Open Source and information security mailing list archives
Message-ID: <9d965d98-37dd-1b68-5279-4ab358e4d4e3@nwever.nl>
Date: Wed, 16 Nov 2016 09:51:28 +0100
From: Berend-Jan Wever <berendj@...ver.nl>
To: fulldisclosure@...lists.org, Bugtraq <bugtraq@...urityfocus.com>
Subject: CVE-2015-2482 MSIE 8 jscript RegExpBase::FBadHeader use-after-free details

Throughout November, I plan to release details on vulnerabilities I found in web-browsers which I've not released before. This is the twelfth entry in that series. Unfortunately I won't be able to publish everything within one month at the current rate, so I may continue to publish these through December and January.

The below information is available in more detail on my blog at http://blog.skylined.nl/20161116001.html. Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 8 jscript RegExpBase::FBadHeader use-after-free
====================================================
(MS15-018, CVE-2015-2482)

Synopsis
--------
A specially crafted web-page can cause the Javascript engine of Microsoft Internet Explorer 8 to free memory used for a string. The code will keep a reference to the string and can be forced to reuse it when compiling a regular expression.

Known affected software, attack vectors and mitigations
-------------------------------------------------------
* Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.

Description
-----------
Recompiling the regular expression pattern during a replace can cause the code to reuse a freed string, but only if the string is freed from the cache by allocating and freeing a number of strings of certain size, as explained by Alexander Sotirov in his Heap Feng-Shui presentation.

Exploit
-------
Exploitation was not investigated.

Time-line
---------
* *March 2015*: This vulnerability was found through fuzzing.
* *March 2015*: This vulnerability was submitted to ZDI.
* *April 2015*: This vulnerability was acquired by ZDI.
* *October 2015*: Microsoft addressed this issue in MS15-018.
* *November 2016*: Details of this issue are released.

Cheers,

SkyLined