Internet Explorer GC Information Leakage

Internet Explorer GC Information Leakage

This vulnerability was released by dion Ox a few months ago. Recently, it also won the pwnie award. In the original article, we talked about flash, ff and Other GC engines all adopt conservative mark clearing algorithms and do not mark data or pointers. Therefore, this problem exists. We believe that dion is familiar to everyone, I did not know how to search for flash jit spray. I just checked it. This guy also went to FireEye. From the time point, it seems that he just sent this thing and then went there. He said that he studied how to deal with the problem more than a week and wrote the poc for flash and ff.

Flash has a dictionary object and supports traversal. It may not take long. ff is a little difficult. However, with the help of the source code, dion does not provide a usable poc, but even so, this efficiency is desperate and heartbroken.

Back to yuange, yuange discovered this vulnerability in ie9 in. The method used was to track human flesh data streams, and read algorithms in t, (may have read chrome's mark clearing algorithm before ?) This kind of skill must be something everyone wants, but it is hard to find. I have to say that yuange not only has a unique mineral processing vision, but also has a first-class human mining capability.


The Dion vulnerability is identified by the source code of the script engine. yuange was detected by the Disassembly and debugging. yuange was found earlier in terms of time, and the pwnie award did not mention yuange.

 

Then there was a qualitative competition between yuange and ms vulnerabilities. Everyone was enthusiastic and involved. It seems to be far away. After completing the vulnerability discovery, let's talk about how to exploit the vulnerability. The controllable data can be pushed so that gc can be used as a pointer tag and the objects that should be deleted will not be deleted during sweep. That is to say, the objects cannot be referenced at the js syntax level, but gc will not be cleared, obviously, this is a memory leak, but if there is a way to detect whether these objects are still in the memory, you can guess to leak the object address.

It is normal to find a method that can reference or count the objects that should have been deleted but not actually deleted at the script level. dion found the dictionary and weak reference relationships in flash, if the object reference count is not increased, it will be deleted when it is deleted. It can also be used to traverse whether the detection memory is indeed deleted, as if it was tailored to the exploitation of this vulnerability, it is awesome to guess multiple items at a time based on the traversal feature. Similar to weakmap in ff and ie11, but does not support traversal, it is difficult to test.

Dion Niu proposed three ideas: timing attack, timer ID, and objects that can generate io effects. Finally, they concentrated on timing attack, and half gave up on ff.

 

 

In fact, timing attack still works on ie11. Different algorithms, but the idea of the person who writes the code is always the same. Timing attack should be used in ie11 to solve several problems,

First, it is necessary to ensure that the time results do not go wrong. After learning about the weakmap's set algorithm, this can be precisely controlled to what extent, just like the dictionary of flash, whether the gc is successful, whether the object has not been deleted, or even a few addresses have been guessed. The principle dion already says is to fill the weakmap hash table, check whether the set method will cause time-consuming hash table resizing and copying;

The other is the time complexity of brute-force guesses. Changing the space complexity to the time complexity is a good method. The idea is to reduce the entropy of random guesses, but random guesses are still sequential guesses, how much space is used for changing the time? Further consideration and optimization are required. This is also the latency and probability problem I mentioned. If I guess it takes several minutes, that really becomes a real poc. The other one is the question of pushing multiple guesses and multiple guesses. It is good to push multiple, and the probability is greatly increased, but it is not like a dictionary that can be traversed, if you do not know which one is to be guessed, if you push multiple spray objects, you can guess multiple objects at a time, greatly increasing the probability of guessing;

The last question is what to guess. This is critical and affects the final result that can be guessed, selecting an appropriate object size that makes the last few addresses aligned (for example, 0x100/0 xfc) is an option, but it is not good enough, using the address pointer of the data member in array is a good method (the premise is that you know that not only the object address, but also the address of the member in the object can also cheat gc ), because you can control the size of the array to change the alignment address to the last four digits, that is to say, except for the upper 0 and lower four digits, only three digits are used to guess, even because the small spray effect generated by multiple guesses only uses two guesses, the efficiency will be greatly improved.

 

 

In fact, the use of timing and brute force speculation have already decided that the use of code will certainly not be perfect, but in line with the principle of serving the people, we still insist on version1. The selection of various methods in the middle is more painful than writing a typical Heap Overflow Vulnerability over all protection mechanisms, heap layout, time complexity, gc, weakmap algorithm and so on. In general, the input-output ratio is not high.

 

As for the leaked addresses, you can make full use of your imagination. The simplest method is to replace mstime's non-heapspay method, but the downside is that brute-force speculation is no better than heapspray. Second, when there is only one arbitrary address to read or write any address, only one vulnerability may be used in combination to bypass various BT protection mechanisms (although the flash vector has made any address write (no matter the relative or absolutely) but this method is not too many ). Once again, it depends on your imagination. For more information, see wushi's "Combination vulnerabilities" and yuange's "information islands and connections.

 

 

After talking about this, it is estimated that many people will not be able to watch it out. I would like to hear about the 40 thousand doctoral gossip or the news, however, if you think about how to crack it, it's not as expected that wushi has more than one hundred Internet Explorer vulnerabilities. Finally, let's end with the speech of the two teachers. "Every time I feel that I lose my meaning in my life, I will go down to the restroom silently. I will use the attack technology to supplement my positive energy, go over the mountains, and overcome difficulties and obstacles, after being confused or not doing anything, you will get stuck in an inexplicable emptiness and feel that you have found the meaning of your life ".