
Microsoft Internet Explorer 8 Code Execution

Published: 2012-07-25 13:47:45  Author: 知识屋

The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only; use them at your own risk!

[CAL-2012-0026] Microsoft IE Same ID Property Remote Code Execution Vulnerability

CVE ID: CVE-2012-1875
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
http://blog.vulnhunt.com/index.php/2012/06/13/cal-2012-0026-microsfot-ie-same-id-property-remote-code-execution-vulnerability/


1 Affected Products
===================
IE8
We tested: Internet Explorer 8.0.6001.18702


2 Vulnerability Details
=======================

The vulnerability occurs when an img element and a div element share the same
id property. When they are removed, the img element is freed from memory, but
CCollectionCache keeps a reference to it, so a use-after-free results, which
can lead to remote code execution.
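The dangling-cache pattern described above, modelled in a small C program added here (not the advisory's or Microsoft's code, and not a reproduction of mshtml's real CCollectionCache): elements live in a fixed pool and "freeing" only marks them dead, so the stale lookup can be observed without touching real freed memory. The hardened lookup refuses any cache entry filled before the last change to the document tree; the version counter, the pool and all names are assumptions of the model.

```c
#include <string.h>

typedef struct {
    const char *id;   /* the id property the img and div share */
    int live;         /* cleared when the element is removed ("freed") */
} Element;

typedef struct {
    Element pool[8];  /* fixed pool: memory stays readable after a "free" */
    int count;
    unsigned version; /* bumped on every tree mutation (hardened path) */
} Document;

typedef struct {
    const char *id;
    Element *elem;    /* raw pointer into the pool: this is what goes stale */
    unsigned version; /* document version when the entry was filled */
} CacheEntry;

static Element *doc_add(Document *d, const char *id) {
    Element *e = &d->pool[d->count++];
    e->id = id; e->live = 1; d->version++;
    return e;
}

static void doc_remove(Document *d, Element *e) {
    e->live = 0; d->version++;  /* simulated free; real free() would recycle the memory */
}

/* Vulnerable shape: trusts the cached pointer regardless of later removals. */
static Element *lookup_vuln(const CacheEntry *c, const char *id) {
    return strcmp(c->id, id) == 0 ? c->elem : NULL;
}

/* Hardened shape: an entry is only valid while the document is unchanged. */
static Element *lookup_safe(const Document *d, const CacheEntry *c, const char *id) {
    return c->version == d->version ? lookup_vuln(c, id) : NULL;
}

/* Builds an img and a div sharing id "x", caches the img, removes it, looks it
 * up again. Returns 1 when the vulnerable lookup hands back the dead element
 * while the hardened lookup refuses, which is the outcome the model shows. */
int run_scenario(void) {
    Document d = {0};
    Element *img = doc_add(&d, "x");
    doc_add(&d, "x");                        /* the div with the same id */
    CacheEntry c = { "x", img, d.version };  /* first lookup fills the cache */
    doc_remove(&d, img);                     /* script removes the img */
    return lookup_vuln(&c, "x") == img && !img->live && lookup_safe(&d, &c, "x") == NULL;
}
```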
  22.  
  23.  
  24.  
3 Analysis
==========
asm in mshtml.dll

bp mshtml!CCollectionCache::GetAtomFromName
When the breakpoint hits and ecx points to a CImgElement, note the value of ecx:
Breakpoint 0 hit
eax=03341301 ebx=033413e0 ecx=033413e0 edx=00000001 esi=0000030c edi=016aa348
eip=3db74101 esp=016aa300 ebp=016aa350 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
mshtml!CCollectionCache::GetAtomFromName:
3db74101 8bff mov edi,edi
0:008> dds ecx l4
033413e0 3dabe880 mshtml!CImgElement::`vftable'
033413e4 00000001
033413e8 00000008
033413ec 001a7ad0

0:008> bd 0
0:008> g
(2178.2120): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=033413e0 edx=8bffff53 esi=033413e0 edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 033413e0 0x8bffff53
016aa2dc 3db61cdb 80020003 033413e0 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af5ac 00000003 03341301 mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 033414a0 009af5ac 00000003 mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af5ac 016aa480 mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 033414a0 0000000d 009af5ac mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 0019adf0 009af5ac 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46
016aa410 3e374e18 0019aeb0 009af5ac 10000003 mshtml!PlainGetDispID+0xdc
016aa440 3e374d99 009af5ac 016aa480 0019aeb0 jscript!IDispatchExGetDispID+0xb7

mshtml!CElement::Doc:
3db56ce0 8b01 mov eax,dword ptr [ecx]
3db56ce2 8b5070 mov edx,dword ptr [eax+70h]
3db56ce5 ffd2 call edx
3db56ce7 8b400c mov eax,dword ptr [eax+0Ch]
  84.  
  85.  
4 Exploitable?
==============
If the freed memory is overwritten with attacker-controlled content and combined
with a heap spray, this can lead to remote code execution.

We also noticed that this vulnerability is being exploited in the wild.
  92.  
  93.  
5 Crash info:
=============
(2430.2450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3db401b2 ebx=00000000 ecx=002455b8 edx=8bffff53 esi=002455b8 edi=016aa348
eip=8bffff53 esp=016aa2dc ebp=016aa2ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
8bffff53 ?? ???
0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016aa2d8 3db56ce7 3db61cdb 80020003 002455b8 0x8bffff53
016aa2dc 3db61cdb 80020003 002455b8 016aa2fc mshtml!CElement::Doc+0x7
016aa2ec 3db74116 00000000 0000030c 016aa350 mshtml!CElement::GetAtomTable+0x10
016aa2fc 3dac2bc9 009af528 00000003 00245501 mshtml!CCollectionCache::GetAtomFromName+0x15
016aa350 3dae11bd 00245678 009af528 00000003 mshtml!CCollectionCache::GetIntoAry+0x74
016aa394 3dae1cb5 0000000d 009af528 016aa480 mshtml!CCollectionCache::GetDispID+0x13e
016aa3a8 3dacfa5c 00245678 0000000d 009af528 mshtml!DispatchGetDispIDCollection+0x3f
016aa3d0 3db61de3 033329c0 009af528 10000003 mshtml!CElementCollectionBase::VersionedGetDispID+0x46
  123.  
  124.  
  125.  
6 TIMELINE:
===========
2012/2/15 Dark son asked Code Audit Labs to analyze a POC example
2012/2/15 We began the analysis
2012/2/20 We confirmed this is an exploitable 0day and reported it to Microsoft
2012/2/21 Microsoft replied that it had received the report
2012/2/25 Microsoft began to investigate
2012/3/1 Microsoft confirmed this issue
2012/6/14 Microsoft published this bulletin
  135.  
  136.  
7 About Code Audit Labs:
========================
Code Audit Labs secures your software, providing professional services that
include source code audit and binary code audit.
Code Audit Labs: "You create value for customers, we protect your value"
http://www.VulnHunt.com
http://blog.Vulnhunt.com
http://t.qq.com/vulnhunt
http://weibo.com/vulnhunt
https://twitter.com/vulnhunt