lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9d965d98-37dd-1b68-5279-4ab358e4d4e3@nwever.nl>
Date: Wed, 16 Nov 2016 09:51:28 +0100
From: Berend-Jan Wever <berendj@...ver.nl>
To: fulldisclosure@...lists.org, Bugtraq <bugtraq@...urityfocus.com>
Subject: CVE-2015-2482 MSIE 8 jscript RegExpBase::FBadHeader use-after-free
 details

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
twelfth entry in that series. Unfortunately I won't be able to publish
everything within one month at the current rate, so I may continue to
publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161116001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 8 jscript RegExpBase::FBadHeader use-after-free
====================================================
(MS15-018, CVE-2015-2482)

Synopsis
--------
A specially crafted web-page can cause the Javascript engine of
Microsoft Internet Explorer 8 to free memory used for a string. The code
will keep a reference to the string and can be forced to reuse it when
compiling a regular expression.

Known affected software, attack vectors and mitigations
-------------------------------------------------------
* Microsoft Internet Explorer 8
  An attacker would need to get a target user to open a specially
  crafted web-page. Disabling Javascript should prevent an attacker
  from triggering the vulnerable code path.

Description
-----------
Recompiling the regular expression pattern during a replace can cause
the code to reuse a freed string, but only if the string is freed from
the cache by allocating and freeing a number of strings of certain size,
as explained by Alexander Sotirov in his Heap Feng-Shui presentation.

Exploit
-------
Exploitation was not investigated.

Time-line
---------
* *March 2015*: This vulnerability was found through fuzzing.
* *March 2015*: This vulnerability was submitted to ZDI.
* *April 2015*: This vulnerability was acquired by ZDI.
* *October 2015*: Microsoft addressed this issue in MS15-018.
* *November 2016*: Details of this issue are released.

Cheers,

SkyLined

Download attachment "0x2557C5AA.asc" of type "application/pgp-keys" (2036 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists