Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the fifth
entry in that series.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161107001.html. There you can find a repro
that triggered this issue in addition to the information below as well
as a Proof-of-Concept exploit.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

VBScript CRegExp::Execute use of uninitialized memory
=====================================================
https://technet.microsoft.com/en-us/library/security/MS14-080
https://technet.microsoft.com/en-us/library/security/MS14-084
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6363

Synopsis
--------
A specially craft script can cause the VBScript engine to access data
before initializing it. An attacker that is able to run such a script in
any application that embeds the VBScript engine may be able to control
execution flow and execute arbitrary code. This includes all versions of
Microsoft Internet Explorer.

Known affected versions, attack vectors and mitigations
-------------------------------------------------------
* vbscript.dll
  The issue affects versions 5.6 through 5.8 and both the 32- and 64-bit
  vbscript.dll binaries.

* Windows Script Host
  VBScript can be executed in the command line using cscript.exe/
  wscript.exe. An attacker would need to find a script running on a
  target machine that accepts an attacker supplied regular expression
  and a string, or be able to execute his/her own script. However,
  since the later should already provide an attacker with arbitrary
  code execution, no additional privileges are gained by exploiting
  this vuln.

* Microsoft Internet Explorer
  VBScript can be executed from a webpage; MSIE 8, 9, 10 and 11 were
  tested and are all affected. MSIE 11 requires a META tag to force it
  to render the page as an earlier version, as MSIE 11 attempts to
  deprecate vbscript (but fails, so why bother?).
  An attacker would need to get a target user to open a specially
  crafted webpage. Disabling scripting, particularly VBScript, should
  prevent an attacker from triggering the vulnerable code path.
  Enabling *Enhanced Protected Mode* appears to disable VBScript on my
  systems, but I have been unable to find documentation online that
  confirms this is by design.

* Internet Information Server (IIS)
  If Active Server Pages (ASP) are enabled, VBScript can be executed in
  Active Server Pages. An attacker would need to find an asp page that
  accepts an attacker supplied regular expression and a string, or be
  able to inject VBScript into an ASP page in order to trigger the
  vulnerability.

Description
-----------
During normal operation, when you execute the `RegExp.Execute` method
from `VBScript` the code in vbscript.dll executes the `CRegExp::Execute`
function. This function creates a `CMatch` object for each match found,
and stores pointers for all of these `CMatch` objects in a singly linked
list of `CMatchBlock` structures (Note: the vbscript.dll symbols do not
provide a name for this structure, so I gave it this name). Each
`CMatchBlock` structure can store up to 16 such pointers, as well as a
pointer to the next `CMatchBlock`. This
last pointer is NULL unless all pointers in the `CMatchBlock` object are
in use and more storage is needed, in which case a new `CMatchBlock`
object is created and a link to the new object is added to the last one
in the list. The code counts how many matches it has found so far, and
this corresponds to the number of `CMatch` objects it has allocated.

When an error occurs in this part of the code, the error handling code
will try to clean up and free all `CMatchBlock` structures created
before the error occurred. To do this, it walks the linked list of
`CMatchBlock` structures and for each structure, release each `CMatch`
object in the structure. All `CMatchBlock` structures except the last
one should have 16 such pointers, the last `CMatchBlock` structure can
have 1-16, depending on how many matches where found in total. This
appears to have been designed to count how many `CMatch` objects it has
yet to free. This counter is initialized to the number of matches found
before the error occurred and should be decremented whenever the code
frees a `CMatch` object, so the code can determine how many `CMatch`
object are in the last `CMatchBlock` structure. However, this code
neglects to decrement this counter. This causes the code to assume all
`CMatchBlock` structures have 16 `CMatch` object pointers if there were
more than 16 matches in total, and attempt to release 16 `CMatch`
objects from the last `CMatchBlock` structure, even if less than 16
pointers to `CMatch` objects were stored there. This results in the code
using uninitialized memory as a pointer to an object on which it
attempts to call the `Release` method.

Timeline
--------
* March 2014: This vulnerability was found through fuzzing.
* March/April 2014: This vulnerability was submitted to ZDI and
  iDefense.
* May 2014: The vulnerability was acquired by iDefense.
* June 2014: The vulnerability was reported to Microsoft by iDefense.
* December 2014: The vulnerability was address by Microsoft in MS14-080
  and MS14-084.
* November 2016: Details of this issue are released.

Cheers,

SkyLined

Repro.vbs

Set oRegExp = New RegExp
oRegExp.Pattern = "A|()*?$"
oRegExp.Global = True
oRegExp.Execute(String(&H11, "A") & "x")

Repro.html

<html>
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=10">
    <script language="VBScript">
      Set oRegExp = New RegExp
      oRegExp.Pattern = "A|()*?$"
      oRegExp.Global = True
      oRegExp.Execute(String(&H11, "A") & "x")
    </script>
  </head>
</html>

Repro.asp

<%
Set oRegExp = New RegExp
oRegExp.Pattern = "A|()*?$"
oRegExp.Global = True
oRegExp.Execute(String(&H11, "A") & "x")
%>