Lucene search
Google Security Research1337DAY-ID-27869HistoryMay 31, 2017 - 12:00 a.m.
Microsoft MsMpEng - Use-After-Free via Saved Callers Exploit
2017-05-3100:00:00
Google Security Research
0day.today
23
EPSS
0.873
Percentile
98.7%
Exploit for windows platform in category dos / poc
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1259
In JsRuntimeState::setCaller, it saves the current caller in the JsRuntimeState object(rcx+158h in 64-bit). But the garbage collector doesn't mark this saved value. So it results in a UAF.
Unlike in our test environment(Linux), it doesn't make reliable crashes on Windows. So I used another bug(#1258) to confirm the bug. If the UAF bug doesn't exist, the "crash" function will not be called(See poc.js).
The password of the zip file is "calleruaf"
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42092.zip
# 0day.today [2018-01-05] #Related
checkpoint_advisories
checkpoint_advisories
Microsoft Malware Protection Engine Remote Code Execution (CVE-2017-8541)
2017-05-29 00:00:00
mscve
mscve
Microsoft Malware Protection Engine Remote Code Execution Vulnerability
2017-05-25 07:00:00
attackerkb
attackerkb
nvd
nvd
prion
prion
Remote code execution
2017-05-26 20:29:00
Remote code execution
2017-05-26 20:29:00
Remote code execution
2017-05-26 20:29:00
cve
cve
cvelist
cvelist
kaspersky
kaspersky
KLA11029 Multiple vulnerabilities in the Microsoft Malware Protection Engine
2017-05-09 00:00:00
KLA11839 Multiple vulnerabilities in Microsoft Exchange Server
2017-05-25 00:00:00
KLA11840 Multiple vulnerabilities in Microsoft System Center
2017-05-25 00:00:00
openvas
openvas
nessus
nessus
Microsoft Malware Protection Engine < 1.1.13804 Multiple Vulnerabilities
2017-05-31 00:00:00