Microsoft Internet Explorer 8 / 9 / 10 / 11 MSHTML - 'DOMImplementation' Type Confusion
Source: http://blog.skylined.nl  Author: Skylined  Published: 2016-11-29
Source: http://blog.skylined.nl/20161128001.html
 
Synopsis
 
A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be executed with a stack layout it does not expect, or have code attempt to execute a method of an object using a vftable, when that object does not have a vftable. Successful exploitation can lead to arbitrary code execution.
 
Known affected software and attack vectors
 
Microsoft Internet Explorer 8, 9, 10 and 11
 
An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
 
1 Repro.svg:
 
<script xmlns="http://www.w3.org/2000/svg">
  window.exploit = function(w) {
    o={x:w.DOMImplementation(0).prototype.has};
    o.x();
  };
  open("1 Target.html");
</script>
 
 
1 Target.html:
 
<script>
  opener.exploit(window);
</script>
 
Description
 
In an SVG page, a copy of the has method of a DOMImplementation object from an HTML page is created. This copy is used as a method of a new object and called with one argument. This can cause at least two issues in the MSHTML!Method___0o function of MSIE:

1. A Failfast exception when the code detects that calling a method of an object has not cleaned up the stack as expected; this is because the called function appears to expect a different number of arguments or a different calling convention. This issue can be triggered by changing the line o.x(); in the repro to o.x(new Array).
2. An out-of-bounds write when MSHTML!CBase::Private is called; this is probably caused by a type confusion bug: the code expects a VARIANT object of one type, but is working on an object of a different type.

The repro was tested on x86 systems and does not reproduce this issue on x64 systems. I did not determine if this is because x64 systems are not affected, or because the repro needs to be modified to work on x64 systems.
 
Exploit
 
Exploitation was not attempted. I reversed Method___0o only sufficiently to get an idea of the root cause, but not enough to determine exactly what is going on or how to control the issue for command execution.
 
2 Repro.html:
 
<body onload=open("2 Target.html")>
 
 
2 Target.html:
 
<meta http-equiv=X-UA-Compatible content=IE=11><body onload=x=opener.DOMImplementation(0).prototype.is;x()>
 
Description
 
Calling the is method of the DOMImplementation interface as a function results in type confusion where an object is assumed to implement IUnknown when in fact it does not. The code attempts to call the Release method of IUnknown through the vftable at offset 0, but since the object has no vftable, a member property is stored at this offset, which appears to have a static value 002dc6c0. An attacker that is able to control this value, or allocate memory and store data at that address, may be able to execute arbitrary code.
 
Exploit
 
No attempts were made to further reverse the code and determine the exact root cause. A few attempts were made to control the value at offset 0 of the object in question, as well as get another object in its place with a different value at this location, but both efforts were brief and unsuccessful.
 
Time-line
 
September 2015: This vulnerability was found through fuzzing.
October 2015: This vulnerability was submitted to ZDI.
November 2015: This vulnerability was acquired by ZDI.
February 2016: This issue was addressed by Microsoft in MS16-009.
November 2016: Details of this issue are released.
 