rtFilter Out-Of-Bounds Vulnerability
There seems to be an out-of-bounds vulnerability in Microsoft’s VBScript with the rtFilter function. The function provides a library written in C implementing real-time digital filtering for multichannel signals.
An Out-Of-Bound Vulnerability can help an attacker send malicious input to the host system. This causes an out-of-bound read condition, helping the attacker run arbitrary code.
The initial analysis on Packetstorm states “The rtFilter function is called from VbsFilter when a Filter() function is invoked. The Filter() function takes an array of strings and a string as params and returns another array containing just those elements from the original array containing the specified (sub)string.” Further adding “The issue is that the input array can be resized during the rtFilter call (by invoking a default getter on one of the input array members) and rtFilter fails to handle this case correctly. While rtFilter does implement some logic to determine if the input array has been resized, this logic fails to take into account elements of the input array that *do not match* the input string (Notice the “b” strings in the PoC and how the PoC would stop to work if those are all changed to “a”).”
This basically means some problem with input array resizing during rtFilter call.
Who Is At Risk?
Internet Explorer users are mostly affected. There aren’t any browsers that use VBScript, therefore, IE is the only one at risk. The vulnerability hasn’t been patched and is still present on Windows 7, even on the latest patch.
VBScript is aging although Microsoft has decided to provide future support of VBScript within ASP.NET. Even Windows Edge and IE11 have dropped it as a scripting language. This vulnerability can only cause Internet Explorer to crash, more serious attacks haven’t been mentioned on by the researchers.