Vulnerabilities > CVE-2017-0070 - Use After Free vulnerability in Microsoft Edge

047910
CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
microsoft
CWE-416
nessus
exploit available

Summary

A remote code execution vulnerability exists in the way affected Microsoft scripting engines render when handling objects in memory in Microsoft browsers. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability is different from those described in CVE-2017-0010, CVE-2017-0015, CVE-2017-0032, CVE-2017-0035, CVE-2017-0067, CVE-2017-0071, CVE-2017-0094, CVE-2017-0131, CVE-2017-0132, CVE-2017-0133, CVE-2017-0134, CVE-2017-0136, CVE-2017-0137, CVE-2017-0138, CVE-2017-0141, CVE-2017-0150, and CVE-2017-0151.

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionMicrosoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free. CVE-2017-0070. Dos exploit for Windows platform
fileexploits/windows/dos/41623.html
idEDB-ID:41623
last seen2017-03-16
modified2017-03-16
platformwindows
port
published2017-03-16
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/41623/
titleMicrosoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free
typedos

Msbulletin

bulletin_idMS17-007
bulletin_url
date2017-03-14T00:00:00
impactRemote Code Execution
knowledgebase_id4013071
knowledgebase_url
severityCritical
titleCumulative Security Update for Microsoft Edge

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS17-007.NASL
descriptionThe version of Microsoft Edge installed on the remote Windows host is missing Cumulative Security Update 4013071. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. Note that in order to be fully protected from CVE-2017-0071, Microsoft recommends the July 2017 security updates to be installed.
last seen2020-06-01
modified2020-06-02
plugin id97730
published2017-03-14
reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/97730
titleMS17-007: Cumulative Security Update for Microsoft Edge (4013071)

Seebug

bulletinFamilyexploit
descriptionContent source:https://bugs. chromium. org/p/project-zero/issues/detail? id=1043 I noticed that some javascript getters behave what. My test code: `` var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"]; var f = document. createElement("iframe"); f. onload = () => { f. onload = null; for (var x in window) { if (whitelist. indexOf(x) != -1) continue; try { window.__ lookupGetter__(x). call(f. contentWindow); log(x); } catch (e) { } } }; f. src = "https://abc.xyz/"; document. body. appendChild(f); `` And after some plays, finally reached an UAF condition. The PoC is attached. RIP will jump into the freed JIT code. Tested on Microsoft Edge 38.14393.0.0.
idSSV:92797
last seen2017-11-19
modified2017-03-20
published2017-03-20
reporterAnonymous
sourcehttps://www.seebug.org/vuldb/ssvid-92797
titleMicrosoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free (CVE-2017-0070)