Microsoft Edge CInputDateTimeScrollerElement::_SelectValueInternal Out-Of-Bounds
Source: Google Security Research   Author: ifratric   Published: 2017-08-17
Microsoft Edge: Out-of-bounds read in CInputDateTimeScrollerElement::_SelectValueInternal

CVE-2017-8644

The vulnerability has been confirmed on Windows 10 Enterprise 64-bit (OS version 1607, OS build 14393.1198) and Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393.

PoC:
==========================================

=========================================

Preliminary analysis:

CInputDateTimeScrollerElement::_SelectValueInternal calls CInputDateTimeScrollerElement::_UpdateSelected with a pointer that is obtained from an array, approximately:

    CInputDateTimeScrollerElement::_SelectValueInternal(...) {
      ...
      this->_UpdateSelected(this->array_at_offset_0xB8[this->index_at_offset_0xD4].ptr_at_index_0, ...);
      ...
    }

The problem is that in the PoC the index has the unsigned 32-bit value 0xffffffff, possibly because the data structure has not been properly initialized, which leads to an out-of-bounds access. If an attacker can put data they control at array+offset, they would be able to call this->_UpdateSelected with a controlled argument, which presumably would be sufficient to turn this into a write primitive.

Crash log:
=========================================

    (1afc.1b94): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    edgehtml!CInputDateTimeScrollerElement::_SelectValueInternal+0x57:
    00007ffd`625b3903 488b14ca        mov     rdx,qword ptr [rdx+rcx*8] ds:00000290`617a5788=????????????????
    0:013> k
     # Child-SP          RetAddr           Call Site
    00 00000086`73dfcee0 00007ffd`625b2f87 edgehtml!CInputDateTimeScrollerElement::_SelectValueInternal+0x57
    01 00000086`73dfcf30 00007ffd`61f952b7 edgehtml!CInputDateTimeScrollerElement::OnScroll+0xb7
    02 00000086`73dfcf60 00007ffd`61e8fc58 edgehtml!CAsyncEventQueue::DispatchAllEvents+0x9b
    03 00000086`73dfcfd0 00007ffd`61e8fc12 edgehtml!CDoc::ProcessPaintBeatEventQueue+0x38
    04 00000086`73dfd000 00007ffd`61e22c42 edgehtml!CPaintController::ProcessPaintBeatEventQueue+0x12
    05 00000086`73dfd030 00007ffd`61e22aee edgehtml!CPaintBeat::OnBeat+0xf2
    06 00000086`73dfd080 00007ffd`61ed5eb3 edgehtml!CPaintBeat::OnVSyncMethodCall+0x5e
    07 00000086`73dfd0b0 00007ffd`61ed7670 edgehtml!GlobalWndOnMethodCall+0x273
    08 00000086`73dfd1b0 00007ffd`7e0a1c24 edgehtml!GlobalWndProc+0x130
    09 00000086`73dfd270 00007ffd`7e0a156c user32!UserCallWinProcCheckWow+0x274
    0a 00000086`73dfd3d0 00007ffd`5bc0d421 user32!DispatchMessageWorker+0x1ac
    0b 00000086`73dfd450 00007ffd`5bc0c9e1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
    0c 00000086`73dff6a0 00007ffd`705d9586 EdgeContent!LCIETab_ThreadProc+0x2c1
    0d 00000086`73dff7c0 00007ffd`7ec28364 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
    0e 00000086`73dff7f0 00007ffd`7ed970d1 KERNEL32!BaseThreadInitThunk+0x14
    0f 00000086`73dff820 00000000`00000000 ntdll!RtlUserThreadStart+0x21

    0:013> r
    rax=00000000ffffffff rbx=000002786177d770 rcx=00000002fffffffd
    rdx=00000278617a57a0 rsi=0000027054093eb8 rdi=00000000ffffff00
    rip=00007ffd625b3903 rsp=0000008673dfcee0 rbp=0000000000000001
     r8=000000000a028001  r9=00007ffd6295a4a0 r10=00000fffac3bb648
    r11=0000000000000100 r12=0000000000000004 r13=0000000000000002
    r14=00000278617f55b0 r15=0000000000000004
    iopl=0         nv up ei pl nz na pe nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    edgehtml!CInputDateTimeScrollerElement::_SelectValueInternal+0x57:
    00007ffd`625b3903 488b14ca        mov     rdx,qword ptr [rdx+rcx*8] ds:00000290`617a5788=????????????????
=========================================

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: ifratric
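The following is an added illustration in C, not EdgeHTML source code and not part of the original report. It models the access pattern the analysis describes (an entry array at one offset, a 32-bit index at another, the first pointer of the selected entry handed on) with hypothetical names, places the unchecked read beside the bounds-checked form that would prevent it, and includes a small triage helper that recomputes the faulting address from the register dump above. One inference from the page's own numbers is built into the model: rcx = 0x2fffffffd is exactly 3 × 0xffffffff, and the instruction scales by 8, so the entries are taken to be 24 bytes wide and the 32-bit index to be zero-extended rather than sign-extended, which is why the read lands roughly 96 GiB past the array instead of one entry before it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the pattern in the report, not EdgeHTML code.
 * Every name below is a hypothetical stand-in for the fields the report
 * refers to as array_at_offset_0xB8, index_at_offset_0xD4 and ptr_at_index_0. */

/* Value the index holds in the crash (rax = 0x00000000ffffffff); treated here
 * as an "unset" sentinel, which the report suggests comes from a structure
 * that was never initialised. */
#define NO_SELECTION 0xffffffffu

typedef struct {
    void    *ptr;   /* stands in for ptr_at_index_0 */
    uint64_t a;     /* padding so the entry is 24 bytes, matching the */
    uint64_t b;     /* rcx = 3 * index scaling seen in the register dump */
} ScrollerEntry;

typedef struct {
    ScrollerEntry *entries;   /* stands in for array_at_offset_0xB8 */
    uint32_t       count;     /* number of valid entries */
    uint32_t       selected;  /* stands in for index_at_offset_0xD4 */
} Scroller;

/* Vulnerable shape: trusts the index. With selected == NO_SELECTION the
 * 32-bit value is zero-extended into the 64-bit address calculation. */
void *select_value_unchecked(const Scroller *s)
{
    return s->entries[s->selected].ptr;
}

/* Hardened shape: refuse the sentinel and any index outside the allocation. */
void *select_value_checked(const Scroller *s)
{
    if (s->selected == NO_SELECTION || s->selected >= s->count)
        return NULL;
    return s->entries[s->selected].ptr;
}

/* Triage helper: the address entries[index] would touch for a given array
 * base, so a crash log can be checked against a suspected index value.
 * The arithmetic is done in 64 bits, as the faulting instruction does. */
uint64_t faulting_address(uint64_t array_base, uint32_t index, size_t entry_size)
{
    return array_base + (uint64_t)index * entry_size;
}

/* Self-checks that build a small scroller inline (constructed data). */
int sentinel_is_rejected(void)
{
    ScrollerEntry pool[4] = {{0}};
    Scroller s = { pool, 4, NO_SELECTION };
    return select_value_checked(&s) == NULL;
}

int out_of_range_is_rejected(void)
{
    ScrollerEntry pool[4] = {{0}};
    Scroller s = { pool, 4, 4 };   /* one past the end */
    return select_value_checked(&s) == NULL;
}

int valid_selection_value(void)
{
    static int target = 42;
    ScrollerEntry pool[4] = {{0}};
    pool[2].ptr = &target;
    Scroller s = { pool, 4, 2 };
    int *p = select_value_checked(&s);
    return p ? *p : -1;
}

int main(void)
{
    printf("sentinel rejected:      %d\n", sentinel_is_rejected());
    printf("out-of-range rejected:  %d\n", out_of_range_is_rejected());
    printf("valid selection value:  %d\n", valid_selection_value());
    /* rdx from the register dump is the array base, rax the index. */
    printf("modelled fault address: %#llx (log shows ds:00000290`617a5788)\n",
           (unsigned long long)faulting_address(0x278617a57a0ULL, 0xffffffffu,
                                                sizeof(ScrollerEntry)));
    /* select_value_unchecked() is deliberately never called with the sentinel:
     * it would reproduce the access violation. */
    return 0;
}
```

The check in select_value_checked is the mitigation the report implies: treating the selection index as untrusted until the owning structure has been initialised, and validating it against the allocation size before it is used to pick a pointer. The faulting_address helper reproduces the address in the crash log from the page's rdx and rax values under the 24-byte entry assumption, which is the kind of consistency check worth doing during triage before accepting a root-cause hypothesis.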