
Microsoft Edge Scripting Engine Memory Corruption Vulnerability

Microsoft Edge in Microsoft Windows 10 and Windows Server 2016 is prone to an arbitrary code execution vulnerability, CVE-2017-8671. Due to an integer underflow bug in how the JavaScript engine handles objects in memory, an attacker could gain read/write access to out-of-bounds heap memory regions. When combined with advanced exploitation techniques, this vulnerability allows arbitrary code execution with the privileges of the current user.

There are two special JavaScript objects involved in this vulnerability: the "Proxy" object and the "arguments" object.

The Proxy object is used to define custom behavior for fundamental operations (e.g. property lookup, assignment, enumeration, function invocation).

For example, in the following code, the number 37 is returned as the default value when a non-existent property name is referenced:

    var handler = {
        get: function(target, name) {
            return name in target ? target[name] : 37;
        }
    };

    var p = new Proxy({}, handler);
    p.a = 1;
    console.log(p.a);           // 1
    console.log('b' in p, p.b); // false, 37

The arguments object allows a function to access its parameters by position instead of by name:

    function normal(a, b) {
        // arguments[0] == a
        // arguments[1] == b
    }

This vulnerability can be triggered by the following steps:

Create a new Proxy object with Function.prototype.call as its target object:

    let call = new Proxy(Function.prototype.call, {});  // proxy calls set the flag

Invoke the call method of the Proxy object with a function that reads or writes its arguments object. Those reads and writes will cause a memory read/write error:

    function f() {
        arguments[0] = "AAAA";  // write to out-of-bound memory address
    }

    call.call(f);
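To make the trigger easier to reason about, the following added example (not code from the SonicAlert post) shows what `call.call(f)` resolves to in a spec-compliant engine. The handler here carries an `apply` trap purely to record the forwarded call; the post's own trigger uses an empty handler. Assumed names (`trace`, `run`, the result fields) are this example's own. Run it in Node.js or a browser console:

```javascript
// Added example: what a correct engine does for call.call(f).
// Record every [[Call]] that goes through the proxy, to show that the proxy
// forwards to Function.prototype.call with `this` bound to f and no arguments.
const trace = [];
const call = new Proxy(Function.prototype.call, {
  apply(target, thisArg, argList) {
    trace.push({ thisArg, argCount: argList.length });
    return Reflect.apply(target, thisArg, argList);
  },
});

// f inspects its own arguments object and reports what a correct engine does
// when the vulnerable step writes to arguments[0] of a zero-argument call.
function f() {
  const before = arguments.length;    // 0: f was invoked with no arguments
  arguments[0] = "AAAA";              // correct engine: just an own property on the object
  return {
    lengthBefore: before,
    lengthAfter: arguments.length,    // still 0: length is not recomputed from indices
    slot0: arguments[0],              // "AAAA", held by the object, not a heap slot
    ownKeys: Object.keys(arguments),  // ["0"]
  };
}

function run() {
  trace.length = 0;
  // call.call resolves (through the proxy) to Function.prototype.call, which is
  // then invoked with this === proxy and args [f]. Function.prototype.call in turn
  // calls the proxy with thisArg === f and an empty argument list, so f runs with
  // zero arguments. The engine's argument count for f should therefore be 0.
  const result = call.call(f);
  return {
    result,
    proxiedThisIsF: trace.length === 1 && trace[0].thisArg === f,
    proxiedArgCount: trace.length === 1 ? trace[0].argCount : -1,
  };
}
```

The point of comparison: a correct engine gives f an argument count of 0 and treats `arguments[0] = "AAAA"` as an ordinary property store. The vulnerable engine, as described below, ends up with a count that has been decremented once too often, so the same store is no longer confined to the arguments object.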

The root cause of this vulnerability is that, during the initialization of the call() method, the JavaScript engine wrongly decreases the args.Info.Count property (which counts the number of arguments) one more time than it should. When the count is decreased from 0 to -1, an integer underflow occurs, so the arguments[] array points outside its designated heap region and attacker-controllable contents can be written there.
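The following added model (not ChakraCore source, and not code from the SonicAlert post) illustrates why one extra decrement of a count that is already 0 defeats a bounds check. It assumes the count is held in an unsigned 32-bit field, so the -1 the post describes becomes 0xFFFFFFFF; `ArgsStore`, `decrementUnchecked`, `decrementChecked`, `accepts`, `write` and `demonstrate` are this model's own names, and the backing array stands in for the designated heap region:

```javascript
// Added model of the bug class: a store whose bounds check trusts a uint32 count.
class ArgsStore {
  constructor(values) {
    this.slots = values.slice();        // stands in for the designated heap region
    this.count = values.length >>> 0;   // models args.Info.Count as an unsigned 32-bit field
  }

  // Vulnerable decrement: unsigned wrap-around, 0 becomes 0xFFFFFFFF (4294967295).
  decrementUnchecked() {
    this.count = (this.count - 1) >>> 0;
    return this.count;
  }

  // Hardened decrement: never let the count fall below zero.
  decrementChecked() {
    if (this.count === 0) throw new RangeError("argument count is already 0");
    this.count -= 1;
    return this.count;
  }

  // The bounds check a store relies on before touching slot memory.
  accepts(index) {
    return (index >>> 0) < this.count;
  }

  // Simulated write: reports whether the write would land outside the real slots.
  write(index, value) {
    if (!this.accepts(index)) return "rejected";
    if (index >= this.slots.length) return "out-of-bounds";
    this.slots[index] = value;
    return "ok";
  }
}

function demonstrate() {
  // Model of call.call(f): after the legitimate decrement that strips the thisArg
  // slot, f's argument count is 0 because f was invoked with no arguments.
  const vulnerable = new ArgsStore([]);
  vulnerable.decrementUnchecked();   // the extra, wrong decrement: 0 wraps to 0xFFFFFFFF
  const wrapped = {
    count: vulnerable.count,                       // 4294967295
    write0: vulnerable.write(0, "AAAA"),           // passes the check, lands out of bounds
    write1000: vulnerable.write(1000, "AAAA"),     // any index below 0xFFFFFFFF passes
  };

  // Same sequence with the checked decrement: the underflow is refused and the
  // store keeps rejecting every index, because the count stays at 0.
  const fixed = new ArgsStore([]);
  let underflowRefused = false;
  try {
    fixed.decrementChecked();
  } catch (e) {
    underflowRefused = e instanceof RangeError;
  }
  return {
    wrapped,
    underflowRefused,                       // true
    fixedWrite0: fixed.write(0, "AAAA"),    // "rejected"
  };
}
```

The model makes the mechanism visible without any engine internals: once the count wraps, the comparison `index < count` is true for practically every index, so the bounds check that was supposed to confine `arguments[i]` to the real slots no longer constrains anything. The fix in the model is the usual one for unsigned counters, refusing the decrement at zero rather than trusting the result.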

The SonicWall IPS team has developed the following signature to identify and stop attacks:

  • IPS 12985: Scripting Engine Memory Corruption Vulnerability (AUG 17) 3

Microsoft Security Updates Coverage

SonicWall has analyzed and addressed the August 2017 Microsoft Security Updates. The list of issues reported, along with SonicWall coverage information, is as follows:

  • CVE-2017-0174 Windows NetBIOS Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0250 Microsoft JET Database Engine Remote Code Execution Vulnerability
    Anti-Spyware:1541 Malformed-File mdb.MP.1
  • CVE-2017-0293 Windows PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8503 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8516 Microsoft SQL Server Analysis Services Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8591 Windows IME Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8593 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8620 Windows Search Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8622 Windows Subsystem for Linux Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8623 Windows Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8624 Windows CLFS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8625 Internet Explorer Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8627 Windows Subsystem for Linux Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8633 Windows Error Reporting Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8634 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8635 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8636 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8637 Scripting Engine Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8638 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8639 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8640 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8641 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8642 Microsoft Edge Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8644 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8645 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8646 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8647 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8650 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8651 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8652 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8653 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8654 Microsoft Office SharePoint XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8655 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8656 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8657 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8659 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8661 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8662 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8664 Windows Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8666 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8668 Volume Manager Extension Driver Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8669 Microsoft Browser Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8670 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8671 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8672 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8673 Windows Remote Desktop Protocol Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8674 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8691 Express Compressed Fonts Remote Code Execution Vulnerability
    There are no known exploits in the wild.