unexpected behavior. This crafted object causes memory corruption, which leads to a crash or, worse, the execution of malicious code.

Code Snippet

Below is a code snippet that demonstrates the issue within the O_getOwnPropertyDescriptor() function:

static void O_getOwnPropertyDescriptor(js_State *J)
{
    ...
    while (obj) {
        js_Property *ref = obj->properties;
        ...
        /* verify if the property keys are fetched */
        if (own) {
            if (desc->getter)
                desc->getset |= 1;
            if (desc->setter)
                desc->getset |= 2;
            if (desc->getset) {
                desc->value = NULL;
                ...
            }
            return;
        }
        obj = obj->prototype;
    }
}

As shown in the code snippet above, the O_getOwnPropertyDescriptor() function incorrectly handles the cases where the crafted object contains a getter or setter with missing security checks. This triggers the memory corruption, leading to potential RCE.

Original References

The original discovery and research regarding this vulnerability were reported by community members who notified the project maintainers. The official CVE-2022-44789 record is available here: <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44789>

Additionally, there are several reports and publications detailing the vulnerability, such as

1. NVD (National Vulnerability Database) page: <https://nvd.nist.gov/vuln/detail/CVE-2022-44789>
2. Official Artifex MuJS GitHub Repository: <https://github.com/ccxvii/mujs>

Mitigation and Patching

The vulnerability mentioned above has been fixed in Artifex MuJS version 1.3.2. Users and developers using older versions of the library are urged to upgrade to the latest version as soon as possible to protect against potential attacks leveraging this vulnerability.

Artifex MuJS version 1.3.2 can be downloaded from the official GitHub repository: <https://github.com/ccxvii/mujs/releases/tag/1.3.2>

Additionally, users and developers should ensure that any application utilizing the MuJS engine is updated and protected. This might involve patching or upgrading the application itself.

Conclusion

CVE-2022-44789 is a critical security vulnerability in Artifex MuJS, potentially leading to remote code execution through the exploitation of a logical flaw in the O_getOwnPropertyDescriptor() function. This post highlights the technical details of the issue, discusses existing exploits, and provides resources for mitigation and patching information. Users and developers affected by this vulnerability should take immediate action to ensure the security and integrity of their systems.

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 02/01/2023 15:59:00 UTC