VBScript Engine Use-After-Free Vulnerability : CVE-2018-8373

A use-after-free (UAF) vulnerability has been discovered in the Windows VBScript engine. Upon successful exploitation, an attacker can achieve remote code execution on the target. CVE-2018-8373 has been assigned to track this vulnerability; like CVE-2018-8174, it is being exploited in the wild. The issue affects Internet Explorer 9-11 unless VBScript is disabled by default. Microsoft has addressed this issue in the August 2018 patch release.

This vulnerability is similar to CVE-2014-6332, another VBScript engine vulnerability in which rendering a resized array causes an error; in that case the crash occurs due to an integer overflow.

Vulnerability
As mentioned earlier, the issue is a UAF vulnerability: the address of an array element is freed when the array is resized and can be reused later. To better understand the vulnerability we will walk through the PoC below.

'PoC by Trend Micro Security Research
Class MyClass
	Dim array()
	
	' Runs automatically when the object is created: array gets indices 0..2
	Private Sub Class_Initialize
		ReDim array(2)
	End Sub
	
	' Default property: invoked implicitly when 'cls' is used as a value
	Public Default Property Get P
		Redim Preserve array(1)   ' shrinks the array, freeing the storage behind array(2)
	End Property
End Class

Set cls = New MyClass
cls.array(2) = cls   ' element address is taken first, then Get P frees it, then the write hits freed memory

When object 'cls' is created, 'Class_Initialize' is called automatically; it is a deprecated built-in constructor. The overloaded function reallocates storage space for class member 'array' to 2. The statement 'cls.array(2) = cls' triggers a series of function calls in the VBScript engine. Function vbscript!AccessArray obtains the address of array index 2 and saves it on the stack. Next, the assignment operator triggers the Get property of object 'cls'; this overloaded function in turn reallocates 'array', reducing the array size to 1. The 'Preserve' modifier ensures that existing data in the array is retained.

This reduction in the array size frees the memory backing 'array(2)'. Once the Get property has completed, control returns to the assignment. To complete it, the engine calls vbscript!AssignVar, which tries to access the freed 'array(2)' location (obtained from the stack), resulting in an access violation because the function dereferences a freed pointer.
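The trigger pattern above (a class member array that is ReDim'd from inside a Property Get, so that an element lookup can be invalidated mid-assignment) is simple enough to hunt for in script content. The following is an added example, not part of the original post or Trend Micro's PoC: a small line-oriented scanner that flags that pattern in VBScript source. The sample script embedded in it is constructed for the demonstration; the scanner is a heuristic (it does not handle line continuations or apostrophes inside string literals).

```python
import re

# Constructed sample input mirroring the CVE-2018-8373 trigger shape (not the page's PoC verbatim).
SAMPLE_VBS = """Class Risky
    Dim items()
    Private Sub Class_Initialize
        ReDim items(2)
    End Sub
    Public Default Property Get P
        ReDim Preserve items(1)
    End Property
End Class
"""

CLASS_RE = re.compile(r"^\s*Class\s+(\w+)", re.I)
END_CLASS_RE = re.compile(r"^\s*End\s+Class\b", re.I)
# Class-level dynamic array member, e.g. "Dim array()" or "Private buf()"
MEMBER_ARRAY_RE = re.compile(r"^\s*(?:Dim|Public|Private)\s+(\w+)\s*\(\s*\)", re.I)
PROP_GET_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(Default\s+)?Property\s+Get\s+(\w+)", re.I)
END_PROP_RE = re.compile(r"^\s*End\s+Property\b", re.I)
REDIM_RE = re.compile(r"^\s*ReDim\s+(Preserve\s+)?(\w+)\s*\(", re.I)


def find_redim_in_property_get(source):
    """Return one dict per Property Get that ReDims an array member of its own class."""
    findings, cls, members, prop = [], None, set(), None
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.split("'", 1)[0]  # drop trailing comments (heuristic)
        if m := CLASS_RE.match(line):
            cls, members, prop = m.group(1), set(), None
        elif END_CLASS_RE.match(line):
            cls = None
        elif cls is None:
            continue  # only class bodies matter for this pattern
        elif (m := MEMBER_ARRAY_RE.match(line)) and prop is None:
            members.add(m.group(1).lower())
        elif m := PROP_GET_RE.match(line):
            prop = (m.group(2), m.group(1) is not None)  # (name, is Default)
        elif END_PROP_RE.match(line):
            prop = None
        elif prop and (m := REDIM_RE.match(line)) and m.group(2).lower() in members:
            findings.append({"class": cls, "property": prop[0], "default": prop[1],
                             "array": m.group(2), "preserve": m.group(1) is not None,
                             "line": lineno})
    return findings


if __name__ == "__main__":
    for finding in find_redim_in_property_get(SAMPLE_VBS):
        print(finding)
```

A hit where "default" is True is the higher-signal case, since a Default property is the one the engine invokes implicitly during an assignment like the PoC's.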

Mitigation
We request organizations to apply the latest patches provided by Microsoft to address CVE-2018-8373. Qualys customers can scan their network using QID 100341 to detect vulnerable machines.

Please continue to follow Qualys Threat Protection for more information on this vulnerability.

References
CVE-2018-8373
CVE-2018-8373 | Scripting Engine Memory Corruption Vulnerability
Use-after-free (UAF) Vulnerability CVE-2018-8373 in VBScript Engine Affects Internet Explorer to Run Shellcode
