Lucene search
Google Security ResearchEDB-ID:42092HistoryMay 30, 2017 - 12:00 a.m.
Microsoft MsMpEng - Use-After-Free via Saved Callers
2017-05-3000:00:00
Google Security Research
www.exploit-db.com
38
AI Score
7.4
Confidence
Low
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259
In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState object(rcx+158h in 64-bit). But the garbage collector doesn't mark this saved value. So it results in a UAF.
Unlike in our test environment(Linux), it doesn't make reliable crashes on Windows. So I used another bug(#1258) to confirm the bug. If the UAF bug doesn't exist, the "crash" function will not be called(See poc.js).
The password of the zip file is "calleruaf"
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42092.zipRelated
checkpoint_advisories
checkpoint_advisories
Microsoft Malware Protection Engine Remote Code Execution (CVE-2017-8541)
2017-05-29 00:00:00
mscve
mscve
Microsoft Malware Protection Engine Remote Code Execution Vulnerability
2017-05-25 07:00:00
zdt
zdt
Microsoft MsMpEng - Use-After-Free via Saved Callers Exploit
2017-05-31 00:00:00
cvelist
cvelist
cve
cve
attackerkb
attackerkb
prion
prion
Remote code execution
2017-05-26 20:29:00
Remote code execution
2017-05-26 20:29:00
Remote code execution
2017-05-26 20:29:00
nvd
nvd
openvas
openvas
kaspersky
kaspersky
KLA11840 Multiple vulnerabilities in Microsoft System Center
2017-05-25 00:00:00
KLA11839 Multiple vulnerabilities in Microsoft Exchange Server
2017-05-25 00:00:00
KLA11029 Multiple vulnerabilities in the Microsoft Malware Protection Engine
2017-05-09 00:00:00
nessus
nessus
Microsoft Malware Protection Engine < 1.1.13804 Multiple Vulnerabilities
2017-05-31 00:00:00