Issue 1673

Issue metadata

Status: Duplicate
Merged: issue 1668
Closed: Oct 8


VBScript: reference leak in ReDim

Project Member Reported by ifratric@google.com, Sep 26

Issue description

This issue is quite similar to https://bugs.chromium.org/p/project-zero/issues/detail?id=1668. However, since the reference leak happens in a different function, I'm filing it as a separate issue.

During a call to ReDim, it is possible that an attacker-controlled destructor will be called, which can set another value to the variable being ReDim'd. Once the destructor returns, the reference to the newly set variable will be lost without decrementing the corresponding reference counter.

See the attached PoC for details. The same principle can be used to increment the reference count over 2^32 and turn the issue into a use-after-free. I have not developed a full PoC for this issue, so if needed please see MSRC Case 47706 for an example on turning a similar reference leak into a use-after-free.



This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Attachment: leak2.html (544 bytes)
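The re-entrancy pattern the report describes, as a constructed toy model added here (this is neither the VBScript engine's code nor the attached PoC): a refcounted variable store whose ReDim-like operation triggers a destructor that re-assigns the same variable. The leaking ordering is shown beside a corrected one that re-reads the slot after the destructor returns and releases whatever it finds there.

```python
"""Toy refcount model of the ReDim destructor re-entrancy (constructed)."""
from typing import Callable, Optional


class Value:
    def __init__(self, name: str, on_destroy: Optional[Callable[[], None]] = None):
        self.name, self.refcount, self.on_destroy = name, 0, on_destroy


class Engine:
    def __init__(self) -> None:
        self.vars: dict[str, Optional[Value]] = {}
        self.live: set[str] = set()           # values not yet destroyed

    def new_value(self, name: str, on_destroy=None) -> Value:
        self.live.add(name)
        return Value(name, on_destroy)

    def release(self, v: Value) -> None:
        v.refcount -= 1
        if v.refcount == 0:                   # destructor runs here, re-entrantly
            self.live.discard(v.name)
            if v.on_destroy:
                v.on_destroy()

    def assign(self, var: str, v: Optional[Value]) -> None:
        old = self.vars.get(var)
        if v:
            v.refcount += 1
        self.vars[var] = v
        if old:
            self.release(old)

    def redim_buggy(self, var: str, new_array: Value) -> None:
        old = self.vars.get(var)
        self.vars[var] = None
        if old:
            self.release(old)                 # destructor may store a value in var
        new_array.refcount += 1
        self.vars[var] = new_array            # overwrites that value: its ref leaks

    def redim_fixed(self, var: str, new_array: Value) -> None:
        old = self.vars.get(var)
        self.vars[var] = None
        if old:
            self.release(old)
        new_array.refcount += 1
        cur = self.vars.get(var)              # re-read after the destructor returned
        self.vars[var] = new_array
        if cur:
            self.release(cur)                 # drop the reference the destructor stored


def run(redim_name: str) -> tuple[int, list[str]]:
    """ReDim a variable whose value's destructor re-assigns it, then clear it.
    Returns (refcount of the destructor-stored value, values still live)."""
    eng = Engine()
    other = eng.new_value("other")
    first = eng.new_value("first", on_destroy=lambda: eng.assign("arr", other))
    eng.assign("arr", first)
    getattr(eng, redim_name)("arr", eng.new_value("resized"))
    eng.assign("arr", None)                   # everything should now be freed
    return other.refcount, sorted(eng.live)
```

With `redim_buggy` the value stored by the destructor keeps a refcount of 1 with no variable holding it, which is the leaked reference the report describes; `redim_fixed` frees it.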
Comment 1 by ifratric@google.com (Project Member), Oct 8

Mergedinto: 1668
Status: Duplicate (was: New)
Microsoft replied that they are considering this issue a duplicate of a similar issue in VbsErase
Comment 2 by ifratric@google.com (Project Member), Dec 19

Labels: -Restrict-View-Commit